Identify and Manage Strategic Risk Impacts on Your Organization

  • Buy Link or Shortcode: {j2store}219|cart{/j2store}
  • member rating overall impact: N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • Parent Category Name: Vendor Management
  • Parent Category Link: /vendor-management

Moreso than any other time, our world is changing. As a result, organizations – and their vendors – need to be able to adapt their strategic plans to accommodate risk on an unprecedented level.

A new global change will impact your organizational strategy at any given time. So, make sure your plans are flexible enough to manage the inevitable consequences.

Our Advice

Critical Insight

  • Identifying and managing a vendor’s potential strategic impact on your organization requires multiple people in the organization across several functions. Those people all need coaching on the potential changes in the market and how these changes affect strategic plans.
  • Organizational leadership is often taken unaware during crises, and their plans lack the flexibility needed to adjust to significant market upheavals.

Impact and Result

  • Vendor management practices educate organizations on the different potential risks to vendors in your market and suggest creative and alternative ways to avoid and help manage them.
  • Prioritize and classify your vendors with quantifiable, standardized rankings.
  • Prioritize focus on your high-risk vendors.
  • Standardize your processes for identifying and monitoring vendor risks to manage potential impacts on your strategic plan with our Strategic Risk Impact Tool.

Identify and Manage Strategic Risk Impacts on Your Organization Research & Tools

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Identify and Manage Strategic Risk Impacts to Your Organization Deck – Use the research to better understand the negative impacts of vendor actions on your strategic plans.

Use this research to identify and quantify the potential strategic impacts caused by vendors. Use Info-Tech’s approach to look at the strategic impact from various perspectives to better prepare for issues that may arise.

  • Identify and Manage Strategic Risk Impacts on Your Organization Storyboard

2. What If Vendor Strategic Impact Tool – Use this tool to help identify and quantify the strategic impacts of negative vendor actions

By playing the “what if” game and asking probing questions to draw out – or eliminate – possible negative outcomes, everyone involved adds their insight into parts of the organization to gather a comprehensive picture of potential impacts.

  • Strategic Risk Impact Tool
[infographic]

Further reading

Identify and Manage Strategic Risk Impacts on Your Organization

The world is in a perpetual state of change. Organizations need to build adaptive resiliency into their strategic plans to adjust to ever-changing market dynamics.

Analyst perspective

Organizations need to build flexible resiliency into their strategic plans to be able to adjust to ever-changing market dynamics.

This is a picture of Frank Sewell, Research Director, Vendor Management at Info-Tech Research Group

Like most people, organizations are poor at assessing the likelihood of risk. If the past few years have taught us anything, it is that the probability of a risk occurring is far more flexible in the formula Risk = Likelihood * Impact than we ever thought possible. The impacts of these risks have been catastrophic, and organizations need to be more adaptive in managing them to strengthen their strategic plans.

Frank Sewell,
Research Director, Vendor Management
Info-Tech Research Group

Executive Summary

Your Challenge

Moreso than any other time, our world is changing. As a result, organizations – and their vendors – need to be able to adapt their strategic plans to accommodate risk on an unprecedented level.

A new global change will impact your organizational strategy at any given time. So, make sure your plans are flexible enough to manage the inevitable consequences.

Common Obstacles

Identifying and managing a vendor’s potential strategic impact on your organization requires multiple people in the organization across several functions. Those people all need coaching on the potential changes in the market and how these changes affect strategic plans.

Organizational leadership is often taken unaware during crises, and their plans lack the flexibility needed to adjust to significant market upheavals.

Info-Tech’s Approach

Vendor management practices educate organizations on the different potential risks to vendors in your market and suggest creative and alternative ways to avoid and help manage them.

Prioritize and classify your vendors with quantifiable, standardized rankings.

Prioritize focus on your high-risk vendors.

Standardize your processes for identifying and monitoring vendor risks to manage potential impacts on your strategic plan with our Strategic Impacts Tool.

Info-Tech Insight

Organizations must evolve their strategic risk assessments to be more adaptive to respond to global changes in the market. Ongoing monitoring of the market and the vendors tied to company strategies is imperative to achieving success.

Info-Tech’s multi-blueprint series on vendor risk assessment

There are many individual components of vendor risk beyond cybersecurity.

This image depicts a cube divided into six different coloured sections. The sections are labeled: Financial; Reputational; Operational; Strategic; Security; Regulatory & Compliance.

This series will focus on the individual components of vendor risk and how vendor management practices can facilitate organizations’ understanding of those risks.

Out of Scope:

This series will not tackle risk governance, determining overall risk tolerance and appetite, or quantifying inherent risk.

Strategic risk impacts

Potential losses to the organization due to risks to the strategic plan

  • In this blueprint, we’ll explore strategic risks (risks to the Strategic Plans of the organization) and their impacts.
  • Identify potentially disruptive events to assess the overall impact on organizations and implement adaptive measures to correct strategic plans.
This image depicts a cube divided into six different coloured sections. The section labeled Strategic is highlighted.

The world is constantly changing

The IT market is constantly reacting to global influences. By anticipating changes, leaders can set expectations and work with their vendors to accommodate them.

When the unexpected happens, being able to adapt quickly to new priorities ensures continued long-term business success.

Below are some things no one expected to happen in the last few years:

62%

of IT professionals are more concerned about being a victim of ransomware than they were a year ago.

82%

of Microsoft’s non-essential employees shifted to working from home in 2020, joining the 18% already remote.

89%

of organizations invested in web conferencing technology to facilitate collaboration.

Source: Info-Tech Tech Trends Survey 2022

Strategic risks on a global scale

Odds are at least one of these is currently affecting your strategic plans

  • Vendor Acquisitions
  • Global Pandemic
  • Global Shortages
  • Gas Prices
  • Poor Vendor Performance
  • Travel Bans
  • War
  • Natural Disasters
  • Supply Chain Disruptions
  • Security Incidents

Make sure you have the right people at the table to identify and plan to manage impacts.

Identify & manage strategic risks

Global Pandemic

Very few people could have predicted that a global pandemic would interrupt business on the scale experienced today. Organizations should look at their lessons learned and incorporate adaptable preparations into their strategic planning moving forward.

Vendor Acquisitions

The IT market is an ever-shifting environment. Larger companies often gobble up smaller ones to control their sectors. Incorporating plans to manage those shifts in ownership will be key to many strategic plans that depend on niche vendor solutions for success. Be sure to monitor the potentially affected markets on an ongoing cadence.

Global Shortages

Organizations need to accept that shortages will recur periodically and that preparing for them will significantly increase the success potential of long-term strategic plans. Understand what your business needs to stock for project needs and where those supplies are located, and plan how to rapidly access and distribute them as required if supply chain disruptions occur.

What to look for in vendors

Identify strategic risk impacts

  • A vendor acquires many smaller, seemingly irrelevant IT products. Suddenly their revenue model includes aggressive license compliance audits.
    • Ensure that your installed software meets license compliance requirements with good asset management practices.
    • Monitor the market for such acquisitions or news of audits hitting companies.
  • A vendor changes their primary business model from storage and hardware to becoming a self-proclaimed “professional services guru,” relying almost entirely on their name recognition to build their marketing.
    • Be wary of self-proclaimed experts and review their successes and failures with other organizations before adopting them into your business strategy.
    • Review the backgrounds their “experts” have and make sure they have the industry and technical skill sets to perform the services to the required level.

Not preparing for your growth can delay your goals

Why can’t I get a new laptop?

For example:

  • An IT professional services organization plans to take advantage of the growing work-from-home trend to expand its staff by 30% over the coming year.
  • Logically, this should include a review of the necessary tasks involved, including onboarding.
    • Suppose the company does not order enough equipment in preparation to cover the new staff plus routine replacement. In that case, this will delay the output of the new team members immeasurably as they wait for their company equipment and will delay existing staff whose equipment breaks, preventing them from getting back to work efficiently.

Sometimes an organization has the right mindset to take advantage of the changes in the market but can fail to plan for the particulars.

When your strategic plan changes, you need to revisit all the steps in the processes to ensure a successful outcome.

Strategic risks

Poor or uninformed business decisions can lead to organizational strategic failures

  • Supply chain disruptions and global shortages
    • Geopolitical disruptions and natural disasters have caused unprecedented interruptions to business. Incorporate forecasting of product and ongoing business continuity planning into your strategic plans to adapt as events unfold.
  • Poor vendor performance
    • Consider the impact of a vendor that fails to perform midway through the implementation. Organizations need to be able to manage the impact of replacing that vendor and cutting their losses rather than continuing to throw good money away after bad performance.
  • Vendor acquisitions
    • A lot of acquisition is going on in the market today. Large companies are buying competitors and either imposing new terms on customers or removing the competing products from the market. Prepare options for any strategy tied to a niche product.

It is important to identify potential risks to strategic plans to manage the risk and be agile enough in planning to adapt to the changing environments.

Info-Tech Insight
Few organizations are good at identifying risks to their strategic plan. As a result, almost none realistically plan to monitor, manage, and adapt their strategies to those risks.

Prepare your strategic risk management for success

Due diligence will enable successful outcomes

  1. Obtain top-level buy-in; it is critical to success.
  2. Build enterprise risk management (ERM) through incremental improvement.
  3. Focus initial efforts on the “big wins” to prove the process works.
  4. Use existing resources.
  5. Build on any risk management activities that already exist in the organization.
  6. Socialize ERM throughout the organization to gain additional buy‑in.
  7. Normalize the process long term with ongoing updates and continuing education for the organization.

(Adapted from COSO)

How to assess strategic risk

  1. Review Organizational Strategy
    Understand the organizational strategy to prepare for the “What If” game exercise.
  2. Identify & Understand Potential Strategic Risks
    Play the “What If” game with the right people at the table.
  3. Create a Risk Profile Packet for Leadership
    Pull all the information together in a presentation document.
  4. Validate the Risks
    Work with leadership to ensure that the proposed risks are in line with their thoughts.
  5. Plan to Manage the Risks
    Lower the overall risk potential by putting mitigations in place.
  6. Communicate the Plan
    It is important not only to have a plan but also to socialize it in the organization for awareness.
  7. Enact the Plan
    Once the plan is finalized and socialized, put it in place with continued monitoring for success.

Insight summary

Insight 1

Organizations build portions of their strategies around chosen vendors and should protect those plans against the risks of unforeseen acquisitions in the market.
Is your vendor solvent? Does it have enough staff to accommodate your needs? Has its long-term planning been affected by changes in the market? Is it unique in its space?

Insight 2

Organizations’ strategic plans need to be adaptable to avoid vendors’ negative actions causing an expedited shift in priorities.
For example, Philip's recall of ventilators impacted its products and the availability of its competitor’s products as demand overwhelmed the market.

Insight 3

Organizations need to become better at risk assessment and actively manage the identified risks to their strategic plans.
Few organizations are good at identifying risks to their strategic plan. As a result, almost none realistically plan to monitor, manage, and adapt their strategies to those risks.

Strategic risk impacts are often unanticipated, causing unforeseen downstream effects. Anticipating the potential changes in the global IT market and continuously monitoring vendors’ risk levels can help organizations modify their strategic alignment with the new norms.

Identifying strategic risk

Who should be included in the discussion

  • While it is true that executive-level leadership defines the strategy for an organization, it is vital for those making decisions to make informed decisions.
  • Getting input from operational experts at your organization will enhance the long-term potential for success of your strategies.
  • Involving those who directly manage vendors and understand the market will aid operational experts in determining the forward path for relationships with your current vendors and identifying new emerging potential strategic partners.

Review your strategic plans for new risks and evolving likelihood on a regular basis.

Keep in mind Risk = Likelihood x Impact (R=L*I).

Impact (I) tends to remain the same, while Likelihood (L) is a very flexible variable.

See the blueprint Build an IT Risk Management Program

Managing strategic risk impacts

What can we realistically do about the risks?

  • Review business continuity plans and disaster recovery testing.
  • Institute proper contract lifecycle management.
  • Re-evaluate corporate policies frequently.
  • Develop IT governance and change control.
  • Ensure strategic alignment in contracts.
  • Introduce continual risk assessment to monitor the relevant vendor markets.
    • Regularly review your strategic plans for new risks and evolving likelihood.
    • Risk = Likelihood x Impact (R=L*I)
      • Impact (I) tends to remain the same and be well understood, while Likelihood (L) turns out to be highly variable.
  • Be adaptable and allow for innovations that arise from the current needs.
    • Capture lessons learned from prior incidents to improve over time, and adjust your strategy based on the lessons.

Organizations need to be reviewing their strategic risk plans considering the likelihood of incidents in the global market.

Pandemics, extreme weather, and wars that affect global supply chains are a current reality, not unlikely scenarios.

Ongoing Improvement

Incorporating lessons learned

  • Over time, despite everyone’s best observations and plans, incidents will catch us off guard.
  • When it happens, follow your incident response plans and act accordingly.
  • An essential step is to document what worked and what did not – collectively known as the “lessons learned.”
  • Use the lessons learned document to devise, incorporate, and enact a better risk management process.

Sometimes disasters occur despite our best plans to manage them.

When this happens, it is important to document the lessons learned and improve our plans going forward.

The “what if” game

1-3 hours

Vendor management professionals are in an excellent position to help senior leadership identify and pull together resources across the organization to determine potential risks. By playing the "what if" game and asking probing questions to draw out – or eliminate – possible adverse outcomes, everyone involved adds their insight into parts of the organization to gather a comprehensive picture of potential impacts.

  1. Break into smaller groups (or if too small, continue as a single group).
  2. Use the Strategic Risk Impact Tool to prompt discussion on potential risks. Keep this discussion flowing organically to explore all potentials but manage the overall process to keep the discussion pertinent and on track.
  3. Collect the outputs and ask the subject matter experts (SMEs) for management options for each one in order to present a comprehensive risk strategy. You will use this to educate senior leadership so that they can make an informed decision to accept or reject the solution.

Download the Strategic Risk Impact Tool

Input Output
  • List of identified potential risk scenarios scored by likelihood and financial impact
  • List of potential management of the scenarios to reduce the risk
  • Comprehensive strategic risk profile on the specific vendor solution
Materials Participants
  • Whiteboard/flip charts
  • Strategic Risk Impact Tool to help drive discussion
  • Vendor Management – Coordinator
  • Organizational Leadership
  • Operations Experts (SMEs)
  • Legal/Compliance/Risk Manager

Case Study

Airline Industry Strategic Adaptation

Industry: Airline

Impact categories: Pandemic, Lockdowns, Travel Bans, Increased Fuel Prices

  • In 2019 the airline industry yielded record profits of $35.5 billion.
  • In 2020 the pandemic devastated the industry with losses around $371 billion.
  • The industry leaders engaged experts to conduct a study on how the pandemic impacted them and propose measures to ensure the survival of their industry in the future after the pandemic.
  • They determined that “[p]recise decision-making based on data analytics is essential and crucial for an effective Covid-19 airline recovery plan.”

Results

The pandemic prompted systemic change to the overall strategic planning of the airline industry.

Summary

Be vigilant and adaptable to change

  • Organizations need to learn how to assess the likelihood of potential risks in the changing global world.
  • Those organizations that incorporate adaptive risk management processes can prepare their strategic plans for greater success.
  • Bring the right people to the table to outline potential risks in the market.
  • Socialize the risk management process throughout the organization to heighten awareness and enable employees to help protect the strategic plan.
  • Incorporate lessons learned from incidents into your risk management process to build better plans for future issues.

Organizations must evolve their strategic risk assessments to be more adaptive to respond to global changes in the market.

Ongoing monitoring of the market and the vendors tied to company strategies is imperative to achieving success.

Related Info-Tech Research

Identify and Manage Financial Risk Impacts on Your Organization

This image contains a screenshot from Info-Tech's Identify and Manage Financial Risk Impacts on Your Organization.
  • Vendor management practices educate organizations on the different potential financial impacts that vendors may incur and suggest systems to help manage them.
  • Prioritize and classify your vendors with quantifiable, standardized rankings.
  • Prioritize focus on your high-risk vendors.
  • Standardize your processes for identifying and monitoring vendor risks to manage financial impacts with our Financial Risk Impact Tool.

Identify and Reduce Agile Contract Risk

This image contains a screenshot from Info-Tech's Identify and Reduce Agile Contract Risk
  • Customer maturity levels with Agile are low, with 67% of organizations using Agile for less than five years.
  • Customer competency levels with Agile are also low, with 84% of organizations stating they are below a high level of competency.
  • Contract disputes are the number one or two types of disputes faced by organizations across all industries.

Build an IT Risk Management Program

This image contains a screenshot from Info-Tech's Build an IT Risk Management Program
  • Transform your ad hoc IT risk management processes into a formalized, ongoing program, and increase risk management success.
  • Take a proactive stance against IT threats and vulnerabilities by identifying and assessing IT’s greatest risks before they occur.
  • Involve key stakeholders including the business senior management team to gain buy-in and to focus on IT risks most critical to the organization.

Bibliography

Olaganathan, Rajee. “Impact of COVID-19 on airline industry and strategic plan for its recovery with special reference to data analytics technology.” Global Journal of Engineering and Technology Advances, vol 7, no 1, 2021, pp. 033-046.

Tonello, Matteo. “Strategic Risk Management: A Primer for Directors.” Harvard Law School Forum on Corporate Governance, 23 Aug. 2012.

Frigo, Mark L., and Richard J. Anderson. “Embracing Enterprise Risk Management: Practical Approaches for Getting Started.” COSO, 2011.

Research Contributors and Experts

  • Frank Sewell
    Research Director, Info-Tech Research Group
  • Steven Jeffery
    Principal Research Director, Info-Tech Research Group
  • Scott Bickley
    Practice Lead, Info-Tech Research Group
  • Donna Glidden
    Research Director, Info-Tech Research Group
  • Phil Bode
    Principal Research Director, Info-Tech Research Group
  • David Espinosa
    Senior Director, Executive Services, Info-Tech Research Group
  • Rick Pittman
    Vice President, Research, Info-Tech Research Group
  • Patrick Philpot
    CISSP
  • Gaylon Stockman
    Vice President, Information Security
  • Jennifer Smith
    Senior Director

Create a Game Plan to Implement Cloud Backup the Right Way

  • Buy Link or Shortcode: {j2store}469|cart{/j2store}
  • member rating overall impact: 7.0/10 Overall Impact
  • member rating average dollars saved: $2,000 Average $ Saved
  • member rating average days saved: 5 Average Days Saved
  • Parent Category Name: Storage & Backup Optimization
  • Parent Category Link: /storage-and-backup-optimization
  • Cloud adoption is frequently driven by hype rather than careful consideration of the best-fit solution.
  • IT is frequently rushed into cloud adoption without appropriate planning.
  • Organizations frequently lack appropriate strategies to deal with cloud-specific backup challenges.
  • Insufficient planning for cloud backup can exacerbate problems rather than solving them, leading to poor estimates of the cost and effort involved, budget overruns, and failure to meet requirements.

Our Advice

Critical Insight

  • The cloud isn’t a magic bullet, but it tends to deliver the most value to organizations with specific use cases – frequently smaller organizations who are looking to avoid the cost of building or upgrading a data center.
  • Cloud backup does not necessarily reduce backup costs so much as it moves them around. Cloud backup distributes costs over a longer term. Organizations need to compare the difference in CAPEX and OPEX to determine if making the move makes financial sense.
  • The cloud can deliver a great deal of value for organizations who are looking to reduce the operational effort demanded by an existing tape library for second- or third-tier backups.
  • Data security risks in some cases may be overstated, depending on what on-premises security is available. However, targeting backup to the cloud introduces other risks that need to be considered before implementation is given the green light.

Impact and Result

  • Understand if cloud backup is the right solution for actual organizational needs.
  • Make an informed decision about targeting backup to the cloud by considering the big picture TCO and effort level involved in adoption.
  • Have a ready strategy to mitigate the most common challenges with cloud adoption projects.
  • Develop a roadmap that lays out the required step-by-step to implement cloud backup.

Create a Game Plan to Implement Cloud Backup the Right Way Research & Tools

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Understand the benefits and risks of targeting backups to the cloud

Build a plan to mitigate the risks associated with backing data up in the cloud.

  • Storyboard: Create a Game Plan to Implement Cloud Backup the Right Way

2. Determine if the cloud can meet the organization's data requirements

Assess if the cloud is a good fit for your organization’s backup data.

  • Cloud Backup Implementation Game Plan Tool

3. Mitigate the Challenges of Backing Up to the Cloud

Build a cloud challenge contingency plan.

4. Build a Cloud Backup Implementation Roadmap

Perform a gap analysis to determine cloud backup implementation initiatives.

Infographic

Workshop: Create a Game Plan to Implement Cloud Backup the Right Way

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

1 Evaluate the business case for targeting backup at the cloud

The Purpose

Understand how cloud backup will affect backup and recovery processes

Determine backup and recovery objectives

Assess the value proposition of cloud backup

Key Benefits Achieved

A high-level understanding of the benefits of moving to cloud backup

A best-fit analysis of cloud backup in comparison to organizational needs

Activities

1.1 Document stakeholder goals for cloud backup

1.2 Document present backup processes

1.3 Document ideal backup processes

1.4 Review typical benefits of cloud backup

Outputs

Documented stakeholder goals

Current backup process diagrams

Ideal backup process diagram

2 Identify candidate data sets and assess opportunities and readiness

The Purpose

Identify candidate data sets for cloud-based backup

Determine RPOs and RTOs for candidate data sets

Identify potential value specific to each data set for targeting backup at the cloud

Evaluate organizational readiness for targeting backup at the cloud

Key Benefits Achieved

Documented recovery objectives

Recommendations for cloud backup based on actual organizational needs and readiness

Activities

2.1 Document candidate data sets

2.2 Determine recovery point and recovery time objectives for candidate data sets

2.3 Identify potential value of cloud-based backup for candidate data sets

2.4 Discuss the risk and value of cloud-based backup versus an on-premises solution

2.5 Evaluate organizational readiness for cloud backup

2.6 Identify data sets to move to the cloud

Outputs

Validated list of candidate data sets

Specific RPOs and RTOs for core data sets

An assessment of the value of cloud backup for data sets

A tool-based recommendation for moving backups to the cloud

3 Mitigate the challenges of backing up to the cloud

The Purpose

Understand different cloud provider models and their specific risks

Identification of how cloud backup will affect IT infrastructure and personnel

Strategize ways to mitigate the most common challenges of implementing cloud backup

Understand the client/vendor relationship in cloud backup

Understand the affect of cloud backup on data security

Key Benefits Achieved

Verified best-fit cloud provider model for organizational needs

Verified strategy for meeting the most common challenges for cloud-based backup

A strong understanding of how cloud backup will change IT

Strategies for approaching vendors to ensure a strong footing in negotiations and clear expectations for the client/vendor relationship

Activities

3.1 Discuss the impact of cloud backup on infrastructure and IT environment

3.2 Create a cloud backup risk contingency plan

3.3 Document compliance and security regulations

3.4 Identify client and vendor responsibilities for cloud backup

3.5 Discuss and document the impact of cloud backup on IT roles and responsibilities

3.6 Compile a list of implementation intiatives

3.7 Evaluate the financial case for cloud backup

Outputs

Cloud risk assessment

Documented contingency strategies for probabe risks

Negotiation strategies for dealing with vendors

A committed go/no-go decision on the value of cloud backup weighted against the effort of implementation

4 Build a cloud backup implementation roadmap

The Purpose

Create a road map for implementing cloud backup

Key Benefits Achieved

Determine any remaining gaps between the present state and the ideal state for cloud backup

Understand the steps and time frame for implementing cloud backup

Allocate roles and responsibilities for the implementation intitiative

A validated implementation road map

Activities

4.1 Perform a gap analysis to generate a list of implementation intiatives

4.2 Prioritize cloud backup initiatives

4.3 Assess risks and dependencies for critical implementation initiatives

4.4 Assign ownership over implementation tasks

4.5 Determine road map time frame and structure

4.6 Populate the roadmap with cloud backup initiatives

Outputs

A validated gap analysis

A prioritized list of cloud backup initiatives

Documented dependencies and risks associated with implementation tasks

A roadmap for targeting backups at the cloud

Considerations to Optimize Container Management

  • Buy Link or Shortcode: {j2store}499|cart{/j2store}
  • member rating overall impact: N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • Parent Category Name: Data Center & Facilities Strategy
  • Parent Category Link: /data-center-and-facilities-strategy

Do you experience challenges with the following:

  • Equipping IT operations processes to manage containers.
  • Choosing the right container technology.
  • Optimizing your infrastructure strategy for containers.

Our Advice

Critical Insight

  • Plan ahead to ensure your container strategy aligns with your infrastructure roadmap. Before deciding between bare metal and cloud, understand the different components of a container management solution and plan for current and future infrastructure services.
  • When selecting tools from multiple sources, it is important to understand what each tool should and should not meet. This holistic approach is necessary to avoid gaps and duplication of effort.

Impact and Result

Use the reference architecture to plan for the solution you need and want to deploy. Infrastructure planning and strategy optimizes the container image supply chain, uses your current infrastructure, and reduces costs for compute and image scan time.

Considerations to Optimize Container Management Research & Tools

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Considerations to Optimize Container Management Deck – A document to guide you design your container strategy.

A document that walks you through the components of a container management solution and helps align your business objectives with your current infrastructure services and plan for your future assets.

  • Considerations to Optimize Container Management Storyboard

2. Container Reference Architecture – A best-of-breed template to help you build a clear, concise, and compelling strategy document for container management.

Complete the reference architecture tool to strategize your container management.

  • Container Reference Architecture
[infographic]

Further reading

Considerations to Optimize Container Management

Design a custom reference architecture that meets your requirements.

Analyst Perspective

Containers have become popular as enterprises use DevOps to develop and deploy applications faster. Containers require managed services because the sheer number of containers can become too complex for IT teams to handle. Orchestration platforms like Kubernetes can be complex, requiring management to automatically deploy container-based applications to operating systems and public clouds. IT operations staff need container management skills and training.

Installing and setting up container orchestration tools can be laborious and error-prone. IT organizations must first implement the right infrastructure setup for containers by having a solid understanding of the scope and scale of containerization projects and developer requirements. IT administrators also need to know how parts of the existing infrastructure connect and communicate to maintain these relationships in a containerized environment. Containers can run on bare metal servers, virtual machines in the cloud, or hybrid configurations, depending on your IT needs

Nitin Mukesh, Senior Research Analyst, Infrastructure and Operations

Nitin Mukesh
Senior Research Analyst, Infrastructure and Operations
Info-Tech Research Group

Executive Summary

Your Challenge Common Obstacles Info-Tech’s Approach

The container software market is constantly evolving. Organizations must consider many factors to choose the right container management software for their specific needs and fit their future plans.

It's important to consider your organization's current and future infrastructure strategy and how it fits with your container management strategy. The container management platform you choose should be compatible with the existing network infrastructure and storage capabilities available to your organization.

IT operations staff have not been thinking the same way as developers who have now been using an agile approach for some time. Container image builds are highly automated and have several dependencies including scheduling, testing, and deployment that the IT staff is not trained for or lack the ability to create anything more than a simple image.

Use the reference architecture to plan for the solution you need and want to deploy. Infrastructure planning and strategy optimizes the container image supply chain and reduces costs for compute and image scan time.

Plan ahead to ensure your container strategy aligns with your infrastructure roadmap. Before deciding between bare metal and cloud, understand the different components of a container management solution and plan for current and future infrastructure services.

Your challenge

Choosing the right container technology: IT is a rapidly changing and evolving market, with startups and seasoned technology vendors maintaining momentum in everything from container platforms to repositories to orchestration tools. The rapid evolution of container platform components such as orchestration, storage, networking, and system services such as load balancing has made the entire stack a moving target.

However, waiting for the industry to be standardized can be a recipe for paralysis, and waiting too long to decide on solutions and approaches can put a company's IT operations in catch-up mode.

Keeping containers secure: Security breaches in containers are almost identical to operating system level breaches in virtual machines in terms of potential application and system vulnerabilities. It is important for any DevOps team working on container and orchestration architecture and management to fully understand the potential vulnerabilities of the platforms they are using.

Optimize your infrastructure strategy for containers: One of the challenges enterprise IT operations management teams face when it comes to containers is the need to rethink the underlying infrastructure to accommodate the technology. While you may not want to embrace the public cloud for your critical applications just yet, IT operations managers will need an on-premises infrastructure so that applications can scale up and down the same way as they are containerized.

Common ways organizations use containers

A Separation of responsibilities
Containerization provides a clear separation of responsibilities as developers can focus on application logic and dependencies, while IT operations teams can focus on deployment and management instead of application details such as specific software versions and configurations.

B Workload portability
Containers can run almost anywhere: physical servers or on-premise data centers on virtual machines or developer machines, as well as public clouds on Linux, Windows, or Mac operating systems, greatly easing development and deployment.

“Lift and shift” existing applications into a modern cloud architecture. Some organizations even use containers to migrate existing applications to more modern environments. While this approach provides some of the basic benefits of operating system virtualization, it does not provide all the benefits of a modular, container-based application architecture.

C Application isolation
Containers virtualize CPU, memory, storage, and network resources at the operating system level, providing developers with a logically isolated view of the operating system from other applications.

Source: TechTarget, 2021

What are containers and why should I containerize?

A container is a partially isolated environment in which an application or parts of an application can run. You can use a single container to run anything from small microservices or software processes to larger applications. Inside the container are all the necessary executable, library, and configuration files. Containers do not contain operating system images. This makes them lighter and more portable with much less overhead. Large application deployments can deploy multiple containers into one or more container clusters (CapitalOne, 2020).

Containers have the following advantages:

  • Reduce overhead costs: Because containers do not contain operating system images, they require fewer system resources than traditional or hardware virtual machine environments.
  • Enhanced portability: Applications running in containers can be easily deployed on a variety of operating systems and hardware platforms.
  • More consistent operations: DevOps teams know that applications in containers run the same no matter where they are deployed.
  • Efficiency improvement: Containers allow you to deploy, patch, or scale applications faster.
  • Develop better applications: Containers support Agile and DevOps efforts to accelerate development and production cycles.

Source: CapitalOne, 2020

Container on the cloud or on-premise?

On-premises containers Public cloud-based containers

Advantages:

  • Full control over your container environment.
  • Increased flexibility in networking and storage configurations.
  • Use any version of your chosen tool or container platform.
  • No need to worry about potential compliance issues with data stored in containers.
  • Full control over the host operating system and environment.

Disadvantages:

  • Lack of easy scalability. This can be especially problematic if you're using containers because you want to be more agile from a DevOps perspective.
  • No turnkey container deployment solution. You must set up and maintain every component of the container stack yourself.

Advantages:

  • Easy setup and management through platforms such as Amazon Elastic Container Service or Azure Container Service. These products require significant Docker expertise to use but require less installation and configuration than on-premise installations.
  • Integrates with other cloud-based tools for tasks such as monitoring.
  • Running containers in the cloud improves scalability by allowing you to add compute and storage resources as needed.

Disadvantages:

  • You should almost certainly run containers on virtual machines. That can be a good thing for many people; however, you miss out on some of the potential benefits of running containers on bare metal servers, which can be easily done.
  • You lose control. To build a container stack, you must use the orchestrator provided by your cloud host or underlying operating system.

Info-Tech Insight
Start-ups and small businesses that don't typically need to be closely connected to hardware can easily move (or start) to the cloud. Large (e.g. enterprise-class) companies and companies that need to manage and control local hardware resources are more likely to prefer an on-premises infrastructure. For enterprises, on-premises container deployments can serve as a bridge to full public cloud deployments or hybrid private/public deployments. The answer to the question of public cloud versus on premises depends on the specific needs of your business.

Container management

From container labeling that identifies workloads and ownership to effective reporting that meets the needs of different stakeholders across the organization, it is important that organizations establish an effective framework for container management.

Four key considerations for your container management strategy:

01 Container Image Supply Chain
How containers are built

02 Container Infrastructure and Orchestration
Where and how containers run together

03 Container Runtime Security and Policy Enforcement
How to make sure your containers only do what you want them to do

04 Container Observability
Runtime metrics and debugging

To effectively understand container management solutions, it is useful to define the various components that make up a container management strategy.

1: Container image supply chain

To run a workload as a container, it must first be packaged into a container image. The image supply chain includes all libraries or components that make up a containerized application. This includes CI/CD tools to test and package code into container images, application security testing tools to check for vulnerabilities and logic errors, registries and mirroring tools for hosting container images, and attribution mechanisms such as image signatures for validating images in registries.

Important functions of the supply chain include the ability to:

  • Scan container images in registries for security issues and policy compliance.
  • Verify in-use image hashes have been scanned and authorized.
  • Mirror images from public registries to isolate yourself from outages in these services.
  • Attributing images to the team that created them.

Source: Rancher, 2022

Info-Tech Insight
It is important to consider disaster recovery for your image registry. As mentioned above, it is wise to isolate yourself from registry disruptions. However, external registry mirroring is only one part of the equation. You also want to make sure you have a high availability plan for your internal registry as well as proper backup and recovery processes. A highly available, fault-tolerant container management platform is not just a runtime environment.

2: Container infrastructure and orchestration

Orchestration tools

Once you have a container image to run, you need a location to run it. That means both the computer the container runs on and the software that schedules it to run. If you're working with a few containers, you can make manual decisions about where to run container images, what to run with container images, and how best to manage storage and network connectivity. However, at scale, these kinds of decisions should be left to orchestration tools like Kubernetes, Swarm, or Mesos. These platforms can receive workload execution requests, determine where to run based on resource requirements and constraints, and then actually launch that workload on its target. And if a workload fails or resources are low, it can be restarted or moved as needed.

Source: DevOpsCube, 2022

Storage

Storage is another important consideration. This includes both the storage used by the operating system and the storage used by the container itself. First, you need to consider the type of storage you actually need. Can I outsource my storage concerns to a cloud provider using something like Amazon Relational Database Service instead? If not, do you really need block storage (e.g. disk) or can an external object store like AWS S3 meet your needs? If your external object storage service can meet your performance and durability requirements as well as your governance and compliance needs, you're in luck. You may not have to worry about managing the container's persistent storage. Many external storage services can be provisioned on demand, support discrete snapshots, and some even allow dynamic scaling on demand.

Networking

Network connectivity inside and outside the containerized environment is also very important. For example, Kubernetes supports a variety of container networking interfaces (CNIs), each providing different functionality. Questions to consider here are whether you can set traffic control policies (and the OSI layer), how to handle encryption between workloads and between workloads and external entities, and how to manage traffic import for containerized workloads. The impact of these decisions also plays a role on performance.

Backups

Backups are still an important task in containerized environments, but the backup target is changing slightly. An immutable, read-only container file system can be recreated very easily from the original container image and does not need to be backed up. Backups or snapshots on permanent storage should still be considered. If you are using a cloud provider, you should also consider fault domain and geo-recovery scenarios depending on the provider's capabilities. For example, if you're using AWS, you can use S3 replication to ensure that EBS snapshots can be restored in another region in case of a full region outage.

3: Container runtime security and policy enforcement

Ensuring that containers run in a place that meets the resource requirements and constraints set for them is necessary, but not sufficient. It is equally important that your container management solution performs continuous validation and ensures that your workloads comply with all security and other policy requirements of your organization. Runtime security and policy enforcement tools include a function for detecting vulnerabilities in running containers, handling detected vulnerabilities, ensuring that workloads are not running with unnecessary or unintended privileges, and ensuring that only other workloads that need to be allowed can connect.

One of the great benefits of (well implemented) containerized software is reducing the attackable surface of the application. But it doesn't completely remove it. This means you need to think about how to observe running applications to minimize security risks. Scanning as part of the build pipeline is not enough. This is because an image without vulnerabilities at build time can become a vulnerable container because new flaws are discovered in its code or support libraries. Instead, some modern tools focus on detecting unusual behavior at the system call level. As these types of tools mature, they can make a real difference to your workload’s security because they rely on actual observed behavior rather than up-to-date signature files.

4: Container observability

What’s going on in there?

Finally, if your container images are being run somewhere by orchestration tools and well managed by security and policy enforcement tools, you need to know what your containers are doing and how well they are doing it. Orchestration tools will likely have their own logs and metrics, as will networking layers, and security and compliance checking tools; there is a lot to understand in a containerized environment. Container observability covers logging and metrics collection for both your workloads and the tools that run them.

One very important element of observability is the importance of externalizing logs and metrics in a containerized environment. Containers come and go, and in many cases the nodes running on them also come and go, so relying on local storage is not recommended.

The importance of a container management strategy

A container management platform typically consists of a variety of tools from multiple sources. Some container management software vendors or container management services attempt to address all four key components of effective container management. However, many organizations already have tools that provide at least some of the features they need and don't want to waste existing licenses or make significant changes to their entire infrastructure just to run containers.

When choosing tools from multiple sources, it's important to understand what needs each tool meets and what it doesn't. This holistic approach is necessary to avoid gaps and duplication of effort.

For example, scanning an image as part of the build pipeline and then rescanning the image while the container is running is a waste of CPU cycles in the runtime environment. Similarly, using orchestration tools and separate host-based agents to aggregate logs or metrics can waste CPU cycles as well as storage and network resources.

Planning a container management strategy

1 DIY, Managed Services, or Packaged Products
Developer satisfaction is important, but it's also wise to consider the team running the container management software. Migrating from bare metal or virtual machine-based deployment methodologies to containers can involve a significant learning curve, so it's a good idea to choose a tool that will help smooth this curve.
2 Kubernetes
In the world of container management, Kubernetes is fast becoming the de facto standard for container orchestration and scheduling. Most of the products that address the other aspects of container management discussed in this post (image supply chain, runtime security and policy enforcement, observability) integrate easily with Kubernetes. Kubernetes is open-source software and using it is possible if your team has the technical skills and the desire to implement it themselves. However, that doesn't mean you should automatically opt to build yourself.
3 Managed Kubernetes
Kubernetes is difficult to implement well. As a result, many solution providers offer packaged products or managed services to facilitate Kubernetes adoption. All major cloud providers now offer Kubernetes services that reduce the operational burden on your teams. Organizations that have invested heavily in the ecosystem of a particular cloud provider may find this route suitable. Other organizations may be able to find a fully managed service that provides container images and lets the service provider worry about running the images which, depending on the cost and capacity of the organization, may be the best option.
4 Third-Party Orchestration Products
A third approach is packaged products from providers that can be installed on the infrastructure (cloud or otherwise). These products can offer several potential advantages over DIY or cloud provider offerings, such as access to additional configuration options or cluster components, enhanced functionality, implementation assistance and training, post-installation product support, and reduced risk of cloud provider lock-in.

Source: Kubernetes, 2022; Rancher, 2022

Infrastructure considerations

It's important to describe your organization’s current and future infrastructure strategy and how it fits into your container management strategy. It’s all basic for now, but if you plan to move to a virtual machine or cloud provider next year, your container management solution should be able to adapt to your environment now and in the future. Similarly, if you’ve already chosen a public cloud, you may want to make sure that the tool you choose supports some of the cloud options, but full compatibility may not be an important feature.

Infrastructure considerations extend beyond computing. Choosing a container management platform should be compatible with the existing network infrastructure and storage capacity available to your organization. If you have existing policy enforcement, monitoring, and alerting tools, the ideal solution should be able to take advantage of them. Moving to containers can be a game changer for developers and operations teams, so continuing to use existing tools to reduce complexity where possible can save time and money.

Leverage the reference architecture to guide your container management strategy

Questions for support transition

Using the examples as a guide, complete the tool to strategize your container management

Download the Reference Architecture

Bibliography

Mell, Emily. “What is container management and why is it important?” TechTarget, April 2021.
https://www.techtarget.com/searchitoperations/definition/container-management-software#:~:text=A%20container%20management%20ecosystem%20automates,operator%20to%20keep%20up%20with

Conrad, John. “What is Container Orchestration?” CapitalOne, 24 August 2020.
https://www.capitalone.com/tech/cloud/what-is-container-orchestration/?v=1673357442624

Kubernetes. “Cluster Networking.” Kubernetes, 2022.
https://kubernetes.io/docs/concepts/cluster-administration/networking/

Rancher. “Comparing Kubernetes CNI Providers: Flannel, Calico, Canal, and Weave.” Rancher, 2022.
https://www.suse.com/c/rancher_blog/comparing-kubernetes-cni-providers-flannel-calico-canal-and-weave/

Wilson, Bob. “16 Best Container Orchestration Tools and Services.” DevopsCube, 5 January 2022.
https://devopscube.com/docker-container-clustering-tools/

Decide if You Are Ready for SAFe

  • Buy Link or Shortcode: {j2store}355|cart{/j2store}
  • member rating overall impact: N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • Parent Category Name: Architecture & Strategy
  • Parent Category Link: /architecture-and-strategy
  • Complex application landscapes require delivery teams to work together and coordinate changes across multiple product lines and releases.
  • Leadership wants to balance strategic goals with localized prioritization of changes.
  • Traditional methodologies are not well suited to support enterprise agility: Scrum doesn’t scale easily, and Waterfall is too slow and risky.

Our Advice

Critical Insight

SAFe’s popularity is largely due to its structural resemblance to enterprise portfolio and project planning with top-down prioritization and decision making. This directly conflicts with Agile’s purpose and principles of empowerment and agility.

  • Poor culture, processes, governance, and leadership will disrupt any methodology. Many drivers for SAFe could be solved by improving and standardizing development and release management within current methodologies.
  • Few organizations are capable or should be applying a pure SAFe framework. Successful organizations have adopted and modified SAFe frameworks to best fit their needs, teams, value streams, and maturity.

Impact and Result

  • Start with a clear understanding of your needs, constraints, goals, and culture.
    • Start with an Agile readiness assessment. Agile is core to value realization.
    • Take the time to determine your drivers and goals.
    • If SAFe is right for you, selecting the right implementation partner is key.
  • Plan SAFe as a long-term enterprise cultural transformation requiring changes at all levels.

Decide if You Are Ready for SAFe Research & Tools

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Decide if You Are Ready for SAFe Storyboard – Research to help you understand where SAFe fits into delivery methodologies and determine if SAFe is right for your organization.

This deck will guide you to define your primary drivers for SAFe, assess your Agile readiness, define enablers and blockers, estimate implementation risk, and start your SAFe implementation plan.

  • Decide if You Are Ready for SAFe Storyboard

2. Scaled Agile Readiness Assessment – A tool to conduct an Agile readiness survey.

Start your journey with a clear understanding about the level of Agile and product maturity throughout the organization. Each area that lacks strength should be evaluated further and added to your journey map.

  • Scaled Agile Readiness Assessment

3. SAFe Transformation Playbook – A template to build a change management plan to guide your transition.

Define clear ownership for every critical step.

  • SAFe Transformation Playbook
[infographic]

Workshop: Decide if You Are Ready for SAFe

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

1 Understand where SAFe fits into delivery methodologies and SDLCs

The Purpose

Understand what is driving your proposed SAFe transformation and if it is the right framework for your organization.

Key Benefits Achieved

Better understanding of your scaled agile needs and drivers

Activities

1.1 Define your primary drivers for SAFe.

1.2 Create your own list of pros and cons of SAFe.

Outputs

List of primary drivers for SAFe

List of pros and cons of SAFe

2 Determine if you are ready for SAFe

The Purpose

Identify factors influencing a SAFe implementation and ensure teams are aware and prepared.

Key Benefits Achieved

Starting understanding of your organization’s readiness to implement a SAFe framework

Activities

2.1 Assess your Agile readiness.

2.2 Define enablers and blockers of scaling Agile delivery.

2.3 Estimate your SAFe implementation risk.

2.4 Start your SAFe implementation plan.

Outputs

Agile readiness assessment results

List of enablers and blockers of scaling Agile delivery

Estimated SAFe implementation risk

High-level SAFe implementation plan template

Further reading

Decide if You Are Ready for SAFe

Approach the Scaled Agile Framework (SAFe) with open eyes and an open wallet.

Analyst Perspective

Ensure that SAFe is the right move before committing.

Waterfall is dead. Or obsolete at the very least.

Organizations cannot wait months or years for product, service, application, and process changes. They need to embrace business agility to respond to opportunities more quickly and deliver value sooner. Agile established values and principles that have promoted smaller cycle times, greater connections between teams, improved return on investment (ROI) prioritization, and improved team empowerment.

Where organizations continue to struggle is matching localized Scrum teams with enterprise initiatives. This struggle is compounded by legacy executive planning cycles, which undermine Agile team authority. SAFe has provided a series of frameworks to help organizations deal with these issues. It combines enterprise planning and alignment with cross-team collaboration.

Don't rely on popularity or marketing to make your scaled Agile decision. SAFe is a highly disruptive transformation, and it requires extensive training, coaching, process changes, and time to implement. Without the culture shift to an Agile mindset at all levels, SAFe becomes a mirror of Waterfall processes dressed in SAFe names. Furthermore, SAFe itself will not fix problems with communication, requirements, development, testing, release, support, or governance. You will still need to fix these problems within the SAFe framework to be successful.

Hans Eckman, Principal Research Director, Applications Delivery and Management

Hans Eckman
Principal Research Director, Applications Delivery and Management
Info-Tech Research Group

Executive Summary

Your Challenge Common Obstacles Info-Tech's Approach
  • Complex application landscapes require delivery teams to work together and coordinate changes across multiple product lines and releases.
  • Leadership wants to maintain executive strategic planning with faster delivery of changes.
  • Traditional methodologies are not well suited to support enterprise agility.
    • Waterfall is too slow, inefficient, and full of accumulated risk.
    • Scrum is not easy to scale and requires behavioral changes.
  • Enterprise transformations are never fast or easy, and SAFe is positioned as a complete replacement of your delivery practices.
  • Teams struggle with SAFe's rigid framework, interconnected methodologies, and new terms.
  • Few organizations are successful at implementing a pure SAFe framework.
  • Organizations without scaled product families have difficulties organizing SAFe teams into proper value streams.
  • Team staffing and stability are hard to resolve.
Start with a clear understanding of your needs, constraints, goals, and culture.
  • Developing an Agile mindset is core to value realization. Start with Info-Tech's Agile Readiness Assessment.
  • Take the time to identify your drivers and goals.
  • If SAFe is right for you, build a transformation plan and select the right implementation partner.
Plan SAFe as a long-term enterprise cultural transformation, requiring changes at all levels.

Info-Tech Insight
SAFe is a highly disruptive enterprise transformation, and it won't solve your organizational delivery challenges by itself. Start with an open mind, and understand what is needed to support a multi-year cultural transition. Decide how far and how fast you are willing to transform, and make sure that you have the right transformation and coaching partner in place. There is no right software development lifecycle (SDLC) or methodology. Find or create the methodology that best aligns to your needs and goals.

Agile's Four Core Values

"...while there is value in the items on the right, we value the items on the left more."
- The Agile Manifesto

STOP! If you're not Agile, don't start with SAFe.

Agile over SAFe

Successful SAFe requires an Agile mindset at all levels.

Be aware of common myths around Agile and SAFe

SAFe does not...

1...solve development and communication issues.

2...ensure that you will finish requirements faster.

3...mean that you do not need planning and documentation.

"Without proper planning, organizations can start throwing more resources at the work, which spirals into the classic Waterfall issues of managing by schedule."
– Kristen Morton, Associate Implementation Architect,
OneShield Inc. (Info-Tech Interview)

Info-Tech Insight
Poor culture, processes, governance, and leadership will disrupt any methodology. Many drivers for SAFe could be solved by improving and standardizing development and release management within current methodologies.

Review the drivers that are motivating your organization to adopt and scale Agile practices

Functional groups have their own drivers to adopt Agile development processes, practices, and techniques (e.g. to improve collaboration, decrease churn, or increase automation). Their buy-in to scaling Agile is just as important as the buy-in of stakeholders.

If a group's specific needs and drivers are not addressed, its members may develop negative sentiments toward Agile development. These negative sentiments can affect their ability to see the benefits of Agile, and they may return to their old habits once the opportunity arises.

It is important to find opportunities in which both business objectives and functional group drivers can be achieved by scaling Agile development. This can motivate teams to continuously improve and adhere to the new environment, and it will maintain business buy-in. It can also be used to justify activities that specifically address functional group drivers.

Examples of Motivating Drivers for Scaling Agile

  • Improve artifact handoffs between development and operations.
  • Increase collaboration among development teams.
  • Reveal architectural and system risks early.
  • Expedite the feedback loop from support.
  • Improve capacity management.
  • Support development process innovation.
  • Create a safe environment to discuss concerns.
  • Optimize value streams.
  • Increase team engagement and comradery.

Don't start with scaled Agile!

Scaling Agile is a way to optimize product management and product delivery in application lifecycle management practices. Do not try to start with SAFe when the components are not yet in place.

Scaled Agile


Thought model describing how Agile connects Product Management to Product Delivery to elevate the entire Solution Lifecycle.

Scale Agile delivery to improve cross-functional dependencies and releases

Top Business Concerns When Scaling Agile

1 Organizational Culture: The current culture may not support team empowerment, learning from failure, and other Agile principles. SAFe also allows top-down decisions to persist.

2 Executive Support: Executives may not dedicate resources, time, and effort into removing obstacles to scaling Agile because of lack of business buy-in.

3 Team Coordination: Current collaboration structures may not enable teams and stakeholders to share information freely and integrate workflows easily.

4 Business Misalignment: Business vision and objectives may be miscommunicated early in development, risking poorly planned and designed initiatives and low-quality products.

Extending collaboration is the key to success.

Uniting stakeholders and development into a single body is the key to success. Assess the internal and external communication flow and define processes for planning and tracking work so that everyone is aware of how to integrate, communicate, and collaborate.

The goal is to enable faster reaction to customer needs, shorter release cycles, and improved visibility of the project's progress with cross-functional and diverse conversations.

Advantages of successful SAFe implementations

Once SAFe is complete and operational, organizations have seen measurable benefits:

  • Multiple frameworks to support different levels of SAFe usage
  • Deliberate and consistent planning and coordination
  • Coordinating dependencies within value streams
  • Reduced time to delivery
  • Focus on customers and end users
  • Alignment to business goals and value streams
  • Increased employee engagement

Sources: TechBeacon, 2019; Medium, 2020; "Benefits," Scaled Agile, 2023;
"Pros and Cons," PremierAgile, n.d.; "Scaling Agile Challenges," PremierAgile, n.d.

Advantages of successful SAFe implementations

Source: "Benefits," Scaled Agile, 2023

Recognize the difference between Scrum teams and the Scaled Agile Framework (SAFe)

SAFe provides a framework that aligns Scrum teams into coordinated release trains driven by top-down prioritization.

Scrum vs SAFe

Develop Your Agile Approach for a Successful Transformation

Source: Scaled Agile, Inc.

Info-Tech's IT Management & Governance Framework

Info-Tech's IT Management & Governance Framework

Info-Tech Insight
SAFe is an enterprise, culture, and process transformation that impacts all IT services. Some areas of Info-Tech's IT Management & Governance Framework have higher impacts and require special attention. Plan to include transformation support for each of these topics during your SAFe implementation. SAFe will not fix broken processes on its own.

Without adopting an Agile mindset, SAFe becomes Waterfall with SAFe terminology

Waterfall with SAFe terminology

Source: Scaled Agile, Inc.

Info-Tech Insight
When first implementing SAFe, organizations reproduce their organizational design and Waterfall delivery structures with SAFe terms:

  • Delivery Manager = Release Train Engineer
  • Stakeholder/Sponsor = Product Manager
  • Release = Release Train
  • Project/Program = Project or Portfolio

SAFe isn't without risks or challenges

Risks and Causes of Failed SAFe Transformations

  • SAFe conflicts with legacy cultures and delivery processes.
  • SAFe promotes continued top-down decisions, undermining team empowerment.
  • Scaled product families are required to define proper value streams.
  • Team empowerment and autonomy are reduced.
  • SAFe activities are poorly executed.
  • There are high training and coaching costs.
  • Implementation takes a long time.
  • End-to-end delivery management tools aligned to SAFe are required.
  • Legacy delivery challenges are not specifically solved with SAFe.
  • SAFe is designed to work for large-scale development teams.

Challenges

  • Adjusting to a new set of terms for common roles, processes, and activities
  • Executing planning cycles
  • Defining features and epics at the right level
  • Completing adequate requirements
  • Defining value streams
  • Coordinating releases and release trains
  • Providing consistent quality

Sources: TechBeacon, 2019; Medium, 2020; "Benefits," Scaled Agile, 2023;
"Pros and Cons," PremierAgile, n.d.; "Scaling Agile Challenges," PremierAgile, n.d.

Focus on your core competencies instead

Before undertaking an enterprise transformation, consider improving the underlying processes that will need to be fixed anyway. Fixing these areas while implementing SAFe compounds the effort and disruption.

Product Delivery

Product Management

"But big-bang transitions are hard. They require total leadership commitment, a receptive culture, enough talented and experienced agile practitioners to staff hundreds of teams without depleting other capabilities, and highly prescriptive instruction manuals to align everyone's approach."
– "Agile at Scale," Harvard Business Review

Insight Summary

Overarching insight
SAFe is a highly disruptive enterprise transformation, and it will not solve your organizational delivery challenges by itself. Start with an open mind, and understand what is needed to support a multi-year cultural transition. Decide how far and fast you are willing to transform and make sure that you have the right transformation and coaching partner in place.

SAFe conflicts with core Agile principles.
The popularity of SAFe is largely due to its structural resemblance to enterprise portfolio and project planning with top-down prioritization and decision-making. This directly conflicts with Agile's purpose and principles of empowerment and agility.

SAFe and Agile will not solve enterprise delivery challenges.
Poor culture, processes, governance, and leadership will disrupt any methodology. Many issues with drivers for SAFe could be solved by improving development and release management within current methodologies.

Most organizations should not be using a pure SAFe framework
Few organizations are capable of, or should be, applying a pure SAFe framework. Successful organizations have adopted and modified SAFe frameworks to best fit their needs, teams, value streams, and maturity.

Without an Agile mindset, SAFe will be executed as Waterfall stages using SAFe terminology.
Groups that "Do Agile" are not likely to embrace the behavioral changes needed to make any scaled framework effective. SAFe becomes a series of Waterfall PIs using SAFe terminology.

Your transformation does not start with SAFe.
Start your transition to scaled Agile with a maturity assessment for current delivery practices. Fixing broken process, tools, and teams must be at the heart of your initiative.

Blueprint Deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

Key Deliverable

SAFe Transformation Playbook

Build a transformation and organizational change management plan to guide your transition. Define clear ownership for every critical step.

Scaled Agile Readiness Assessment

Conduct the Agile readiness survey. Without an Agile mindset, SAFe will follow Waterfall or WaterScrumFall practices.

Case Study

Spotify's approach to Agile at scale

INDUSTRY: Digital Media
SOURCE: Unified Communications and Collaborations

Spotify's Scaling Agile Initiative

With rapid user adoption growth (over 15 million active users in under six years), Spotify had to find a way to maintain an Agile mindset across 30+ teams in three different cities, while maintaining the benefits of cross-functional collaboration and flexibility for future growth.

Spotify's Approach

Spotify found a fit-for-purpose way for the organization to increase team autonomy without losing the benefits of cross-team communication from economics of scale. Spotify focused on identifying dependencies that block or slow down work through a mix of reprioritization, reorganization, architectural changes, and technical solutions. The organization embraced dependencies that led to cross-team communication and built in the necessary flexibility to allow Agile to grow with the organization.

Spotify's scaling Agile initiative used interview processes to identify what each team depended on and how those dependencies blocked or slowed the team.

Squad refers to an autonomous Agile release team in this case study.

Case Study

Suncorp instilled dedicated communication streams to ensure cross-role collaboration and culture.

INDUSTRY: Insurance
SOURCE: Agile India, International Conference on Agile and Lean Software Development, 2014

Challenge Solution Results
  • Suncorp Group wanted to improve delivery and minimize risk. Suncorp realized that it needed to change its project delivery process to optimize business value delivery.
  • With five core business units, over 15,000 employees, and US$96 billion in assets, Suncorp had to face a broad set of project coordination challenges.
  • Suncorp decided to deliver all IT projects using Agile.
  • Suncorp created a change program consisting of five main streams of work, three of which dealt with the challenges specific to Agile culture:
    • People: building culture, leadership, and support
    • Communication: ensuring regular employee collaboration
    • Capabilities: blending training and coaching
  • Sponsorship from management and champions to advocate Agile were key to ensure that everyone was unified in a common purpose.
  • Having a dedicated communication stream was vital to ensure regular sharing of success and failure to enable learning.
  • Having a structured, standard approach to execute the planned culture change was integral to success.

Case Study

Nationwide embraces DevOps and improves software quality.

INDUSTRY: Insurance
SOURCE: Agile India, International Conference on Agile and Lean Software Development, 2014

Challenge Solution Results
  • In the past, Nationwide primarily followed a Waterfall development process. However, this method created conflicts between IT and business needs.
  • The organization began transitioning from Waterfall to Agile development. It has seen early successes with Agile: decrease in defects per release and more success in meeting delivery times.
  • Nationwide needed to respond more efficiently to changing market requirements and regulations and to increase speed to market.
  • Nationwide decided to take a DevOps approach to application development and delivery.
  • IT wanted to perform continuous integration and deployment in its environments.
  • Cross-functional teams were organically created, made up of members from the business and multiple IT groups, including development and operations.
  • DevOps allowed Nationwide to be more Agile and more responsive to its customers.
  • Teams were able to perform acceptance testing with their customers in parallel with development. This allowed immediate feedback to help steer the project in the right direction.
  • DevOps improved code quality by 50% over a three-year period and reduced user downtime by 70%.

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit Guided Implementation Workshop Consulting
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

Diagnostics and consistent frameworks are used throughout all four options.

Guided Implementation

What does a typical GI on this topic look like?

Phase 1

Call #1:

Scope your requirements, objectives, and specific challenges.

Call #2:

1.1.1 Define your primary drivers for SAFe.

1.1.2 Create your own list of pros and cons of SAFe.

Call #3:

1.2.1 Assess your Agile readiness.

1.2.2 Define enablers and blockers for scaling Agile delivery.

1.2.3 Estimate your SAFe implementation risk.

Call #4:

1.2.4 Start your SAFe implementation plan.

Summarize your results and plan your next steps.

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is one to four calls over the course of one to six weeks.

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

Pre-Planning Step 1.1 Step 1.2
Identify your stakeholders. Step 1.1 Understand where SAFe fits into your delivery methodologies and SDLCs. Step 1.2 Determine if you are ready for SAFe.
Activities 1. Determine stakeholders and subject matter experts.
2. Coordinate timing and participation.
3. Set goals and expectations for the workshop.
1.1.1 Define your primary drivers for SAFe.
1.1.2 Create your own list of pros and cons of SAFe
1.2.1 Assess your Agile readiness.
1.2.2 Define enablers and blockers for scaling Agile delivery.
1.2.3 Estimate your SAFe implementation risk.
1.2.4 Start your SAFe implementation plan.
Deliverables
  • Workshop schedule
  • Participant commitment
    • List of primary drivers for SAFe
    • List of pros and cons of SAFe
    • Agile Readiness Assessment results
    • List of enablers and blockers for scaling Agile delivery
    • Estimated SAFe implementation risk
    • Template for high-level SAFe implementation plan

    Supporting Your Agile Journey

    Enable Product Agile Delivery Executive Workshop Develop Your Agile Approach Spread Best Practices with an Agile Center of Excellence Implement DevOps Practices That Work Enable Organization-Wide Collaboration by Scaling Agile
    Number One Number two Number Three Number Four Number Five

    Align and prepare your IT leadership teams.

    Audience: Senior and IT delivery leadership

    Size: 8-16 people

    Time: 7 hours

    Tune Agile team practices to fit your organization culture.

    Audience: Agile pilot teams and subject matter experts (SMEs)

    Size: 10-20 people

    Time: 4 days

    Leverage Agile thought leadership to expand your best practices.

    Audience: Agile SMEs and thought leaders

    Size: 10-20 people

    Time: 4 days

    Build a continuous integration and continuous delivery pipeline.

    Audience: Product owners (POs) and delivery team leads

    Size: 10-20 people

    Time: 4 days

    Execute a disciplined approach to rolling out Agile methods.

    Audience: Agile steering team and SMEs

    Size: 3-8 people

    Time: 3 hours

    Repeat Legend

    Sample agendas are included in the following sections for each of these topics.

    Your Product Transformation Journey

    1. Make the Case for Product Delivery2. Enable Product Delivery - Executive Workshop3. Deliver on Your Digital Product Vision4. Deliver Digital Products at Scale5. Mature and Scale Product Ownership
    Align your organization with the practices to deliver what matters most.Participate in a one-day executive workshop to help you align and prepare your leadership.Enhance product backlogs, roadmapping, and strategic alignment.Scale product families to align with your organization's goals.Align and mature your product owners.

    Audience: Senior executives and IT leadership

    Size: 8-16 people

    Time: 6 hours

    Repeat Symbol

    Audience: Product owners/managers

    Size: 10-20 people

    Time: 3-4 days

    Repeat Symbol

    Audience: Product owners/managers

    Size: 10-20 people

    Time: 3-4 days

    Audience: Product owners/managers

    Size: 8-16 people

    Time: 2-4 days

    Repeat Symbol

    Repeat Legend

    Phase 1

    Determine if SAFe Is Right for Your Organization

    Phase 1
    1.1 Understand where SAFe fits into your delivery methodologies and SDLCs
    1.2 Determine if you are ready for SAFe (fit for purpose)

    This phase will walk you through the following activities:

    • 1.1.1 Define your primary drivers for SAFe.
    • 1.1.2 Create your own list of pros and cons of SAFe.
    • 1.2.1 Assess your Agile readiness.
    • 1.2.2 Define enablers and blockers for scaling Agile delivery.
    • 1.2.3 Estimate your SAFe implementation risk.
    • 1.2.4 Start your SAFe implementation plan.

    This phase involves the following participants:

    • Senior leadership
    • IT leadership
    • Project Management Office
    • Delivery managers
    • Product managers/owners
    • Agile thought leaders and coaches
    • Compliance teams leads

    Step 1.1

    Understand where SAFe fits into your delivery methodologies and SDLCs

    Activities
    1.1.1 Define your primary drivers for SAFe
    1.1.2 Create your own list of pros and cons of SAFe

    This step involves the following participants:

    • IT leadership
    • Delivery managers
    • Project management office
    • Product owners and managers
    • Development team leads
    • Portfolio managers
    • Architects

    Outcomes of this step:

    • List of primary drivers for SAFe
    • List of pros and cons of SAFe

    Agile's Four Core Values

    "...while there is value in the items on the right, we value the items on the left more."
    – The Agile Manifesto

    STOP! If you're not Agile, don't start with SAFe.

    Agile's Four Core Values

    Successful SAFe requires an Agile mindset at all levels.

    Be aware of common myths around Agile and SAFe

    SAFe does not...

    1...solve development and communication issues.

    2...ensure that you will finish requirements faster.

    3...mean that you do not need planning and documentation.

    "Without proper planning, organizations can start throwing more resources at the work, which spirals into the classic Waterfall issues of managing by schedule."
    – Kristen Morton, Associate Implementation Architect,
    OneShield Inc. (Info-Tech Interview)

    Info-Tech Insight
    SAFe only provides a framework and steps where these issues can be resolved.

    The importance of values and principles

    Modern development practices (such as Agile, Lean, and DevOps) are based on values and principles. This supports the move away from command-and-control management to self-organizing teams.

    Values

    • Values represent your team's core beliefs and capture what you want to instill in your team.

    Principles

    • Principles represent methods for solving a problem or deciding.
    • Given that principles are rooted in specifics, they can change more frequently because they are both fallible and conducive to learning.

    Consider the guiding principles of your application team

    Teams may have their own perspectives on how they deliver value and their own practices for how they do this. These perspectives can help you develop guiding principles for your own team to explain your core values and cement your team's culture. Guiding principles can help you:

    • Enable the appropriate environment to foster collaboration within current organizational, departmental, and cultural constraints
    • Foster the social needs that will engage and motivate your team in a culture that suits its members
    • Ensure that all teams are driven toward the same business and team goals, even if other teams are operating differently
    • Build organizational camaraderie aligned with corporate strategies

    Info-Tech Insight
    Following methodologies by the book can be detrimental if they do not fit your organization's needs, constraints, and culture. The ultimate goal of all teams is to deliver value. Any practices or activities that drive teams away from this goal should be removed or modified.

    Review the drivers that are motivating your organization to adopt and scale Agile practices

    Functional groups have their own drivers to adopt Agile development processes, practices, and techniques (e.g. to improve collaboration, decrease churn, or increase automation). Their buy-in to scaling Agile is just as important as the buy-in of stakeholders.

    By not addressing a group's specific needs and drivers, the resulting negative sentiments of its members toward Agile development can affect their ability to see the benefits of Agile and they may return to old habits once the opportunity arises.

    Find opportunities in which both business objectives and functional group drivers can be achieved with scaling Agile development. This alignment can motivate teams to continuously improve and adhere to the new environment, and it will maintain business buy-in. This assessment can also be used to justify activities that specifically address functional group drivers.

    Examples of Motivating Drivers for Scaling Agile

    • Improve artifact hand-offs between development and operations.
    • Increase collaboration among development teams.
    • Reveal architectural and system risks early.
    • Expedite the feedback loop from support.
    • Improve capacity management.
    • Support development process innovation.
    • Create a safe environment to discuss concerns.
    • Optimize value streams.
    • Increase team engagement and comradery.

    Exercise 1.1.1 Define your primary drivers for SAFe

    30 minutes

    • Brainstorm a list of drivers for scaling Agile.
    • Build a value canvas to help capture and align team expectations.
    • Identify jobs or functions that will be impacted by SAFe.
    • List your current pains and gains.
    • List the pain relievers and gain creators.
    • Identify the deliverable needed for a successful transformation.
    • Complete your SAFe value canvas in your SAFe Transformation Playbook.

    Enter the results in your SAFe Transformation Playbook.

    Input
    • Organizational understanding
    • Existing Agile delivery strategic plans
    Output
    • IT leadership
    • Delivery managers
    • Project management office
    • Product owners and managers
    • Development team leads
    • Portfolio managers
    • Architects

    SAFe Value Canvas Template

    SAFe Value Canvas Template

    Case Study

    A public utilities organization steadily lost stakeholder engagement, diminishing product quality.

    INDUSTRY: Public Utilities
    SOURCE: Info-Tech Expert Interview

    Challenge

    • The goal of a public utilities organization was to adopt Agile so it could quickly respond to changes and trim costs.
    • The organization decided to scale Agile using a structured approach. It began implementation with IT teams that were familiar with Agile principles and leveraged IT seniors as Agile champions. To ensure that Agile principles were widespread, the organization decided to develop a training program with vendor assistance.
    • As Agile successes began to be seen, the organization decided to increase the involvement of business teams gradually so it could organically grow the concept within the business.

    Results

    • Teams saw significant success with many projects because they could easily demonstrate deliverables and clearly show the business value. Over time, the teams used Agile for large projects with complex processing needs.
    • Teams continued to deliver small projects successfully, but business engagement waned over time. Some of the large, complex applications they delivered using Agile lacked the necessary functionality and appropriate controls and, in some cases, did not have the ability to scale due to a poor architectural framework. These applications required additional investment, which far exceeded the original cost forecasts.

    While Agile and product development are intertwined, they are not the same!

    Delivering products does not necessarily require an Agile mindset. However, Agile methods help to facilitate the journey because product thinking is baked into them.

    Agile and product development are intertwined

    Recognize the difference between Scrum teams and the Scaled Agile Framework (SAFe)

    SAFe provides a framework that aligns Scrum teams into coordinated release trains driven by top-down prioritization.

    Difference between Scrum and SAFe

    Develop Your Agile Approach for a Successful Transformation

    Without adopting an Agile mindset, SAFe becomes Waterfall with SAFe terminology

    Waterfall with SAFe terminology

    Info-Tech Insight
    When first implementing SAFe, organizations reproduce their organizational design and Waterfall delivery structures with SAFe terms:

    • Delivery Manager = Release Train Engineer
    • Stakeholder/Sponsor = Product Manager
    • Release = Release Train
    • Project/Program = Project or Portfolio

    Advantages of successful SAFe implementations

    Once SAFe is complete and operational, organizations have seen measurable benefits:

    • Multiple frameworks to support different levels of SAFe usage
    • Deliberate and consistent planning and coordination
    • Coordinating dependencies within value streams
    • Reduced time to delivery
    • Focus on customers and end users
    • Alignment to business goals and value streams
    • Increased employee engagement

    Sources: TechBeacon, 2019; Medium, 2020; "Benefits," Scaled Agile, 2023;
    "Pros and Cons," PremierAgile, n.d.; "Scaling Agile Challenges," PremierAgile, n.d.

    Advantages of successful SAFe implementations

    Source: "Benefits," Scaled Agile, 2023

    SAFe isn't without risks or challenges

    Risks and Causes of Failed SAFe Transformations

    • SAFe conflicts with legacy cultures and delivery processes.
    • SAFe promotes continued top-down decisions, undermining team empowerment.
    • Scaled product families are required to define proper value streams.
    • Team empowerment and autonomy are reduced.
    • SAFe activities are poorly executed.
    • There are high training and coaching costs.
    • Implementation takes a long time.
    • End-to-end delivery management tools aligned to SAFe are required.
    • Legacy delivery challenges are not specifically solved with SAFe.
    • SAFe is designed to work for large-scale development teams.

    Challenges

    • Adjusting to a new set of terms for common roles, processes, and activities
    • Executing planning cycles
    • Defining features and epics at the right level
    • Completing adequate requirements
    • Defining value streams
    • Coordinating releases and release trains
    • Providing consistent quality

    Sources: TechBeacon, 2019; Medium, 2020; "Benefits," Scaled Agile, 2023; "Pros and Cons," PremierAgile, n.d.; "Scaling Agile Challenges," PremierAgile, n.d.

    Exercise 1.1.2 Create your own list of the pros and cons of SAFe

    1 hour

    Pros Cons

    Enter the results in your SAFe Transformation Playbook

    Input
    • Organizational drivers
    • Analysis of SAFe
    • Estimate of fit for purpose
    Output
    • IT leadership
    • Delivery managers
    • Project management office
    • Product owners and managers
    • Development team leads
    • Portfolio managers
    • Architects

    Focus on your core competencies instead

    Before undertaking an enterprise transformation, consider improving the underlying processes that will need to be fixed anyway. Fixing these areas while implementing SAFe compounds the effort and disruption.

    Product Delivery

    Product Management

    "But big-bang transitions are hard. They require total leadership commitment, a receptive culture, enough talented and experienced agile practitioners to staff hundreds of teams without depleting other capabilities, and highly prescriptive instruction manuals to align everyone's approach."
    - "Agile at Scale," Harvard Business Review

    Step 1.2

    Determine if you are ready for SAFe (fit for purpose)

    Activities
    1.2.1 Assess your Agile readiness
    1.2.2 Define enablers and blockers for scaling Agile delivery
    1.2.3 Estimate your SAFe implementation risk
    1.2.4 Start your SAFe implementation plan

    This step involves the following participants:

    • IT leadership
    • Delivery managers
    • Project management office
    • Product owners and managers
    • Development team leads
    • Portfolio managers
    • Architects

    Outcomes of this step:

    • Agile Readiness Assessment results
    • Enablers and blockers for scaling Agile
    • SAFe implementation risk
    • SAFe implementation plan

    Use CLAIM to guide your Agile journey

    Use CLAIM to guide your Agile journey

    Conduct the Agile Readiness Assessment Survey

    Without an Agile mindset, SAFe will follow Waterfall or WaterScrumFall practices.

    • Start your journey with a clear understanding of the level of Agile and product maturity throughout your organization.
    • Each area that lacks strength should be evaluated further and added to your journey map.

    Chart of Agile Readiness

    Exercise 1.2.1 Assess your Agile readiness

    1 hour

    • Open and complete the Agile Readiness Assessment in your playbook or the Excel tool provided.
    • Discuss each area's high and low scores to reach a consensus.
    • Record your results in your SAFe Transformation Playbook.

    Chart of Agile Readiness

    Enter the results in Scaled Agile Readiness Assessment.

    Input
    • Organizational knowledge
    • Agile Readiness Assessment
    Output
    • IT leadership
    • Delivery managers
    • Project Management Office
    • Product owners and managers
    • Development team leads
    • Portfolio managers
    • Architects

    Exercise 1.2.2 Define enablers and blockers for scaling Agile delivery

    1 hour

    • Identify and mitigate blockers for scaling Agile in your organization.
      • Identify enablers who will support successful SAFe transformation.
      • Identify blockers who will make the transition to SAFe more difficult.
      • For each blocker, define at least one mitigating step.
    Enablers Blockers Mitigation

    Enter the results in your SAFe Transformation Playbook

    Input
    • Agile Readiness Assessment
    • Organizational knowledge
    Output
    • IT leadership
    • Delivery managers
    • Project management office
    • Product owners and managers
    • Development team leads
    • Portfolio managers
    • Architects

    Estimate your SAFe implementation risk

    Poor Fit High Risk Scaling Potential
    Team size <50 >150 or non-dedicated 50-150 dedicated
    Agile maturity Waterfall and project delivery Individual Scrum DevOps teams Scrum DevOps teams coordinating dependencies
    Product management maturity Project-driver changes from stakeholders Proxy product owners within delivery teams Defined product families and products
    Strategic goals Localized decisions Enterprise goals implemented at the app level Translation and refinement of enterprise goals through product families
    Enterprise architecture Siloed architecture standards Common architectures Future enterprise architecture and employee review board (ERB) reviews
    Release management Independent release schedules Formal release calendar Continuous integration/development (CI/CD) with organizational change management (OCM) scheduled cross-functional releases
    Requirements management and quality assurance Project based Partial requirements and test case coverage Requirements as an asset and test automation

    Exercise 1.2.3 Estimate your SAFe implementation risk

    30 minutes

    • Determine which description best matches your overall organizational state.
    • Enter the results in your SAFe Transformation Playbook.
    • Change the text to bold in the cell you selected to describe your current state and/or add a border around the cell.

    Chart of SAFe implementation risk

    Enter the results in SAFe Transformation Playbook.

    Input
    • Agile Readiness Assessment
    • Organizational knowledge
    Output
    • IT leadership
    • Delivery managers
    • Project management office
    • Product owners and managers
    • Development team leads
    • Portfolio managers
    • Architects

    Interpret your SAFe implementation risks

    Analyze your highlighted selections and patterns in the rows and columns. Use these factors to inform your SAFe implementation steps and timing.

    Interpret your SAFe implementation risks

    Build your implementation plan

    Build a transformation and organizational change management plan to guide your transition. Define clear ownership for every critical step.

    Plan your transformation.

    • Align stakeholders and thought leaders.
    • Select an implementation partner.
    • Insert critical steps.

    Build your SAFe framework.

    • Define your target SAFe framework.
    • Customize your SAFe framework.
    • Establish SAFe governance and reporting.
    • Insert critical steps.

    Implement SAFe practices.

    • Define product families and value streams.
    • Conduct SAFe training for:
      • Executive leadership
      • Agile SAFe coaches
      • Practitioners
    • Insert critical steps.

    For additional help with OCM, please download Master Organizational Change Management Practices.

    Exercise 1.2.4 Start your SAFe implementation plan

    30 minutes

    • Using the high-level SAFE implementation framework, begin building out the critical steps.
    • Record the results in your SAFe Transformation Playbook.
    • Your playbook is an evergreen document to help guide your implementation. It should be reviewed often.

    SAFe implementation plan

    Enter the results in your SAFe Transformation Playbook

    Input
    • SAFe readiness assessment
    • Enablers and blockers
    • Drivers for SAFe
    Output
    • IT leadership
    • Delivery managers
    • Project management office
    • Product owners and managers
    • Development team leads
    • Portfolio managers
    • Architects

    Select an implementation partner

    Finding the right SAFe implementation partner is critical to your transformation success.

    • Using your previous assessment, align internal and external resources to support your transformation.
    • Select a partner who has experience in similar organizations and is aligned with your delivery goals.
    • Plan to transition support to internal teams when SAFe practices have stabilized and moved into continuous improvement.
    • Augment your transformation partner with internal coaches.
    • Plan for a multiyear engagement before SAFe benefits are realized.

    Summary of Accomplishments

    Your journey begins.

    Implementing SAFe is a long, expensive, and difficult process. For some organizations, SAFe provides the balance of leadership-driven prioritization and control with shorter release cycles and time to value. The key is making sure that SAFe is right for you and you are ready for SAFe. Few organizations fit perfectly into one of the SAFe frameworks. Instead, consider fine-tuning and customizing SAFe to meet your needs and gradual transformation.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information.
    workshops@infotech.com
    1-888-670-8889

    Additional Support

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech Workshop.

    To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

    Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.

    Below are sample activities that will be conducted by Info-Tech analysts with your team:

    Scaled Agile Delivery Readiness Assessment
    This assessment will help identify enablers and blockers in your organizational culture using our CLAIM+G organization transformation model.

    SAFE Value Canvas
    Use a value campus to define jobs, pains, gains, pain relievers, gain creators, and needed deliverables to help inform and guide your SAFe transformation.

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Bibliography

    "6 Biggest SAFe Agile Implementation Mistakes to Avoid." Triumph Strategic Consulting, 27 July 2017.

    "The 7 Must-Haves for Achieving Scaling Agile Success." The 7 Must-Haves for Achieving Scaling Agile Success.

    Ageling, Willem-Jan. "11 Most Common Reasons to Use Scaled Agile Framework (SAFE) and How to Do This With Unscaled Scrum." Medium, Serious Scrum, 26 Jan. 2020.

    Agile India, International Conference on Agile and Lean Software Development, 2014.

    "Air France - KLM - Agile Adoption with SAFe." Scaled Agile, 28 Nov. 2022.

    "Application Development Trends 2019 - Global Survey Report." OutSystems.

    "Benefits of SAFe: How It Benefits Organizations." Scaled Agile, 13 Mar. 2023.

    Berkowitz, Emma. "The Cost of a SAFe(r) Implementation: CPRIME Blog." Cprime, 30 Jan. 2023.

    "Chevron - Adopting SAFe with Remote Workforce." Scaled Agile, 28 Nov. 2022.

    "Cisco It - Adopting Agile Development with SAFe." Scaled Agile, 13 Sept. 2022.

    "CMS - Business Agility Transformation Using SAFe." Scaled Agile, 13 Sept. 2022.

    Crain, Anthony. "4 Biggest Challenges in Moving to Scaled Agile Framework (SAFe)." TechBeacon, 25 Jan. 2019.

    "The Essential Role of Communications ." Project Management Institute .

    Gardiner, Phil. "SAFe Implementation: 4 Tips for Getting Started." Applied Frameworks, 20 Jan. 2022.

    "How Do I Start Implementing SAFe?" Agility in Mind, 29 July 2022.

    "How to Masterfully Screw Up Your SAFe Implementation." Wibas Artikel-Bibliothek, 6 Sept. 2022.

    "Implementation Roadmap." Scaled Agile Framework, 14 Mar. 2023.

    Islam, Ayvi. "SAFe Implementation 101 - The Complete Guide for Your Company." //Seibert/Media, 22 Dec. 2020.

    "Johnson Controls - SAFe Implementation Case Study." Scaled Agile, 28 Nov. 2022.

    "The New Rules and Opportunities of Business Transformation." KPMG.

    "Nokia Software - SAFe Agile Transformation." Scaled Agile, 28 Nov. 2022.

    Pichler, Roman. "What Is Product Management?" Romanpichler, 2014.

    "Product Documentation." ServiceNow.

    "Pros and Cons of Scaled Agile Framework." PremierAgile.

    "Pulse of the Profession Beyond Agility." Project Management Institute.

    R, Ramki. "Pros and Cons of Scaled Agile Framework (SAFe)." Medium, 3 Mar. 2019.

    R, Ramki. "When Should You Consider Implementing SAFe (Scaled Agile Framework)?" Medium, Medium, 3 Mar. 2019.

    Rigby, Darrell, Jeff Sutherland, and Andy Noble. "Agile at Scale: How to go from a few teams to hundreds." Harvard Business Review, 2018.

    "SAFe Implementation Roadmap." Scaled Agile Framework, Scaled Agile, Inc., 14 Mar. 2023.

    "SAFe Partner Cprime: SAFe Implementation Roadmap: Scaled Agile." Cprime, 5 Apr. 2023.

    "SAFe: The Good, the Bad, and the Ugly." Project Management Institute.

    "Scaled Agile Framework." Wikipedia, Wikimedia Foundation, 29 Mar. 2023.

    "Scaling Agile Challenges and How to Overcome Them." PremierAgile.

    "SproutLoud - a Case Study of SAFe Agile Planning." Scaled Agile, 29 Nov. 2022.

    "Story." Scaled Agile Framework, 13 Apr. 2023.

    Sutherland , Jeff. "Scrum: How to Do Twice as Much in Half the Time." Tedxaix, YouTube, 7 July 2014.

    Venema, Marjan. "6 Scaled Agile Frameworks - Which One Is Right for You?" NimbleWork, 23 Dec. 2022.

    Warner, Rick. "Scaled Agile: What It Is and Why You Need It." High-Performance Low-Code for App Development, OutSystems, 25 Oct. 2019.

    Watts, Stephen, and Kirstie Magowan. "The Scaled Agile Framework (SAFE): What to Know and How to Start." BMC Blogs, 9 Sept. 2020.

    "What Is SAFe? The Scaled Agile Framework Explained." CIO, 9 Feb. 2021.

    "Why Agile Transformations Fail: Four Common Culprits." Planview.

    "Why You Should Use SAFe (and How to Find SAFe Training to Help)." Easy Agile.

    Y., H. "Story Points vs. 'Ideal Days.'" Cargo Cultism, 19 Aug. 2010.

    Bibliography

    Enable Organization-Wide Collaboration by Scaling Agile

    Ambler, Scott W. "Agile Architecture: Strategies for Scaling Agile Development." Agile Modeling, 2012.

    - - -. "Comparing Approaches to Budgeting and Estimating Software Development Projects." AmbySoft.

    - - -. "Agile and Large Teams." Dr. Dobb's, 17 Jun 2008.

    Ambler, Scott W. and Mark Lines. Disciplined Agile Delivery: A Practitioner's Guide to Agile Software Delivery in the Enterprise. IBM Press, 2012.

    Ambler, Scott W., and Mark Lines. "Scaling Agile Software Development: Disciplined Agility at Scale." Disciplined Agile Consortium White Paper Series, 2014.

    AmbySoft. "2014 Agile Adoption Survey Results." Scott W. Ambler + Associates, 2014.

    Bersin, Josh. "Time to Scrap Performance Appraisals?" Forbes Magazine, 5 June 2013. Accessed 30 Oct. 2013..

    Cheese, Peter, et al. " Creating an Agile Organization." Accenture, Oct. 2009. Accessed Nov. 2013..

    Croxon, Bruce, et al. "Dinner Series: Performance Management with Bruce Croxon from CBC's 'Dragon's Den.'" HRPA Toronto Chapter. Sheraton Hotel, Toronto, ON, 12 Nov. 2013. Panel discussion.

    Culbert, Samuel. "10 Reasons to Get Rid of Performance Reviews." Huffington Post Business, 18 Dec. 2012. Accessed 28 Oct. 2013.

    Denning, Steve. "The Case Against Agile: Ten Perennial Management Objections." Forbes Magazine, 17 Apr. 2012. Accessed Nov. 2013.

    Estis, Ryan. "Blowing up the Performance Review: Interview with Adobe's Donna Morris." Ryan Estis & Associates, 17 June 2013. Accessed Oct. 2013.

    Heikkila et al. "A Revelatory Case Study on Scaling Agile Release Planning." EUROMICRO Conference on Software Engineering and Advanced Applications (SEAA), 2010.

    Holler, Robert, and Ian Culling. "From Agile Pilot Project to Enterprise-Wide Deployment: Five Sure-Fire Ways To Fail When You Scale." VersionOne, 2010.

    Kniberg, Henrik, and Anders Ivarsson, "Scaling Agile @ Spotify," Unified Communications and Collaborations, 2012.

    Narayan, Sriram. "Agile IT Organization Design: For Digital Transformation and Continuous Delivery." Addison-Wesley Professional, 2015.

    Shrivastava, NK, and Phillip George. "Scaling Agile." RefineM, 2015.

    Sirkia, Rami, and Maarit Laanti. "Lean and Agile Financial Planning." Scaled Agile Framework Blog, 2014.

    Scaled Agile Framework (SAFe). "Agile Architecture." Scaled Agile Inc., 2015.

    VersionOne. 9th Annual: State of Agile Survey. VersionOne, LLC, 2015.

    Appendix A: Supporting Info-Tech Research

    Transformation topics and supporting research to make your journey easier, with less rework

    Supporting research and services

    Improving IT Alignment

    Build a Business-Aligned IT Strategy
    Success depends on IT initiatives clearly aligned to business goals, IT excellence, and driving technology innovation.

    Make Your IT Governance Adaptable
    Governance isn't optional, so keep it simple and make it flexible.

    Create an IT View of the Service Catalog
    Unlock the full value of your service catalog with technical components.

    Application Portfolio Management Foundations
    Ensure your application portfolio delivers the best possible return on investment.

    Shifting Toward Agile DevOps

    Agile/DevOps Research Center
    Access the tools and advice you need to be successful with Agile.

    Develop Your Agile Approach for a Successful Transformation
    Understand Agile fundamentals, principles, and practices so you can apply them effectively in your organization.

    Implement DevOps Practices That Work
    Streamline business value delivery through the strategic adoption of DevOps practices.

    Perform an Agile Skills Assessment
    Being Agile isn't about processes, it's about people.

    Define the Role of Project Management in Agile and Product-Centric Delivery
    Projects and products are not mutually exclusive.

    Shifting Toward Product Management

    Make the Case for Product Delivery
    Align your organization on the practices to deliver what matters most.

    Deliver on Your Digital Product Vision
    Build a product vision your organization can take from strategy through execution.

    Deliver Digital Products at Scale
    Deliver value at the scale of your organization through defining enterprise product families.

    Mature and Scale Product Ownership
    Strengthen the product owner role in your organization by focusing on core capabilities and proper alignment.

    Build a Value Measurement Framework
    Focus product delivery on business value- driven outcomes.

    Improving Value and Delivery Metrics

    Build a Value Measurement Framework
    Focus product delivery on business value-driven outcomes.

    Create a Holistic IT Dashboard
    Mature your IT department by measuring what matters.

    Select and Use SDLC Metrics Effectively
    Be careful what you ask for, because you will probably get it.

    Reduce Time to Consensus With an Accelerated Business Case
    Expand on the financial model to give your initiative momentum.

    Improving Governance, Prioritization, and Value

    Make Your IT Governance Adaptable
    Governance isn't optional, so keep it simple and make it flexible.

    Maximize Business Value From IT Through Benefits Realization
    Embed benefits realization into your governance process to prioritize IT spending and confirm the value of IT.

    Drive Digital Transformation With Platform Strategies
    Innovate and transform your business models with digital platforms.

    Succeed With Digital Strategy Execution
    Building a digital strategy is only half the battle: create a systematic roadmap of technology initiatives to execute the strategy and drive digital transformation.

    Build a Value Measurement Framework
    Focus product delivery on business value-driven outcomes.

    Create a Holistic IT Dashboard
    Mature your IT department by measuring what matters.

    Improving Requirements Management and Quality Assurance

    Requirements Gathering for Small Enterprises
    Right-size the guidelines of your requirements gathering process.

    Improve Requirements Gathering
    Back to basics: great products are built on great requirements.

    Build a Software Quality Assurance Program
    Build quality into every step of your SDLC.

    Automate Testing to Get More Done
    Drive software delivery throughput and quality confidence by extending your automation test coverage.

    Manage Your Technical Debt
    Make the case to manage technical debt in terms of business impact.

    Create a Business Process Management Strategy
    Avoid project failure by keeping the "B" in BPM.

    Build a Winning Business Process Automation Playbook
    Optimize and automate your business processes with a user-centric approach.

    Improving Release Management

    Optimize Applications Release Management
    Build trust by right-sizing your process using appropriate governance.

    Streamline Application Maintenance
    Effective maintenance ensures the long-term value of your applications.

    Streamline Application Management
    Move beyond maintenance to ensure exceptional value from your apps.

    Optimize IT Change Management
    Right-size IT change management to protect the live environment.

    Manage Your Technical Debt
    Make the case to manage technical debt in terms of business impact.

    Improve Application Development Throughput
    Drive down your delivery time by eliminating development inefficiencies and bottlenecks while maintaining high quality.

    Improving Business Relationship Management

    Embed Business Relationship Management in IT
    Show that IT is worthy of Trusted Partner status.

    Mature and Scale Product Ownership
    Strengthen the product owner role in your organization by focusing on core capabilities and proper alignment.

    Improving Security

    Build an Information Security Strategy
    Create value by aligning your strategy to business goals and business risks.

    Develop and Deploy Security Policies
    Enhance your overall security posture with a defensible and prescriptive policy suite.

    Simplify Identity and Access Management
    Leverage risk- and role-based access control to quantify and simplify the identity and access management (IAM) process.

    Improving and Supporting Business-Managed Applications

    Embrace Business-Managed Applications
    Empower the business to implement their own applications with a trusted business-IT relationship.

    Enhance Your Solution Architecture Practices
    Ensure your software systems solution is architected to reflect stakeholders' short- and long-term needs.

    Satisfy Digital End Users With Low- and No-Code
    Extend IT, automation, and digital capabilities to the business with the right tools, good governance, and trusted organizational relationships.

    Build Your First RPA Bot
    Support RPA delivery with strong collaboration and management foundations.

    Automate Work Faster and More Easily With Robotic Process Automation
    Embrace the symbiotic relationship between the human and digital workforce.

    Improving Business Intelligence, Analytics, and Reporting

    Modernize Data Architecture for Measurable Business Results
    Enable the business to achieve operational excellence, client intimacy, and product leadership with an innovative, agile, and fit-for-purpose data architecture practice.

    Build a Reporting and Analytics Strategy
    Deliver actionable business insights by creating a business-aligned reporting and analytics strategy.

    Build Your Data Quality Program
    Quality data drives quality business decisions.

    Design Data-as-a-Service
    Journey to the data marketplace ecosystems.

    Build a Robust and Comprehensive Data Strategy
    Learn about the key to building and fostering a data-driven culture.

    Build an Application Integration Strategy
    Level the table before assembling the application integration puzzle or risk losing pieces.

    Appendix B: SDLC Transformation Steps

    Waterfall SDLC

    Valuable product delivered at the end of an extended project lifecycle, frequently in years

    Waterfall SDLC

    • Business is separated from the delivery of technology it needs. Only one-third of the product is actually valuable (ITRG, N=40,000).
    • In Waterfall, a team of experts in specific disciplines hand off different aspects of the lifecycle.
    • Document sign-offs are required to ensure integration between silos (Business, Development, and Operations) and individuals.
    • A separate change-request process lays over the entire lifecycle to prevent changes from disrupting delivery.
    • Tools are deployed to support a specific role (e.g. BA) and seldom integrated (usually requirements <-> test).

    Wagile/Agifall/WaterScrumFall SDLC

    Valuable product delivered in multiple releases

     Wagile/Agifall/WaterScrumFall SDLC

    • Business is more closely integrated by a business product owner, who is accountable for day-to-day delivery of value for users.
    • The team collaborates and develops cross-functional skills as they define, design, build, and test code over time.
    • Sign-offs are reduced but documentation is still focused on satisfying project delivery and operations policy requirements.
    • Change is built into the process to allow the team to respond to change dynamically.
    • Tools start to be integrated to streamline delivery (usually requirements and Agile work management tools).

    Agile SDLC

    Valuable product delivered iteratively: frequency depends Ops' capacity

    Agile SDLC

    • Business users are closely integrated through regularly scheduled demos (e.g. every two weeks).
    • Team is fully cross-functional and collaborates to plan, define, design, build, and test the code, supported by specialists.
    • Documentation is focused on future development and operations needs.
    • Change is built into the process to allow the team to respond to change dynamically.
    • Automation is explored for application development (e.g. automated regression testing).

    Agile With DevOps SDLC

    High frequency iterative delivery of valuable product (e.g. every two weeks)

     Agile With DevOps SDLC

    • Business users are closely integrated through regularly scheduled demos.
    • Development and operations teams collaborate to plan, define, design, build, test, and deploy code, supported by automation.
    • Documentation is focused on supporting users, future changes, and operational support.
    • Change is built into the process to allow the team to respond to change dynamically.
    • Test, build, deploy process is fully automated. (Service desk is still separated.)

    DevOps SDLC

    Continuous integration and delivery

     DevOps SDLC

    • Business users are closely integrated through regularly scheduled demos.
    • Fully integrated DevOps team collaborates to plan, define, design, build, test, deploy, and maintain code.
    • Documentation is focused on future development and use adoption.
    • Change is built into the process to allow the team to respond to change dynamically.
    • Development and operations toolchain are fully integrated.

    Fully integrated product SDLC

    Agile + DevOps + continuous delivery of valuable product on demand

     Fully integrated product SDLC

    • Business users are fully integrated with the teams through dedicated business product owner.
    • Cross-functional teams collaborate across the business and technical life of the product.
    • Documentation supports internal and external needs (business, users, operations).
    • Change is built into the process to allow the team to respond to change dynamically.
    • Toolchain is fully integrated (including service desk).

    Appendix C: Understanding Agile Scrum Practices and Ceremonies

    Cultural advantages of Agile

    Cultural advantages of Agile

    Agile* SDLC

    With shared ownership instead of silos, we are able to deliver value at the end of every iteration (aka sprint)

    Agile SDLC

    Key Elements of the Agile SDLC

    • You are not "one and done." There are many short iterations with constant feedback.
    • There is an empowered product owner. This is a single authoritative voice who represents stakeholders.
    • There is a fluid product backlog. This enables prioritization of requirements "just-in-time."
    • There is a cross-functional, self-managing team. This team makes commitments and is empowered by the organization to do so.
    • There is working, tested code at the end of each sprint: Value becomes more deterministic along sprint boundaries.
    • Stakeholders are allowed to see and use the functionality and provide necessary feedback.
    • Feedback is being continuously injected back into the product backlog. This shapes the future of the solution.
    • There is continuous improvement through sprint retrospectives.
    • The virtuous cycle of sprint-demo-feedback is internally governed when done right.

    * There are many Agile methodologies to choose from, but Scrum is by far the most widely used (and is shown above).

    Understand the Scrum process

    The scrum process coordinates multiple stakeholders to deliver on business priorities.

    Understand the Scrum process

    Understand the ceremonies part of the scrum process

     Understand the ceremonies part of the scrum process

    Scrum vs. Kanban: Key differences

    Scrum vs. Kanban: Key differences

    Scrum vs. Kanban: When to use each

    Scrum

    Related or grouped changes are delivered in fixed time intervals.

    Use when:

    • Coordinating the development or release of related items
    • Maturing a product or service
    • Coordinating interdependencies between work items

    Kanban

    Independent items are delivered as soon as each is ready.

    Use when:

    • Completing work items from ticketing or individual requests
    • Completing independent changes
    • Releasing changes as soon as possible

    Appendix D: Improving Product Management

    Product delivery realizes value for your product family

    While planning and analysis are done at the family level, work and delivery are done at the individual product level.

    Product delivery realizes value for your product family

    Manage and communicate key milestones

    Successful product-delivery managers understand and define key milestones in their product-delivery lifecycles. These milestones need to be managed along with the product backlog and roadmap.

    Manage and communicate key milestones

    Info-Tech Best Practice
    Product management is not just about managing the product backlog and development cycles. Teams need to manage key milestones, such as learning milestones, test releases, product releases, phase gates, and other organizational checkpoints.

    A backlog stores and organizes product backlog items (PBIs) at various stages of readiness

    Organize product backlog at various stages of readiness

    A well-formed backlog can be thought of as a DEEP backlog:

    Detailed Appropriately: PBIs are broken down and refined as necessary.

    Emergent: The backlog grows and evolves over time as PBIs are added and removed.

    Estimated: The effort that a PBI requires is estimated at each tier.

    Prioritized: A PBI's value and priority are determined at each tier.

    Source: Perforce, 2018

    Backlog tiers facilitate product planning steps

    Ranging from the intake of an idea to a PBI ready for development; to enter the backlog, each PBI must pass through a given quality filter.

    Backlog tiers facilitate product planning steps

    Each activity is a variation of measuring value and estimating effort in order to validate and prioritize a PBI.

    A PBI successfully completes an activity and moves to the next backlog tier when it meets the appropriate criteria. Quality filters should exist between each tier.

    Use quality filters to ensure focus on the most important PBIs

    Expand the concepts of defining "ready" and "done" to include the other stages of a PBI's journey through product planning.

    Use quality filters to ensure focus on the most important PBIs

    Info-Tech Best Practice
    A quality filter ensures that quality is met and the appropriate teams are armed with the correct information to work more efficiently and improve throughput.

    Define product value by aligning backlog delivery with roadmap goals

    In each product plan, the backlogs show what you will deliver. Roadmaps identify when and in what order you will deliver value, capabilities, and goals.

    Define product value by aligning backlog delivery with roadmap goals

    Product roadmaps guide delivery and communicate your strategy

    In "Deliver on Your Digital Product Vision," we demonstrate how a product roadmap is core to value realization. The product roadmap is your communicated path. As a product owner, you use it to align teams and changes to your defined goals, as well as your product to enterprise goals and strategy.

    Product roadmaps guide delivery and communicate your strategy

    Info-Tech Insight
    The quality of your product backlog - and your ability to realize business value from your delivery pipeline - is directly related to the input, content, and prioritization of items in your product roadmap.

    Info-Tech's approach

    Operationally align product delivery to enterprise goals

    Operationally align product delivery to enterprise goals

    The Info-Tech Difference

    Create a common definition of what a product is and identify the products in your inventory.

    Use scaling patterns to build operationally aligned product families.

    Develop a roadmap strategy to align families and products to enterprise goals and priorities.

    Use products and families to assess value realization.

    Optimize IT Project Intake, Approval, and Prioritization

    • Buy Link or Shortcode: {j2store}433|cart{/j2store}
    • member rating overall impact: 9.5/10 Overall Impact
    • member rating average dollars saved: $124,419 Average $ Saved
    • member rating average days saved: 31 Average Days Saved
    • Parent Category Name: Portfolio Management
    • Parent Category Link: /portfolio-management
    • Companies are approving more projects than they can deliver. Most organizations say they have too many projects on the go and an unmanageable and ever-growing backlog of things to get to.
    • While organizations want to achieve a high throughput of approved projects, many are unable or unwilling to allocate an appropriate level of IT resourcing to adequately match the number of approved initiatives.
    • Portfolio management practices must find a way to accommodate stakeholder needs without sacrificing the portfolio to low-value initiatives that do not align with business goals.

    Our Advice

    Critical Insight

    • Approve only the right projects that you have capacity to deliver. Failure to align projects with strategic goals and resource capacity are the most common causes of portfolio waste across organizations.
    • More time spent with stakeholders during the ideation phase to help set realistic expectations for stakeholders and enhance visibility into IT’s capacity and processes is key to both project and organizational success.
    • Too much intake red tape will lead to an underground economy of projects that escape portfolio oversight, while too little intake formality will lead to a wild west of approvals that could overwhelm the PMO. Finding the right balance of intake formality for your organization is the key to establishing a PMO that has the ability to focus on the right things.

    Impact and Result

    • Establish an effective scorecard to create transparency into IT’s capacity and processes. This will help set realistic expectations for stakeholders, eliminate “squeaky wheel” prioritization, and give primacy to the highest value requests.
    • Build a centralized process that funnels requests into a single intake channel to eliminate confusion and doubt for stakeholders and staff while also reducing off-the-grid initiatives.
    • Clearly define a series of project approval steps, and communicate requirements for passing them.
    • Develop practices that incorporate the constraint of resource capacity to cap the amount of project approvals to that which is realistic to help improve the throughput of projects through the portfolio.

    Optimize IT Project Intake, Approval, and Prioritization Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should optimize project intake, approval, and prioritization process, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Set realistic goals for optimizing project intake, approval, and prioritization process

    Get value early by piloting a scorecard for objectively determining project value, and then examine your current state of project intake to set realistic goals for optimizing the process.

    • Optimize Project Intake, Approval, and Prioritization – Phase 1: Set Realistic Goals for Optimizing Process
    • Project Value Scorecard Development Tool
    • Project Intake Workflow Template - Visio
    • Project Intake Workflow Template - PDF
    • Project Intake, Approval, and Prioritization SOP

    2. Build an optimized project intake, approval, and prioritization process

    Take a deeper dive into each of the three processes – intake, approval, and prioritization – to ensure that the portfolio of projects is best aligned to stakeholder needs, strategic objectives, and resource capacity.

    • Optimize Project Intake, Approval, and Prioritization – Phase 2: Build New Optimized Processes
    • Light Project Request Form
    • Detailed Project Request Form
    • Project Intake Classification Matrix
    • Benefits Commitment Form Template
    • Proposed Project Technology Assessment Tool
    • Fast Track Business Case Template
    • Comprehensive Business Case Template
    • Project Intake and Prioritization Tool

    3. Integrate the new optimized processes into practice

    Plan a course of action to pilot, refine, and communicate the new optimized process using Info-Tech’s expertise in organizational change management.

    • Optimize Project Intake, Approval, and Prioritization – Phase 3: Integrate the New Processes into Practice
    • Intake Process Pilot Plan Template
    • Project Backlog Manager
    • Intake and Prioritization Impact Analysis Tool
    [infographic]

    Workshop: Optimize IT Project Intake, Approval, and Prioritization

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Refocus on Project Value to Set Realistic Goals

    The Purpose

    Set the course of action for optimizing project intake, approval, and prioritization by examining the current state of the process, the team, the stakeholders, and the organization as a whole.

    Key Benefits Achieved

    The overarching goal of optimizing project intake, approval, and prioritization process is to maximize the throughput of the best projects. To achieve this goal, one must have a clear way to determine what are “the best” projects.

    Activities

    1.1 Define the criteria with which to determine project value.

    1.2 Envision your target state for your optimized project intake, approval, and prioritization process.

    Outputs

    Draft project valuation criteria

    Examination of current process, definition of process success criteria

    2 Examine, Optimize, and Document the New Process

    The Purpose

    Drill down into, and optimize, each of the project intake, approval, and prioritization process.

    Key Benefits Achieved

    Info-Tech’s methodology systemically fits the project portfolio into its triple constraint of stakeholder needs, strategic objectives, and resource capacity, to effectively address the challenges of establishing organizational discipline for project intake.

    Activities

    2.1 Conduct retrospectives of each process against Info-Tech’s best practice methodology for project intake, approval, and prioritization process.

    2.2 Pilot and customize a toolbox of deliverables that effectively captures the right amount of data developed for informing the appropriate decision makers for approval.

    Outputs

    Documentation of new project intake, approval, and prioritization process

    Tools and templates to aid the process

    3 Pilot, Plan, and Communicate the New Process

    The Purpose

    Reduce the risks of prematurely implementing an untested process.

    Methodically manage the risks associated with organizational change and maximize the likelihood of adoption for the new process.

    Key Benefits Achieved

    Engagement paves the way for smoother adoption. An “engagement” approach (rather than simply “communication”) turns stakeholders into advocates who can help boost your message, sustain the change, and realize benefits without constant intervention or process command-and-control.

    Activities

    3.1 Create a plan to pilot your intake, approval, and prioritization process to refine it before rollout.

    3.2 Analyze the impact of organizational change through the eyes of PPM stakeholders to gain their buy-in.

    Outputs

    Process pilot plan

    Organizational change communication plan

    Further reading

    Optimize IT Project Intake, Approval, and Prioritization

    Decide which IT projects to approve and when to start them.

    ANALYST PERSPECTIVE

    Capacity-constrained intake is the only sustainable path forward.

    "For years, the goal of project intake was to select the best projects. It makes sense and most people take it on faith without argument. But if you end up with too many projects, it’s a bad strategy. Don’t be afraid to say NO or NOT YET if you don’t have the capacity to deliver. People might give you a hard time in the near term, but you’re not helping by saying YES to things you can’t deliver."

    Barry Cousins,

    Senior Director, PMO Practice

    Info-Tech Research Group

    Our understanding of the problem

    This Research Is Designed For:

    • PMO Directors who have trouble with project throughput
    • CIOs who want to improve IT’s responsive-ness to changing needs of the business
    • CIOs who want to maximize the overall business value of IT’s project portfolio

    This Research Will Help You:

    • Align project intake and prioritization with resource capacity and strategic objectives
    • Balance proactive and reactive demand
    • Reduce portfolio waste on low-value projects
    • Manage project delivery expectations and satisfaction of business stakeholders
    • Get optimized project intake processes off the ground with low-cost, high-impact tools and templates

    This Research Will Also Assist:

    • C-suite executives and steering committee members who want to ensure IT’s successful delivery of projects with high business impact
    • Project sponsors and product owners who seek visibility and transparency toward proposed projects

    This Research Will Help Them:

    • Ensure that high-impact projects are approved and delivered in a timely manner
    • Gain clarity and visibility in IT’s project approval process
    • Improve your understanding of IT’s capacity to set more realistic expectations on what gets done

    Executive summary

    Situation

    • As a portfolio manager, you do not have the authority to decline or defer new projects – but you also lack the capacity to realistically say yes to more project work.
    • Stakeholders have unrealistic expectations of what IT can deliver. Too many projects are approved, and it may be unclear why their project is delayed or in a state of suspended animation.

    Complication

    • The cycle of competition is making it increasingly difficult to follow a longer-term strategy during project intake, making it unproductive to approve projects for any horizon longer than one to two years.
    • As project portfolios become more aligned to “transformative” projects, resourcing for smaller, department-level projects becomes increasingly opaque.

    Resolution

    • Establish an effective scorecard to create transparency into IT’s capacity and processes. This will help set realistic expectations for stakeholders, eliminate “squeaky wheel” prioritization, and give primacy to the highest value requests.
    • Build a centralized process that funnels requests into a single intake channel to eliminate confusion and doubt for stakeholders and staff while also reducing off-the-grid initiatives.
    • Clearly define a series of project approval steps, and communicate requirements for passing them.
    • Developing practices that incorporate the constraint of resource capacity to cap the amount of project approvals to that which is realistic will help improve the throughput of projects through the portfolio.

    Info-Tech Insight

    1. Approve only the right projects… Counterbalance stakeholder needs with strategic objectives of the business and that of IT, in order to maintain the value of your project portfolio at a high level.
    2. …that you have capacity to deliver. Resource capacity-informed project approval process enables you to avoid biting off more than you can chew and, over time, build a track record of fulfilling promises to deliver on projects.

    Most organizations are good at approving projects, but bad at starting them – and even worse at finishing them

    Establishing project intake discipline should be a top priority from a long-term strategy and near-term tactical perspective.

    Most organizations approve more projects than they can finish. In fact, many approve more than they can even start, leading to an ever-growing backlog where project ideas – often good ones – are never heard from again.

    The appetite to approve more runs directly counter to the shortage of resources that plagues most IT departments. This tension of wanting more from less suggests that IT departments need to be more disciplined in choosing what to take on.

    Info-Tech’s data shows that most IT organizations struggle with their project backlog (Source: N=397 organizations, Info-Tech Research Group PPM Current State Scorecard, 2017).

    “There is a minimal list of pending projects”

    A bar graph is depicted. It has 5 bars to show that when it comes to minimal lists of pending projects, 34% strongly disagree, 35% disagree, and 21% are ambivalent. Only 7% agree and 3% strongly agree.

    “Last year we delivered the number of projects we anticipated at the start of the year”

    A bar graph is depicted. It has 5 bars to show that when it comes to the number of projects anticipated at the start of the year, they were delivered. Surveyors strongly disagreed at 24%, disagreed at 31%, and were ambivalent at 30%. Only 13% agreed and 2% strongly agreed.

    The concept of fiduciary duty demonstrates the need for better discipline in choosing what projects to take on

    Unless someone is accountable for making the right investment of resource capacity for the right projects, project intake discipline cannot be established effectively.

    What is fiduciary duty?

    Officers and directors owe their corporation the duty of acting in the corporation’s best interests over their own. They may delegate the responsibility of implementing the actions, but accountability can't be delegated; that is, they have the authority to make choices and are ultimately answerable for them.

    No question is more important to the organization’s bottom line. Projects directly impact the bottom line because they require investment of resource time and money for the purposes of realizing benefits. The scarcity of resources requires that choices be made by those who have the right authority.

    Who approves your projects?

    Historically, the answer would have been the executive layer of the organization. However, in the 1990s management largely abdicated its obligation to control resources and expenditures via “employee empowerment.”

    Controls on approvals became less rigid, and accountability for choosing what to do (and not do) shifted onto the shoulders of the individual worker. This creates a current paradigm where no one is accountable for the malinvestment…

    …of resources that comes from approving too many projects. Instead, it’s up to individual workers to sink or swim as they attempt to reconcile, day after day, seemingly infinite organizational demand with their finite supply of working hours.

    Ad hoc project selection schemes do not work

    Without active management, reconciling the imbalance between demand with available work hours is a struggle that results largely in one of these two scenarios:

    “Squeaky wheel”: Projects with the most vocal stakeholders behind them are worked on first.

    • IT is seen to favor certain lines of business, leading to disenfranchisement of other stakeholders.
    • Everything becomes the highest priority, which reinforces IT’s image as a firefighter, rather than a business value contributor
    • High-value projects without vocal support never get resourced; opportunities are missed.

    “First in, first out”: Projects are approved and executed in the order they are requested.

    • Urgent or important projects for the business languish in the project backlog; opportunities are missed.
    • Low-value projects dominate the project portfolio.
    • Stakeholders leave IT out of the loop and resort to “underground economy” for getting their needs addressed.

    80% of organizations feel that their portfolios are dominated by low-value initiatives that do not deliver value to the business (Source: Cooper).

    Approve the right projects that you have capacity to deliver by actively managing the intake of projects

    Project intake, approval, and prioritization (collectively “project intake”) reconciles the appetite for new projects with available resource capacity and strategic goals.

    Project intake is a key process of project portfolio management (PPM). The Project Management Institute (PMI) describes PPM as:

    "Interrelated organizational processes by which an organization evaluates, selects, prioritizes, and allocates its limited internal resources to best accomplish organizational strategies consistent with its vision, mission, and values."

    (PMI, Standard for Portfolio Management, 3rd ed.)

    Triple Constraint Model of the Project Portfolio

    Project Intake:

    • Stakeholder Need
    • Strategic Objectives
    • Resource Capacity

    All three components are required for the Project Portfolio

    Organizations practicing PPM recognize available resource capacity as a constraint and aim to select projects – and commit the said capacity – to projects that:

    1. Best satisfy the stakeholder needs that constantly change with the market
    2. Best align to the strategic objectives and contribute the most to business
    3. Have sufficient resource capacity available to best ensure consistent project throughput

    92% vs. 74%: 92% of high-performing organizations in PPM report that projects are well aligned to strategic initiatives vs. 74% of low performers (PMI, 2015).

    82% vs. 55%: 82% of high-performing organizations in PPM report that resources are effectively reallocated across projects vs. 55% of low performers (PMI, 2015)

    Info-Tech’s data demonstrates that optimizing project intake can also improve business leaders’ satisfaction of IT

    CEOs today perceive IT to be poorly aligned to business’ strategic goals:

    43% of CEOs believe that business goals are going unsupported by IT (Source: Info-Tech’s CEO-CIO Alignment Survey (N=124)).

    60% of CEOs believe that improvement is required around IT’s understanding of business goals (Source: Info-Tech’s CEO-CIO Alignment Survey (N=124)).

    Business leaders today are generally dissatisfied with IT:

    30% of business stakeholders are supporters of their IT departments (Source: Info-Tech’s CIO Business Vision Survey (N=21,367)).

    The key to improving business satisfaction with IT is to deliver on projects that help the business achieve its strategic goals:

    A chart is depicted to show a list of reported important projects, and then reordering the projects based on actual importance.
    Source: Info-Tech’s CIO Business Vision Survey (N=21,367)

    Optimized project intake not only improves the project portfolio’s alignment to business goals, but provides the most effective way to improve relationships with IT’s key stakeholders.

    Benchmark your own current state with overall & industry-specific data using Info-Tech’s Diagnostic Program.

    However, establishing organizational discipline for project intake, approval, and prioritization is difficult

    Capacity awareness

    Many IT departments struggle to realistically estimate available project capacity in a credible way. Stakeholders question the validity of your endeavor to install capacity-constrained intake process, and mistake it for unwillingness to cooperate instead.

    Many moving parts

    Project intake, approval, and prioritization involve the coordination of various departments. Therefore, they require a great deal of buy-in and compliance from multiple stakeholders and senior executives.

    Lack of authority

    Many PMOs and IT departments simply lack the ability to decline or defer new projects.

    Unclear definition of value

    Defining the project value is difficult because there are so many different and conflicting ways that are all valid in their own right. However, without it, it's impossible to fairly compare among projects to select what's "best."

    Establishing intake discipline requires a great degree of cooperation and conformity among stakeholders that can be cultivated through strong processes.

    Info-Tech’s intake, approval, and prioritization methodology systemically fits the project portfolio to its triple constraint

    Info-Tech’s Methodology

    Info-Tech’s Methodology
    Project Intake Project Approval Project Prioritization
    Project requests are submitted, received, triaged, and scoped in preparation for approval and prioritization. Business cases are developed, evaluated, and selected (or declined) for investment, based on estimated value and feasibility. Work is scheduled to begin, based on relative value, urgency, and availability of resources.
    Stakeholder Needs Strategic Objectives Resource Capacity
    Project Portfolio Triple Constraint

    Info-Tech’s methodology for optimizing project intake delivers extraordinary value, fast

    In the first step of the blueprint, you will prototype a set of scorecard criteria for determining project value.

    Our methodology is designed to tackle your hardest challenge first to deliver the highest-value part of the deliverable. Since the overarching goal of optimizing project intake, approval, and prioritization process is to maximize the throughput of the best projects, one must define how “the best projects” are determined.

    In nearly all instances…a key challenge for the PPM team is reaching agreement over how projects should rank.

    – Merkhofer

    A Project Value Scorecard will help you:

    • Evolve the discussions on project and portfolio value beyond a theoretical concept
    • Enable apples-to-apples comparisons amongst many different kinds of projects

    The Project Value Scorecard Development Tool is designed to help you develop the project valuation scheme iteratively. Download the pre-filled tool with content that represents a common case, and then, customize it with your data.

    A screenshot of Info-Tech's Project Value Scorecard Development Tool

    This blueprint provides a clear path to maximizing your chance of success in optimizing project intake

    Info-Tech’s practical, tactical research is accompanied by a suite of tools and templates to accelerate your process optimization efforts.

    Organizational change and stakeholder management are critical elements of optimizing project intake, approval, and prioritization processes because they require a great degree of cooperation and conformity among stakeholders, and the list of key stakeholders are long and far-reaching.

    This blueprint will provide a clear path to not only optimize the processes themselves, but also for the optimization effort itself. This research is organized into three phases, each requiring a few weeks of work at your team’s own pace – or all in one week, through a workshop facilitated by Info-Tech analysts.

    Set Realistic Goals for Optimizing Project Intake, Approval, and Prioritization

    Tools and Templates:

    • Project Value Scorecard Development Tool (.xlsx)
    • PPM Assessment Report (Info-Tech Diagnostics)
    • Standard Operating Procedure Template (.docx)

    Build Optimized Project Intake, Approval, and Prioritization Processes

    Tools and Templates:

    • Project Request Forms (.docx)
    • Project Classification Matrix (.xlsx)
    • Benefits Commitment Form (.xlsx)
    • Proposed Project Technology Assessment Tool (.xlsx)
    • Business Case Templates (.docx)
    • Intake and Prioritization Tool (.xlsx)

    Integrate the Newly Optimized Processes into Practice

    Tools and Templates:

    • Process Pilot Plan Template (.docx)
    • Impact Assessment and Communication Planning Tool (.xlsx)

    Info-Tech’s approach to PPM is informed by industry best practices and rooted in practical insider research

    Info-Tech uses PMI and ISACA frameworks for areas of this research.

    The logo for PMI is in the picture.

    PMI’s Standard for Portfolio Management, 3rd ed. is the leading industry framework, proving project portfolio management best practices and process guidelines.

    The logo for COBIT 5 is in the picture.

    COBIT 5 is the leading framework for the governance and management of enterprise IT.

    In addition to industry-leading frameworks, our best-practice approach is enhanced by the insights and guidance from our analysts, industry experts, and our clients.

    Info-Tech's logo is shown.

    33,000+

    Our peer network of over 33,000 happy clients proves the effectiveness of our research.

    1,000+

    Our team conducts 1,000+ hours of primary and secondary research to ensure that our approach is enhanced by best practices.

    Deliver measurable project intake success for your organization with this blueprint

    Measure the value of your effort to track your success quantitatively and demonstrate the proposed benefits, as you aim to do so with other projects through improved PPM.

    Optimized project intake, approval, and prioritization processes lead to a high PPM maturity, which will improve the successful delivery and throughput of your projects, resource utilization, business alignment, and stakeholder satisfaction ((Source: BCG/PMI).

    A double bar graph is depicted to show high PPM maturity yields measurable benefits. It covers 4 categories: Management for individual projects, financial performance, strategy implementation, and organizational agility.

    Measure your success through the following metrics:

    • Reduced turnaround time between project requests and initial scoping
    • Number of project proposals with articulated benefits
    • Reduction in “off-the-grid” projects
    • Team satisfaction and workplace engagement
    • PPM stakeholder satisfaction score from business stakeholders: see Info-Tech’s PPM Customer Satisfaction Diagnostics

    $44,700: In the past 12 months, Info-Tech clients have reported an average measured value of $44,700 from undertaking a guided implementation of this research.

    Add your own organization-specific goals, success criteria, and metrics by following the steps in the blueprint.

    Case Study: Financial Services PMO prepares annual planning process with Project Value Scorecard Development Tool

    CASE STUDY

    Industry: Financial Services

    Source: Info-Tech Client

    Challenge

    PMO plays a diverse set of roles, including project management for enterprise projects (i.e. PMI’s “Directive” PMO), standards management for department-level projects (i.e. PMI’s “Supportive” PMO), process governance of strategic projects (i.e. PMI’s “Controlling” PMO), and facilitation / planning / reporting for the corporate business strategy efforts (i.e. Enterprise PMO).

    To facilitate the annual planning process, the PMO needed to develop a more data-driven and objective project intake process that implicitly aligned with the corporate strategy.

    Solution

    Info-Tech’s Project Value Scorecard tool was incorporated into the strategic planning process.

    Results

    The scorecard provided a simple way to list the competing strategic initiatives, objectively score them, and re-sort the results on demand as the leadership chooses to switch between ranking by overall score, project value, ability to execute, strategic alignment, operational alignment, and feasibility.

    The Project Value Scorecard provided early value with multiple options for prioritized rankings.

    A screenshot of the Project Value Scorecard is shown in the image.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Optimize Project Intake, Approval, and Prioritization – project overview

    1. Set Realistic Goals for Optimizing Process 2. Build New Optimized Processes 3. Integrate the New Processes into Practice
    Best-Practice Toolkit

    1.1 Define the criteria with which to determine project value.


    2.1 Streamline intake to manage stakeholder expectations.

    2.2 Set up steps of project approval to maximize strategic alignment while right-sizing the required effort.

    2.3 Prioritize projects to maximize the value of the project portfolio within the constraint of resource capacity.

    3.1 Pilot your intake, approval, and prioritization process to refine it before rollout.

    3.2 Analyze the impact of organizational change through the eyes of PPM stakeholders to gain their buy-in.

    Guided Implementations
    • Introduce Project Value Scorecard Development Tool and pilot Info-Tech’s example scorecard on your own backlog.
    • Map current project intake, approval, and prioritization process and key stakeholders.
    • Set realistic goals for process optimization.
    • Improve the management of stakeholder expectations with an optimized intake process.
    • Improve the alignment of the project portfolio to strategic objectives with an optimized approval process.
    • Enable resource capacity-constrained greenlighting of projects with an optimized prioritization process.
    • Create a process pilot strategy with supportive stakeholders.
    • Conduct a change impact analysis for your PPM stakeholders to create an effective communication strategy.
    • Roll out the new process and measure success.
    Onsite Workshop

    Module 1:

    Refocus on Project Value to Set Realistic Goals for Optimizing Project Intake, Approval, and Prioritization Process

    Module 2:

    Examine, Optimize, and Document the New Project Intake, Approval, and Prioritization Process

    Module 3:

    Pilot, Plan, and Communicate the New Process and Its Required Organizational Changes

    Phase 1 Outcome:
    • Draft project valuation criteria
    • Examination of current process
    • Definition of process success criteria
    Phase 2 Outcome:
    • Documentation of new project intake, approval, and prioritization process
    • Tools and templates to aid the process
    Phase 3 Outcome:
    • Process pilot plan
    • Organizational change communication plan

    Workshop overview

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Workshop Day 1 Workshop Day 2 Workshop Day 3 Workshop Day 4 Workshop Day 5
    Activities

    Benefits of optimizing project intake and project value definition

    1.1 Complete and review PPM Current State Scorecard Assessment

    1.2 Define project value for the organization

    1.3 Engage key PPM stakeholders to iterate on the scorecard prototype

    Set realistic goals for process optimization

    2.1 Map current intake, approval, and prioritization workflow

    2.2 Enumerate and prioritize process stakeholders

    2.3 Determine the current and target capability levels

    2.4 Define the process success criteria and KPIs

    Optimize project intake and approval processes

    3.1 Conduct focused retrospectives for project intake and approval

    3.2 Define project levels

    3.3 Optimize project intake processes

    3.4 Optimize project approval processes

    3.5 Compose SOP for intake and approval

    3.6 Document the new intake and approval workflow

    Optimize project prioritization process plan for a process pilot

    4.1 Conduct focused retrospective for project prioritization

    4.2 Estimate available resource capacity

    4.3 Pilot Project Intake and Prioritization Tool with your project backlog

    4.4 Compose SOP for prioritization

    4.5 Document the new prioritization workflow

    4.6 Discuss process pilot

    Analyze stakeholder impact and create communication strategy

    5.1 Analyze stakeholder impact and responses to impending organization change

    5.2 Create message canvas for at-risk change impacts and stakeholders

    5.3 Set course of action for communicating change

    Deliverables
    1. PPM Current State Scorecard
    2. Project Value Scorecard prototype
    1. Current intake, approval, and prioritization workflow
    2. Stakeholder register
    3. Intake process success criteria
    1. Project request form
    2. Project level classification matrix
    3. Proposed project deliverables toolkit
    4. Customized intake and approval SOP
    5. Flowchart for the new intake and approval workflow
    1. Estimated resource capacity for projects
    2. Customized Project Intake and Prioritization Tool
    3. Customized prioritization SOP
    4. Flowchart for the new prioritization workflow
    5. Process pilot plan
    1. Completed Intake and Prioritization Impact Analysis Tool
    2. Communication strategy and plan

    Phase 1

    Set Realistic Goals for Optimizing Project Intake, Approval, and Prioritization Process

    Phase 1 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Set Realistic Goals for Project Intake, Approval, and Prioritization Process Proposed Time to Completion: 1-2 weeks

    Step 1.1: Define the project valuation criteria

    Start with an analyst kick-off call:

    • Discuss how a project value is currently determined
    • Introduce Info-Tech’s scorecard-driven project valuation approach

    Then complete these activities…

    • Create a first-draft version of a project value-driven prioritized list of projects
    • Review and iterate on the scorecard criteria

    With these tools & templates:

    Project Value Scorecard Development Tool

    Step 1.2: Envision your process target state

    Start with an analyst kick-off call:

    • Introduce Info-Tech’s project intake process maturity model
    • Discuss the use of Info-Tech’s Diagnostic Program for an initial assessment of your current PPM processes

    Then complete these activities…

    • Map your current process workflow
    • Enumerate and prioritize your key stakeholders
    • Define process success criteria

    With these tools & templates:

    Project Intake Workflow Template

    Project Intake, Approval, and Prioritization SOP Template

    Phase 1 Results & Insights:
    • The overarching goal of optimizing project intake, approval, and prioritization process is to maximize the throughput of the best projects. To achieve this goal, one must have a clear way to determine what are “the best” projects.

    Get to value early with Step 1.1 of this blueprint

    Define how to determine a project’s value and set the stage for maximizing the value of your project portfolio using Info-Tech’s Project Value Scorecard Development Tool.

    Where traditional models of consulting can take considerable amounts of time before delivering value to clients, Info-Tech’s methodology for optimizing project intake, approval, and prioritization process gets you to value fast.

    The overarching goal of optimizing project intake, approval, and prioritization process is to maximize the throughput of the best projects. To achieve this goal, one must have a clear way to determine what are “the best” projects.

    In the first step of this blueprint, you will pilot a multiple-criteria scorecard for determining project value that will help answer that question. Info-Tech’s Project Value Scorecard Development Tool is pre-populated with a ready-to-use, real-life example that you can leverage as a starting point for tailoring it to your organization – or adopt as is.

    Introduce objectivity and clarity to your discussion of maximizing the value of your project portfolio with Info-Tech’s practical IT research that drives measurable results.

    Download Info-Tech’s Project Value Scorecard Development Tool.

    A screenshot of Info-Tech's Project Value Scorecard Development Tool

    Step 1.1: Define the criteria with which to determine project value

    PHASE 1 PHASE 2 PHASE 3

    1.1

    Define project valuation criteria

    1.2

    Envision process target state

    2.1

    Streamline intake

    2.2

    Right-size approval steps

    2.3

    Prioritize projects to fit resource capacity

    3.1

    Pilot your optimized process

    3.2

    Communicate organizational change

    This step will walk you through the following activities:

    • Learn how to use the Project Value Scorecard Development Tool
    • Create a first-draft version of a project value-driven prioritized list of projects

    This step involves the following participants:

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts
    • CIO (optional)

    Outcomes of this step

    • Understand the importance of devising a consensus criteria for project valuation.
    • Try a project value scorecard-driven prioritization process with your currently proposed.
    • Set the stage for optimizing project intake, approval, and prioritization processes.

    Intake, Approval, and Prioritization is a core process in Info-Tech’s project portfolio management (PPM) framework

    PPM is an infrastructure around projects that aims to ensure that the best projects are worked on at the right time with the right people.

    PPM’s goal is to maximize the throughput of projects that provide strategic and operational value to the organization. To do this, a PPM strategy must help to:

    Info-Tech's Project Portfolio Management Process Model
    3. Status & Progress Reporting
    1. Intake, Approval & Prioritization 2. Resource Management 3. Project Management 4. Project Closure 5. Benefits Tracking
    Intake Execution Closure
    1. Select the best projects
    2. Pick the right time and people to execute the projects
    3. Make sure the projects are okay
    4. Make sure the projects get done
    5. Make sure they were worth doing

    If you don’t yet have a PPM strategy in place, or would like to revisit your existing PPM strategy before optimizing your project intake, approval, and prioritization practices, see Info-Tech’s blueprint, Develop a Project Portfolio Management Strategy.

    A screenshot of Info-Tech's blueprint Develop a Project Portfolio Management Strategy is shown.

    “Too many projects, not enough resources” is the reality of most IT environments

    A profound imbalance between demand (i.e. approved project work and service delivery commitments) and supply (i.e. people’s time) is the top challenge IT departments face today.

    In today’s organizations, the desires of business units for new products and enhancements, and the appetites of senior leadership to approve more and more projects for those products and services, far outstrip IT’s ability to realistically deliver on everything.

    The vast majority of IT departments lack the resourcing to meet project demand – especially given the fact that day-to-day operational demands frequently trump project work.

    As a result, project throughput suffers – and with it, IT’s reputation within the organization.

    An image is depicted that has several projects laid out near a scale filling one side of it and off of it. On the other part of the scale which is higher, has an image of people in it to help show the relationship between resource supply and project demand.

    Info-Tech Insight

    Where does the time go? The portfolio manager (or equivalent) should function as the accounting department for time, showing what’s available in IT’s human resources budget for projects and providing ongoing visibility into how that budget of time is being spent.

    Don’t weigh your portfolio down by starting more than you can finish

    Focus on what will deliver value to the organization and what you can realistically deliver.

    Most of the problems that arise during the lifecycle of a project can be traced back to issues that could have been mitigated during the initiation phase.

    More than simply a means of early problem detection at the project level, optimizing your initiation processes is also the best way to ensure the success of your portfolio. With optimized intake processes you can better guarantee:

    • The projects you are working on are of high value
    • Your project list aligns with available resource capacity
    • Stakeholder needs are addressed, but stakeholders do not determine the direction of the portfolio

    80% of organizations feel their portfolios are dominated by low-value initiatives that do not deliver value to the business (Source: Cooper).

    "(S)uccessful organizations select projects on the basis of desirability and their capability to deliver them, not just desirability" (Source: John Ward, Delivering Value from Information Systems and Technology Investments).

    Establishing project value is the first – and difficult – step for optimizing project intake, approval, and prioritization

    What is the best way to “deliver value to the organization”?

    Every organization needs to explicitly define how to determine project value that will fairly represent all projects and provide a basis of comparison among them during approval and prioritization. Without it, any discussions on reducing “low-value initiatives” from the previous slide cannot yield any actionable plan.

    However, defining the project value is difficult, because there are so many different and conflicting ways that are all valid in their own right and worth considering. For example:

    • Strategic growth vs. operational stability
    • Important work vs. urgent work
    • Return on investment vs. cost containment
    • Needs of a specific line of business vs. business-wide needs
    • Financial vs. intangible benefits

    This challenge is further complicated by the difficulty of identifying the right criteria for determining project value:

    Managers fail to identify around 50% of the important criteria when making decisions (Source: Transparent Choice).

    Info-Tech Insight

    Sometimes it can be challenging to show the value of IT-centric, operational-type projects that maintain critical infrastructure since they don’t yield net-new benefits. Remember that benefits are only half the equation; you must also consider the costs of not undertaking the said project.

    Find the right mix of criteria for project valuation with Info-Tech’s Project Value Scorecard Development Tool

    Scorecard-driven approach is an easy-to-understand, time-tested solution to a multiple-criteria decision-making problem, such as project valuation.

    This approach is effective for capturing benefits and costs that are not directly quantifiable in financial terms. Projects are evaluated on multiple specific questions, or criteria, that each yield a score on a point scale. The overall score is calculated as a weighted sum of the scores.

    Info-Tech’s Project Value Scorecard is pre-populated with a best-practice example of eight criteria, two for each category (see box at bottom right). This example helps your effort to develop your own project scorecard by providing a solid starting point:

    60%: On their own, decision makers could only identify around 6 of their 10 most important criteria for making decisions (Source: Transparent Choice).

    Finally, in addition, the overall scores of approved projects can be used as a metric on which success of the process can be measured over time.

    Download Info-Tech’s Project Value Scorecard Development Tool.

    A screenshot of Info-Tech's Project Value Scorecard Development Tool

    Categories of project valuation criteria

    • Strategic alignment: projects must be aligned with the strategic goals of the business and IT.
    • Operational alignment: projects must be aligned with the operational goals of the business and IT.
    • Feasibility: practical considerations for projects must be taken into account in selecting projects.
    • Financial: projects must realize monetary benefits, in increased revenue or decreased costs, while posing as little risk of cost overrun as possible.

    Review the example criteria and score description in the Project Value Scorecard Development Tool

    1.1.1 Project Value Scorecard Development Tool, Tab 2: Evaluation Criteria

    This tab lists eight criteria that cover strategic alignment, operational alignment, feasibility, and financial benefits/risks. Each criteria is accompanied by a qualitative score description to standardize the analysis across all projects and analysts. While this tool supports up to 15 different criteria, it’s better to minimize the number of criteria and introduce additional ones as the organization grows in PPM maturity.

    A screenshot of Info-Tech's Project Value Scorecard Development Tool, Tab 2: Evaluation Criteria

    Type: It is useful to break down projects with similar overall scores by their proposed values versus ease of execution.

    Scale: Five-point scale is not required for this tool. Use more or less granularity of description as appropriate for each criteria.

    Blank Criteria: Rows with blank criteria are greyed out. Enter a new criteria to turn on the row.

    Score projects and search for the right mix of criteria weighting using the scorecard tab

    1.1.1 Project Value Scorecard Development Tool, Tab 3: Project Scorecard

    In this tab, you can see how projects are prioritized when they are scored according to the criteria from the previous tab. You can enter the scores of up to 30 projects in the scorecard table (see screenshot to the right).

    A screenshot of Info-Tech's Project Value Scorecard Development Tool, Tab 3: Project Scorecard is shown.

    Value (V) or Execution (E) & Relative Weight: Change the relative weights of each criteria and review any changes to the prioritized list of projects change, whose rankings are updated automatically. This helps you iterate on the weights to find the right mix.

    Feasibility: Custom criteria category labels will be automatically updated.

    A screenshot of Info-Tech's Project Value Scorecard Development Tool, Tab 3: Project Scorecard is shown.

    Overall: Choose the groupings of criteria by which you want to see the prioritized list. Available groupings are:

    • Overall score
    • By value or by execution
    • By category

    Ranks and weighted scores for each project is shown.

    For example, click on the drop-down and choose “Execution.”

    A screenshot of Info-Tech's Project Value Scorecard Development Tool, Tab 3: Project Scorecard is shown.

    Project ranks are based only on execution criteria.

    Create a first-draft version of a project value-driven prioritized list of projects

    1.1.1 Estimated Time: 60 minutes

    Follow the steps below to test Info-Tech’s example Project Value Scorecard and examine the prioritized list of projects.

    1. Using your list of proposed, ongoing, and completed projects, identify a representative sample of projects in your project portfolio, varying in size, scope, and perceived value – about 10-20 of them.
    2. Arrange these projects in the order of priority using any processes or prioritization paradigm currently in place in your organization.
    • In the absence of formal process, use your intuition, as well as knowledge of organizational priorities, and your stakeholders.
  • Use the example criteria and score description in Tab 2 of Info-Tech’s Project Value Scorecard Development Tool to score the same list of projects:
    • Avoid spending too much time at this step. Prioritization criteria will be refined in the subsequent parts of the blueprint.
    • If multiple scorers are involved, allow some overlap to benchmark for consistency.
  • Enter the scores in Tab 3 of the tool to obtain the first-draft version of a project value-driven prioritized project list. Compare it with your list from Step 2.
  • INPUT

    • Knowledge of proposed, ongoing, and completed projects in your project portfolio

    OUTPUT

    • Prioritized project lists

    Materials

    • Project Value Scorecard Development Tool

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts
    • CIO (optional)

    Iterate on the scorecard to set the stage for optimizing project intake, approval, and prioritization

    1.1.2 Estimated Time: 60 minutes

    Conduct a retrospective of the previous activity by asking these questions:

    • How smooth was the overall scoring experience (Step 3 of Activity 1.1.1)?
    • Did you experience challenges in interpreting and applying the example project valuation criteria? Why? (e.g. lack of information, absence of formalized business strategic goals, too much room for interpretation in scoring description)
    • Did the prioritized project list agree with your intuition?

    Iterate on the project valuation criteria:

    • Manipulate the relatives weights of valuation criteria to fine-tune them.
    • Revise the scoring descriptions to provide clarity or customize them to better fit your organization’s needs, then update the project scores accordingly.
    • For projects that did not score well, will this cause concern from any stakeholders? Are the concerns legitimate? If so, this may indicate the need for inclusion of new criteria.
    • For projects that score too well, this may indicate a bias toward a specific type of project or group of stakeholders. Try adjusting the relative weights of existing criteria.

    INPUT

    • Activity 1.1.1

    OUTPUT

    • Retrospective on project valuation
    • Review of project valuation criteria

    Materials

    • Project Value Scorecard Development Tool

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts
    • CIO (optional)

    Next steps: engage key PPM stakeholders to reach a consensus when establishing how to determine project value

    Engage these key players to create the evaluation criteria that all stakeholders will support:

    • Business units: Projects are undertaken to provide value to the business. Senior management from business units must help define how project will be valued.
    • IT: IT must ensure that technical/practical considerations are taken into account when determining project value.
    • Finance: The CFO or designated representative will ensure that estimated project costs and benefits can be used to manage the budget.
    • PMO: PMO is the administrator of the project portfolio. PMO must provide coordination and support to ensure the process operates smoothly and its goals are realized.
    • Business analysts: BAs carry out the evaluation of project value. Therefore, their understanding of the evaluation criteria and the process as a whole are critical to the success of the process.
    • Project sponsors: Project sponsors are accountable for the realization of benefits for which projects are undertaken.

    Optimize the process with the new project value definition to focus your discussion with stakeholders

    This blueprint will help you not only optimize the process, but also help you work with your stakeholders to realize the benefits of the optimized process.

    In this step, you’ve begun improving the definition of project value. Getting it right will require several more iterations and will require a series of discussions with your key stakeholders.

    The optimized intake process built around the new definition of project value will help evolve a conceptual discussion about project value into a more practical one. The new process will paint a picture of what the future state will look like for your stakeholders’ requested projects getting approved and prioritized for execution, so that they can provide feedback that’s concrete and actionable. To help you with that process, you will be taken through a series of activities to analyze the impact of change on your stakeholders and create a communication plan in the last phase of the blueprint.

    For now, in the next step of this blueprint, you will undergo a series of activities to assess your current state to identify the specific areas for process optimization.

    "To find the right intersection of someone’s personal interest with the company’s interest on projects isn’t always easy. I always try to look for the basic premise that you can get everybody to agree on it and build from there… But it’s sometimes hard to make sure that things stick. You may have to go back three or four times to the core agreement."

    -Eric Newcomer

    Step 1.2: Envision your target state for your optimized project intake, approval, and prioritization process

    PHASE 1 PHASE 2 PHASE 3

    1.1

    Define project valuation criteria

    1.2

    Envision process target state

    2.1

    Streamline intake

    2.2

    Right-size approval steps

    2.3

    Prioritize projects to fit resource capacity

    3.1

    Pilot your optimized process

    3.2

    Communicate organizational change

    This step will walk you through the following activities:

    • Map your current project intake, approval, and prioritization workflow, and document it in a flowchart
    • Enumerate and prioritize your key process stakeholders
    • Determine your process capability level within Info-Tech’s Framework
    • Establish your current and target states for project intake, approval, and prioritization process

    This step involves the following participants:

    • CIO
    • PMO Director/Portfolio Manager
    • Project Managers
    • Business Analysts
    • Other PPM stakeholders

    Outcomes of this step

    • Current project intake, approval, and prioritization process is mapped out and documented in a flowchart
    • Key process stakeholders are enumerated and prioritized to inform future discussion on optimizing processes
    • Current and target organizational process capability levels are determined
    • Success criteria and key performance indicators for process optimization are defined

    Use Info-Tech’s Diagnostic Program for an initial assessment of your current PPM processes

    This step is highly recommended but not required. Call 1-888-670-8889 to inquire about or request the PPM Diagnostics.

    Info-Tech's Project Portfolio Management Assessmentprovides you with a data-driven view of the current state of your portfolio, including your intake processes. Our PPM Assessment measures and communicates success in terms of Info-Tech’s best practices for PPM.

    A screenshot of Info-Tech's Project Portfolio Management Assessment blueprint is shown.

    Use the diagnostic program to:

    • Assess resource utilization across the portfolio.
    • Determine project portfolio reporting completeness.
    • Solicit feedback from your customers on the clarity of your portfolio’s business goals.
    • Rate the overall quality of your project management practices and benchmark your rating over time.
    A screenshot of Info-Tech's Project Portfolio Management Assessment blueprint is shown.

    Scope your process optimization efforts with Info-Tech’s high-level intake, approval, and prioritization workflow

    Info-Tech recommends the following workflow at a high level for a capacity-constrained intake process that aligns to strategic goals and stakeholder need.

    • Intake (Step 2.1)*
      • Receive project requests
      • Triage project requests and assign a liaison
      • High-level scoping & set stakeholder expectations
    • Approval (Step 2.2)*
      • Concept approval by project sponsor
      • High-level technical solution approval by IT
      • Business case approval by business
      • Resource allocation & greenlight projects
    • Prioritization (Step 2.3)*
      • Update project priority scores & available project capacity
      • Identify high-scoring and “on-the-bubble” projects
      • Recommend projects to greenlight or deliberate

    * Steps denote the place in the blueprint where the steps are discussed in more detail.

    Use this workflow as a baseline to examine your current state of the process in the next slide.

    Map your current project intake, approval, and prioritization workflow

    1.2.1 Estimated Time: 60-90 minutes

    Conduct a table-top planning exercise to map out the processes currently in place for project intake, approval, and prioritization.

    1. Use white 4”x6” recipe cards / large sticky notes to write out unique steps of a process. Use the high-level process workflow from the previous slides as a guide.
    2. Arrange the steps into chronological order. Benchmark the arrangement through a group discussion.
    3. Use green cards to identify artifacts or deliverables that result from a step.
    4. Use yellow cards to identify who does the work (i.e. responsible parties), and who makes the decisions (i.e. accountable party). Keep in mind that while multiple parties may be responsible, accountability cannot be shared and only a single party can be accountable for a process.
    5. Use red cards to identify issues, problems, or risks. These are opportunities for optimization.

    INPUT

    • Documentation describing the current process (e.g. standard operating procedures)
    • Info-Tech’s high-level intake workflow

    OUTPUT

    • Current process, mapped out

    Materials

    • 4x6” recipe cards
    • Whiteboard

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts
    • Other PPM stakeholders

    Document the current project intake, approval, and prioritization workflow in a flowchart

    1.2.2 Estimated Time: 60 minutes

    Document the results of the previous table-top exercise (Activity 1.1.1) into a flow chart. Flowcharts provide a bird’s-eye view of process steps that highlight the decision points and deliverables. In addition, swim lanes can be used to indicate process stages, task ownership, or responsibilities (example below).

    An example is shown for activity 1.2.2

    Review and customize section 1.2, “Overall Process Workflow” in Info-Tech’s Project Intake, Approval, and Prioritization SOP Template.

    "Flowcharts are more effective when you have to explain status and next steps to upper management."

    – Assistant Director-IT Operations, Healthcare Industry

    Browser-based flowchart tool examples

    INPUT

    • Mapped-out project intake process (Activity 1.2.1)

    OUTPUT

    • Flowchart representation of current project intake workflow

    Materials

    • Microsoft Visio, flowchart software, or Microsoft PowerPoint

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts

    Example of a project intake, approval, and prioritization flow chart – without swim lanes

    An example project intake, approval, and prioritization flow chart without swim lanes is shown.

    Example of a project intake, approval, and prioritization flow chart – with swim lanes

    An example project intake, approval, and prioritization flow chart with swim lanes is shown.

    Download Info-Tech’s Project Intake Workflow Template (Visio and PDF)

    Enumerate your key stakeholders for optimizing intake, approval, and prioritization process

    1.2.3 30-45 minutes

    In the previous activity, accountable and responsible stakeholders for each of the steps in the current intake, approval, and prioritization process were identified.

    1. Based on your knowledge and insight of your organization, ensure that all key stakeholders with accountable and responsible stakeholders are accounted for in the mapped-out process. Note any omissions: it may indicate a missing step, or that the stakeholder ought to be, but are not currently, involved.
    2. For each step, identify any stakeholders that are currently consulted or informed. Then, examine the whole map and identify any other stakeholders that ought to be consulted or informed.
    3. Compile a list of stakeholders from steps 1-2, and write each of their names in two sticky notes.
    4. Put both sets of sticky notes on a wall. Use the wisdom-of-the-crowd approach to arrange one set in a descending order of influence. Record their ranked influence from 1 (least) to 10 (most).
    5. Rearrange the other set in a descending order of interest in seeing the project intake process optimized. Record their ranked interest from 1 (least) to 10 (most).

    INPUT

    • Mapped-out project intake process (Activity 1.2.1)
    • Insight on organizational culture

    OUTPUT

    • List of stakeholders in project intake
    • Ranked list in their influence and interest

    Materials

    • Sticky notes
    • Walls

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts
    • Other PPM stakeholders

    Prioritize your stakeholders for project intake, approval, and prioritization process

    There are three dimensions for stakeholder prioritization: influence, interest, and support.

    1. Map your stakeholders in a 2D stakeholder power map (top right) according to their relative influence and interest.
    2. Rate their level of support by asking the following question: how likely is it that your stakeholder would welcome an improved process for project intake?

    These parameters will inform how to prioritize your stakeholders according to the stakeholder priority heatmap (bottom right). This priority should inform how to focus your attention during the subsequent optimization efforts.

    A flowchart is shown to show the relationship between influence and interest.

    Level of Support
    Stakeholder Category Supporter Evangelist Neutral Blocker
    Engage Critical High High Critical
    High Medium Low Low Medium
    Low High Medium Medium High
    Passive Low Irrelevant Irrelevant Low

    Info-Tech Insight

    There may be too many stakeholders to be able to achieve complete satisfaction. Focus your attention on the stakeholders that matter the most.

    Most organizations have low to medium capabilities around intake, approval, and prioritization

    1.2.4 Estimated Time: 15 minutes

    Use Info-Tech’s Intake Capability Framework to help define your current and target states for intake, approval, and prioritization.

    Capability Level Capability Level Description
    Capability Level 5: Optimized Our department has effective intake processes with right-sized administrative overhead. Work is continuously prioritized to keep up with emerging challenges and opportunities.
    Capability Level 4: Aligned Our department has very strong intake processes. Project approvals are based on business cases and aligned with future resource capacity.
    Capability Level 3: Engaged Our department has processes in place to track project requests and follow up on them. Priorities are periodically re-evaluated, based largely on the best judgment of one or several executives.
    Capability Level 2: Defined Our department has some processes in place but no capacity to say no to new projects. There is a formal backlog, but little or no method for grooming it.
    Capability Level 1: Unmanaged Our department has no formal intake processes in place. Most work is done reactively, with little ability to prioritize proactive project work.

    Refer to the subsequent slides for more detail on these capability levels.

    Level 1: Unmanaged

    Use these descriptions to place your organization at the appropriate level of intake capability.

    Intake Projects are requested through personal conversations and emails, with minimal documentation and oversight.
    Approval Projects are approved by default and rarely (if ever) declined. There is no definitive list of projects in the pipeline or backlog.
    Prioritization Most work is done reactively, with little ability to prioritize proactive project work.

    Symptoms

    • Poorly defined – or a complete absence of – PPM processes.
    • No formal approval committee.
    • No processes in place to balance proactive and reactive demands.

    Long Term

    PMOs at this level should work to have all requests funneled through a proper request form within six months. Decision rights for approval should be defined, and a scorecard should be in place within the year.

    Quick Win

    To get a handle on your backlog, start tracking all project requests using the “Project Data” tab in Info-Tech’s Project Intake and Prioritization Tool.

    Level 2: Defined

    Use these descriptions to place your organization at the appropriate level of intake capability.

    Intake Requests are formally documented in a request form before they’re assigned, elaborated, and executed as projects.
    Approval Projects are approved by default and rarely (if ever) declined. There is a formal backlog, but little or no method for grooming it.
    Prioritization There is a list of priorities but no process for updating it more than annually or quarterly.

    Symptoms

    • Organization does not have clear concept of project capacity.
    • There is a lack of discipline enforced on stakeholders.
    • Immature PPM processes in general.

    Long Term

    PMOs at this level should strive for greater visibility into the portfolio to help make the case for declining (or at least deferring) requests. Within the year, have a formal PPM strategy up and running.

    Quick Win

    Something PMOs at this level can accomplish quickly without any formal approval is to spend more time with stakeholders during the ideation phase to better define scope and requirements.

    Level 3: Engaged

    Use these descriptions to place your organization at the appropriate level of intake capability.

    Intake Processes and skills are in place to follow up on requests to clarify project scope before going forward with approval and prioritization.
    Approval Projects are occasionally declined based on exceptionally low feasibility or value.
    Prioritization Priorities are periodically re-evaluated based largely on the best judgment of one or several executives.

    Challenges

    • Senior executives’ “best judgement” is frequently fallible or influenced. Pet projects still enter the portfolio and deplete resources.
    • While approval processes “occasionally” filter out some low-value projects, many still get approved.

    Long Term

    PMOs at this level should advocate for a more formal cadence for prioritization and, within the year, establish a formal steering committee that will be responsible for prioritizing and re-prioritizing quarterly or monthly.

    Quick Win

    At the PMO level, employ Info-Tech’s Project Intake and Prioritization Tool to start re-evaluating projects in the backlog. Make this data available to senior executives when prioritization occurs.

    Level 4: Aligned

    Use these descriptions to place your organization at the appropriate level of intake capability.

    Intake Occurs through a centralized process. Processes and skills are in place for follow-up.
    Approval Project approvals are based on business cases and aligned with future resource capacity.
    Prioritization Project prioritization is visibly aligned with business goals.

    Challenges

    • The process of developing business cases can be too cumbersome, distracting resources from actual project work.
    • “Future” resource capacity predictions are unreliable. Reactive support work and other factors frequently change actual resource availability.

    Long Term

    PMOs at this level can strive for more accurate and frequent resource forecasting, establishing a more accurate picture of project vs. non-project work within the year.

    Quick Win

    PMOs at this level can start using Info-Tech’s Business Case Template (Comprehensive or Fast Track) to help simplify the business case process.

    Level 5: Optimizing

    Use these descriptions to place your organization at the appropriate level of intake capability.

    Intake Occurs through a centralized portal. Processes and skills are in place for thorough follow-up.
    Approval Project approvals are based on business cases and aligned with future resource capacity.
    Prioritization Work is continuously prioritized to keep up with emerging challenges and opportunities.

    Challenges

    • Establishing a reliable forecast for resource capacity remains a concern at this level as well.
    • Organizations at this level may experience an increasing clash between Agile practices and traditional Waterfall methodologies.

    A screenshot of Info-Tech's Manage an Agile Portfolio Blueprint

    PMOs at this level should look at Info-Tech’s Manage an Agile Portfolio for comprehensive tools and guidance on maintaining greater visibility at the portfolio level into work in progress and committed work.

    Establish your current and target states for process intake, approval, and prioritization

    1.2.5 Estimated Time: 20 minutes

    • Having reviewed the intake capability framework, you should be able to quickly identify where you currently reside in the model. Document this in the “Current State” box below.
    • Next, spend some time as a group discussing your target state. Make sure to set a realistic target as well as a realistic timeframe for meeting this target. Level 1s will not be able to become Level 5s overnight and certainly not without passing through the other levels on the way.
      • A realistic goal for a Level 1 to become a Level 2 is within six to eight months.
    Current State:
    Target State:
    Timeline for meeting target

    INPUT

    • Intake, approval, and prioritization capability framework (Activity 1.2.4)

    OUTPUT

    • Current and target state, with stated time goals

    Materials

    • Whiteboard

    Participants

    • CIO
    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts

    Align your intake success with the strategic expectations of overall project portfolio management

    A successful project intake, approval, and prioritization process puts your leadership in a position to best steer the portfolio, like a conductor of an orchestra.

    To frame the discussion on deciding what intake success will look like, review Info-Tech’s PPM strategic expectations:

    • Project Throughput: Maximize throughput of the best projects.
    • Portfolio Visibility: Ensure visibility of current and pending projects.
    • Portfolio Responsiveness: Make the portfolio responsive to executive steering when new projects and changing priorities need rapid action.
    • Resource Utilization: Minimize resource waste and optimize the alignment of skills to assignments.
    • Benefits Realization: Clarify accountability for post-project benefits attainment for each project, and facilitate the process of tracking/reporting those benefits.
    A screenshot of Info-Tech's Develop a Project Portfolio Management Strategy blueprint.

    For a more detailed discussion and insight on PPM strategic expectations see Info-Tech’s blueprint, Develop a Project Portfolio Management Strategy.

    Decide what successful project intake, approval, prioritization process will look like

    1.2.6 Estimated Time: 60 minutes

    While assessing your current state, it is important to discuss and determine as a team how success will be defined.

    • During this process, it is important to consider tentative timelines for success milestones and to ask the question: what will success look like and when should it occur by?
    • Use the below table to help document success factors and timeliness. Follow the lead of our example in row 1.
    Optimization Benefit Objective Timeline Success Factor
    Facilitate project intake, prioritization, and communication with stakeholders to maximize time spent on the most valuable or critical projects. Look at pipeline as part of project intake approach and adjust priorities as required. July 1st Consistently updated portfolio data. Dashboards to show back capacity to customers. SharePoint development resources.

    Review and customize section 1.5, “Process Success Criteria” in Info-Tech’s Project Intake, Approval, and Prioritization SOP Template.

    Info-Tech Insight

    Establish realistic short-term goals. Even with optimized intake procedures, you may not be able to eliminate underground project economies immediately. Make your initial goals realistic, leaving room for those walk-up requests that may still appear via informal channels.

    Prepare to optimize project intake and capture the results in the Intake, Approval, and Prioritization SOP

    Standard Operating Procedure (SOP) is the reference document to get all PPM stakeholders on the same page with the new optimized process.

    The current state explored and documented in this step will serve as a starting point for each step of the next phase of the blueprint. The next phase will take a deeper dive into each of the three components of Info-Tech’s project intake methodology, so that they can achieve the success criteria you’ve defined in the previous activity.

    Info-Tech’s Project Intake, Approval, and Prioritization SOP Template is intended to capture the outcome of your process optimization efforts. This blueprint guides you through numerous activities designed for your core project portfolio management team to customize each section.

    To maximize the chances of success, it is important that the team makes a concerted effort to participate. Schedule a series of working sessions over the course of several weeks for your team to work through it – or get through it in one week, with onsite Info-Tech analyst-facilitated workshops.

    Download Info-Tech’s Project Intake, Approval, and Prioritization SOP.

    A screenshot of Info-Tech's Project Intake, Approval, and Prioritization SOP.

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Case study: PMO develops mature intake and prioritization processes by slowly evolving its capability level

    CASE STUDY

    Industry: Not-for-Profit

    Source: Info-Tech Interview

    Challenge

    • A PMO for a large not-for-profit benefits provider had relatively high project management maturity, but the enterprise had low PPM maturity.
    • There were strong intake processes in place for following up on requests. For small projects, project managers would assist as liaisons to help control scope. For corporate initiates, PMs were assigned to work with a sponsor to define scope and write a charter.

    Solution

    Prioritization was a challenge. Initially, the organization had ad hoc prioritization practices, but they had developed a scoring criteria to give more formality and direction to the portfolio. However, the activity of formally prioritizing proved to be too time consuming.

    Off-the-grid projects were a common problem, with initiatives consuming resources with no portfolio oversight.

    Results

    After trying “heavy” prioritization, the PMO loosened up the process. PMO staff now go through and quickly rank projects, with two senior managers making the final decisions. They re-prioritize quarterly to have discussions around resource availability and to make sure stakeholders are in tune to what IT is doing on a daily basis. IT has a monthly meeting to go over projects consuming resources and to catch anything that has fallen between the cracks.

    "Everything isn't a number one, which is what we were dealing with initially. We went through a formal prioritization period, where we painstakingly scored everything. Now we have evolved: a couple of senior managers have stepped up to make decisions, which was a natural evolution from us being able to assign a formal ranking. Now we are able to prioritize more easily and effectively without having to painstakingly score everything."

    – PMO Director, Benefits Provider

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    A photo of an Info-Tech analyst is shown.
    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    1.1.1-2

    A screenshot of activities 1.1.1 and 1.1.2 are shown.

    Pilot Info-Tech’s Project Value Scorecard-driven prioritization method

    Use Info-Tech’s example to prioritize your current project backlog to pilot a project value-driven prioritization, which will be used to guide the entire optimization process.

    1.2.1-3

    A screenshot of activities 1.2.1 and 1.2.3 are shown.

    Map out and document current project intake, approval, and prioritization process, and the involved key stakeholders

    A table-top planning exercise helps you visualize the current process in place and identify opportunities for optimization.

    Phase 2

    Build an Optimized Project Intake, Approval, and Prioritization Process

    Phase 2 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 2: Build an Optimized Project Intake, Approval, and Prioritization Process Proposed Time to Completion: 3-6 weeks

    Step 2.1: Streamline Intake

    Start with an analyst kick-off call:

    • Challenges of project intake
    • Opportunities for improving the management of stakeholder expectations by optimizing intake

    Then complete these activities…

    • Perform a process retrospective
    • Optimize your process to receive, triage, and follow up on project requests

    With these tools & templates:

    • Project Request Form.
    • Project Intake Classification Matrix

    Step 2.2: Right-Size Approval

    Start with an analyst call:

    • Challenges of project approval
    • Opportunities for improving strategic alignment of the project portfolio by optimizing project approval

    Then complete these activities…

    • Perform a process retrospective
    • Clarify accountability at each step
    • Decide on deliverables to support decision makers at each step

    With these tools & templates:

    • Benefits Commitment Form
    • Technology Assessment Tool
    • Business Case Templates

    Step 3.3: Prioritize Realistically

    Start with an analyst call:

    • Challenges in project prioritization
  • Opportunities for installing a resource capacity-constrained intake by optimizing prioritization
  • Then complete these activities…

    • Perform a process retrospective
    • Pilot the Intake and Prioritization Tool for prioritization within estimated resource capacity

    With these tools & templates:

    • Project Intake and Prioritization Tool

    Phase 2 Results & Insights:

    • Info-Tech’s methodology systemically fits the project portfolio into its triple constraint of stakeholder needs, strategic objectives, and resource capacity, to effectively address the challenges of establishing organizational discipline for project intake.

    Step 2.1: Streamline intake to manage stakeholder expectations

    PHASE 1 PHASE 2 PHASE 3

    1.1

    Define project valuation criteria

    1.2

    Envision process target state

    2.1

    Streamline intake

    2.2

    Right-size approval steps

    2.3

    Prioritize projects to fit resource capacity

    3.1

    Pilot your optimized process

    3.2

    Communicate organizational change

    This step will walk you through the following activities:

    • Perform a deeper retrospective on current project intake process
    • Optimize your process to receive project requests
    • Revisit the definition of a project for triaging requests
    • Optimize your process to triage project requests
    • Optimize your process to follow up on project requests

    This step involves the following participants:

    • PMO Director / Portfolio Manager
    • Project Managers
    • Business Analysts
    • PMO Administrative Staff

    Outcomes of this Step

    • Retrospective of the current project intake process: to continue doing, to start doing, and to stop doing
    • A streamlined, single-funnel intake channel with the right procedural friction to receive project requests
    • A refined definition of what constitutes a project, and project levels that will determine the necessary standard of rigor with which project requests should be scoped and developed into a proposal throughout the process
    • An optimized process for triaging and following up on project requests to prepare them for the steps of project approval
    • Documentation of the optimized process in the SOP document

    Understand the risks of poor intake practices

    Too much red tape could result in your portfolio falling victim to underground economies. Too little intake formality could lead to the Wild West.

    Off-the-grid projects, i.e. projects that circumvent formal intake processes, lead to underground economies that can deplete resource capacity and hijack your portfolio.

    These underground economies are typically the result of too much intake red tape. When the request process is made too complex or cumbersome, project sponsors may unsurprisingly seek alternative means to get their projects done.

    While the most obvious line of defence against the appearance of underground economies is an easy-to-use and access request form, one must be cautious. Too little intake formality could lead to a Wild West of project intake where everyone gets their initiatives approved regardless of their business merit and feasibility.

    Benefits of optimized intake Risks of poor intake
    Alignment of portfolio with business goals Portfolio overrun by off-the-grid projects
    Resources assigned to high-value projects Resources assigned to low-value projects
    Better throughput of projects in the portfolio Ever-growing project backlog
    Strong stakeholder relations Stakeholders lose faith in value of PMO

    Info-Tech Insight

    Intake is intimately bound to stakeholder management. Finding the right balance of friction for your team is the key to successfully walking the line between asking for too much and not asking for enough. If your intake process is strong, stakeholders will no longer have any reason to circumvent formal process.

    An excess number of intake channels is the telltale sign of a low capability level for intake

    Excess intake channels are also a symptom of a portfolio in turmoil.

    If you relate to the graphic below in any way, your first priority needs to be limiting the means by which projects get requested. A single, centralized channel with review and approval done in batches is the goal. Otherwise, with IT’s limited capacity, most requests will simply get added to the backlog.

    A graphic is shown to demonstrate how one may receive project requests. The following icons are in a circle: Phone, Intranet Request Form, In person, anywhere, anytime, SharePoint Request Form, Weekly Scrum, Document, and Email.

    Info-Tech Insight

    The PMO needs to have the authority – and needs to exercise the authority – to enforce discipline on stakeholders. Organizations that solicit in verbal requests (by phone, in person, or during scrum) lack the orderliness required for PPM success. In these cases, it needs to be the mission of the PMO to demand proper documentation and accountability from stakeholders before proceeding with requests.

    "The golden rule for the project documentation is that if anything during the project life cycle is not documented, it is the same as if it does not exist or never happened…since management or clients will never remember their undocumented requests or their consent to do something."

    – Dan Epstein, “Project Initiation Process: Part Two”

    Develop an intake workflow

    Info-Tech recommends following a four-step process for managing intake.

    1. Requestor fills out form and submits the request.

    Project Request Form Templates

    2. Requests are triaged into the proper queue.

    1. Divert non-project request
    2. Quickly assess value and urgency
    3. Assign specialist to follow up on request
    4. Inform the requestor

    Project Intake Classification Matrix

    3. BA or PM prepares to develop requests into a project proposal.

    1. Follow up with requestor and SMEs to refine project scope, benefits, and risks
    2. Estimate size of project and determine the required level of detail for proposal
    3. Prepare for concept approval

    Benefits Commitment Form Template

    4. Requestor is given realistic expectations for approval process.

    Perform a start-stop-continue exercise to help determine what is working and what is not working

    2.1.1 Estimated Time: 45 minutes

    Optimizing project intake may not require a complete overhaul of your existing processes. You may only need to tweak certain templates or policies. Perhaps you started out with a strong process and simply lost resolve over time – in which case you will need to focus on establishing motivation and discipline, rather than rework your entire process.

    Perform a start-stop-continue exercise with your team to help determine what should be salvaged, what should be abandoned, and what should be introduced:

    1. On a whiteboard or equivalent, write “Start,” “Stop,” and “Continue” in three separate columns. 3. As a group, discuss the responses and come to an agreement as to which are most valid.
    2. Equip your team with sticky notes or markers and have them populate the columns with ideas and suggestions surrounding your current processes. 4. Document the responses to help structure your game plan for intake optimization.
    Start Stop Continue
    • Explicitly manage follow-up expectations with project requestor
    • Receiving informal project requests
    • Take too long in proposal development
    • Quarterly approval meetings
    • Approve resources for proposal development

    INPUT

    • Current project intake workflow (Activity 1.2.2)
    • Project intake success criteria (Activity 1.2.6)

    OUTPUT

    • Retrospective review of current intake process

    Materials

    • Whiteboard
    • Sticky notes/markers

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts
    • PMO Admin Staff

    Streamline project requests into a single funnel

    It is important to identify all of the ways through which projects currently get requested and initiated, especially if you have various streams of intake competing with each other for resources and a place in the portfolio. Directing multiple channels into a single, centralized funnel is step number one in optimizing intake.

    To help you identify project sources within your organization, we’ve broken project requests into three archetypes: the good, the bad, and the ugly.

    1. The Good – Proper Requests: written formal requests that come in through one appropriate channel.

    The Bad – Walk-Ups: requests that do not follow the appropriate intake channel(s), but nevertheless make an effort to get into the proper queue. The most common instance of this is a portfolio manager or CIO filling out the proper project request form on behalf of, and under direction from, a senior executive.

    The Ugly – Guerilla Tactics: initiatives that make their way into the portfolio through informal methods or that consume portfolio resources without formal approval, authority, or oversight. This typically involves a key resource getting ambushed to work on a stakeholder’s “side project” without any formal approval from, or knowledge of, the PMO.

    Funnel requests through a single portal to streamline intake

    Decide how you would funnel project requests on a single portal for submitting project requests. Determining the right portal for your organization will depend on your current infrastructure options, as well as your current and target state capability levels.

    Below are examples of a platform for your project request portal.

    Platform Template document, saved in a repository or shared drive Email-based form (Outlook forms) Intranet form (SharePoint, internal CMS) Dedicated intake solution (PPM tool, idea/innovation tool)
    Pros Can be deployed very easily Consolidates requests into a single receiver Users have one place to go from any device All-in-one solution that includes scoring and prioritization
    Cons Manual submission and intake process consumes extra effort Can pose problems in managing requests across multiple people and platforms Requires existing intranet infrastructure and some development effort Solution is costly; requires adoption across all lines of business

    Increasing intake capability and infrastructure availability

    Introduce the right amount of friction into your intake process

    The key to an effective intake process is determining the right amount of friction to include for your organization. In this context, friction comes from the level of granularity within your project request form and the demands or level of accountability your intake processes place on requestors. You will want to have more or less friction on your intake form, depending on your current intake pain points.

    If you are inundated with a high volume of requests:

    • Make your intake form more detailed to deter “half-baked” requests.
    • Have more managerial oversight into the process. Require approval for each request.

    If you want to encourage the use of a formal channel:

    • Make your intake form more concise and lightweight.
    • Have less managerial oversight into the process. Inform managers of each request rather than requiring approval.

    Download Info-Tech’s Detailed Project Request Form.

    Download Info-Tech’s Light Project Request Form.

    A screenshot of Info-Tech's Project Request Form is shown.

    Info-Tech Insight

    Optimizing a process should not automatically mean reducing friction. Blindly reducing friction could generate a tidal wave of poorly thought-out requests, which only drives up unrealistic expectations. Mitigate the risk of unrealistic stakeholder expectations by carefully managing the message: optimize friction.

    Document your process to receive project requests

    2.1.2 Estimated Time: 30-60 minutes

    Review and customize section 2.2, “Receive project requests” in Info-Tech’s Project Intake, Approval, and Prioritization SOP Template.

    The goal of optimizing this process is to consolidate multiple intake channels into a single funnel with the right amount of friction to improve visibility and manageability of incoming project requests.

    The important decisions to document for this step include:

    1. What data will be collected, and from whom? For example, Info-Tech’s Light Project Request Form Template will be used to collect project requests from everyone.
    2. How will requests be collected, and from where? For example, the template will be available as a fillable form on a SharePoint site.
    3. Who will be informed of the requests? For example, the PMO Director and the BA team will be notified with a hyperlink to the completed request form.
    4. Who will handle exceptions? For example, PMO will maintain this process and will handle any questions or issues that pertain to this part of the process.

    INPUT

    • Retrospective of current process (Activity 2.1.1)

    OUTPUT

    • Customized Project Request Form
    • Method of implementation

    Materials

    • Project Request Form Templates

    Participants

    • PMO Director/ Portfolio Manager
    • Business Analysts

    Info-Tech Best Practice

    Whatever method of request collection you choose, ensure there is no doubt about how requesters can access the intake form.

    Establish a triage process to improve portfolio success

    Once a request has been submitted, it will need to be triaged. Triage begins as soon as the request is received. The end goal of the triage process is to set appropriate expectations for stakeholders and to ensure that all requests going forward for approval are valid requests.

    PPM Triage Process

    1. Divert non-project requests by validating that what is described on the request form qualifies as a “project.” Make sure requests are in the appropriate queue – for example, service desk request queue, change and release management queue, etc.
    2. Quickly assess value and urgency to determine whether the request requires fast-tracking or any other special consideration.
    3. Assign a specialist to follow up on the request. Match the request to the most suitable BA, PM, or equivalent. This person will become the Request Liaison (“RL”) for the request and will work with the requestor to define preliminary requirements.
    4. Inform the requestor that the request has been received and provide clear direction on what will happen with the request next, such as who will follow up on it and when. See the next slide for some examples of this follow-up.

    The PMO Triage Team

    • Portfolio Manager, or equivalent
    • Request Liaisons (business analysts, project managers, or equivalent)

    “Request Liaison” Role

    The BAs and PMs who follow up on requests play an especially important role in the triage process. They serve as the main point of contact to the requestor as the request evolves into a business case. In this capacity they perform a valuable stakeholder management function, helping to increase confidence and enhance trust in IT.

    To properly triage project requests, define exactly what a project is

    Bring color to the grey area that can exist in IT between those initiatives that fall somewhere in between “clearly a service ticket” and “clearly a project.”

    What constitutes a project?

    Another way of asking this question that gets more to the point for this blueprint – for what types of initiatives is project intake, approval, and prioritization rigor required?

    This is especially true in IT where, for some smaller initiatives, there can be uncertainty in many organizations during the intake and initiation phase about what should be included on the formal project list and what should go to help desk’s queue.

    As the definitions in the table below show, formal project management frameworks each have similar definitions of “a project.”

    Source Definition
    PMI A temporary endeavor undertaken to create a unique product, service, or result.” (553)
    COBIT A structured set of activities concerned with delivering a defined capability (that is necessary but not sufficient to achieve a required business outcome) to the enterprise based on an agreed‐on schedule and budget.” (74)
    PRINCE2 A temporary organization that is created for the purpose of delivering one or more business products according to an agreed business case.

    For each, a project is a temporary endeavor planned around producing a specific organizational/business outcome. The challenge of those small initiatives in IT is knowing when those endeavors require a business case, formal resource tracking, and project management rigor, and when they don’t.

    Separating small projects from non-projects requires a consideration of approval rights

    While conventional wisdom says to base your project definition on an estimation of cost, risk, etc., you also need to ask, “does this initiative require formal approval?”

    In the next step, we will define a suggested minimum threshold for a small “level 1” project. While these level thresholds are good and necessary for a number of reasons – including triaging your project requests – you may still often need to exercise some critical judgment in separating the tickets from the projects. In addition to the level criteria that we will develop in this step, use the checklist below to help with your differentiating.

    Service Desk Ticket Small Project
    • Approval seems implicit given the scope of the task.
    • No expectations of needing to report on status.
    • No indications that management will require visibility during execution.
    • The scope of the task suggests formal approval may be required.
    • You may have to report on status.
    • Possibility that management may require visibility during execution.

    Info-Tech Insight

    Guard the value of the portfolio. Because tickets carry with them an implicit approval, you need to be wary at the portfolio level of those that might possess a larger scope than their status of ticket implies. Sponsors that, for whatever reason, resist the formal intake process may use the ticketing process to sneak projects in through the backdoor. When assessing tickets and small projects at the portfolio level, you need to ask: is it possible that someone at an executive level might want to get updates on this because of its duration, scope, risk, cost, etc.? Could someone at the management level get upset that the initiative came in as a ticket and is burning up time and driving costs without any visibility?

    Sample Project/Non-Project Separation Criteria

    Non-Project Small Project
    e.g. Time required e.g. < 40 hours e.g. 40 > hours
    e.g. Complexity e.g. Very low e.g. Moderate – Low Difficulty: Does not require highly developed or specialized skill sets
    e.g. Collaboration e.g. None required e.g. Limited coordination and collaboration between resources and departments
    e.g. Repeatability of work e.g. Fully repeatable e.g. Less predictable
    e.g. Frequency of request type e.g. Hourly to daily e.g. Weekly to monthly

    "If you worked for the help desk, over time you would begin to master your job since there is a certain rhythm and pattern to the work…On the other hand, projects are unique. This characteristic makes them hard to estimate and hard to manage. Even if the project is similar to one you have done before, new events and circumstances will occur. Each project typically holds its own challenges and opportunities"

    – Jeffrey and Thomas Mochal

    Define the minimum-threshold criteria for small projects

    2.1.3 Estimated Time: 30 minutes

    Follow the steps below to define the specifics of a “level 1” project for your organization.

    1. Using your project list and/or ticketing system, identify a handful of small projects, large service desk tickets, and especially those items that fall somewhere in the grey area in between (anywhere between 10 to 20 of each). Then, determine the organizationally appropriate considerations for defining your project levels. Options include:
    • Duration
    • Budget/Cost
    • Technology requirements
    • Customer involvement
    • Integration
    • Organizational impact
    • Complexity
    • Number of cross-functional workgroups and teams involved
  • Using the list of projects established in the previous step, determine the organizationally appropriate considerations for defining your project levels –anywhere from four to six considerations is a good number.
  • Using these criteria and your list of small projects, define the minimum threshold for your level one projects across each of these categories. Record these thresholds in the table on the next slide.
  • INPUT

    • Data concerning small projects and service desk tickets, including size, duration, etc.

    OUTPUT

    • Clarity around how to define your level 1 projects

    Materials

    • Whiteboard

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts

    Remove room for stakeholder doubt and confusion by informing requests forward in a timely manner

    During triaging, requestors should be notified as quickly as possible (a) that their request has been received and (b) what to expect next for the request. Make this forum as productive and informative as possible, providing clear direction and structure for the future of the request. Be sure to include the following:

    • A request ID or ticket number.
    • Some direction on who will be following up on the request –provide an individual’s name when possible.
    • An estimated timeframe of when they can expect to hear from the individual following up.

    The logistic of this follow-up will depend on a number of different factors.

    • The number of requests you receive.
    • Your ability to automate the responses.
    • The amount of detail you would like to, or need to, provide stakeholders with.

    Info-Tech Best Practice

    Assign an official request number or project ID to all requests during this initial response. An official request number anchors the request to a specific and traceable dataset that will accompany the project throughout its lifecycle.

    Sample “request received” emails

    If you receive a high volume of requests or need a quick win for improving stakeholder relations:

    Sample #1: Less detailed, automatic response

    Hello Emma,

    Thank you. Your project request has been received. Requests are reviewed and assigned every Monday. A business analyst will follow up with you in the next 5-10 business days. Should you have any questions in the meantime, please reply to this email.

    Best regards,

    Information Technology Services

    If stakeholder management is a priority, and you want to emphasize the customer-facing focus:

    Sample #2: More detailed, tailored response

    Hi Darren,

    Your project request has been received and reviewed. Your project ID number is #556. Business analyst Alpertti Attar has been assigned to follow up on your request. You can expect to hear from him in the next 5-10 business days to set up a meeting for preliminary requirements gathering.

    If you have any questions in the meantime, please contact Alpertti at aattar@projectco.com. Please include the Project ID provided in this email in all future correspondences regarding this request.

    Thank you for your request. We look forward to helping you bring this initiative to fruition.

    Sincerely,

    Jim Fraser

    PMO Director, Information Technology Services

    Info-Tech Insight

    A simple request response will go a long way in terms of stakeholder management. It will not only help assure stakeholders that their requests are in progress but the request confirmation will also help to set expectations and take some of the mystery out of IT’s processes.

    Document your process to triage project requests

    2.1.4 Estimated Time: 30-60 minutes

    Review and customize section 2.3, “Triage project requests” in Info-Tech’s Project Intake, Approval, and Prioritization SOP Template.

    The goal of optimizing this process is to divert non-project requests and set an appropriate initial set of stakeholder expectations for next steps. The important decisions to document for this step include:

    1. What defines a project? Record the outcomes of Activities 2.1.3 into the SOP.
    2. Who triages the requests and assign request liaisons? Who are they? For example, a lead BA can assign a set roster of BAs to project requests.
    3. What are the steps to follow for sending the initial response? See the previous slides on automated responses vs. detailed, tailored responses.
    4. How will you account for the consumption of resource capacity? For example, impose a maximum of four hours per week per analyst, and track the hours worked for each request to establish a pattern for capacity consumption.
    5. Who will handle exceptions? For example, PMO will maintain this process and will handle any questions or issues that pertain to this part of the process.

    INPUT

    • Results of activity 2.1.3

    OUTPUT

    • SOP for triaging project requests

    Materials

    • SOP Template

    Participants

    • PMO Director/ Portfolio Manager
    • Business Analysts

    Info-Tech Best Practice

    Whatever method of request collection you choose, ensure there is no doubt about how requesters can access the intake form.

    Follow up on requests to define project scope and set realistic expectations

    The purpose of this follow-up is to foster communication among the requestor, IT, and the sponsor to scope the project at a high level. The follow-up should:

    • Clarify the goals and value of the request.
    • Begin to manage expectations based on initial assessment of feasibility.
    • Ensure the right information is available for evaluating project proposals downstream. Every project should have the below key pieces of scope defined before any further commitments are made.

    Focus on Defining Key Pieces of Scope

    • Budget (funding, source)
    • Business outcome
    • Completion criteria
    • Timeframes (start date and duration)
    • Milestones/deliverables

    Structure the Follow-Up Process to Enhance Alignment Between IT and the Business

    Once a Request Liaison (RL) has been assigned to a request, it is their responsibility to schedule time (if necessary) with the requestor to perform a scoping exercise that will help define preliminary requirements. Ideally, this follow-up should occur no later than a week of the initial request.

    Structure the follow-up for each request based on your preliminary estimates of project size (next slide). Use the “Key Pieces of Scope” to the left as a guide.

    It may also be helpful for RLs and stakeholders to work together to produce a rough diagram or mock-up of the final deliverable. This will ensure that the stakeholder’s idea has been properly communicated, and it could also help refine or broaden this idea based on IT’s capabilities.

    After the scoping exercise, it is the RL’s responsibility to inform the requestor of next steps.

    Info-Tech Insight

    More time spent with stakeholders defining high-level requirements during the ideation phase is key to project success. It will not only improve the throughput of projects, but it will enhance the transparency of IT’s capacity and enable IT to more effectively support business processes.

    Perform a preliminary estimation of project size

    Project estimation is a common pain point felt by many organizations. At this stage, a range-of-magnitude (ROM) estimate is sufficient for the purposes of sizing the effort required for developing project proposals with appropriate detail.

    A way to structure ROM estimates is to define a set of standard project levels. It will help you estimate 80% of projects with sufficient accuracy over time with little effort. The remaining 20% of projects that don’t meet their standard target dates can be managed as exceptions.

    The increased consistency of most projects will enable you to focus more on managing the exceptions.

    Example of standard project sizes:

    Level Primary unit of estimation Target completion date*
    1 Weeks 3 weeks – 3 months
    2 Months 3 months – 6 months
    3 Quarters 2 – 4 quarters
    3+ Years 1 year or more

    * Target completion date is simply that – a target, not a service level agreement (SLA). Some exceptions will far exceed the target date, e.g. projects that depend heavily on external or uncontrollable factors.

    Info-Tech Best Practice

    Project levelling is useful for right-sizing many downstream processes; it sets appropriate levels of detail and scrutiny expected for project approval and prioritization steps, as well as the appropriate extent of requirements gathering, project management, and reporting requirements afterwards.

    Set your thresholds for level 2 and level 3 projects

    2.1.5 Estimated Time: 30 minutes

    Now that the minimum threshold for your smallest projects has been identified, it’s time to identify the maximum threshold in order to better apply project intake, approval, and prioritization rigor where it’s needed.

    1. Looking at your project list (e.g. Activity 1.1.1, or your current project backlog), isolate the medium and large projects. Examine the two categories in turn.
    2. Start with the medium projects. Using the criteria identified in Activity 2.1.3, identify where your level one category ends.
    • What are the commonly recurring thresholds that distinguish medium-sized projects from smaller initiatives?
    • Are there any criteria that would need to take on a greater importance when making the distinction? For instance, will cost or duration take on a greater weighting when determining level thresholds?
    • Once you have reached consensus, record these in the table on the next slide.
  • Now examine your largest projects. Once again relying on the criteria from Activity 2.1.3, determine where your medium-sized projects end and your large projects begin.
    • What are the commonly recurring thresholds that distinguish large and extra-large projects from medium-sized initiatives?
    • Once you have reached consensus, records these in the table on the next slide.

    INPUT

    • Leveling criteria from Activity 2.1.3
    • Project backlog, or list of projects from Activity 1.1.1

    OUTPUT

    • Clarity around how to define your level two and three projects

    Materials

    • Whiteboard
    • The project level table on the next slide

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts
    • PMO Admin Staff

    Sample Project Levels Table

    Project Level Level 1 Level 2 Level 3
    Work Effort 40-100 hours 100-500 hours 500+ hours
    Budget $100,000 and under $100,000 to $500,000 $500,000 and over
    Technology In-house expertise Familiar New or requires system-wide change/training
    Complexity Well-defined solution; no problems expected Solution is known; some problems expected Solution is unknown or not clearly defined
    Cross-Functional Workgroups/Teams 1-2 3-5 > 6

    Apply a computation decision-making method for project levelling

    2.1.5 Project Intake Classification Matrix

    Capture the project levels in Info-Tech’s Project Intake Classification Matrix Tool to benchmark your levelling criteria and to determine project levels for proposed projects.

    Download Info-Tech’s Project Intake Classification Matrix tool.

    A screenshot of Info-Tech's Project Intake Classification Matrix Tool, tab 2 is shown.
    1. Pick a category to define project levels.
    2. Enter the descriptions for each project level.
    3. Assign a relative weight for each category.
    4. A screenshot of Info-Tech's Project Intake Classification Matrix Tool, tab 3 is shown.
    5. Enter a project name.
    6. Choose the description that best fits the project. If unknown, leave it blank.
    7. Suggested project levels are displayed.

    Get tentative buy-in and support from an executive sponsor for project requests

    In most organizations a project requires sponsorship from the executive layer, especially for strategic initiatives. The executive sponsor provides several vital factors for projects:

    • Funding and resources
    • Direct support and oversight of the project leadership
    • Accountability, acting as the ultimate decision maker for the project
    • Ownership of, and commitment to, project benefits

    Sometimes a project request may be made directly by a sponsor; in other times, the Request Liaison may need to connect the project request to a project sponsor.

    In either case, project request has a tentative buy-in and support of an executive sponsor before a project request is developed into a proposal and examined for approval – the subject of this blueprint’s next step.

    PMs and Sponsors: The Disconnect

    A study in project sponsorship revealed a large gap between the perception of the project managers and the perception of sponsors relative to the sponsor capability. The widest gaps appear in the areas of:

    • Motivation: 34% of PMs say sponsors frequently motivate the team, compared to 82% of executive sponsors who say they do so.
    • Active listening: 42% of PMs say that sponsors frequently listen actively, compared to 88% of executive sponsors who say they do so.
    • Effective communication: 47% of PMs say sponsors communicate effectively and frequently, compared to 92% of executive sponsors who say they do so.
    • Managing change: 37% of PMs say sponsors manage change, compared to 82% of executive sponsors who say they do so.

    Source: Boston Consulting Group/PMI, 2014

    Actively engaged executive sponsors continue to be the top driver of whether projects meet their original goals and business intent.

    – PMI Pulse of the Profession, 2017

    76% of respondents [organizations] agree that the role of the executive sponsor has grown in importance over the past five years.

    – Boston Consulting Group/PMI, 2014

    Document your process to follow up on project requests

    2.1.6 45 minutes

    Review and customize section 2.4, “Follow up on project requests” in Info-Tech’s Project Intake, Approval, and Prioritization SOP Template.

    The goal of optimizing this process is to initiate communication among the requestor, IT, and the sponsor to scope the project requests at a high level. The important decisions to document for this step include:

    1. How will you perform a scoping exercise with the requestor? Leverage existing organizational processes (e.g. high-level requirements gathering). Look to the previous slides for suggested outcomes of the exercise.
    2. How will you determine project levels? Record the outcomes of activities 2.1.5 into the SOP.
    3. How will the RL follow up on the scoped project request with a project sponsor? For example, project requests scoped at a high level will be presented to senior leadership whose lines of business are affected by the proposed project to gauge their initial interest.
    4. How will you account for the consumption of resource capacity? For example, impose a maximum of 8 hours per week per analyst, and track the hours worked for each request to establish a pattern for capacity consumption.
    5. Who will handle exceptions? For example, PMO will maintain this process and will handle any questions or issues that pertain to this part of the process.

    INPUT

    • Activity 2.1.5
    • Existing processes for scoping exercises

    OUTPUT

    • SOP for following up on project requests

    Materials

    • SOP Template

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts
    • PMO Admin Staff

    Examine the new project intake workflow as a whole and document it in a flow chart

    2.1.7 Estimated Time: 30-60 minutes

    Review and customize section 2.1, “Project Intake Workflow” in Info-Tech’s Project Intake, Approval, and Prioritization SOP Template.

    In Step 1.2 of the blueprint, you mapped out the current project intake, approval, and prioritization workflow and documented it in a flow chart. In this step, take the time to examine the new project intake process as a whole, and document the new workflow in the form of a flow chart.

    1. Requestor fills out form and submits the request.
    2. Requests are triaged into the proper queue.
    3. BA or PM prepares to develop requests into a project proposal.
    4. Requestor is given realistic expectations for approval process.

    Consider the following points:

    1. Are the inputs and outputs of each step clear? Who’s doing the work? How long will each step take, on average?
    2. Is the ownership of each step clear? How will we ensure a smooth handoff between each step and prevent requests from falling through the cracks?

    INPUT

    • New process steps for project intake (Activities 2.1.2-6)

    OUTPUT

    • Flowchart representation of new project intake workflow

    Materials

    • Microsoft Visio, flowchart software, or Microsoft PowerPoint

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts
    • PMO Admin Staff

    Case study: Portfolio manager achieves intake and project success through detailed request follow-up

    Case Study

    Industry: Municipal Government

    Source: Info-Tech Client

    Challenge

    • There is an IT department with a relatively high level of project management maturity.
    • They have approximately 30 projects on the go, ranging from small to large.
    • To help with intake, IT assembled a project initiation team. It was made up of managers from throughout the county. This group “owned the talent” and met once a month to assess requests. As a group, they were able to assemble project teams quickly.

    Solution

    • Project initiation processes kept failing. A lot of time was spent within IT getting estimations precise, only to have sponsors reject business cases because they did not align with what those sponsors had in mind.
    • Off-the-grid projects were a challenge. Directors did not follow intake process and IT talent was torn in multiple directions. There was nothing in place for protecting the talent and enforcing processes on stakeholders.

    Results

    • IT dedicated a group of PMs and BAs to follow up on requests.
    • Working with stakeholders, this group collects specific pieces of information that allows IT to get to work on requests faster. Through this process, requests reach the charter stage more quickly and with greater success.
    • An intake ticketing system was established to protect IT talent. Workers are now better equipped to redirect stakeholders through to the proper channels.

    Step 2.2: Set up steps of project approval to maximize strategic alignment while right-sizing the required effort

    PHASE 1 PHASE 2 PHASE 3

    1.1

    Define project valuation criteria

    1.2

    Envision process target state

    2.1

    Streamline intake

    2.2

    Right-size approval steps

    2.3

    Prioritize projects to fit resource capacity

    3.1

    Pilot your optimized process

    3.2

    Communicate organizational change

    This step will walk you through the following activities:

    • Perform a deeper retrospective on current project approval process
    • Define the approval steps, their accountabilities, and the corresponding terminologies for approval
    • Right-size effort and documentation required for each project level through the approval steps

    This step involves the following participants:

    • PMO Director / Portfolio Manager
    • Project Managers
    • Business Analysts
    • PMO Administrative Staff

    Outcomes of this step

    • Retrospective of the current project intake process: to continue doing, to start doing, and to stop doing
    • A series of approval steps are defined, in which their accountabilities, responsibilities, and the nomenclature for what is approved at each steps are clarified and documented
    • A toolbox of deliverables for proposed projects that captures key information developed to inform project approval decisions at each step of the approval process, and the organizational standard for what to use for which project level
    • Documentation of the optimized process in the SOP document

    Set up an incremental series of approval stage-gates to tackle common challenges in project approval

    This section will help you address key challenges IT leaders face around project approval.

    Challenges Info-Tech’s Advice
    Project sponsors receive funding from their business unit or other source (possibly external, such as a grant), and assume this means their project is “approved” without any regard to IT costs or resource constraints. Clearly define a series of approval steps, and communicate requirements for passing them.
    Business case documentation is rarely updated to reflect unforeseen costs, emerging opportunities, and changing priorities. As a result, time and money is spent finishing diminished priority projects while the value of more recent projects erodes in the backlog. Approve projects in smaller pieces, with early test/pilot phases focused on demonstrating the value of later phases.
    Project business cases often focus on implementation and overlook ongoing operating costs imposed on IT after the project is finished. These costs further diminish IT’s capacity for new projects, unless investment in more capacity (such as hiring) is included in business cases. Make ongoing support and maintenance costs a key element in business case templates and evaluations.
    Organizations approve new projects without regard to the availability of resource capacity (or lack thereof). Project lead times grow and stakeholders become more dissatisfied because IT is unable to show how the business is competing with itself for IT’s time. Increase visibility into what IT is already working on and committed to, and for whom.

    Develop a project approval workflow

    Clearly define a series of approval steps, and communicate requirements for passing them. “Approval” can be a dangerous word in project and portfolio management, so it is important to clarify what is required to pass each step, and how long the process will take.

    1 2 3 4
    Approval step Concept Approval Feasibility Approval Business Case Approval Resource Allocation (Prioritization)
    Alignment Focus Business need / Project sponsorship Technology Organization-wide business need Resource capacity
    Possible dispositions at each gate
    • Approve developing project proposal
    • Reject concept
    • Proceed to business case approval
    • Approve a test/pilot project for feasibility
    • Reject proposal
    • Approve project and funding in full
    • Approve a test/pilot project for viability
    • Reject proposal
    • Begin or continue project work
    • Hold project
    • Outsource project
    • Reject project
    Accountability e.g. Project Sponsor e.g. CIO e.g. Steering Committee e.g. CIO
    Deliverable Benefits Commitment Form Template Proposed Project Technology Assessment Tool Business Case (Fast Track, Comprehensive) Intake and Prioritization Tool

    Identify the decision-making paradigm at each step

    In general, there are three different, mutually exclusive decision-making paradigms for approving projects:

    Paradigm Description Benefits Challenges Recommendation
    Unilateral authority One individual makes decisions. Decisions tend to be made efficiently and unambiguously. Consistency of agenda is easier to preserve. Decisions are subject to one person’s biases and unseen areas. Decision maker should solicit and consider input from others and seek objective rigor.
    Ad hoc deliberation Stakeholders informally negotiate and communicate decisions between themselves. Deliberation helps ensure different perspectives are considered to counterbalance individual biases and unseen areas. Ad hoc decisions tend to lack documentation and objective rationale, which can perpetuate disagreement. Use where unilateral decisions are unfeasible (due to complexity, speed of change, culture, etc.), and stakeholders are very well aligned or highly skilled negotiators and communicators.
    Formal steering committee A select group that represent various parts of the organization is formally empowered to make decisions for the organization. Formal committees can ensure oversight into decisions, with levers available to help resolve uncertainty or disagreement. Formal committees introduce administrative overhead and effort that might not be warranted by the risks involved. Formal steering committees are best where formality is warranted by the risks and costs involved, and the organizational culture has an appetite for administrative oversight.

    Info-Tech Insight

    The individual or party who has the authority to make choices, and who is ultimately answerable for those decisions, is said to be accountable. Understanding the needs of the accountable party is critical to the success of the project approval process optimization efforts.

    Perform a start-stop-continue exercise to help determine what is working and what is not working

    2.2.1 Estimated Time: 45 minutes

    Optimizing project approval may not require a complete overhaul of your existing processes. You may only need to tweak certain templates or policies. Perhaps you started out with a strong process and simply lost resolve over time – in which case you will need to focus on establishing motivation and discipline, rather than rework your entire process.

    Perform a start-stop-continue exercise with your team to help determine what should be salvaged, what should be abandoned, and what should be introduced:

    1.On a whiteboard or equivalent, write “Start,” “Stop,” and “Continue” in three separate columns. 3.As a group, discuss the responses and come to an agreement as to which are most valid.
    2.Equip your team with sticky notes or markers and have them populate the columns with ideas and suggestions surrounding your current processes. 4.;Document the responses to help structure your game plan for intake optimization.
    StartStopContinue
    • Inject technical feasibility approval step as an input to final approval
    • Simplify business cases
    • Approve low-value projects
    • Take too long in proposal development
    • Quarterly approval meetings
    • Approve resources for proposal development

    INPUT

    • Current project approval workflow (Activity 1.2.2)
    • Project approval success criteria (Activity 1.2.6)

    OUTPUT

    • Retrospective review of current approval process

    Materials

    • Whiteboard
    • Sticky notes/markers

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts
    • PMO Admin Staff

    Customize the approval steps and describe them at a high level

    2.2.2 Estimated Time: 30-60 minutes

    Review and customize section 3.2, “Project Approval Steps” in Info-Tech’s Project Intake, Approval, and Prioritization SOP Template.

    The goal of this activity is to customize the definition of the approval steps for your organization, so that it makes sense for the existing organizational governance structure, culture, and need. Use the results of the start-stop-continue to inform what to customize. Consider the following factors:

    1. Order of steps: given the current decision-making paradigm, does it make sense to reorder the steps?
    2. Dispositions at each step: what are the possible dispositions, and who is accountable for making the dispositions?
    3. Project levels: do all projects require three-step approval before they’re up for prioritization? For example, IT steering committee may wish to be involved only for Level 3 projects and Level 2 projects with significant business impact, and not for Level 1 projects and IT-centric Level 2 projects.
    4. Accountability at each step: who makes the decisions?
    5. Who will handle exceptions? Aim to prevent the new process from being circumvented by vocal stakeholders, but also allow for very urgent requests. A quick win to strike this balance is to clarify who will exercise this discretion.

    INPUT

    • Retrospective of current process (Activity 2.2.1)
    • Project level definition
    • Approval steps in the previous slide

    OUTPUT

    • Customized project approval steps for each project level

    Materials

    • Whiteboard

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts
    • PMO Admin Staff

    Specify what “approval” really means to manage expectations for what project work can be done and when

    2.2.3 Estimated Time: 15 minutes

    Review and customize section 3.2, “Project Approval Steps” in Info-Tech’s Project Intake, Approval, and Prioritization SOP Template.

    In the old reality, projects were approved and never heard back from again, which effectively gave your stakeholders a blanket default expectation of “declined.” With the new approval process, manage your stakeholder expectations more explicitly by refining your vocabulary around approval.

    Within this, decision makers should view their role in approval as approving that which can and should be done. When a project is approved and slated to backlog, the intention should be to allocate resources to it within the current intake cycle.

    Customize the table to the right with organizationally appropriate definitions, and update your SOP.

    “No” Declined.
    “Not Now” “It’s a good idea, but the time isn’t right. Try resubmitting next intake cycle.”
    “Concept Approval” Approval to add the item to the backlog with the intention of starting it this intake cycle.
    “Preliminary Approval” Approval for consumption of PMO resources to develop a business case.
    “Full Approval” Project is greenlighted and project resources are being allocated to it.

    Info-Tech Insight

    Refine the nomenclature. Add context to “approved” and “declined.” Speak in terms of “not now” or “you can have it when these conditions are met.” With clear expectations of the resources required to support each request, you can place accountability for keeping the request alive back on the sponsors.

    Continuously work out a balance between disciplined decision making and “analysis paralysis"

    A graph is depicted to show the relationship between disciplined decision making and analysis paralysis. The sweet spot for disciplined decisions changes between situations and types of decisions.

    A double bar graph is depicted to show the relative effort spent on management practice. The first bar shows that 20% has a high success of portfolio management. 35% has a low success of portfolio management. A caption on the graph: Spending additional time assessing business cases doesn’t necessarily improve success.

    Info-Tech Insight

    Estimates that form the basis of business cases are often based on flawed assumptions. Use early project phases or sprints to build working prototypes to test the assumptions on which business cases are built, rather than investing time improving precision of estimates without improving accuracy.

    Right-size project approval process with Info-Tech’s toolbox of deliverables

    Don’t paint every project with the same brush. Choose the right set of information needed for each project level to maximize the throughput of project approval process.

    The next several slides will take you through a series of tools and templates that help guide the production of deliverables. Each deliverable wireframes the required analysis of the proposed project for one step of the approval process, and captures that information in a document. This breaks down the overall work for proposal development into digestible chunks.

    As previously discussed, aim to right-size the approval process rigor for project levels. Not all project levels may call for all steps of approval, or the extent of required analysis within an approval step may differ. This section will conclude by customizing the requirement for deliverables for each project level.

    Tools and Templates for the Project Approval Toolbox

    • Benefits Commitment Form Template (.xlsx) Document the project sponsor’s buy-in and commitment to proposed benefits in a lightweight fashion.
    • Proposed Technology Assessment Tool (.xlsx) Determine the proposed project’s readiness for adoption from a technological perspective.
    • Business Case Templates (.docx) Guide the analysis process for the overall project proposal development in varying levels of detail.

    Use Info-Tech’s lightweight Benefits Commitment Form Template to document the sponsor buy-in and support

    2.2.4 Benefits Commitment Form Template

    Project sponsors are accountable for the realization of project benefits. Therefore, for a project to be approved by a project sponsor, they must buy-in and commit to the proposed benefits.

    Defining project benefits and obtaining project sponsor commitment has been demonstrated to improve the project outcome by providing the focal point of the project up-front. This will help reduce wasted efforts to develop parts of the proposals that are not ultimately needed.

    A double bar graph titled: Benefits realization improves project outcome is shown.

    Download Info-Tech’s Benefits Commitment Form Template.

    Contents of a Benefits Commitment Form

    • One-sentence highlight of benefits and risks
    • Primary benefit, hard (quantitative) and soft (qualitative)
    • Proposed measurements for metrics
    • Responsible and accountable parties for benefits
    A screenshot of Info-Tech's Establish the Benefits Realization Process blueprint is shown.

    For further discussion on benefits realization, use Info-Tech’s blueprint, Establish the Benefits Realization Process.

    Use Info-Tech’s Proposed Project Technology Assessment Tool to analyze a technology’s readiness for adoption

    2.2.4 Proposed Project Technology Assessment Tool

    In some projects, there needs to be an initial idea of what the project might look like. Develop a high-level solution for projects that:

    • Are very different from previous projects.
    • Are fairly complex, or not business as usual.
    • Require adoption of new technology or skill set.

    IT should advise and provide subject matter expertise on the technology requirements to those that ultimately approve the proposed projects, so that they can take into account additional costs or risks that may be borne from it.

    Info-Tech’s Proposed Project Technology Assessment Tool has a series of questions to address eight categories of considerations to determine the project’s technological readiness for adoption. Use this tool to ensure that you cover all the bases, and help you devise alternate solutions if necessary – which will factor into the overall business case development.

    Download Info-Tech’s Proposed Project Technology Assessment Tool.

    A screenshot of Info-Tech's Proposed Project Technology Assessment Tool is shown.

    Enable project valuation beyond financial metrics with Info-Tech’s Business Case Templates

    2.2.4 Business Case Template (Comprehensive and Fast Track)

    Traditionally, a business case is centered around financial metrics. While monetary benefits and costs are matters of bottom line and important, financial metrics are only part of a project’s value. As the project approval decisions must be based on the holistic comparison of project value, the business case document must capture all the necessary – and only those that are necessary – information to enable it.

    However, completeness of information does not always require comprehensiveness. Allow for flexibility to speed up the process of developing business plan by making a “fast-track” business case template available. This enables the application of the project valuation criteria with all other projects, with right-sized effort.

    Alarming business case statistics

    • Only one-third of companies always prepare a business case for new projects.
    • Nearly 45% of project managers admit they are unclear on the business objectives of their IT projects.

    (Source: Wrike)

    Download Info-Tech’s Comprehensive Business Case Template.

    A screenshot of Info-Tech's Comprehensive Business Case Template is shown.

    Download Info-Tech’s Fast Track Business Case Template.

    A screenshot of Info-Tech's Fast Track Business Case Template is shown.

    Info-Tech Insight

    Pass on that which is known. Valuable information about projects is lost due to a disconnect between project intake and project initiation, as project managers are typically not brought on board until project is actually approved. This will be discussed more in Phase 3 of this blueprint.

    Document the right-sized effort and documentation required for each project level

    2.2.4 Estimated Time:60-90 minutes

    Review and customize section 3.3, “Project Proposal Deliverables” in Info-Tech’s Project Intake, Approval, and Prioritization SOP Template.

    The goal of this activity is to customize the requirements for project proposal deliverables, so that it properly informs each of the approval steps discussed in the previous activity. The deliverables will also shape the work effort required for projects of various levels. Consider the following factors:

    1. Project levels: what deliverables should be required, recommended, or suggested for each of the project levels? How will exceptions be handled, and who will be accountable?
    2. Existing project proposal documents: what existing proposal documents, tools and templates can we leverage for the newly optimized approval steps?
    3. Skills availability: do these tools and templates represent a significant departure from the current state? If so, is there capacity (time and skill) to achieve the desired target state?
    4. How will you account for the consumption of resource capacity? Do a rough order of estimate for the resource capacity consumed the new deliverable standard.
    5. Who will handle exceptions? For example, PMO will maintain this process and will handle any questions or issues that pertain to this part of the process.

    INPUT

    • Process steps (Activity 2.2.2)
    • Current approval workflow(Activity 1.2.1)
    • Artifacts introduced in the previous slides

    OUTPUT

    • Requirement for artifacts and effort for each approval step

    Materials

    • Whiteboard

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts
    • PMO Admin Staff

    Examine the new project approval workflow as a whole and document it in a flow chart

    2.2.5 Estimated Time: 30-60 minutes

    Review and customize section 3.1, “Project Approval Workflow” in Info-Tech’s Project Intake, Approval, and Prioritization SOP Template.

    In Step 1.2 of the blueprint, you mapped out the current project intake, approval, and prioritization workflow and documented it in a flow chart. In this step, take the time to examine the new project intake process as a whole, and document the new workflow in the form of a flow chart.

    1 2 3 4
    Approval Step Concept Approval Feasibility Approval Business Case Approval Resource Allocation (Prioritization)
    Alignment Focus Business need/ Project Sponsorship Technology

    Organization-wide

    Business need

    Resource capacity

    Consider the following points:

    1. Are the inputs and outputs of each step clear? Who’s doing the work? How long will each step take, on average?
    2. Is the ownership of each step clear? How will we ensure a smooth hand-off between each step and prevent requests from falling through the cracks?

    INPUT

    • New process steps for project approval (Activities 2.2.2-4)

    OUTPUT

    • Flowchart representation of new project approval workflow

    Materials

    • Microsoft Visio, flowchart software, or Microsoft PowerPoint

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts
    • PMO Admin Staff

    Step 2.3: Prioritize projects to maximize the value of the project portfolio within the constraint of resource capacity

    PHASE 1 PHASE 2 PHASE 3

    1.1

    Define project valuation criteria

    1.2

    Envision process target state

    2.1

    Streamline intake

    2.2

    Right-size approval steps

    2.3

    Prioritize projects to fit resource capacity

    3.1

    Pilot your optimized process

    3.2

    Communicate organizational change

    This step will walk you through the following activities:

    • Perform a deeper retrospective on current project prioritization process
    • Optimize your process to maintain resource capacity supply and project demand data
    • Optimize your process to formally make disposition recommendations to appropriate decision makers

    This step involves the following participants:

    • PMO Director / Portfolio Manager
    • Project Managers
    • Business Analysts
    • PMO Administrative Staff

    Outcomes of this step

    • Retrospective of the current project prioritization process: to continue doing, to start doing, and to stop doing
    • Realistic estimate of available resource capacity, in the absence of a resource management practice
    • Optimized process for presenting the decision makers with recommendations and facilitating capacity-constrained steering of the project portfolio
    • Project Intake and Prioritization Tool for facilitating the prioritization process
    • Documentation of the optimized process in the SOP document

    The availability of staff time is rarely factored into IT project and service delivery commitments

    A lot gets promised and worked on, and staff are always busy, but very little actually gets done – at least not within given timelines or to expected levels of quality.

    Organizations tend to bite off more than they can chew when it comes to project and service delivery commitments involving IT resources.

    While the need for businesses to make an excess of IT commitments is understandable, the impacts of systemically over-allocating IT are clearly negative:

    • Stakeholder relations suffer. Promises are made to the business that can’t be met by IT.
    • IT delivery suffers. Project timelines and quality frequently suffer, and service support regularly lags.
    • Employee engagement suffers. Anxiety and stress levels are consistently high among IT staff, while morale and engagement levels are low.

    76%: 76% of organizations say they have too many projects on the go and an unmanageable and ever-growing backlog of things to get to.

    – Cooper, 2014

    70%: Almost 70% of workers feel as though they have too much work on their plates and not enough time to do it.

    – Reynolds, 2016

    Unconstrained, unmanaged demand leads to prioritization of work based on consequences rather than value

    Problems caused by the organizational tendency to make unrealistic delivery commitments is further complicated by the reality of the matrix environment.

    Today, many IT departments use matrix organization. In this system, demands on a resource’s time come from many directions. While resources are expected to prioritize their work, they lack the authority to formally reject any demand. As a result, unconstrained, unmanaged demand frequently outstrips the supply of work-hours the resource can deliver.

    When this happens, the resource has three options:

    1. Work more hours, typically without compensation.
    2. Choose tasks not to do in a way that minimizes personal consequences.
    3. Diminish work quality to meet quantity demands.

    The result is an unsustainable system for all those involved:

    1. Individual workers cannot meet expectations, leading to frustration and disengagement.
    2. Managers cannot deliver on the projects or services they manage and struggle to retain skilled resources who are looking elsewhere for “greener pastures.”
    3. Executives cannot execute strategic plans as they lose decision-making power over their resources.

    Prioritize project demand by project value to get the most out of constrained project capacity – but practicing it is difficult

    The theory may be simple and intuitive, but the practice is extremely challenging. There are three practical challenges to making project prioritization effective.

    Project Prioritization

    Capacity awareness

    Many IT departments struggle to realistically estimate available project capacity in a credible way. Stakeholders question the validity of your endeavor to install capacity-constrained intake process, and mistake it for unwillingness to cooperate instead.

    Lack of authority

    Many PMOs and IT departments simply lack the ability to decline or defer new projects.

    Many moving parts

    Project intake, approval, and prioritization involve the coordination of various departments. Therefore, they require a great deal of buy-in and compliance from multiple stakeholders and senior executives.

    Project Approval

    Unclear definition of value

    Defining the project value is difficult, because there are so many different and conflicting ways that are all valid in their own right. However, without it, it's impossible to fairly compare among projects to select what's "best."

    Unclear definition of value

    In Step 1.1 of the blueprint, we took the first step toward resolving this challenge by prototyping a project valuation scorecard.

    A screenshot of Step 1.1 of this blueprint is shown.

    "Prioritization is a huge issue for us. We face the simultaneous challenges of not having enough resources but also not having a good way to say no. "

    – CIO, governmental health agency

    Address the challenges of capacity awareness and authority with a project prioritization workflow

    Info-Tech recommends following a four-step process for managing project prioritization.

    1. Collect and update supply and demand data
      1. Re-evaluate project value for all proposed, on-hold and ongoing projects
      2. Estimate available resource capacity for projects
    2. Prioritize project demand by value
      1. Identify highest-value, “slam-dunk” projects
      2. Identify medium-value, “on-the-bubble” projects
      3. Identify lower-value projects that lie beyond the available capacity
    3. Approve projects for initiation or continuation
      1. Submit recommendations for review
      2. Adjust prioritized list with business judgment
      3. Steering committee approves projects to work on
    4. Manage a realistically defined project portfolio
    • Stakeholder Need
    • Strategic Objectives
    • Resource Capacity

    Intake and Prioritization Tool

    Perform a start-stop-continue exercise to help determine what is working and what is not working

    2.3.1 Estimated Time: 60 minutes

    Optimizing project prioritization may not require a complete overhaul of your existing processes. You may only need to tweak certain templates or policies. Perhaps you started out with a strong process and simply lost resolve over time – in which case you will need to focus on establishing motivation and discipline, rather than rework your entire process.

    Perform a start-stop-continue exercise with your team to help determine what should be salvaged, what should be abandoned, and what should be introduced:

    1. On a whiteboard or equivalent, write “Start,” “Stop,” and “Continue” in three separate columns. 3. As a group, discuss the responses and come to an agreement as to which are most valid.
    2. Equip your team with sticky notes or markers and have them populate the columns with ideas and suggestions surrounding your current processes. 4. Document the responses to help structure your game plan for intake optimization.
    Start Stop Continue
    • Periodically review the project value scorecard with business stakeholders
    • “Loud Voices First” prioritization
    • Post-prioritization score changes
    • Updating project value scores for current projects

    INPUT

    • Current project prioritization workflow (Activity 1.2.2)
    • Project prioritization success criteria (Activity 1.2.6)

    OUTPUT

    • Retrospective review of current prioritization process

    Materials

    • Whiteboard
    • Sticky notes/markers

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts
    • PMO Admin Staff

    Use Info-Tech’s lightweight Intake and Prioritization Tool to get started on capacity-constrained project prioritization

    Use Info-Tech’s Project Intake and Prioritization Tool to facilitate the scorecard-driven prioritization and ensure effective flow of data.

    This tool builds on the Project Valuation Scorecard Tool to address the challenges in project prioritization:

    1. Lack of capacity awareness: quickly estimate a realistic supply of available work hours for projects for a given prioritization period, in the absence of a reliable and well-maintained resource utilization and capacity data.
    2. Using standard project sizing, quickly estimate the size of the demand for proposed and ongoing projects and produce a report that recommends the list of projects to greenlight – and highlight the projects within that list that are at risk of being short-charged of resources – that will aim to help you tackle:

    3. Lack of authority to say “no” or “not yet” to projects: save time and effort in presenting the results of project prioritization analysis that will enable the decision makers to make well-informed, high-quality portfolio decisions.
    4. The next several slides will walk you through the tool and present activities to facilitate its use for your organization.

    Download Info-Tech’s Project Intake and Prioritization Tool.

    A screenshot of Info-Tech's Project Intake Prioritization Tool is shown.

    Create a high-level estimate of available project capacity to inform how many projects can be greenlighted

    2.3.2 Project Intake and Prioritization Tool, Tab 2: Project Capacity

    Estimate how many work-hours are at your disposal for projects using Info-Tech’s resource calculator.

    A screenshot of Info-Tech's Project Intake and Prioritization Tool, Tab 2: Project Capacity

    1. Compile a list of each role within your department, the number of staff, and the hours in a typical work week.

    2. Enter the foreseeable out-of-office time (vacation, sick time, etc.). Typically, this value is 12-16% depending on the region.

    3. Enter how much working time is spent on non-projects for each role: administrative duties and “keep the lights on” work.

    4. Select a period of time for breaking down available resource capacity in hours.

    Project Work (%): Percentage of your working time that goes toward project work is calculated as what’s left after your non-project working time allocations have been subtracted.

    Project (h) Total Percentage: Take a note of this percentage as your project capacity. This number will put the estimated project demand in context for the rest of the tool.

    Example for a five-day work week:

    • 2 weeks (10 days) of statutory holidays
    • 3 weeks of vacation
    • 1.4 weeks (7 days) of sick days on average
    • 1 week (5 days) for company holidays

    Result: 7.4/52 weeks’ absence = 14%

    Estimate your available project capacity for the next quarter, half-year, or year

    2.3.2 Estimated Time: 30 minutes

    Discover how many work-hours are at your disposal for project work.

    1. Use the wisdom-of-the-crowd approach or resource utilization data to fill out Tab 2 of the tool. This is intended to be somewhat of a rough estimate; avoid the pitfall of being too granular in role or in time split.
    2. Choose a time period that corresponds to your project prioritization period: monthly, quarterly, 4 months, semi-annually (6 months), or annually.
    3. Examine the pie graph representation of your overall capacity breakdown, like the one shown below.

    Screenshot from Tab 2 of Project Intake and Prioritization Tool

    INPUT

    • Knowledge of organization’s personnel and their distribution of time

    OUTPUT

    • Estimate of available project capacity

    Materials

    • Project Intake and Prioritization Tool

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts
    • PMO Admin Staff

    On average, only about half of the available project capacity results in productive project work

    Place realistic expectations on your resources’ productivity.

    Info-Tech’s PPM Current State Scorecard diagnostic provides a comprehensive view of your portfolio management strengths and weaknesses, including project portfolio management, project management, customer management, and resource utilization.

    A screenshot of Info-Tech's PPM Current State Scorecard diagnostic

    Use the wisdom of the crowd to estimate resource waste in:

    • Cancelled projects
    • Inefficiency
    • Suboptimal assignment of resources
    • Unassigned resources
    • Analyzing, fixing, and redeploying

    50% of PPM resource is wasted on average, effectively halving your available project capacity.

    Source: Info-Tech PPM Current State Scorecard

    Define project capacity and project t-shirt sizes

    2.3.3 Project Intake and Prioritization Tool, Tab 3: Settings

    The resource capacity calculator in the previous tab yields a likely optimistic estimate for how much project capacity is available. Based on this estimate as a guide, enter your optimistic (maximum) and pessimistic (minimum) estimates of project capacity as a percentage of total capacity:

    A screenshot of Info-Tech's Project Intake and Prioritization Tool Tab 3

    Info-Tech’s data shows that only about 50% of time spent on project work is wasted: cancelled projects, inefficiency, rework, etc. As a general rule, enter half of your maximum estimate of your project capacity.

    Capacity in work hours is shown here from the previous tab, to put the percentages in context. This example shows a quarterly breakdown (Step 4 from the previous slide; cell N5 in Tab 2.).

    Next, estimate the percentage of your maximum estimated project capacity that a single project would typically consume in the given period for prioritization.

    A screenshot of Info-Tech's Project Intake and Prioritization Tool Tab 3

    These project sizes might not line up with the standard project levels from Step 2.1 of the blueprint: for example, an urgent mid-sized project that requires all hands on deck may need to consume almost 100% of maximum available project capacity.

    Estimate available project capacity and standard project demand sizes for prioritizing project demand

    2.3.3 Estimated Time: 30 minutes

    Refine your estimates of project capacity supply and demand as it applies to a prioritization period.

    1. The estimated project capacity from Activity 2.3.2 represents a theoretical limit. It is most likely an overestimation (see box below). As a group, discuss and decide on a more realistic available project capacity:
      1. Optimistic estimate, assuming sustained peak productivity from everyone in your organization;
      2. Pessimistic estimate, taking into account the necessary human downtime and the PPM resource waste (see previous slide).
    2. Refine the choices of standard project effort sizes, expressed as percentages of maximum project capacity. As a reminder, this sizing is for the chosen prioritization period, and is independent from the project levels set previously in Activity 2.1.4 and 2.1.5.

    Dedicated work needs dedicated break time

    In a study conducted by the Draugiem Group, the ideal work-to-break ratio for maximizing focus and productivity was 52 minutes of work, followed by 17 minutes of rest (Evans). This translates to 75% of resource capacity yielding productive work, which could inform your optimistic estimate of project capacity.

    INPUT

    • Project capacity (Activity 2.3.2)
    • PPM Current State Scorecard (optional)

    OUTPUT

    • Capacity and demand estimate data for tool use

    Materials

    • Project Intake and Prioritization Tool

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts
    • PMO Admin Staff

    Finish setting up the Project Intake and Prioritization Tool

    2.3.4 Project Intake and Prioritization Tool, Tab 3: Settings

    Enter the scoring criteria, which was worked out from Step 1.1 of the blueprint. This workbook supports up to ten scoring criteria; use of more than ten may make the prioritization step unwieldy.

    A screenshot of Info-Tech's Project Intake and Prioritization Tool Tab 3

    Leave unused criteria rows blank.

    Choose “value” or “execution” from a drop-down.

    Score does not need to add up to 100.

    Finally, set up the rest of the drop-downs used in the next tab, Project Data. These can be customized to fit your unique project portfolio needs.

    A screenshot of Info-Tech's Project Intake and Prioritization Tool Tab 3

    Enter project data into the Project Intake and Prioritization Tool

    2.3.4 Project Intake and Prioritization Tool, Tab 4: Project Data

    A screenshot of Info-Tech's Project Intake and Prioritization Tool Tab 4

    Ensure that each project has a unique name.

    Completed (or cancelled) projects will not be included in prioritization.

    Choose the standard project size defined in the previous tab.

    Change the heading when you customize the workbook.

    Days in Backlog is calculated from the Date Added column.

    A screenshot of Info-Tech's Project Intake and Prioritization Tool Tab 4

    Overall weighted project prioritization score is calculated as a sum of value and execution scores.

    Weighted value and execution scores are calculated according to the scoring criteria table in the 2. Settings tab.

    Enter the raw scores. Weights will be taken into calculation behind the scenes.

    Spaces for unused intake scores will be greyed out. You can enter data, but they will not affect the calculated scores.

    Document your process to maintain resource capacity supply and project demand data

    2.3.4 Estimated Time: 30 minutes

    Review and customize section 4.2, “Maintain Supply and Demand Data” in Info-Tech’s Project Intake, Approval, and Prioritization SOP Template.

    The goal of this activity is to document the process with which the supply and demand information will be updated for projects. Consider the following factors:

    1. Estimates of resource supply: how often will the resource supply be updated? How are you estimating the range (maximum vs. minimum, optimistic vs. pessimistic)? Leverage your existing organizational process assets for resource management.
    2. Updating project data for proposed projects: when and how often will the project valuation scores be updated? Do you have sufficient inputs? Examine the overall project approval process from Step 2.2 of the blueprint, and ensure that sufficient information is available for project valuation (Activity 2.2.3).
    3. Updating project data for ongoing projects: will you prioritize ongoing projects along with proposed projects? When and how often will the project valuation scores be updated? Do you have sufficient inputs?
    4. How will you account for the consumption of resource capacity? Do a rough order of estimate for the resource capacity consumed in this process.
    5. Who will handle exceptions? For example, PMO will maintain this process and will handle any questions or issues that pertain to this part of the process.

    INPUT

    • Organizational process assets for resource management, strategic planning, etc.
    • Activity 2.3.3
    • Activity 2.2.3

    OUTPUT

    • Process steps for refreshing supply and demand data

    Materials

    • SOP Template
    • Project Intake and Prioritization Tool

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts
    • PMO Admin Staff

    Prioritized list of projects shows what fits under available project capacity for realizing maximum value

    2.3.5 Project Intake and Prioritization Tool, Tab 5: Results

    The output of the Project Intake and Prioritization Tool is a prioritized list of projects with indicators to show that their demand on project capacity will fit within the estimated available project capacity for the prioritization period.

    A screenshot of Info-Tech's Project Intake and Prioritization Tool Tab 5

    Status indicates whether the project is proposed or ongoing; completed projects are excluded.

    Disposition indicates the course of recommended action based on prioritization.

    Proposed projects display how long they have been sitting in the backlog.

    Projects highlighted yellow are marked as “deliberate” for their dispositions. These projects pose risks of not getting properly resourced. One must proceed with caution if they are to be initiated or continued.

    Provide better support to decision makers with the prioritized list, and be prepared for their steering

    It is the portfolio manager’s responsibility to provide the project portfolio owners with reliable data and enable them to make well-informed decisions for the portfolio.

    The prioritized list of proposed and ongoing projects, and an approximate indication for how they fill out the estimated available resource capacity, provide a meaningful starting ground for discussion on which projects to continue or initiate, to hold, or to proceed with caution.

    However, it is important to recognize the limitation of the prioritization methodology. There may be legitimate reasons why some projects should be prioritized over another that the project valuation method does not successfully capture. At the end of the day, it’s the prerogative of the portfolio owners who carry on the accountabilities to steer the portfolio.

    The portfolio manager has a responsibility to be prepared for reconciling the said steering with the unchanged available resource capacity for project work. What comes off the list of projects to continue or initiate? Or, will we outsource capacity if we must meet irreconcilable demand? The next slide will show how Info-Tech’s tool helps you with this process.

    Info-Tech Best Practice

    Strive to become the best co-pilot. Constantly iterate on the scoring criteria to better adapt to the portfolio owners’ preference in steering the project portfolio.

    Manipulate the prioritized list with the Force Disposition list

    2.3.5 Project Intake and Prioritization Tool, Tab 5: Results

    The Force Disposition list enables you to inject subjective judgment in project prioritization. Force include and outsource override project prioritization scores and include the projects for approval:

    • Force include counts the project demand against capacity.
    • Outsource, on the other hand, does not count the project demand.
    • Force exclude removes a project from prioritized list altogether, without deleting the row and losing its data.

    A screenshot of Info-Tech's Project Intake and Prioritization Tool Tab 5

    Choose a project name and a disposition using a drop-down.

    Use this list to test out various scenarios, useful for what-if analysis.

    A screenshot of Info-Tech's Project Intake and Prioritization Tool Tab 5

    Document your process to formally make disposition recommendations to appropriate decision-making party

    2.3.5 Estimated Time: 60 minutes

    Review and customize section 4.3, “Approve projects for initiation or continuation” in Info-Tech’s Project Intake, Approval, and Prioritization SOP Template.

    The goal of this activity is to formalize the process of presenting the prioritized list of projects for review, modify the list based on steering decisions, and obtain the portfolio owners’ approval for projects to initiate or continue, hold, or terminate. Consider the following factors:

    1. Existing final approval process: what are the new injections to the current decision-making process for final approval?
    2. Meeting prep, agenda, and follow-up: what are the activities that must be carried out by PMO / portfolio manager to support the portfolio decision makers and obtain final approval?
    3. “Deliberate” projects: what additional information should portfolio owners be presented with, in order to deliberate on the projects at risk of being not properly resourced? For example, consider a value-execution plot (right).

    A screenshot of Info-Tech's Project Intake and Prioritization Tool Tab 5

    INPUT

    • Approval process steps (Activity 2.2.2)
    • Steering Committee process documentation

    OUTPUT

    • Activities for supporting the decision-making body

    Materials

    • SOP Template
    • Project Intake and Prioritization Tool

    Participants

    • CIO
    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts

    Once a project is approved, pass that which is known on to those responsible for downstream processes

    Aim to be responsible stewards of important and costly information developed throughout project intake, approval, and prioritization processes.

    Once the proposed project is given a green light, the project enters an initiation phase.

    No matter what project management methodology is employed, it is absolutely vital to pass on the knowledge gained and insights developed through the intake, approval, and prioritization processes. This ensures that the project managers and team are informed of the project’s purpose, business benefits, rationale for the project approval, etc. and be able to focus their efforts in realizing the project’s business goals.

    Recognize that this does not aim to create any new artifacts. It is simply a procedural safeguard against the loss of important and costly information assets for your organization.

    A flowchart is shown as an example of business documents leading to the development of a project charter.

    Information from the intake process directly feeds into, for example, developing a project charter.

    Source: PMBOK, 6th edition

    "If the project manager can connect strategy to the project they are leading (and therefore the value that the organization desires by sanctioning the project), they can ensure that the project is appropriately planned and managed to realize those benefits."

    – Randall T. Black, P.Eng., PMP; source: PMI Today

    Examine the new project intake workflow as a whole and document it in a flow chart

    2.3.6 Estimated Time: 30-60 minutes

    Review and customize section 4.1, “Project Prioritization Workflow” in Info-Tech’s Project Intake, Approval, and Prioritization SOP Template.

    In Step 1.2 of the blueprint, you mapped out the current project intake, approval, and prioritization workflow and documented it in a flow chart. In this step, take the time to examine the new project intake process as a whole, and document the new workflow in the form of a flow chart.

    1. Collect and update supply and demand data
    2. Prioritize project demand by value
    3. Approve projects for initiation or continuation
    4. Manage a realistically defined project portfolio

    Consider the following points:

    1. Are the inputs and outputs of each step clear? Who’s doing the work? How long will each step take, on average?
    2. Is the ownership of each step clear? How will we ensure a smooth handoff between each step and prevent requests from falling through the cracks?

    INPUT

    • New process steps for project prioritization (Activities 2.3.x-y)

    OUTPUT

    • Flowchart representation of new project prioritization workflow

    Materials

    • Microsoft Visio, flowchart software, or Microsoft PowerPoint

    Participants

    • CIO
    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts

    Leverage Info-Tech’s other blueprints to complement your project prioritization processes

    The project capacity estimates overlook a critical piece of the resourcing puzzle for the sake of simplicity: skills. You need the right skills at the right time for the right project.

    Use Info-Tech’s Balance Supply and Demand with Realistic Resource Management Practices blueprint to enhance the quality of information on your project supply.

    A screenshot of Info-Tech's Balance Supply and Demand with Realistic Resource Management Practices blueprint.

    There is more to organizing your project portfolio than a strict prioritization by project value. For example, as with a financial investment portfolio, project portfolio must achieve the right investment mix to balance your risks and leverage opportunities.

    Use Info-Tech’s Maintain an Organized Portfolio blueprint to refine the makeup of your project portfolio.

    A screenshot of Info-Tech's Maintain an Organized Portfolio blueprint.

    Continuous prioritization of projects allow organizations to achieve portfolio responsiveness.

    Use Info-Tech’s Manage an Agile Portfolio blueprint to take prioritization of your project portfolio to the next level.

    A screenshot of Info-Tech's Manage an Agile Portfolio blueprint

    46% of organizations use a homegrown PPM solution. Info-Tech’s Grow Your Own PPM Solution blueprint debuts a spreadsheet-based Portfolio Manager tool that provides key functionalities that integrates those of the Intake and Prioritization Tool with resource management, allocation and portfolio reporting capabilities.

    A screenshot of Info-Tech's Grow Your Own PPM Solution blueprint

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    A picture of an Info-Tech analyst is shown.

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    2.1.2-6

    A screenshot of activities 2.1.2-6 is shown.

    Optimize your process to receive, triage, and follow up on project requests

    Discussion on decision points and topics of consideration will be facilitated to leverage the diverse viewpoints amongst the workshop participants.

    2.3.2-5

    A screenshot of activities 2.3.2-5 is shown.

    Set up a capacity-informed project prioritization process using Info-Tech’s Project Intake and Prioritization Tool

    A table-top planning exercise helps you visualize the current process in place and identify opportunities for optimization.

    Phase 3

    Integrate the New Optimized Processes into Practice

    Phase 3 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 3: Integrate the New Optimized Processes into Practice

    Proposed Time to Completion: 6-12 weeks

    Step 3.1: Pilot your process to refine it prior to rollout

    Start with an analyst kick-off call:

    • Review the proposed intake, approval, and prioritization process

    Then complete these activities…

    • Select receptive stakeholders to work with
    • Define the scope of your pilot and determine logistics
    • Document lessons learned and create an action plan for any changes

    With these tools & templates:

    • Process Pilot Plan
    • Project Backlog Manager Job Description

    Step 3.2: Analyze the impact of organizational change

    Review findings with analyst:

    • Results of the process pilot and the finalized intake SOP
    • Key PPM stakeholders
    • Current organizational climate

    Then complete these activities…

    • Analyze the stakeholder impact and responses to impending organizational change
    • Create message canvases for at-risk change impacts and stakeholders to create an effective communication plan

    With these tools & templates:

    • Intake Process Implementation Impact Analysis Tool

    Phase 3 Results & Insights:

    • Engagement paves the way for smoother adoption. An “engagement” approach (rather than simply “communication”) turns stakeholders into advocates who can help boost your message, sustain the change, and realize benefits without constant intervention or process command-and-control.

    Step 3.1: Pilot your intake, approval, and prioritization process to refine it before rollout

    PHASE 1 PHASE 2 PHASE 3

    1.1

    Define project valuation criteria

    1.2

    Envision process target state

    2.1

    Streamline intake

    2.2

    Right-size approval steps

    2.3

    Prioritize projects to fit resource capacity

    3.1

    Pilot your optimized process

    3.2

    Communicate organizational change

    This step will walk you through the following activities:

    • Select receptive managers to work with during your pilot
    • Define the scope of your pilot and determine logistics
    • Plan to obtain feedback, document lessons learned, and create an action plan for any changes
    • Finalize Project Intake, Approval, and Prioritization SOP

    This step involves the following participants:

    • PMO Director / Portfolio Manager
    • Project Managers
    • Business Analysts

    Outcomes of this step

    • A pilot team
    • A process pilot plan that defines the scope, logistics, and process for retrospection
    • Project Backlog Manager job description
    • Finalized Project Intake, Approval, and Prioritization SOP for rollout

    Pilot your new processes to test feasibility and address issues before a full deployment

    Adopting the right set of practices requires a significant degree of change that necessitates buy-in from varied stakeholders throughout IT and the business.

    Rome wasn’t built in a day. Similarly, benefits of optimized project intake, approval, and prioritization process will not be realized overnight.

    Resist the urge to deploy a big-bang roll out of your new intake practices. The approach is ill advised for two main reasons:

    • It will put more of a strain on the implementation team in the near term, with a larger pool of end users to train and collect data from.
    • Putting untested practices in a department-wide spotlight could lead to mass confusion in the near-term and color the new processes in a negative light, leading to a loss of stakeholder trust and engagement right out-of-the-gate.

    Start with a pilot phase. Identify receptive lines of business and IT resources to work with, and leverage their insights to help iron out the kinks in your process before unveiling your practices to IT and all business users at large.

    This step will help you to:

    • Plan and execute a pilot of the processes we developed in Phase 2.
    • Incorporate the lessons learned from that pilot to strengthen your SOP and ease the communication process.

    Info-Tech Insight

    Engagement paves the way for smoother adoption. An “engagement” approach (rather than simply “communication”) turns stakeholders into advocates who can help boost your message, sustain the change, and realize benefits without constant intervention or process command-and-control.

    Plan your pilot like you would any project to ensure it’s well defined and its goals are clearly articulated

    Use Info-Tech’s Intake Process Pilot Plan Template to help define the scope of your pilot and set appropriate goals for the test-run of your new processes.

    A process pilot is a limited scope of an implementation (constrained by time and resources involved) in order to test the viability and effectiveness of the process as it has been designed.

    • Investing time and energy into a pilot phase can help to lower implementation risk, enhance the details and steps within a process, and improve stakeholder relations prior to a full scale rollout.
    • More than a dry run, however, a pilot should be approached strategically, and planned out to limit the scope of it and achieve specific outcomes.
    • Leverage a planning document to ensure your process pilot is grounded in a common set of definitions, that the pilot is delivering value and insight, and that ultimately the pilot can serve as a starting point for a full-scale process implementation.

    Download Info-Tech’s Process Pilot Plan Template

    A screenshot of Info-Tech's Process Pilot Plan Template is shown.

    "The advantages to a pilot are several. First, risk is constrained. Pilots are closely monitored so if a problem does occur, it can be fixed immediately. Second, the people working in the pilot can become trainers as you roll the process out to the rest of the organization. Third, the pilot is another opportunity for skeptics to visit the pilot process and learn from those working in it. There’s nothing like seeing a new process working for people to change their minds."

    Daniel Madison

    Select receptive stakeholders to work with during your pilot

    3.1.1 Estimated Time: 20-60 minutes

    Info-Tech recommends selecting PPM stakeholders who are aware of your role and some of the challenges in project intake, approval, and prioritization to assist in the implementation process.

    1. If receptive PPM stakeholders are known, schedule a 15-minute meeting with them to inquire if they would be willing to be part of the pilot process.
    2. If receptive project managers are not known, use Info-Tech’s Stakeholder Engagement Workbook to conduct a formal selection process.
      1. Enter a list of potential participants for pilot in tab 3.
      2. Rate project managers in terms of influence, pilot interest, and potential deployment contribution within tab 4.
      3. Review tab 5 in the workbook. Receptive PPM stakeholders will appear in the top quadrants. Ideal PPM stakeholders for the pilot are located in the top right quadrant of the graph.

    A screenshot of Info-Tech's Stakeholder Engagement Workbook Tab 5 is shown.

    INPUT

    • Project portfolio management stakeholders (Activity 1.2.3)

    OUTPUT

    • Pilot project team

    Materials

    • Stakeholder Engagement Workbook
    • Process Pilot Plan Template

    Participants

    • PMO Director/ Portfolio Manager
    • CIO (optional)

    Document the PPM stakeholders involved in your pilot in Section 3 of Info-Tech’s Process Pilot Plan Template.

    Define the scope of your pilot and determine logistics

    3.1.2 Estimated Time: 60-90 minutes

    Use Info-Tech’s Process Pilot Plan Template to design the details of your pilot.

    Investing time into planning your pilot phase strategically will ensure a clear scope, better communications for those piloting the processes, and – overall – better, more actionable results for the pilot phase. The Pilot Plan Template is broken into five sections to assist in these goals:

    • Pilot Overview and Scope
    • Success and Risk Factors
    • Stakeholders Involved and Communications Plan
    • Pilot Retrospective and Feedback Protocol

    The duration of your pilot should go at least one prioritization period, e.g. one to two quarters.

    Estimates of time commitments should be captured for each stakeholder. During the retrospective at the end of the pilot you should capture actuals to help determine the time-cost of the process itself and measure its sustainability.

    Once the Plan Template is completed, schedule time to share and communicate it with the pilot team and executive sponsors of the process.

    While you should invest time in this planning document, continue to lean on the Intake, Approval, and Prioritization SOP throughout the pilot phase.

    INPUT

    • Sections 1 through 4 of the Process Pilot Plan Template

    OUTPUT

    • A process pilot plan

    Materials

    • Process Pilot Plan Template

    Participants

    • PMO Director / Portfolio Manager
    • Project Managers
    • Business Analysts
    • CIO (optional)

    Execute your pilot and prepare to make process revisions before the full rollout

    Hit play! Begin the process pilot and get familiar with the work routine and resource management solution.

    Some things to keep in mind during the pilot include:

    • Depending on the solution you are using, you will likely need to spend one day or less to populate the tool. During the pilot, measure the time and effort required to manage the data within the tool. Determine whether time and effort required is viable on an ongoing basis (i.e. can you do it every month or quarter) and has value.
    • Meet with the pilot team and other stakeholders regularly during the pilot, at least biweekly. Allow the team (and yourself) to speak honestly and openly about what isn’t working. The pilot is your chance to make things better.
    • Keep notes about what will need to change in the SOP. For major changes, you may have to tweak the process during the pilot itself. Update the process documents as needed and communicate the changes and why they’re being made. If required, update the scope of the pilot in the Pilot Plan Template.
    An example is shown on how to begin the process pilot and getting familiar with the work routine and resource management solution.

    Obtain feedback from the pilot group to improve your processes before a wider rollout

    3.1.3 Estimated Time: 30 minutes

    Pilot projects allow you to validate your assumptions and leverage lessons learned. During the planning of the pilot, you should have scheduled a retrospective meeting with the pilot team to formally assess strengths and weaknesses in the process you have drafted.

    • Schedule the retrospective shortly after the pilot is completed. Info-Tech recommends performing a Stop/Start/Continue meeting with pilot participants to obtain and capture feedback.
    • Have members of the meeting record any processes/activities on sticky notes that should:
      • Stop: because they are ineffective or not useful
      • Start: because they would be useful for the tool and have not been incorporated into current processes
      • Continue: because they are useful and positively contribute to intended process outcomes.

    An example of how to structure a Stop/Start/Continue activity on a whiteboard using sticky notes.

    An example of stop, start, and continue is activity is shown.

    INPUT

    • What’s working and what isn’t in the process

    OUTPUT

    • Ideas to improve process

    Materials

    • Whiteboard
    • Sticky notes
    • Process Pilot Plan Template

    Participants

    • Process owner (PMO director or portfolio owner)
    • Pilot team

    See the following slide for additional instructions.

    Document lessons learned and create an action plan for any changes to the processes

    3.1.4 Estimated Time: 30 minutes

    An example of stop, start, and continue is activity is shown.

    As a group, discuss everyone’s responses and organize according to top priority (mark with a 1) and lower priority/next steps (mark with a 2). At this point, you can also remove any sticky notes that are repetitive or no longer relevant.

    Once you have organized based on priority, be sure to come to a consensus with the group regarding which actions to take. For example, if the group agrees that they should “stop holding meetings weekly,” come to a consensus regarding how often meetings will be held, i.e. monthly.

    Priority Action Required Who is Responsible Implementation Date
    Stop: Holding meetings weekly Hold meetings monthly Jane Doe, PMO Next Meeting: August 1, 2017
    Start: Discussing backlog during meetings Ensure that backlog data is up to date for discussion on date of next meeting. John Doe, Portfolio Manager August 1, 2017

    Create an action plan for the top priority items that require changes (the Stops and Starts). Record in this slide, or your preferred medium. Be sure to include who is responsible for the action and the date that it will be implemented.

    Document the outcomes of the start/stop/continue and your action plan in Section 6 of Info-Tech’s Process Pilot Plan Template.

    Use Info-Tech’s Backlog Manager Job Description Template to help fill any staffing needs around data maintenance

    3.1 Project Backlog Manager Job Description

    You will need to determine responsibilities and accountabilities for portfolio management functions within your team.

    If you do not have a clearly identifiable portfolio manager at this time, you will need to clarify who will wear which hats in terms of facilitating intake and prioritization, high-level capacity awareness, and portfolio reporting.

    • Use Info-Tech’s Project Backlog Manager job description template to help clarify some of the required responsibilities to support your intake, approval, and prioritization strategy.
      • If you need to bring in an additional staff member to help support the strategy, you can customize the job description template to help advertise the position. Simply edit the text in grey within the template.
    • If you have other PPM tasks that you need to define responsibilities for, you can use the RASCI chart on the final tab of the PPM Strategy Development Tool.

    Download Info-Tech’s Project Backlog Manager job description template.

    A screenshot of Info-Tech's Project Backlog Manager template is shown.

    Finalize the Intake, Approval, and Prioritization SOP and prepare to communicate your processes

    Once you’ve completed the pilot process and made the necessary tweaks, you should finalize your Intake, Approval, and Prioritization SOP and prepare to communicate it.

    Update section 1.2, “Overall Process Workflow” in Info-Tech’s Project Intake, Approval, and Prioritization SOP Template with the new process flow.

    Revisit your SOP from Phase 2 and ensure it has been updated to reflect the process changes that were identified in activity 3.1.4.

    • If during the pilot process the data was too difficult or time consuming to maintain, revisit the dimensions you have chosen and choose dimensions that are easier to accurately maintain. Tweak your process steps in the SOP accordingly.
    • In the long term, if you are not observing any progress toward achieving your success criteria, revisit the impact analysis that we’ll prepare in step 3.2 and address some of these inhibitors to organizational change.

    Download Info-Tech’s Project Intake, Approval, and Prioritization SOP template.

    A screenshot of Info-Tech's Project Intake, Approval, and Prioritization SOP template.

    Info-Tech Best Practice

    Make your SOP high impact. SOPs are often at risk of being left unmaintained and languishing in disuse. Improve the SOP’s succinctness and usability by making it visual; consult Info-Tech’s blueprint, Create Visual SOP Documents that Drive Process Optimization, Not Just Peace of Mind.

    Step 3.2: Analyze the impact of organizational change through the eyes of PPM stakeholders to gain their buy-in

    PHASE 1 PHASE 2 PHASE 3

    1.1

    Define project valuation criteria

    1.2

    Envision process target state

    2.1

    Streamline intake

    2.2

    Right-size approval steps

    2.3

    Prioritize projects to fit resource capacity

    3.1

    Pilot your optimized process

    3.2

    Communicate organizational change

    This step will walk you through the following activities:

    • Analyze the stakeholder impact and responses to impending organizational change
    • Create message canvases for at-risk change impacts and stakeholders
    • Set the course of action for communicating changes to your stakeholders

    This step involves the following participants:

    • PMO Director / Portfolio Manager
    • Project Managers
    • Business Analysts

    Outcomes of this step

    • A thorough organizational change impact analysis, based on Info-Tech’s expertise in organizational change management
    • Message canvases and communication plan for your stakeholders
    • Go-live for the new intake, approval, and prioritization process

    Manage key PPM stakeholders and communicate changes

    • Business units: Projects are undertaken to provide value to the business. Senior management from business units must help define how project will be valued.
    • IT: IT must ensure that technical/practical considerations are taken into account when determining project value.
    • Finance: The CFO or designated representative will ensure that estimated project costs and benefits can be used to manage the budget.
    • PMO: PMO is the administrator of the project portfolio. PMO must provide coordination and support to ensure the process operates smoothly and its goals are realized.
    • Business analysts: BAs carry out the evaluation of project value. Therefore, their understanding of the evaluation criteria and the process as a whole are critical to the success of the process.
    • Project sponsors: Project sponsors are accountable for the realization of benefits for which projects are undertaken.

    Impacts will be felt differently by different stakeholders and stakeholder groups

    As you assess change impacts, keep in mind that no impact will be felt the same across the organization. Depth of impact can vary depending on the frequency (will the impact be felt daily, weekly, monthly?), the actions necessitated by it (e.g. will it change the way the job is done or is it simply a minor process tweak?), and the anticipated response of the stakeholder (support, resistance, indifference?).

    Use the Organizational Change Depth Scale below to help visualize various depths of impact. The deeper the impact, the tougher the job of managing change will be.

    Procedural Behavioral Interpersonal Vocational Cultural
    Procedural change involves changes to explicit procedures, rules, policies, processes, etc. Behavioral change is similar to procedural change, but goes deeper to involve the changing tacit or unconscious habits. Interpersonal change goes beyond behavioral change to involve changing relationships, teams, locations, reporting structures, and other social interactions. Vocational change requires acquiring new knowledge and skills, and accepting the loss or decline in the value or relevance of previously acquired knowledge and skills. Cultural change goes beyond interpersonal and vocational change to involve changing personal values, social norms, and assumptions about the meaning of good vs. bad or right vs. wrong.
    Example: providing sales reps with mobile access to the CRM application to let them update records from the field. Example: requiring sales reps to use tablets equipped with a custom mobile application for placing orders from the field. Example: migrating sales reps to work 100% remotely. Example: migrating technical support staff to field service and sales support roles. Example: changing the operating model to a more service-based value proposition or focus.

    Perform a change impact analysis to maximize the chances of adoption for the new intake process

    Invest time and effort to analyze the impact of change to create an actionable stakeholder communication plan that yields the desirable result: adoption.

    Info-Tech’s Drive Organizational Change from the PMO blueprint offers the OCM Impact Analysis Tool to helps document the change impact across multiple dimensions, enabling the project team to review the analysis with others to ensure that the most important impacts are captured.

    This tool has been customized for optimizing project intake, approval, and prioritization process to deliver the same result in a more streamlined way. The next several slides will take you through the activities to ultimately create an OCM message canvas and a communication plan for your key stakeholders.

    Download Info-Tech’s Intake and Prioritization Impact Analysis Tool.

    A screenshot of Info-Tech's Intake and Prioritization Impact Analysis Tool is shown.

    "As a general principle, project teams should always treat every stakeholder initially as a recipient of change. Every stakeholder management plan should have, as an end goal, to change recipients’ habits or behaviors."

    -PMI, 2015

    Set up the Intake Process and Prioritization Impact Analysis Tool

    3.2.1 Intake and Prioritization Impact Analysis Tool, Tab 2-3

    In Tab 2, enter your stakeholders’ names. Represent stakeholders as a group if you expect the impact of change on them to be reasonably uniform, as well as their anticipated responses. Otherwise, consider adding them as individuals or subgroups.

    A screenshot of Info-Tech's Intake and Prioritization Impact Analysis Tool, Tab 2 is shown.

    In Tab 3, enter whether you agree or disagree with each statement that represents an element of organizational change that be introduced as the newly optimized intake process is implemented.

    As a result of the change initiative in question:

    A screenshot of Info-Tech's Intake and Prioritization Impact Analysis Tool, Tab 3 is shown.

    Analyze the impact and the anticipated stakeholder responses of each change

    3.2.1 Intake and Prioritization Impact Analysis Tool, Tab 4: Impact Analysis Inputs

    Each change statement that you agreed with in Tab 3 are listed here in Tab 4 of the Intake and Prioritization Impact Analysis Tool. For each stakeholder, estimate and enter the following data:

    1. Frequency of the Impact: how often will the impact of the change be felt?
    2. Effort Associated with Impact: what is the demand on a stakeholder’s effort to implement the change?
    3. Anticipated Response: rate from enthusiastic response to active subversion. Honest and realistic estimates of anticipated responses are critical to the rest of the impact analysis.
    A screenshot of Info-Tech's Intake and Prioritization Impact Analysis Tool, Tab 4 is shown.

    Analyze the stakeholder impact and responses to impending organizational change as a group

    3.2.1 Estimated Time: 60-90 minutes

    Divide and conquer. Leverage the group to get through the seemingly daunting amount of work involved with impact analysis.

    1. Divide the activity participants into subgroups and assign a section of the impact analysis. It may be helpful to do one section together as a group to make sure everyone is roughly on the same page for assessing impact.
    2. Suggested ways to divide up the impact analysis include:

    • By change impact. This would be suitable when the process owners (or would-be process owners) are available and participating.
    • By stakeholders. This would be suitable for large organizations where the activity participants know some stakeholders better than others.

    Tip: use a spreadsheet tool that supports multi-user editing (e.g. Google Sheets, Excel Online).

  • Aggregate the completed work and benchmark one another’s analysis by reviewing them with the entire group.
  • INPUT

    • Organizational and stakeholder knowledge
    • Optimized intake process

    OUTPUT

    • Estimates of stakeholder-specific impact and response

    Materials

    • Intake and Prioritization Impact Analysis Tool

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts

    Info-Tech Insight

    Beware of bias. Groups are just as susceptible to producing overly optimistic or pessimistic analysis as individuals, just in different ways. Unrealistic change impact analysis will compromise your chances of arriving at a reasonable, tactful stakeholder communication plan.

    Examine your impact analysis report

    3.2.2 Intake and Prioritization Impact Analysis Tool, Tab 5: Impact Analysis Outputs

    These outputs are based on the impacts you analyzed in Tab 4 of the tool (Activity 3.2.1). They are organized in seven sections:

    1. Top Five Highest Risk Impacts, based on the frequency and effort inputs across all impacts.
    2. Overall Process Adoption Rating (top right), showing the overall difficulty of this change given likelihood/risk that the stakeholders involved will absorb the anticipated change impacts.
    3. Top Five Most Impacted Stakeholders, based on the frequency and effort inputs across all impacts.
    4. Top Five Process Supporters and;
    5. Top Five Process Resistors, based on the anticipated response inputs across all impacts.
    6. Impact Register (bottom right): this list breaks down each change’s likelihood of adoption.
    7. Potential Impacts to Watch Out For: this list compiles all of the "Don't Know" responses from Tab 3.
    A screenshot of Info-Tech's Intake and Prioritization Impact Analysis Tool, Tab 5 is shown. It shows Section 2. Overall process adoption rating. A screenshot of Info-Tech's Intake and Prioritization Impact Analysis Tool, Tab 5 is shown. It shows Section 6. Impact Register.

    Tailor messages for at-risk change impacts and stakeholders with Info-Tech’s Message Canvas

    3.2.2 Intake and Prioritization Impact Analysis Tool, Tab 6: Message Canvas

    Use Info-Tech’s Message Canvas on this tab to help rationalize and elaborate the change vision for each group.

    Elements of a Message Canvas

    • Why is there a need for this process change?
    • What will be new for this audience?
    • What will go away for this audience?
    • What will be meaningfully unchanged for this audience?
    • How will this change benefit this audience?
    • When and how will the benefits be realized for this audience?
    • What does this audience have to do for this change to succeed?
    • What does this audience have to stop doing for this change to succeed?
    • What should this audience continue doing?
    • What support will this audience receive to help manage the transition?
    • What should this audience expect to do/happen next?

    A screenshot of Info-Tech's Intake and Prioritization Impact Analysis Tool, Tab 6 is shown.

    Info-Tech Insight

    Change thy language, change thyself.

    Jargon, acronyms, and technical terms represent deeply entrenched cultural habits and assumptions.

    Continuing to use jargon or acronyms after a transition tends to drag people back to old ways of thinking and working.

    You don’t need to invent a new batch of buzzwords for every change (nor should you), but every change is an opportunity to listen for words and phrases that have lost their meaning through overuse and abuse.

    Create message canvases for at-risk change impacts and stakeholders as a group

    3.2.2 Estimated Time: 90-120 minutes

    1. Decide on the number of message canvases to complete. This will be based on the number of at-risk change impacts and stakeholders.
    2. Divide the activity participants into subgroups and assign a section of the message canvas. It may be helpful to do one section together as a group to make sure everyone is roughly on the same page for assessing impact.
    3. Aggregate the completed work and benchmark the message canvases amongst subgroups.

    Remember these guidelines to help your messages resonate:

    • People are busy and easily distracted. Tell people what they really need to know first, before you lose their attention.
    • Repetition is good. Remember the Aristotelian triptych: “Tell them what you’re going to tell them, then tell them, then tell them what you told them.”
    • Don’t use technical terms, jargon, or acronyms. Different groups in organizations tend to develop specialized vocabularies. Everybody grows so accustomed to using acronyms and jargon every day that it becomes difficult to notice how strange it sounds to outsiders. This is especially important when IT communicates with non-technical audiences. Don’t alienate your audience by talking at them in a strange language.
    • Test your message. Run focus groups or deliver communications to a test audience (which could be as simple as asking 2–3 people to read a draft) before delivering messages more broadly.

    – Info-Tech Blueprint, Drive Organizational Change from the PMO

    INPUT

    • Impact Analysis Outputs
    • Organizational and stakeholder knowledge

    OUTPUT

    • Estimates of stakeholder-specific impact and response

    Materials

    • Intake and Prioritization Impact Analysis Tool

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts

    Distill the message canvases into a comprehensive communication plan

    3.2.3 Intake and Prioritization Impact Analysis Tool, Tab 7: Communication Plan

    The communication plan creates an action plan around the message canvases to coordinate the responsibilities of delivering them, so the risks of “dropping the ball” on your stakeholders are minimized.

    A screenshot of Info-Tech's Intake and Prioritization Impact Analysis Tool, Tab 7: Communication is shown.

    1. Choose a change impact from a drop-down menu.

    2. Choose an intended audience...

    … and the message canvas to reference.

    3. Choose the method of delivery. It will influence how to craft the message for the stakeholder.

    4. Indicate who is responsible for creating and communicating the message.

    A screenshot of Info-Tech's Intake and Prioritization Impact Analysis Tool, Tab 7: Communication is shown.

    5. Briefly indicate goal of the communication and the likelihood of success.

    6. Record the dates to plan and track the communications that take place.

    Set the course of action for communicating changes to your stakeholders

    3.2.2 Estimated Time: 90-120 minutes

    1. Divide the activity participants into subgroups and assign communication topics to each group. There should be one communication topic for each change impact. Based on the message canvas, create a communication plan draft.
    2. Aggregate the completed work and benchmark the communication topic amongst subgroups.
    3. Share the finished communication plan with the rest of the working group. Do not share this file widely, but keep it private within the group.

    Identify critical points in the change curve:

    1. Honeymoon of “Uninformed Optimism”: There is usually tentative support and even enthusiasm for change before people have really felt or understood what it involves.
    2. Backlash of “Informed Pessimism” (leading to “Valley of Despair”): As change approaches or begins, people realize they’ve overestimated the benefits (or the speed at which benefits will be achieved) and underestimated the difficulty of change.
    3. Valley of Despair and beginning of “Hopeful Realism”: Eventually, sentiment bottoms out and people begin to accept the difficulty (or inevitability) of change.
    4. Bounce of “Informed Optimism”: People become more optimistic and supportive when they begin to see bright spots and early successes.
    5. Contentment of “Completion”: Change has been successfully adopted and benefits are being realized.

    Based on Don Kelley and Daryl Conner’s Emotional Cycle of Change.

    INPUT

    • Change impact analysis results
    • Message canvases
    • List of stakeholders

    OUTPUT

    • Communication Plan

    Materials

    • Intake and Prioritization Impact Analysis Tool

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts

    Roll out the optimized intake, approval, and prioritization process, and continually monitor adoption and success

    As you implement your new project intake process, familiarize yourself with common barriers and challenges.

    There will be challenges to watch for in evaluating the effectiveness of your intake processes. These may include circumvention of process by key stakeholders, re-emergence of off-the-grid projects and low-value initiatives.

    As a quick and easy way to periodically assess your processes, consider the following questions:

    • Are you confident that all work in progress is being tracked via the project list?
    • Are your resources all currently working on high-value initiatives?
    • Since optimizing, have you been able to deliver (or are you on target to deliver) all that has been approved, with no initiatives in states of suspended animation for long periods of time?
    • Thanks to sufficient portfolio visibility and transparency into your capacity, have you been able to successfully decline requests that did not add value or that did not align with resourcing?

    If you answer “no” to any of these questions after a sufficient post-implementation period (approximately six to nine months, depending on the scope of your optimizing), you may need to tweak certain aspects of your processes or seek to align your optimization with a lower capability level in the short term.

    Small IT department struggles to optimize intake and to communicate new processes to stakeholders

    CASE STUDY

    Industry: Government

    Source: Info-Tech Client

    Challenge

    There is an IT department for a large municipal government. Possessing a relatively low level of PPM maturity, IT is in the process of establishing more formal intake practices in order to better track, and respond to, project requests. New processes include a minimalist request form (sent via email) coupled with more thorough follow-up from BAs and PMs to determine business value, ROI, and timeframes.

    Solution

    Even with new user-friendly processes in place, IT struggles to get stakeholders to adopt, especially with smaller initiatives. These smaller requests frequently continue to come in outside of the formal process and, because of this, are often executed outside of portfolio oversight. Without good, reliable data around where staff time is spent, IT lacks the authority to decline new requests.

    Results

    IT is seeking further optimization through better communication. They are enforcing discipline on stakeholders and reiterating that all initiatives, regardless of size, need to be directed through the process. IT is also training its staff to be more critical. “Don’t just start working on an initiative because a stakeholder asks.” With staff being more critical and directing requests through the proper queues, IT is getting better at tracking and prioritizing requests.

    "The biggest challenge when implementing the intake process was change management. We needed to shift our focus from responding to requests to strategically thinking about how requests should be managed. The intake process allows the IT Department to be transparent to customers and enables decision makers."

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    A picture of an Info-Tech analyst is shown.

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    3.1.1

    A screenshot of activity 3.1.1 is shown

    Select receptive stakeholders to work with during your pilot

    Identify the right team of supportive PPM stakeholders to carry out the process pilot. Strategies to recruit the right people outside the workshop will be discussed if appropriate.

    3.2.1

    A screenshot of activity 3.2.1 is shown.

    Analyze the stakeholder impact and responses to impending organizational change

    Carry out a thorough analysis of change impact in order to maximize the effectiveness of the communication strategy in support of the implementation of the optimized process.

    Insight breakdown

    Insight 1

    • The overarching goal of optimizing project intake, approval, and prioritization process is to maximize the throughput of the best projects. To achieve this goal, one must have a clear way to determine what are “the best” projects.

    Insight 2

    • Info-Tech’s methodology systemically fits the project portfolio into its triple constraint of stakeholder needs, strategic objectives, and resource capacity to effectively address the challenges of establishing organizational discipline for project intake.

    Insight 3

    • Engagement paves the way for smoother adoption. An “engagement” approach (rather than simply “communication”) turns stakeholders into advocates who can help boost your message, sustain the change, and realize benefits without constant intervention or process command-and-control.

    Summary of accomplishment

    Knowledge Gained

    • Triple constraint model of project portfolio: stakeholder needs, strategic objectives, and resource capacity
    • Benefits of optimizing project intake, approval, and prioritization for managing a well-behaved project portfolio
    • Challenges of installing well-run project intake
    • Importance of piloting the process and communicating impacts to stakeholders

    Processes Optimized

    • Project valuation process: scorecard, weights
    • Project intake process: reception, triaging, follow-up
    • Project approval process: steps, accountabilities, deliverables
    • Project prioritization process: estimation of resource capacity for projects, project demand
    • Communication for organizational change

    Deliverables Completed

    • Optimized Project Intake, Approval, and Prioritization Process
    • Documentation of the optimized process in the form of a Standard Operating Procedure
    • Project valuation criteria, developed with Project Value Scorecard Development Tool and implemented through the Project Intake and Prioritization Tool
    • Standardized project request form with right-sized procedural friction
    • Standard for project level classification, implemented through the Project Intake Classification Matrix
    • Toolbox of deliverables for capturing information developed to inform decision makers for approval: Benefits Commitment Form, Technology Assessment Tool, Business Case Templates
    • Process pilot plan
    • Communication plan for organizational change, driven by a thorough analysis of change impacts on key stakeholders using the Intake and Prioritization Impact Analysis Tool

    Research contributors and experts

    Picture of Kiron D. Bondale

    Kiron D. Bondale, PMP, PMI - RMP

    Senior Project Portfolio & Change Management Professional

    A placeholder photo is shown here.

    Scot Ganshert, Portfolio Group Manager

    Larimer County, CO

    Picture of Garrett McDaniel

    Garrett McDaniel, Business Analyst II – Information Technology

    City of Boulder, CO

    A placeholder photo is shown here.

    Joanne Pandya, IT Project Manager

    New York Property Insurance Underwriters

    Picture of Jim Tom.

    Jim Tom, CIO

    Public Health Ontario

    Related Info-Tech research

    A screenshot of Info-Tech's Develop a Project Portfolio Management Strategy blueprint

    Develop a Project Portfolio Management Strategy blueprint"

    A screenshot of Info-Tech's Grow Your Own PPM Solution blueprint is shown.

    Grow Your Own PPM Solution

    A screenshot of Info-Tech's Balance Supply and Demand with Realistic Resource Management Practices blueprint is shown.

    Balance Supply and Demand with Realistic Resource Management Practices

    A screenshot of Info-Tech's Maintain an Organized Portfolio blueprint is shown.

    Maintain an Organized Portfolio

    A screenshot of Info-Tech's Manage a Minimum Viable PMO blueprint is shown.

    Manage a Minimum Viable PMO

    A screenshot of Info-Tech's Establish the Benefits Realization Process blueprint is shown.

    Establish the Benefits Realization Process

    A screenshot of Info-Tech's Manage an Agile Portfolio blueprint is shown.

    Manage an Agile Portfolio

    A screenshot of Info-Tech's Tailor Project Management Processes to Fit Your Projects blueprint is shown.

    Tailor Project Management Processes to Fit Your Projects

    A screenshot of Info-Tech's Project Portfolio Management Diagnostic Program blueprint is shown.

    Project Portfolio Management Diagnostic Program

    The Project Portfolio Management Diagnostic Program is a low-effort, high-impact program designed to help project owners assess and improve their PPM practices. Gather and report on all aspects of your PPM environment to understand where you stand and how you can improve.

    Bibliography

    Boston Consulting Group. “Executive Sponsor Engagement: Top Driver of Project and Program Success.” PMI, 2014. Web.

    Boston Consulting Group. “Winning Through Project Portfolio Management: the Practitioners’ Perspective.” PMI, 2015. Web.

    Bradberry, Travis. “Why The 8-Hour workday Doesn’t Work.” Forbes, 7 Jun 2016. Web.

    Cook, Scott. Playbook: Best Practices. Business Week

    Cooper, Robert, G. “Effective Gating: Make product innovation more productive by using gates with teeth.” Stage-Gate International and Product Development Institute. March/April 2009. Web.

    Epstein, Dan. “Project Initiation Process: Part Two.” PM World Journal. Vol. IV, Issue III. March 2015. Web.

    Evans, Lisa. “The Exact Amount of Time You Should Work Every Day.” Fast Company, 15 Sep. 2014. Web.

    Madison, Daniel. “The Five Implementation Options to Manage the Risk in a New Process.” BPMInstitute.org. n.d. Web.

    Merkhofer, Lee. “Improve the Prioritization Process.” Priority Systems, n.d. Web.

    Miller, David, and Mike Oliver. “Engaging Stakeholder for Project Success.” PMI, 2015. Web.

    Mind Tools. “Kelley and Conner’s Emotional Cycle of Change.” Mind Tools, n.d. Web.

    Mochal, Jeffrey and Thomas Mochal. Lessons in Project Management. Appress: September 2011. Page 6.

    Newcomer, Eric. “Getting Decisions to Stick.” Standish Group PM2go, 20 Oct 2017. Web.

    “PMI Today.” Newtown Square, PA: PMI, Oct 2017. Web.

    Project Management Institute. “Standard for Portfolio Management, 3rd ed.” Newtown Square, PA: PMI, 2013.

    Project Management Institute. “Pulse of the Profession 2017: Success Rates Rise.” PMI, 2017. Web.

    Transparent Choice. “Criteria for Project Prioritization.” n.p., n.d. Web.

    University of New Hampshire (UNH) Project Management Office. “University of New Hampshire IT Intake and Selection Process Map.” UNH, n.d. Web.

    Ward, John. “Delivering Value from Information Systems and Technology Investments: Learning from Success.” Information Systems Research Centre. August 2006. Web.

    Map Technical Skills for a Changing Infrastructure & Operations Organization

    • Buy Link or Shortcode: {j2store}333|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: 5 Average Days Saved
    • member rating average days saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • Parent Category Name: Strategy and Organizational Design
    • Parent Category Link: /strategy-and-organizational-design
    • Infrastructure & Operations is changing rapidly. It’s a constant challenge to find the right skills to support the next new technology while at the same time maintaining the skills in house that allow you to support your existing platforms.
    • A lack of clarity around required skills makes finding the right skills difficult, and it’s not clear whether you should train, hire, contract, or outsource to address gaps.
    • You need to keep up with changes and new strategy while continuing to support your existing environment.

    Our Advice

    Critical Insight

    • Take a strategic approach to acquiring skills – looking only as far as the needs of the next project will lead to a constant skills shortage with no plan for it to be addressed.
    • Begin by identifying your future state. Identify needed skills in the organization to support planned projects and initiatives, and to mitigate skills-related risks.

    Impact and Result

    • Leverage your infrastructure roadmap and cloud strategy to identify needed skills in your future state environment.
    • Decide how you’ll acquire needed skills based on the characteristics of need for each skill.
    • Communicate the change and create a plan of action for the skills transformation.

    Map Technical Skills for a Changing Infrastructure & Operations Organization Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should map technical skills for a changing Infrastructure & Operations organization, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Identify skills needs for the future state environment

    Identify what skills are needed based on where the organization is going.

    • Map Technical Skills for a Changing Infrastructure & Operations Organization – Phase 1: Identify Skills Needs for Your Future State Environment
    • Future State Playbook
    • IT/Cloud Solutions Architect
    • IT/Cloud Engineer
    • IT/Cloud Administrator
    • IT/Cloud Demand Billing & Accounting Analyst

    2. Acquire needed skills

    Ground skills acquisition decisions in the characteristics of need.

    • Map Technical Skills for a Changing Infrastructure & Operations Organization – Phase 2: Acquire Needed Skills
    • Technical Skills Map

    3. Maximize the value of the skills map

    Get stakeholder buy-in; leverage the skills map in other processes.

    • Map Technical Skills for a Changing Infrastructure & Operations Organization – Phase 3: Maximize the Value of Your Skills Map
    • Technical Skills Map Communication Deck Template
    [infographic]

    Workshop: Map Technical Skills for a Changing Infrastructure & Operations Organization

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Review Initiatives and Skills-Related Risks

    The Purpose

    Identify process and skills changes required by the future state of your environment.

    Key Benefits Achieved

    Set foundation for alignment between strategy-defined technology initiatives and needed skills.

    Activities

    1.1 Review the list of initiatives and projects with the group.

    1.2 Identify how key support, operational, and deployment processes will change through planned initiatives.

    1.3 Identify skills-related risks and pain points.

    Outputs

    Future State Playbook

    2 Identify Needed Skills and Roles

    The Purpose

    Identify process and skills changes required by the future state of your environment.

    Key Benefits Achieved

    Set foundation for alignment between strategy-defined technology initiatives and needed skills.

    Activities

    2.1 Identify skills required to support the new environment.

    2.2 Map required skills to roles.

    Outputs

    IT/Cloud Architect Role Description

    IT/Cloud Engineer Role Description

    IT/Cloud Administrator Role Description

    3 Create a Plan to Acquire Needed Skills

    The Purpose

    Create a skills acquisition strategy based on the characteristics of need.

    Key Benefits Achieved

    Optimal skills acquisition strategy defined.

    Activities

    3.1 Modify impact scoring scale for key skills decision factors.

    3.2 Apply impact scoring scales to needed skills

    3.3 Decide whether to train, hire, contract, or outsource to acquire needed skills.

    Outputs

    Technical Skills Map

    4 Develop a Communication Plan

    The Purpose

    Create an effective communication plan for different stakeholders across the organization.

    Identify opportunities to leverage the skills map elsewhere.

    Key Benefits Achieved

    Create a concise, clear, consistent, and relevant change message for stakeholders across the organization.

    Activities

    4.1 Review skills decisions and decide how you will acquire skills in each role.

    4.2 Update roles descriptions.

    4.3 Create a change message.

    4.4 Identify opportunities to leverage the skills map in other processes.

    Outputs

    Technical Skills Map Communication Deck

    Build a Robust and Comprehensive Data Strategy

    • Buy Link or Shortcode: {j2store}120|cart{/j2store}
    • member rating overall impact: 9.3/10 Overall Impact
    • member rating average dollars saved: $46,734 Average $ Saved
    • member rating average days saved: 29 Average Days Saved
    • Parent Category Name: Data Management
    • Parent Category Link: /data-management
    • The volume and variety of data that organizations have been collecting and producing have been growing exponentially and show no sign of slowing down.
    • At the same time, business landscapes and models are evolving, and users and stakeholders are becoming more and more data centric, with maturing expectations and demands.

    Our Advice

    Critical Insight

    • As the CDO or equivalent data leader in your organization, a robust and comprehensive data strategy is the number one tool in your toolkit for delivering on your mandate of creating measurable business value from data.
    • A data strategy should never be formulated disjointed from the business. Ensure the data strategy aligns with the business strategy and supports the business architecture.
    • Building and fostering a data-driven culture will accelerate and sustain adoption of, appetite for, and appreciation for data and hence drive the ROI on your various data investments.

    Impact and Result

    • Formulate a data strategy that stitches all of the pieces together to better position you to unlock the value in your data:
      • Establish the business context and value: Identify key business drivers for executing on an optimized data strategy, build compelling and relevant use cases, understand your organization’s culture and appetite for data, and ensure you have well-articulated vision, principles, and goals for your data strategy
      • Ensure you have a solid data foundation: Understand your current data environment, data management enablers, people, skill sets, roles, and structure. Know your strengths and weakness so you can optimize appropriately.
      • Formulate a sustainable data strategy: Round off your strategy with effective change management and communication for building and fostering a data-driven culture.

    Build a Robust and Comprehensive Data Strategy Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Data Strategy Research – A step-by-step document to facilitate the formulation of a data strategy that brings together the business context, data management foundation, people, and culture.

    Data should be at the foundation of your organization’s evolution. The transformational insights that executives and decision makers are constantly seeking to leverage can be unlocked with a data strategy that makes high-quality, trusted, and relevant data readily available to the users who need it.

    • Build a Robust and Comprehensive Data Strategy – Phases 1-3

    2. Data Strategy Stakeholder Interview Guide and Findings – A template to support you in your meetings or interviews with key stakeholders as you work on understanding the value of data within the various lines of business.

    This template will help you gather insights around stakeholder business goals and objectives, current data consumption practices, the types or domains of data that are important to them in supporting their business capabilities and initiatives, the challenges they face, and opportunities for data from their perspective.

    • Data Strategy Stakeholder Interview Guide and Findings

    3. Data Strategy Use Case Template – An exemplar template to demonstrate the business value of your data strategy.

    Data strategy optimization anchored in a value proposition will ensure that the data strategy focuses on driving the most valuable and critical outcomes in support of the organization’s enterprise strategy. The template will help you facilitate deep-dive sessions with key stakeholders for building use cases that are of demonstrable value not only to their relevant lines of business but also to the wider organization.

    • Data Strategy Use Case Template

    4. Chief Data Officer – A job description template that includes a detailed explication of the responsibilities and expectations of a CDO.

    Bring data to the C-suite by creating the Chief Data Officer role. This position is designed to bridge the gap between the business and IT by serving as a representative for the organization's data management practices and identifying how the organization can leverage data as a competitive advantage or corporate asset.

    • Chief Data Officer

    5. Data Strategy Document Template – A structured template to plan and document your data strategy outputs.

    Use this template to document and formulate your data strategy. Follow along with the sections of the blueprint Build a Robust and Comprehensive Data Strategy and complete the template as you progress.

    • Data Strategy Document Template
    [infographic]

    Workshop: Build a Robust and Comprehensive Data Strategy

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Establish Business Context and Value: Understand the Current Business Environment

    The Purpose

    Establish the business context for the business strategy.

    Key Benefits Achieved

    Substantiates the “why” of the data strategy.

    Highlights the organization’s goals, objectives, and strategic direction the data must align with.

    Activities

    1.1 Data Strategy 101

    1.2 Intro to Tech’s Data Strategy Framework

    1.3 Data Strategy Value Proposition: Understand stakeholder’s strategic priorities and the alignment with data

    1.4 Discuss the importance of vision, mission, and guiding principles of the organization’s data strategy

    1.5 Understand the organization’s data culture – discuss Data Culture Survey results

    1.6 Examine Core Value Streams of Business Architecture

    Outputs

    Business context; strategic drivers

    Data strategy guiding principles

    Sample vision and mission statements

    Data Culture Diagnostic Results Analysis

    2 Business-Data Needs Discovery: Key Business Stakeholder Interviews

    The Purpose

    Build use cases of demonstrable value and understand the current environment.

    Key Benefits Achieved

    An understanding of the current maturity level of key capabilities.

    Use cases that represent areas of concern and/or high value and therefore need to be addressed.

    Activities

    2.1 Conduct key business stakeholder interviews to initiate the build of high-value business-data cases

    Outputs

    Initialized high-value business-data cases

    3 Understand the Current Data Environment & Practice: Analyze Data Capability and Practice Gaps and Develop Alignment Strategies

    The Purpose

    Build out a future state plan that is aimed at filling prioritized gaps and that informs a scalable roadmap for moving forward on treating data as an asset.

    Key Benefits Achieved

    A target state plan, formulated with input from key stakeholders, for addressing gaps and for maturing capabilities necessary to strategically manage data.

    Activities

    3.1 Understand the current data environment: data capability assessment

    3.2 Understand the current data practice: key data roles, skill sets; operating model, organization structure

    3.3 Plan target state data environment and data practice

    Outputs

    Data capability assessment and roadmapping tool

    4 Align Business Needs with Data Implications: Initiate Roadmap Planning and Strategy Formulation

    The Purpose

    Consolidate business and data needs with consideration of external factors as well as internal barriers and enablers to the success of the data strategy. Bring all the outputs together for crafting a robust and comprehensive data strategy.

    Key Benefits Achieved

    A consolidated view of business and data needs and the environment in which the data strategy will be operationalized.

    An analysis of the feasibility and potential risks to the success of the data strategy.

    Activities

    4.1 Analyze gaps between current- and target-state

    4.2 Initiate initiative, milestone and RACI planning

    4.3 Working session with Data Strategy Owner

    Outputs

    Data Strategy Next Steps Action Plan

    Relevant data strategy related templates (example: data practice patterns, data role patterns)

    Initialized Data Strategy on-a-Page

    Further reading

    Build a Robust and Comprehensive Data Strategy

    Key to building and fostering a data-driven culture.

    ANALYST PERSPECTIVE

    Data Strategy: Key to helping drive organizational innovation and transformation

    "In the dynamic environment in which we operate today, where we are constantly juggling disruptive forces, a well-formulated data strategy will prove to be a key asset in supporting business growth and sustainability, innovation, and transformation.

    Your data strategy must align with the organization’s business strategy, and it is foundational to building and fostering an enterprise-wide data-driven culture."

    Crystal Singh,

    Director – Research and Advisory

    Info-Tech Research Group

    Our understanding of the problem

    This Research is Designed For:

    • Chief data officers (CDOs), chief architects, VPs, and digital transformation directors and CIOs who are accountable for ensuring data can be leveraged as a strategic asset of the organization.

    This Research Will Help You:

    • Put a strategy in place to ensure data is available, accessible, well integrated, secured, of acceptable quality, and suitably visualized to fuel decision making by the organizations’ executives.
    • Align data management plans and investments with business requirements and the organization’s strategic plans.
    • Define the relevant roles for operationalizing your data strategy.

    This Research Will Also Assist:

    • Data architects and enterprise architects who have been tasked with supporting the formulation or optimization of the organization’s data strategy.
    • Business leaders creating plans for leveraging data in their strategic planning and business processes.
    • IT professionals looking to improve the environment that manages and delivers data.

    This Research Will Help Them:

    • Get a handle on the current situation of data within the organization.
    • Understand how the data strategy and its resulting initiatives will affect the operations, integration, and provisioning of data within the enterprise.

    Executive Summary

    Situation

    • The volume and variety of data that organizations have been collecting and producing have been growing exponentially and show no sign of slowing down. At the same time, business landscapes and models are evolving, and users and stakeholders are becoming more and more data centric, with maturing and demanding expectations.

    Complication

    • As organizations pivot in response to industry disruptions and changing landscapes, a reactive and piecemeal approach leads to data architectures and designs that fail to deliver real and measurable value to the business.
    • Despite the growing focus on data, many organizations struggle to develop a cohesive business-driven strategy for effectively managing and leveraging their data assets.

    Resolution

    Formulate a data strategy that stitches all of the pieces together to better position you to unlock the value in your data:

    • Establish the business context and value: Identify key business drivers for executing on an optimized data strategy, build compelling and relevant use cases, understand your organization’s culture and appetite for data, and ensure you have well-articulated vision, principles, and goals for your data strategy.
    • Ensure you have a solid data foundation: Understand your current data environment, data management enablers, people, skill sets, roles, and structure. Know your strengths and weakness so you can optimize appropriately.
    • Formulate a sustainable data strategy: Round off your strategy with effective change management and communication for building and fostering a data-driven culture.

    Info-Tech Insight

    1. As the CDO or equivalent data leader in your organization, a robust and comprehensive data strategy is the number one tool in your toolkit for delivering on your mandate of creating measurable business value from data.
    2. A data strategy should never be formulated disjointed from the business. Ensure the data strategy aligns with the business strategy and supports the business architecture.
    3. Building and fostering a data-driven culture will accelerate and sustain adoption of, appetite for, and appreciation for data and hence drive the ROI on your various data investments.

    Why do you need a data strategy?

    Your data strategy is the vehicle for ensuring data is poised to support your organization’s strategic objectives.

    The dynamic marketplace of today requires organizations to be responsive in order to gain or maintain their competitive edge and place in their industry.

    Organizations need to have that 360-degree view of what’s going on and what’s likely to happen.

    Disruptive forces often lead to changes in business models and require organizations to have a level of adaptability to remain relevant.

    To respond, organizations need to make decisions and should be able to turn to their data to gain insights for informing their decisions.

    A well-formulated and robust data strategy will ensure that your data investments bring you the returns by meeting your organization’s strategic objectives.

    Organizations need to be in a position where they know what’s going on with their stakeholders and anticipate what their stakeholders’ needs are going to be.

    Data cannot be fully leveraged without a cohesive strategy

    Most organizations today will likely have some form of data management in place, supported by some of the common roles such as DBAs and data analysts.

    Most will likely have a data architecture that supports some form of reporting.

    Some may even have a chief data officer (CDO), a senior executive who has a seat at the C-suite table.

    These are all great assets as a starting point BUT without a cohesive data strategy that stitches the pieces together and:

    • Effectively leverages these existing assets
    • Augments them with additional and relevant key roles and skills sets
    • Optimizes and fills in the gaps around your current data management enablers and capabilities for the growing volume and variety of data you’re collecting
    • Fully caters to real, high-value strategic organizational business needs

    you’re missing the mark – you are not fully leveraging the incredible value of your data.

    Cross-industry studies show that on average, less than half of an organization’s structured data is actively used in making decisions

    And, less than 1% of its unstructured data is analyzed or used at all. Furthermore, 80% of analysts' time is spent simply discovering and preparing, data with over 70% of employees having access to data they should not. Source: HBR, 2017

    Organizational drivers for a data strategy

    Your data strategy needs to align with your organizational strategy.

    Main Organizational Strategic Drivers:

    1. Stakeholder Engagement/Service Excellence
    2. Product and Service Innovations
    3. Operational Excellence
    4. Privacy, Risk, and Compliance Management

    “The companies who will survive and thrive in the future are the ones who will outlearn and out-innovate everyone else. It is no longer ‘survival of the fittest’ but ‘survival of the smartest.’ Data is the element that both inspires and enables this new form of rapid innovation.– Joel Semeniuk, 2016

    A sound data strategy is the key to unlocking the value in your organization’s data.

    Data should be at the foundation of your organization’s evolution.

    The transformational insights that executives are constantly seeking to leverage can be unlocked with a data strategy that makes high-quality, well-integrated, trustworthy, relevant data readily available to the business users who need it.

    Whether hoping to gain a better understanding of your business, trying to become an innovator in your industry, or having a compliance and regulatory mandate that needs to be met, any organization can get value from its data through a well-formulated, robust, and cohesive data strategy.

    According to a leading North American bank, “More than one petabyte of new data, equivalent to about 1 million gigabytes” is entering the bank’s systems every month. – The Wall Street Journal, 2019

    “Although businesses are at many different stages in unlocking the power of data, they share a common conviction that it can make or break an enterprise.”– Jim Love, ITWC CIO and Chief Digital Officer, IT World Canada, 2018

    Data is a strategic organizational asset and should be treated as such

    The expression “Data is an asset” or any other similar sentiment has long been heard.

    With such hype, you would have expected data to have gotten more attention in the boardrooms. You would have expected to see its value reflected on financial statements as a result of its impact in driving things like acquisition, retention, product and service development and innovation, market growth, stakeholder satisfaction, relationships with partners, and overall strategic success of the organization.

    The time has surely come for data to be treated as the asset it is.

    “Paradoxically, “data” appear everywhere but on the balance sheet and income statement.”– HBR, 2018

    “… data has traditionally been perceived as just one aspect of a technology project; it has not been treated as a corporate asset.”– “5 Essential Components of a Data Strategy,” SAS

    According to Anil Chakravarthy, who is the CEO of Informatica and has a strong vantage point on how companies across industries leverage data for better business decisions, “what distinguishes the most successful businesses … is that they have developed the ability to manage data as an asset across the whole enterprise.”– McKinsey & Company, 2019

    How data is perceived in today’s marketplace

    Data is being touted as the oil of the digital era…

    But just like oil, if left unrefined, it cannot really be used.

    "Data is the new oil." – Clive Humby, Chief Data Scientist

    Source: Joel Semeniuk, 2016

    Enter your data strategy.

    Data is being perceived as that key strategic asset in your organization for fueling innovation and transformation.

    Your data strategy is what allows you to effectively mine, refine, and use this resource.

    “The world’s most valuable resource is no longer oil, but data.”– The Economist, 2017

    “Modern innovation is now dependent upon this data.”– Joel Semeniuk, 2016

    “The better the data, the better the resulting innovation and impact.”– Joel Semeniuk, 2016

    What is it in it for you? What opportunities can data help you leverage?

    GOVERNMENT

    Leveraging data as a strategic asset for the benefit of citizens.

    • The strategic use of data can enable governments to provide higher-quality services.
    • Direct resources appropriately and harness opportunities to improve impact.
    • Make better evidence-informed decisions and better understand the impact of programs so that funds can be directed to where they are most likely to deliver the best results.
    • Maintain legitimacy and credibility in an increasingly complex society.
    • Help workers adapt and be competitive in a changing labor market.
    • A data strategy would help protect citizens from the misuse of their data.

    Source: Privy Council Office, Government of Canada, 2018

    What is it in it for you? What opportunities can data help you leverage?

    FINANCIAL

    Leveraging data to boost traditional profit and loss levers, find new sources of growth, and deliver the digital bank.

    • One bank used credit card transactional data (from its own terminals and those of other banks) to develop offers that gave customers incentives to make regular purchases from one of the bank’s merchants. This boosted the bank’s commissions, added revenue for its merchants, and provided more value to the customer (McKinsey & Company, 2017).
    • In terms of enhancing productivity, a bank used “new algorithms to predict the cash required at each of its ATMs across the country and then combined this with route-optimization techniques to save money” (McKinsey & Company, 2017).

    A European bank “turned to machine-learning algorithms that predict which currently active customers are likely to reduce their business with the bank.” The resulting understanding “gave rise to a targeted campaign that reduced churn by 15 percent” (McKinsey & Company, 2017).

    A leading Canadian bank has built a marketplace around their data – they have launched a data marketplace where they have productized the bank’s data. They are providing data – as a product – to other units within the bank. These other business units essentially represent internal customers who are leveraging the product, which is data.

    Through the use of data and advanced analytics, “a top bank in Asia discovered unsuspected similarities that allowed it to define 15,000 microsegments in its customer base. It then built a next-product-to-buy model that increased the likelihood to buy three times over.” Several sets of big data were explored, including “customer demographics and key characteristics, products held, credit-card statements, transaction and point-of-sale data, online and mobile transfers and payments, and credit-bureau data” (McKinsey & Company, 2017).

    What is it in it for you? What opportunities can data help you leverage?

    HEALTHCARE

    Leveraging data and analytics to prevent deadly infections

    The fifth-largest health system in the US and the largest hospital provider in California uses a big data and advanced analytics platform to predict potential sepsis cases at the earliest stages, when intervention is most helpful.

    Using the Sepsis Bio-Surveillance Program, this hospital provider monitors 120,000 lives per month in 34 hospitals and manages 7,500 patients with potential sepsis per month.

    Collecting data from the electronic medical records of all patients in its facilities, the solution uses natural language processing (NLP) and a rules engine to continually monitor factors that could indicate a sepsis infection. In high-probability cases, the system sends an alarm to the primary nurse or physician.

    Since implementing the big data and predictive analytics system, this hospital provider has seen a significant improvement in the mortality and the length of stay in ICU for sepsis patients.

    At 28 of the hospitals which have been on the program, sepsis mortality rates have dropped an average of 5%.

    With patients spending less time in the ICU, cost savings were also realized. This is significant, as sepsis is the costliest condition billed to Medicare, the second costliest billed to Medicaid and the uninsured, and the fourth costliest billed to private insurance.

    Source: SAS, 2019

    What is it in it for you? What opportunities can data help you leverage?

    RETAIL

    Leveraging data to better understand customer preferences, predict purchasing, drive customer experience, and optimize supply and demand planning.

    Netflix is an example of a big brand that uses big data analytics for targeted advertising. With over 100 million subscribers, the company collects large amounts of data. If you are a subscriber, you are likely familiar with their suggestions messages of the next series or movie you should catch up on. These suggestions are based on your past search data and watch data. This data provides Netflix with insights into your interests and preferences for viewing (Mentionlytics, 2018).

    “For the retail industry, big data means a greater understanding of consumer shopping habits and how to attract new customers.”– Ron Barasch, Envestnet | Yodlee, 2019

    The business case for data – moving from platitudes to practicality

    When building your business case, consider the following:

    • What is the most effective way to communicate the business case to executives?
    • How can CDOs and other data leaders use data to advance their organizations’ corporate strategy?
    • What does your data estate look like? Are you looking to leverage and drive value from your semi-structured and unstructured data assets?
    • Does your current organizational culture support a data-driven one? Does the organization have a history of managing change effectively?
    • How do changing privacy and security expectations alter the way businesses harvest, save, use, and exchange data?

    “We’re the converted … We see the value in data. The battle is getting executive teams to see it our way.”– Ted Maulucci, President of SmartONE Solutions Inc. IT World Canada, 2018

    Where do you stack up? What is your current data management maturity?

    Info-Tech’s IT Maturity Ladder denotes the different levels of maturity for an IT department and its different functions. What is the current state of your data management capability?

    Innovator - Transforms the Business. Business Partner - Expands the Business. Trusted Operator - Optimizes the Business. Firefighter - Supports the Business. Unstable - Struggles to Support.

    Info-Tech Insight

    You are best positioned to successfully execute on a data strategy if you are currently at or above the Trusted Operator level. If you find yourself still at the Unstable or Firefighter stage, your efforts are best spent on ensuring you can fulfill your day-to-day data and data management demands. Improving this capability will help build a strong data management foundation.

    Guiding principles of a data strategy

    Value of Clearly Defined Data Principles

    • Guiding principles help define the culture and characteristics of your practice by describing your beliefs and philosophy.
    • Guiding principles act as the heart of your data strategy, helping to shape initiative plans and day-to-day behaviors related to the use and treatment of the organization’s data assets.

    “Organizational culture can accelerate the application of analytics, amplify its power, and steer companies away from risky outcomes.”– McKinsey, 2018

    Build a Robust and Comprehensive Data Strategy

    Business Strategy and Current Environment connect with the Data Strategy. Data Strategy includes: Organizational Drivers and Data Value, Data Strategy Objectives and Guiding Principles, Data Strategy Vision and Mission, Data Strategy Roadmap, People: Roles and Organizational Structure, Data Culture and Data Literacy, Data Management and Tools, Risk and Feasibility.

    Follow Info-Tech’s methodology for effectively leveraging the value out of your data

    Some say it’s the new oil. Or the currency of the new business landscape. Others describe it as the fuel of the digital economy. But we don’t need platitudes — we need real ways to extract the value from our data. – Jim Love, CIO and Chief Digital Officer, IT World Canada, 2018

    1. Business Context. 2. Data and Resources Foundation. 3. Effective Data Strategy

    Our practical step-by-step approach helps you to formulate a data strategy that delivers business value.

    1. Establish Business Context and Value: In this phase, you will determine and substantiate the business drivers for optimizing the data strategy. You will identify the business drivers that necessitate the data strategy optimization and examine your current organizational data culture. This will be key to ensuring the fruits of your optimization efforts are being used. You will also define the vision, mission, and guiding principles and build high-value use cases for the data strategy.
    2. Ensure You Have a Solid Data and Resources Foundation: This phase will help you ensure you have a solid data and resources foundation for operationalizing your data strategy. You will gain an understanding of your current environment in terms of data management enablers and the required resources portfolio of key people, roles, and skill sets.
    3. Formulate a Sustainable Data Strategy: In this phase, you will bring the pieces together for formulating an effective data strategy. You will evaluate and prioritize the use cases built in Phase 1, which summarize the alignment of organizational goals with data needs. You will also create your strategic plan, considering change management and communication.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks are used throughout all four options.

    Applications Priorities 2022

    • Buy Link or Shortcode: {j2store}183|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Architecture & Strategy
    • Parent Category Link: /architecture-and-strategy

    There is always more work than hours in the day. IT often feels understaffed and doesn’t know how to get it all done. Trying to satisfy all the requests results in everyone getting a small piece of the pie and in users being dissatisfied.

    Our Advice

    Critical Insight

    Focusing on one initiative will allow leaders to move the needle on what is important.

    Impact and Result

    Focus on the big picture, leveraging Info-Tech’s blueprints. By increasing maturity and efficiency, IT staff can spend more time on value-added activities.

    Applications Priorities 2022 Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Applications Priorities 2022 – A deck that discusses the five priorities we are seeing among Applications leaders.

    There is always more work than hours in the day. IT often feels understaffed and doesn’t know how to get it all done. Trying to satisfy all the requests results in everyone getting a small piece of the pie and in users being dissatisfied. Use Info-Tech's Applications Priorities 2022 to learn about the five initiatives that IT should prioritize for the coming year.

    • Applications Priorities Report for 2022
    [infographic]

    IT Service Management Selection Guide

    • Buy Link or Shortcode: {j2store}488|cart{/j2store}
    • member rating overall impact: 9.3/10 Overall Impact
    • member rating average dollars saved: $29,187 Average $ Saved
    • member rating average days saved: 6 Average Days Saved
    • Parent Category Name: Service Desk
    • Parent Category Link: /service-desk
    • Your ITSM solution that was once good enough is no longer adequate for a rapidly evolving services culture.
    • Processes and data are disconnected with multiple workarounds and don’t allow the operations team to mature processes.
    • The workarounds, disparate systems, and integrations you’ve implemented to solve IT operations issues are no longer adequate.

    Our Advice

    Critical Insight

    • Accessing funding for IT solutions can be challenging when the solution isn’t obviously aligned to the business need.
    • To maximize value and stakeholder satisfaction, determine use cases early, engage the right stakeholders, and define success.
    • Choosing a solution for a single purpose and then expanding it to cover other use cases can be a very effective use of technology dollars. However, spending the time up front to determine which use cases should be included and which will need a separate best-of-breed solution will make the best use of your investment.

    Impact and Result

    • Create a business case that defines use cases and requirements.
    • Shorten the list of viable vendors by matching vendors to use cases.
    • Determine which features are most important to reach your goals and select the best-matched vendor.

    IT Service Management Selection Guide Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out how Info-Tech’s methodology will provide a quick solution to selecting ITSM vendors and understand the ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build a business case

    Create a light business case to gain buy-in and define goals, milestones, and use cases.

    • IT Service Management Business Case Template

    2. Define requirements

    Create your list of requirements and shortlist vendors.

    • The ITSM Vendor Evaluation Workbook
    [infographic]

    Prevent Data Loss Across Cloud and Hybrid Environments

    • Buy Link or Shortcode: {j2store}377|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Governance, Risk & Compliance
    • Parent Category Link: /governance-risk-compliance
    • Organizations are often beholden to compliance obligations that require protection of sensitive data.
    • All stages of the data lifecycle exist in the cloud and all stages provide opportunity for data loss.
    • Organizations must find ways to mitigate insider threats without impacting legitimate business access.

    Our Advice

    Critical Insight

    • Data loss prevention is the outcome of a well-designed strategy that incorporates multiple, sometimes disparate, tools within your existing security program.
    • The journey to data loss prevention is complex and should be taken in small and manageable steps.

    Impact and Result

    • Organizations will achieve data comprehension.
    • Organizations will align DLP with their current security program and architecture.
    • A DLP strategy will be implemented with a distinct goal in mind.

    Prevent Data Loss Across Cloud and Hybrid Environments Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Prevent Data Loss Across Cloud and Hybrid Environments Storyboard – A guide to handling data loss prevention in cloud services.

    This research describes an approach to strategize and implement DLP solutions for cloud services.

    • Prevent Data Loss Across Cloud and Hybrid Environments Storyboard

    2. Data Loss Prevention Strategy Planner – A workbook designed to guide you through identifying and prioritizing your data and planning what DLP actions should be applied to protect that data.

    Use this tool to identify and prioritize your data, then use that information to make decisions on DLP strategies based on classification and data environment.

    • Data Loss Prevention Strategy Planner
    [infographic]

    Further reading

    Prevent Data Loss Across Cloud and Hybrid Environments

    Leverage existing tools and focus on the data that matters most to your organization.

    Analyst Perspective

    Data loss prevention is an additional layer of protection

    Driven by reduced operational costs and improved agility, the migration to cloud services continues to grow at a steady rate. A recent report by Palo Alto Networks indicates workload in the cloud increased by 13% last year, and companies are expecting to move an additional 11% of their workload to the cloud in the next 24 months1.

    However, moving to the cloud poses unique challenges for cyber security practitioners. Cloud services do not offer the same level of management and control over resources as traditional IT approaches. The result can be reduced visibility of data in cloud services and reduced ability to apply controls to that data, particularly data loss prevention (DLP) controls.

    It’s not unusual for organizations to approach DLP as a point solution. Many DLP solutions are marketed as such. The truth is, DLP is a complex program that uses many different parts of an organization’s security program and architecture. To successfully implement DLP for data in the cloud, an organization should leverage existing security controls and integrate DLP tools, whether newly acquired or available in cloud services, with its existing security program.

    Photo of Bob Wilson
    Bob Wilson
    CISSP
    Research Director, Security and Privacy
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Organizations must prevent the misuse and leakage of data, especially sensitive data, regardless of where it’s stored.

    Organizations often have compliance obligations requiring protection of sensitive data.

    All stages of the data lifecycle exist in the cloud and all stages provide opportunity for data loss.

    Organizations must find ways to mitigate insider threats without impacting legitimate business access.

    Common Obstacles

    Many organizations must handle a plethora of data in multiple varied environments.

    Organizations don’t know enough about the data they use or where it is located.

    Different systems offer differing visibility.

    Necessary privileges and access can be abused.

    Info-Tech’s Approach

    The path to data loss prevention is complex and should be taken in small and manageable steps.

    First, organizations must achieve data comprehension.

    Organizations must align DLP with their current security program and architecture.

    Organizations need to implement DLP with a distinct goal in mind.

    Once the components are in place it’s important to measure and improve.

    Info-Tech Insight

    Data loss prevention is the outcome of a well-designed strategy that incorporates multiple, sometimes disparate, tools within your existing security program.

    Your challenge

    Protecting data is a critical responsibility for organizations, no matter where it is located.

    45% of breaches occurred in the cloud (“Cost of a Data Breach 2022,” IBM Security, 2022).

    A diagram that shows the mean time to detect and contain.

    It can take upwards of 12 weeks to identify and contain a breach (“Cost of a Data Breach 2022,” IBM Security, 2022).

    • Compliance obligations will require organizations to protect certain data.
    • All data states can exist in the cloud, and each state provides a unique opportunity for data loss.
    • Insider threats, whether intentional or not, are especially challenging for organizations. It’s necessary to prevent illicit data use while still allowing work to happen.

    Info-Tech Insight

    Data loss prevention doesn’t depend on a single tool. Many of the leading cloud service providers offer DLP controls with their services and these controls should be considered.

    Common obstacles

    As organizations increasingly move data into the cloud, their environments become more complex and vulnerable to insider threats

    • It’s not uncommon for an organization not to know what data they use, where that data exists, or how they are supposed to protect it.
    • Cloud systems, especially software as a service (SaaS) applications, may not provide much visibility into how that data is stored or protected.
    • Insider threats are a primary concern, but employees must be able to access data to perform their duties. It isn’t always easy to strike a balance between adequate access and being too restrictive with controls.

    Insider threats are a significant concern

    53%

    53% of a study’s respondents think it is more difficult to detect insider threats in the cloud.

    Source: "2023 Insider Threat Report," Cybersecurity Insiders, 2023

    45%

    Only about 45% of organizations think native cloud app functionality is useful in detecting insider threats.

    Source: "2023 Insider Threat Report," Cybersecurity Insiders, 2023

    Info-Tech Insight

    An insider threat management (ITM) program focuses on the user. DLP programs focus on the data.

    Insight summary

    DLP is not just a single tool. It’s an additional layer of security that depends on different components of your security program, and it requires time and effort to mature.

    Organizations should leverage existing security architecture with the DLP controls available in the cloud services they use.

    Data loss prevention is not a point solution

    Data loss prevention is the outcome of a well-designed strategy that incorporates multiple, sometimes disparate tools within your existing security program.

    Prioritize data

    Start with the data that matters most to your organization.

    Define an objective

    Having a clearly defined objective will make implementing a DLP program much easier.

    DLP is a layer

    Data loss prevention is not foundational, and it depends on many other parts of a mature information security program.

    The low hanging fruit is sweet

    Start your DLP implementation with a quick win in mind and build on small successes.

    DLP is a work multiplier

    Your organization must be prepared to investigate alerts and respond to incidents.

    Prevent data loss across cloud or hybrid environments

    A diagram that shows preventing data loss across cloud or hybrid environments

    Data loss prevention is not a point solution.
    It’s the outcome of a well-designed strategy that incorporates multiple, sometimes disparate tools within your existing security program.

    Info-Tech Insight

    Leverage existing security tools where possible.

    Data loss prevention (DLP) overview

    DLP is an additional layer of security.

    DLP is a set of technologies and processes that provides additional data protection by identifying, monitoring, and preventing data from being illicitly used or transmitted.

    DLP depends on many components of a mature security program, including but not limited to:

    • Acceptable use policy
    • Data classification policy and data handling guidelines
    • Identity and access management

    DLP is achieved through some or all of the following tactics:

    • Identify: Data is detected using policies, rules, and patterns.
    • Monitor: Data is flagged and data activity is logged.
    • Prevent: Action is taken on data once it has been detected.

    Info-Tech Insight

    DLP is not foundational. Your information security program needs to be moderately mature to support a DLP strategy.

    DLP approaches and methods

    DLP uses a handful of techniques to achieve its tactics:

    • Policy and access rights: Limits access to data based on user permissions or other contextual attributes.
    • Isolation or virtualization: Data is isolated in an environment with channels for data leakage made unavailable.
    • Cryptographic approach: Data is encrypted.
    • Quantifying and limiting: Use or transfer of data is restricted by quantity.
    • Social and behavioral analysis: The DLP system detects anomalous activity, such as users accessing data outside of business hours.
    • Pattern matching: Data content is analyzed for specific patterns.
    • Data mining and text clustering: Large sets are analyzed, typically with machine learning (ML), to identify patterns.
    • Data fingerprinting: Data files are matched against a pre-calculated hash or based on file contents.
    • Statistical Analysis: Data content is analyzed for sensitive data. Usually involves machine learning.


    DLP has two primary approaches for applying techniques:

    • Content-based: Data is identified through inspecting its content. Fingerprinting and pattern matching are examples of content-based methods.
    • Context-based: Data is identified based on its situational or contextual attributes. Some factors that may be used are source, destination, and format.

    Some DLP tools use both approaches.

    Info-Tech Insight

    Different DLP products will support different methods. It is important to keep these in mind when choosing a DLP solution.

    Start by defining your data

    Define data by answering the 5 “W”s

    Who? Who owns the data? Who needs access? Who would be impacted if it was lost?
    What? What data do you have? What type of data is it? In what format does it exist?
    When? When is the data generated? When is it used? When is it destroyed?
    Where? Where is the data stored? Where is it generated? Where is it used?
    Why? Why is the data needed?

    Use what you discover about your data to create a data inventory!

    Compliance requirements

    Compliance requirements often dictate what must be done to manage and protect data and vary from industry to industry.

    Some examples of compliance requirements to consider:

    • Healthcare - Health Insurance Portability and Accountability Act (HIPAA)
    • Financial Services - Gramm-Leach-Bliley Act (GLBA)
    • Payment Card Industry Data Security Standards (PCI DSS)

    Info-Tech Insight

    Why is especially important. If you don’t need a specific piece of data, dispose of it to reduce risk and administrative overhead related to maintaining or protecting data.

    Classify your data

    Data classification facilitates making decisions about how data is treated.

    Data classification is a process by which data is categorized.

    • The classifications are often based on the sensitivity of the data or the impact a loss or breach of that data would have on the organization.
    • Data classification facilitates decisions about data handling and how information security controls are implemented. Instead of considering many different types of data individually, decisions are based on a handful of classification levels.
    • A mature data classification should include a formalized policy, handling standards, and a steering committee.

    Refer to our Discover and Classify Your Data blueprint for guidance on data classification.

    Sample data classification schema

    Label

    Category

    Top Secret Data that is mission critical and highly likely to negatively impact the organization if breached. The “crown jewels.”
    Examples: Trade secrets, military secrets
    Confidential Data that must not be disclosed, either because of a contractual or regulatory requirement or because of its value to the organization.
    Examples: Payment card data, private health information, personally identifiable information, passwords
    Internal Data that is intended for organizational use, which should be kept private.
    Examples: Internal memos, sales reports
    Limited Data that isn’t generally intended for public consumption but may be made public.
    Examples: Employee handbooks, internal policies
    Public Data that is meant for public consumption and anonymous access.
    Examples: Press releases, job listings, marketing material

    Info-Tech Insight

    Data classification should be implemented as a continuous program, not a one-time project.

    Understand data risk

    Knowing where and how your data is at risk will inform your DLP strategy.

    Data exists in three states, and each state presents different opportunities for risk. Different DLP methodologies will be appropriate for different states.

    Data states

    In use

    • End-user devices
    • Mobile devices
    • Servers

    In motion

    • Cloud services
    • Email
    • Web/web apps
    • Instant messaging
    • File transfers

    At rest

    • Cloud services
    • Databases
    • End-user devices
    • Email archives
    • Backups
    • Servers
    • Physical storage devices

    Causes of Risk

    The most common causes of data loss can be categorized by people, processes, and technology.

    A diagram that shows the categorization of causes of risk.

    Check out our Combine Security Risk Management Components Into One Program blueprint for guidance on risk management, including how to do a full risk assessment.

    Prioritize your data

    Know what data matters most to your organization.

    Prioritizing the data that most needs protection will help define your DLP goals.

    The prioritization of your data should be a business decision based on your comprehension of the data. Drivers for prioritizing data can include:

    • Compliance-driven: Noncompliance is a risk in itself and your organization may choose to prioritize data based on meeting compliance requirements.
    • Audit-driven: Data can be prioritized to prepare for a specific audit objective or in response to an audit finding.
    • Business-driven: Data could be prioritized based on how important it is to the organization’s business processes.

    Info-Tech Insight

    It’s not feasible for most organizations to apply DLP to all their data. Start with the most important data.

    Activity: Prioritize your data

    Input: Lists of data, data types, and data environments
    Output: A list of data types with an estimated priority
    Materials: Data Loss Prevention Strategy Planner worksheet
    Participants: Security leader, Data owners

    1-2 hours

    For this activity, you will use the Data Loss Prevention Strategy Planner workbook to prioritize your data.

    1. Start with tab “2. Setup” and fill in the columns. Each column features a short explanation of itself, and the following slides will provide more detail about the columns.
    2. On tab “3. Data Prioritization,” work through the rows by selecting a data type and moving left to right. This sheet features a set of instructions at the top explaining each column, and the following slides also provide some guidance. On this tab, you may use data types and data environments multiple times.

    Click to download the Data Loss Prevention Strategy Planner

    Activity: Prioritize your data

    In the Data Loss Prevention Strategy Planner tool, start with tab “2. Setup.”

    A diagram that shows tab 2 setup

    Next, move to tab “3. Data Prioritization.”

    A diagram that shows tab 3 Data Prioritization.

    Click to download the Data Loss Prevention Strategy Planner

    Determine DLP objectives

    Your DLP strategy should be able to function as a business case.

    DLP objectives should achieve one or more of the following:

    • Prevent disclosure or unauthorized use of data, regardless of its state.
    • Preserve usability while providing adequate security.
    • Improve security, privacy, and compliance capabilities.
    • Reduce overall risk for the enterprise.

    Example objectives:

    • Prevent users from emailing ePHI to addresses outside of the organization.
    • Detect when a user is uploading an unusually large amount of data to a cloud drive.

    Most common DLP use cases:

    • Protection of data, primarily from internal threats.
    • Meet compliance requirements to protect data.
    • Automate the discovery and classification of data.
    • Provide better data management and visibility across the enterprise.
    • Manage and protect data on mobile devices.

    Info-Tech Insight

    Having a clear idea of your objectives will make implementing a DLP program easier.

    Align DLP with your existing security program/architecture

    DLP depends on many different aspects of your security program.
    To the right are some components of your existing security program that will support DLP.


    1. Data handling standards or guidelines: These specify how your organization will handle data, usually based on its classification. Your data handling standards will inform the development of DLP rules, and your employees will have a clear idea of data handling expectations.

    2. Identity and access management (IAM): IAM will control the access users have to various resources and data and is integral to DLP processes.

    3. Incident response policy or plan: Be sure to consider your existing incident handling processes when implementing DLP. Modifying your incident response processes to accommodate alerts from DLP tools will help you efficiently process and respond to incidents.

    4. Existing security tools: Firewalls, email gateways, security information and event management (SIEM), and other controls should be considered or leveraged when implementing a DLP solution.

    5. Acceptable use policy: An organization must set expectations for acceptable/unacceptable use of data and IT resources.

    6. User education and awareness: Aside from baseline security awareness training, organizations should educate users about policies and communicate the risks of data leakage to reduce risk caused by user error.

    Info-Tech Insight

    Consider DLP as a secondary layer of protection; a safety net. Your existing security program should do most of the work to prevent data misuse.

    Cloud service models

    A fundamental challenge with implementing DLP with cloud services is the reduced flexibility that comes with managing less of the technology stack. Each cloud model offers varying levels of abstraction and control to the user.

    Infrastructure as a service (IaaS): This service model provides customers with virtualized technology resources, such as servers and networking infrastructure. IaaS allows users to have complete control over their virtualized infrastructure without needing to purchase and maintain hardware resources or server space. Popular examples include Amazon Web Servers, Google Cloud Engine, and Microsoft Azure.

    Platform as a service (PaaS): This service model provides users with an environment to develop and manage their own applications without needing to manage an underlying infrastructure. Popular examples include Google Cloud Engine, OpenShift, and SAP Cloud.

    Software as a service (SaaS): This service model provides customers with access to software that is hosted and maintained by the cloud provider. SaaS offers the least flexibility and control over the environment. Popular examples include Salesforce, Microsoft Office, and Google Workspace.

    A diagram that shows cloud models, including IaaS, PaaS, and SaaS.

    Info-Tech Insight

    Cloud service providers may include DLP controls and functionality for their environments with the subscription. These tools are usually well suited for DLP functions on that platform.

    Different DLP tools

    DLP products often fall into general categories defined by where those tools provide protection. Some tools fit into more than one category.

    Cloud DLP refers to DLP products that are designed to protect data in cloud environments.

    • Cloud access security broker (CASB): This system, either in-cloud or on-premises, sits between cloud service users and cloud service providers and acts as a point of control to enforce policies on cloud-based resources. CASBs act on data in motion, for the most part, but can detect and act on data at rest through APIs.
    • Existing tools integrated within a service: Many cloud services provide DLP tools to manage data loss in their service.

    Endpoint DLP: This DLP solution runs on an endpoint computing device and is suited to detecting and controlling data at rest on a computer as well as data being uploaded or downloaded. Endpoint DLP would be feasible for IaaS.

    Network DLP: Network DLP, deployed on-premises or as a cloud service, enforces policies on network flows between local infrastructure and the internet.

    • “Email DLP”: Detects and enforces security policies specifically on data in motion as emails.

    A diagram of CASB

    Choosing a DLP solution

    You will also find that some DLP solutions are better suited for some cloud service models than others.


    DLP solution types that are better suited for SaaS: CASB and Integrated Tools

    DLP solution types that are better suited for PaaS: CASB, Integrated Tools, Network DLP

    DLP solution types that are better suited for IaaS: CASB, Integrated Tools, Network DLP, and Endpoint DLP

    Your approach for DLP will vary depending on the data state you’ll be acting on and whether you are trying to detect or prevent.

    A diagram that shows DLP tactics by approach and data state

    Click to download the Data Loss Prevention Strategy Planner
    Check the tab labeled “6. DLP Features Reference” for a list of common DLP features.

    Activity: Plan DLP methods

    Input: Knowledge of data states for data types
    Output: A set of technical DLP policy rules for each data type by environment
    Materials: The same Data Loss Prevention Strategy Planner worksheet from the earlier activity
    Participants: Security leader, Data owners

    1-2 hours

    Continue with the same workbook used in the previous activity.

    1. On tab “4. DLP Methods,” indicate the expected data state the DLP control will act on. Then, select the type of DLP control your organization intends to use for that data type in that data environment.
    2. DLP actions are suggested based on the classification of the data type, but these may be overridden by manually selecting your preferred action.
    3. You will find more detail on this activity on the following slide, and you will find some additional guidance in the instructional text at the top of the worksheet.
    4. Once you have populated the columns on this worksheet, a summary of suggested DLP rules can be found on tab “5. Results.”

    Click to download the Data Loss Prevention Strategy Planner

    Activity: Plan DLP methods

    Use tab “4. DLP Methods” to plan DLP rules and technical policies.

    A diagram that shows tab 4 DLP Methods

    See tab “5. Results” for a summary of your DLP policies.

    A diagram that shows tab 5 Results.

    Click to download the Data Loss Prevention Strategy Planner

    Implement your DLP program

    Take the steps to properly implement your DLP program

    1. It’s important to shift the culture. You will need leadership’s support to implement controls and you’ll need stakeholders’ participation to ensure DLP controls don’t negatively affect business processes.
    2. Integrate DLP tools with your security program. Most cloud service providers, like Amazon, Microsoft, and Google provide DLP controls in their native environment. Many of your other security controls, such as firewalls and mail gateways, can be used to achieve DLP objectives.
    3. DLP is best implemented with a crawl, walk, then run approach. Following change management processes can reduce friction.
    4. Communicating controls to users will also reduce friction.

    A diagram of implementing DLP program

    Info-Tech Insight

    After a DLP program is implemented, alerts will need to be investigated and incidents will need a response. Be prepared for DLP to be a work multiplier!

    Measure and improve

    Metrics of effectiveness

    DLP attempts to tackle the challenge of promptly detecting and responding to an incident.
    To measure the effectiveness of your DLP program, compare the number of events, number of incidents, and mean time to respond to incidents from before and after DLP implementation.

    Metrics that indicate friction

    A high number of false positives and rule exceptions may indicate that the rules are not working well and may be interfering with legitimate use.
    It’s important to address these issues as the frustration felt by employees can undermine the DLP program.

    Tune DLP rules

    Establish a process for routinely using metrics to tune rules.
    This will improve performance and reduce friction.

    Info-Tech Insight

    Aside from performance-based tuning, it’s important to evaluate your DLP program periodically and after major system or business changes to maintain an awareness of your data environment.

    Related Info-Tech Research

    Photo of Discover and Classify Your Data

    Discover and Classify Your Data

    Understand where your data lives and who has access to it. This blueprint will help you develop an appropriate data classification system by conducting interviews with data owners and by incorporating vendor solutions to make the process more manageable and end-user friendly.

    Photo of Identify the Components of Your Cloud Security Architecture

    Identify the Components of Your Cloud Security Architecture

    This blueprint and associated tools are scalable for all types of organizations within various industry sectors. It allows them to know what types of risk they are facing and what security services are strongly recommended to mitigate those risks.

    Photo of Data Loss Prevention on SoftwareReviews

    Data Loss Prevention on SoftwareReviews

    Quickly evaluate top vendors in the category using our comprehensive market report. Compare product features, vendor strengths, user-satisfaction, and more.

    Don’t settle for just any vendor – find the one you can trust. Use the Emotional Footprint report to see which vendors treat their customers right.

    Research Contributors

    Andrew Amaro
    CSO and Founder
    Klavan Physical and Cyber Security Services

    Arshad Momin
    Cyber Security Architect
    Unicom Engineering, Inc.

    James Bishop
    Information Security Officer
    StructureFlow

    Michael Mitchell
    Information Security and Privacy Compliance Manager
    Unicom Engineering, Inc.

    One Anonymous Contributor

    Bibliography

    Alhindi, Hanan, Issa Traore, and Isaac Woungang. "Preventing Data Loss by Harnessing Semantic Similarity and Relevance." jisis.org Journal of Internet Services and Information Security, 31 May 2021. Accessed 2 March 2023. https://jisis.org/wp-content/uploads/2022/11/jisis-2021-vol11-no2-05.pdf

    Cash, Lauryn. "Why Modern DLP is More Important Than Ever." Armorblox, 10 June 2022. Accessed 10 February 2023. https://www.armorblox.com/blog/modern-dlp-use-cases/

    Chavali, Sai. "The Top 4 Use Cases for a Modern Approach to DLP." Proofpoint, 17 June 2021. Accessed 7 February 2023. https://www.proofpoint.com/us/blog/information-protection/top-4-use-cases-modern-approach-dlp

    Crowdstrike. "What is Data Loss Prevention?" Crowdstrike, 27 Sept. 2022. Accessed 6 Feb. 2023. https://www.crowdstrike.com/cybersecurity-101/data-loss-prevention-dlp/

    De Groot, Juliana. "What is Data Loss Prevention (DLP)? Definition, Types, and Tips." Digital Guardian, 8 February 2023. Accessed 9 Feb. 2023. https://digitalguardian.com/blog/what-data-loss-prevention-dlp-definition-data-loss-prevention

    Denise. "Learn More About DLP Key Use Cases." CISO Platform, 28 Nov. 2019. Accessed 10 February 2023. https://www.cisoplatform.com/profiles/blogs/learn-more-about-dlp-key-use-cases

    Google. "Cloud Data Loss Prevention." Google Cloud Google, n.d. Accessed 7 Feb. 2023. https://cloud.google.com/dlp#section-6

    Gurucul. "2023 Insider Threat Report." Cybersecurity Insiders, 13 Jan. 2023. Accessed 23 Feb. 2023. https://gurucul.com/2023-insider-threat-report

    IBM Security. "Cost of a Data Breach 2022." IBM Security, 1 Aug. 2022. Accessed 13 Feb. 2023. https://www.ibm.com/downloads/cas/3R8N1DZJ

    Mell, Peter & Grance, Tim. "The NIST Definition of Cloud Computing." NIST CSRC NIST, Sept. 2011. Accessed 7 Feb. 2023. https://csrc.nist.gov/publications/detail/sp/800-145/final

    Microsoft. "Plan for Data Loss Prevention (DLP)." Microsoft 365 Solutions and Architecture Microsoft, 6 Feb. 2023. Accessed 14 Feb. 2023. https://learn.microsoft.com/en-us/microsoft-365/compliance/dlp-overview-plan-for-dlp

    Nanchengwa, Christopher. "The Four Questions for Successful DLP Implementation." ISACA Journal ISACA, 1 Jan. 2019. Accessed 6 Feb. 2023. https://www.isaca.org/resources/isaca-journal/issues/2019/volume-1/the-four-questions-for-successful-dlp-implementation

    Palo Alto Networks. "The State of Cloud Native Security 2023." Palo Alto Networks, 2 March 2023. Accessed 23 March 2023. https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/state-of-cloud-native-security-2023.pdf

    Pritha. "Top Six Metrics for your Data Loss Prevention Program." CISO Platform, 27 Nov. 2019. Accessed 10 Feb. 2023. https://www.cisoplatform.com/profiles/blogs/top-6-metrics-for-your-data-loss-prevention-program

    Raghavarapu, Mounika. "Understand DLP Key Use Cases." Cymune, 12 June 2021. Accessed 7 Feb. 2023. https://www.cymune.com/blog-details/DLP-key-use-cases

    Sheela, G. P., & Kumar, N. "Data Leakage Prevention System: A Systematic Report." International Journal of Recent Technology and Engineering BEIESP, 30 Nov. 2019. Accessed 2 March 2023. https://www.ijrte.org/wp-content/uploads/papers/v8i4/D6904118419.pdf

    Sujir, Shiv. "What is Data Loss Prevention? Complete Guide [2022]." Pathlock, 15 Sep. 2022. Accessed 7 February 2023. https://pathlock.com/learn/what-is-data-loss-prevention-complete-guide-2022/

    Wlosinski, Larry G. "Data Loss Prevention - Next Steps." ISACA Journal, 16 Feb. 2018. Accessed 21 Feb. 2023. https://www.isaca.org/resources/isaca-journal/issues/2018/volume-1/data-loss-preventionnext-steps

    Build a Service-Based Security Resourcing Plan

    • Buy Link or Shortcode: {j2store}267|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: $20,799 Average $ Saved
    • member rating average days saved: 20 Average Days Saved
    • Parent Category Name: Security Processes & Operations
    • Parent Category Link: /security-processes-and-operations
    • IT and security leaders across all industries must determine what and how many resources are needed to support the information security program.
    • Estimating current usage and future demand for security resources can be a difficult and time-consuming exercise.

    Our Advice

    Critical Insight

    Not all security programs need to be the same. A service-aligned security resourcing strategy will put organizations in the best position to respond to current and future service demands and address business needs as they evolve over time.

    Impact and Result

    • Info-Tech’s approach to resource planning focuses less on benchmarks and more on estimating actual demand for security services to ensure that there are enough resources to deliver them.
    • A well-designed security services portfolio is the first step towards determining resourcing needs.
    • When planning resource allocations, plan for both mandatory and discretionary demand to optimize utilization.

    Build a Service-Based Security Resourcing Plan Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build a Service-Based Security Resourcing Plan – A blueprint to help you define security roles, build a service portfolio, estimate demand, and determine resourcing needs.

    This storyboard will help you to determine your security resourcing needs using a service-based approach.

    • Build a Service-Based Security Resourcing Plan – Phases 1-3

    2. Security Resources Planning Workbook – This tool will result in a defined security service portfolio and a three-year resourcing plan.

    Use this tool to build your security service portfolio and to determine resourcing needs to meet your service demand.

    • Security Resources Planning Workbook

    Infographic

    Workshop: Build a Service-Based Security Resourcing Plan

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Define Roles and Select Services

    The Purpose

    Identify the roles needed to implement and deliver your organization’s security services.

    Key Benefits Achieved

    A security services portfolio allows you to assign job roles to each service, which is the first step towards determining resourcing needs. Improve employee engagement and satisfaction with clearly defined job roles, responsibilities, and service levels.

    Activities

    1.1 Assess security needs and business pressures.

    1.2 Define security job roles.

    1.3 Define security services and assign ownership.

    Outputs

    Security Roles Definition

    Security Services Portfolio

    2 Estimate Current and Future Demand

    The Purpose

    Estimate the actual demand for security resources and determine how to allocate resources accordingly.

    Key Benefits Achieved

    Allocate resources more effectively across your Security and Risk teams.

    Raise the profile of your security team by aligning security service offerings with the demands of the business.

    Activities

    2.1 Estimate current and future demand.

    2.2 Review demand summary.

    2.3 Allocate resources where they are needed the most.

    Outputs

    Demand Estimates

    Resourcing Plan

    3 Identify Required Skills

    The Purpose

    When defining roles, consider the competencies needed to deliver your security services. Make sure to account for this need in your resource planning.

    Key Benefits Achieved

    Leverage the NCWF to establish the building blocks of a capable and ready cybersecurity workforce to effectively identify, recruit, develop and maintain cybersecurity talent.

    Activities

    3.1 Identify skills needed for planned initiatives.

    3.2 Prioritize your skill requirements.

    3.3 Assign work roles to the needs of your target environment.

    3.4 Discuss the NICE cybersecurity workforce framework.

    3.5 Develop technical skill requirements for current and future work roles.

    Outputs

    Prioritized Skill Requirements and Associated Roles

    4 Future Planning

    The Purpose

    Create a development plan to train and upskill your employees to address current and future service requirements.

    Key Benefits Achieved

    Skill needs are based on the strategic requirements of a business-aligned security program.

    Activities

    4.1 Continue developing technical skill requirements for current and future work roles.

    4.2 Conduct current workforce skills assessment.

    4.3 Develop a plan to acquire skills.

    4.4 Discuss training and certification opportunities for staff.

    4.5 Discuss next steps for closing the skills gap.

    4.6 Debrief.

    Outputs

    Role-Based Skills Gaps

    Workforce Development Plan

    Further reading

    Build a Service-Based Security Resourcing Plan

    Every security program is unique; resourcing allocations should reflect this.

    Analyst Perspective

    Start by looking inward.

    The image is a picture of Logan Rohde.The image is a picture of Isabelle Hertanto.

    Organizations have a critical need for skilled cybersecurity resources as the cyberthreat landscape becomes more complex. This has put a strain on many security teams who must continue to meet demand for an increasing number of security services. To deliver services well, we first need to determine what are the organization’s key security requirements. While benchmarks can be useful for quick peer-to-peer comparisons to determine if we are within the average range, they tend to make all security programs seem the same. This can lead to misguided investments in security services and personnel that might be better used elsewhere.

    Security teams will be most successful when organizations take a personalized approach to security, considering what must be done to lower risk and operate more efficiently and effectively.

    Logan Rohde

    Senior Research Analyst, Security

    Info-Tech Research Group

    Isabelle Hertanto

    Principal Research Director, Security

    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Common Obstacles

    Info-Tech’s Approach

    • IT and Security leaders across all industries must determine what and how many resources are needed to support the information security program.
    • Estimating current usage, the right allocations, and future demand for security resources can be a difficult and time-consuming exercise.
    • Needing to provide a benchmark to justify increasing headcount.
    • Absence of formally defined security service offerings and service owners.
    • Lack of skills needed to provide necessary security services.
    • Info-Tech’s approach to resource planning focuses less on benchmarks and more on estimating actual demand for security services to ensure that there are enough resources to deliver them.
    • A well-designed security services portfolio is the first step toward determining resourcing needs.
    • When allocating resources, plan for both mandatory and discretionary demand to position yourself for greatest success.

    Info-Tech Insight

    Not all security programs need to be the same. A service-aligned security resourcing strategy will put organizations in the best position to respond to current and future service demands and address business needs as they evolve over time.

    Your challenge

    This research is designed to help organizations who are looking to:

    • Determine what and how many resources are needed to support the information security program.
    • Identify the organization's key service offerings and the required resourcing to support delivery of such services.
    • Estimate current staff utilization and required allocations to satisfy future demand for services.

    Every organization is unique and will need different security research allocations aligned with their business needs.

    “The number of priorities that CISOs have continues to grow, but if everything is a priority, nothing is. It’s important to focus on the ones that deliver the most value to your organization and that are synchronized with the overall business strategy.”

    Paige H. Adams

    Global CISO at Zurich

    Insurance

    Source: Proofpoint, 2021

    Common obstacles

    These barriers make this challenge difficult to address for many organizations:

    • Security leaders sometimes try to cut to the chase and lean on staffing benchmarks to justify their requests for resources. However, while staffing benchmarks are useful for quick peer-to-peer validation and decision making, they tend to reduce security programs down to a set of averages, which can be misleading when used out of context.
    • A more effective approach is to determine what security services need to be provided, the level of demand, and what it will take to meet that demand currently and in the coming years.
    • With these details available, it becomes much easier to predict what roles need to be hired, what skills need to be developed, and whether outsourcing is an option.

    Hiring delays and skills gaps can fuel resourcing challenges

    59% of organizations report taking 3-6+ months to fill a vacant cybersecurity position.

    Source: ISACA, 2020

    30% report IT knowledge as the most prevalent skills gap in today’s cybersecurity professionals.

    Source: ISACA, 2020

    Info-Tech’s methodology for Building a Service-Based Security Resourcing Plan

    1. Determine Security Service Portfolio Offerings

    2. Plan for Mandatory Versus Discretionary Demand

    3. Define Your Resourcing Model

    Phase Steps

    1 Gather Requirements and Define Roles

    1.2 Choose Security Service Offerings

    2.1 Assess Demand

    3.1 Review Demand Summary

    3.2 Develop an Action Plan

    Phase Outcomes

    Security requirements

    Security service portfolio

    Service demand estimates

    Service hour estimates

    Three-year resourcing plan

    Stay on top of resourcing demands with a security service portfolio

    Security programs should be designed to address unique business needs.

    A service-aligned security resourcing strategy will put organizations in the best position to respond to current and future service demands and address business needs as they evolve over time.

    Watch out for role creep.

    It may be tempting to assign tasks to the people who already know how to do them, but we should consider which role is most appropriate for each task. If all services are assigned to one or two people, we’ll quickly use up all their time.

    Time estimates will improve with practice.

    It may be difficult to estimate exactly how long it takes to carry out each service at first. But making the effort to time your activities each quarter will help you to improve the accuracy of your estimates incrementally.

    Start recruiting well in advance of need.

    Security talent can be difficult to come by, so make sure to begin your search for a new hire three to six months before your demand estimates indicate the need will arise.

    People and skills are both important.

    As the services in your portfolio mature and become more complex, remember to consider the skills you will need to be able to provide that service. Make sure to account for this need in your resource planning and keep in mind that we can only expect so much from one role. Therefore, hiring may be necessary to keep up with the diverse skills your services may require.

    Make sure your portfolio reflects reality.

    There’s nothing wrong with planning for future state, but we should avoid using the portfolio as a list of goals.

    Blueprint deliverable

    Use this tool to build your security services portfolio, estimate demand and hours needed, and determine FTE requirements.

    The image contains screenshots of the Security Resources Planning Workbook.

    Key deliverable:

    Security Resources Planning Workbook

    The Security Resources Planning Workbook will be used to:

    • Build a security services portfolio.
    • Estimate demand for security services and the efforts to deliver them.
    • Determine full-time equivalent (FTE) requirements for each service.
    The image contains a thought model to demonstrate the benchmarks that lead to a one-size-fits-all approach to security.

    Blueprint benefits

    IT Benefits

    Business Benefits

    • Allocate resources more effectively across your security and risk teams.
    • Improve employee engagement and satisfaction with clearly defined job roles, responsibilities, and service levels.
    • Raise the profile of your security team by aligning security service offerings with the demands of the business.
    • Ensure that people, financial, knowledge, and technology resources are appropriately allocated and leveraged across the organization.
    • Improve your organization’s ability to satisfy compliance obligations and reduce information security risk.
    • Increase customer and business stakeholder satisfaction through reliable service delivery.

    Measure the value of this blueprint

    Use these metrics to realize the value of completing this blueprint.

    Metric

    Expected Improvement

    Level of business satisfaction with IT security

    You can expect to see a 20% improvement in your IT Security Business Satisfaction Diagnostic.

    Reports on key performance indicators and service level objectives

    Expect to see a 40% improvement in security service-related key performance indicators and service level objectives.

    Employee engagement scores

    You can expect to see approximately a 10% improvement in employee engagement scores.

    Changes in rates of voluntary turnover

    Anticipating demand and planning resources accordingly will help lower employee turnover rates due to burnout or stress leave by as much as 10%.

    47% of cybersecurity professionals said that stress and burnout has become a major issue due to overwork, with most working over 41 hours a week, and some working up to 90.

    Source: Security Boulevard, 2021

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.” “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.” “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.” “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1 Phase 2 Phase 3

    Call #1: Scope requirements, objectives, and your specific drivers.

    Call #2: Discuss roles and duties.

    Call #3: Build service portfolio and assign ownership.

    Call #4: Estimate required service hours.

    Call #5: Review service demand and plan for future state.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is 4 to 6 calls over the course of 2 to 3 months.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com1-888-670-8889

    Day 1 Day 2 Day 3 Day 4 Day 5

    Define Roles and Select Services

    Estimate Current and Future Demand

    Identify Required Skills

    Future Planning

    Next Steps and
    Wrap-Up (offsite)

    Activities

    1.1 Assess Security Needs and Business Pressures.

    1.2 Define Security Job Roles.

    1.3 Define Security Services and Assign Ownership.

    2.1 Estimate Current and Future Demand.

    2.2 Review Demand Summary.

    2.3 Allocate Resources Where They Are Needed the Most.

    3.1 Identify Skills Needed Skills for Planned Initiatives.

    3.2 Prioritize Your Skill Requirements.

    3.3 Assign Work Roles to the Needs of Your Target Environment.

    3.4 Discuss the NICE Cybersecurity Workforce Framework.

    3.5 Develop Technical Skill Requirements for Current and Future Work Roles.

    4.1 Continue Developing Technical Skill Requirements for Current and Future Work Roles.

    4.2 Conduct Current Workforce Skills Assessment.

    4.3 Develop a Plan to Acquire Skills.

    4.4 Discuss Training and Certification Opportunities for Staff.

    4.5 Discuss Next Steps for Closing the Skills Gap.

    4.6 Debrief.

    5.1 Complete In-Progress Deliverables From Previous Four Days.

    5.2 Set Up Review Time for Workshop Deliverables and to Discuss Next steps.

    Deliverables
    1. FTE-Hours Calculation
    2. Security Roles Definition
    3. Security Services Portfolio
    1. Demand Estimates
    2. Resourcing Plan
    1. Skills Gap Prioritization Tool
    2. Technical Skills Tool
    1. Technical Skills Tool
    2. Current Workforce Skills Assessment
    3. Skills Development Plan

    Phase 1

    Determine Security Service Portfolio Offerings

    Phase 1

    Phase 2

    Phase 3

    1.1 Gather Requirements and Define Roles

    1.2 Choose Security Service Offerings

    2.1 Assess Demand

    3.1 Determine Resourcing Status

    This phase involves the following participants:

    • CISO
    • Core Security Team
    • Business Representative (optional)

    Step 1.1

    Gather Requirements and Define Roles

    Activities

    1.1.1 Assess Business Needs and Pressures

    1.1.2 Define Security Roles

    This step involves the following participants:

    • CISO
    • Core Security Team
    • Business Representative (optional)

    Outcomes of this step

    • Security program requirements
    • Security roles definitions

    1.1.1 Assess security needs and pressures

    1 hour

    1. As a group, brainstorm the security requirements for your organization and any business pressures that exist within your industry (e.g. compliance obligations).
    • To get started, consider examples of typical business pressures on the next slides. Determine how your organization must respond to these points (note: this is not an exhaustive list).
    • You will likely notice that these requirements have already influenced the direction of your security program and the kinds of services it needs to provide to the business side of the organization.
  • There may be some that have not been well addressed by current service offerings (e.g. current service maturity, under/over definition of a service). Be sure to make a note of these areas and what the current challenge is and use these details in Step 1.2.
  • Document the results for future use in Step 1.2.1.
  • Input Output
    • List of key business requirements and industry pressures
    • Prioritized list of security program requirements
    Materials Participants
    • Whiteboard
    • Sticky notes
    • CISO
    • Core Security Team
    • Business Representative (optional)

    Typical business pressures examples

    The security services you will provide to the organization should be based on its unique business requirements and pressures, which will make certain services more applicable than others. Use this exercise to get an idea of what those business drivers might be.

    The image contains a screenshot of Typical business pressures examples.

    1.1.2 Define security roles

    1-2 hours

    1. Using the link below, download the Security Resources Planning Workbook and review the examples provided on the next slide.
    2. On tab 1 (Roles), review the example roles and identify which roles you have within your security team.
    • If necessary, customize the roles and descriptions to match your security team’s current make up.
    • If you have roles within your security team that do not appear in the examples, you can add them to the bottom of the table.
  • For each role, use columns D-F to indicate how many people (headcount) you have, or plan to have, in that role.
  • Use columns H-J to indicate how many hours per year each role has available to deliver the services within your service catalog.
  • Input Output
    • Full-time hours worked per week Weeks worked per year Existing job descriptions/roles
    • Calculated full-time equivalents (FTE) Defined security roles
    Materials Participants
    • Security Resources Planning Workbook
    • CISO
    • Core Security Team

    Download the Security Resources Planning Workbook

    Calculating FTEs and defining security roles

    The image contains a screenshot of the workbook demonstrating calculating FTEs and defining security roles.

    1. Start by entering the current and planned headcount for each role
    2. Then enter number of hours each role works per week
    3. Estimate the number of administrative hours (e.g. team meetings, training) per week
    4. Enter the average number of weeks per year that each role is available for service delivery
    5. The tool uses the data from steps 2-4 to calculate the average number of hours each role has for service delivery per year (FTE)

    Info-Tech Insight

    Watch out for role creep. It may be tempting to assign tasks to the people who already know how to do them, but we should consider which role is most appropriate for each task. If all services are assigned to one or two people, we’ll quickly use up all their time.

    Other considerations

    Address your skills gap.

    Cybersecurity is a rapidly evolving discipline and security teams from all over are reporting challenges related to training and upskilling needed to keep pace with the developments of the threat landscape.

    95% Security leaders who agree the cybersecurity skills gap has not improved over the last few years.*

    44% Security leaders who say the skills gap situation has only gotten worse.*

    When defining roles, consider the competencies needed to deliver your security services. Use Info-Tech’s blueprint Close the InfoSec Skills Gap: Develop a Technical Skills Sourcing Plan to help you determine the required skillsets for each role.

    * Source: ISSA, 2021

    Info-Tech Insight

    As the services in your portfolio mature and become more complex, remember to consider the skills you need and will need to be able to provide that service. Make sure to account for this need in your resource planning and keep in mind that we can only expect so much from one role. Therefore, hiring may be necessary to keep up with the diverse skills your services may require.

    Download blueprint Close the InfoSec Skills Gap: Develop a Technical Skills Sourcing Plan

    Step 1.2

    Choose Security Service Offerings

    Activities

    1.2.1 Define Security Services and Role Assignments

    This step involves the following participants:

    • CISO
    • Core Security Team

    Outcomes of this step

    • Service portfolio
    • Service pipeline status
    • Service ownership

    1.2.1 Define security services and role assignments

    2-4 hours

    1. As a group, review the outputs from Step 1.1.1. These requirements will serve as the basis to prioritize the service offerings of your security portfolio.
    2. Take these outputs, as well as any additional notes you’ve made, and put them side by side with the example service offerings on tab 3 of the Security Resources Planning Workbook so each service can be considered alongside these requirements (i.e. to determine if that service should be included in the security service portfolio at this time).
    3. Using the following slides as a guide, work your way down the list of example services and choose the services for your portfolio. For each service selected, be sure to customize the definition of the service and state its outcome (i.e. what time is spent when providing this service, indicate if it is outsourced, which role is responsible for delivering it, and the service pipeline status (in use, plan to use, plan to retire)).
    InputOutput
    • Business and security requirements gathered in Step 1.1.1
    • Defined security service portfolio
    • Service ownership assigned to role
    MaterialsParticipants
    • Security Resources Planning Workbook
    • CISO
    • Core Security Team

    Download the Security Resources Planning Workbook

    Service needs aligned with your control framework

    Use Info-Tech's best-of-breed Security Framework to develop a comprehensive baseline set of security service areas.

    The image contains a screenshot of the Security Framework.

    Prioritize your security services

    Example of a custom security services portfolio definition

    Security Strategy and Governance Model

    • Aligned Business Goals
    • Security Program Objectives
    • Centralized vs. Decentralized Governance Model

    Compliance Obligations

    • Penetration testing
    • Annual security audits
    • Data privacy and protection laws

    CISO Accountabilities

    • Security Policy
    • Risk Management
    • Application & Infrastructure Security
    • Program Metrics and Reporting

    Consider each of the requirement categories developed in Step 1.1.1 against the taxonomy and service domain here. If there is a clear need to add this service, use the drop-down list in the “Include in Catalog” column to indicate “Yes.” Mark un-needed services as “No.”

    The image contains a screenshot of the security services portfolio definition.

    Assigning roles to services

    The image contains an example of assigning roles to services.

    1. If the service is being outsourced, use the drop-down list to select “Yes.” This will cause the formatting to change in the neighboring cell (Role), as this cell does not need to be completed.
    2. For all in-sourced services, indicate the role assigned to perform the service.
    3. Indicate the service-pipeline status for each of the services you include. The selection you make will affect the conditional formatting on the next tab, similar to what is described in step 1.

    Info-Tech Insight

    Make sure your portfolio reflects current state and approved plans. There’s nothing wrong with planning for the future, but we should avoid using the portfolio as a list of goals.

    Phase 2

    Plan for Mandatory Versus Discretionary Demand

    Phase 1

    Phase 2

    Phase 3

    1.1 Gather Requirements and Define Roles

    1.2 Choose Security Service Offerings

    2.1 Assess Demand

    3.1 Determine Resourcing Status

    This phase involves the following participants:

    • CISO
    • Core Security Team

    Step 2.1

    Assess Demand

    Activities

    2.1.1 Estimate Current and Future Demand

    This step involves the following participants:

    • CISO
    • Core Security Team

    Outcomes of this step

    • Service demand estimates
    • Total service hours required
    • FTEs required per service

    2.1.1 Estimate current and future demand

    2-4 hours

    1. Estimate the number of hours required to complete each of the services in your portfolio and how frequently it is performed. Remember the service-hour estimates should be based on the outcome of the service (see examples on the next slide).
    • To do this effectively, think back over the last quarter and count how many times the members of your team performed each service and how many hours it took to complete.
    • Then, think back over the last year and consider if the last quarter represents typical demand (i.e. you may notice that certain services have a greater demand at different parts of the year, such as annual audit) and arrive at your best estimate for both service hours and demand.
    • See examples on next slide.

    Note: For continuous services (i.e. 24/7 security log monitoring), use the length of the work shift for estimating the Hours to Complete and the corresponding number of shifts per year for Mandatory Demand estimates. Example: For an 8-hour shift, there are 3 shifts per day at 365 days/year, resulting in 1,095 total shifts per year.

    Download the Security Resources Planning Workbook

    InputOutput
    • Service-hour estimations
    • Expected demand for service
    • Discretionary demand for service
    • Total hours required for service
    • FTEs required for service
    MaterialsParticipants
    • Security Resources Planning Workbook
    • CISO
    • Core Security Team

    Info-Tech Insight

    Time estimates will improve over time. It may be difficult to estimate exactly how long it takes to carry out each service at first. But making the effort to time your activities each quarter will help you to improve the accuracy of your estimates incrementally.

    Understanding mandatory versus discretionary demand

    Every service may have a mix of mandatory and discretionary demands. Understanding and differentiating between these types of demand is critical to developing an efficient resourcing plan.

    The image contains a picture used to represent mandatory demand.

    Mandatory Demand

    Mandatory demand refers to the amount of work that your team must perform to meet compliance obligations and critical business and risk mitigation requirements.

    Failure to meet mandatory demand levels will have serious consequences, such as regulatory fines or the introduction of risks that far exceed risk tolerances. This is work you cannot refuse.

    The image contains a diagram to demonstrate the relationship between Mandatory and Discretionary demand.

    The image contains a picture used to represent discretionary demand.

    Discretionary Demand

    Discretionary demand refers to the amount of work the security team is asked to perform that goes above and beyond your mandatory demand. Discretionary demand often comes in the form of ad hoc requests from business units or the IT department.

    Failure to meet discretionary demand levels usually has limited consequences, allowing you more flexibility to decide how much of this type of work you can accept.

    Mandatory versus discretionary demand examples

    Service Name

    Mandatory Demand Example

    Discretionary Demand Example

    Penetration Testing

    PCI compliance requires penetration testing against all systems within the cardholder data environment annually (currently 2 systems per year).

    Business units request ad hoc penetration testing against non-payment systems (expected 2-3 systems per year).

    Vendor Risk Assessments

    GDPR compliance requires vendor security assessments against all third parties that process personal information on our behalf (expected 1-2 per quarter).

    IT department has requested that the security team conduct vendor security assessments for all cloud services, regardless of whether they store personal information (expected 2-3 assessments per quarter).

    e-Discovery and Evidence Handling

    There is no mandatory demand for this service.

    The legal department occasionally asks the security team to assist with e-Discovery requests (expected demand 1-2 investigations per quarter).

    Example of service demand estimations

    The image contains a screenshot example of service demand estimations.

    1. For each service, describe the specific outcome or deliverable that the service produces. Modify the example deliverables as required.
    2. Enter the number of hours required to produce one instance of the service deliverable. For example, if the deliverable for your security training service is an awareness campaign, it may require 40 person hours to develop and deliver.
    3. Enter the number of mandatory and discretionary demands expected for each service within a given year. For instance, if you are delivering quarterly security awareness campaigns, enter 4 as the demand.

    Phase 3

    Build Your Resourcing Plan

    Phase 1

    Phase 2

    Phase 3

    1.1 Gather Requirements and Define Roles

    1.2 Choose Security Service Offerings

    2.1 Assess Demand

    3.1 Determine Resourcing Status

    This phase involves the following participants:

    • CISO
    • Security Manager

    Step 3.1

    Determine Resourcing Status

    Activities

    3.1.1 Review Demand Summary

    3.1.2 Fill Resource Gaps

    This step involves the following participants:

    • CISO
    • Security Manager

    Outcomes of this step

    • The number of FTEs required to meet demand
    • Resourcing gaps

    3.1.1 Review demand summary

    1-2 hours

    1. On tab 5 of the Security Resourcing Planning Tool (Demand Summary), review the results. This tab will show you if you have enough FTE hours per role to meet the demand level for each service.
    • Green indicates that there is a surplus of FTEs and the number displayed shows how many extra FTEs there are.
    • Yellow text that you have adequate FTEs to meet all of your mandatory demand but may not have enough to meet all of your discretionary demand.
    • Red text indicates that there are too few FTEs available, and the number displayed shows how many additional FTEs you will require.
  • Take note of how many FTEs you will need to meet expected and discretionary demand in each of the years you’ve planned for.
  • Input Output
    • Current staffing
    • Resourcing model
    Materials Participants
    • Security Resources Planning Workbook
    • CISO
    • HR Representative

    Download the Security Resources Planning Workbook

    Info-Tech Insight

    Start recruiting well in advance of need. Security talent can be difficult to come by, so make sure to begin your search for a new hire three to six months before your demand estimates indicate the need will arise.

    Example of demand planning summary (1/2)

    The image contains a screenshot of an example of demand planning summary.

    Example of demand planning summary (2/2)

    The image contains a screenshot of an example of demand planning. This image has a screenshot of the dashboard.

    3.1.2 Fill resource gaps

    2-4 hours

    1. Now that you have a resourcing model for your security services, you will need to plan to close the gaps between available FTEs and required service hours. For each role that has been under/over committed to service delivery, review the services assignments on tab 3 and determine the viability of the following gap closure actions:
      1. Reassign service responsibility to another role with fewer commitments
      2. Create efficiencies to reduce required hours
      3. Hire to meet the service demand
      4. Outsource the service
    2. Your resourcing shortages may not all be apparent at once. Therefore, build a roadmap to determine which needs must be addressed immediately and which can be scheduled for years two and three.

    Consider outsourcing

    Outsourcing provides access to tools and talent that would otherwise be prohibitively expensive. Typical reasons for outsourcing security operations include:

    • Difficulty finding or retaining security staff with advanced and often highly specialized skillsets.
    • The desire to transfer liability for high-risk operational activities such as 24/7 security monitoring.
    • Workforce scalability to accommodate irregular or infrequent events such as incident response and incident-related forensic investigations.

    Given the above, three different models have emerged for the operational security organization:

    1. Outsourced SecOps

    A fully outsourced Security Operations Center, managed and governed by a smaller in-house team

    2. Balanced Hybrid

    In-house operational security staff with some reliance on managed services

    3. In-House SecOps

    A predominantly in-house security team, augmented by a small managed services contract

    Once you have determined that further outsourcing is needed, go back and adjust the status in your service portfolio. Use Info-Tech's blueprint Develop Your Security Outsourcing Strategy to determine the right approach for your business needs.

    “The workforce of the future needs to be agile and adaptable, enabled by strong partnerships with third-party providers of managed security services. I believe these hybrid models really are the security workforce of the future.”

    – Senior Manager, Cybersecurity at EY

    Download blueprint Develop Your Security Outsourcing Strategy

    Info-Tech Insight

    Choose the right model for your organization’s size, risk tolerance, and process maturity level. For example, it might make more sense for larger enterprises with low risk tolerance to grow their internal teams and build in-house capability.

    Create efficiencies

    Resourcing challenges are often addressed more directly by increased spending. However, for a lot of organizations, this just isn’t possible. While there is no magic solution to resolve resource constraints and small budgets, the following tactics should be considered as a means to reduce the hours required for the services your team provides.

    Upskill Your Staff

    If full-scale training is not an option, see if there are individual skills that could be improved to help improve time to completion for your services. Use Info-Tech's blueprint Close the InfoSec Skills Gap to determine which skills are needed for your security team.

    Improve Process Familiarity

    In some organizations, especially low-maturity ones, problems can arise simply because there is a lack of familiarity with what needs to be done. Review the process, socialize it, and make sure your staff can execute in within the target time allotment.

    Add Technology

    Resourcing crunch or not, technology can help us do things better. Investigate whether automation software might help to shave a few hours off a given service. Use Info-Tech's blueprint Build a Winning Business Process Automation Playbook to optimize and automate your business processes with a user-centric approach.

    Download the blueprint Close the InfoSec Skills Gap: Develop a Technical Skills Sourcing Plan

    Download the blueprint Build a Winning Business Process Automation Playbook

    Info-Tech Insight

    Every minute counts. While using these strategies may not solve every resourcing crunch you have, they can help put you in the best position possible to deliver on your commitments for each service.

    Plan for employee turnover

    Cybersecurity skills are in high demand; practitioners are few. The reality is that experienced security personnel have a lot of opportunities. While we cannot control for the personal reasons employees leave jobs, we can address the professional reasons that cause them to leave.

    Fair wage

    Reasonable expectations

    Provide training

    Defined career path

    It’s a sellers’ market for cybersecurity skills these days. Higher-paying offers are one of the major reasons security leaders leave their jobs (ISSA, 2021).

    Many teams lose out on good talent simply because they have unrealistic expectations, seeking 5+ years experience for an entry-level position, due to misalignment with HR (TECHNATION, 2021).

    Technology is changing (and being adopted) faster than security professionals can train on it. Ongoing training is needed to close these gaps (ISO, 2021).

    People want to see where they are now, visualize where they will be in the future, and understand what takes to get there. This helps to determine what types of training and specialization are necessary (DigitalGuardian, 2020).

    Use Info-Tech’s blueprint Build a Strategic IT Workforce Plan to help staff your security organization for success.

    The image contains a screenshot of the Build a Strategic IT Workforce Plan.

    Download blueprint Build a Strategic IT Workforce Plan

    Summary of Accomplishment

    Problem Solved

    You have now successfully identified your business and security drivers, determined what services your security program will provide, and determined your resourcing plan to meet these demands over the next three years.

    As needs change at your organization, don’t forget to re-evaluate the decisions you’ve made. Don’t forget that outsourcing a service may be the most reliable way to provide and resource it. However, this is just one tool among many that should be considered, along with upskilling, process improvement/familiarity, and process automation.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information.

    workshops@infotech.com

    1-888-670-8889

    Research Contributors and Experts

    The image contains a picture of George Al-Koura.

    George Al-Koura

    CISO

    Ruby Life

    The image contains a picture of Brian Barniner.

    Brian Barniner

    Head of Decision Science and Analytics

    ValueBridge Advisors

    The image contains a picture of Tracy Dallaire.

    Tracy Dallaire

    CISO / Director of Information Security

    McMaster University

    The image contains a picture of Ricardo Johnson.

    Ricardo Johnson

    Chief Information Security Officer

    Citrix

    Research Contributors and Experts

    The image contains a picture of Ryan Rodriguez.

    Ryan Rodriguez

    Senior Manager, Cyber Threat Management

    EY

    The image contains a picture of Paul Townley.

    Paul Townley

    VP Information Security and Personal Technology

    Owens Corning

    13 Anonymous Contributors

    Related Info-Tech Research

    Cost-Optimize Your Security Budget

    Develop Your Security Outsourcing Strategy

    Close the InfoSec Skills Gap: Develop a Technical Skills Sourcing Plan

    Bibliography

    2021 Voice of the CISO Report.” Proofpoint, 2021. Web.

    “2022 Voice of the CISO.” Proofpoint, 2022. Web.

    Brook, Chris. “How to Find and Retain Skilled Cybersecurity Talent.” DigitalGuardian, 17 Sep. 2020. Web.

    “Canadian Cybersecurity Skills Framework” TECHNATION Canada, April 2020. Web.

    “Cybersecurity Skills Crisis Continues for Fifth Year, Perpetuated by Lack of Business Investment.” ISSA, 28 July 2021. Web.

    “Cybersecurity Workforce, National Occupational Standard.” TECHNATION Canada, April 2020. Web.

    Naden, Clare. “The Cybersecurity Skills Gap: Why Education Is Our Best Weapon against Cybercrime.” ISO, 15 April 2021. Web.

    Purse, Randy. “Four Challenges in Finding Cybersecurity Talent And What Companies Can Do About It.” TECHNATION Canada, 29 March 2021. Web.

    Social-Engineer. “Burnout in the Cybersecurity Community.” Security Boulevard, 8 Dec. 2021. Web.

    “State of Cybersecurity 2020.” ISACA, 2020. Web.

    The Complete Manual for Layoffs

    • Buy Link or Shortcode: {j2store}514|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: $30,999 Average $ Saved
    • member rating average days saved: 20 Average Days Saved
    • Parent Category Name: Lead
    • Parent Category Link: /lead

    When the economy is negatively influenced by factors beyond any organization’s control, the impact can be felt almost immediately on the bottom line. This decline in revenue as a result of a weakening economy will force organizations to reconsider every dollar they spend.

    Our Advice

    Critical Insight

    • The remote work environment many organizations find themselves in adds a layer of complexity to the already sensitive process of laying off employees.
    • Carrying out layoffs must be done while keeping personal contact as your first priority. That personal contact should be the basis for all subsequent communication with laid-off and remaining staff, even after layoffs have occurred.

    Impact and Result

    By following our process, we can provide your organization with the direction, tools, and best practices to lay off employees. This will need to be done with careful consideration into your organization’s short- and longer-term strategic goals.

    The Complete Manual for Layoffs Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Prepare for layoffs

    Understand the most effective cost-cutting solutions and set layoff policies and guidelines.

    • The Complete Manual for Layoffs Storyboard
    • Layoffs SWOT Analysis Template
    • Redeployment and Layoff Strategy Workbook
    • Sample Layoffs Policy
    • Cost-Cutting Planning Tool
    • Termination Costing Tool

    2. Objectively identify employees

    Develop an objective layoff selection method and plan for the transfer of essential responsibilities.

    • Workforce Planning Tool
    • Employee Layoff Selection Tool

    3. Prepare to meet with employees

    Plan logistics, training, and a post-layoff plan communication.

    • Termination Logistics Tool
    • IT Knowledge Transfer Risk Assessment Tool
    • IT Knowledge Transfer Plan Template
    • IT Knowledge Identification Interview Guide Template
    • Knowledge Transfer Job Aid
    • Layoffs Communication Package

    4. Meet with employees

    Collaborate with necessary departments and deliver layoffs notices.

    • Employee Departure Checklist Tool

    5. Monitor and manage departmental effectiveness

    Plan communications for affected employee groups and monitor organizational performance.

    • Ten Ways to Connect With Your Employees
    • Creating Connections
    [infographic]

    Infrastructure & Operations Priorities 2022

    • Buy Link or Shortcode: {j2store}56|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Disruptive & Emerging Technologies
    • Parent Category Link: /disruptive-emerging-technologies
    • The expectation amongst IT professionals for permanent transformational change has gone up 30% year over year. Further, 47% expect a lot of permanent change in 2022.
    • We are experiencing a great rate of change concurrent with a low degree of predictability.
    • How do you translate a general trend into a specific priority you can work on?

    Our Advice

    Critical Insight

    • Trends don’t matter but pressure does: Trends can be analyzed based on the pressure they exert (or not) on your I&O practice. Organizing trends into categories based on source makes for a more successful and contextual analysis.
    • Different prioritization is being demanded in 2022. For the foreseeable future prioritization is about drawing a line, below which you can ignore items with a clean conscience.
    • The priorities you choose to advocate for will be how your leadership is evaluated in the upcoming year.

    Impact and Result

    • By reading through this publication, you will begin to address the age-old problem “You don’t know what you don’t know.”
    • More importantly you will have a framework to dive deeper into the trends most relevant to you and your organization.
    • Info-Tech can help you turn your strong opinion into a compelling case for your stakeholders.

    Infrastructure & Operations Priorities 2022 Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Infrastructure & Operations Priorities 2022 – A framework to dive deeper into the trends most relevant to you and your organization

    Discover Info-Tech's four trends for Infrastructure & Operations leaders.

    • Infrastructure & Operations Priorities Report for 2022

    Infographic

    Monitor IT Employee Experience

    • Buy Link or Shortcode: {j2store}543|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: $29,096 Average $ Saved
    • member rating average days saved: 19 Average Days Saved
    • Parent Category Name: Engage
    • Parent Category Link: /engage
    • In IT, high turnover and sub-optimized productivity can have huge impacts on IT’s ability to execute SLAs, complete projects on time, and maintain operations effectively.
    • With record low unemployment rates in IT, retaining top employees and keeping them motivated in their jobs has never been more critical.

    Our Advice

    Critical Insight

    • One bad experience can cost you your top employee. Engagement is the sum total of the day-to-day experiences your employees have with your company.
    • Engagement, not pay, drives results. Engagement is key to your team's productivity and ability to retain top talent. Approach it systematically to learn what really drives your team.
    • It’s time for leadership to step up. As the CIO, it’s up to you to take ownership of your team’s engagement.

    Impact and Result

    • Info-Tech tools and guidance will help you initiate an effective conversation with your team around engagement, and avoid common pitfalls in implementing engagement initiatives.
    • Monitoring employee experience continuously using the Employee Experience Monitor enables you to take a data-driven approach to evaluating the success of your engagement initiatives.

    Monitor IT Employee Experience Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should focus on employee experience to improve engagement in IT, review Info-Tech’s methodology, and understand how our tools will help you construct an effective employee engagement program.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Start monitoring employee experience

    Plan out your employee engagement program and launch the Employee Experience Monitor survey for your team.

    • Drive IT Performance by Monitoring Employee Experience – Phase 1: Start Monitoring Employee Experience
    • None
    • None
    • EXM Setup Guide
    • EXM Training Guide for Managers
    • None
    • EXM Communication Template

    2. Analyze results and ideate solutions

    Interpret your Employee Experience Monitor results, understand what they mean in the context of your team, and involve your staff in brainstorming engagement initiatives.

    • Drive IT Performance by Monitoring Employee Experience – Phase 2: Analyze Results and Ideate Solutions
    • EXM Focus Group Facilitation Guide
    • Focus Group Facilitation Guide Driver Definitions

    3. Select and implement engagement initiatives

    Select engagement initiatives for maximal impact, create an action plan, and establish open and ongoing communication about engagement with your team.

    • Drive IT Performance by Monitoring Employee Experience – Phase 3: Measure and Communicate Results
    • Engagement Progress One-Pager
    [infographic]

    Workshop: Monitor IT Employee Experience

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Launch the EXM

    The Purpose

    Set up the EXM and collect a few months of data to build on during the workshop.

    Key Benefits Achieved

    Arm yourself with an index of employee experience and candid feedback from your team to use as a starting point for your engagement program.

    Activities

    1.1 Identify EXM use case.

    1.2 Identify engagement program goals and obstacles.

    1.3 Launch EXM.

    Outputs

    Defined engagement goals.

    EXM online dashboard with three months of results.

    2 Explore Engagement

    The Purpose

    To understand the current state of engagement and prepare to discuss the drivers behind it with your staff.

    Key Benefits Achieved

    Empower your leadership team to take charge of their own team's engagement.

    Activities

    2.1 Review EXM results to understand employee experience.

    2.2 Finalize focus group agendas.

    2.3 Train managers.

    Outputs

    Customized focus group agendas.

    3 Hold Employee Focus Groups

    The Purpose

    Establish an open dialogue with your staff to understand what drives their engagement.

    Key Benefits Achieved

    Understand where in your team’s experience you can make the most impact as an IT leader.

    Activities

    3.1 Identify priority drivers.

    3.2 Identify engagement KPIs.

    3.3 Brainstorm engagement initiatives.

    3.4 Vote on initiatives within teams.

    Outputs

    Summary of focus groups results

    Identified engagement initiatives.

    4 Select and Plan Initiatives

    The Purpose

    Learn the characteristics of successful engagement initiatives and build execution plans for each.

    Key Benefits Achieved

    Choose initiatives with the greatest impact on your team’s engagement, and ensure you have the necessary resources for success.

    Activities

    4.1 Select engagement initiatives with IT leadership.

    4.2 Discuss and decide on the top five engagement initiatives.

    4.3 Create initiative project plans.

    4.4 Build detailed project plans.

    4.5 Present project plans.

    Outputs

    Engagement project plans.

    Foster Data-Driven Culture With Data Literacy

    • Buy Link or Shortcode: {j2store}132|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: $12,999 Average $ Saved
    • member rating average days saved: 115 Average Days Saved
    • Parent Category Name: Data Management
    • Parent Category Link: /data-management

    Organizations are joining the wave and adopting machine learning and artificial intelligence (AI) to unlock the value in their data and power their competitive advantage. But to succeed with these complex analytics programs, they need to begin by looking at their data – empowering their people to realize and embrace the valuable insights within the organization’s data.

    The key to achieve becoming a data-driven organization is to foster a strong data culture and equip employees with data skills through an organization-wide data literacy program.

    Our Advice

    Critical Insight

    • Start with real business problems in a hands-on format to demonstrate the value of data.
    • Use a formalized organization-wide approach to data literacy program to bridge the data skills gap.
    • Provide relevant and practical training programs tailored to different learning styles and tenures (e.g. onboarding, development plan).

    Impact and Result

    Data literacy is critical to the success of digital transformation and AI analytics. Info-Tech’s approach to creating a sustainable and effective data literacy program is recognizing it is:

    • More than just technical training. A data literacy program isn’t just about data; it encompasses aspects of business, IT, and data.
    • More than a one-off exercise. To keep the literacy skills alive the program must be regular, sustainable, and tailored to different needs across all levels of the organization.
    • More than one delivery format. Different delivery methods need to be considered to suit various learning styles to ensure an effective delivery.

    Foster Data-Driven Culture With Data Literacy Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Foster Data-Driven Culture With Data Literacy Storyboard – A step-by-step guide to help organizations build an effective and sustainable data literacy program that benefits all employees who work with data.

    Data literacy as part of the data governance strategic program should be launched to all levels of employees that will help your organization bridge the data knowledge gap at all levels of the organization. This research recommends approaches to different learning styles to address data skill needs and helps members create a practical and sustainable data literacy program.

    • Foster Data-Driven Culture With Data Literacy Storyboard

    2. Fundamental Data Literacy Program Template – A document that provides an example of a fundamental data literacy program.

    Kick off a data awareness program that explains the fundamental understanding of data and its lifecycle. Explore ways to create or mature the data literacy program with smaller amounts of information on a more frequent basis.

    • Fundamental Data Literacy Program Template
    [infographic]

    Further reading

    Foster Data-Driven Culture With Data Literacy

    Data literacy is an essential part of a data-driven culture, bridging the data knowledge gaps across all levels of the organization.

    Analyst Perspective

    Data literacy is the missing link to becoming a data-driven organization.

    “Digital transformation” and “data driven” are two terms that are inseparable. With organizations accelerating in their digital transformation roadmap implementation, organizations need to invest in developing data skills with their people. Talent is scarce and the demand for data skills is huge, with 70% of employees expected to work heavily with data by 2025. There is no time like the present to launch an organization-wide data literacy program to bridge the data knowledge gap and foster a data-driven culture.

    Data literacy training is as important as your cybersecurity training. It impacts all levels of the organization. Data literacy is critical to success with digital transformation and AI analytics.

    Annabel Lui

    Principal Advisory Director, Data & Analytics Practice
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Organizations are joining the wave and adopting machine learning (ML) and artificial intelligence (AI) to unlock the value in their data and power their competitive advantage. But to succeed with these complex analytics programs, they need to begin by empowering their people to realize and embrace the valuable insights within the organization’s data.

    The key to becoming a data-driven organization is to foster a strong data culture and equip people with data skills through an organization-wide data literacy program.

    Common Obstacles

    Challenges the data leadership is likely to face as digital transformation initiatives drive intensified competition:

    • Resistance to change
    • Technological distractions
    • “Shadow data”
    • Difficulty securing resources and skilled data professionals
    • Inability to appreciate the value of data and its meaning for users – even fear of it

    Info-Tech's Approach

    We interviewed data leaders and instructors to gather insights about investing in data:

    • Start with real business problems in a hands-on format to demonstrate the value of data.
    • Implement a formalized organization-wide approach to data literacy program to bridge the data skill gap.
    • Provide relevant and practical training programs tailored to different learning styles and tenures (e.g. onboarding,development plan).

    Info-Tech Insight

    By thoughtfully designing a data literacy training program for the audience's own experience, maturity level, and learning style, organizations build the data-driven and engaged culture that helps them to unlock their data's full potential and outperform other organizations.

    Your Challenge

    Data literacy is the missing link to drive business outcomes from data.

    • Having a data-driven culture as an organization’s mission statement without implementing a data literacy program is like making an empty promise and leaving the value unrealized and unattainable.
    • A study conducted by the Data Literacy Project clearly indicates that organizations with aggressive data literacy programs will outperform those who do not have such programs. By 2030, data literacy will be one of the most sought-after skill sets. All employees require data literacy skills.
    • Everyone has a role in data. From employees who are actively involved in data collection to operational teams who create reports with analytics tools and finally to executives who use data to make business decisions – they all require continuous data literacy training in a data-driven organization. Because of differences in maturity, data literacy strategies cannot be one-size-fits-all.

    “Data literacy is the ability to read, work with, analyze, and communicate with data. It's a skill that empowers all levels of workers to ask the right questions of data and machines, build knowledge, make decisions, and communicate meaning to others.” – Qlik, n.d.

    75% of organizational employees have access to data tools – only 21% demonstrated confidence in their data skills.

    Source: Accenture, 2020.

    89% of C-level executives expect team members to explain how data has informed their decisions, but only 11% employees are fully confident in their ability to read, analyze, work with, and communicate with data

    Source: Qlik, 2022.

    Data debt or data asset?

    Manage your data as strategic assets.

    “[Data debt is] when you have undocumented, unused, incomplete, and inconsistent data,” according to Secoda (2023). “When … data debt is not solved, data teams could risk wasting time managing reports no one uses and producing data that no one understands.”

    Signs of data debt when considering investing in data literacy:

    • Lack of definition and understanding of data terms, therefore they don’t speak the same language. Without data literacy, an organization will not succeed in becoming a data-driven organization.
    • Putting data literacy as a low priority. Organization sees this as “another” training to put on the list and keeps it on the back burner.
    • Data literacy is not seen as the number one skill set needed in the organization. However, anyone who works with data requires data skills.
    • End users are not trained on self-serve features and tools.
    • Focusing on a minority group of people rather than everyone in the organization or seeing it as a one-off exercise.
    • Delays or failure to deliver digital transformation projects due to lack of data skills and data access issues.

    66%

    of organizations say a backlog of data debt is impacting new data management initiatives.

    40%

    of organizations say individuals within the business do not trust data insights.

    30%

    of organizations are unable to become data-driven.

    Source: Experian, 2020

    Info-Tech’s Approach

    Data literacy is critical to success with digital transformation and AI analytics.

    Diagram showing components of Data literacy: 1 - Data: understand your data, 2 - Business: define the purpose, 3 - IT: Introduce new ways of working

    The Info-Tech difference:

    1. More than just technical training. Data literacy program isn’t just about data but rather encompasses aspects of business, IT, and data.
    2. More than a one-off exercise. To keep literacy skills alive, the program must be routine and sustainable, tailored to different needs across all levels of the organization.
    3. More than one delivery format. Different delivery methods need to be considered to suit various learning styles.

    Data needs to be processed

    Data – facts – are organized, processed, and given meaning to become insights.

    Data, information, knowledge, insight, wisdom

    Image source: Welocalize, 2020.

    Data represents a discrete fact or event without relation to other things (e.g. it is raining). Data is unorganized and not useful on its own.

    Information organizes and structures data so that it is meaningful and valuable for a specific purpose (i.e. it answers questions). Information is a refined form of data.

    When information is combined with experience and intuition, it results in knowledge. It is our personal map/model of the world.

    Knowledge set with context generates insight. We become knowledgeable as a result of reading, researching, and memorizing (i.e. accumulating information).

    Wisdom means the ability to make sound judgments. Wisdom synthesizes knowledge and experiences into insights.

    Investment in data literacy is a game changer.

    Data literacy is the ability to collect, manage, evaluate, and apply data in a critical manner.

    A data-driven culture is “an operating environment that seeks to leverage data whenever and wherever possible to enhance business efficiency and effectiveness” (Forbes).

    Info-Tech Insight

    Data-driven culture refers to a workplace where decisions are made based on data evidence, not on gut instinct.

    Info-Tech’s methodology for building a data literacy program

    Phase Steps

    1. Define Data Literacy Objectives

    1.1 Understand organization’s needs

    1.2 Create vision and objective for data literacy program

    2. Assess Learning Style and Align to Program Design

    2.1 Create persona and identify audience

    2.2 Assess learning style and align to program design

    2.3 Determine the right delivery method

    3. Socialize Roadmap and Milestones

    3.1 Establish a roadmap

    3.2 Set key performance metrics and milestones

    Phase Outcomes

    Identify key objectives to establish and grow the data literacy program by articulating the problem and solutions proposed.

    Assess each audience’s learning style and adapt the program to their unique needs.

    Show a roadmap with key performance indicators to track each milestone and tell a data story.

    Insight Summary

    “In a world of more data, the companies with more data-literate people are the ones that are going to win.”

    – Miro Kazakoff, senior lecturer, MIT Sloan, in MIT Sloan School of Management, 2021

    Overarching insight

    By thoughtfully designing a data literacy training program personalized to each audience's maturity level, learning style, and experience, organizations can develop and grow a data-driven culture that unlocks the data's full potential for competitive differentiation.

    Module 1 insight

    We can learn a lot from each other. Literacy works both ways – business data stewards learn to “speak data” while IT data custodians understand the business context and value. Everyone should strive to exchange knowledge.

    Module 2 insight

    Avoid traditional classroom teaching – create a data literacy program that is learner-centric to allow participants to learn and experiment with data.

    Aligning program design to those learning styles will make participants more likely to be receptive to learning a new skill.

    Module 3 insight

    A data literacy program isn’t just about data but rather encompasses aspects of business, IT, and data. With executive support and partnership with business, running a data literacy program means that it won’t end up being just another technical training. The program needs to address why, what, how questions.

    Tactical insight

    A lot of programs don’t include the fundamentals. To get data concepts to stick, focus on socializing the data/information/knowledge/wisdom foundation.

    Tactical insight

    Many programs speak in abstract terms. We present case studies and tangible use cases to personalize training to the audience’s world and showcase opportunities enabled through data.

    Key performance indicators (KPIs) for your data literacy program

    How do you know if your data literacy program is successful? Here are some useful KPIs:

    Program Adoption Metrics

    • Percentage of employees attending data literacy training
    • Percentage of participants who report gains in data management knowledge after training sessions
    • Maturity assessment result
    • Survey and diagnostic feedback before and after training
    • Trend analysis of overall data literacy program

    Operational Metrics

    • Number of requests for analytics/reporting services
    • Number of reports created by users
    • Speed and quality of business decisions
    • User satisfaction with reports and analytics services
    • Improved business performance (customer satisfaction)
    • Improved valuation of organization data

    A data-driven culture builds tools and skills, builds users’ trust in the quality of data across sources, and raises the skills and understanding among the frontlines by encouraging everyone to leverage data for critical thinking and innovation.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of the project."

    Diagnostics and consistent frameworks are used throughout all four options.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Session 1

    Session 2

    Session 3

    Session 4

    Activities

    Define Data Literacy Objectives

    1.1 Review Data Culture Diagnostic results

    1.2 Identify business context: business goals, initiatives

    1.3 Create vision and objective for data literacy program

    Assess Learning Style and Align to Program Design

    2.1 Identify audience

    2.2 Assess learning style and align to program design

    2.3 Determine the right delivery method

    Build a Data Literacy Roadmap and Milestones

    3.1 Identify program initiatives and topics

    3.2 Determine delivery methods

    3.3 Build the data literacy roadmap

    Operational Strategy to implement Data Literacy

    4.1 Identify key performance metrics

    4.2 Identify owners and document RACI matrix

    4.3 Discuss next steps and wrap up.

    Deliverables

    1. Diagnostics reports (data culture survey)
    2. Vision and value statement
    1. Assessment of audience covering all levels of organization
    1. List of key program initiatives and topics
    2. Allocation of delivery methods
    3. Roadmap
    1. Data literacy metrics
    2. List of owners and roles and responsibilities
    3. Next step and implementation schedule

    Phase 1

    Define Data Literacy Objectives

    Phase 1: step 1 - Understand organization's needs, step 2 - Create vision and objective for data literacy program.

    Foster Data-Driven Culture With Data Literacy

    This phase will walk you through the following activities:

    • Understand the organization’s needs.
    • Create vision and objective for data literacy program.

    This phase involves the following participants:

    • Data governance sponsor
    • Data owners
    • Data stewards
    • Data custodians

    1.1 Gauge your organization’s current data culture

    Conduct data culture survey or diagnostic.

    1. Identify members of the data user base, data consumers, and other key stakeholders for surveying.
    2. Conduct an information session to introduce Info-Tech’s Data Culture Diagnostic survey. Explain the objective and importance of the survey and its role in helping to understand the organization’s current data culture and inform the improvement of that culture.
    3. Roll out the Info-Tech Data Culture Diagnostic survey to the identified users and stakeholders.
    4. Debrief and document the results and scorecard in the Data Strategy Stakeholder Interview Guide and Findings document.

    Input

    • Email addresses of participants in your organization who should receive the survey

    Output

    • Your organization’s Data Culture Scorecard for understanding current data culture as it relates to the use and consumption of data
    • An understanding of whether data is currently perceived to be an asset to the organization

    Materials

    • Info-Tech’s Data Culture Diagnostic service

    Participants

    • Participants include those at the senior leadership level through to middle management, as well as other business stakeholders at varying levels across the organization
    • Data owners, stewards, and custodians
    • Core data users and consumers

    Contact your Info-Tech Account Representative for details on launching a Data Culture Diagnostic.

    1.2 Define data literacy objectives

    1. Understand the organization’s needs by identifying opportunities and challenges relating to data. Document the described real-life examples.
    2. Categorize the list and identify areas where data literacy can address the business problem.
    3. Create a vision statement for the data literacy program, ensuring that it covers all levels of the organization.
    4. Articulate the intended targets and goals in planning for a data literacy program.

    Input

    • List of opportunities and challenges relating to data
    • Relevant business real-life examples

    Output

    • Categorized list of data literacy needs
    • Vision for literacy program
    • Targets and goals

    Materials

    • Whiteboard/flip charts
    • Sticky notes

    Participants

    • CDO or sponsor
    • Key business stakeholders
    • Data stewards
    • Data custodians
    • Data governance working group

    Quick wins for improving data literacy

    Data collected through Info-Tech’s Data Culture Diagnostic suggests three ways to improve data literacy:

    87%

    think more can be done to define and document commonly used terms with methods such as a business data glossary.

    68%

    think they can have a better understanding of the meaning of all data elements that are being captured or managed.

    86%

    feel that they can have more training in terms of tools as well as on what data is available at the organization.

    Source: Info-Tech Research Group's Data Culture Diagnostic, 2022; N=2,652

    Quick Wins

    • Create a business data glossary to document and define common terms.
    • Provide easy access to the business data glossary and procedures on how data is captured and managed.
    • Launch an organization-wide data literacy program.

    Delivering value is a means and the goal

    Start with real business problems in a hands-on format to demonstrate the value of data.

    Identify business problem:

    • Business decisions without facts are just guesses.
    • Management spends a lot of time finding and fixing data.
    • Unknown challenges on data assets and risk.
    • Incomplete view of customer/client and industry.
    • Not ready for modern data opportunities (e.g. artificial intelligence).

    Create an objective

    Treat data as a strategic asset to gain insight into our customers for all levels of organization.

    The solution: Data-driven culture powered by people who speak data.

    • Data dictionary
    • Data literacy
    • Trusted single source
    • Access to analytics tools
    • Decision making

    "According to Forrester, 91% of organizations find it challenging to improve the use of data insights for decision-making – even though 90% see it as a priority. Why the disconnect? A lack of data literacy."

    – Alation, 2020

    Fundamental data literacy

    Data literacy is more than just a technical training or a one-off exercise.

    Info-Tech provides various topics suited for a data literacy program that can accommodate different data skill requirements and encompasses relevant aspects of business, IT, and data.

    Info-Tech Research Group’s Data Literacy Program

    Use discovery and diagnostics to understand users’ comfort level and maturity with data.

    Data lunch 'n' learn

    • The power and value of data
    • Everyone is a data steward
    • Becoming data literate
    • Data 101
    • The future is data
    1 hour
    For: General audience, senior leadership, data leads, change management

    Speak data

    • What is data
    • Meet the data team
    • Day in the life of a steward
    • How data impacts you
    • Tools of the trade
    1/2 day
    For: New stewards, data owners, pre-data strategy workshop

    Your data story

    • Ask the right questions
    • Find the top five data elements
    • Understand your data
    • Present your data story
    • Lessons from COVID-19
    1/2 day
    For: New stewards, business data owners, pre-BI/analytics workshop

    Phase 2

    Assess Learning Style and Align to Program Design

    Phase 2: step 1 - Identify audience, step 2 - Access learning style and align to program design, step 3 - Determine the right delivery method.

    Foster Data-Driven Culture With Data Literacy

    This phase will walk you through the following activities:

    • Identify your audience.
    • Assess learning styles and align them to the data program design.
    • Determine the right delivery method.

    This phase involves the following participants:

    • Data governance sponsor
    • Data owners
    • Data stewards
    • Data custodians

    Avoid common pitfalls

    75%

    feel that training was too long to remember or to apply in their day-to-day work.

    21%

    find training had insufficient follow-up to help them apply on the job.

    Source: Grovo, 2018.

    1. Information Overload

      Trying to cover too much useful information results in overwhelm and does not deliver on key training objectives.
    2. Limited Implementation

      Learning is only the beginning. The real results are obtained when learning is followed by practice, which turns new knowledge into reliable habits.
    3. Lack of Organizational Alignment

      Implementing training without a clear link to organizational objectives leaves you unable to clearly communicate its value, undermines your ability to secure buy-in from attendees and executives, and leaves you unable to verify that the training is actually improving effectiveness.

    2.1 Understand learning style

    1. Create persona and identify the audiences and their roles in data across all levels of the organization.
    2. Identify the data program initiatives and assign the best delivery method to each initiative.
    3. Assign participants to each program initiative based on their skill gap and learning style.

    Input

    • List of audiences, their roles, and tenures
    • Data skill gap assessment
    • List of literacy program initiatives/topics

    Output

    • Target audience grouping
    • List of program initiatives with assigned groups

    Materials

    • Whiteboard/flip charts
    • Sticky notes

    Participants

    • CDO or sponsor
    • Key business stakeholders
    • Data stewards
    • Data custodians
    • Data governance working group

    You and data

    Is data an integral part of your work?

    Do you feel comfortable finding and using data in your organization?

    • Many people feel intimidated by data and therefore miss out on what data can do for them.
    • Often the obstacle is language. If you don’t understand the semantics around data, you will not feel confident to contribute to discussions around data.
    • You use data every day but need additional vocabulary to understand how to handle it properly.
    • Data literacy is the ability to “speak data” and to understand what data means (i.e. how to read charts and graphs, draw valid conclusions, and recognize when data is misinterpreted or used inappropriately to be misleading).
    • The business often doesn’t understand its role in data governance and how it informs and assists IT in responsible data management.

    Info-Tech Insight

    IT and data professionals need to understand the business as much as business needs to talk about data. Bidirectional learning and feedback improves the synergy between business and IT.

    Create personas

    Persona creation is a way to brainstorm ideas for the data literacy program.

    Choose a data role (e.g. data steward, data owner, data scientist).

    Describe the persona based on goals, priorities, tenures, preferred learning style, type of work with data.

    Identify data skill and level of skills required.

    Persona 1: Denise - Manager, People and Culture. Goals, priorities, tenure, data role, learning style, skill level

    Consider these other ways to brainstorm:

    • Review current in-flight projects.
    • Analyze types of data requests.
    • Understand needs by department.
    • Share learnings in a community of practice.

    Program design

    Categorize into six data skill areas

    Not everyone needs the same level of skill sets

    Bullseye board with skill levels (Innermost going outward): Expert, advanced, intermediate and Basic. The six data skill areas: 1. Understanding Data, 2. Find and Obtain Data, 3. Read, Interpret and Evaluate Data, 4. Manage Data, 5. Create and Use Data, 6. Tell a Story and Share Data are placed equally around in sections.

    Map the personas to the program

    Bridging the data knowledge gap.

    • Each component will promote the value of data to all levels of employees when demonstrating the right way for data to be understood, managed, and consumed in the organization.
    • Categorizing the data literacy program into six areas and levels of skill sets will provide clarity into which areas to focus on.
    • The program is intended to be implemented in stages, allowing the audience to learn and adopt the new skills. Leveraging in-flight projects for rolling out training will have a higher success because the need is already built into the project.
    Personas are placed at different points in the data skill area and skill level.

    Align program design to learning styles

    The four methods (Discussion, Information, Coaching, and Self-Discovery) are based on learner-centered model design rather than the traditional teacher-centered model.

    Info-Tech Insight

    Tailor your data literacy program to meet your organization’s needs, filling your range of knowledge gaps and catering to different levels of users.

    When it comes to rolling out a data literacy program, there is no one-size-fits-all solution. Your data literacy program is intended to spread knowledge throughout your organization. It should target everyone from executive leadership to management to subject matter experts across all functions of the business.

    Discussion method

    Delivery Method

    • Interactive format between instructor and learner
    • Instructor empowers and motivates learner through dialogues and exercises

    The imaginative learner

    The imaginative learner group likes to engage in feelings and spend time on reflection. This type of learner desires personal meaning and involvement. They focus on personal values for themselves and others and make connections quickly.

    For this group of learners, their question is: why should I learn this?

    Learning characteristics

    • Seek meaning
    • Need to be personally involved
    • Learn by listening and sharing ideas
    • Function through social interaction

    Information method

    Delivery Method

    • Instructor does most of the talking in the training
    • Instructor is teaching the content, delivering the training content, and demonstrating

    Analytical learner

    The analytical learner group likes to listen, to think about information, and to come up with ideas. They are interested in acquiring facts and delving into concepts and processes. They can learn effectively and enjoy doing independent research.

    For this group of learners, their question is: what should I learn?

    Learning characteristics

    • Seek and examine the facts
    • Need to know what experts think
    • Interested in ideas and concepts
    • Critique information and collect data
    • Function by adapting to experts

    Coaching method

    Delivery Method

    • Learning has on-the-job training or learning through role-play exercises
    • Instructor is coaching and facilitating learner

    Common sense learner

    The common sense learner group likes thinking and doing. They are satisfied when they can carry out experiments, build and design, and create usability. They like tinkering and applying useful ideas.

    For this group of learners, their question is: how should I learn?

    Learning characteristics

    • Seek usability
    • Need to know how things work
    • Learn by testing theories using practical methods
    • Use factual data to build concepts
    • Enjoy hands-on experience

    Self-discovery method

    Delivery Method

    • Interactive format between instructor and learner
    • Instructor provides evaluation and remedial instruction

    Common sense learner

    The dynamic learner group learns through doing and experiencing. They are continually looking for hidden possibilities and researching ideas to make original adjustments. They learn through trial and error and self-discovery.

    For this group of learners, their question is: what if I learn this?

    Learning characteristics

    • Seek hidden possibilities
    • Need to know what can be done with things
    • Learn by trial and error
    • Enjoy variety and excel in being flexible

    Delivery method considerations

    There are four common ways to learn a new skill: by watching, conceptualizing, doing, and experiencing. The following are some suggestions on ways to implement your data literacy program through different delivery methods.

    There are four common ways to learn a new skill: by watching, conceptualizing, doing, and experiencing. The following are some suggestions on ways to implement your data literacy program through different delivery methods.

    Phase 3

    Map Out Data Literacy Roadmap and Milestones

    Phase 3: step 1 - Roadmap exercise, step 2 - Set key performance metrics and milestones.

    Foster Data-Driven Culture With Data Literacy

    This phase will walk you through the following activities:

    • Complete a roadmap exercise.
    • Set key performance metrics and milestones.

    This phase involves the following participants:

    • Data governance sponsor
    • Data owners
    • Data stewards
    • Data custodians

    3.1 Build the data literacy roadmap and milestones

    1-3 hours
    1. Gather the data literacy objectives and list of program initiatives with their assigned groups.
    2. Discuss each program initiative with the data literacy creation team, assigning content owners and estimating effort required to build the content.

    For the Gantt chart:

    • Input the roadmap start year.
    • List each data literacy topic and delivery method.
    • Populate the planned start and end dates for the prepopulated list of program initiatives.

    Input

    • List of data literacy topics with assigned groups
    • Vision statement of data literacy program
    • Data literacy objectives

    Output

    • Roadmap Gantt chart
    • List of program initiatives with start and end date
    • Content owner assignment

    Materials

    • Whiteboard/flip charts
    • Sticky notes
    • MS Projects/Excel

    Participants

    • CDO or sponsor
    • Key business stakeholders
    • Data stewards
    • Data custodians
    • Data governance working group

    Data literacy journey mapping

    Making it sustainable

    • Deliver the literacy program in stages to make it easier for the audience to consume the content.
    • Allow opportunities to apply the learnings at work.
    • Map out the data literacy trainings as they get delivered and identify gaps, if any. Continue to refine and adjust the program and delivery method for better outcome.
    • Set clear goals and KPIs measurement up front.
    • Conduct Info-Tech Research Group’s Data Culture Diagnostics to set the baseline and repeat the assessment in 12 to 18 months.
    • Assign champions to lead change and influence end users to adopt better processes.
    Data Literacy journey mapping. Different departments need different skills in data literacy.

    Research contributors

    Name

    Position

    Andrea Malick Advisory Director, Info-Tech Research Group
    Andy Neill AVP, Data and Analytics, Chief Enterprise Architect, Info-Tech Research Group
    Crystal Singh Research Director, Info-Tech Research Group
    Imad Jawadi Senior Manager, Consulting Advisory, Info-Tech Research Group
    Irina Sedenko Research Director, Info-Tech Research Group
    Reddy Doddipalli Senior Workshop Director, Info-Tech Research Group
    Sherwick Min Technical Counselor, Info-Tech Research Group
    Wayne Cain Principal Advisory Director, Info-Tech Research Group

    Info-Tech’s Data Literacy Program

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Session 1

    Session 2

    Session 3

    Session 4

    Activities

    Understand the WHY and Value of Data

    1.1 Business context, business objectives, and goals

    1.2 You and data

    1.3 Data journey from data to insights

    1.4 Speak data – common terminology

    Learn about the WHAT Through Data Flow

    2.1 Data creation

    2.2 Data ingestion

    2.3 Data accumulation

    2.4 Data augmentation

    2.5 Data delivery

    2.6 Data consumption

    Explore the HOW Through Data Visualization Training

    3.1 Ask the right questions

    3.2 Find the top five data elements

    3.3 Understand your data

    3.4 Present your data story

    3.5 Sharing of lessons learned

    Put Them All Together Through Data Governance Awareness

    4.1 Data governance framework

    4.2 Data roles and responsibilities

    4.3 Data domain and owners

    Deliverables

    1. Learning material for understanding the data fundamental and its terminology
    1. Learning material for data flow elements
    1. Learning material for data visualization
    1. Learning material for data governance awareness program

    Related Info-Tech Research

    Establish Data Governance

    Deliver measurable business value.

    Build a Robust and Comprehensive Data Strategy

    Key to building and fostering a data-driven culture.

    Create a Data Management Roadmap

    Streamline your data management program with our simplified framework.

    Bibliography

    About Learning. “4MAT overview.” About Learning., 16 Aug. 2001. Web.

    Accenture. “The Human Impact of Data Literacy,” Accenture, 2020. Web.

    Anand, Shivani. “IDC Reveals India Data and Content Technologies Predictions for 2022 and onwards; Focus on Data Literacy for an Elevated data Culture.” IDC, 14 Mar. 2022. Web.

    Belissent, Jennifer, and Aaron Kalb. “Data Literacy: The Key to Data-Driven Decision Making.” Alation, April 2020. Web.

    Brown, Sara. “How to build data literacy in your company.” MIT Sloan School of Management, 9 Feb 2021. Web.

    ---. “How to build a data-driven company.” MIT Sloan School of Management, 24 Sept. 2020. Web.

    Domo. “Data Never Sleeps 9.0.” Domo, 2021. Web.

    Dykes, Brent. “Creating A Data-Driven Culture: Why Leading By Example Is Essential.” Forbes, 26 Oct. 2017. Web.

    Experian. “10 signs you are sitting on a pile of data debt.” Experian, 2020. Accessed 25 June 2021. Web.

    Experian. “2019 Global Data Management Research.” Experian, 2019. Web.

    Knight, Michelle. “Data Literacy Trends in 2023: Formalizing Programs.” Dataversity, 3 Jan. 2023. Web.

    Ghosh, Paramita. “Data Literacy Skills Every Organization Should Build.” Dataversity, 2 Nov. 2022. Web.

    Johnson, A., et al., “How to Build a Strategy in a Digital World,” Compact, 2018, vol. 2. Web.

    LifeTrain. “Learning Style Quiz.” EMTrain, Web.

    Lambers, E., et al. “How to become data literate and support a data-drive culture.” Compact, 2018, vol. 4. Web.

    Marr, Benard. “Why is data literacy important for any business?” Bernard Marr & Co., 16 Aug. 2022. Web.

    Marr, Benard. “8 simple ways to enhance your data literacy skills.” Bernard Marr & Co., 16 Aug. 2022. Web/

    Mendoza, N.F. “Data literacy: Time to cure data phobia” Tech Republic, 27 Sept. 2022. Web.

    Mizrahi, Etai. “How to stay ahead of data debt and downtime?” Secoda, 17 April 2023. Web.

    Needham, Mass., “IDC FutureScape: Top 10 Predictions for the Future of Intelligence.” IDC, 5 Dec. 2022. Web.

    Paton, J., and M.A.P. op het Veld. “Trusted Analytics.” Compact, 2017, vol. 2. Web.

    Qlik. “Data Literacy to be Most In-Demand Skill by 2030 as AI Transforms Global Workplaces.” Qlik., 16 Mar 2022. Web.

    Qlik. “What is data literacy?” Qlik, n.d. Web.

    Reed, David. Becoming Data Literate. Harriman House Publishing, 1 Sept. 2021. Print.

    Salomonsen, Summer. “Grovo’s First-Time Manager Microlearning® Program Will Help Your New Managers Thrive in 2018.” Grovos Blog, 5 Dec. 2018. Web.

    Webb, Ryan. “More Than Just Reporting: Uncovering Actionable Insights From Data.” Welocalize, 1 Sept. 2020. Web.

    The governance around resilience

    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A

    You want to become resilient to cyberattacks, human errors, power outages, and many other causes of service interruptions. Where do you start?

    You could ask your IT team and your Operations leaders to take the required measures to ensure "reliability." Do you think that will work without any oversight and guidelines? I can tell you right off the bat: No, And you will have given the same answer in your head already. Moreover, your company's department heads will have the same answer: no. And why? Exactly because they do not know how you want to put the "law" into effect in your company.

    Your next question is, of course: "what law?." If you are in Europe, you will have heard about the many laws of the EU, like NIS2, MIFID II, DORA, EMIR, and so many more. You will be subject to other laws if you are in Asia, the US, the Middle East, Africa, or Oceania. And if you deliver services to EU companies governed by the first set, you may be subject to those European laws as well. 

    So far, about the laws, let's look at what this gives you.

    If you're like me, you want your client to be able to use your services, almost no matter what. That means you must ensure your services are available to your clients under most circumstances. Ok, if WWIII breaks out with nuclear missiles flying all over, all bets are off.  Let's ignore that occurrence. (your contracts include "acts of God" exclusions, right? (if not, let's talk.) That is the real reason you must ensure your services to our clients are resilient. Resilient systems and processes ensure your income, revenue, the livelihood of your employees, the ROI for your shareholders, and your reputation.

     As I said, there are 4 stages. Let's begin with stage 1: governance.

    What is governance but telling your staff what you want them to do? Nothing! So, Let's tell them what to do and how to achieve their Key Performance Indicators. That way, you get what you want, being in control, and they get what they want: their bonus.

    Resilience governance needs to start at the top of the organization. And for that, you need to know WHY it is being introduced.

    1. To mitigate risks posed by growing vulnerabilities introduced by increased interconnectivity
    2. To address the shift in your risk profile as you adopt increasing digital adoption
    3. To acknowledge that third-party suppliers underpin your ability to supply services to your clients
    4. To adopt a single, consistent approach to operational resilience across markets

    Obviously, this is a holistic view of the markets across the US, EU, Oceania, and Africa. Each of these markets has its own interpretations and nuances.
    The point, however, stays the same: have a sound company oversight and management view via clear governance rules like ownership, policies, procedures, guidelines, and operational task lists.

    In the end, it is all about the ability to build, ensure, and review operational resilience from a technological and business perspective.

     

     

     

    Prepare for Post-Quantum Cryptography

    • Buy Link or Shortcode: {j2store}268|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Security Processes & Operations
    • Parent Category Link: /security-processes-and-operations
    • Fault-tolerant quantum computers, capable of breaking existing encryption algorithms and cryptographic systems, are widely expected to be available sooner than originally projected.
    • Data considered secure today may already be at risk due to the threat of harvest-now-decrypt-later schemes.
    • Many current security controls will be completely useless, including today's strongest encryption techniques.

    Our Advice

    Critical Insight

    The advent of quantum computing is closer than you think: some nations have already demonstrated capability with the potential to break current asymmetric-key encryption. Traditional encryption methods will no longer provide sufficient protection. You need to act now to begin your transformation to quantum-resistant encryption.

    Impact and Result

    • Developing quantum-resistant cryptography capabilities is crucial to maintaining data security and integrity for critical applications.
    • Organizations need to act now to begin their transformation to quantum-resistant encryption.
    • Data security (especially for sensitive data) should be an organization’s top priority. Organizations with particularly critical information need to be on top of this quantum movement.

    Prepare for Post-Quantum Cryptography Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Prepare for Post-Quantum Cryptography Storyboard – Research to help organizations to prepare and implement quantum-resistance cryptography solutions.

    Developing quantum-resistant cryptography capabilities is crucial to maintaining data security and integrity for critical applications. Organizations need to act now to begin their transformation to quantum-resistant encryption.

    • Prepare for Post-Quantum Cryptography Storyboard
    [infographic]

    Further reading

    Prepare for Post-Quantum Cryptography

    It is closer than you think, and you need to act now.

    Analyst Perspective

    It is closer than you think, and you need to act now.

    The quantum realm presents itself as a peculiar and captivating domain, shedding light on enigmas within our world while pushing the boundaries of computational capabilities. The widespread availability of quantum computers is expected to occur sooner than anticipated. This emerging technology holds the potential to tackle valuable problems that even the most powerful classical supercomputers will never be able to solve. Quantum computers possess the ability to operate millions of times faster than their current counterparts.

    As we venture further into the era of quantum mechanics, organizations relying on encryption must contemplate a future where these methods no longer suffice as effective safeguards. The astounding speed and power of quantum machines have the potential to render many existing security measures utterly ineffective, including the most robust encryption techniques used today. To illustrate, a task that currently takes ten years to crack through a brute force attack could be accomplished by a quantum computer in under five minutes.

    Amid this transition into a quantum future, the utmost priority for organizations remains data security, particularly safeguarding sensitive information. Organizations must proactively prepare for the development of countermeasures and essential resilience measures to attain a state of being "quantum safe."

    This is a picture of Alan Tang

    Alan Tang
    Principal Research Director, Security and Privacy
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • Anticipated advancements in fault-tolerant quantum computers, surpassing existing encryption algorithms and cryptographic systems, are expected to materialize sooner than previously projected. The timeframe for their availability is diminishing daily.
    • Data that is presently deemed secure faces potential vulnerability due to the emergence of harvest-now-decrypt-later strategies.
    • Numerous contemporary security controls, including the most robust encryption techniques, have become obsolete and offer little efficacy.

    Common Obstacles

    • The complexity involved makes it challenging for organizations to incorporate quantum-resistant cryptography into their current IT infrastructure.
    • The endeavor of transitioning to quantum-resilient cryptography demands significant effort and time, with the specific requirements varying for each organization.
    • A lack of comprehensive understanding regarding the cryptographic technologies employed in existing IT systems poses difficulties in identifying and prioritizing systems for upgrading to post-quantum cryptography.

    Info-Tech's Approach

    • The development of quantum-resistant cryptography capabilities is essential for safeguarding the security and integrity of critical applications.
    • Organizations must proactively initiate their transition toward quantum-resistant encryption to ensure data protection.
    • Ensuring the security of corporate data assets should be of utmost importance for organizations, with special emphasis on those possessing highly critical information in light of the advancements in quantum technology.

    Info-Tech Insight

    The advent of quantum computing (QC) is closer than you think: some nations have demonstrated capability with the potential to break current asymmetric-key encryption. Traditional encryption methods will no longer be sufficient as a means of protection. You need to act now to begin your transformation to quantum-resistant encryption.

    Evolvement of QC theory and technologies

    1900-1975

    1976-1997

    1998-2018

    2019-Now

    1. 1900: Max Planck – The energy of a particle is proportional to its frequency: E = hv, where h is a relational constant.
    2. 1926: Erwin Schrödinger – Since electrons can affect each other's states, their energies change in both time and space. The total energy of a particle is expressed as a probability function.
    1. 1976: Physicist Roman Stanisław Ingarden publishes the paper "Quantum Information Theory."
    2. 1980: Paul Benioff describes the first quantum mechanical model of a computer.
    3. 1994: Peter Shor publishes Shor's algorithm.
    1. 1998: A working 2-qubit NMR quantum computer is used to solve Deutsch's problem by Jonathan A. Jones and Michele Mosca at Oxford University.
    2. 2003: DARPA Quantum Network becomes fully operational.
    3. 2011: D-Wave claims to have developed the first commercially available quantum computer, D-Wave One.
    4. 2018: the National Quantum Initiative Act was signed into law by President Donald Trump.
    1. 2019: A paper by Google's quantum computer research team was briefly available, claiming the project has reached quantum supremacy.
    2. 2020: Chinese researchers claim to have achieved quantum supremacy, using a photonic peak 76-qubit system known as Jiuzhang.
    3. 2021: Chinese researchers reported that they have built the world's largest integrated quantum communication network.
    4. 2022: The Quantinuum System Model H1-2 doubled its performance claiming to be the first commercial quantum computer to pass quantum volume 4096.

    Info-Tech Insight

    The advent of QC will significantly change our perception of computing and have a crucial impact on the way we protect our digital economy using encryption. The technology's applicability is no longer a theory but a reality to be understood, strategized about, and planned for.

    Fundamental physical principles and business use cases

    Unlike conventional computers that rely on bits, quantum computers use quantum bits or qubits. QC technology surpasses the limitations of current processing powers. By leveraging the properties of superposition, interference, and entanglement, quantum computers have the capacity to simultaneously process millions of operations, thereby surpassing the capabilities of today's most advanced supercomputers.

    A 2021 Hyperion Research survey of over 400 key decision makers in North America, Europe, South Korea, and Japan showed nearly 70% of companies have some form of in-house QC program.

    Three fundamental QC physical principles

    1. Superposition
    2. Interference
    3. Entanglement

    This is an image of two headings, Optimization; and Simulation. there are five points under each heading, with an arrow above pointing left to right, labeled Qbit Count.

    Info-Tech Insight

    Organizations need to reap the substantial benefits of QC's power, while simultaneously shielding against the same technologies when used by cyber adversaries.

    Percentage of Surveyed Companies That Have QC Programs

    • 31% Have some form of in-house QC program
    • 69% Have no QC program

    Early adopters and business value

    QC early adopters see the promise of QC for a wide range of computational workloads, including machine learning applications, finance-oriented optimization, and logistics/supply chain management.

    This is an image of the Early Adopters, and the business value drivers.

    Info-Tech Insight

    Experienced attackers are likely to be the early adopters of quantum-enabled cryptographic solutions, harnessing the power of QC to exploit vulnerabilities in today's encryption methods. The risks are particularly high for industries that rely on critical infrastructure.

    The need of quantum-safe solution is immediate

    Critical components of classical cryptography will be at risk, potentially leading to the exposure of confidential and sensitive information to the general public. Business, technology, and security leaders are confronted with an immediate imperative to formulate a quantum-safe strategy and establish a roadmap without delay.

    Case Study – Google, 2019

    In 2019, Google claimed that "Our Sycamore processor takes about 200 seconds to sample one instance of a quantum circuit a million times—our benchmarks currently indicate that the equivalent task for a state-of-the-art classical supercomputer would take approximately 10,000 years."
    Source: Nature, 2019

    Why You Should Start Preparation Now

    • The complexity with integrating QC technology into existing IT infrastructure.
    • The effort to upgrade to quantum-resilient cryptography will be significant.
    • The amount of time remaining will decrease every day.

    Case Study – Development in China, 2020

    On December 3, 2020, a team of Chinese researchers claim to have achieved quantum supremacy, using a photonic peak 76-qubit system (43 average) known as Jiuzhang, which performed calculations at 100 trillion times the speed of classical supercomputers.
    Source: science.org, 2020

    Info-Tech Insight

    The emergence of QC brings forth cybersecurity threats. It is an opportunity to regroup, reassess, and revamp our approaches to cybersecurity.

    Security threats posed by QC

    Quantum computers have reached a level of advancement where even highly intricate calculations, such as factoring large numbers into their primes, which serve as the foundation for RSA encryption and other algorithms, can be solved within minutes.

    Threat to data confidentiality

    QC could lead to unauthorized decryption of confidential data in the future. Data confidentiality breaches also impact improperly disposed encrypted storage media.

    Threat to authentication protocols and digital governance

    A recovered private key, which is derived from a public key, can be used through remote control to fraudulently authenticate a critical system.

    Threat to data integrity

    Cybercriminals can use QC technology to recover private keys and manipulate digital documents and their digital signatures.

    Example:

    Consider RSA-2048, a widely used public-key cryptosystem that facilitates secure data transmission. In a 2021 survey, a majority of leading authorities believed that RSA-2048 could be cracked by quantum computers within a mere 24 hours.
    Source: Quantum-Readiness Working Group, 2022

    Info-Tech Insight

    The development of quantum-safe cryptography capabilities is of utmost importance in ensuring the security and integrity of critical applications' data.

    US Quantum Computing Cybersecurity Preparedness Act

    The US Congress considers cryptography essential for the national security of the US and the functioning of the US economy. The Quantum Computing Cybersecurity Preparedness Act was introduced on April 18, 2022, and became a public law (No: 117-260) on December 21, 2022.

    Purpose

    The purpose of this Act is to encourage the migration of Federal Government information technology systems to quantum-resistant cryptography, and for other purposes.

    Scope and Exemption

    • Scope: Systems of government agencies.
    • Exemption: This Act shall not apply to any national security system.

    Main Obligations

    Responsibilities

    Requirements
    Inventory Establishment Not later than 180 days after the date of enactment of this Act, the Director of OMB, shall issue guidance on the migration of information technology to post-quantum cryptography.
    Agency Reports "Not later than 1 year after the date of enactment of this Act, and on an ongoing basis thereafter, the head of each agency shall provide to the Director of OMB, the Director of CISA, and the National Cyber Director— (1) the inventory described in subsection (a)(1); and (2) any other information required to be reported under subsection (a)(1)(C)."
    Migration and Assessment "Not later than 1 year after the date on which the Director of NIST has issued post-quantum cryptography standards, the Director of OMB shall issue guidance requiring each agency to— (1) prioritize information technology described under subsection (a)(2)(A) for migration to post-quantum cryptography; and (2) develop a plan to migrate information technology of the agency to post-quantum cryptography consistent with the prioritization under paragraph (1)."

    "It is the sense of Congress that (1) a strategy for the migration of information technology of the Federal Government to post-quantum cryptography is needed; and (2) the government wide and industry-wide approach to post- quantum cryptography should prioritize developing applications, hardware intellectual property, and software that can be easily updated to support cryptographic agility." – Quantum Computing Cybersecurity Preparedness Act

    The development of post-quantum encryption

    Since 2016, the National Institute of Standards and Technology (NIST) has been actively engaged in the development of post-quantum encryption standards. The objective is to identify and establish standardized cryptographic algorithms that can withstand attacks from quantum computers.

    NIST QC Initiative Key Milestones

    Date Development
    Dec. 20, 2016 Round 1 call for proposals: Announcing request for nominations for public-key post-quantum cryptographic algorithms
    Nov. 30, 2017 Deadline for submissions – 82 submissions received
    Dec. 21, 2017 Round 1 algorithms announced (69 submissions accepted as "complete and proper")
    Jan. 30, 2019 Second round candidates announced (26 algorithms)

    July 22, 2020

    Third round candidates announced (7 finalists and 8 alternates)

    July 5, 2022

    Announcement of candidates to be standardized and fourth round candidates
    2022/2024 (Plan) Draft standards available

    Four Selected Candidates to be Standardized

    CRYSTALS – Kyber

    CRYSTALS – Dilithium

    FALCON

    SPHINCS+

    NIST recommends two primary algorithms to be implemented for most use cases: CRYSTALS-KYBER (key-establishment) and CRYSTALS-Dilithium (digital signatures). In addition, the signature schemes FALCON and SPHINCS+ will also be standardized.

    Info-Tech Insight

    There is no need to wait for formal NIST PQC standards selection to begin your post-quantum mitigation project. It is advisable to undertake the necessary steps and allocate resources in phases that can be accomplished prior to the finalization of the standards.

    Prepare for post-quantum cryptography

    The advent of QC is closer than you think: some nations have demonstrated capability with the potential to break current asymmetric-key encryption. Traditional encryption methods will no longer be sufficient as a means of protection. You need to act now to begin your transformation to quantum-resistant encryption.

    This is an infographic showing the three steps: Threat is Imminent; Risks are Profound; and Take Acton Now.

    Insight summary

    Overarching Insight

    The advent of QC is closer than you think as some nations have demonstrated capability with the potential to break current asymmetric-key encryption. Traditional encryption methods will no longer be sufficient as a means of protection. You need to act now to begin your transformation to quantum-resistant encryption.

    Business Impact Is High

    The advent of QC will significantly change our perception of computing and have a crucial impact on the way we protect our digital economy using encryption. The technology's applicability is no longer a theory but a reality to be understood, strategized about, and planned for.

    It's a Collaborative Effort

    Embedding quantum resistance into systems during the process of modernization requires collaboration beyond the scope of a Chief Information Security Officer (CISO) alone. It is a strategic endeavor shaped by leaders throughout the organization, as well as external partners. This comprehensive approach involves the collective input and collaboration of stakeholders from various areas of expertise within and outside the organization.

    Leverage Industry Standards

    There is no need to wait for formal NIST PQC standards selection to begin your post-quantum mitigation project. It is advisable to undertake the necessary steps and allocate resources in phases that can be accomplished prior to the finalization of the standards.

    Take a Holistic Approach

    The advent of QC poses threats to cybersecurity. It's a time to regroup, reassess, and revamp.

    Blueprint benefits

    IT Benefits

    Business Benefits

    • This blueprint will help organizations to discover and then prioritize the systems to be upgraded to post-quantum cryptography.
    • This blueprint will enable organizations to integrate quantum-resistant cryptography into existing IT infrastructure.
    • Developing quantum-resistant cryptography capabilities is crucial to maintaining data security and integrity for critical applications.
    • This blueprint will help organizations to save effort and time needed upgrade to quantum-resilient cryptography.
    • Organizations will reap the substantial benefits of QC's power, while simultaneously shielding against the same technologies when used by cyber adversaries.
    • Avoid reputation and brand image by preventing data breach and leakage.
    • This blueprint will empower organizations to protect corporate data assets in the post-quantum era.
    • Be compliant with various security and privacy laws and regulations.

    Info-Tech Project Value

    Time, value, and resources saved to obtain buy-in from senior leadership team using our research material:

    1 FTEs*10 days*$100,000/year = $6,000

    Time, value, and resources saved to implement quantum-resistant cryptography using our research guidance:

    2 FTEs* 30 days*$100,000/year = $24,000

    Estimated cost and time savings from this blueprint:

    $6,000 + $24,000 =$30,000

    Get prepared for a post-quantum world

    The advent of sufficiently powerful quantum computers poses a risk of compromising or weakening traditional forms of asymmetric and symmetric cryptography. To safeguard data security and integrity for critical applications, it is imperative to undertake substantial efforts in migrating an organization's cryptographic systems to post-quantum encryption. The development of quantum-safe cryptography capabilities is crucial in this regard.

    Phase 1 - Prepare

    • Obtain buy-in from leadership team.
    • Educate your workforce about the upcoming transition.
    • Create defined projects to reduce risks and improve crypto-agility.

    Phase 2 - Discover

    • Determine the extent of your exposed data, systems, and applications.
    • Establish an inventory of classical cryptographic use cases.

    Phase 3 - Assess

    • Assess the security and data protection risks posed by QC.
    • Assess the readiness of transforming existing classical cryptography to quantum-resilience solutions.

    Phase 4 - Prioritize

    • Prioritize transformation plan based on criteria such as business impact, near-term technical feasibility, and effort, etc.
    • Establish a roadmap.

    Phase 5 - Mitigate

    • Implement post-quantum mitigations.
    • Decommissioning old technology that will become unsupported upon publication of the new standard.
    • Validating and testing products that incorporate the new standard.

    Phase 1 – Prepare: Protect data assets in the post-quantum era

    The rise of sufficiently powerful quantum computers has the potential to compromise or weaken conventional asymmetric and symmetric cryptography methods. In anticipation of a quantum-safe future, it is essential to prioritize crypto-agility. Consequently, organizations should undertake specific tasks both presently and in the future to adequately prepare for forthcoming quantum threats and the accompanying transformations.

    Quantum-resistance preparations must address two different needs:

    Reinforce digital transformation initiatives

    To thrive in the digital landscape, organizations must strengthen their digital transformation initiatives by embracing emerging technologies and novel business practices. The transition to quantum-safe encryption presents a unique opportunity for transformation, allowing the integration of these capabilities to evolve business transactions and relationships in innovative ways.

    Protect data assets in the post-quantum era

    Organizations should prioritize supporting remediation efforts aimed at ensuring the quantum safety of existing data assets and services. The implementation of crypto-agility enables organizations to respond promptly to cryptographic vulnerabilities and adapt to future changes in cryptographic standards. This proactive approach is crucial, as the need for quantum-safe measures existed even before the complexities posed by QC emerged.

    Preparation for the post-quantum world has been recommended by the US government and other national bodies since 2016.

    In 2016, NIST, the National Security Agency (NSA), and Central Security Service stated in their Commercial National Security Algorithm Suite and QC FAQ: "NSA believes the time is now right [to start preparing for the post-quantum world] — consistent with advances in quantum computing."
    Source: Cloud Security Alliance, 2021

    Phase 1 – Prepare: Key tasks

    Preparing for quantum-resistant cryptography goes beyond simply acquiring knowledge and conducting experiments in QC. It is vital for senior management to receive comprehensive guidance on the challenges, risks, and potential mitigations associated with the post-quantum landscape. Quantum and post-quantum education should be tailored to individuals based on their specific roles and the impact of post-quantum mitigations on their responsibilities. This customized approach ensures that individuals are equipped with the necessary knowledge and skills relevant to their respective roles.

    Leadership Buy-In

    • Get senior management commitment to post-quantum project.
    • Determine the extent of exposed data, systems, and applications.
    • Identify near-term, achievable cryptographic maturity goals, creating defined projects to reduce risks and improve crypto-agility.

    Roles and Responsibilities

    • The ownership should be clearly defined regarding the quantum-resistant cryptography program.
    • This should be a cross-functional team within which members represent various business units.

    Awareness and Education

    • Senior management needs to understand the strategic threat to the organization and needs to adequately address the cybersecurity risk in a timely fashion.
    • Educate your workforce about the upcoming transition. All training and education should seek to achieve awareness of the following items with the appropriate stakeholders.

    Info-Tech Insight

    Embedding quantum resistance into systems during the process of modernization requires collaboration beyond the scope of a CISO alone. It is a strategic endeavor shaped by leaders throughout the organization, as well as external partners. This comprehensive approach involves the collective input and collaboration of stakeholders from various areas of expertise within and outside the organization.

    Phase 2 – Discover: Establish a data protection inventory

    During the discovery phase, it is crucial to locate and identify any critical data and devices that may require post-quantum protection. This step enables organizations to understand the algorithms in use and their specific locations. By conducting this thorough assessment, organizations gain valuable insights into their existing infrastructure and cryptographic systems, facilitating the implementation of appropriate post-quantum security measures.

    Inventory Core Components

    1. Description of devices and/or data
    2. Location of all sensitive data and devices
    3. Criticality of the data
    4. How long the data or devices need to be protected
    5. Effective cryptography in use and cryptographic type
    6. Data protection systems currently in place
    7. Current key size and maximum key size
    8. Vendor support timeline
    9. Post-quantum protection readiness

    Key Things to Consider

    • The accuracy and thoroughness of the discovery phase are critical factors that contribute to the success of a post-quantum project.
    • It is advisable to conduct this discovery phase comprehensively across all aspects, not solely limited to public-key algorithms.
    • Performing a data protection inventory can be a time-consuming and challenging phase of the project. Breaking it down into smaller subtasks can help facilitate the process.
    • Identifying all information can be particularly challenging since data is typically scattered throughout an organization. One approach to begin this identification process is by determining the inputs and outputs of data for each department and team within the organization.
    • To ensure accountability and effectiveness, it is recommended to assign a designated individual as the ultimate owner of the data protection inventory task. This person should have the necessary responsibilities and authority to successfully accomplish the task.

    Phase 3 – Assess: The workflow

    Quantum risk assessment entails evaluating the potential consequences of QC on existing security measures and devising strategies to mitigate these risks. This process involves analyzing the susceptibility of current systems to attacks by quantum computers and identifying robust security measures that can withstand QC threats.

    Risk Assessment Workflow

    This is an image of the Risk Assessment Workflow

    By identifying the security gaps that will arise with the advent of QC, organizations can gain insight into the substantial vulnerabilities that core business operations will face when QC becomes a prevalent reality. This proactive understanding enables organizations to prepare and implement appropriate measures to address these vulnerabilities in a timely manner.

    Phase 4 – Prioritize: Balance business value, security risks, and effort

    Organizations need to prioritize the mitigation initiatives based on various factors such as business value, level of security risk, and the effort needed to implement the mitigation controls. In the diagram below, the size of the circle reflects the degree of effort. The bigger the size, the more effort is needed.

    This is an image of a chart where the X axis represents Security Risk level, and the Y axis is Business Value.

    QC Adopters Anticipated Annual Budgets

    This is an image of a bar graph showing the Anticipated Annual Budgets for QC Adopters.
    Source: Hyperion Research, 2022

    Hyperion's survey found that the range of expected budget varies widely.

    • The most selected option, albeit by only 38% of respondents, was US$5 million to US$15 million.
    • About one-third of respondents foresaw annual budgets that exceeded US$15 million, and one-fifth expected budgets to exceed US$25 million.

    Build your risk mitigation roadmap

    2 hours

    1. Review the quantum-resistance initiatives generated in Phase 3 – Assessment.
    2. With input from all stakeholders, prioritize the initiatives based on business value, security risks, and effort using the 2x2 grid.
    3. Review the position of all initiatives and adjust accordingly considering other factors such as dependency, etc.
    4. Place prioritized initiatives to a wave chart.
    5. Assign ownership and target timeline for each initiative.

    This is an image the Security Risk Vs. Business value graph, above an image showing Initiatives Numbered 1-7, divided into Wave 1; Wave 2; and Wave 3.

    Input

    • Data protection inventory created in phase 2
    • Risk assessment produced in phase 3
    • Business unit leaders' and champions' understanding (high-level) of challenges posed by QC

    Output

    • Prioritization of quantum-resistance initiatives

    Materials

    • Whiteboard/flip charts
    • Sticky notes
    • Pen/whiteboard markers

    Participants

    • Quantum-resistance program owner
    • Senior leadership team
    • Business unit heads
    • Chief security officer
    • Chief privacy officer
    • Chief information officer
    • Representatives from legal, risk, and governance

    Phase 5 – Mitigate: Implement quantum-resistant encryption solutions

    To safeguard against cybersecurity risks and threats posed by powerful quantum computers, organizations need to adopt a robust defense-in-depth approach. This entails implementing a combination of well-defined policies, effective technical defenses, and comprehensive education initiatives. Organizations may need to consider implementing new cryptographic algorithms or upgrading existing protocols to incorporate post-quantum encryption methods. The selection and deployment of these measures should be cost-justified and tailored to meet the specific needs and risk profiles of each organization.

    Governance

    Implement solid governance mechanisms to promote visibility and to help ensure consistency

    • Update policies and documents
    • Update existing acceptable cryptography standards
    • Update security and privacy audit programs

    Industry Standards

    • Stay up to date with newly approved standards
    • Leverage industry standards (i.e. NIST's post-quantum cryptography) and test the new quantum-safe cryptographic algorithms

    Technical Mitigations

    Each type of quantum threat can be mitigated using one or more known defenses.

    • Physical isolation
    • Replacing quantum-susceptible cryptography with quantum-resistant cryptography
    • Using QKD
    • Using quantum random number generators
    • Increasing symmetric key sizes
    • Using hybrid solutions
    • Using quantum-enabled defenses

    Vendor Management

    • Work with key vendors on a common approach to quantum-safe governance
    • Assess vendors for possible inclusion in your organization's roadmap
    • Create acquisition policies regarding quantum-safe cryptography

    Research Contributors and Experts

    This is a picture of Adib Ghubril

    Adib Ghubril
    Executive Advisor, Executive Services
    Info-Tech Research Group

    This is a picture of Erik Avakian

    Erik Avakian
    Technical Counselor
    Info-Tech Research Group

    This is a picture of Alaisdar Graham

    Alaisdar Graham
    Executive Counselor
    Info-Tech Research Group

    This is a picture of Carlos Rivera

    Carlos Rivera
    Principal Research Advisor
    Info-Tech Research Group

    This is a picture of Hendra Hendrawan

    Hendra Hendrawan
    Technical Counselor
    Info-Tech Research Group

    This is a picture of Fritz Jean-Louis

    Fritz Jean-Louis
    Principal Cybersecurity Advisor
    Info-Tech Research Group

    Bibliography

    117th Congress (2021-2022). H.R.7535 - Quantum Computing Cybersecurity Preparedness Act. congress.gov, 21 Dec 2022.
    Arute, Frank, et al. Quantum supremacy using a programmable superconducting processor. Nature, 23 Oct 2019.
    Bernhardt, Chris. Quantum Computing for Everyone. The MIT Press, 2019.
    Bob Sorensen. Quantum Computing Early Adopters: Strong Prospects For Future QC Use Case Impact. Hyperion Research, Nov 2022.
    Candelon, François, et al. The U.S., China, and Europe are ramping up a quantum computing arms race. Here's what they'll need to do to win. Fortune, 2 Sept 2022.
    Curioni, Alessandro. How quantum-safe cryptography will ensure a secure computing future. World Economic Forum, 6 July 2022.
    Davis, Mel. Toxic Substance Exposure Requires Record Retention for 30 Years. Alert presented by CalChamber, 18 Feb 2022.
    Eddins, Andrew, et al. Doubling the size of quantum simulators by entanglement forging. arXiv, 22 April 2021.
    Gambetta, Jay. Expanding the IBM Quantum roadmap to anticipate the future of quantum-centric supercomputing. IBM Research Blog, 10 May 2022.
    Golden, Deborah, et al. Solutions for navigating uncertainty and achieving resilience in the quantum era. Deloitte, 2023.
    Grimes, Roger, et al. Practical Preparations for the Post-Quantum World. Cloud Security Alliance, 19 Oct 2021.
    Harishankar, Ray, et al. Security in the quantum computing era. IBM Institute for Business Value, 2023.
    Hayat, Zia. Digital trust: How to unleash the trillion-dollar opportunity for our global economy. World Economic Forum, 17 Aug 2022.
    Mateen, Abdul. What is post-quantum cryptography? Educative, 2023.
    Moody, Dustin. Let's Get Ready to Rumble—The NIST PQC 'Competition.' NIST, 11 Oct 2022.
    Mosca, Michele, Dr. and Dr. Marco Piani. 2021 Quantum Threat Timeline Report. Global Risk Institute, 24 Jan 2022.
    Muppidi, Sridhar and Walid Rjaibi. Transitioning to Quantum-Safe Encryption. Security Intelligence, 8 Dec 2022.
    Payraudeau, Jean-Stéphane, et al. Digital acceleration: Top technologies driving growth in a time of crisis. IBM Institute for Business Value, Nov 2020.
    Quantum-Readiness Working Group (QRWG). Canadian National Quantum-Readiness- Best Practices and Guidelines. Canadian Forum for Digital Infrastructure Resilience (CFDIR), 17 June 2022.
    Rotman, David. We're not prepared for the end of Moore's Law. MIT Technology Review, 24 Feb 2020.
    Saidi, Susan. Calculating a computing revolution. Roland Berger, 2018.
    Shorter., Ted. Why Companies Must Act Now To Prepare For Post-Quantum Cryptography. Forbes.com, 11 Feb 2022.
    Sieger, Lucy, et al. The Quantum Decade, Third edition. IBM, 2022.
    Sorensen, Bob. Broad Interest in Quantum Computing as a Driver of Commercial Success. Hyperion Research, 17 Nov 2021.
    Wise, Jason. How Much Data is Created Every Day in 2022? Earthweb, 22 Sept 2022.
    Wright, Lawrence. The Plague Year. The New Yorker, 28 Dec 2020.
    Yan, Bao, et al. Factoring integers with sublinear resources on a superconducting quantum processor. arXiv, 23 Dec 2022.
    Zhong, Han-Sen, et al. Quantum computational advantage using photons. science.org, 3 Dec 2020.

    Digital Data Ethics

    • Download01-Title: Tech Trend Update: If Digital Ethics Then Data Equity
    • Download-01: Visit Link
    • member rating overall impact: 9/10
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation

    In the past two years, we've seen that we need quick technology solutions for acute issues. We quickly moved to homeworking and then to a hybrid form. We promptly moved many of our offline habits online.

    That necessitated a boost in data collection from us towards our customers and employees, and business partners.
    Are you sure how to approach this structurally? What is the right thing to do?

    Impact and Results

    • When you partner with another company, set clear expectations
    • When you are building your custom solution, invite constructive criticism
    • When you present yourself as the authority, consider the most vulnerable in the relationship

    innovation

    The challenge of corporate security management

    • Buy Link or Shortcode: {j2store}41|cart{/j2store}
    • Related Products: {j2store}41|crosssells{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Security and Risk
    • Parent Category Link: /security-and-risk

    Corporate security management is a vital aspect in every modern business, regardless of business area or size. At Tymans Group we offer expert security management consulting to help your business set up proper protocols and security programs. More elaborate information about our security management consulting services and solutions can be found below.

    Corporate security management components

    You may be experiencing one or more of the following:

    • The risk goals should support business goals. Your business cannot operate without security, and security is there to conduct business safely. 
    • Security governance supports security strategy and security management. These three components form a protective arch around your business. 
    • Governance and management are like the legislative branch and the executive branch. Governance tells people what to do, and management's job is to verify that they do it.

    Our advice with regards to corporate security management

    Insight

    To have a successful information security strategy, take these three factors into account:

    • Holistic: your view must include people, processes, and technology.
    • Risk awareness: Base your strategy on the actual risk profile of your company and then add the appropriate best practices.
    • Business-aligned: When your strategic security plan demonstrates alignment with the business goals and supports it, embedding will be much more straightforward.

    Impact and results of our corporate security management approach

    • The approach of our security management consulting company helps to provide a starting point for realistic governance and realistic corporate security management.
    • We help you by implementing security governance and managing it, taking into account your company's priorities, and keeping costs to a minimum.

    The roadmap

    Besides the small introduction, subscribers and consulting clients within the corporate security management domain have access to:

    Get up to speed

    Read up on why you should build your customized corporate information security governance and management system. Review our methodology and understand the four ways we can support you.

    Align your security objectives with your business goals

    Determine the company's risk tolerance.

    • Implement a Security Governance and Management Program – Phase 1: Align Business Goals With Security Objectives (ppt)
    • Information Security Governance and Management Business Case (ppt)
    • Information Security Steering Committee Charter (doc)
    • Information Security Steering Committee RACI Chart (doc)
    • Security Risk Register Tool (xls)

    Build a practical governance framework for your company

    Our best-of-breed security framework makes you perform a gap analysis between where you are and where you want to be (your target state). Once you know that, you can define your goals and duties.

    • Implement a Security Governance and Management Program – Phase 2: Develop an Effective Governance Framework (ppt)
    • Information Security Charter (doc)
    • Security Governance Organizational Structure Template (doc)
    • Security Policy Hierarchy Diagram (ppt)
    • Security Governance Model Facilitation Questions (ppt)
    • Information Security Policy Charter Template (doc)
    • Information Security Governance Model Tool (Visio)
    • Pdf icon 20x20
    • Information Security Governance Model Tool (PDF)

    Now that you have built it, manage your governance framework.

    There are several essential management activities that we as a security management consulting company suggest you employ.

    • Implement a Security Governance and Management Program – Phase 3: Manage Your Governance Framework (ppt)
    • Security Metrics Assessment Tool (xls)
    • Information Security Service Catalog (xls)
    • Policy Exception Tracker (xls)
    • Information Security Policy Exception Request Form (doc)
    • Security Policy Exception Approval Workflow (Visio)
    • Security Policy Exception Approval Workflow (PDF)
    • Business Goal Metrics Tracking Tool (xls)

    Book an online appointment for more advice

    We are happy to tell you more about our corporate security management solutions and help you set up fitting security objectives. As a security management consulting firm we offer solutions and advice, based on our own extensive experience, which are practical and people-orientated. Discover our services, which include data security management and incident management and book an online appointment with CEO Gert Taeymans to discuss any issues you may be facing regarding risk management or IT governance.

    cybersecurity

    Capture and Market the ROI of Your VMO

    • Buy Link or Shortcode: {j2store}212|cart{/j2store}
    • member rating overall impact: 9.0/10 Overall Impact
    • member rating average dollars saved: $108,234 Average $ Saved
    • member rating average days saved: 9 Average Days Saved
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management
    • All IT organizations are dependent on their vendors for technology products, services, and solutions to support critical business functions.
    • Measuring the impact of and establishing goals for the vendor management office (VMO) to maximize its effectiveness requires an objective and quantitative approach whenever possible.
    • Sharing the VMO’s impact internally is a balancing act between demonstrating value and self-promotion.

    Our Advice

    Critical Insight

    • The return on investment (ROI) calculation for your VMO must be customized. The ROI components selected must match your VMO ROI maturity, resources, and roadmap. There is no one-size-fits-all approach to calculating VMO ROI.
    • ROI contributions come from many areas and sources. To maximize the VMO’s ROI, look outside the traditional framework of savings and cost avoidance to vendor-facing interactions and the impact the VMO has on internal departments.

    Impact and Result

    • Quantifying the contributions of the VMO takes the guess work out of whether the VMO is performing adequately.
    • Taking a comprehensive approach to measuring the value created by the VMO and the ROI associated with it will help the organization appreciate the importance of the VMO.
    • Establishing goals for the VMO with the help of the executives and key stakeholders ensures that the VMO is supporting the needs of the entire organization.

    Capture and Market the ROI of Your VMO Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should calculate and market internally your VMO’s ROI, review Info-Tech’s methodology, and understand the ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Get organized

    Begin the process by identifying your VMO’s ROI maturity level and which calculation components are most appropriate for your situation.

    • Capture and Market the ROI of the VMO – Phase 1: Get Organized
    • VMO ROI Maturity Assessment Tool
    • VMO ROI Calculator and Tracker
    • VMO ROI Data Source Inventory and Evaluation Tool
    • VMO ROI Summary Template

    2. Establish baseline

    Set measurement baselines and goals for the next measurement cycle.

    • Capture and Market the ROI of the VMO – Phase 2: Establish Baseline
    • VMO ROI Baseline and Goals Tool

    3. Measure and monitor results

    Measure the VMO's ROI and value created by the VMO’s efforts and the overall internal satisfaction with the VMO.

    • Capture and Market the ROI of the VMO – Phase 3: Measure and Monitor Results
    • RFP Cost Estimator
    • Improvements in Working Capital Estimator
    • Risk Estimator
    • General Process Cost Estimator and Delta Estimator
    • VMO Internal Client Satisfaction Survey
    • Vendor Security Questionnaire
    • Value Creation Worksheet
    • Deal Summary Report Template

    4. Report results

    Report the results to key stakeholders and executives in a way that demonstrates the value added by the VMO to the entire organization.

    • Capture and Market the ROI of the VMO – Phase 4: Report Results
    • Internal Business Review Agenda Template
    • IT Spend Analytics
    • VMO ROI Reporting Worksheet
    • VMO ROI Stakeholder Report Template
    [infographic]

    Workshop: Capture and Market the ROI of Your VMO

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Get Organized

    The Purpose

    Determine how you will measure the VMO’s ROI.

    Key Benefits Achieved

    Focus your measurement on the appropriate activities.

    Activities

    1.1 Determine your VMO’s maturity level and identify applicable ROI measurement categories.

    1.2 Review and select the appropriate ROI formula components for each applicable measurement category.

    1.3 Compile a list of potential data sources, evaluate the viability of each data source selected, and assign data collection and analysis responsibilities.

    1.4 Communicate progress and proposed ROI formula components to executives and key stakeholders for feedback and/or approval/alignment.

    Outputs

    VMO ROI maturity level and first step of customizing the ROI formula components.

    Second and final step of customizing the ROI formula components…what will actually be measured.

    Viable data sources and assignments for team members.

    A progress report for key stakeholders and executives.

    2 Establish Baseline

    The Purpose

    Set baselines to measure created value against.

    Key Benefits Achieved

    ROI contributions cannot be objectively measured without baselines.

    Activities

    2.1 Gather baseline data.

    2.2 Calculate/set baselines.

    2.3 Set SMART goals.

    2.4 Communicate progress and proposed ROI formula components to executives and key stakeholders for feedback and/or approval/alignment.

    Outputs

    Data to use for calculating baselines.

    Baselines for measuring ROI contributions.

    Value creation goals for the next measurement cycle.

    An updated progress report for key stakeholders and executives.

    3 Measure and Monitor Results

    The Purpose

    Calculate the VMO’s ROI.

    Key Benefits Achieved

    An understanding of whether the VMO is paying for itself.

    Activities

    3.1 Assemble the data and calculate the VMO’s ROI.

    3.2 Organize the data for the reporting step.

    Outputs

    The VMO’s ROI expressed in terms of how many times it pays for itself (e.g. 1X, 3X, 5X).

    Determine which supporting data will be reported.

    4 Report Results

    The Purpose

    Report results to stakeholders.

    Key Benefits Achieved

    Stakeholders understand the value of the VMO.

    Activities

    4.1 Create a reporting template.

    4.2 Determine reporting frequency.

    4.3 Decide how the reports will be distributed or presented.

    4.4 Send out a draft report and update based on feedback.

    Outputs

    A template for reporting ROI and supporting data.

    A decision about quarterly or annual reports.

    A decision regarding email, video, and in-person presentation of the ROI reports.

    Final ROI reports.

    Identify and Build the Data & Analytics Skills Your Organization Needs

    • Buy Link or Shortcode: {j2store}301|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Data Management
    • Parent Category Link: /data-management

    The rapid technological evolution in platforms, processes, and applications is leading to gaps in the skills needed to manage and use data. Some common obstacles that could prevent you from identifying and building the data & analytics skills your organization needs include:

    • Lack of resources and knowledge to secure professionals with the right mix of D&A skills and right level of experience/skills
    • Lack of well-formulated and robust data strategy
    • Underestimation of the value of soft skills

    Our Advice

    Critical Insight

    Skill deficiency is frequently stated as a roadblock to realizing corporate goals for data & analytics. Soft skills and technical skills are complementary, and data & analytics teams need a combination of both to perform effectively. Identify the essential skills and the gap with current skills that fit your organization’s data strategy to ensure the right skills are available at the right time and minimize pertinent risks.

    Impact and Result

    Follow Info-Tech's advice on the roles and skills needed to support your data & analytics strategic growth objectives and how to execute an actionable plan:

    • Define the skills required for each essential data & analytics role.
    • Identify the roles and skills gaps in alignment with your current data strategy.
    • Establish an action plan to close the gaps and reduce risks.

    Identify and Build the Data & Analytics Skills Your Organization Needs Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Identify and Build the Data & Analytics Skills Your Organization Needs Deck – Use this research to assist you in identifying and building roles and skills that are aligned with the organization’s data strategy.

    To generate business value from data, data leaders must first understand what skills are required to achieve these goals, identify the current skill gaps, and then develop skills development programs to enhance the relevant skills. Use Info-Tech's approach to identify and fill skill gaps to ensure you have the right skills at the right time.

    • Identify and Build the Data & Analytics Skills Your Organization Needs Storyboard

    2. Data & Analytics Skills Assessment and Planning Tool – Use this tool to help you identify the current and required level of competency for data & analytics skills, analyze gaps, and create an actionable plan.

    Start with skills and roles identified as the highest priority through a high-level maturity assessment. From there, use this tool to determine whether the organization’s data & analytics team has the key role, the right combination of skill sets, and the right level competency for each skill. Create an actionable plan to develop skills and fill gaps.

    • Data & Analytics Skills Assessment and Planning Tool
    [infographic]

    Further reading

    Identify and Build the Data & Analytics Skills Your Organization Needs

    Blending soft skills with deep technical expertise is essential for building successful data & analytics teams.

    Analyst Perspective

    Blending soft skills with deep technical expertise is essential for building successful data & analytics teams.

    In today's changing environment, data & analytics (D&A) teams have become an essential component, and it is critical for organizations to understand the skill and talent makeup of their D&A workforce. Chief data & analytics officers (CDAOs) or other equivalent data leaders can train current data employees or hire proven talent and quickly address skills gaps.

    While developing technical skills is critical, soft skills are often left underdeveloped, yet lack of such skills is most likely why the data team would face difficulty moving beyond managing technology and into delivering business value.

    Follow Info-Tech's methodology to identify and address skills gaps in today's data workplace. Align D&A skills with your organization's data strategy to ensure that you always have the right skills at the right time.

    Ruyi Sun
    Research Specialist,
    Data & Analytics, and Enterprise Architecture
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    The rapid technological evolution in platforms, processes, and applications is leading to gaps in the skills needed to manage and use data. Some critical challenges organizations with skills deficiencies might face include:

    • Time loss due to delayed progress and reworking of initiatives
    • Poor implementation quality and low productivity
    • Reduced credibility of data leader and data initiatives

    Common Obstacles

    Some common obstacles that could prevent you from identifying and building the data and analytics (D&A) skills your organization needs are:

    • Lack of resources and knowledge to secure professionals with the right mixed D&A skills and the right experience/skill level
    • Lack of well-formulated and robust data strategy
    • Neglecting the value of soft skills and placing all your attention on technical skills

    Info-Tech's Approach

    Follow Info-Tech's guidance on the roles and skills required to support your D&A strategic growth objectives and how to execute an actionable plan:

    • Define skills required for each essential data and analytics role
    • Identify roles and skills gap in alignment with your current data strategy
    • Establish action plan to close the gaps and reduce risks

    Info-Tech Insight

    Skills gaps are a frequently named obstacle to realizing corporate goals for D&A. Soft skills and technical skills are complementary, and a D&A team needs both to perform effectively. Identify the essential skills and the gap with current skills required by your organization's data strategy to ensure the right skill is available at the right time and to minimize applicable risks.

    The rapidly changing environment is impacting the nature of work

    Scarcity of data & analytics (D&A) skills

    • Data is one of the most valuable organizational assets, and regardless of your industry, data remains the key to informed decision making. More than 75% of businesses are looking to adopt technologies like big data, cloud computing, and artificial intelligence (AI) in the next five years (World Economic Forum, 2023). As organizations pivot in response to industry disruptions and technological advancements, the nature of work is changing, and the demand for data expertise has grown.
    • Despite an increasing need for data expertise, organizations still have trouble securing D&A roles due to inadequate upskilling programs, limited understanding of the skills required, and more (EY, 2022). Notably, scarce D&A skills have been critical. More workers will need at least a base level of D&A skills to adequately perform their jobs.

    Stock image of a data storage center.

    Organizations struggle to remain competitive when skills gaps aren't addressed

    Organizations identify skills gaps as the key barriers preventing industry transformation:

    60% of organizations identify skills gaps as the key barriers preventing business transformation (World Economic Forum, 2023)

    43% of respondents agree the business area with the greatest need to address potential skills gaps is data analytics (McKinsey & Company, 2020)

    Most organizations are not ready to address potential role disruptions and close skills gaps:

    87% of surveyed companies say they currently experience skills gaps or expect them within a few years (McKinsey & Company, 2020)

    28% say their organizations make effective decisions on how to close skills gaps (McKinsey & Company, 2020)

    Neglecting soft skills development impedes CDOs/CDAOs from delivering value

    According to BearingPoint's CDO survey, cultural challenges and limited data literacy are the main roadblocks to a CDO's success. To drill further into the problem and understand the root causes of the two main challenges, conduct a root cause analysis (RCA) using the Five Whys technique.

    Bar Chart of 'Major Roadblocks to the Success of a CDO' with 'Limited data literacy' at the top.
    (Source: BearingPoint, 2020)

    Five Whys RCA

    Problem: Poor data literacy is the top challenge CDOs face when increasing the value of D&A. Why?

    • People that lack data literacy find it difficult to embrace and trust the organization's data insights. Why?
    • Data workers and the business team don't speak the same language. Why?
    • No shared data definition or knowledge is established. Over-extensive data facts do not drive business outcomes. Why?
    • Leaders fail to understand that data literacy is more than technical training, it is about encompassing all aspects of business, IT, and data. Why?
    • A lack of leadership skills prevents leaders from recognizing these connections and the data team needing to develop soft skills.

    Problem: Cultural challenge is one of the biggest obstacles to a CDO's success. Why?

    • Decisions are made from gut instinct instead of data-driven insights, thus affecting business performance. Why?
    • People within the organization do not believe that data drives operational excellence, so they resist change. Why?
    • Companies overestimate the organization's level of data literacy and data maturity. Why?
    • A lack of strategies in change management, continuous improvement & data literacy for data initiatives. Why?
    • A lack of expertise/leaders possessing these relevant soft skills (e.g. change management, etc.).

    As organizations strive to become more data-driven, most conversations around D&A emphasize hard skills. Soft skills like leadership and change management are equally crucial, and deficits there could be the root cause of the data team's inability to demonstrate improved business performance.

    Data cannot be fully leveraged without a cohesive data strategy

    Business strategy and data strategy are no longer separate entities.

    • For any chief data & analytics officer (CDAO) or equivalent data leader, a robust and comprehensive data strategy is the number one tool for generating measurable business value from data. Data leaders should understand what skills are required to achieve these goals, consider the current skills gap, and build development programs to help employees improve those skills.
    • Begin your skills development programs by ensuring you have a data strategy plan prepared. A data strategy should never be formulated independently from the business. Organizations with high data maturity will align such efforts to the needs of the business, making data a major part of the business strategy to achieve data centricity.
    • Refer to Info-Tech's Build a Robust and Comprehensive Data Strategy blueprint to ensure data can be leveraged as a strategic asset of the organization.

    Diagram of 'Data Strategy Maturity' with two arrangements of 'Data Strategy' and 'Business Strategy'. One is 'Aligned', the other is 'Data Centric.'

    Info-Tech Insight

    The process of achieving data centricity requires alignment between the data and business teams, and that requires soft skills.

    Follow Info-Tech's methodology to identify the roles and skills needed to execute a data strategy

    1. Define Key Roles and Skills

      Digital Leadership Skills, Soft Skills, Technical Skills
      Key Output
      • Defined essential competencies, responsibilities for some common data roles
    2. Uncover the Skills Gap

      Data Strategy Alignment, High-Level Data Maturity Assessment, Skills Gap Analysis
      Key Output
      • Data roles and skills aligned with your current data strategy
      • Identified current and target state of data skill sets
    3. Build an Actionable Plan

      Initiative Priority, Skills Growth Feasibility, Hiring Feasibility
      Key Output
      • Identified action plan to address the risk of data skills deficiency

    Info-Tech Insight

    Skills gaps are a frequently named obstacle to realizing corporate goals for D&A. Soft skills and technical skills are complementary, and a D&A team needs both to perform effectively. Identify the essential skills and the gap with current skills that fit your organization's data strategy to ensure the right skill is available at the right time and to minimize applicable risks.

    Research benefits

    Member benefits

    • Reduce time spent defining the target state of skill sets.
    • Gain ability to reassess the feasibility of execution on your data strategy, including resources and timeline.
    • Increase confidence in the data leader's ability to implement a successful skills development program that is aligned with the organization's data strategy, which correlates directly to successful business outcomes.

    Business benefits

    • Reduce time and cost spent hiring key data roles.
    • Increase chance of retaining high-quality data professionals.
    • Reduce time loss for delayed progress and rework of initiatives.
    • Optimize quality of data initiative implementation.
    • Improve data team productivity.

    Insight summary

    Overarching insight

    Skills gaps are a frequently named obstacle to realizing corporate goals for D&A. Soft skills and technical skills are complementary, and a D&A team needs both to perform effectively. Identify the essential skills and the gap with current skills that fit your organization's data strategy to ensure the right skill is available at the right time and to minimize applicable risks.

    Phase 1 insight

    Technological advancements will inevitably require new technical skills, but the most in-demand skills go beyond mastering the newest technologies. Soft skills are essential to data roles as the global workforce navigates the changes of the last few years.

    Phase 2 insight

    Understanding and knowing your organization's data maturity level is a prerequisite to assessing your current skill and determining where you must align in the future.

    Phase 3 insight

    One of the misconceptions that organizations have includes viewing skills development as a one-time effort. This leads to underinvestment in data team skills, risk of falling behind on technological changes, and failure to connect with business partners. Employees must learn to continuously adapt to the changing circumstances of D&A.

    While the program must be agile and dynamic to reflect technological improvements in the development of technical skills, the program should always be anchored in soft skills because data management is fundamentally about interaction, collaboration, and people.

    Tactical insight

    Seeking input and support across your business units can align stakeholders to focus on the right data analytics skills and build a data learning culture.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is four to six calls over the course of two to three months.

    What does a typical GI on this topic look like?

    Phase 1

    Phase 2

    Phase 3

    Call #1: Understand common data & analytics roles and skills, and your specific objectives and challenges. Call #2: Assess the current data maturity level and competency of skills set. Identify the skills gap. Call #3: Identify the relationship between current initiatives and capabilities. Initialize the corresponding roadmap for the data skills development program.

    Call #4: (follow-up call) Touching base to follow through and ensure that benefits have received.

    Identify and Build the Data & Analytics Skills Your Organization Needs

    Phase 1

    Define Key Roles and Skills

    Define Key Roles and Skills Uncover the Skills Gap Build an Actionable Plan

    This phase will walk you through the following activities:

    • 1.1 Review D&A Skill & Role List in Data & Analytics Assessment and Planning Tool

    This phase involves the following participants:

    • Data leads

    Key resources for your data strategy: People

    Having the right role is a key component for executing effective data strategy.

    D&A Common Roles

    • Data Steward
    • Data Custodian
    • Data Owner
    • Data Architect
    • Data Modeler
    • Artificial Intelligence (AI) and Machine Learning (ML) Specialist
    • Database Administrator
    • Data Quality Analyst
    • Security Architect
    • Information Architect
    • System Architect
    • MDM Administrator
    • Data Scientist
    • Data Engineer
    • Data Pipeline Developer
    • Data Integration Architect
    • Business Intelligence Architect
    • Business Intelligence Analyst
    • ML Validator

    AI and ML Specialist is projected to be the fastest-growing occupation in the next five years (World Economic Forum, 2023).

    While tech roles take an average of 62 days to fill, hiring a senior data scientist takes 70.5 days (Workable, 2019). Start your recruitment cycle early for this demand.

    D&A Leader Roles

    • Chief Data Officer (CDO)/Chief Data & Analytics Officer (CDAO)
    • Data Governance Lead
    • Data Management Lead
    • Information Security Lead
    • Data Quality Lead
    • Data Product Manager
    • Master Data Manager
    • Content and Record Manager
    • Data Literacy Manager

    CDOs act as impactful change agents ensuring that the organization's data management disciplines are running effectively and meeting the business' data needs. Only 12.0% of the surveyed organizations reported having a CDO as of 2012. By 2022, this percentage had increased to 73.7% (NewVantage Partners, 2022).

    Sixty-five percent of respondents said lack of data literacy is the top challenge CDOs face today (BearingPoint, 2020). It has become imperative for companies to consider building a data literacy program which will require a dedicated data literacy team.

    Key resources for your data strategy: Skill sets

    Distinguish between the three skills categories.

    • Soft Skills

      Soft skills are described as power skills regarding how you work, such as teamwork, communication, and critical thinking.
    • Digital Leadership Skills

      Not everyone working in the D&A field is expected to perform advanced analytical tasks. To thrive in increasingly data-rich environments, however, every data worker, including leaders, requires a basic technological understanding and skill sets such as AI, data literacy, and data ethics. These are digital leadership skills.
    • Technical Skills

      Technical skills are the practical skills required to complete a specific task. For example, data scientists and data engineers require programming skills to handle and manage vast amounts of data.

    Info-Tech Insight

    Technological advancements will inevitably require new technical skills, but the most in-demand skills go beyond mastering the newest technologies. Soft skills are essential to data roles as the global workforce navigates the changes of the last few years.

    Soft skills aren't just nice to have

    They're a top asset in today's data workplace.

    Leadership

    • Data leaders with strong leadership abilities can influence the organization's strategic execution and direction, support data initiatives, and foster data cultures. Organizations that build and develop leadership potential are 4.2 times more likely to financially outperform those that do not (Udemy, 2022).

    Business Acumen

    • The process of deriving conclusions and insights from data is ultimately utilized to improve business decisions and solve business problems. Possessing business acumen helps provide the business context and perspectives for work within data analytics fields.

    Critical Thinking

    • Critical thinking allows data leaders at every level to objectively assess a problem before making judgment, consider all perspectives and opinions, and be able to make decisions knowing the ultimate impact on results.

    Analytical Thinking

    • Analytical thinking remains the most important skill for workers in 2023 (World Economic Forum, 2023). Data analytics expertise relies heavily on analytical thinking, which is the process of breaking information into basic principles to analyze and understand the logic and concepts.

    Design Thinking & Empathy

    • Design thinking skills help D&A professionals understand and prioritize the end-user experience to better inform results and assist the decision-making process. Organizations with high proficiency in design thinking are twice as likely to be high performing (McLean & Company, 2022).

    Learning Focused

    • The business and data analytics fields continue to evolve rapidly, and the skills, especially technical skills, must keep pace. Learning-focused D&A professionals continuously learn, expanding their knowledge and enhancing their techniques.

    Change Management

    • Change management is essential, especially for data leaders who act as change agents developing and enabling processes and who assist others with adjusting to changes with cultural and procedural factors. Organizations with high change management proficiency are 2.2 times more likely to be high performing (McLean & Company, 2022).

    Resilience

    • Being motivated and adaptable is essential when facing challenges and high-pressure situations. Organizations highly proficient in resilience are 1.8 times more likely to be high performing (McLean & Company, 2022).

    Managing Risk & Governance Mindset

    • Risk management ability is not limited to highly regulated institutions. All data workers must understand risks from the larger organizational perspective and have a holistic governance mindset while achieving their individual goals and making decisions.

    Continuous Improvement

    • Continuously collecting feedback and reflecting on it is the foundation of continuous improvement. To uncover and track the lessons learned and treat them as opportunities, data workers must be able to discover patterns and connections.

    Teamwork & Collaboration

    • Value delivery in a data-centric environment is a team effort, requiring collaboration across the business, IT, and data teams. D&A experts with strong collaborative abilities can successfully work with other teams to achieve shared objectives.

    Communication & Active Listening

    • This includes communicating with relevant stakeholders about timelines and expectations of data projects and associated technology and challenges, paying attention to data consumers, understanding their requirements and needs, and other areas of interest to the organization.

    Technical skills for everyday excellence

    Digital Leadership Skills

    • Technological Literacy
    • Data and AI Literacy
    • Cloud Computing Literacy
    • Data Ethics
    • Data Translation

    Data & Analytics Technical Competencies

    • Data Mining
    • Programming Languages (Python, SQL, R, etc.)
    • Data Analysis and Statistics
    • Computational and Algorithmic Thinking
    • AI/ML Skills (Deep Learning, Computer Vision, Natural Language Processing, etc.)
    • Data Visualization and Storytelling
    • Data Profiling
    • Data Modeling & Design
    • Data Pipeline (ETL/ELT) Design & Management
    • Database Design & Management
    • Data Warehouse/Data Lake Design & Management

    1.1 Review D&A Skill & Role List in the Data & Analytics Assessment and Planning Tool

    Sample of Tab 2 in the Data & Analytics Assessment and Planning Tool.

    Tab 2. Skill & Role List

    Objective: Review the library of skills and roles and customize them as needed to align with your organization's language and specific needs.

    Download the Data & Analytics Assessment and Planning Tool

    Identify and Build the Data & Analytics Skills Your Organization Needs

    Phase 2

    Uncover the Skills Gap

    Define Key Roles and Skills Uncover the Skills Gap Build an Actionable Plan

    This phase will walk you through the following activities:

    • 2.1 High-level assessment of your present data management maturity
    • 2.2 Interview business and data leaders to clarify current skills availability
    • 2.3 Use the Data & Analytics Assessment and Planning Tool to Identify your skills gaps

    This phase involves the following participants:

    • Data leads
    • Business leads and subject matter experts (SMEs)
    • Key business stakeholders

    Identify skills gaps across the organization

    Gaps are not just about assigning people to a role, but whether people have the right skill sets to carry out tasks.

    • Now that you have identified the essential skills and roles in the data workplace, move to Phase 2. This phase will help you understand the required level of competency, assess where the organization stands today, and identify gaps to close.
    • Using the Data & Analytics Assessment and Planning Tool, start with areas that are given the highest priority through a high-level maturity assessment. From there, three levels of gaps will be found: whether people are assigned to a particular position, the right combination of D&A skill sets, and the right competency level for each skill.
    • Lack of talent assigned to a position

    • Lack of the right combination of D&A skill sets

    • Lack of appropriate competency level

    Info-Tech Insight

    Understanding your organization's data maturity level is a prerequisite to assessing the skill sets you have today and determining where you need to align in the future.

    2.1 High-level assessment of your present data management maturity

    Identifying and fixing skills gaps takes time, money, and effort. Focus on bridging the gap in high-priority areas.

    Input: Current state capabilities, Use cases (if applicable), Data culture diagnostic survey results (if applicable)
    Output: High-level maturity assessment, Prioritized list of data management focused area
    Materials: Data Management Assessment and Planning Tool (optional), Data & Analytics Assessment and Planning Tool
    Participants: Data leads, Business leads and subject matter experts (SMEs), Key business stakeholders

    Objectives:

    Prioritize these skills and roles based on your current maturity levels and what you intend to accomplish with your data strategy.

    Steps:

    1. (Optional Step) Refer to the Build a Robust and Comprehensive Data Strategy blueprint. You can assess your data maturity level using the following frameworks and methods:
      • Review current data strategy and craft use cases that represent high-value areas that must be addressed for their teams or functions.
      • Use the data culture assessment survey to determine your organization's data maturity level.
    2. (Optional Step) Refer to the Create a Data Management Roadmap blueprint and Data Management Assessment and Planning Tool to dive deep into understanding and assessing capabilities and maturity levels of your organization's data management enablers and understanding your priority areas and specific gaps.
    3. If you have completed Data Management Assessment and Planning Tool, fill out your maturity level scores for each of the data management practices within it - Tab 3 (Current-State Assessment). Skip Tab 4 (High-Level Maturity Assessment).
    4. If you have not yet completed Data Management Assessment and Planning Tool, skip Tab 3 and continue with Tab 4. Assign values 1 to 3 for each capability and enabler.
    5. You can examine your current-state data maturity from a high level in terms of low/mid/high maturity using either Tabs 3 or 4.
    6. Suggested focus areas along the data journey:
      • Low Maturity = Data Strategy, Data Governance, Data Architecture
      • Mid Maturity = Data Literacy, Information Management, BI and Reporting, Data Operations Management, Data Quality Management, Data Security/Risk Management
      • High Maturity = MDM, Data Integration, Data Product and Services, Advanced Analytics (ML & AI Management).

    Download the Data & Analytics Assessment and Planning Tool

    2.2 Interview business and data leaders to clarify current skills availability

    1-2 hours per interview

    Input: Sample questions targeting the activities, challenges, and opportunities of each unit
    Output: Identified skills availability
    Materials: Whiteboard/Flip charts, Data & Analytics Assessment and Planning Tool
    Participants: Data leads, Business leads and subject matter experts (SMEs), Key business stakeholders

    Instruction:

    1. Conduct a deep-dive interview with each key data initiative stakeholder (data owners, SMEs, and relevant IT/Business department leads) who can provide insights on the skill sets of their team members, soliciting feedback from business and data leaders about skills and observations of employees as they perform their daily tasks.
    2. Populate a current level of competency for each skill in the Data & Analytics Assessment and Planning Tool in Tabs 5 and 6. Having determined your data maturity level, start with the prioritized data management components (e.g. if your organization sits at low data maturity level, start with identifying relevant positions and skills under data governance, data architecture, and data architecture elements).
    3. More detailed instructions on how to utilize the workbook are at the next activity.

    Key interview questions that will help you :

    1. Do you have personnel assigned to the role? What are their primary activities? Do the personnel possess the soft and technical skills noted in the workbook? Are you satisfied with their performance? How would you evaluate their degree of competency on a scale of "vital, important, nice to have, or none"? The following aspects should be considered when making the evaluation:
      • Key Performance Indicators (KPIs): Business unit data will show where the organization is challenged and will help identify potential areas for development.
      • Project Management Office: Look at successful and failed projects for trends in team traits and competencies.
      • Performance Reviews: Look for common themes where employees excel or need to improve.
      • Focus Groups: Speak with a cross section of employees to understand their challenges.
    2. What technology is currently used? Are there requirements for new technology to be bought and/or optimized in the future? Will the workforce need to increase their skill level to carry out these activities with the new technology in place?

    Download the Data & Analytics Assessment and Planning Tool

    2.3 Use the Data & Analytics Assessment and Planning Tool to identify skills gaps

    1-3 hours — Not everyone needs the same skill levels.

    Input: Current skills competency, Stakeholder interview results and findings
    Output: Gap identification and analysis
    Materials: Data & Analytics Assessment and Planning Tool
    Participants: Data leads

    Instruction:

    1. Select your organization's data maturity level in terms of Low/Mid/High in cell A6 for both Tab 5 (Soft Skills Assessment) and Tab 6 (Technical Skills Assessment) to reduce irrelevant rows.
    2. Bring together key business stakeholders (data owners, SMEs, and relevant IT custodians) to determine whether the data role exists in the organization. If yes, assign a current-state value from “vital, important, nice to have, or none” for each skill in the assessment tool. Info-Tech has specified the desired/required target state of each skill set.
    3. Once you've assigned the current-state values, the tool will automatically determine whether there is a gap in skill set.

    Download the Data & Analytics Assessment and Planning Tool

    Identify and Build the Data & Analytics Skills Your Organization Needs

    Phase 3

    Build an Actionable Plan

    Define Key Roles and Skills Uncover the Skills Gap Build an Actionable Plan

    This phase will walk you through the following activities:

    • 3.1 Use the Data & Analytics Assessment and Planning Tool to build your actionable roadmap

    This phase involves the following participants:

    • Data leads
    • Business leads and subject matter experts (SMEs)
    • Key business stakeholders

    Determine next steps and decision points

    There are three types of internal skills development strategies

    • There are three types of internal skills development strategies organizations can use to ensure the right people with the right abilities are placed in the right roles: reskill, upskill, and new hire.
    1. Reskill

      Reskilling involves learning new skills for a different or newly defined position.
    2. Upskill

      Upskilling involves building a higher level of competency in skills to improve the worker's performance in their current role.
    3. New hire

      New hire involves hiring workers who have the essential skills to fill the open position.

    Info-Tech Insight

    One of the misconceptions that organizations have includes viewing skills development as a one-time effort. This leads to underinvestment in data team skills, risk of falling behind on technological changes, and failure to connect with business partners. Employees must learn to continuously adapt to the changing circumstances of D&A. While the program must be agile and dynamic to reflect technological improvements in the development of technical skills, the program should always be anchored in soft skills because data management is fundamentally about interaction, collaboration, and people.

    How to determine when to upskill, reskill, or hire to meet your skills needs

    Reskill

    Reskilling often indicates a change in someone's career path, so this decision requires a goal aligned with both individuals and the organization to establish a mutually beneficial situation.

    When making reskilling decisions, organizations should also consider the relevance of the skill for different positions. For example, data administrators and data architects have similar skill sets, so reskilling is appropriate for these employees.

    Upskill

    Upskilling tends to focus more on the soft skills necessary for more advanced positions. A data strategy lead, for example, might require design thinking training, which enables leaders to think from different perspectives.

    Skill growth feasibility must also be considered. Some technical skills, particularly those involving cutting-edge technologies, require continual learning to maintain operational excellence. For example, a data scientist may require AI/ML skills training to incorporate use of modern automation technology.

    New Hire

    For open positions and skills that are too resource-intensive to reskill or upskill, it makes sense to recruit new employees. Consider, however, time and cost feasibility of hiring. Some positions (e.g. senior data scientist) take longer to fill. To minimize risks, coordinate with your HR department and begin recruiting early.

    Data & Analytics skills training

    There are various learning methods that help employees develop priority competencies to achieve reskilling or upskilling.

    Specific training

    The data team can collaborate with the human resources department to plan and develop internal training sessions aimed at specific skill sets.

    This can also be accomplished through external training providers such as DCAM, which provides training courses on data management and analytics topics.

    Formal education program

    Colleges and universities can equip students with data analytics skills through formal education programs such as MBAs and undergraduate or graduate degrees in Data Science, Machine Learning, and other fields.

    Certification

    Investing time and effort to obtain certifications in the data & analytics field allows data workers to develop skills and gain recognition for continuous learning and self-improvement.

    AWS Data Analytics and Tableau Data Scientist Certification are two popular data analytics certifications.

    Online learning from general providers

    Some companies offer online courses in various subjects. Coursera and DataCamp are two examples of popular providers.

    Partner with a vendor

    The organization can partner with a vendor who brings skills and talents that are not yet available within the organization. Employees can benefit from the collaboration process by familiarizing themselves with the project and enhancing their own skills.

    Support from within your business

    The data team can engage with other departments that have previously done skills development programs, such as Finance and Change & Communications, who may have relevant resources to help you improve your business acumen and change management skills.

    Info-Tech Insight

    Seeking input and support across your business units can align stakeholders to focus on the right data analytics skills and build a data learning culture.

    Data & Analytics skills reinforcement

    Don't assume learners will immediately comprehend new knowledge. Use different methods and approaches to reinforce their development.

    Innovation Space

    • Skills development is not a one-time event, but a continuous process during which innovation should be encouraged. A key aspect of being innovative is having a “fail fast” mentality, which means collecting feedback, recognizing when something isn't working, encouraging experimentation, and taking a different approach with the goal of achieving operational excellence.
    • Human-centered design (HCD) also yields innovative outcomes with a people-first focus. When creating skills development programs for various target groups, organizations should integrate a human-centered approach.

    Commercial Lens

    • Exposing people to a commercial way of thinking can add long-term value by educating people to act in the business' best interest and raising awareness of what other business functions contribute. This includes concepts such as project management, return on investment (ROI), budget alignment, etc.

    Checklists/Rubrics

    • Employees should record what they learn so they can take the time to reflect. A checklist is an effective technique for establishing objectives, allowing measurement of skills development and progress.

    Buddy Program

    • A buddy program helps employees gain and reinforce knowledge and skills they have learned through mutual support and information exchange.

    Align HR programs to support skills integration and talent recruitment

    With a clear idea of skills needs and an executable strategy for training and reinforcing of concepts, HR programs and processes can help the data team foster a learning environment and establish a recruitment plan. The links below will direct you to blueprints produced by McLean & Company, a division of Info-Tech Research Group.

    Workforce Planning

    When integrating the skills of the future into workforce planning, determine the best approach for addressing the identified talent gaps – whether to build, buy, or borrow.

    Integrate the future skills identified into the organization's workforce plan.

    Talent Acquisition

    In cases where employee development is not feasible, the organization's talent acquisition strategy must focus more on buying or borrowing talent. This will impact the TA process. For example, sourcing and screening must be updated to reflect new approaches and skills.

    If you have a talent acquisition strategy, assess how to integrate the new roles/skills into recruiting.

    Competencies/Succession Planning

    Review current organizational core competencies to determine if they need to be modified. New skills will help inform critical roles and competencies required in succession talent pools.

    If no competency framework exists, use McLean & Company's Develop a Comprehensive Competency Framework blueprint.

    Compensation

    Evaluate modified and new roles against the organization's compensation structure. Adjust them as necessary. Look at market data to understand compensation for new roles and skills.

    Reassess your base pay structure according to market data for new roles and skills.

    Learning and Development

    L&D plays a huge role in closing the skills gap. Build L&D opportunities to support development of new skills in employees.

    Design an Impactful Employee Development Program to build the skills employees need in the future.

    3.1 Use the Data & Analytics Assessment and Planning Tool to build an actionable plan

    1-3 hours

    Input: Roles and skills required, Key decision points
    Output: Actionable plan
    Materials: Data & Analytics Assessment and Planning Tool
    Participants: Data leads, Business leads and subject matter experts (SMEs), Key business stakeholders

    Instruction:

    1. On Tab 7 (Next Steps & Decision Points), you will find a list of tasks that correspond to roles that where there is a skills gap.
    2. Customize this list of tasks initiatives according to your needs.
    3. The Gantt chart, which will be generated automatically after assigning start and finish dates for each activity, can be used to structure your plan and guarantee that all the main components of skills development are addressed.

    Sample of Tab 7 in the Data & Analytics Assessment and Planning Tool.

    Download the Data & Analytics Assessment and Planning Tool

    Related Info-Tech Research

    Sample of the Create a Data Management Roadmap blueprint.

    Create a Data Management Roadmap

    • This blueprint will help you design a data management practice that will allow your organization to use data as a strategic enabler.

    Stock image of a person looking at data dashboards on a tablet.

    Build a Robust and Comprehensive Data Strategy

    • Put a strategy in place to ensure data is available, accessible, well-integrated, secured, of acceptable quality, and suitably visualized to fuel organization-wide decision making. Start treating data as strategic and corporate asset.

    Sample of the Foster Data-Driven Culture With Data Literacy blueprint.

    Foster Data-Driven Culture With Data Literacy

    • By thoughtfully designing a data literacy training program appropriate to the audience's experience, maturity level, and learning style, organizations build a data-driven and engaged culture that helps them unlock their data's full potential and outperform other organizations.

    Research Authors and Contributors

    Authors:

    Name Position Company
    Ruyi Sun Research Specialist Info-Tech Research Group

    Contributors:

    Name Position Company
    Steve Wills Practice Lead Info-Tech Research Group
    Andrea Malick Advisory Director Info-Tech Research Group
    Annabel Lui Principal Advisory Director Info-Tech Research Group
    Sherwick Min Technical Counselor Info-Tech Research Group

    Bibliography

    2022 Workplace Learning Trends Report.” Udemy, 2022. Accessed 20 June 2023.

    Agrawal, Sapana, et al. “Beyond hiring: How companies are reskilling to address talent gaps.” McKinsey & Company, 12 Feb. 2020. Accessed 20 June 2023.

    Bika, Nikoletta. “Key hiring metrics: Useful benchmarks for tech roles.” Workable, 2019. Accessed 20 June 2023.

    Chroust, Tomas. “Chief Data Officer – Leaders of data-driven enterprises.” BearingPoint, 2020. Accessed 20 June 2023.

    “Data and AI Leadership Executive Survey 2022.” NewVantage Partners, Jan 2022. Accessed 20 June 2023.

    Dondi, Marco, et al. “Defining the skills citizens will need in the future world of work.” McKinsey & Company, June 2021. Accessed 20 June 2023.

    Futschek, Gerald. “Algorithmic Thinking: The Key for Understanding Computer Science.” Lecture Notes in Computer Science, vol. 4226, 2006.

    Howard, William, et al. “2022 HR Trends Report.” McLean & Company, 2022. Accessed 20 June 2023.

    “Future of Jobs Report 2023.” World Economic Forum, May 2023. Accessed 20 June 2023.

    Knight, Michelle. “What is Data Ethics?” Dataversity, 19 May 2021. Accessed 20 June 2023.

    Little, Jim, et al. “The CIO Imperative: Is your technology moving fast enough to realize your ambitions?” EY, 22 Apr. 2022. Accessed 20 June 2023.

    “MDM Roles and Responsibilities.” Profisee, April 2019. Accessed 20 June 2023.

    “Reskilling and Upskilling: A Strategic Response to Changing Skill Demands.” TalentGuard, Oct. 2019. Accessed 20 June 2023.

    Southekal, Prashanth. “The Five C's: Soft Skills That Every Data Analytics Professional Should Have.” Forbes, 17 Oct. 2022. Accessed 20 June 2023.

    Develop and Deploy Security Policies

    • Buy Link or Shortcode: {j2store}256|cart{/j2store}
    • member rating overall impact: 9.5/10 Overall Impact
    • member rating average dollars saved: $19,953 Average $ Saved
    • member rating average days saved: 19 Average Days Saved
    • Parent Category Name: Governance, Risk & Compliance
    • Parent Category Link: /governance-risk-compliance
    • Employees are not paying attention to policies. Awareness and understanding of what the security policy’s purpose is, how it benefits the organization, and the importance of compliance are overlooked when policies are distributed.
    • Informal, un-rationalized, ad hoc policies do not explicitly outline responsibilities, are rarely comprehensive, and are difficult to implement, revise, and maintain.
    • Data breaches are still on the rise and security policies are not shaping good employee behavior or security-conscious practices.
    • Adhering to security policies is rarely a priority to users as compliance often feels like an interference to daily workflow. For a lot of organizations, security policies are not having the desired effect.

    Our Advice

    Critical Insight

    • Creating good policies is only half the solution. Having a great policy management lifecycle will keep your policies current, effective, and compliant.
    • Policies must be reasonable, auditable, enforceable, and measurable. If the policy items don’t meet these requirements, users can’t be expected to adhere to them. Focus on developing policies to be quantified and qualified for them to be relevant.

    Impact and Result

    • Save time and money using the templates provided to create your own customized security policies mapped to the Info-Tech framework, which incorporates multiple industry best-practice frameworks (NIST, ISO, SOC2SEC, CIS, PCI, HIPAA).

    Develop and Deploy Security Policies Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Develop and Deploy Security Policies Deck – A step-by-step guide to help you build, implement, and assess your security policy program.

    Our systematic approach will ensure that all identified areas of security have an associated policy.

  • Develop the security policy program.
  • Develop and implement the policy suite.
  • Communicate the security policy program.
  • Measure the security policy program.
    • Develop and Deploy Security Policies – Phases 1-4

    2. Security Policy Prioritization Tool – A structured tool to help your organization prioritize your policy suite to ensure that you are addressing the most important policies first.

    The Security Policy Prioritization Tool assesses the policy suite on policy importance, ease to implement, and ease to enforce. The output of this tool is your prioritized list of policies based on our policy framework.

    • Security Policy Prioritization Tool

    3. Security Policy Assessment Tool – A structured tool to assess the effectiveness of policies within your organization and determine recommended actions for remediation.

    The Security Policy Assessment Tool assesses the policy suite on policy coverage, communication, adherence, alignment, and overlap. The output of this tool is a checklist of remediation actions for each individual policy.

    • Security Policy Assessment Tool

    4. Security Policy Lifecycle Template – A customizable lifecycle template to manage your security policy initiatives.

    The Lifecycle Template includes sections on security vision, security mission, strategic security and policy objectives, policy design, roles and responsibilities for developing security policies, and organizational responsibilities.

    • Security Policy Lifecycle Template

    5. Policy Suite Templates – A best-of-breed templates suite mapped to the Info-Tech framework you can customize to reflect your organizational requirements and acquire approval.

    Use Info-Tech's security policy templates, which incorporate multiple industry best-practice frameworks (NIST, ISO, SOC2SEC, CIS, PCI, HIPAA), to ensure that your policies are clear, concise, and consistent.

    • Acceptable Use of Technology Policy Template
    • Application Security Policy Template
    • Asset Management Policy Template
    • Backup and Recovery Policy Template
    • Cloud Security Policy Template
    • Compliance and Audit Management Policy Template
    • Data Security Policy Template
    • Endpoint Security Policy Template
    • Human Resource Security Policy Template
    • Identity and Access Management Policy Template
    • Information Security Policy Template
    • Network and Communications Security Policy Template
    • Physical and Environmental Security Policy Template
    • Security Awareness and Training Policy Template
    • Security Incident Management Policy Template
    • Security Risk Management Policy Template
    • Security Threat Detection Policy Template
    • System Configuration and Change Management Policy Template
    • Vulnerability Management Policy Template

    6. Policy Communication Plan Template – A template to help you plan your approach for publishing and communicating your policy updates across the entire organization.

    This template helps you consider the budget time for communications, identify all stakeholders, and avoid scheduling communications in competition with one another.

    • Policy Communication Plan Template

    7. Security Awareness and Training Program Development Tool – A tool to help you identify initiatives to develop your security awareness and training program.

    Use this tool to first identify the initiatives that can grow your program, then as a roadmap tool for tracking progress of completion for those initiatives.

    • Security Awareness and Training Program Development Tool

    Infographic

    Workshop: Develop and Deploy Security Policies

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Define the Security Policy Program

    The Purpose

    Define the security policy development program.

    Formalize a governing security policy lifecycle.

    Key Benefits Achieved

    Understanding the current state of policies within your organization.

    Prioritizing list of security policies for your organization.

    Being able to defend policies written based on business requirements and overarching security needs.

    Leveraging an executive champion to help policy adoption across the organization.

    Formalizing the roles, responsibilities, and overall mission of the program.

    Activities

    1.1 Understand the current state of policies.

    1.2 Align your security policies to the Info-Tech framework for compliance.

    1.3 Understand the relationship between policies and other documents.

    1.4 Prioritize the development of security policies.

    1.5 Discuss strategies to leverage stakeholder support.

    1.6 Plan to communicate with all stakeholders.

    1.7 Develop the security policy lifecycle.

    Outputs

    Security Policy Prioritization Tool

    Security Policy Prioritization Tool

    Security Policy Lifecycle Template

    2 Develop the Security Policy Suite

    The Purpose

    Develop a comprehensive suite of security policies that are relevant to the needs of the organization.

    Key Benefits Achieved

    Time, effort, and money saved by developing formally documented security policies with input from Info-Tech’s subject-matter experts.

    Activities

    2.1 Discuss the risks and drivers your organization faces that must be addressed by policies.

    2.2 Develop and customize security policies.

    2.3 Develop a plan to gather feedback from users.

    2.4 Discuss a plan to submit policies for approval.

    Outputs

    Understanding of the risks and drivers that will influence policy development.

    Up to 14 customized security policies (dependent on need and time).

    3 Implement Security Policy Program

    The Purpose

    Ensure policies and requirements are communicated with end users, along with steps to comply with the new security policies.

    Improve compliance and accountability with security policies.

    Plan for regular review and maintenance of the security policy program.

    Key Benefits Achieved

    Streamlined communication of the policies to users.

    Improved end user compliance with policy guidelines and be better prepared for audits.

    Incorporate security policies into daily schedule, eliminating disturbances to productivity and efficiency.

    Activities

    3.1 Plan the communication strategy of new policies.

    3.2 Discuss myPolicies to automate management and implementation.

    3.3 Incorporate policies and processes into your security awareness and training program.

    3.4 Assess the effectiveness of security policies.

    3.5 Understand the need for regular review and update.

    Outputs

    Policy Communication Plan Template

    Understanding of how myPolicies can help policy management and implementation.

    Security Awareness and Training Program Development Tool

    Security Policy Assessment Tool

    Action plan to regularly review and update the policies.

    Further reading

    Develop and Deploy Security Policies

    Enhance your overall security posture with a defensible and prescriptive policy suite.

    Analyst Perspective

    A policy lifecycle can be the secret sauce to managing your policies.

    A policy for policy’s sake is useless if it isn’t being used to ensure proper processes are followed. A policy should exist for more than just checking a requirement box. Policies need to be quantified, qualified, and enforced for them to be relevant.

    Policies should be developed based on the use cases that enable the business to run securely and smoothly. Ensure they are aligned with the corporate culture. Rather than introducing hindrances to daily operations, policies should reflect security practices that support business goals and protection.

    No published framework is going to be a perfect fit for any organization, so take the time to compare business operations and culture with security requirements to determine which ones apply to keep your organization secure.

    Photo of Danny Hammond, Research Analyst, Security, Risk, Privacy & Compliance Practice, Info-Tech Research Group. Danny Hammond
    Research Analyst
    Security, Risk, Privacy & Compliance Practice
    Info-Tech Research Group

    Executive Summary

    Your Challenge
    • Security breaches are damaging and costly. Trying to prevent and respond to them without robust, enforceable policies makes a difficult situation even harder to handle.
    • Informal, un-rationalized, ad hoc policies are ineffective because they do not explicitly outline responsibilities and compliance requirements, and they are rarely comprehensive.
    • Without a strong lifecycle to keep policies up to date and easy to use, end users will ignore or work around poorly understood policies.
    • Time and money is wasted dealing with preventable security issues that should be pre-emptively addressed in a comprehensive corporate security policy program.
    Common Obstacles

    InfoSec leaders will struggle to craft the right set of policies without knowing what the organization actually needs, such as:

    • The security policies needed to safeguard infrastructure and resources.
    • The scope the security policies will cover within the organization.
    • The current compliance and regulatory obligations based on location and industry.
    InfoSec leaders must understand the business environment and end-user needs before they can select security policies that fit.
    Info-Tech’s Approach

    Info-Tech’s Develop and Deploy Security Policies takes a multi-faceted approach to the problem that incorporates foundational technical elements, compliance considerations, and supporting processes:

    • Assess what security policies currently exist within the organization and consider additional secure policies.
    • Develop a policy lifecycle that will define the needs, develop required documentation, and implement, communicate, and measure your policy program.
    • Draft a set of security policies mapped to the Info-Tech framework, which incorporates multiple industry best-practice frameworks (NIST, ISO, SOC2SEC, CIS, PCI, HIPAA).

    Info-Tech Insight

    Creating good policies is only half the solution. Having a great policy management lifecycle will keep your policies current, effective, and compliant.

    Your Challenge

    This research is designed to help organizations design a program to develop and deploy security policies

    • A security policy is a formal document that outlines the required behavior and security controls in place to protect corporate assets.
    • The development of policy documents is an ambitious task, but the real challenge comes with communication and enforcement.
    • A good security policy allows employees to know what is required of them and allows management to monitor and audit security practices against a standard policy.
    • Unless the policies are effectively communicated, enforced, and updated, employees won’t know what’s required of them and will not comply with essential standards, making the policies powerless.
    • Without a good policy lifecycle in place, it can be challenging to illustrate the key steps and decisions involved in creating and managing a policy.

    The problem with security policies

    29% Of IT workers say it's just too hard and time consuming to track and enforce.

    25% Of IT workers say they don’t enforce security policies universally.

    20% Of workers don’t follow company security policies all the time.

    (Source: Security Magazine, 2020)

    Common obstacles

    The problem with security policies isn’t development; rather, it’s the communication, enforcement, and maintenance of them.

    • Employees are not paying attention to policies. Awareness and understanding of what the security policy’s purpose is, how it benefits the organization, and the importance of compliance are overlooked when policies are distributed.
    • Informal, un-rationalized, ad hoc policies do not explicitly outline responsibilities, are rarely comprehensive, and are difficult to implement, revise, and maintain.
    • Date breaches are still on the rise and security policies are not shaping good employee behavior or security-conscious practices.
    • Adhering to security policies is rarely a priority to users as compliance often feels like an interference to daily workflow. For a lot of organizations, security policies are not having the desired effect.
    Bar chart of the 'Average cost of a data breach' in years '2019-20', '20-21', and '21-22'.
    (Source: IBM, 2022 Cost of a Data Breach; n=537)

    Reaching an all-time high, the cost of a data breach averaged US$4.35 million in 2022. This figure represents a 2.6% increase from last year, when the average cost of a breach was US$4.24 million. The average cost has climbed 12.7% since 2020.

    Info-Tech’s approach

    The right policy for the right audience. Generate a roadmap to guide the order of policy development based on organizational policy requirements and the target audience.

    Actions

    1. Develop policy lifecycle
    2. Identify compliance requirements
    3. Understand which policies need to be developed, maintained, or decommissioned
    I. Define Security Policy Program

    a) Security policy program lifecycle template

    b) Policy prioritization tool
    Clockwise cycle arrows at the centre of the table. II. Develop & Implement Policy Suite

    a) Policy template set

    Policies must be reasonable, auditable, enforceable, and measurable. Policy items that meet these requirements will have a higher level of adherence. Focus on efficiently creating policies using pre-developed templates that are mapped to multiple compliance frameworks.

    Actions

    1. Differentiate between policies, procedures, standards, and guidelines
    2. Draft policies from templates
    3. Review policies, including completeness
    4. Approve policies
    Gaining feedback on policy compliance is important for updates and adaptation, where necessary, as well as monitoring policy alignment to business objectives.

    Actions

    1. Enforce policies
    2. Measure policy effectiveness
    IV. Measure Policy Program

    a) Security policy tracking tool

    III. Communicate Policy Program

    a) Security policy awareness & training tool

    b) Policy communication plan template
    Awareness and training on security policies should be targeted and must be relevant to the employees’ jobs. Employees will be more attentive and willing to incorporate what they learn if they feel that awareness and training material was specifically designed to help them.

    Actions

    1. Identify any changes in the regulatory and compliance environment
    2. Include policy awareness in awareness and training programs
    3. Disseminate policies
    Build trust in your policy program by involving stakeholder participation through the entire policy lifecycle.

    Blueprint benefits

    IT/InfoSec Benefits

    • Reduces complexity within the policy creation process by using a single framework to align multiple compliance regimes.
    • Introduces a roadmap to clearly educate employees on the do’s and don’ts of IT usage within the organization.
    • Reduces costs and efforts related to managing IT security and other IT-related threats.

    Business Benefits

    • Identifies and develops security policies that are essential to your organization’s objectives.
    • Integrates security into corporate culture while maximizing compliance and effectiveness of security policies.
    • Reduces security policy compliance risk.

    Key deliverable:

    Security Policy Templates

    Templates for policies that can be used to map policy statements to multiple compliance frameworks.

    Sample of Security Policy Templates.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Security Policy Prioritization Tool

    The Info-Tech Security Policy Prioritization Tool will help you determine which security policies to work on first.
    Sample of the Security Policy Prioritization Tool.
    Sample of the Security Policy Assessment Tool.

    Security Policy Assessment Tool

    Info-Tech's Security Policy Assessment Tool helps ensure that your policies provide adequate coverage for your organization's security requirements.

    Measure the value of this blueprint

    Phase

    Purpose

    Measured Value

    Define Security Policy Program Understand the value in formal security policies and determine which policies to prepare to update, eliminate, or add to your current suite. Time, value, and resources saved with guidance and templates:
    1 FTE*3 days*$80,000/year = $1,152
    Time, value, and resources saved using our recommendations and tools:
    1 FTE*2 days*$80,000/year = $768
    Develop and Implement the Policy Suite Select from an extensive policy template offering and customize the policies you need to optimize or add to your own policy program. Time, value, and resources saved using our templates:
    1 consultant*15 days*$150/hour = $21,600 (if starting from scratch)
    Communicate Security Policy Program Use Info-Tech’s methodology and best practices to ensure proper communication, training, and awareness. Time, value, and resources saved using our training and awareness resources:
    1 FTE*1.5 days*$80,000/year = $408
    Measure Security Policy Program Use Info-Tech’s custom toolkits for continuous tracking and review of your policy suite. Time, value, and resources saved by using our enforcement recommendations:
    2 FTEs*5 days*$160,000/year combined = $3,840
    Time, value, and resources saved by using our recommendations rather than an external consultant:
    1 consultant*5 days*$150/hour = $7,200

    After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.

    Overall Impact

    9.5 /10

    Overall Average $ Saved

    $29,015

    Overall Average Days Saved

    25

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    A Guided Implementation (GI) is series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is six to ten calls over the course of two to four months.

    What does a typical GI on this topic look like?

    Phase 1

    Phase 2

    Phase 3

    Phase 4

    Call #1: Scope security policy requirements, objectives, and any specific challenges.

    Call #2: Review policy lifecycle; prioritize policy development.

    Call #3: Customize the policy templates.

    Call #4: Gather feedback on policies and get approval.

    Call #5: Communicate the security policy program.

    Call #6: Develop policy training and awareness programs.

    Call #7: Track policies and exceptions.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889
    Day 1 Day 2 Day 3 Day 4 Day 5
    Define the security policy program
    Develop the security policy suite
    Develop the security policy suite
    Implement security policy program
    Finalize deliverables and next steps
    Activities

    1.1 Understand the current state of policies.

    1.2 Align your security policies to the Info-Tech framework for compliance.

    1.3 Understand the relationship between policies and other documents.

    1.4 Prioritize the development of security policies.

    1.5 Discuss strategies to leverage stakeholder support.

    1.6 Plan to communicate with all stakeholders.

    1.7 Develop the security policy lifecycle.

    2.1 Discuss the risks and drivers your organization faces that must be addressed by policies.

    2.2 Develop and customize security policies.

    2.1 Discuss the risks and drivers your organization faces that must be addressed by policies (continued).

    2.2 Develop and customize security policies (continued).

    2.3 Develop a plan to gather feedback from users.

    2.4 Discuss a plan to submit policies for approval.

    3.1 Plan the communication strategy for new policies.

    3.2 Discuss myPolicies to automate management and implementation.

    3.3 Incorporate policies into your security awareness and training program.

    3.4 Assess the effectiveness of policies.

    3.5 Understand the need for regular review and update.

    4.1 Review customized lifecycle and policy templates.

    4.2 Discuss the plan for policy roll out.

    4.3 Schedule follow-up Guided Implementation calls.

    Deliverables
    1. Security Policy Prioritization Tool
    2. Security Policy Lifecycle
    1. Security Policies (approx. 9)
    1. Security Policies (approx. 9)
    1. Policy Communication Plan
    2. Security Awareness and Training Program Development Tool
    3. Security Policy Assessment Tool
    1. All deliverables finalized

    Develop and Deploy Security Policies

    Phase 1

    Define the Security Policy Program

    Phase 1

    1.1 Understand the current state

    1.2 Align your security policies to the Info-Tech framework

    1.3 Document your policy hierarchy

    1.4 Prioritize development of security policies

    1.5 Leverage stakeholders

    1.6 Develop the policy lifecycle

    Phase 2

    2.1 Customize policy templates

    2.2 Gather feedback from users on policy feasibility

    2.3 Submit policies to upper management for approval

    Phase 3

    3.1 Understand the need for communicating policies

    3.2 Use myPolicies to automate the management of your security policies

    3.3 Design, build, and implement your communications plan

    3.4 Incorporate policies and processes into your training and awareness programs

    Phase 4

    4.1 Assess the state of security policies

    4.2 Identify triggers for regular policy review and update

    4.3 Develop an action plan to update policies

    This phase will walk you through the following activities:

    • Understand the current state of your organization’s security policies.
    • Align your security policies to the Info-Tech framework for compliance.
    • Prioritize the development of your security policies.
    • Leverage key stakeholders to champion the policy initiative.
    • Inform all relevant stakeholders of the upcoming policy program.
    • Develop the security policy lifecycle.

    1.1 Understand the current state of policies

    Scenario 1: You have existing policies

    1. Use the Security Policy Prioritization Tool to identify any gaps between the policies you already have and those recommended based on your changing business needs.
    2. As your organization undergoes changes, be sure to incorporate new requirements in the existing policies.
    3. Sometimes, you may have more specific procedures for a domain’s individual security aspects instead of high-level policies.
    4. Group current policies into the domains and use the policy templates to create overarching policies where there are none and improve upon existing high-level policies.

    Scenario 2: You are starting from scratch

    1. To get started on new policies, use the Security Policy Prioritization Tool to identify the policies Info-Tech recommends based on your business needs. See the full list of templates in the Appendix to ensure that all relevant topics are addressed.
    2. Whether you’re starting from scratch or have incomplete/ad hoc policies, use Info-Tech’s policy templates to formalize and standardize security requirements for end users.
    Info-Tech Insight

    Policies are living, evolving documents that require regular review and update, so even if you have policies already written, you’re not done with them.

    1.2 Align your security policies to the Info-Tech framework for compliance

    You have an opportunity to improve your employee alignment and satisfaction, improve organizational agility, and obtain high policy adherence. This is achieved by translating your corporate culture into a policy-based compliance culture.

    Align your security policies to the Info-Tech Security Framework by using Info-Tech’s policy templates.

    Info-Tech’s security framework uses a best-of-breed approach to leverage and align with most major security standards, including:
    • ISO 27001/27002
    • COBIT
    • Center for Internet Security (CIS) Critical Controls
    • NIST Cybersecurity Framework
    • NIST SP 800-53
    • NIST SP 800-171

    Info-Tech Security Framework

    Info-Tech Security Framework with policies grouped into categories which are then grouped into 'Governance' and 'Management'.

    1.3 Document your policy hierarchy

    Structuring policy components at different levels allows for efficient changes and direct communication depending on what information is needed.

    Policy hierarchy pyramid with 'Security Policy Lifecycle' on top, then 'Security Policies', then 'IT and/or Supporting Documentation'.

    Defines the cycle for the security policy program and what must be done but not how to do it. Aligns the business, security program, and policies.
    Addresses the “what,” “who,” “when,” and “where.”

    Defines high-level overarching concepts of security within the organization, including the scope, purpose, and objectives of policies.
    Addresses the high-level “what” and “why.”
    Changes when business objectives change.

    Defines enterprise/technology – specific, detailed guidelines on how to adhere to policies.
    Addresses the “how.”
    Changes when technology and processes change.

    Info-Tech Insight

    Design separate policies for different areas of focus. Policies that are written as single, monolithic documents are resistant to change. A hierarchical top-level document supported by subordinate policies and/or procedures can be more rapidly revised as circumstances change.

    1.3.1 Understand the relationship between policies and other documents

    Policy:
    • Provides emphasis and sets direction.
    • Standards, guidelines, and procedures must be developed to support an overarching policy.
    Arrows stemming from the above list, connecting to the three lists below.

    Standard:

    • Specifies uniform method of support for policy.
    • Compliance is mandatory.
    • Includes process, frameworks, methodologies, and technology.
    Two-way horizontal arrow.

    Procedure:

    • Step-by-step instructions to perform desired actions.
    Two-way horizontal arrow.

    Guideline:

    Recommended actions to consider in absence of an applicable standard, to support a policy.
    This model is adapted from a framework developed by CISA (Certified Information Systems Auditor).

    Supporting Documentation

    Considerations for standards

    Standards. These support policies by being much more specific and outlining key steps or processes that are necessary to meet certain requirements within a policy document. Ideally standards should be based on policy statements with a target of detailing the requirements that show how the organization will implement developed policies.

    If policies describe what needs to happen, then standards explain how it will happen.

    A good example is an email policy that states that emails must be encrypted; this policy can be supported by a standard such as Transport Layer Security (TLS) encryption that specifically ensures that all email communication is encrypted for messages “in transit” from one secure email server that has TLS enabled to another.

    There are numerous security standards available that support security policies/programs based on the kind of systems and controls that an organization would like to put in place. A good selection of supporting standards can go a long way to further protect users, data, and other organizational assets
    Key Policies Example Associated Standards
    Access Control Policy
    • Password Management User Standard
    • Account Auditing Standard
    Data Security Policy
    • Cryptography Standard
    • Data Classification Standard
    • Data Handling Standard
    • Data Retention Standard
    Incident Response Policy
    • Incident Response Plan
    Network Security Policy
    • Wireless Connectivity Standard
    • Firewall Configuration Standard
    • Network Monitoring Standard
    Vendor Management Policy
    • Vendor Risk Management Standard
    • Third-Party Access Control Standard
    Application Security Policy
    • Application Security Standard

    1.4 Prioritize development of security policies

    The Info-Tech Security Policy Prioritization Tool will help you determine which security policies to work on first.
    • The tool allows you to prioritize your policies based on:
      • Importance: How relevant is this policy to organizational security?
      • Ease to implement: What is the effort, time, and resources required to write, review, approve, and distribute the policy?
      • Ease to enforce: How much effort, time, and resources are required to enforce the policy?
    • Additionally, the weighting or priority of each variable of prioritization can be adjusted.

    Align policies to recent security concerns. If your organization has recently experienced a breach, it may be crucial to highlight corresponding policies as immediately necessary.

    Info-Tech Insight

    If you have an existing policy that aligns with one of the Info-Tech recommended templates weight Ease to Implement and Ease to Enforce as HIGH (4-5). This will decrease the priority of these policies.

    Sample of the Security Policy Prioritization Tool.

    Download the Security Policy Prioritization Tool

    1.5 Leverage stakeholders to champion policies

    Info-Tech Insight

    While management support is essential to initiating a strong security posture, allow employees to provide input on the development of security policies. This cooperation will lead to easier incorporation of the policies into the daily routines of workers, with less resistance. The security team will be less of a police force and more of a partner.

    Executive champion

    Identify an executive champion who will ensure that the security program and the security policies are supported.

    Focus on risk and protection

    Security can be viewed as an interference, but the business is likely more responsive to the concepts of risk and protection because it can apply to overall business operations and a revenue-generating mandate.

    Communicate policy initiatives

    Inform stakeholders of the policy initiative as security policies are only effective if they support the business requirements and user input is crucial for developing a strong security culture.

    Current security landscape

    Leveraging the current security landscape can be a useful mechanism to drive policy buy-in from stakeholders.

    Management buy-in

    This is key to policy acceptance; it indicates that policies are accurate, align with the business, and are to be upheld, that funds will be made available, and that all employees will be equally accountable.

    Define a Sourcing Strategy for Your Development Team

    • Buy Link or Shortcode: {j2store}161|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Development
    • Parent Category Link: /development
    • Hiring quality development team resources is becoming increasingly difficult and costly in most domestic markets.
    • Firms are seeking to do more with less and increase their development team throughput.
    • Globalization and increased competition are driving a need for more innovation in your applications.
    • Firms want more cost certainty and tighter control of their development investment.

    Our Advice

    Critical Insight

    • Choosing the right sourcing strategy is not just a question of technical skills! Successful sourcing is based on matching your organization’s culture, knowledge, and experiences to the right choice of internal or external partnership.

    Impact and Result

    • We will help you build a sourcing strategy document for your application portfolio.
    • We will examine your portfolio and organization from three different perspectives to enable you to determine the right approach:
      • From a business perspective, reliance on the business, strategic value of the product, and maturity of product ownership are critical.
      • From an organizational perspective, you must examine your culture for communication processes, conflict resolution methods, vendor management skills, and geographic coverage.
      • From a technical perspective, consider integration complexity, environmental complexity, and testing processes.

    Define a Sourcing Strategy for Your Development Team Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Define a Sourcing Strategy for Your Development Team Storyboard – A guide to help you choose the right resourcing strategy to keep pace with your rapidly changing application and development needs.

    This project will help you define a sourcing strategy for your application development team by assessing key factors about your products and your organization, including critical business, technical, and organizational factors. Use this analysis to select the optimal sourcing strategy for each situation.

    • Define a Sourcing Strategy for Your Development Team Storyboard

    2. Define a Sourcing Strategy Workbook – A tool to capture the results of activities to build your sourcing strategy.

    This workbook is designed to capture the results of the activities in the storyboard. Each worksheet corresponds with an activity from the deck. The workbook is also a living artifact that should be updated periodically as the needs of your team and organization change.

    • Define a Sourcing Strategy Workbook
    [infographic]

    Further reading

    Define a Sourcing Strategy for Your Development Team

    Choose the right resourcing strategy to keep pace with your rapidly changing application and development needs.

    Analyst Perspective

    Choosing the right sourcing strategy for your development team is about assessing your technical situation, your business needs, your organizational culture, and your ability to manage partners!

    Photo of Dr. Suneel Ghei, Principal Research Director, Application Development, Info-Tech Research Group

    Firms today are under continuous pressure to innovate and deliver new features to market faster while at the same time controlling costs. This has increased the need for higher throughput in their development teams along with a broadening of skills and knowledge. In the face of these challenges, there is a new focus on how firms source their development function. Should they continue to hire internally, offshore, or outsource? How do they decide which strategy is the right fit?

    Info-Tech’s research shows that the sourcing strategy considerations have evolved beyond technical skills and costs. Identifying the right strategy has become a function of the characteristics of the organization, its culture, its reliance on the business for knowledge, its strategic value of the application, its vendor management skills, and its ability to internalize external knowledge. By assessing these factors firms can identify the best sourcing mix for their development portfolios.

    Dr. Suneel Ghei
    Principal Research Director, Application Development
    Info-Tech Research Group

    Executive Summary

    Your Challenge
    • Hiring quality development team resources is becoming increasingly difficult and costly in most domestic markets.
    • Firms are seeking to do more with less and increase their development team throughput.
    • Globalization and increased competition is driving a need for more innovation in your applications.
    • Firms want more cost certainty and tighter control of their development investment.
    Common Obstacles
    • Development leaders are encouraged to manage contract terms and SLAs rather than build long-term relationships.
    • People believe that outsourcing means you will permanently lose the knowledge around solutions.
    • Moving work outside of the current team creates motivational and retention challenges that can be difficult to overcome.
    Info-Tech’s Approach
    • Looking at this from these three perspectives will enable you to determine the right approach:
      1. From a business perspective, reliance on the business, strategic value of the product, and maturity of product ownership are critical.
      2. From an organizational perspective, you must examine your culture for communication processes, conflict resolution methods, vendor management skills, and geographic coverage
      3. From a technical perspective, consider integration complexity, environment complexity, and testing processes.

    Info-Tech Insight

    Choosing the right sourcing strategy is not just a question of technical skills! Successful sourcing is based on matching your organization’s culture, knowledge, and experiences to the right choice of internal or external partnership.

    Define a sourcing strategy for your development team

    Business
    • Business knowledge/ expertise required
    • Product owner maturity
    Technical
    • Complexity and maturity of technical environment
    • Required level of integration
    Organizational
    • Company culture
    • Desired geographic proximity
    • Required vendor management skills
    1. Assess your current delivery posture for challenges and impediments.
    2. Decide whether to build or buy a solution.
    3. Select your desired sourcing strategy based on your current state and needs.
    Example sourcing strategy with initiatives like 'Client-Facing Apps' and 'ERP Software' assigned to 'Onshore Dev', 'Outsource Team', 'Offshore Dev', 'Outsource App (Buy)', 'Outsource Dev', or 'Outsource Roles'.

    Three Perspectives +

    Three Steps =

    Your Sourcing Strategy

    Diverse sourcing is used by many firms

    Many firms across all industries are making use of different sourcing strategies to drive innovation and solve business issues.

    According to a report by ReportLinker the global IT services outsourcing market reached US$413.8 billion in 2021.

    In a recent study of Canadian software firms, it was found that almost all firms take advantage of outside knowledge in their application development process. In most cases these firms also use outside resources to do development work, and about half the time they use externally built software packages in their products (Ghei, 2020)!

    Info-Tech Insight

    In today’s diverse global markets, firms that wish to stay competitive must have a defined ability to take advantage of external knowledge and to optimize their IT services spend.

    Modeling Absorptive Capacity for Open Innovation in the Canadian Software Industry (Source: Ghei, 2020; n=54.)

    56% of software development firms are sourcing applications instead of resources.

    68% of firms are sourcing external resources to develop software products.

    91% of firms are leveraging knowledge from external sources.

    Internal sourcing models

    Insourcing comes in three distinct flavors

    Geospatial map giving example locations for the three internal sourcing models. In this example, 'Head Office' is located in North America, 'Onshore' is 'Located in the same area or even office as your core business resources. Relative Cost: $$$', 'Near Shore' is 'Typically, within 1-3 time zones for ease of collaboration where more favorable resource costs exist. Relative Cost: $$', and 'Offshore' is 'Located in remote markets where significant labor cost savings can be realized. Relative Cost: $'.

    Info-Tech Insight

    Insourcing allows you to stay close to more strategic applications. But choosing the right model requires a strong look inside your organization and your ability to provide business knowledge support to developers who may have different skills and cultures and are in different geographies.

    Outsourcing models

    External sourcing can be done to different degrees

    Outsource Roles
    • Enables resource augmentation
    • Typically based on skills needs
    • Short-term outsourcing with eventual integration or dissolution
    Outsource Teams (or Projects)
    • Use of a full team or multiple teams of vendor resources
    • Meant to be temporary, with knowledge transfer at the end of the project
    Outsource Products
    • Use of a vendor to build, maintain, and support the full product
    • Requires a high degree of contract management skill

    Info-Tech Insight

    Outsourcing represents one of the most popular ways for organizations to source external knowledge and skills. The choice of model is a function of the organization’s ability to support the external resources and to absorb the knowledge back into the organization.

    Defining your sourcing strategy

    Follow the steps below to identify the best match for your organization

    Review Your Current Situation

    Review the issues and opportunities related to application development and categorize them based on the key factors.

    Arrow pointing right. Assess Build Versus Buy

    Before choosing a sourcing model you must assess whether a particular product or function should be bought as a package or developed.

    Arrow pointing right. Choose the Right Sourcing Strategy

    Based on the research, use the modeling tool to match the situation to the appropriate sourcing solution.

    Step 1.1

    Review Your Current Situation

    Activities
    • 1.1.1 Identify and categorize your challenges

    This step involves the following participants:

    • Product management team
    • Software development leadership team
    • Key stakeholders
    Outcomes of this step

    Review your current delivery posture for challenges and impediments.

    Define a Sourcing Strategy for Your Development Team
    Step 1.1 Step 1.2 Step 1.3

    Review your situation

    There are three key areas to examine in your current situation:

    Business Challenges
    • Do you need to gain new knowledge to drive innovation?
    • Does your business need to enhance its software to improve its ability to compete in the market?
    • Do you need to increase your speed of innovation?

    Technology Challenges

    • Are you being asked to take tighter control of your development budgets?
    • Does your team need to expand their skills and knowledge?
    • Do you need to increase your development speed and capacity?

    Market Challenges

    • Is your competition seen as more innovative?
    • Do you need new features to attract new clients?
    • Are you struggling to find highly skilled and knowledgeable development resources?
    Stock image of multi-colored arrows travelling in a line together before diverging.

    Info-Tech Insight

    Sourcing is a key tool to solve business and technical challenges and enhance market competitiveness when coupled with a robust definition of objectives and a way to measure success.

    1.1.1 Identify and categorize your challenges

    60 minutes

    Output: List of the key challenges in your software lifecycle. Breakdown of the list into categories to identify opportunities for sourcing

    Participants: Product management team, Software development leadership team, Key stakeholders

    1. What challenge is your firm is facing with respect to your software that you think sourcing can address? (20 minutes)
    2. Is the challenge related to a business outcome, development methodology, or technology challenge? (10 minutes)
    3. Is the challenge due to a skills gap, budget or resource challenge, throughput issue, or a broader organizational knowledge or process issue? (10 minutes)
    4. What is the specific objective for the team/leader in addressing this challenge? (15 minutes)
    5. How will you measure progress and achievement of this objective? (5 minutes)

    Document results in the Define a Sourcing Strategy Workbook

    Identify and categorize your challenges

    Sample table for identifying and categorizing challenges, with column groups 'Challenge' and 'Success Measures' containing headers 'Issue, 'Category', 'Breadth', and 'Stakeholder' in the former, and 'Objective' and 'Measurement' in the latter.

    Step 1.2

    Assess Build Versus Buy

    Activities
    • 1.2.1 Understand the benefits and drawbacks of build versus buy in your organizational context

    This step involves the following participants:

    • Product management team
    • Software development leadership team
    • Key stakeholders

    Outcomes of this step

    Understand in your context the benefits and drawbacks of build versus buy, leveraging Info-Tech’s recommended definitions as a starting point.

    Define a Sourcing Strategy for Your Development Team

    Step 1.1 Step 1.2 Step 1.3

    Look vertically across the IT hierarchy to assess the impact of your decision at every level

    IT Hierarchy with 'Enterprise' at the top, branching out to 'Portfolio', then to 'Solution' at the bottom. The top is 'Strategic', the bottom 'Operational'.

    Regardless of the industry, a common and challenging dilemma facing technology teams is to determine when they should build software or systems in-house versus when they should rely wholly on an outside vendor for delivering on their technology needs.

    The answer is not as cut and dried as one would expect. Any build versus buy decision may have an impact on strategic and operational plans. It touches every part of the organization, starting with individual projects and rolling up to the enterprise strategy.

    Info-Tech Insight

    Do not ignore the impact of a build or buy decision on the various management levels in an IT organization.

    Deciding whether to build or buy

    It is as much about what you gain as it is about what problem you choose to have

    BUILD BUY

    Multi-Source Best of Breed

    Integrate various technologies that provide subset(s) of the features needed for supporting the business functions.

    Vendor Add-Ons & Integrations

    Enhance an existing vendor’s offerings by using their system add-ons either as upgrades, new add-ons, or integrations.
    Pros
    • Flexibility in choice of tools
    • In some cases, cost may be lower
    • Easier to enhance with in-house teams
    Cons
    • Introduces tool sprawl
    • Requires resources to understand tools and how they integrate
    • Some of the tools necessary may not be compatible with one another
    Pros
    • Reduces tool sprawl
    • Supports consistent tool stack
    • Vendor support can make enhancement easier
    • Total cost of ownership may be lower
    Cons
    • Vendor lock-in
    • The processes to enhance may require tweaking to fit tool capability

    Multi-Source Custom

    Integrate systems built in-house with technologies developed by external organizations.

    Single Source

    Buy an application/system from one vendor only.
    Pros
    • Flexibility in choice of tools
    • In some cases, cost may be lower
    • Easier to enhance with in-house teams
    Cons
    • May introduce tool sprawl
    • Requires resources to have strong technical skills
    • Some of the tools necessary may not be compatible with one another
    Pros
    • Reduces tool sprawl
    • Supports consistent tool stack
    • Vendor support can make enhancement easier
    • Total cost of ownership may be lower
    Cons
    • Vendor lock-in
    • The processes to enhance may require tweaking to fit tool capability

    1.2.1 Understand the benefits and drawbacks of build versus buy in your organizational context

    30 minutes

    Output: A common understanding of the different approaches to build versus buy applied to your organizational context

    Participants: Product management team, Software development leadership team, Key stakeholders

    1. Look at the previous slide, Deciding whether to build or buy.
    2. Discuss the pros and cons listed for each approach.
      1. Do they apply in your context? Why or why not?
      2. Are there some approaches not applicable in terms of how you wish to work?
    3. Record the curated list of pros and cons for the different build/buy approaches.
    4. For each approach, arrange the pros and cons in order of importance.

    Document results in the Define a Sourcing Strategy Workbook

    Step 1.3

    Choose the Right Sourcing Strategy

    Activities
    • 1.3.1 Determine the right sourcing strategy for your needs

    This step involves the following participants:

    • Product management team
    • Software development leadership team
    • Key stakeholders

    Outcomes of this step

    Choose your desired sourcing strategy based on your current state and needs.

    Define a Sourcing Strategy for Your Development Team

    Step 1.1 Step 1.2 Step 1.3

    Choose the right sourcing strategy

    • Based on our research, finding the right sourcing strategy for a particular situation is a function of three key areas:
      • Business drivers
      • Organizational drivers
      • Technical drivers
    • Each area has key characteristics that must be assessed to confirm which strategy is best suited for the situation.
    • Once you have assessed the factors and ranked them from low to high, we can then match your results with the best-fit strategy.
    Business
    • Business knowledge/ expertise required
    • Product owner maturity

    Technical

    • Complexity and maturity of technical environment
    • Required level of integration

    Organizational

    • Your culture
    • Desired geographic proximity
    • Required vendor management skills

    Business drivers

    To choose the right sourcing strategy, you need to assess your key drivers of delivery

    Product Knowledge
    • The level of business involvement required to support the development team is a critical factor in determining the sourcing model.
    • Both the breadth and depth of involvement are critical factors.
    Strategic Value
    • The strategic value of the application to the company is also a critical component.
    • The more strategic the application is to the company, the closer the sourcing should be maintained.
    • Value can be assessed based on the revenue derived from the application and the depth of use of the application by the organization.
    Product Ownership Maturity
    • To support sourcing models that move further from organizational boundaries a strong product ownership function is required.
    • Product owners should ideally be fully allocated to the role and engaged with the development teams.
    • Product owners should be empowered to make decisions related to the product, its vision, and its roadmap.
    • The higher their allocation and empowerment, the higher the chances of success in external sourcing engagements.
    Stock image of a person running up a line with a positive trend.

    Case Study: The GoodLabs Studio Experience Logo for GoodLabs Studio.

    INDUSTRY: Software Development | SOURCE: Interview with Thomas Lo, Co-Founder, GoodLabs Studio
    Built to Outsource Development Teams
    • GoodLabs is an advanced software innovation studio that provides bespoke team extensions or turnkey digital product development with high-caliber software engineers.
    • Unlike other consulting firms, GoodLabs works very closely with its customers as a unified team to deliver the most significant impact on clients’ projects.
    • With this approach, it optimizes the delivery of strong software engineering skills with integrated product ownership from the client, enabling long-term and continued success for its clients.
    Results
    • GoodLabs is able to attract top engineering talent by focusing on a variety of complex projects that materially benefit from technical solutions, such as cybersecurity, fraud detection, and AI syndrome surveillance.
    • Taking a partnership approach with the clients has led to the successful delivery of many highly innovative and challenging projects for the customers.

    Organizational drivers

    To choose the right sourcing strategy for a particular problem you need to assess the organization’s key capabilities

    Stock photo of someone placing blocks with illustrated professionals one on top of the other. Vendor Management
    • Vendor management is a critical skill for effective external sourcing.
    • This can be assessed based on the organization’s ability to cultivate and grow long-term relationships of mutual value.
    • The longevity and growth of existing vendor relationships can be a good benchmark for future success.
    Absorptive Capacity
    • To effectively make use of external sourcing models, the organization must have a well-developed track record of absorbing outside knowledge.
    • This can be assessed by looking at past cases where external knowledge was sourced and internalized, such as past vendor development engagements or use of open-source code.
    Organizational Culture
    • Another factor in success of vendor engagements and long-term relationships is the matching of organizational cultures.
    • It is key to measure the organization’s current position on items like communication strategy, geographical dispersal, conflict resolution strategy, and hierarchical vs flat management.
    • These factors should be documented and matched with partners to determine the best fit.

    Case Study: WCIRB California Logo for WCIRB California.

    INDUSTRY: Workers Compensation Insurance | SOURCE: Interview with Roger Cottman, Senior VP and CIO, WCIRB California
    Trying to Find the Right Match
    • WCIRB is finding it difficult to hire local resources in California.
    • Its application is a niche product. Since no off-the-shelf alternatives exist, the organization will require a custom application.
    • WCIRB is in the early stages of a digital platform project and is looking to bring in a partner to provide a full development team, with the goal of ideally bringing the application back in-house once it is built.
    • The organization is looking for a local player that will be able to integrate well with the business.
    • It has engaged with two mid-sized players but both have been slow to respond, so it is now considering alternative approaches.
    Info-Tech’s Recommended Approach
    • WCIRB is finding that mid-sized players don’t fit its needs and is now looking for a larger player
    • Based on our research we have advised that WCIRB should ensure the partner is geographically close to its location and can be a strategic partner, not simply work on an individual project.

    Technical drivers

    To choose the right sourcing strategy for a particular problem you need to assess your technical situation and capabilities

    Environment Complexity
    • The complexity of your technical environment is a hurdle that must be overcome for external sourcing models.
    • The number of environments used in the development lifecycle and the location of environments (physical, virtual, on-premises, or cloud) are key indicators.
    Integration Requirements
    • The complexity of integration is another key technical driver.
    • The number of integrations required for the application is a good measuring stick. Will it require fewer than 5, 5-10, or more than 10?
    Testing Capabilities
    • Testing of the application is a key technical driver of success for external models.
    • Having well-defined test cases, processes, and shared execution with the business are all steps that help drive success of external sourcing models.
    • Test automation can also help facilitate success of external models.
    • Measure the percentage of test cases that are standardized, the level of business involvement, and the percentage of test cases that are automated.
    Stock image of pixelated light.

    Case Study: Management Control Systems (MC Systems) Logo for MC Systems.

    INDUSTRY: Technology Services | SOURCE: Interview with Kathryn Chin See, Business Development and Research Analyst, MC Systems
    Seeking to Outsource Innovation
    • MC Systems is seeking to outsource its innovation function to get budget certainty on innovation and reduce costs. It is looking for a player that has knowledge of the application areas it is looking to enhance and that would augment its own business knowledge.
    • In previous outsourcing experiences with skills augmentation and application development the organization had issues related to the business depth and product ownership it could provide. The collaborations did not lead to success as MC Systems lacked product ownership and the ability to reintegrate the outside knowledge.
    • The organization is concerned about testing of a vendor-built application and how the application will be supported.
    Info-Tech’s Recommended Approach
    • To date MC Systems has had success with its outsourcing approach when outsourcing specific work items.
    • It is now looking to expand to outsourcing an entire application.
    • Info-Tech’s recommendation is to seek partners who can take on development of the application.
    • MC Systems will still need resources to bring knowledge back in-house for testing and to provide operational support.

    Choosing the right model


    Legend for the table below using circles with quarters to represent Low (0 quarters) to High (4 quarters).
    Determinant Key Questions to Ask Onshore Nearshore Offshore Outsource Role(s) Outsource Team Outsource Product(s)
    Business Dependence How much do you rely on business resources during the development cycle? Circle with 4 quarters. Circle with 3 quarters. Circle with 1 quarter. Circle with 2 quarters. Circle with 1 quarter. Circle with 0 quarters.
    Absorptive Capacity How successful has the organization been at bringing outside knowledge back into the firm? Circle with 0 quarters. Circle with 1 quarter. Circle with 1 quarter. Circle with 2 quarters. Circle with 1 quarter. Circle with 4 quarters.
    Integration Complexity How many integrations are required for the product to function – fewer than 5, 5-10, or more than 10? Circle with 4 quarters. Circle with 3 quarters. Circle with 3 quarters. Circle with 2 quarters. Circle with 1 quarter. Circle with 0 quarters.
    Product Ownership Do you have full-time product owners in place for the products? Do product owners have control of their roadmaps? Circle with 1 quarter. Circle with 2 quarters. Circle with 3 quarters. Circle with 2 quarters. Circle with 4 quarters. Circle with 4 quarters.
    Organization Culture Fit What are your organization’s communication and conflict resolution strategies? Is your organization geographically dispersed? Circle with 1 quarter. Circle with 1 quarter. Circle with 3 quarters. Circle with 1 quarter. Circle with 3 quarters. Circle with 4 quarters.
    Vendor Mgmt Skills What is your skill level in vendor management? How long are your longest-standing vendor relationships? Circle with 0 quarters. Circle with 1 quarter. Circle with 1 quarter. Circle with 2 quarters. Circle with 3 quarters. Circle with 4 quarters.

    1.3.1 Determine the right sourcing strategy for your needs

    60 minutes

    Output: A scored matrix of the key drivers of the sourcing strategy

    Participants: Development leaders, Product management team, Key stakeholders

    Choose one of your products or product families and assess the factors below on a scale of None, Low, Medium, High, and Full.

    • 3.1 Assess the business factors that drive selection using these key criteria (20 minutes):
      • 3.1.1 Product knowledge
      • 3.1.2 Strategic value
      • 3.1.3 Product ownership
    • 3.2 Assess the organizational factors that drive selection using these key criteria (20 minutes):
      • 3.2.1 Vendor management
      • 3.2.2 Absorptive capacity
      • 3.2.3 Organization culture
    • 3.3 Assess the technical factors that drive selection using these key criteria (20 minutes):
      • 3.3.1 Environments
      • 3.3.2 Integration
      • 3.3.3 Testing

    Document results in the Define a Sourcing Strategy Workbook

    Things to Consider When Implementing

    Once you have built your strategy there are some additional things to consider

    Things to Consider Before Acting on Your Strategy

    By now you understand what goes into an effective sourcing strategy. Before implementing one, there are a few key items you need to consider:

    Example 'Sourcing Strategy for Your Portfolio' with initiatives like 'Client-Facing Apps' and 'ERP Software' assigned to 'Onshore Dev', 'Outsource Team', 'Offshore Dev', 'Outsource App (Buy)', 'Outsource Dev', or 'Outsource Roles'. Start with a pilot
    • Changing sourcing needs to start with one team.
    • Grow as skills develop to limit risk.
    Build an IT workforce plan Enhance your vendor management skills Involve the business early and often
    • The business should feel they are part of the discussion.
    • See our Agile/DevOps Research Center for more information on how the business and IT can better work together.
    Limit sourcing complexity
    • Having too many different partners and models creates confusion and will strain your ability to manage vendors effectively.

    Bibliography

    Apfel, Isabella, et al. “IT Project Member Turnover and Outsourcing Relationship Success: An Inverted-U Effect.” Developments, Opportunities and Challenges of Digitization, 2020. Web.

    Benamati, John, and Rajkumar, T.M. “The Application Development Outsourcing Decision: An Application of the Technology Acceptance Model.” Journal of Computer Information Systems, vol. 42, no. 4, 2008, pp. 35-43. Web.

    Benamati, John, and Rajkumar, T.M. “An Outsourcing Acceptance Model: An Application of TAM to Application Development Outsourcing Decisions.” Information Resources Management Journal, vol. 21, no. 2, pp. 80-102, 2008. Web.

    Broekhuizen, T. L. J., et al. “Digital Platform Openness: Drivers, Dimensions and Outcomes.” Journal of Business Research, vol. 122, July 2019, pp. 902-914. Web.

    Brook, Jacques W., and Albert Plugge. “Strategic Sourcing of R&D: The Determinants of Success.” Business Information Processing, vol. 55, Aug. 2010, pp. 26-42. Web.

    Delen, G. P A.J., et al. “Foundations for Measuring IT-Outsourcing Success and Failure.” Journal of Systems and Software, vol. 156, Oct. 2019, pp. 113-125. Web.

    Elnakeep, Eman, et al. “Models and Frameworks for IS Outsourcing Structure and Dimensions: A Holistic Study.” Lecture notes in Networks and Systems, 2019. Web.

    Ghei, Suneel. Modeling Absorptive Capacity for Open Innovation in the Software Industry. 2020. Faculty of Graduate Studies, Athabasca University, 2020. DBA Dissertation.

    “IT Outsourcing Market Research Report by Service Model, Organization Sizes, Deployment, Industry, Region – Global Forecast to 2027 – Cumulative Impact of COVID-19.” ReportLinker, April 2022. Web.

    Jeong, Jongkil Jay, et al. “Enhancing the Application and Measurement of Relationship Quality in Future IT Outsourcing Studies.” 26th European Conference on Information Systems: Beyond Digitization – Facets of Socio-Tehcnical Change: Proceedings of ECIS 2018, Portsmouth, UK, June 23-28, 2018. Edited by Peter Bednar, et al., 2018. Web.

    Könning, Michael. “Conceptualizing the Effect of Cultural Distance on IT Outsourcing Success.” Proceedings of Australasian Conference on Information Systems 2018, Sydney, Australia, Dec. 3-5, 2018. Edited by Matthew Noble, UTS ePress, 2018. Web.

    Lee, Jae-Nam, et al. “Holistic Archetypes of IT Outsourcing Strategy: A Contingency Fit and Configurational Approach.” MIS Quarterly, vol. 43, no. 4, Dec. 2019, pp. 1201-1225. Web.

    Loukis, Euripidis, et al. “Determinants of Software-as-a-Service Benefits and Impact on Firm Performance.” Decision Support Systems, vol. 117, Feb. 2019, pp. 38-47. Web.

    Martensson, Anders. “Patterns in Application Development Sourcing in the Financial Industry.” Proceedings of the 13th European Conference of Information Systems, 2004. Web.

    Martínez-Sánchez, Angel, et al. “The Relationship Between R&D, the Absorptive Capacity of Knowledge, Human Resource Flexibility and Innovation: Mediator Effects on Industrial Firms.” Journal of Business Research, vol. 118, Sept. 2020, pp. 431-440. Web.

    Moreno, Valter, et al. “Outsourcing of IT and Absorptive Capacity: A Multiple Case Study in the Brazilian Insurance Sector.” Brazilian Business Review, vol. 17, no. 1, Jan.-Feb. 2020, pp. 97-113. Web.

    Ozturk, Ebru. “The Impact of R&D Sourcing Strategies on Basic and Developmental R&D in Emerging Economies.” European Journal of Innovation Management, vol. 21, no. 7, May 2018, pp. 522-542. Web.

    Ribas, Imma, et al. “Multi-Step Process for Selecting Strategic Sourcing Options When Designing Supply Chains.” Journal of Industrial Engineering and Management, vol. 14, no. 3, 2021, pp. 477-495. Web.

    Striteska, Michaela Kotkova, and Viktor Prokop. “Dynamic Innovation Strategy Model in Practice of Innovation Leaders and Followers in CEE Countries – A Prerequisite for Building Innovative Ecosystems.” Sustainability, vol. 12, no. 9, May 2020. Web.

    Thakur-Wernz, Pooja, et al. “Antecedents and Relative Performance of Sourcing Choices for New Product Development Projects.” Technovation, 2020. Web.

    Build a Value Measurement Framework

    • Buy Link or Shortcode: {j2store}182|cart{/j2store}
    • member rating overall impact: 9.2/10 Overall Impact
    • member rating average dollars saved: $82,374 Average $ Saved
    • member rating average days saved: 35 Average Days Saved
    • Parent Category Name: Architecture & Strategy
    • Parent Category Link: /architecture-and-strategy
    • Rapid changes in today’s market require rapid, value-based decisions, and organizations that lack a shared definition of value fail to maintain their competitive advantage.
    • Different parts of an organization have different value drivers that must be given balanced consideration.
    • Focusing solely on revenue ignores the full extent of value creation in your organization and does not necessarily result in the right outcomes.

    Our Advice

    Critical Insight

    • Business is the authority on business value. While IT can identify some sources of value, business stakeholders must participate in the creation of a definition that is meaningful to the whole organization.
    • It’s about more than profit. Organizations must have a definition that encompasses all of the sources of value or they risk making short-term decisions with long-term negative impacts.
    • Technology creates business value. Treating IT as a cost center makes for short-sighted decisions in a world where every business process is enabled by technology.

    Impact and Result

    • Standardize your definition of business value. Work with your business partners to define the different sources of business value that are created through technology-enabled products and services.
    • Weigh your value drivers. Ensure that business and IT understand the relative weight and priority of the different sources of business value you have identified.
    • Use a balanced scorecard to understand value. Use the different value drivers to understand and prioritize different products, applications, projects, initiatives, and enhancements.

    Build a Value Measurement Framework Research & Tools

    Start here – read the Executive Brief

    Read this Executive Brief to understand why building a consistent and aligned framework to measure the value of your products and services is vital for setting priorities and getting the business on board.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Define your value drivers

    This phase will help you define and weigh value drivers based on overarching organizational priorities and goals.

    • Build a Value Measurement Framework – Phase 1: Define Your Value Drivers
    • Value Calculator

    2. Measure value

    This phase will help you analyze the value sources of your products and services and their alignment to value drivers to produce a value score that you can use for prioritization.

    • Build a Value Measurement Framework – Phase 2: Measure Value
    [infographic]

    Further reading

    Build a Value Measurement Framework

    Focus product delivery on business value–driven outcomes.

    ANALYST PERSPECTIVE

    "A meaningful measurable definition of value is the key to effectively managing the intake, prioritization, and delivery of technology-enabled products and services."

    Cole Cioran,

    Senior Director, Research – Application Development and Portfolio Management

    Info-Tech Research Group

    Our understanding of the problem

    This Research Is Designed For:

    • CIOs who need to understand the value IT creates
    • Application leaders who need to make good decisions on what work to prioritize and deliver
    • Application and project portfolio managers who need to ensure the portfolio creates business value
    • Product owners who are accountable for delivering value

    This Research Will Help You:

    • Define quality in your organization’s context from both business and IT perspectives.
    • Define a repeatable process to understand the value of a product, application, project, initiative, or enhancement.
    • Define value sources and metrics.
    • Create a tool to make it easier to balance different sources of value.

    This Research Will Also Assist:

    • Product and application delivery teams who want to make better decisions about what they deliver
    • Business analysts who need to make better decisions about how to prioritize their requirements

    This Research Will Help Them:

    • Create a meaningful relationship with business partners around what creates value for the organization.
    • Enable better understanding of your customers and their needs.

    Executive summary

    Situation

    • Measuring the business value provided by IT is critical for improving the relationship between business and IT.
    • Rapid changes in today’s market require rapid, value-based decisions.
    • Every organization has unique drivers that make it difficult to see the benefits based on time and impact approaches to prioritization.

    Complication

    • An organization’s lack of a shared definition of value leads to politics and decision making that does not have a firm, quantitative basis.
    • Different parts of an organization have different value drivers that must be given balanced consideration.
    • Focusing solely on revenue does not necessarily result in the right outcomes.

    Resolution

    • Standardize your definition of business value. Work with your business partners to define the different sources of business value that are created through technology-enabled products and services.
    • Weigh your value drivers. Ensure business and IT understand the relative weight and priority of the different sources of business value you have identified.
    • Use a balanced scorecard to understand value. Use the different value drivers to understand and prioritize different products, applications, projects, initiatives, and enhancements.

    Info-Tech Insight

    1. Business is the authority on business value. While IT can identify some sources of value, business stakeholders must participate in the creation of a definition that is meaningful to the whole organization.
    2. It’s about more than profit. Organizations must have a definition that encompasses all of the sources of value, or they risk making short-term decisions with long-term negative impacts.
    3. Technology creates business value. Treating IT as a cost center makes for short-sighted decisions in a world where every business process is enabled by technology.

    Software is not currently creating the right outcomes

    Software products are taking more and more out of IT budgets.

    38% of spend on IT employees goes to software roles.

    Source: Info-Tech’s Staffing Survey

    18% of opex is spent on software licenses.

    Source: SoftwareReviews.com

    33% of capex is spent on new software.

    However, the reception and value of software products do not justify the money invested.

    Only 34% of software is rated as both important and effective by users.

    Source: Info-Tech’s CIO Business Vision

    IT benchmarks do not help or matter to the business. Focus on the metrics that represent business outcomes.

    A pie chart is shown as an example to show how benchmarks do not help the business.

    IT departments have a tendency to measure only their own role-based activities and deliverables, which only prove useful for selling practice improvement services. Technology doesn’t exist for technology's sake. It’s in place to generate specific outcomes. IT and the business need to be aligned toward a common goal of enabling business outcomes, and that’s the important measurement.

    "In today’s connected world, IT and business must not speak different languages. "

    – Cognizant, 2017

    CxOs stress the importance of value as the most critical area for IT to improve reporting

    A bar graph is shown to demonstrate the CxOs importance of value. Business value metrics are 32% of significant improvement necessary, and 51% where some improvement is necessary.

    N=469 CxOs from Info-Tech’s CEO/CIO Alignment Diagnostic

    Key stakeholders want to know how you and your products or services help them realize their goals.

    While the basics of value are clear, few take the time to reach a common definition and means to measure and apply value

    Often, IT misses the opportunity to become a strategic partner because it doesn’t understand how to communicate and measure its value to the business.

    "Price is what you pay. Value is what you get."

    – Warren Buffett

    Being able to understand the value context will allow IT to articulate where IT spend supports business value and how it enables business goal achievement.

    Value is...

    Derived from business context

  • What is our business context?
  • Enabled through governance and strategy

  • Who sees the strategy through?
  • The underlying context for decision making

  • How is value applied to support decisions?
  • A measure of achievement

  • How do I measure?
  • Determine your business context by assessing the goals and defining the unique value drivers in your organization

    Competent organizations know that value cannot always be represented by revenue or reduced expenses. However, it is not always apparent how to envision the full spectrum of sources of value. Dissecting value by the benefit type and the value source’s orientation allows you to see the many ways in which a product or service brings value to the organization.

    A business value matrix is shown. It shows the relationship between reading customers, increase revenue, reduce costs, and enhance services.

    Financial Benefits vs. Improved Capabilities

    Financial Benefits refers to the degree to which the value source can be measured through monetary metrics and is often quite tangible. Human Benefits refers to how a product or service can deliver value through a user’s experience.

    Inward vs. Outward Orientation

    Inward refers to value sources that have an internal impact and improve your organization’s effectiveness and efficiency in performing its operations.Outward refers to value sources that come from your interaction with external factors, such as the market or your customers.

    Increase Revenue

    Reduce Costs

    Enhance Services

    Reach Customers

    Product or service functions that are specifically related to the impact on your organization’s ability to generate revenue.

    Reduction of overhead. They typically are less related to broad strategic vision or goals and more simply limit expenses that would occur had the product or service not been put in place.

    Functions that enable business capabilities that improve the organization’s ability to perform its internal operations.

    Application functions that enable and improve the interaction with customers or produce market information and insights.

    See your strategy through by involving both IT and the business

    Buy-in for your IT strategy comes from the ability to showcase value. IT needs to ensure it has an aligned understanding of what is valuable to the organization.

    Business value needs to first be established by the business. After that, IT can build a partnership with the business to determine what that value means in the context of IT products and services.

    The Business

    What the Business and IT have in common

    IT

    Keepers of the organization’s mission, vision, and value statements that define IT success. The business maintains the overall ownership and evaluation of the products along with those most familiar with the capabilities or processes enabled by technology.

    Business Value of Products and Services

    Technical subject matter experts of the products and services they deliver and maintain. Each IT function works together to ensure quality products and services are delivered up to stakeholder expectations.

    Measure your product or services with Info-Tech’s Value Measurement Framework (VMF) and value scores

    The VMF provides a consistent and less subjective approach to generating a value score for an application, product, service, or individual feature, by using business-defined value drivers and product-specific value metrics.

    Info-Tech's Value Measurement Framework is shown.

    A consistent set of established value drivers, sources, and metrics gives more accurate comparisons of relative value

    Value Drivers

    Value Sources

    Value Fulfillment Metrics

    Broad categories of values, weighed and prioritized based on overarching goals

    Instances of created value expressed as a “business outcome” of a particular function

    Units of measurement and estimated targets linked to a value source

    Reach Customers

    Customer Satisfaction

    Net Promoter Score

    Customer Loyalty

    # of Repeat Visits

    Create Revenue Streams

    Data Monetization

    Dollars Derived From Data Sales

    Leads Generation

    Leads Conversation Rate

    Operational Efficiency

    Operational Efficiency

    Number of Interactions

    Workflow Management

    Cycle Time

    Adhere to regulations & compliance

    Number of Policy Exceptions

    A balanced and weighted scorecard allows you to measure the various ways products generate value to the business

    The Info-Tech approach to measuring value applies the balanced value scorecard approach.

    Importance of value source

    X

    Impact of value source

    = Value Score

    Which is based on…

    Which is based on…

    Alignment to value driver

    Realistic targets for the KPI

    Which is weighed by…

    Which is estimated by…

    A 1-5 scale of the relative importance of the value driver to the organization

    A 1-5 scale of the application or feature’s ability to fulfill that value source

    +

    Importance of Value Source

    X

    Impact of Value Source

    +

    Importance of Value Source

    +

    Impact of Value Source

    +

    Importance of Value Source

    +

    Impact of Value Source

    +

    Importance of Value Source

    +

    Impact of Value Source

    =

    Balanced Business Value Score

    Value Score1 + VS2 + … + VSN = Overall Balance Value Score

    Value scores help support decisions. This blueprint looks specifically at four use cases for value scores.

    A value score is an input to the following activities:

    1. Prioritize Your Product Backlog
    2. Estimate the relative value of different product backlog items (i.e. epics, features, etc.) to ensure the highest value items are completed first.

      This blueprint can be used as an input into Info-Tech’s Build a Better Backlog.

    3. Prioritize Your Project Backlog
    4. Estimate the relative value of proposed new applications or major changes or enhancements to existing applications to ensure the right projects are selected and completed first.

      This blueprint can be used as an input into Info-Tech’s Optimize Project Intake, Approval, and Prioritization.

    5. Rationalize Your Applications
    6. Gauge the relative value from the current use of your applications to support strategic decision making such as retirement, consolidation, and further investments.

      This blueprint can be used as an input into Info-Tech’s Visualize Your Application Portfolio Strategy With a Business Value-Driven Roadmap.

    7. Categorize Application Tiers
    8. Gauge the relative value of your existing applications to distinguish your most to least important systems and build tailored support structures that limit the downtime of key value sources.

      This blueprint can be used as an input into Info-Tech’s Streamline Application Maintenance.

    The priorities, metrics, and a common understanding of value in your VMF carry over to many other Info-Tech blueprints

    Transition to Product Delivery

    Build a Product Roadmap

    Modernize Your SDLC

    Build a Strong Foundation for Quality

    Implement Agile Practices That Work

    Use Info-Tech’s Value Calculator

    The Value Calculator facilitates the activities surrounding defining and measuring the business value of your products and services.

    Use this tool to:

    • Weigh the importance of each Value Driver based on established organizational priorities.
    • Create a repository for Value Sources to provide consistency throughout each measurement.
    • Produce an Overall Balanced Value Score for a specific item.

    Info-Tech Deliverable

    A screenshot of Info-Tech's Value Calculator is shown.

    Populate the Value Calculator as you complete the activities and steps on the following slides.

    Limitations of the Value Measurement Framework

    "All models are wrong, but some are useful."

    – George E.P. Box, 1979

    Value is tricky: Value can be intangible, ambiguous, and cause all sorts of confusion, with the multiple, and often conflicting, priorities any organization is sure to have. You won’t likely come to a unified understanding of value or an agreement on whether one thing is more valuable than something else. However, this doesn’t mean you shouldn’t try. The VMF provides a means to organize various priorities in a meaningful way and to assess the relative value of a product or service to guide managers and decision makers on the right track and keep alignment with the rest of the organization.

    Relative value vs. ROI: This assessment produces a score to determine the value of a product or service relative to other products or services. Its primary function is to prioritize similar items (projects, epics, requirements, etc.) as opposed to producing a monetary value that can directly justify cost and make the case for a positive ROI.

    Apply caution with metrics: We live in a metric-crazed era, where everything is believed to be measurable. While there is little debate over recent advances in data, analytics, and our ability to trace business activity, some goals are still quite intangible, and managers stumble trying to link these goals to a quantifiable data source.

    In applying the VMF Info-Tech urges you to remember that metrics are not a magical solution. They should be treated as a tool in your toolbox and are sometimes no more than a rough gauge of performance. Carefully assign metrics to your products and services and do not disregard the informed subjective perspective when SMART metrics are unavailable.

    "One of the deadly diseases of management is running a company on visible figures alone."

    – William Edwards Deming, 1982

    Info-Tech’s Build a Value Measurement Framework glossary of terms

    This blueprint discusses value in a variety of ways. Use our glossary of terms to understand our specific focus.

    Value Measurement Framework (VMF)

    A method of measuring relative value for a product or service, or the various components within a product or service, through the use of metrics and weighted organizational priorities.

    Value Driver

    A board organizational goal that acts as a category for many value sources.

    Value Source

    A specific business goal or outcome that business and product or service capabilities are designed to fulfill.

    Value Fulfillment

    The degree to which a product or service impacts a business outcome, ideally linked to a metric.

    Value Score

    A measurement of the value fulfillment factored by the weight of the corresponding value driver.

    Overall Balanced Value Score

    The combined value scores of all value sources linked to a product or service.

    Relative Value

    A comparison of value between two similar items (i.e. applications to applications, projects to projects, feature to feature).

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Build a Value Measurement Framework – project overview

    1. Define Your Value Drivers

    2. Measure Value

    Best-Practice Toolkit

    1.1 Identify your business value authorities.

    2.1 Define your value drivers.

    2.2 Weigh your value drivers.

    • Identify your product or service SMEs.
    • List your products or services items and components.
    • Identify your value sources.
    • Align to a value driver.
    • Assign metrics and gauge value fulfillment.

    Guided Implementations

    Identify the stakeholders who should be the authority on business value.

    Identify, define, and weigh the value drivers that will be used in your VMF and all proceeding value measurements.

    Identify the stakeholders who are the subject matter experts for your products or services.

    Measure the value of your products and services with value sources, fulfillment, and drivers.

    Outcome:

    • Value drivers and weights

    Outcome:

    • An initial list of reusable value sources and metrics
    • Value scores for your products or services

    Phase 1

    Define Your Value Drivers

    First determine your value drivers and add them to your VMF

    One of the main aspects of the VMF is to apply consistent and business-aligned weights to the products or services you will evaluate.

    This is why we establish your value drivers first:

    • Get the right executive-level “value authorities” to establish the overarching weights.
    • Build these into the backbone of the VMF to consistently apply to all your future measurements.
    An image of the Value Measure Framework is shown.

    Step 1.1: Identify Value Authorities

    Phase 1

    1.1: Identify Value Authorities

    1.2: Define Value Drivers

    Phase 2

    2.1: Identify Product or Service SMEs

    2.2: Measure Value

    This step will walk you through the following activities:

    • Identify your authorities on business value.

    This step involves the following participants:

    • Owners of your value measurement framework

    Outcomes of this step

    • Your list of targeted individuals to include in Step 2.1

    Business value is best defined and measured by the combined effort and perspective of both IT and the business

    Buy-in for your IT strategy comes from the ability to showcase value. IT needs to ensure it has an aligned understanding of what is valuable to the organization. First, priorities need to be established by the business. Second, IT can build a partnership with the business to determine what that value means in the context of IT products and services.

    The Business

    What the Business and IT have in common

    IT

    Keepers of the organization’s mission, vision, and value statements that define IT success. The business maintains the overall ownership and evaluation of the products along with those most familiar with the capabilities or processes enabled by technology.

    Business Value of Products and Services

    Technical subject matter experts of the products and services they deliver and maintain. Each IT function works together to ensure quality products and services are delivered up to stakeholder expectations.

    Engage key stakeholders to reach a consensus on organizational priorities and value drivers

    Engage these key players to create your value drivers:

    CEO: Who better holds the vision or mandate of the organization than its leader? Ideally, they are front and center for this discussion.

    CIO: IT must ensure that technical/practical considerations are taken into account when determining value.

    CFO: The CFO or designated representative will ensure that estimated costs and benefits can be used to manage the budgets.

    VPs: Application delivery and mgmt. is designed to generate value for the business. Senior management from business units must help define what that value is.

    Evaluators (PMO, PO, APM, etc.): Those primarily responsible for applying the VMF should be present and active in identifying and carefully defining your organization’s value drivers.

    Steering Committee: This established body, responsible for the strategic direction of the organization, is really the primary audience.

    Identify your authorities of business value to identify, define, and weigh value drivers

    1.1 Estimated Time: 15 minutes

    The objective of this exercise is to identify key business stakeholders involved in strategic decision making at an organizational level.

    1. Review your organization’s governance structure and any related materials.
    2. Identify your key business stakeholders. These individuals are the critical business strategic partners.
      1. Target those who represent the business at an organizational level and often comprise the organization’s governing bodies.
      2. Prioritize a product backlog – include product owners and product managers who are in tune with the specific value drivers of the product in question.

    INFO-TECH TIP

    If your organization does not have a formal governance structure, your stakeholders would be the key players in devising business strategy. For example:

    • CEO
    • CFO
    • BRMs
    • VPs

    Leverage your organizational chart, governing charter, and senior management knowledge to better identify key stakeholders.

    INPUT

    • Key decision maker roles

    OUTPUT

    • Targeted individuals to define and weigh value drivers

    Materials

    • N/A

    Participants

    • Owner of the value measurement framework

    Step 1.2: Define Value Drivers

    Phase 1

    1.1: Identify Value Authorities

    1.2: Define Value Drivers

    Phase 2

    2.1: Identify Product or Service SMEs

    2.2: Measure Value

    This step will walk you through the following activities:

    • Define your value drivers.
    • Weigh your value drivers.

    This step involves the following participants:

    • Owners of your value measurement framework
    • Authorities of business value

    Outcomes of this step

    • A list of your defined and weighted value drivers

    Value is based on business needs and vision

    Value is subjective. It is defined through the organization’s past achievement and its future objectives.

    Purpose & Mission

    Past Achievement & Current State

    Vision & Future State

    Culture & Leadership

    There must be a consensus view of what is valuable within the organization, and these values need to be shared across the enterprise. Instead of maintaining siloed views and fighting for priorities, all departments must have the same value and purpose in mind. These factors – purpose and mission, past achievement and current state, vision and future state, and culture and leadership – impact what is valuable to the organization.

    Value derives from the mission and vision of an organization; therefore, value is unique to each organization

    Business value represents what the business needs to do to achieve its target state. Establishing the mission and vision helps identify that target state.

    Mission

    Vision

    Business Value

    Why does the company exist?

    • Specify the company’s purpose, or reason for being, and use it to guide each day’s activities and decisions.

    What does the organization see itself becoming?

    • Identify the desired future state of the organization. The vision articulates the role the organization strives to play and the way it wants to be perceived by the customer.
    • State the ends, rather than the means, to get to the future state.

    What critical factors fulfill the mission and vision?

    • Articulate the important capabilities the business should have in order to achieve its objectives. All business activities must enable business value.
    • Communicate the means to achieve the mission and vision.

    Understand the many types of value your products or services produce

    Competent organizations know that value cannot always be represented by revenue or reduced expenses. However, it is not always apparent how to envision the full spectrum of value sources. Dissecting value by the benefit type and the value source’s orientation allows you to see the many ways in which a product or service brings value to the organization.

    A business value matrix is shown. It shows the relationship between reading customers, increase revenue, reduce costs, and enhance services.

    Financial Benefits vs. Improved Capabilities

    Financial Benefits refers to the degree to which the value source can be measured through monetary metrics and is often quite tangible. Human Benefits refers to how a product or service can deliver value through a user’s experience.

    Inward vs. Outward Orientation

    Inward refers to value sources that have an internal impact and improve your organization’s effectiveness and efficiency in performing its operations. Outward refers to value sources that come from your interaction with external factors, such as the market or your customers.

    Increase Revenue

    Reduce Costs

    Enhance Services

    Reach Customers

    Product or service functions that are specifically related to the impact on your organization’s ability to generate revenue.

    Reduction of overhead. They typically are less related to broad strategic vision or goals and more simply limit expenses that would occur had the product or service not been put in place.

    Functions that enable business capabilities that improve the organization’s ability to perform its internal operations.

    Application functions that enable and improve the interaction with customers or produce market information and insights.

    Expand past Info-Tech’s high-level value quadrants and identify the value drivers specific to your organization

    Different industries have a wide range of value drivers. Consider the difference between public and private entities with respect to generating revenue or reaching their customers or other external stakeholders. Even organizations in the same industry may have different values. For example, a mature, well-established manufacturer may view reputation and innovation as its highest-priority values, whereas a struggling manufacturer will see revenue or market share growth as its main drivers.

    Value Drivers

    Increase Revenue

    Reduce Costs

    Enhance Services

    Reach Customers

    • Revenue growth
    • Data monetization
    • Cost optimization
    • Labor reduction
    • Collaboration
    • Risk and compliance
    • Customer experience
    • Trust and reputation

    You do not need to dissect each quadrant into an exhaustive list of value drivers. Info-Tech recommends defining distinct value drivers only for the areas you’ve identified as critical to your organization’s core goals and objectives.

    Understand value drivers that enable revenue growth

    Direct Revenue

    This value driver is the ability of a product or service to directly produce revenue through core revenue streams.

    Can be derived from:

    • Creating revenue
    • Improving the revenue generation of an existing service
    • Preventing the loss of a revenue stream

    Be aware of the differences between your products and services that enable a revenue source and those that facilitate the flow of capital.

    Funding

    This value driver is the ability of a product or service to enable other types of funding unrelated to core revenue streams.

    Can be derived from:

    • Tax revenue
    • Fees, fines, and ticketing programs
    • Participating in government subsidy or grant programs

    Be aware of the difference between your products and services that enable a revenue source and those that facilitate the flow of capital.

    Scale & Growth

    In essence, this driver can be viewed as the potential for growth in market share or new developing revenue sources.

    Does the product or service:

    • Increase your market share
    • Help you maintain your market share

    Be cautious of which items you identify here, as many innovative activities may have some potential to generate future revenue. Stick to those with a strong connection to future revenue and don’t qualify for other value driver categories.

    Monetization of Assets

    This value driver is the ability of your products and services to generate additional assets.

    Can be derived from:

    • Sale of data
    • Sale of market or customer reports or analysis
    • Sale of IP

    This value source is often overlooked. If given the right attention, it can lead to a big win for IT’s role in the business.

    Understand value drivers that reduce costs

    Cost Reduction

    A cost reduction is a “hard” cost saving that is reflected as a tangible decrease to the bottom line.

    This can be derived from reduction of expenses such as:

    • Salaries and wages
    • Hardware/software maintenance
    • Infrastructure

    Cost reduction plays a critical role in an application’s ability to increase efficiency.

    Cost Avoidance

    A cost avoidance is a “soft” cost saving, typically achieved by preventing a cost from occurring in the first place (i.e. risk mitigation). Cost avoidance indirectly impacts the bottom line.

    This can be derived from prevention of expenses by:

    • Mitigating a business outage
    • Mitigating another risk event
    • Delaying a price increase

    Understand the value drivers that enhance your services

    Enable Core Operations

    Some applications are in place to facilitate and support the structure of the organization. These vary depending on the capabilities of your organization but should be assessed in relation to the organization’s culture and structure.

    • Enables a foundational capability
    • Enables a niche capability

    This example is intentionally broad, as “core operations” should be further dissected to define different capabilities with ranging priority.

    Compliance

    A product or service may be required in order to meet a regulatory requirement. In these cases, you need to be aware of the organizational risk of NOT implementing or maintaining a service in relation to those risks.

    In this case, the product or service is required in order to:

    • Prevent fines
    • Allow the organization to operate within a specific jurisdiction
    • Remediate audit gaps
    • Provide information required to validate compliance

    Internal Improvement

    An application’s ability to create value outside of its core operations and facilitate the transfer of information, insights, and knowledge.

    Value can be derived by:

    • Data analytics
    • Collaboration
    • Knowledge transfer
    • Organizational learning

    Innovation

    Innovation is typically an ill-defined value driver, as it refers to the ability of your products and services to explore new value streams.

    Consider:

    • Exploration into new markets and products
    • New methods of organizing resources and processes

    Innovation is one of the more divisive value drivers, as some organizations will strive to be cutting edge and others will want no part in taking such risks.

    Understand business value drivers that connect the business to your customers

    Policy

    Products and services can also be assessed in relation to whether they enable and support policies of the organization. Policies identify and reinforce required processes, organizational culture, and core values.

    Policy value can be derived from:

    • The service or initiative will produce outcomes in line with our core organizational values.
    • Products that enable sustainability and corporate social responsibility

    Experience

    Applications are often designed to improve the interaction between customer and product. This value type is most closely linked to product quality and user experience. Customers, in this sense, can also include any stakeholders who consume core offerings.

    Customer experience value can be derived from:

    • Improving customer satisfaction
    • Ease of use
    • Resolving a customer issue or identified pain point
    • Providing a competitive advantage for your customers

    Customer Information

    Understanding demand and customer trends is a core driver for all organizations. Data provided through understanding the ways, times, and reasons that consumers use your services is a key driver for growth and stability.

    Customer information value can be achieved when an app:

    • Addresses strategic opportunities or threats identified through analyzing trends
    • Prevents failures due to lack of capacity to meet demand
    • Connects resources to external sources to enable learning and growth within the organization

    Trust & Reputation

    Products and services are designed to enable goals of digital ethics and are highly linked to your organization’s brand strategy.

    Trust and reputation can also be described as:

    • Customer loyalty and sustainability
    • Customer privacy and digital ethics

    Prioritizing this value source is critical, as traditional priorities can often come at the expense of trust and reputation.

    Define your value drivers

    1.2 Estimated Time: 1.5 hours

    The objective of this exercise is to establish a common understanding of the different values of the organization.

    1. Place your business value authorities at the center of this exercise.
    2. Collect all the documents your organization has on the mission and vision, strategy, governance, and target state, which may be defined by enterprise architecture.
    3. Identify the company mission and vision. Simply transfer the information from the mission and vision document into the appropriate spaces in the business value statement.
    4. Determine the organization’s business value drivers. Use the mission and vision, as well as the information from the collected documents, to formulate your own idea of business values.
    5. Use value driver template on the next slide to define the value driver, including:
    • Value Driver Name
    • Description
    • Related Business Capabilities – If available, review business architecture materials, such as business capability maps.
    • Established KPI and Targets – If available, include any organization-wide established KPIs related to your value driver. These KPIs will likely be used or influence the metrics eventually assigned to your applications.

    INPUT

    • Mission, vision, value statements

    OUTPUT

    • List and description of value drivers

    Materials

    • Whiteboard
    • Markers

    Participants

    • Business value authorities
    • Owner of value measurement framework

    Example Value Driver

    Value Driver Name

    Reach Customers

    Value Driver Description

    Our organization’s ability to provide quality products and experience to our core customers

    Value Driver Weight

    10/10

    Related Business Capabilities

    • Customer Services
    • Marketing
      • Customer Segmentation
      • Customer Journey Mapping
    • Product Delivery
      • User Experience Design
      • User Acceptance Testing

    Key Business Outcomes, KPIs, and Targets

    • Improved Customer Satisfaction
      • Net Promotor Score: 80%
    • Improved Loyalty
      • Repeat Sales: 30%
      • Customer Retention: 25%
      • Customer Lifetime Value: $2,500
    • Improved Interaction
      • Repeat Visits: 50%
      • Account Conversation Rates: 40%

    Weigh your value drivers

    1.3 Estimated Time: 30 minutes

    The objective of this exercise is to prioritize your value drivers based on their relative importance to the business.

    1. Again, place the business value authorities at the center of this exercise.
    2. In order to determine priority, divide 100% among your value drivers, allocating a percentage to each based on its relative importance to the organization.
    3. Normalize those percentages on to a scale of 1 to 10, which will act as the weights for your value drivers.

    INPUT

    • Mission, vision, value statements

    OUTPUT

    • Weights for value drivers

    Materials

    • Whiteboard
    • Markers

    Participants

    • Business value authorities
    • Owner of value measurement framework

    Weigh your value drivers

    1.3 Estimated Time: 30 minutes

    Value Driver

    Percentage Allocation

    1 to 10 Weight

    Revenue and other funding

    24%

    9

    Cost reduction

    8%

    3

    Compliance

    5%

    2

    Customer value

    30%

    10

    Operations

    13%

    7

    Innovation

    5%

    2

    Sustainability and social responsibility

    2%

    1

    Internal learning and development

    3%

    1

    Future growth

    10%

    5

    Total

    100%

    Carry results over to the Value Calculator

    1.3

    Document results of this activity in the “Value Drivers” tab of the Value Calculator.

    A screenshot of Info-Tech's Value Calculator is shown.

    List your value drivers.

    Define or describe your value drivers.

    Use this tool to create a repository for value sources to reuse and maintain consistency across your measurements.

    Enter the weight of each value driver in terms of importance to the organization.

    Phase 2

    Measure Value

    Step 2.1: Identify Product or Service SMEs

    Phase 1

    1.1: Identify Value Authorities

    1.2: Define Value Drivers

    Phase 2

    2.1: Identify Product or Service SMEs

    2.2: Measure Value

    This step will walk you through the following activities:

    • Identify your product or service SMEs.
    • List your product or services items and components.

    This step involves the following participants:

    • Owners of your value measurement framework
    • Product or service SMEs

    Outcomes of this step

    • Your list of targeted individuals to include in Step 2.2

    Identify the products and services you are evaluating and break down their various components for the VMF

    In order to get a full evaluation of a product or service you need to understand its multiple facets, functions, features capabilities, requirements, or any language you use to describe its various components.

    An image of the value measure framework is shown.

    Decompose a product or service:

    • Get the right subject matter experts in place who know the business and technical aspects of the product or service.
    • Decompose the product or service to capture all necessary components.

    Before beginning, consider how your use case will impact your value measurement approach

    This table looks at how the different use cases of the VMF call for variations of this analysis, is directed at different roles, and relies on participation from different subject matter experts to provide business context.

    Use Case (uses of the VMF applied in this blueprint)

    Value (current vs. future value)

    Item (the singular entity you are producing a value score for)

    Components (the various facets of that entity that need to be considered)

    Scope (# of systems undergoing analysis)

    Evaluator (typical role responsible for applying the VMF)

    Cadence (when and why do you apply the VMF)

    Information Sources (what documents, tools, etc., do you need to leverage)

    SMEs (who needs to participate to define and measure value)

    1. Prioritize Your Product Backlog

    You are estimating future value of proposed changes to an application.

    Product backlog items (epic, feature, etc.) in your product backlog

    • Features
    • User stories
    • Enablers

    A product

    Product owner

    Continuously apply the VMF to prioritize new and changing product backlog items.

    • Epic hypothesis, documentation
    • Lean business case

    Product manager

    ????

    2. Prioritize Your Project Backlog

    Proposed projects in your project backlog

    • Benefits
    • Outcomes
    • Requirements

    Multiple existing and/or new applications

    Project portfolio manager

    Apply the VMF during your project intake process as new projects are proposed.

    • Completed project request forms
    • Completed business case forms
    • Project charters
    • Business requirements documents

    Project manager

    Product owners

    Business analysts

    3. Application Rationalization

    You are measuring current value of existing applications and their features.

    An application in your portfolio

    The uses of the application (features, function, capabilities)

    A subset of applications or the full portfolio

    Application portfolio manager

    During an application rationalization initiative:

    • Iteratively collect information and perform value measurements.
    • Structure your iterations based on functional areas to target the specific SMEs who can speak to a particular subset of applications.
    • Business capability maps

    Business process owners

    Business unit representatives

    Business architects

    Application architects

    Application SMEs

    4. Application Categorization

    The full portfolio

    Application maintenance or operations manager

    • SLAs
    • Business capability maps

    Identify your product or service SMEs

    2.1 Estimated Time: 15 minutes

    The objective of this exercise is to identify specific business stakeholders who can speak to the business outcomes of your applications at a functional level.

    1. Review your related materials that reference the stakeholders for the scoped products and services (i.e. capability maps, org charts, stakeholder maps).
    2. Identify your specific business stakeholders and application SMEs. These individuals represent the business at a functional level and are in tune with the business outcomes of their operations and the applications that support their operations.
      1. Use Case 1 – Product Owner, Product Manager
      2. Use Case 2 – Project Portfolio Manager, Project Manager, Product Owners, Business Process Owners, Appropriate Business Unit Representatives
      3. Use Case 3 – Application Portfolio Manager, Product Owners, Business Analysts, Application SMEs, Business Process Owners, Appropriate Business Unit Representatives
      4. Use Case 4 – Application Maintenance Manager, Operations Managers, Application Portfolio Manager, Product Owners, Application SMEs, Business Process Owners, Appropriate Business Unit Representatives

    INPUT

    • Specific product or service knowledge

    OUTPUT

    • Targeted individuals to measure specific products or services

    Materials

    • Whiteboard
    • Markers

    Participants

    • Owner of value measurement framework

    Use Case 1: Collect and review all of the product backlog items

    Prioritizing your product backlog (epics, features, etc.) requires a consistent method of measuring the value of your product backlog items (PBIs) to continuously compare their value relative to one another. This should be treated as an ongoing initiative as new items are added and existing items change, but an initial introduction of the VMF will require you to collect and analyze all of the items in your backlog.

    Regardless of producing a value score for an epic, feature, or user story, your focus should be on identifying their various value sources. Review your product’s artifact documentation, toolsets, or other information sources to extract the business outcomes, impact, benefits, KPIs, or any other description of a value source.

    High

    Epics

    Carefully valuated with input from multiple stakeholders, using metrics and consistent scoring

    Level of valuation effort per PBI

    User Stories

    Collaboratively valuated by the product owner and teams based on alignment and traceability to corresponding epic or feature

    Low

    Raw Ideas

    Intuitively valuated by the product owner based on alignment to product vision and organization value drivers

    What’s in your backlog?

    You may need to create standards for defining and measuring your different PBIs. Traceability can be critical here, as defined business outcomes for features or user stories may be documented at an epic level.

    Additional Research

    Build a Better Backlog helps you define and organize your product backlog items.

    Use Case 2: Review the scope and requirements of the project to determine all of the business outcomes

    Depending on where your project is in your intake process, there should be some degree of stated business outcomes or benefits. This may be a less refined description in the form of a project request or business case document, or it could be more defined in a project charter, business requirements document/toolset, or work breakdown structure (WBS). Regardless of the information source, to make proper use of the VMF you need a clear understanding of the various business outcomes to establish the new or improved value sources for the proposed project.

    Project

    User Requirements

    Business Requirements

    System Requirements

    1

    1

    1

    2

    2

    2

    3

    3

    4

    Set Metrics Early

    Good project intake documentation begins the discussion of KPIs early on. This alerts teams to the intended value and gives your PMO the ability to integrate it into the workload of other proposed or approved projects.

    Additional Research

    Optimize Project Intake, Approval, and Prioritization provides templates to define proposed project benefits and outcomes.

    Use Cases 3 & 4: Ensure you’ve listed all of each application’s uses (functions, features, capabilities, etc.) and user groups

    An application can enable multiple capabilities, perform a variety of functions, and have a range of different user groups. Therefore, a single application can produce multiple value sources, which range in type, impact, and significance to the business’ overarching priorities. In order to effectively measure the overall value of an application you need to determine all of the ways in which that application is used and apply a business-downward view of your applications.

    Business Capability

    • Sub-capability
    • Process
    • Task

    Application

    • Module
    • Feature
    • Function

    Aim for Business Use

    Simply listing the business capabilities of an app can be too high level. Regardless of your organization’s terminology, you need to establish all of the different uses and users of an application to properly measure all of the facets of its value.

    Additional Research

    Discover Your Applications helps you identify and define the business use and features of your applications.

    List your product or services items and components

    2.2 Estimated Time: 15 minutes

    The objective of this exercise is to produce a list of the different items that you are scoring and ensure you have considered all relevant components.

    1. List each item you intend to produce a value score for:
      1. Use Case 1 – This may be the epics in your product backlog.
      2. Use Case 2 – This may be the projects in your project backlog.
      3. Use Cases 3 & 4 – This may be the applications in your portfolio. For this approach Info-Tech strongly recommends iteratively assessing the portfolio to produce a list of a subset of applications.
    2. For each item list its various components:
      1. Use Case 1 – This may be the features or user stories of an epic.
      2. Use Case 2 – This may be the business requirements of a project.
      3. Use Cases 3 & 4 – This may be the modules, features, functions, capabilities, or subsystems of an application.

    Item

    Components

    Add Customer Portal (Epic)

    User story #1: As a sales team member I need to process customer info.

    User story #2: As a customer I want access to…

    Transition to the Cloud (Project)

    Requirement #1: Build Checkout Cart

    NFR – Build integration with data store

    CRM (Application)

    Order Processing (module), Returns & Claims (module), Analytics & Reporting (Feature)

    INPUT

    • Product or service knowledge

    OUTPUT

    • Detailed list of items and components

    Materials

    • Whiteboard
    • Markers

    Participants

    • Owner of value measurement framework
    • Product or service SMEs

    Use Cases 3 & 4: Create a functional view of your applications (optional)

    2.3 Estimated Time: 1 hour

    The objective of this exercise is to establish the different use cases of an application.

    1. Recall the functional requirements and business capabilities for your applications.
    2. List the various actors who will be interacting with your applications and list the consumers who will be receiving the information from the applications.
    3. Based on your functional requirements, list the use cases that the actors will perform to deliver the necessary information to consumers. Each use case serves as a core function of the application. See the diagram below for an example.
    4. Sometimes several use cases are completed before information is sent to consumers. Use arrows to demonstrate the flow of information from one use case to another.

    Example: Ordering Products Online

    Actors

    Order Customer

    Order Online

    Search Products

    Consumers

    Submit Delivery Information

    Order Customer

    Pay Order

    Bank

    INPUT

    • Product or service knowledge

    OUTPUT

    • Product or service function

    Materials

    • Whiteboard
    • Markers

    Participants

    • Application architect
    • Enterprise architect
    • Business and IT stakeholders
    • Business analyst
    • Development teams

    Use Cases 3 & 4: Create a functional view of your applications (optional) (cont’d.)

    2.3 Estimated Time: 1 hour

    5. Align your application’s use cases to the appropriate business capabilities and stakeholder objectives.

    Example:

    Stakeholder Objective: Automate Client Creation Processes

    Business Capability: Account Management

    Function: Create Client Profile

    Function: Search Client Profiles

    Business Capability: Sales Transaction Management

    Function: Order Online

    Function: Search Products Function: Search Products

    Function: Submit Delivery Information

    Function: Pay Order

    Step 2.2: Measure Value

    Phase 1

    1.1: Identify Value Authorities

    1.2: Define Value Drivers

    Phase 2

    2.1: Identify Product or Service SMEs

    2.2: Measure Value

    This step will walk you through the following activities:

    • Identify your value sources.
    • Align to a value driver.
    • Assign metrics and gauge value fulfillment.

    This step involves the following participants:

    • Owners of your value measurement framework
    • Product or service SMEs

    Outcomes of this step

    • An initial list of reusable value sources and metrics
    • Value scores for your products or services

    Use your VMF and a repeatable process to produce value scores for all of your items

    With your products or services broken down, you can then determine a list of value sources, as well as their alignment to a value driver and a gauge of their value fulfillment, which in turn indicate the importance and impact of a value source respectively.

    A image of the value measure framework is shown.

    Lastly, we produce a value score for all items:

    • Determine business outcomes and value sources.
    • Align to the appropriate value driver.
    • Use metrics as the gauge of value fulfillment.
    • Collect your score.
    • Repeat.

    The business outcome is the impact the product or service has on the intended business activity

    Business outcomes are the business-oriented results produced by organization’s capabilities and the applications that support those capabilities. The value source is, in essence, “How does the application impact the outcome?” and this can be either qualitative or quantitative.

    Quantitative

    Qualitative

    Key Words

    Examples

    Key Words

    Examples

    Faster, cheaper

    Deliver faster

    Better

    Better user experience

    More, less

    More registrations per week

    Private

    Enhanced privacy

    Increase, decrease

    Decrease clerical errors

    Easier

    Easier to input data

    Can, cannot

    Can access their own records

    Improved

    Improved screen flow

    Do not have to

    Do not have to print form

    Enjoyable

    Enjoyable user experience

    Compliant

    Complies with regulation 12

    Transparent

    Transparent progress

    Consistent

    Standardized information gathered

    Richer

    Richer data availability

    Adapted from Agile Coach Journal.

    Measure value – Identify your value sources

    2.4 Estimated Time: 30 minutes

    The objective of this exercise is to establish the different value sources of a product or service.

    1. List the items you are producing an overall balance value score for. These can be products, services, projects, applications, product backlog items, epics, etc.
    2. For each item, list its various business outcomes in the form of a description that includes:
      1. The item being measured
      2. Business capability or activity
      3. How the item impacts said capability or activity

    Consider applying the user story format for future value sources or a variation for current value sources.

    As a (user), I want to (activity) so that I get (impact)

    INPUT

    • Product or service knowledge
    • Business process knowledge

    OUTPUT

    • List of value sources

    Materials

    • Whiteboard
    • Markers

    Participants

    • Owner of value measurement framework
    • Product or service SMEs

    Measure value – Align to a value driver

    2.5 Estimated Time: 30 minutes

    The objective of this exercise is to determine the value driver for each value source.

    1. Align each value source to a value driver. Choose between options A and B.
      1. Using a whiteboard, draw out a 2 x 2 business value matrix or an adapted version based on your own organizational value drivers. Place each value source in the appropriate quadrant.
        1. Increase Revenue
        2. Reduce Costs
        3. Enhance Services
        4. Reach Customers
      2. Using a whiteboard or large sticky pads, create a section for each value driver. Place each value source with the appropriate value driver.

    INPUT

    • Product or service knowledge
    • Business process knowledge

    OUTPUT

    • Value driver weight

    Materials

    • Whiteboard
    • Markers

    Participants

    • Owner of value measurement framework
    • Product or service SMEs

    Brainstorm the different sources of business value (cont’d.)

    2.5

    Example:

    An example of activity 2.5 is shown.

    Carry results over to the Value Calculator

    2.5

    Document results of this activity in the Value Calculator in the Item {#} tab.

    A screenshot of the Value Calculator is shown.

    List your Value Sources

    Your Value Driver weights will auto-populate

    Aim, but do not reach, for SMART metrics

    Creating meaningful metrics

    S pecific

    M easureable

    A chievable

    R ealisitic

    T ime-based

    Follow the SMART framework when adding metrics to the VMF.

    The intention of SMART goals and metrics is to make sure you have chosen a gauge that will:

    • Reflect the actual business outcome or value source you are measuring.
    • Ensure all relevant stakeholders understand the goals or value you are driving towards.
    • Ensure you actually have the means to capture the performance.

    Info-Tech Insight

    Metrics are NOT a magical solution. They should be treated as a tool in your toolbox and are sometimes no more than a rough gauge of performance. Carefully assign metrics to your products and services and do not disregard the informed subjective perspective when SMART metrics are unavailable.

    Info-Tech Best Practice

    One last critical consideration here is the degree of effort required to collect the metric compared to the value of the analysis you are performing. Assessing whether or not to invest in a project should apply the rigor of carefully selecting and measuring value. However, performing a rationalization of the full app portfolio will likely lead to analysis paralysis. Taking an informed subjective perspective may be the better route.

    Measure value – Assign metrics and gauge value fulfillment

    2.6 30-60 minutes

    The objective of this exercise is to determine an appropriate metric for each value source.

    1. For each value source assign a metric that will be the unit of measurement to gauge the value fulfilment of the application.
    2. Review the product or services performance with the metric
      1. Use case 1&2 (Proposed Applications and/or Features) - You will need to estimate the degree of impact the product or services will have on your selected metric.
      2. Use case 3&4 (Existing Applications and/or Features) – You can review historically how the product or service has performed with your selected metric
    3. Determine a value fulfillment on a scale of 1 – 10.
    4. 10 = The product or service far exceeds expectations and targets on the metric.

      5 = the product or service meets expectations on this metric.

      1 = the product or service underperforms on this metric.

    INPUT

    • Product or service knowledge
    • Business process knowledge

    OUTPUT

    • Value driver weight

    Materials

    • Whiteboard
    • Markers

    Participants

    • Owner of value measurement framework
    • Product or service SMEs

    Carry results over to the Value Calculator

    2.6

    Document results of this activity in the Value Calculator in the Item {#} tab.

    A screenshot of Info-Tech's Value Calculator is shown.

    Assign Metrics.

    Consider using current or estimated performance and targets.

    Assess the impact on the value source with the value fulfillment.

    Collect your Overall Balanced Value Score

    Appendix

    Bibliography

    Brown, Alex. “Calculating Business Value.” Agile 2014 Orlando – July 13, 2014. Scrum Inc. 2014. Web. 20 Nov. 2017.

    Brown, Roger. “Defining Business Value.” Scrum Gathering San Diego 2017. Agile Coach Journal. Web.

    Curtis, Bill. “The Business Value of Application Internal Quality.” CAST. 6 April 2009. Web. 20 Nov. 2017.

    Fleet, Neville, Joan Lasselle, and Paul Zimmerman. “Using a Balance Scorecard to Measure the Productivity and Value of Technical Documentation Organizations.” CIDM. April 2008. Web. 20 Nov. 2017.

    Harris, Michael. “Measuring the Business Value of IT.” David Consulting Group. 20 Nov. 2017.

    Intrafocus. “What is a Balanced Scorecard?” Intrafocus. Web. 20 Nov. 2017

    Kerzner, Harold. Project Management: A Systems Approach to Planning, Scheduling, and Controlling. 12th ed., Wiley, 2017.

    Lankhorst, Marc., et al. “Architecture-Based IT Valuation.” Via Nova Architectura. 31 March 2010. Web. 20 Nov. 2017.

    Rachlin, Sue, and John Marshall. “Value Measuring Methodology.” Federal CIO Council, Best Practices Committee. October 2002. Web. April 2019.

    Thiagarajan, Srinivasan. “Bridging the Gap: Enabling IT to Deliver Better Business Outcomes.” Cognizant. July 2017. Web. April 2019.

    Essentials of Vendor Management for Small Business

    • Buy Link or Shortcode: {j2store}229|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management
    • Each year, SMB IT organizations spend more money “outsourcing” tasks, activities, applications, functions, and other items.
    • Many SMBs lack the affordability of implementing a sophisticated vendor management initiative or office.
    • The increased spend and associated outsourcing leads to less control, and more risk for IT organizations. Managing this becomes a higher priority for IT, but many IT organizations are ill-equipped to do this proactively.

    Our Advice

    Critical Insight

    • Vendor management is not “plug and play” – each organization’s vendor management initiative (VMI) needs to fit its culture, environment, and goals. There are commonalities among vendor management initiatives, but the key is to adapt vendor management principles to fit your needs, not the other way around.
    • All vendors are not of equal importance to an organization. Internal resources are a scarce commodity and should be deployed so that they provide the best return on the organization’s investment. Classifying or segmenting your vendors allows you to focus your efforts on the most important vendors first, allowing your VMI to have the greatest impact possible.
    • Having a solid foundation is critical to the VMI’s ongoing success. Whether you will be creating a formal vendor management office or using vendor management techniques, tools, and templates “informally”, starting with the basics is essential. Make sure you understand why the VMI exists and what it hopes to achieve, what is in and out of scope for the VMI, what strengths the VMI can leverage and the obstacles it will have to address, and how it will work with other areas within your organization.

    Impact and Result

    • Build and implement a vendor management initiative tailored to your environment.
    • Create a solid foundation to sustain your vendor management initiative as it evolves and matures.
    • Leverage vendor management-specific tools and templates to manage vendors more proactively and improve communication.
    • Concentrate your vendor management resources on the right vendors.
    • Build a roadmap and project plan for your vendor management journey to ensure you reach your destination.
    • Build collaborative relationships with critical vendors.

    Essentials of Vendor Management for Small Business Research & Tools

    Start here – read the Executive Brief

    Read this Executive Brief to understand how changes in the vendor landscape and customer reliance on vendors have made a vendor management initiative indispensible.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Plan

    This phase helps you organize your VMI and document internal processes, relationships, roles, and responsibilities. The main outcomes from this phase are organizational documents, a baseline VMI maturity level, and a desired future state for the VMI.

    • Essentials of Vendor Management for Small Business – Phase 1: Plan
    • Phase 1 Small Business Tools and Templates Compendium

    2. Build

    This phase helps you configure and create the tools and templates that will help you run the VMI. The main outcomes from this phase are a clear understanding of which vendors are important to you, the tools to manage the vendor relationships, and an implementation plan.

    • Essentials of Vendor Management for Small Business – Phase 2: Build
    • Phase 2 Small Business Vendor Classification Tool
    • Phase 2 Small Business Risk Assessment Tool
    • Phase 2 Small Business Tools and Templates Compendium

    3. Run

    This phase helps you begin operating the VMI. The main outcomes from this phase are guidance and the steps required to implement your VMI.

    • Essentials of Vendor Management for Small Business – Phase 3: Run

    4. Review

    This phase helps the VMI identify what it should stop doing, start doing, and continue doing as it improves and matures. The main outcomes from this phase are ways to advance the VMI and maintain internal alignment.

    • Essentials of Vendor Management for Small Business – Phase 4: Review
    [infographic]

    Further reading

    Essentials of Vendor Management for Small Business

    Create and implement a vendor management framework to begin obtaining measurable results in 90 days.


    EXECUTIVE BRIEF

    Analyst Perspective

    Vendor Management Challenge

    Small businesses are often challenged by the growth and complexity of their vendor ecosystem, including the degree to which the vendors control them. Vendors are increasing, obtaining more and more budget dollars, while funding for staff or headcount is decreasing as a result of cloud-based applications and an increase in our reliance on Managed Service Providers. Initiating a vendor management initiative (VMI) vs. creating a fully staffed vendor management office will get you started on the path of proactively controlling your vendors instead of consistently operating in a reactionary mode. This blueprint is designed with that very thought: to assist small businesses in creating the essentials of a vendor management initiative.

    This is a picture of Steve Jeffery

    Steve Jeffery
    Principal Research Director, Vendor Management
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Each year, IT organizations "outsource" tasks, activities, functions, and other items. During 2021:

    • Spend on as-a-service providers increased 38% over 2020.*
    • Spend on managed service providers increased 16% over 2020.*
    • IT service providers increased their merger and acquisition numbers by 47% over 2020.*

    This leads to more spend, less control, and more risk for IT organizations. Managing this becomes a higher priority for IT, but many IT organizations are ill-equipped to do this proactively.

    Common Obstacles

    As new contracts are negotiated and existing contracts are renegotiated or renewed, there is a perception that the contracts will yield certain results, output, performance, solutions, or outcomes. The hope is that these will provide a measurable expected value to IT and the organization. Oftentimes, much of the expected value is never realized. Many organizations don't have a VMI to help:

    • Ensure at least the expected value is achieved.
    • Improve on the expected value through performance management.
    • Significantly increase the expected value through a proactive VMI.

    Info-Tech's Approach

    Vendor Management is a proactive, cross-functional lifecycle. It can be broken down into four phases:

    • Plan
    • Build
    • Run
    • Review

    The Info-Tech process addresses all four phases and provides a step-by-step approach to configure and operate your VMI. The content in this blueprint helps you quickly establish your VMI and sets a solid foundation for its growth and maturity.

    Info-Tech Insight

    Vendor management is not a one-size-fits-all initiative. It must be configured:

    • For your environment, culture, and goals.
    • To leverage the strengths of your organization and personnel.
    • To focus your energy and resources on your critical vendors.

    Executive Summary

    Your challenge

    Spend on managed service providers and as-a-service providers continues to increase. In addition, IT services vendors continue to be active in the mergers and acquisitions arena. This increases the need for a VMI to help with the changing IT vendor landscape.

    38%

    2021

    16%

    2021

    47%

    2021

    Spend on as-a-service providers

    Spend on managed services providers

    IT services merger & acquisition growth (transactions)

    Source: Information Services Group, Inc., 2022.

    Executive Summary

    Common obstacles

    When organizations execute, renew, or renegotiate a contract, there is an "expected value" associated with that contract. Without a robust VMI, most of the expected value will never be realized. With a robust VMI, the realized value significantly exceeds the expected value during the contract term.

    A contract's realized value with and without a vendor management initiative

    This is an image of a bar graph showing the difference in value between those with and without a VMI, with and for those with a VMI, with Vendor Collaboration and with Vendor Performance Management. The data for those with a VMI have substantially more value.

    Source: Based on findings from Geller & Company, 2003.

    Executive Summary

    Info-Tech's approach

    A sound, cyclical approach to vendor management will help you create a VMI that meets your needs and stays in alignment with your organization as they both change (i.e. mature and grow).

    This is an image of the 4 Step Vendor Management Process. The four steps are: 1. Plan; 2. Build; 3. Run; 4. Review.

    Info-Tech's methodology for creating and operating your vmi

    Phase 1 - Plan Phase 2 - Build Phase 3 - Run Phase 4 - Review
    Phase Steps

    1.1 Mission Statement and Goals

    1.2 Scope

    1.3 Strengths and Obstacles

    1.4 Roles and Responsibilities

    2.1 Classification Model

    2.2 Risk Assessment Tool

    2.3 Scorecards and Feedback

    2.4 Business Alignment Meeting Agenda

    2.5 Relationship Alignment Document

    2.6 Vendor Orientation

    2.7 3-Year Roadmap

    2.8 90-Day Plan

    2.9 Quick Wins2.10 Reports

    3.1 Classify Vendors

    3.2 Compile Scorecards

    3.3 Conduct Business Alignment Meetings

    3.4 Work the 90-Day Plan

    3.5 Manage the 3-Year Roadmap

    3.6 Develop/Improve Vendor Relationships

    4.1 Incorporate Leading Practices

    4.2 Leverage Lessons Learned

    4.3 Maintain Internal Alignment

    Phase Outcomes This phase helps you organize your VMI and document internal processes, relationships, roles, and responsibilities. The main outcomes from this phase are organizational documents, a baseline VMI maturity level, and a desired future state for the VMI. This phase helps you configure and create the tools and templates that will help you run the VMI. The main outcomes from this phase are a clear understanding of which vendors are important to you, the tools to manage the vendor relationships, and an implementation plan. This phase helps you begin operating the VMI. The main outcomes from this phase are guidance and the steps required to implement your VMI. This phase helps the VMI identify what it should stop doing, start doing, and continue doing as it improves and matures. The main outcomes from this phase are ways to advance the VMI and maintain internal alignment.

    Insight Summary

    Insight 1

    Vendor management is not "plug and play" – each organization's vendor management initiative (VMI) needs to fit its culture, environment, and goals. While there are commonalities and leading practices associated with vendor management, your initiative won't look exactly like another organization's. The key is to adapt vendor management principles to fit your needs.

    Insight 2

    All vendors are not of equal importance to your organization. Internal resources are a scarce commodity and should be deployed so that they provide the best return on the organization's investment. Classifying or segmenting your vendors allows you to focus your efforts on the most important vendors first, allowing your VMI to have the greatest impact possible.

    Insight 3

    Having a solid foundation is critical to the VMI's ongoing success. Whether you will be creating a formal vendor management office or using vendor management techniques, tools, and templates "informally", starting with the basics is essential. Make sure you understand why the VMI exists and what it hopes to achieve, what is in and out of scope for the VMI, what strengths the VMI can leverage and the obstacles it will have to address, and how it will work with other areas within your organization.

    Blueprint benefits

    IT benefits

    • Identify and manage risk proactively.
    • Reduce costs and maximize value.
    • Increase visibility with your critical vendors.
    • Improve vendor performance.
    • Create a collaborative environment with key vendors.
    • Segment vendors to allocate resources more effectively and more efficiently.

    Business benefits

    • Improve vendor accountability.
    • Increase collaboration between departments.
    • Improve working relationships with your vendors.
    • Create a feedback loop to address vendor/customer issues before they get out of hand or are more costly to resolve.
    • Increase access to meaningful data and information regarding important vendors.

    Phase 1 - Plan

    Phase 1

    Phase 2 Phase 3 Phase 4

    1.1 Mission Statement and Goals

    1.2 Scope

    1.3 Strengths and Obstacles

    1.4 Roles and Responsibilities

    2.1 Classification Model

    2.2 Risk Assessment Tool

    2.3 Scorecards and Feedback

    2.4 Business Alignment Meeting Agenda

    2.5 Relationship Alignment Document

    2.6 Vendor Orientation

    2.7 3-Year Roadmap

    2.8 90-Day Plan

    2.9 Quick Wins

    2.10 Reports

    3.1 Classify Vendors

    3.2 Compile Scorecards

    3.3 Conduct Business Alignment Meetings

    3.4 Work the 90-Day Plan

    3.5 Manage the 3-Year Roadmap

    3.6 Develop/Improve Vendor Relationships

    4.1 Incorporate Leading Practices

    4.2 Leverage Lessons Learned

    4.3 Maintain Internal Alignment

    This phase will walk you through the following activity:

    • Organizing your VMI and document internal processes, relationships, roles, and responsibilities. The main outcomes from this phase are organizational documents, and a desired future state for the VMI.

    This phase involves the following participants:

    • VMI team
    • Applicable stakeholders and executives
    • Procurement/Sourcing
    • IT
    • Others as needed

    Vendor Management Initiative Basics for the Small/Medium Businesses

    Phase 1 – Plan

    Get Organized

    Phase 1 – Plan focuses on getting organized. Foundational elements (Mission Statement, Goals, Scope, Strengths and Obstacles, Roles and Responsibilities, and Process Mapping) will help you define your VMI. These and the other elements of this Phase will follow you throughout the process of starting up your VMI and running it.

    Spending time up front to ensure that everyone is on the same page will help avoid headaches down the road. The tendency is to skimp (or even skip) on these steps to get to "the good stuff." To a certain extent, the process provided here is like building a house. You wouldn't start building your dream home without having a solid blueprint. The same is true with vendor management. Leveraging vendor management tools and techniques without the proper foundation may provide some benefit in the short term, but in the long term it will ultimately be a house of cards waiting to collapse.

    Step 1.1 – Mission statement and goals

    Identify why the VMI exists and what it will achieve

    Whether you are starting your vendor management journey or are already down the path, it is important to know why the vendor management initiative exists and what it hopes to achieve. The easiest way to document this is with a written declaration in the form of a Mission Statement and Goals. Although this is the easiest way to proceed, it is far from easy.

    The Mission Statement should identify at a high level the nature of the services provided by the VMI, who it will serve, and some of the expected outcomes or achievements. The Mission Statement should be no longer than one or two sentences.

    The complement to the Mission Statement is the list of goals for the VMI. Your goals should not be a reassertion of your Mission Statement in bullet format. At this stage it may not be possible to make them SMART (Specific, Measurable, Achievable/Attainable, Relevant, Time-Bound/Time-Based), but consider making them as SMART as possible. Without some of the SMART parameters attached, your goals are more like dreams and wishes. At a minimum, you should be able to determine the level of success achieved for each of the VMI goals.

    Although the VMI's Mission Statement will stay static over time (other than for significant changes to the VMI or organization as a whole), the goals should be reevaluated periodically using a SMART filter, and adjusted as needed.

    1.1.1 – Mission statement and goals

    20 – 40 Minutes

    1. Meet with the participants and use a brainstorming activity to list, on a whiteboard or flip chart, the reasons why the VMI will exist.
    2. Review external mission statements for inspiration.
    3. Review internal mission statements from other areas to ensure consistency.
    4. Draft and document your Mission Statement in the Phase 1 Tools and Templates Compendium – Tab 1.1 Mission Statement and Goals.
    5. Continue brainstorming and identify the high-level goals for the VMI.
    6. Review the list of goals and make them as SMART (Specific, Measurable, Achievable/Attainable, Relevant, Time-Bound/Time-Based) as possible.
    7. Document your goals in the Phase 1 Tools and Templates Compendium– Tab 1.1 Mission Statement and Goals.
    8. Obtain signoff on the Mission Statement and goals from stakeholders and executives as required.

    Input

    • Brainstorming results
    • Mission statements from other internal and external sources

    Output

    • Completed Mission Statement and Goals

    Materials

    • Whiteboard/Flip Charts
    • Phase 1 Tools and Templates Compendium – Tab 1.1 Mission Statement and Goals

    Participants

    • VMI team
    • Applicable stakeholders and executives (as needed)

    Download the Info-Tech Phase 1 Tools and Templates Compendium

    Step 1.2 – Scope

    Determine what is in scope and out of scope for the VMI

    Regardless of where your VMI resides or how it operates, it will be working with other areas within your organization. Some of the activities performed by the VMI will be new and not currently handled by other groups or individuals internally; at the same time, some of the activities performed by the VMI may be currently handled by other groups or individuals internally. In addition, executives, stakeholders, and other internal personnel may have expectations or make assumptions about the VMI. As a result, there can be a lot of confusion about what the VMI does and doesn't do, and the answers cannot always be found in the VMI's Mission Statement and Goals.

    One component of helping others understand the VMI landscape is formalizing the VMI Scope. The Scope will define boundaries for the VMI. The intent is not to fence itself off and keep others out but provide guidance on where the VMI's territory begins and ends. Ultimately, this will help clarify the VMI's roles and responsibilities, improve workflow, and reduce errant assumptions.

    When drafting your VMI scoping document, make sure you look at both sides of the equation (similar to what you would do when following best practices for a statement of work). Identify what is in scope and what is out of scope. Be specific when describing the individual components of the VMI Scope, and make sure executives and stakeholders are onboard with the final version.

    1.2.1 – Scope

    20 - 40 Minutes

    1. Meet with the participants and use a brainstorming activity to list, on a whiteboard or flip chart, the activities and functions in scope and out of scope for the VMI.
      1. Be specific to avoid ambiguity and improve clarity.
      2. Go back and forth between in scope and out of scope as needed; it is not necessary to list all the in-scope items and then turn your attention to the out-of-scope items.
    2. Review the lists to make sure there is enough specificity. An item may be in scope or out of scope, but not both.
    3. Use the Phase 1 Tools and Templates Compendium – Tab 1.2 Scope to document the results.
    4. Obtain signoff on the Scope from stakeholders and executives as required.

    Input

    • Brainstorming results
    • Mission Statement and Goals

    Output

    • Completed list of items in and out of scope for the VMI

    Materials

    • Whiteboard/Flip Charts
    • Phase 1 Tools and Templates Compendium – Tab 1.2 Scope

    Participants

    • VMI team
    • Applicable stakeholders and executives (as needed)

    Download the Info-Tech Phase 1 Tools and Templates Compendium

    Step 1.3 – Strengths and obstacles

    Pinpoint the VMI's strengths and obstacles

    A SWOT analysis (strengths, weaknesses, opportunities, and threats) is a valuable tool, but it is overkill for your VMI at this point. However, using a modified and simplified form of this tool (strengths and obstacles) will yield significant results and benefit the VMI as it grows and matures.

    Your output will be two lists: the strengths associated with the VMI and the obstacles the VMI is facing. For example, strengths could include items such as smart people working within the VMI and executive support. Obstacles could include items such as limited headcount and training required for VMI staff.

    The goals are 1) to harness the strengths to help the VMI be successful and 2) to understand the impact of the obstacles and plan accordingly. The output can also be used to enlighten executives and stakeholders about the challenges associated with their directives or requests (e.g. human bandwidth may not be sufficient to accomplish some of the vendor management activities and there is a moratorium on hiring until the next budget year).

    For each strength identified, determine how you will or can leverage it when things are going well or when the VMI is in a bind. For each obstacle, list the potential impact on the VMI (e.g. scope, growth rate, and number of vendors that can actively be part of the VMI).

    As you do your brainstorming, be as specific as possible and validate your lists with stakeholders and executives as needed.

    1.3.1 – Strengths and obstacles

    20 - 40 Minutes

    Meet with the participants and use a brainstorming activity to list, on a whiteboard or flip chart, the VMI's strengths and obstacles.

    Be specific to avoid ambiguity and improve clarity.

    Go back and forth between strengths and obstacles as needed; it is not necessary to list all the strengths first and then all the obstacles.

    It is possible for an item to be a strength and an obstacle; when this happens, add details to distinguish the situations.

    Review the lists to make sure there is enough specificity.

    Determine how you will leverage each strength and how you will manage each obstacle.

    Use the Phase 1 Tools and Templates Compendium – Tab 1.3 Strengths and Obstacles to document the results.

    Obtain signoff on the strengths and obstacles from stakeholders and executives as required.

    Input

    • Brainstorming
    • Mission Statement and Goals
    • Scope

    Output

    • Completed list of items impacting the VMI's ability to be successful: strengths the VMI can leverage and obstacles the VMI must manage

    Materials

    • Whiteboard/Flip Charts
    • Phase 1 Tools and Templates Compendium – Tab 1.3 Strengths and Obstacles

    Participants

    • VMI team
    • Applicable stakeholders and executives (as needed)

    Download the Info-Tech Phase 1 Tools and Templates Compendium

    Step 1.4 – Roles and responsibilities

    Obtain consensus on who is responsible for what

    One crucial success factor for VMIs is gaining and maintaining internal alignment. There are many moving parts to an organization, and a VMI must be clear on the various roles and responsibilities related to the relevant processes. Some of this information can be found in the VMI's Scope referenced in Step 1.2, but additional information is required to avoid stepping on each other's toes; many of the processes require internal departments to work together. (For example, obtaining requirements for a request for proposal takes more than one person or department). While it is not necessary to get too granular, it is imperative that you have a clear understanding of how the VMI activities will fit within the larger vendor management lifecycle (which is comprised of many sub processes) and who will be doing what.

    As we have learned through our workshops and guided implementations, a traditional RACI* or RASCI* Chart does not work well for this purpose. These charts are not intuitive, and they lack the specificity required to be effective. For vendor management purposes, a higher-level view and a slightly different approach provide much better results.

    This step will lead your through the creation of an OIC* Chart to determine vendor management lifecycle roles and responsibilities. Afterward, you'll be able to say, "Oh, I see clearly who is involved in each part of the process and what their role is."

    *RACI – Responsible, Accountable, Consulted, Informed

    *RASCI – Responsible, Accountable, Support, Consulted, Informed

    *OIC – Owner, Informed, Contributor

    This is an image of a table, where the row headings are: Role 1-5, and the Column Headings are: Step 1-5.

    Step 1.4 – Roles and responsibilities (cont'd)

    Obtain consensus on who is responsible for what

    To start, define the vendor management lifecycle steps or process applicable to your VMI. Next, determine who participates in the vendor management lifecycle. There is no need to get too granular – think along the lines of departments, subdepartments, divisions, agencies, or however you categorize internal operational units. Avoid naming individuals other than by title; this typically happens when a person oversees a large group (e.g. the CIO [chief information officer] or the CPO [chief procurement officer]). Be thorough, but don't let the chart get out of hand. For each role and step of the lifecycle, ask whether the entry is necessary; does it add value to the clarity of understanding the responsibilities associated with the vendor management lifecycle? Consider two examples, one for roles and one for lifecycle steps. 1) Is IT sufficient or do you need IT Operations and IT Development? 2) Is "negotiate contract documents" sufficient or do you need negotiate the contract and negotiate the renewal? The answer will depend on your culture and environment but be wary of creating a spreadsheet that requires an 85-inch monitor to view it.

    After defining the roles (departments, divisions, agencies) and the vendor management lifecycle steps or process, assign one of three letters to each box in your chart:

    • O – Owner – who owns the process; they may also contribute to it.
    • I – Informed – who is informed about the progress or results of the process.
    • C – Contributor – who contributes or works on the process; it can be tangible or intangible contributions.

    This activity can be started by the VMI or done as a group with representatives from each of the named roles. If the VMI starts the activity, the resulting chart should be validated by the each of the named roles.

    1.4.1 – Roles and responsibilities

    1 – 6 hours

    1. Meet with the participants and configure the OIC Chart in the Phase 1 Tools and Templates Compendium – Tab 1.4 OIC Chart.
      1. Review the steps or activities across the top of the chart and modify as needed.
      2. Review the roles listed along the left side of the chart and modify as needed.
    2. For each activity or step across the top of the chart, assign each role a letter – O for owner of that activity or step, I for informed, or C for contributor. Use only one letter per cell.
    3. Work your way across the chart. Every cell should have an entry or be left blank if it is not applicable.
    4. Review the results and validate that every activity or step has an O assigned to it; there must be an owner for every activity or step.
    5. Obtain signoff on the OIC Chart from stakeholders and executives as required.

    Input

    • A list of activities or steps to complete a project starting with requirements gathering and ending with ongoing risk management.
    • A list of internal areas (departments, divisions, agencies, etc.) and stakeholders that contribute to completing a project.

    Output

    • Completed OCI chart indicating roles and responsibilities for the VMI and other internal areas.

    Materials

    • Phase 1 Tools and Templates Compendium – Tab 1.4 OIC Chart

    Participants

    • VMI team
    • Procurement/Sourcing
    • IT
    • Representatives from other areas as needed
    • Applicable stakeholders and executives (as needed)

    Download the Info-Tech Phase 1 Tools and Templates Compendium

    Phase 2 - Build

    Create and configure tools, templates, and processes

    Phase 1

    Phase 2Phase 3Phase 4

    1.1 Mission Statement and Goals

    1.2 Scope

    1.3 Strengths and Obstacles

    1.4 Roles and Responsibilities

    2.1 Classification Model

    2.2 Risk Assessment Tool

    2.3 Scorecards and Feedback

    2.4 Business Alignment Meeting Agenda

    2.5 Relationship Alignment Document

    2.6 Vendor Orientation

    2.7 3-Year Roadmap

    2.8 90-Day Plan

    2.9 Quick Wins

    2.10 Reports

    3.1 Classify Vendors

    3.2 Compile Scorecards

    3.3 Conduct Business Alignment Meetings

    3.4 Work the 90-Day Plan

    3.5 Manage the 3-Year Roadmap

    3.6 Develop/Improve Vendor Relationships

    4.1 Incorporate Leading Practices

    4.2 Leverage Lessons Learned

    4.3 Maintain Internal Alignment

    This phase will walk you through the following activities:

    • Configuring and creating the tools and templates that will help you run the VMI. The main outcomes from this phase are a clear understanding of which vendors are important to you, the tools to manage the vendor relationships, and an implementation plan.

    This phase involves the following participants:

    • VMI team
    • Applicable stakeholders and executives
    • Human Resources
    • Legal
    • Others as needed

    Vendor Management Initiative Basics for the Small/Medium Businesses

    Phase 2 – Build

    Create and configure tools, templates, and processes

    Phase 2 – Build focuses on creating and configuring the tools and templates that will help you run your VMI. Vendor management is not a plug and play environment, and unless noted otherwise, the tools and templates included with this blueprint require your input and thought. The tools and templates must work in concert with your culture, values, and goals. That will require teamwork, insights, contemplation, and deliberation.

    During this Phase you'll leverage the various templates and tools included with this blueprint and adapt them for your specific needs and use. In some instances, you'll be starting with mostly a blank slate; while in others, only a small modification may be required to make it fit your circumstances. However, it is possible that a document or spreadsheet may need heavy customization to fit your situation. As you create your VMI, use the included materials for inspiration and guidance purposes rather than as absolute dictates.

    Step 2.1 – Classification model

    Configure the COST vendor classification tool

    One of the functions of a VMI is to allocate the appropriate level of vendor management resources to each vendor since not all vendors are of equal importance to your organization. While some people may be able intuitively to sort their vendors into vendor management categories, a more objective, consistent, and reliable model works best. Info-Tech's COST model helps you assign your vendors to the appropriate vendor management category so that you can focus your vendor management resources where they will do the most good.

    COST is an acronym for Commodity, Operational, Strategic, and Tactical. Your vendors will occupy one of these vendor management categories, and each category helps you determine the nature of the resources allocated to that vendor, the characteristics of the relationship desired by the VMI, and the governance level used.

    The easiest way to think of the COST model is as a 2 x 2 matrix or graph. The model should be configured for your environment so that the criteria used for determining a vendor's classification align with what is important to you and your organization. However, at this point in your VMI's maturation, a simple approach works best. The Classification Model included with this blueprint requires minimal configuration to get your started, and that is discussed on the activity slide associated with this Step 2.1.

    This is an image of the COST Vendor Classification Tool.

    Step 2.1 – Classification model (cont'd)

    Configure the COST vendor classification tool

    Common characteristics by vendor management category

    Operational

    Strategic
    • Low to moderate risk and criticality; moderate to high spend and switching costs
    • Product or service used by more than one area
    • Price is a key negotiation point
    • Product or service is valued by the organization
    • Quality or the perception of quality is a differentiator (i.e. brand awareness)
    • Moderate to high risk and criticality; moderate to high spend and switching costs
    • Few competitors and differentiated products and services
    • Product or service significantly advances the organization's vision, mission, and success
    • Well-established in their core industry

    Commodity

    Tactical
    • Low risk and criticality; low spend and switching costs
    • Product or service is readily available from many sources
    • Market has many competitors and options
    • Relationship is transactional
    • Price is the main differentiator
    • Moderate to high risk and criticality; low to moderate spend and switching costs
    • Vendor offerings align with or support one or more strategic objectives
    • Often IT vendors "outside" of IT (i.e. controlled and paid for by other areas)
    • Often niche or new vendors

    Source: Compiled in part from Guth, Stephen. "Vendor Relationship Management Getting What You Paid for (And More)." 2015.

    2.1.1 – Classification model

    15 – 30 Minutes

    1. Meet with the participants to configure the spend ranges in Phase 2 Vendor Classification Tool – Tab 1. Configuration for your environment.
    2. Collect your vendors and their annual spend to sort by largest to lowest.
    3. Update cells F14-J14 in the Classification Model based on your actual data.
      1. Cell F14 – Set the boundary at a point between the spend for your 10th and 11th ranked vendors. For example, if the 10th vendor by spend is $1,009, 850 and the 11th vendor by spend is $980,763, the range for F14 would be $1,000,00+.
      2. Cell G14 – Set the bottom of the range at a point between the spend for your 30th and 31st ranked vendors; the top of the range will be $1 less than the bottom of the range specified in F14.
      3. Cell H14 – Set the bottom of the range slightly below the spend for your 50th ranked vendor; the top of the range will be $1 less than the bottom of the range specified in G14.
      4. Cells I14 and J14 – Divide the remaining range in half and split it between the two cells; for J14 the range will be $0 to $1 less than the bottom range in I14.
    4. Ignore the other variables at this time.

    Input

    • Phase 1 List of Vendors by Annual Spend

    Output

    • Configured Vendor Classification Tool

    Materials

    • Phase 2 Vendor Classification Tool – Tab 1. Configuration

    Participants

    • VMI team

    Download the Info-Tech Phase 2 Vendor Classification Tool

    Step 2.2 – Risk assessment tool

    Identify risks to measure, monitor, and report on

    One of the typical drivers of a VMI is risk management. Organizations want to get a better handle on the various risks their vendors pose. Vendor risks originate from many areas: financial, performance, security, legal, and others. However, security risk is the high-profile risk, and the one organizations often focus on almost exclusively, which leaves the organization vulnerable in other areas.

    Risk management is a program, not a project; there is no completion date. A proactive approach works best and requires continual monitoring, identification, and assessment. Reacting to risks after they occur can be costly and have other detrimental effects on the organization. Any risk that adversely affects IT will adversely affect the entire organization.

    While the VMI won't necessarily be quantifying or calculating the risk directly, it generally is the aggregator of risk information across the risk categories, which it then includes in its reporting function (see Steps 2.12 and 3.8).

    At a minimum, your risk management strategy should involve:

    • Identifying the risks you want to measure and monitor.
    • Identifying your risk appetite (the amount of risk you are willing to live with).
    • Measuring, monitoring, and reporting on the applicable risks.
    • Developing and deploying a risk management plan to minimize potential risk impact.

    Vendor risk is a fact of life, but you do have options for how to handle it. Be proactive and thoughtful in your approach, and focus your resources on what is important.

    2.2.1 – Risk assessment tool

    30 - 90 Minutes

    1. Meet with the participants to configure the risk indicators in Phase 2 Vendor Risk Assessment Tool – Tab 1. Set parameters for your environment.
    2. Review the risk categories and determine which ones you will be measuring and monitoring.
    3. Review the risk indicators under each risk category and determine whether the indicator is acceptable as written, is acceptable with modifications, should be replaced, or should be deleted.
    4. Make the necessary changes to the risk indicators; these changes will cascade to each of the vendor tabs. Limit the number of risk indicators to no more than seven per risk category.
    5. Gain input and approval as needed from sponsors, stakeholders, and executives as required.

    Input

    • Scope
    • OIC Chart
    • Process Maps
    • Brainstorming

    Output

    • Configured Vendor Risk Assessment Tool

    Materials

    • Phase 2 Vendor Risk Assessment Tool – Tab 1. Set Parameters

    Participants

    • VMI team

    Download the Info-Tech Phase 2 Vendor Classification Tool

    Step 2.3 – Scorecards and feedback

    Design a two-way feedback loop with your vendors

    A vendor management scorecard is a great tool for measuring, monitoring, and improving relationship alignment. In addition, it is perfect for improving communication between you and the vendor.

    Conceptually, a scorecard is similar to a school report card. At the end of a learning cycle, you receive feedback on how well you do in each of your classes. For vendor management, the scorecard is also used to provide periodic feedback, but there are some nuances and additional benefits and objectives when compared to a report card.

    Although scorecards can be used in a variety of ways, the focus here will be on vendor management scorecards – contract management, project management, and other types of scorecards will not be included in the materials covered in this Step 2.3 or in Step 3.4.

    This image contains a table with the score for objectives A-D. The scores are: A4, B3, C5, D4.

    Step 2.3 – Scorecards and feedback (cont'd)

    Design a two-way feedback loop with your vendors

    Anatomy

    The Info-Tech scorecard includes five areas:

    • Measurement categories. Measurement categories help organize the scorecard. Limit the number of measurement categories to three to five; this allows the parties to stay focused on what's important. Too many measurement categories make it difficult for the vendor to understand the expectations.
    • Criteria. The criteria describe what is being measured. Create criteria with sufficient detail to allow the reviewers to fully understand what is being measured and to evaluate it. Criteria can be objective or subjective. Use three to five criteria per measurement category.
    • Measurement category weights. Not all your measurement categories may be of equal importance to you; this area allows you to give greater weight to a measurement category when compiling the overall score.
    • Rating. Reviewers will be asked to assign a score to each criteria using a 1 to 5 scale.
    • Comments. A good scorecard will include a place for reviewers to provide additional information regarding the rating, or other items that are relevant to the scorecard.

    An overall score is calculated based on the rating for each criteria and the measurement category weights.

    Step 2.3 – Scorecards and feedback (cont'd)

    Design a two-way feedback loop with your vendors

    Goals and objectives

    Scorecards can be used for a variety of reasons. Some of the common ones are:

    • Improving vendor performance.
    • Conveying expectations to the vendor.
    • Identifying and recognizing top vendors.
    • Increasing alignment between the parties.
    • Improving communication with the vendor.
    • Comparing vendors across the same criteria.
    • Measuring items not included in contract metrics.
    • Identifying vendors for "strategic alliance" consideration.
    • Helping the organization achieve specific goals and objectives.

    Identifying and resolving issues before they impact performance or the relationship.

    Identifying your scorecard drivers first will help you craft a suitable scorecard.

    Step 2.3 – Scorecards and feedback (cont'd)

    Design a two-way feedback loop with your vendors

    Info-Tech recommends starting with simple scorecards to allow you and the vendors to acclimate to the new process and information. As you build your scorecards, keep in mind that internal personnel will be scoring the vendors and the vendors will be reviewing the scorecard. Make your scorecard easy for your personnel to fill out, and containing meaningful content to drive the vendor in the right direction. You can always make the scorecard more complex in the future.

    Our recommendation of five categories is provided below. Choose three to five of the categories that help you accomplish your scorecard goals and objectives:

    1. Timeliness – Responses, resolutions, fixes, submissions, completions, milestones, deliverables, invoices, etc.
    2. Cost – Total cost of ownership, value, price stability, price increases/decreases, pricing models, etc.
    3. Quality – Accuracy, completeness, mean time to failure, bugs, number of failures, etc.
    4. Personnel – Skilled, experienced, knowledgeable, certified, friendly, trustworthy, flexible, accommodating, etc.
    5. Risk – Adequate contractual protections, security breaches, lawsuits, finances, audit findings, etc.

    Some criteria may be applicable in more than one category. The categories above should cover at least 80% of the items that are important to your organization. The general criteria listed for each category is not an exhaustive list, but most things break down into time, money, quality, people, and risk issues.

    Step 2.3 – Scorecards and feedback (cont'd)

    Design a two-way feedback loop with your vendors

    Additional Considerations

    • Even a good rating system can be confusing. Make sure you provide some examples or a way for reviewers to discern the differences between a 1, 2, 3, 4, and 5. Don't assume your "rating key" will be intuitive.
    • When assigning weights, don't go lower than 10% for any measurement category. If the weight is too low, it won't be relevant enough to have an impact on the total score. If it doesn't "move the needle", don't include it.
    • Final sign-off on the scorecard template should occur outside the VMI. The heavy lifting can be done by the VMI to create it, but the scorecard is for the benefit of the organization overall, and those impacted by the vendors specifically. You may end up playing arbiter or referee, but the scorecard is not the exclusive property of the VMI. Try to reach consensus on your final template whenever possible.
    • You should notice improved ratings and total scores over time for your vendors. One explanation for this is the Pygmalion Effect: "The Pygmalion [E]ffect describes situations where someone's high expectations improves our behavior and therefore our performance in a given area. It suggests that we do better when more is expected of us."* Convey your expectations and let the vendors' competitive juices take over.
    • While creating your scorecard and materials to explain the process to internal personnel, identify those pieces that will help you explain it to your vendors during vendor orientation (see Steps 2.6 and 3.4). Leveraging pre-existing materials is a great shortcut.

    *Source: The Decision Lab, n.d.

    Step 2.3 – Scorecards and feedback (cont'd)

    Design a two-way feedback loop with your vendors

    Vendor Feedback

    After you've built your scorecard, turn your attention to the second half of the equation – feedback from the vendor. A communication loop cannot be successful without dialogue flowing both ways. While this can happen with just a scorecard, a mechanism specifically geared toward the vendor providing you with feedback improves communication, alignment, and satisfaction.

    You may be tempted to create a formal scorecard for the vendor to use; avoid that temptation until later in your maturity or development of the VMI. You'll be implementing a lot of new processes, deploying new tools and templates, and getting people to work together in new ways. Work on those things first.

    For now, implement an informal process for obtaining information from the vendor. Start by identifying information that you will find useful – information that will allow you to improve overall, to reduce waste or time, to improve processes, to identify gaps in skills. Incorporate these items into your business alignment meetings (see Steps 2.4 and 3.5). Create three to five good questions to ask the vendor and include these in the business alignment meeting agenda. The goal is to get meaningful feedback, and that starts with asking good questions.

    Keep it simple at first. When the time is right, you can build a more formal feedback form or scorecard. Don't be in a rush; as long as the informal method works, keep using it.

    2.3.1 – Scorecards and feedback

    30 – 60 Minutes

    1. Meet with the participants and brainstorm ideas for your scorecard measurement categories:
      1. What makes a vendor valuable to your organization?
      2. What differentiates a "good" vendor from a "bad" vendor?
      3. What items would you like to measure and provide feedback on to the vendor to improve performance, the relationship, risk, and other areas?
    2. Select three, but no more than five, of the following measure categories: timeliness, cost, quality, personnel, and risk.
    3. Within each measurement category, list two or three criteria that you want to measure and track for your vendors. Choose items that are as universal as possible rather than being applicable to one vendor or one vendor type.
    4. Assign a weight to each measurement category, ensuring that the total weight is 100% for all measurement categories.
    5. Document your results as you go in Phase 2 Tools and Templates Compendium – Tab 2.3 Scorecard.

    Input

    • Brainstorming

    Output

    • Configured Scorecard template

    Materials

    • Phase 2 Tools and Templates Compendium – Tab 2.3 Scorecard

    Participants

    • VMI team
    • Applicable stakeholders and executives (as needed)

    Download the Info-Tech Phase 2 Tools and Templates Compendium

    2.3.2 – Scorecards and feedback

    15 to 30 Minutes

    1. Meet with the participants and brainstorm ideas for feedback to seek from your vendors during your business alignment meetings. During the brainstorming, identify questions to ask the vendor about your organization that will:
      1. Help you improve the relationship.
      2. Help you improve your processes or performance.
      3. Help you improve ongoing communication.
      4. Help you evaluate your personnel.
    2. Identify the top five questions you want to include in your business alignment meeting agenda. (Note: you may need to refine the actual questions from the brainstorming activity before they are ready to include in your business alignment meeting agenda.)
    3. Document both your brainstorming activity and your final results in Phase 2 Tools and Templates Compendium – Tab 2.3 Feedback. The brainstorming questions can be used in the future as your VMI matures and your feedback transforms from informal to formal. The results will be used in Steps 2.4 and 3.5.

    Input

    • Brainstorming

    Output

    • Feedback questions to include with the business alignment meeting agenda

    Materials

    • Phase 2 Tools and Templates Compendium – Tab 2.3 Feedback

    Participants

    • VMI team
    • Applicable stakeholders and executives (as needed)

    Download the Info-Tech Phase 2 Tools and Templates Compendium

    Step 2.4 – Business alignment meeting agenda

    Craft an agenda that meets the needs of the VMI

    A business alignment meeting (BAM) is a multi-faceted tool to ensure the customer and the vendor stay focused on what is important to the customer at a high level. BAMs are not traditional operational meetings where the parties get into the details of the contracts, deal with installation problems, address project management issues, or discuss specific cost overruns. The focus of the BAM is the scorecard (see Step 2.3), but other topics are discussed, and other purposes are served. For example:

    • You can use the BAM to develop the relationship with the vendor's leadership team so that if escalation is ever needed, your organization is more than just a name on a spreadsheet or customer list.
    • You can learn about innovations the vendor is working on (without the meeting turning into a sales call).
    • You can address high-level performance trends and request corrective action as needed.
    • You can clarify your expectations.
    • You can educate the vendor about your industry, culture, and organization.
    • You can learn more about the vendor.

    As you build your BAM Agenda, someone in your organization may say, "Oh, that's just a quarterly business review (QBR) or top-to-top meeting." In most instances, an existing QBRs or top-to-top meeting is not the same as a BAM. Using the term QBR or top-to-top meeting instead of BAM can lead to confusion internally. The VMI may say to the business unit, procurement, or another department, "We're going to start running some QBRs for our strategic vendors." The typical response is, "There's no need; we already run QBRs/top-to-top meetings with our important vendors." This may be accompanied by an invitation to join their meeting, where you may be an afterthought, have no influence, and get five minutes at the end to talk about your agenda items. Keep your BAM separate so that it meets your needs.

    Step 2.4 – Business alignment meeting agenda (cont'd)

    Craft an agenda that meets the needs of the VMI

    As previously noted, using the term BAM more accurately depicts the nature of the VMI meeting and prevents confusion internally with other meetings already occurring. In addition, hosting the BAM yourself rather than piggybacking onto another meeting ensures that the VMI's needs are met. The VMI will set and control the BAM agenda and determine the invite list for internal personnel and vendor personnel. As you may have figured out by now, having the right customer and vendor personnel attend will be essential.

    BAMs are conducted at the vendor level, not the contract level. As a result, the frequency of the BAMs will depend on the vendor's classification category (see Steps 2.1 and 3.1). General frequency guidelines are provided below, but they can be modified to meet your goals:

    • Commodity vendors – Not applicable
    • Operational vendors – Biannually or annually
    • Strategic vendors – Quarterly
    • Tactical vendors – Quarterly or biannually

    BAMs can help you achieve some additional benefits not previously mentioned:

    • Foster a collaborative relationship with the vendor.
    • Avoid erroneous assumptions by the parties.
    • Capture and provide a record of the relationship (and other items) over time.

    Step 2.4 – Business alignment meeting agenda (cont'd)

    Craft an agenda that meets the needs of the VMI

    As with any meeting, building the proper agenda will be one of the keys to an effective and efficient meeting. A high-level BAM agenda with sample topics is set out below:

    BAM Agenda

    • Opening remarks
      • Welcome and introductions
      • Review of previous minutes
    • Active discussion
      • Review of open issues
      • Scorecard and feedback
      • Current status of projects to ensure situational awareness by the vendor
      • Roadmap/strategy/future projects
      • Accomplishments
    • Closing remarks
      • Reinforce positives (good behavior, results, and performance, value added, and expectations exceeded)
      • Recap
    • Adjourn

    2.4.1 – Business alignment meeting agenda

    20 – 45 Minutes

    1. Meet with the participants and review the sample agenda in Phase 2 Tools and Templates Compendium – Tab 2.4 BAM Agenda.
    2. Using the sample agenda as inspiration and brainstorming activities as needed, create a BAM agenda tailored to your needs.
      1. Select the items from the sample agenda applicable to your situation.
      2. Add any items required based on your brainstorming.
      3. Add the feedback questions identified during Activity 2.3.2 and documented in Phase 2 Tools and Templates Compendium – Tab 2.3 Feedback.
    3. Gain input and approval from sponsors, stakeholders, and executives as required or appropriate.
    4. Document the final BAM agenda in Phase 2 Tools and Templates Compendium –Tab 2.4 BAM Agenda.

    Input

    • Brainstorming
    • Phase 2 Tools and Templates Compendium – Tab 2.3 Feedback

    Output

    • Configured BAM agenda

    Materials

    • Phase 2 Tools and Templates Compendium – Tab2 .4 BAM Agenda

    Participants

    • VMI team
    • Applicable stakeholders and executives (as needed)

    Download the Info-Tech Phase 2 Tools and Templates Compendium

    Step 2.5 – Relationship alignment document

    Draft a document to convey important VMI information to your vendors

    Throughout this blueprint, alignment is mentioned directly (e.g. business alignment meetings [Steps 2.4 and 3.3]) or indirectly implied. Ensuring you and your vendors are on the same page, have clear and transparent communication, and understand each other's expectations is critical to fostering strong relationships. One component of gaining and maintaining alignment with your vendors is the Relationship Alignment Document (RAD). Depending upon the Scope of your VMI and what your organization already has in place, your RAD will fill in the gaps on various topics.

    Early in the VMI's maturation, the easiest approach is to develop a short document (1 one page) or a pamphlet (i.e. the classic trifold) describing the rules of engagement when doing business with your organization. The RAD can convey expectations, policies, guidelines, and other items. The scope of the document will depend on:

    1. What you believe is important for the vendors to understand.
    2. Any other similar information already provided to the vendors.

    The first step to drafting a RAD is to identify what information vendors need to know to stay on your good side. You may want vendors to know about your gift policy (e.g. employees may not accept vendor gifts above a nominal value, such as a pen or mousepad). Next, compare your list of what vendors need to know and determine if the content is covered in other vendor-facing documents such as a vendor code of conduct or your website's vendor portal. Lastly, create your RAD to bridge the gap between what you want and what is already in place. In some instances, you may want to include items from other documents to reemphasize them with the vendor community.

    Info-Tech Insight

    The RAD can be used with all vendors regardless of classification category. It can be sent directly to the vendors or given to them during vendor orientation (see Step 3.3)

    2.5.1 – Relationship alignment document

    1 to 4 Hours

    1. Meet with the participants and review the RAD sample and checklist in Phase 2 Tools and Templates Compendium – Tab 2.5 Relationship Alignment Doc.
    2. Determine:
      1. Whether you will create one RAD for all vendors or one RAD for strategic vendors and another RAD for tactical and operational vendors; whether you will create a RAD for commodity vendors.
      2. The concepts you want to include in your RAD(s).
      3. The format for your RAD(s) – traditional, pamphlet, or other.
      4. Whether signoff or acknowledgement will be required by the vendors.
    3. Draft your RAD(s) and work with other internal areas, such as Marketing to create a consistent brand for the RADS, and Legal to ensure consistent use and preservation of trademarks or other intellectual property rights and other legal issues.
    4. Review other vendor-facing documents (e.g. supplier code of conduct, onsite safety and security protocols) for consistencies between them and the RAD(s).
    5. Obtain signoff on the RAD(s) from stakeholders, sponsors, executives, Legal, Marketing, and others as needed.

    Input

    • Brainstorming
    • Vendor-facing documents, policies, and procedures

    Output

    • Completed Relationship Alignment Document(s)

    Materials

    • Phase 2 Tools and Templates Compendium – Tab 2.5 Relationship Alignment Doc

    Participants

    • VMI team
    • Marketing, as needed
    • Legal, as needed

    Download the Info-Tech Phase 2 Tools and Templates Compendium

    Step 2.6 – Vendor orientation

    Create a VMI awareness process to build bridges with your vendors

    Your organization is unique. It may have many similarities with other organizations, but your culture, risk tolerance, mission, vision, and goals, finances, employees, and "customers" (those that depend on you) make it different. The same is true of your VMI. It may have similar principles, objectives, and processes to other organizations' VMIs, but yours is still unique. As a result, your vendors may not fully understand your organization and what vendor management means to you.

    Vendor orientation is another means to helping you gain and maintain alignment with your important vendors, educate them on what is important to you, and provide closure when/if the relationship with the vendor ends. Vendor orientation is comprised of three components, each with a different function:

    • Orientation
    • Reorientation
    • Debrief

    Vendor orientation focuses on the vendor management pieces of the puzzle (e.g. the scorecard process) rather than the operational pieces (e.g. setting up a new vendor in the system to ensure invoices are processed smoothly).

    Step 2.6 – Vendor orientation (cont'd)

    Create a VMI awareness process to build bridges with your vendors

    Reorientation

    • Reorientation is either identical or similar to orientation, depending upon the circumstances. Reorientation occurs for several reasons, and each reason will impact the nature and detail of the reorientation content. Reorientation occurs whenever:
    • There is a significant change in the vendor's products or services.
    • The vendor has been through a merger, acquisition, or divestiture.
    • A significant contract renewal/renegotiation has recently occurred.
    • Sufficient time has passed from orientation; commonly 2 to 3 years.
    • The vendor has been placed in a "performance improvement plan" or "relationship improvement plan" protocol.
    • Significant turnover has occurred within your organization (executives, key stakeholders, and/or VMI personnel).
    • Substantial turnover has occurred at the vendor at the executive or account management level.
    • The vendor has changed vendor classification categories after the most current classification.
    • As the name implies, the goal is to refamiliarize the vendor with your current VMI situation, governances, protocols, and expectations. The drivers for reorientation will help you determine the reorientation's scope, scale, and frequency.

    Step 2.6 – Vendor orientation (cont'd)

    Create a VMI awareness process to build bridges with your vendors

    Debrief

    To continue the analogy from orientation, debrief is like an exit interview for an employee when their employment is terminated. In this case, debrief occurs when the vendor is no longer an active vendor with your organization - all contracts have terminated or expired, and no new business with the vendor is anticipated within the next three months.

    Similar to orientation and reorientation, debrief activities will be based on the vendor's classification category within the COST model. Strategic vendors don't go away very often; usually, they transition to operational or tactical vendors first. However, if a strategic vendor is no longer providing products or services to you, dig a little deeper into their experiences and allocate extra time for the debrief meeting.

    The debrief should provide you with feedback on the vendor's experience with your organization and their participation in your VMI. Additionally, it can provide closure for both parties since the relationship is ending. Be careful that the debrief does not turn into a finger-pointing meeting or therapy session for the vendor. It should be professional and productive; if it is going off the rails, terminate the meeting before more damage can occur.

    End the debrief on a high note if possible. Thank the vendor, highlight its key contributions, and single out any personnel who went above and beyond. You never know when you will be doing business with this vendor again – don't burn bridges!

    Step 2.6 – Vendor orientation (cont'd)

    Create a VMI awareness process to build bridges with your vendors

    As you create your vendor orientation materials, focus on the message you want to convey.

    • For orientation and reorientation:
      • What is important to you that vendors need to know?
      • What will help the vendors understand more about your organization and your VMI?
      • What and how are you different from other organizations overall, and in your "industry"?
      • What will help them understand your expectations?
      • What will help them be more successful?
      • What will help you build the relationship?
    • For debrief:
      • What information or feedback do you want to obtain?
      • What information or feedback to you want to give?

    The level of detail you provide strategic vendors during orientation and reorientation may be different from the information you provide tactical and operational vendors. Commodity vendors are not typically involved in the vendor orientation process. The orientation meetings can be conducted on a one-to-one basis for strategic vendors and a one-to-many basis for operational and tactical vendors; reorientation and debrief are best conducted on a one-to-one basis. Lastly, face-to-face or video meetings work best for vendor orientation; voice-only meetings, recorded videos, or distributing only written materials seldom hit their mark or achieve the desired results.

    Step 2.7 – Three-year roadmap

    Plot your path at a high level

    1. The VMI exists in many planes concurrently:
    2. It operates both tactically and strategically.

    It focuses on different timelines or horizons (e.g., the past, the present, and the future). Creating a three-year roadmap facilitates the VMI's ability to function effectively across these multiple landscapes.

    The VMI roadmap will be influenced by many factors. The work product from Phase 1 – Plan, input from executives, stakeholders, and internal clients, and the direction of the organization are great sources of information as you begin to build your roadmap.

    To start, identify what you would like to accomplish in year 1. This is arguably the easiest year to complete: budgets are set (or you have a good idea what the budget will look like), personnel decisions have been made, resources have been allocated, and other issues impacting the VMI are known with a higher degree of certainty than any other year. This does not mean things won't change during the first year of the VMI, but expectations are usually lower, and the short event horizon makes things more predictable during the year-1 ramp-up period.

    Years 2 and 3 are more tenuous, but the process is the same: identify what you would like to accomplish or roll out in each year. Typically, the VMI maintains the year-1 plan into subsequent years and adds to the scope or maturity. For example, you may start year 1 with BAMs and scorecards for three of your strategic vendors; during year 2, you may increase that to five vendors; and during year 3, you may increase that to nine vendors. Or, you may not conduct any market research during year 1, waiting to add it to your roadmap in year 2 or 3 as you mature.

    Breaking things down by year helps you identify what is important and the timing associated with your priorities. A conservative approach is recommended. It is easy to overcommit, but the results can be disastrous and painful.

    2.7.1 – Three-year roadmap

    45 – 90 Minutes

    1. Meet with the participants and decide how to coordinate year 1 of your three-year roadmap with your existing fiscal year or reporting year. Year 1 may be shorter or longer than a calendar year.
    2. Review the VMI activities listed in Phase 2 Tools and Templates Compendium – Tab 2.7 Three-year roadmap. Use brainstorming and your prior work product from Phase 1 and Phase 2 to identify additional items for the roadmap and add them at the bottom of the spreadsheet.
    3. Starting with the first activity, determine when that activity will begin and put an X in the corresponding column; if the activity is not applicable, leave it blank or insert N/A.
    4. Go back to the top of the list and add information as needed.
      1. For any year-1 or year-2 activities, add an X in the corresponding columns if the activity will be expanded/continued in subsequent periods (e.g., if a Year 2 activity will continue in year 3, put an X in year 3 as well).
      2. Use the comments column to provide clarifying remarks or additional insights related to your plans or "X's". For example, "Scorecards begin in year 1 with three vendors and will roll out to five vendors in year 2 and nine vendors in year 3."
    5. Obtain signoff from stakeholders, sponsors, and executives as needed.

    Input

    • Phase 1 work product
    • Steps 2.1 – 2.6 work product
    • Brainstorming

    Output

    • High level three-year roadmap for the VMI

    Materials

    • Phase 2 Tools and Templates Compendium – Tab 2.7 Three-Year Roadmap

    Participants

    • VMI team
    • Applicable stakeholders and executives (as needed)

    Download the Info-Tech Phase 2 Tools and Templates Compendium

    Step 2.8 – 90-day plan

    Pave your short-term path with a series of detailed quarterly plans

    Now that you have prepared a three-year roadmap, it's time to take the most significant elements from the first year and create action plans for each three-month period. Your first 90-day plan may be longer or shorter if you want to sync to your fiscal or calendar quarters. Aligning with your fiscal year can make it easier for tracking and reporting purposes; however, the more critical item is to make sure you have a rolling series of four 90-day plans to keep you focused on the important activities and tasks throughout the year.

    The 90-day plan is a simple project plan that will help you measure, monitor, and report your progress. Use the Info-Tech tool to help you track:

    Activities.

    • Tasks comprising each activity.
    • Who will be performing the tasks.
    • An estimate of the time required per person per task.
    • An estimate of the total time to achieve the activity.
    • A due date for the activity.
    • A priority of the activity.

    The first 90-day plan will have the greatest level of detail and should be as thorough as possible; the remaining three 90-day plans will each have less detail for now. As you approach the middle of the first 90-day plan, start adding details to the next 90-day plan; toward the end of the first quarter add a high-level 90-day plan to the end of the chain. Continue repeating this cycle each quarter and consult the three-year roadmap and the leadership team, as necessary.

    2.8.1 – 90-day plan

    45 – 90 Minutes

    1. Meet with the participants and decide how to coordinate the first "90-day" plan with your existing fiscal year or reporting cycles. Your first plan may be shorter or longer than 90 days.
    2. Looking at the year-1 section of the three-year roadmap, identify the activities that will be started during the next 90 days.
    3. Using the Phase 2 Tools and Templates Compendium – Tab 2.8 90-Day Plan, enter the following information into the spreadsheet for each activity to be accomplished during the next 90 days:
      1. Activity description.
      2. Tasks required to complete the activity (be specific and descriptive).
      3. The people who will be performing each task.
      4. The estimated number of hours required to complete each task.
      5. The start date and due date for each task or the activity.
    4. Validate the tasks are a complete list for each activity and the people performing the tasks have adequate time to complete the tasks by the due date(s).
    5. Assign a priority to each Activity.

    Input

    • Three-Year Roadmap
    • Phase 1 work product
    • Steps 2.1 – 2.7 work product
    • Brainstorming

    Output

    • Detailed plan for the VMI for the next quarter or "90" days

    Materials

    • Phase 2 Tools and Templates Compendium – Tab 2.8 90-Day Plan

    Participants

    • VMI team
    • Applicable stakeholders and executives (as needed)

    Download the Info-Tech Phase 2 Tools and Templates Compendium

    Step 2.9 – Quick wins

    Identify potential short-term successes to gain momentum and show value immediately

    As the final step in the timeline trilogy, you are ready to identify some quick wins for the VMI. Using the first 90-day plan and a brainstorming activity, create a list of things you can do in 15 to 30 days that add value to your initiative and build momentum.

    As you evaluate your list of potential candidates, look for things that:

    • Are achievable within the stated timeline.
    • Don't require a lot of effort.
    • Involve stopping a certain process, activity, or task; this is sometimes known as a "stop doing stupid stuff" approach.
    • Will reduce or eliminate inefficiencies; this is sometimes known as the war on waste.
    • Have a moderate to high impact or bolster the VMI's reputation.

    As you look for quick wins, you may find that everything you identify does not meet the criteria. That's okay; don't force the issue. Return your focus to the 90-day plan and three-year roadmap and update those documents if the brainstorming activity associated with Step 2.9 identified anything new.

    2.9.1 – Quick wins

    15 - 30 Minutes

    1. Meet with the participants and review the three-year roadmap and 90-day plan. Determine if any item on either document can be completed:
      1. Quickly (30 days or less).
      2. With minimal effort.
      3. To provide or show moderate to high levels of value or provide the VMI with momentum.
    2. Brainstorm to identify any other items that meet the criteria in step 1 above.
    3. Compile a comprehensive list of these items and select up to five to pursue.
    4. Document the list in the Phase 2 Tools and Templates Compendium – Tab 2.9 Quick Wins.
    5. Manage the quick wins list and share the results with the VMI team and applicable stakeholders and executives.

    Input

    • Three-Year Roadmap
    • 90-Day Plan
    • Brainstorming

    Output

    • A list of activities that require low levels of effort to achieve moderate to high levels of value in a short period

    Materials

    • Phase 2 Tools and Templates Compendium – Tab 2.9 Quick Wins

    Participants

    • VMI team

    Download the Info-Tech Phase 2 Tools and Templates Compendium

    Step 2.10 – Reports

    Construct your reports to resonate with your audience

    Issuing reports is a critical piece of the VMI since the VMI is a conduit of information for the organization. It may be aggregating risk data from internal areas, conducting vendor research, compiling performance data, reviewing market intelligence, or obtaining relevant statistics, feedback, comments, facts, and figures from other sources. Holding onto this information minimizes the impact a VMI can have on the organization; however, the VMI's internal clients, stakeholders, and executives can drown in raw data and ignore it completely if it is not transformed into meaningful, easily-digested information.

    Before building a report, think about your intended audience:

    • What information are they looking for? What will help them understand the big picture?
    • What level of detail is appropriate, keeping in mind the audience may not be like-minded?
    • What items are universal to all the readers and what items are of interest to one or two readers?
    • How easy or hard will it be to collect the data? Who will be providing it, and how time consuming will it be?
    • How accurate, valid, and timely will the data be?
    • How frequently will each report need to be issued?

    Step 2.10 – Reports (cont'd)

    Construct your reports to resonate with your audience

    Use the following guidelines to create reports that will resonate with your audience:

    • Value information over data, but sometimes data does have a place in your report.
    • Use pictures, graphics, and other representations more than words, but words are often necessary in small, concise doses.
    • Segregate your report by user; for example, general information up top, CIO information below that on the right, CFO information to the left of CIO information, etc.
    • Send a draft report to the internal audience and seek feedback, keeping in mind you won't be able to cater to or please everyone.

    2.10.1 – Reports

    15 – 45 Minutes

    1. Meet with the participants and review the applicable work product from Phase 1 and Phase 2; identify qualitative and quantitative items the VMI measures, monitors, tracks, or aggregates.
    2. Determine which items will be reported and to whom (by category):
      1. Internally to personnel within the VMI.
      2. Internally to personnel outside the VMI.
      3. Externally to vendors.
    3. Within each category above, determine your intended audiences/recipients. For example, you may have a different list of recipients for a risk report than you do a scorecard summary report. This will help you identify the number of reports required.
    4. Create a draft structure for each report based on the audience and the information being conveyed. Determine the frequency of each report and person responsible for creating for each report.
    5. Document your final choices in Phase 2 Tools and Templates Compendium – Tab 2.10 Reports.

    Input

    • Brainstorming
    • Phase 1 work product
    • Steps 2.1 – 2.11 work product

    Output

    • A list of reports used by the VMI
    • For each report
      • The conceptual content
      • A list of who will receive or have access
      • A creation/distribution frequency

    Materials

    • Phase 2 Tools and Templates Compendium – Tab 2.10 Reports

    Participants

    • VMI team
    • Applicable stakeholders and executives (as needed)

    Download the Info-Tech Phase 2 Tools and Templates Compendium

    Phase 3 - Run

    Implement your processes and leverage your tools and templates

    Phase 1

    Phase 2Phase 3Phase 4

    1.1 Mission Statement and Goals

    1.2 Scope

    1.3 Strengths and Obstacles

    1.4 Roles and Responsibilities

    2.1 Classification Model

    2.2 Risk Assessment Tool

    2.3 Scorecards and Feedback

    2.4 Business Alignment Meeting Agenda

    2.5 Relationship Alignment Document

    2.6 Vendor Orientation

    2.7 3-Year Roadmap

    2.8 90-Day Plan

    2.9 Quick Wins

    2.10 Reports

    3.1 Classify Vendors

    3.2 Compile Scorecards

    3.3 Conduct Business Alignment Meetings

    3.4 Work the 90-Day Plan

    3.5 Manage the 3-Year Roadmap

    3.6 Develop/Improve Vendor Relationships

    4.1 Incorporate Leading Practices

    4.2 Leverage Lessons Learned

    4.3 Maintain Internal Alignment

    This phase will walk you through the following activity:

    • Beginning to operate the VMI. The main outcomes from this phase are guidance and the steps required to initiate your VMI.

    This phase involves the following participants:

    • VMI team
    • Applicable stakeholders and executives
    • Others as needed

    Vendor Management Initiative Basics for the Small/Medium Businesses

    Phase 3 – Run

    Implement your processes and leverage your tools and templates

    All the hard work invested in Phase 1 – Plan and Phase 2 – Build begins to pay off in Phase 3 – Run. It's time to stand up your VMI and ensure that the proper level of resources is devoted to your vendors and the VMI itself. There's more hard work ahead, but the foundational elements are in place. This doesn't mean there won't be adjustments and modifications along the way, but you are ready to use the tools and templates in the real world; you are ready to begin reaping the fruits of your labor.

    Phase 3 – Run guides you through the process of collecting data, monitoring trends, issuing reports, and conducting effective meetings to:

    • Manage risk better.
    • Improve vendor performance.
    • Improve vendor relationships.
    • Identify areas where the parties can improve.
    • Improve communication between the parties.
    • Increase the value proposition with your vendors.

    Step 3.1 – Classify vendors

    Begin classifying your top 25 vendors by spend

    Step 3.1 sets the table for many of the subsequent steps in Phase 3 – Run. The results of your classification process will determine which vendors go through the scorecarding process (Step 3.2); which vendors participate in BAMs (Step 3.3), and which vendors you will devote relationship-building resources to (Step 3.6).

    As you begin classifying your vendors, Info-Tech recommends using an iterative approach initially to validate the results from the classification model you configured in Step 2.1.

    1. Identify your top 25 vendors by spend.
    2. Run your top 10 vendors by spend through the classification model and review the results.
      1. If the results are what you expected and do not contain any significant surprises, go to 3. on the next page.
      2. If the results are not what you expected or do contain significant surprises, look at the configuration page of the tool (Tab 1) and adjust the weights or the spend categories slightly. Be cautious in your evaluation of the results before modifying the configuration page - some legitimate results are unexpected, or are surprises based on bias. If you modify the weighting, review the new results and repeat your evaluation. If you modify the spend categories, review the answers on the vendor tabs to ensure that the answers are still accurate; review the new results and repeat your evaluation.

    Step 3.1 – Classify vendors (cont'd)

    Review your results and adjust the classification tool as needed

    1. Run your top 11-through-25 vendors by spend through the classification model and review the results. Identify any unexpected results. Determine if further configuration makes sense and repeat the process outlined in 2.b., previous page, as necessary. If no further modifications are required, continue to 4., below.
    2. Share the preliminary results with the leadership team, executives, and stakeholders to obtain their approval or adjustments to the results.
      1. They may have questions and want to understand the process before approving the results.
      2. They may request that you move a vendor from one quadrant to another based on your organization's roadmap, the vendor's roadmap, or other information not available to you.
    3. Identify the vendors that will be part of the VMI at this stage – how many and which ones. Based on this number and the VMI's scope (Step 1.2), make sure you have the resources necessary to accommodate the number of vendors participating in the VMI. Proceed cautiously and gradually increase the number of vendors participating in the VMI.

    Step 3.1 – Classify vendors (cont'd)

    Finalize the results and update VMI tools and templates

    1. Update the vendor inventory tool (Step 1.7) to indicate the current classification status for the top 25 vendors by spend. Once your vendors have been classified, you can sort the vendor inventory tool by classification status to see all the vendors in that category at once.
    2. Review your three-year roadmap (Step 2.9) and 90-day plans (Step 2.6) to determine if any modifications are needed to the activities and timelines.

    Additional classification considerations:

    • You should only have a few vendors that fit in the strategic category. As a rough guideline, no more than 5% to 10% of your IT vendors should end up in the strategic category. If you have many vendors, even 5% may be too many. the classification model is an objective start to the classification process, but common sense must prevail over the "math" at the end of the day.
    • At this point, there is no need to go beyond the top 25 by spend. Most VMIs starting out can't handle more than three to five strategic vendors initially. Allow the VMI to run a pilot program with a small sample size, work out any bugs, make adjustments, and then ramp up the VMI's rollout in waves. Vendors can be added quarterly, biannually, or annually, depending upon the desired goals and available resources.

    Step 3.1 – Classify vendors (cont'd)

    Align your vendor strategy to your classification results

    As your VMI matures, additional vendors will be part of the VMI. Review the table below and incorporate the applicable strategies into your deployment of vendor management principles over time. Stay true to your mission, goals, and scope, and remember that not all your vendors are of equal importance.

    Operational

    Strategic
    • Focus on spend containment
    • Concentrate on lowering total cost of ownership
    • Invest moderately in cultivating the relationship
    • Conduct BAMs biannually or annually
    • Compile scorecards quarterly or biannually
    • Identify areas for performance and cost improvement
    • Focus on value, collaboration, and alignment
    • Review market intelligence for the vendor's industry
    • Invest significantly in cultivating the relationship
    • Initiate executive-to-executive relationships
    • Conduct BAMs quarterly
    • Compile scorecards quarterly
    • Understand how the vendors view your organization

    Commodity

    Tactical
    • Investigate vendor rationalization and consolidation
    • Negotiate for the best-possible price
    • Leverage competition during negotiations
    • Streamline the purchasing and payment process
    • Allocate minimal VMI resources
    • Assign the lowest priority for vendor management metrics
    • Conduct risk assessments biannually or annually
    • Cultivate a collaborative relationship based on future growth plans or potential with the vendor
    • Conduct BAMs quarterly or biannually
    • Compile scorecards quarterly
    • Identify areas of performance improvement
    • Leverage innovation and creative problem solving

    Step 3.1 – Classify vendors (cont'd)

    Be careful when using the word "partner" with your strategic and other vendors

    For decades, vendors have used the term "partner" to refer to the relationship they have with their clients and customers. This is often an emotional ploy used by the vendors to get the upper hand. To fully understand the terms "partner" and "partnership", let's evaluate them through two more objective, less cynical lenses.

    If you were to talk to your in-house or outside legal counsel, you may be told that partners share in profits and losses, and they have a fiduciary obligation to each other. Unless there is a joint venture between the parties, you are unlikely to have a partnership with a vendor from this perspective.

    What about a "business" partnership — one that doesn't involve sharing profits and losses? What would that look like? Here are some indicators of a business partnership (or preferably a strategic alliance):

    • Trust and transparent communication exist.
    • You have input into the vendor's roadmap for products and services.
    • The vendor is aligned with your desired outcomes and helps you achieve success.
    • You and the vendor are accountable for actions and inactions, with both parties being at risk.
    • There is parity in the peer-to-peer relationships between the organizations (e.g. C-Level to C-Level).
    • The vendor provides transparency in pricing models and proactively suggests ways for you to reduce costs.
    • You and the vendor work together to make each party better, providing constructive feedback on a regular basis.
    • The vendor provides innovative suggestions for you to improve your processes, performance, the bottom line, etc.
    • Negotiations are not one-sided; they are meaningful and productive, resulting in an equitable distribution of money and risk.

    Step 3.1 – Classify vendors (cont'd)

    Understand the implications and how to leverage the words "partner" and "partnership"

    By now you might be thinking, "What's all the fuss? Why does it matter?" At Info-Tech, we've seen firsthand how referring to the vendor as a partner can have the following impact:

    • Confidences are disclosed unnecessarily.
    • Negotiation opportunities and leverage are lost.
    • Vendors no longer have to earn the customer's business.
    • Vendor accountability is missing due to shared responsibilities.
    • Competent skilled vendor resources are assigned to other accounts.
    • Value erodes over time since contracts are renewed without being competitively sourced.
    • One-sided relationships are established, and false assurances are provided at the highest levels within the customer organization.

    Proceed with caution when using partner or partnership with your vendors. Understand how your organization benefits from using these terms and mitigate the negatives outlined above by raising awareness internally to ensure people understand the psychology behind the terms. Finally, use the term to your advantage when warranted by referring to the vendor as a partner when you want or need something that the vendor is reluctant to provide. Bottom line: be strategic in how you refer to vendors and know the risks.

    Step 3.2 – Compile scorecards

    Begin scoring your top vendors

    The scorecard process typically is owned and operated by the VMI, but the actual rating of the criteria within the measurement categories is conducted by those with day-to-day interactions with the vendors, those using or impacted by the services and products provided by the vendors, and those with the skills to research other information on the scorecard (e.g. risk). Chances are one person will not be able to complete an entire scorecard by themselves. As a result, the scorecard process is a team sport comprised of sub-teams where necessary.

    The VMI will compile the scores, calculate the final results, and aggregate all the comments into one scorecard. There are two common ways to approach this task:

    1. Send out the scorecard template to those who will be scoring the vendor and ask them to return it when completed, providing them with a due date a few days before you need it; you'll need time to compile, calculate, and aggregate.
    2. Invite those who will be scoring the vendor to a meeting and let the contributors use that time to score the vendors; make VMI team members available to answer questions and facilitate the process.

    Step 3.2 – Compile scorecards (cont'd)

    Gather input from stakeholders and others impacted by the vendors

    Since multiple people will be involved in the scorecarding process or have information to contribute, the VMI will have to work with the reviewers to ensure he right mix of data is provided. For example:

    • If you are tracking lawsuits filed by or against the vendor, one person from Legal may be able to provide that, but they may not be able to evaluate any other criteria on the scorecard.
    • If you are tracking salesperson competencies, multiple people from multiple areas may have valuable insights.
    • If you are tracking deliverable timeliness, several project managers may want to contribute across several projects.

    Where one person is contributing exclusively to limited criteria, make it easy for them to identify the criteria they are to evaluate. When multiple people from the same functional area will provide insights, they can contribute individually (and the VMI will average their responses) or they can respond collectively after reaching consensus as a group.

    After the VMI has compiled, calculated, and aggregated, share the results with executives, impacted stakeholders, and others who will be attending the BAM for that vendor. Depending upon the comments provided by internal personnel, you may need to create a sanitized version of the scorecard for the vendor.

    Make sure your process timeline has a buffer built in. You'll be sending the final scorecard to the vendor three to five days before the BAM, and you'll need some time to assemble the results. The scorecarding process can be perceived as a low-priority activity for people outside of the VMI, and other "priorities" will arise for them. Without a timeline buffer, the VMI may find itself behind schedule and unprepared, due to things beyond its control.

    Step 3.3 – Conduct business alignment meetings

    Determine which vendors will participate and how long the meetings will last

    At their core, BAMs aren't that different from any other meeting. The basics of running a meeting still apply, but there are a few nuances that apply to BAMs. Set out below are leading practices for conducing your BAMs; adapt them to meet your needs and suit your environment.

    Who

    Initially, BAMs are conducted with the strategic vendors in your pilot program. Over time you'll add vendors until all your strategic vendors are meeting with you quarterly. After that, roll out the BAMs to those tactical and operational vendors located close to the strategic quadrant in the classification model (Steps 2.1 and 3.1) and as VMI resources allow. It may take several years before you are holding regular BAMs with all your strategic, tactical, and operational vendors.

    Duration

    Keep the length of your meetings reasonable. The first few with a vendor may need to be 60 to 90 minutes long. After that, you should be able to trim them to 45 minutes to 60 minutes. The BAM does not have to fill the entire time. When you are done, you are done.

    Step 3.3 – Conduct business alignment meetings (cont'd)

    Identify who will be invited and send out invitations

    Invitations

    Set up a recurring meeting whenever possible. Changes will be inevitable but keeping the timeline regular works to your advantage. Also, the vendors included in your initial BAMs won't change for twelve months. For the first BAM with a vendor, provide adequate notice; four weeks is usually sufficient, but calendars will fill up quickly for the main attendees from the vendor. Treat the meeting as significant and make sure your invitation reflects this. A simple meeting request will often be rejected, treated as optional, or ignored completely by the vendor's leadership team (and maybe yours as well!).

    Invitees

    Internal invitees should include those with a vested interest in the vendor's performance and the relationship. Other functional areas may be invited based on need or interest. Be careful the attendee list doesn't get too big. Based on this, internal BAM attendees often include representatives from IT, Sourcing/Procurement, and the applicable business units. At times, Finance and Legal are included.

    From the vendor's side, strive to have decision makers and key leaders attend. The salesperson/account manager is often included for continuity, but a director or vice president of sales will have more insights and influence. The project manager is not needed at this meeting due to the nature of the meeting and its agenda; however, a director or vice president from the product or service delivery area is a good choice. Bottom line: get as high into the vendor's organization as possible whenever possible; look at the types of contracts you have with that vendor to provide guidance on the type of people to invite.

    Step 3.3 – Conduct business alignment meetings (cont'd)

    Prepare for the Meetings and Maintain Control

    Preparation

    Send the scorecard and agenda to the vendor five days prior to the BAM. The vendor should provide you with any information you require for the meeting five days prior, as well.

    Decide who will run the meeting. Some customers like to lead, and others let the vendor present. How you craft the agenda and your preferences will dictate who runs the show.

    Make sure the vendor knows what materials they should bring to the meeting or have access to. This will relate to the agenda and any specific requests listed under the discussion points. You don't want the vendor to be caught off guard and unable to discuss a matter of importance to you.

    Running the BAM

    Regardless of which party leads, make sure you manage the agenda to stay on topic. This is your meeting – not the vendor's, not IT's, not Procurement's or Sourcing's. Don't let anyone hijack it.

    Make sure someone is taking notes. If you are running this virtually, consider recording the meeting. Check with your legal department first for any concerns, notices, or prohibitions that may impact your recording the session.

    Remember, this is not a sales call, and it is not a social activity. Innovation discussions are allowed and encouraged, but that can quickly devolve into a sales presentation. People can be friendly toward one another, but the relationship building should not overwhelm the other purposes.

    Step 3.3 – Conduct business alignment meetings (cont'd)

    Follow these additional guidelines to maximize your meetings

    More leading practices

    • Remind everyone that the conversation may include items covered by various confidentiality provisions or agreements.
    • Publish the meeting minutes on a timely basis (within 48 hours).
    • Focus on the bigger picture by looking at trends over time; get into the details only when warranted.
    • Meet internally immediately beforehand to prepare – don't go in cold. Review the agenda and the roles and responsibilities for the attendees.
    • Physical meetings are better than virtual meetings, but travel constraints, budgets, and pandemics may not allow for physical meetings.

    Final thoughts

    • When performance or the relationship is suffering, be constructive in your feedback and conversations rather than trying to assign blame; lead with the carrot rather than the stick.
    • Look for collaborative solutions whenever possible and avoid referencing the contract if possible. Communicate your willingness to help resolve outstanding issues.
    • Use inclusive language and avoid language that puts the vendor on the defensive.
    • Make sure that your meetings are not focused exclusively on the negative, but don't paint a rosy picture where one doesn't exist.
    • A vendor that is doing well should be commended. This is an important part of relationship building.

    Step 3.4 – Work the 90-day plan

    Monitor your progress and share your results

    Having a 90-day plan is a good start, but assuming the tasks on the plan will be accomplished magically or without any oversight can lead to failure. While it won't take a lot of time to work the plan, following a few basic guidelines will help ensure the 90-day plan gets results and wasn't created in vain.

    1. Measure and track your progress against the initial/current 90-day plan at least weekly; with a short timeline, any delay can have a huge impact.
    2. If adjustments are needed to any elements of the plan, understand the cause and the impact of those adjustments before making them.
    3. Make adjustments ONLY when warranted. The temptation will be to push activities and tasks further out on the timeline (or to the next 90-day plan!) when there is any sort of hiccup along the way, especially when personnel outside the VMI are involved. Hold true to the timeline whenever possible; once you start slipping, it often becomes a habit.
    4. Report on progress every week and hold people accountable for their assignments and contributions.
    5. Take the 90-day plan seriously and treat it as you would any significant project. This is part of the VMI's branding and image.

    Step 3.5 – Manage the three-year roadmap

    Keep an eye on the future since it will feed the present

    The three-year roadmap is a great planning tool, but it is not 100% reliable. There are inherent flaws and challenges. Essentially, the roadmap is a set of three "crystal balls" attempting to tell you what the future holds. The vision for year 1 may be clear, but for each subsequent year, the crystal ball becomes foggier. In addition, the timeline is constantly changing; before you know it, tomorrow becomes today and year 2 becomes year 1.

    To help navigate through the roadmap and maximize its potential, follow these principles:

    • Manage each year of the roadmap differently.
      • Review the year-1 map each quarter to update your 90-day plans (See steps 2.10 and 3.4).
      • Review the year-2 map every six months to determine if any changes are necessary. As you cycle through this, your vantage point of year 2 will be 6 months or 12 months away from the beginning of year 2, and time moves quickly.
      • Review the year-3 map annually, and determine what needs to be added, changed, or deleted. Each time you review year 3, it will be a "new" year 3 that needs to be built.
    • Analyze the impact on the proposed modifications from two perspectives: 1) What is the impact if a requested modification is made? 2) What is the impact if a requested modification is not made?
    • Validate all modifications with leadership and stakeholders before updating the three-year roadmap to ensure internal alignment.

    Step 3.6 – Develop/improve vendor relationships

    Drive better performance through better relationships

    One of the key components of a VMI is relationship management. Good relationships with your vendors provide many benefits for both parties, but they don't happen by accident. Do not assume the relationship will be good or is good merely because your organization is buying products and services from a vendor.

    In many respects, the VMI should mirror a vendor's sales organization by establishing relationships at multiple levels within the vendor organizations, not just with the salesperson or account manager. Building and maintaining relationships is hard work, but the return on investment makes it worthwhile.

    Business relationships are comprised of many components, not all of which must be present to have a great relationship. However, there are some essential components. Whether you are trying to develop, improve, or maintain a relationship with a vendor, make sure you are conscious of the following:

    • Focusing your energies on strategic vendors first and then tactical and operational vendors.
    • Being transparent and honest in your communications.
    • Continuously building trust by being responsive and honoring commitments (timely).
    • Creating a collaborative environment and build upon common ground.
    • Thanking the vendor when appropriate.
    • Resolving disputes early, avoiding the "blame game", and being objective when there are disagreements.

    Phase 4 - Review

    Keep your VMI up to date and running smoothly

    Phase 1

    Phase 2Phase 3Phase 4

    1.1 Mission Statement and Goals

    1.2 Scope

    1.3 Strengths and Obstacles

    1.4 Roles and Responsibilities

    2.1 Classification Model

    2.2 Risk Assessment Tool

    2.3 Scorecards and Feedback

    2.4 Business Alignment Meeting Agenda

    2.5 Relationship Alignment Document

    2.6 Vendor Orientation

    2.7 3-Year Roadmap

    2.8 90-Day Plan

    2.9 Quick Wins

    2.10 Reports

    3.1 Classify Vendors

    3.2 Compile Scorecards

    3.3 Conduct Business Alignment Meetings

    3.4 Work the 90-Day Plan

    3.5 Manage the 3-Year Roadmap

    3.6 Develop/Improve Vendor Relationships

    4.1 Incorporate Leading Practices

    4.2 Leverage Lessons Learned

    4.3 Maintain Internal Alignment

    This phase will walk you through the following activity:

    • Helping the VMI identify what it should stop doing, start doing, and continue doing as it improves and matures. The main outcomes from this phase are ways to advance the VMI and maintain internal alignment.

    This phase involves the following participants:

    • VMI team
    • Applicable stakeholders and executives
    • Others as needed

    Vendor Management Initiative Basics for the Small/Medium Businesses

    Phase 4 – Review

    Keep your VMI up to date and running smoothly

    As the adage says, "The only thing constant in life is change." This is particularly true for your VMI. It will continue to mature, people inside and outside of the VMI will change, resources will expand or contract from year to year, your vendor base will change. As a result, your VMI needs the equivalent of a physical every year. In place of bloodwork, x-rays, and the other paces your physician may put you through, you'll assess compliance with your policies and procedures, incorporate leading practices, leverage lessons learned, maintain internal alignment, and update governances.

    Be thorough in your actions during this Phase to get the most out of it. It requires more than the equivalent of gauging a person's health by taking their temperature, measuring their blood pressure, and determining their body mass index. Keeping your VMI up-to-date and running smoothly takes hard work.

    Some of the items presented in this Phase require an annual review; others may require quarterly review or timely review (i.e. when things are top of mind and current). For example, collecting lessons learned should happen on a timely basis rather than annually, and classifying your vendors should occur annually rather than every time a new vendor enters the fold.

    Ultimately, the goal is to improve over time and stay aligned with other areas internally. This won't happen by accident. Being proactive in the review of your VMI further reinforces the nature of the VMI itself – proactive vendor management, not reactive!

    Step 4.1 – Incorporate leading practices

    Identify and evaluate what external VMIs are doing

    The VMI's world is constantly shifting and evolving. Some changes will take place slowly, while others will occur quickly. Think about how quickly the cloud environment has changed over the past five years versus the 15 years before that; or think about issues that have popped up and instantly altered the landscape (we're looking at you COVID and ransomware). As a result, the VMI needs to keep pace, and one of the best ways to do that is to incorporate leading practices.

    At a high level, a leading practice is a way of doing something that is better at producing a particular outcome or result or performing a task or activity than other ways of proceeding. The leading practice can be based on methodologies, tools, processes, procedures, and other items. Leading practices change periodically due to innovation, new ways of thinking, research, and other factors. Consequently, a leading practice is to identify and evaluate leading practices each year.

    Step 4.1 – Incorporate leading practices (cont'd)

    Update your VMI based on your research

    • A simple approach for incorporating leading practices into your regular review process is set out below:
    • Research:
      • What other VMIs in your industry are doing.
      • What other VMIs outside your industry are doing.
      • Vendor management in general.
    • Based on your results, list specific leading practices others are doing that would improve your VMI (be specific – e.g. other VMIs are incorporating risk into their classification process).
    • Evaluate your list to determine which of these potential changes fit or could be modified to fit your culture and environment.
    • Recommend the proposed changes to leadership (with a short business case or explanation/justification, as needed) and gain approval.

    Remember: Leading practices or best practices may not be what is best for you. In some instances, you will have to modify them to fit in your culture and environment; in other instances, you will elect not to implement them at all (in any form).

    Step 4.2 – Leverage lessons learned

    Tap into the collective wisdom and experience of your team members

    There are many ways to keep your VMI running smoothly, and creating a lessons learned library is a great complement to the other ways covered in this Phase 4 - Review. By tapping into the collective wisdom of the team and creating a safe feedback loop, the VMI gains the following benefits:

    • Documented institutional wisdom and knowledge normally found only in the team members' brains.
    • The ability for one team member to gain insights and avoid mistakes without having to duplicate the events leading to the insights or mistakes.
    • Improved methodologies, tools, processes, procedures, skills, and relationships.

    Many of the processes raised in this Phase can be performed annually, but a lessons learned library works best when the information is deposited in a timely manner. How you choose to set up your lessons learned process will depend on the tools you select and your culture. You may want to have regular input meetings to share the lessons as they are being deposited, or you may require team members to deposit lessons learned on a regular basis (within a week after they happen, monthly, or quarterly). Waiting too long can lead to vague or lost memories and specifics; timeliness of the deposits is a crucial element.

    Step 4.2 – Leverage lessons learned (cont'd)

    Create a library to share valuable information across the team

    Lessons learned are not confined to identifying mistakes or dissecting bad outcomes. You want to reinforce good outcomes, as well. When an opportunity for a lessons-learned deposit arises, identify the following basic elements:

    • A brief description of the situation and outcome.
    • What went well (if anything) and why did it go well?
    • What didn't go well (if anything) and why didn't it go well?
    • What would/could you do differently next time?
    • A synopsis of the lesson(s) learned.

    Info-Tech Insights

    The lessons learned library needs to be maintained. Irrelevant material needs to be culled periodically, and older or duplicate material may need to be archived.

    the lessons learned process should be blameless. The goal is to share insightful information, not to reward or punish people based on outcomes or results.

    Step 4.3 – Maintain internal alignment

    Review the plans of other internal areas to stay in sync

    Maintaining internal alignment is essential for the ongoing success of the VMI. Over time, it is easy to lose sight of the fact that the VMI does not operate in a vacuum; it is an integral component of a larger organization whose parts must work well together to function optimally. Focusing annually on the VMI's alignment within the enterprise helps reduce any breakdowns that could derail the organization.

    To ensure internal alignment:

    • Review the key components of the applicable materials from Phase 1 - Plan and Phase 2 - Build with the appropriate members of the leadership team (e.g. executives, sponsors, and stakeholders). Not every item from those Phases and Steps needs to be reviewed but err on the side of caution for the first set of alignment discussions, and be prepared to review each item. You can gauge the audience's interest on each topic and move quickly when necessary or dive deeper when needed. Identify potential changes required to maintain alignment.
    • Review the strategic plans (e.g. 1-, 3-, and 5- year plans) for various portions of the organization if you have access to them or gather insights if you don't have access.
      • If the VMI is under the IT umbrella, review the strategic plans for IT and its departments.
      • Review the strategic plans for the areas the VMI works with (e.g. Procurement, Business Units).
      • The organization itself.
    • Create and vet a list of modifications to the VMI and obtain approval.
    • Develop a plan for making the necessary changes.

    Summary of Accomplishment

    Problem solved

    Vendor management is a broad, often overwhelming, comprehensive spectrum that encompasses many disciplines. By now, you should have a great idea of what vendor management can or will look like in your organization. Focus on the basics first: Why does the VMI exist and what does it hope to achieve? What is it's scope? What are the strengths you can leverage, and what obstacles must you manage? How will the VMI work with others? From there, the spectrum of vendor management will begin to clarify and narrow.

    Leverage the tools and templates from this blueprint and adapt them to your needs. They will help you concentrate your energies in the right areas and on the right vendors to maximize the return on your organization's investment in the VMI of time, money, personnel, and other resources. You may have to lead by example internally and with your vendors at first, but they will eventually join you on your path if you stay true to your course.

    At the heart of a good VMI is the relationship component. Don't overlook its value in helping you achieve your vendor management goals. The VMI does not operate in a vacuum, and relationships (internal and external) will be critical.

    Lastly, seek continual improvement from the VMI and from your vendors. Both parties should be held accountable, and both parties should work together to get better. Be proactive in your efforts, and you, the VMI, and the organization will be rewarded.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech Workshop

    Contact your account representative for more information

    workshops@infotech.com
    1-888-670-8889

    Related Info-Tech Research

    Prepare for Negotiations More Effectively
    Don't leave negotiation preparations and outcomes to chance. Learn how to prepare for negotiations more effectively and improve your results.

    Understand Common IT Contract Provisions to Negotiate More Effectively
    Info-Tech's guidance and insights will help you navigate the complex process of contract review and identify the key details necessary to maximize the protections for your organization.

    Capture and Market the ROI of Your VMO
    Calculating the impact or value of a vendor management office (VMO) can be difficult without the right framework and tools. Let Info-Tech's tools and templates help you account for the contributions made by your VMO.

    Bibliography

    Slide 5 – ISG Index 4Q 2021, Information Services Group, Inc., 2022.

    Slide 6 – ISG Index 4Q 2021, Information Services Group, Inc., 2022.

    Slide 7 – Geller & Company. "World-Class Procurement — Increasing Profitability and Quality." Spend Matters. 2003. Web. Accessed 4 Mar. 2019.

    Slide 26 – Guth, Stephen. The Vendor Management Office: Unleashing the Power of Strategic Sourcing. Lulu.com, 2007. Print. Protiviti. Enterprise Risk Management. Web. 16 Feb. 2017.

    Slide 34 – "Why Do We Perform Better When Someone Has High Expectations of Us?" The Decision Lab. Accessed January 31, 2022.

    Slide 56 - Top 10 Tips for Creating Compelling Reports," October 11, 2019, Design Eclectic. Accessed March 29, 2022.

    Slide 56 – "Six Tips for Making a Quality Report Appealing and Easy To Skim," Agency for Health Research and Quality. Accessed March 29, 2022.

    Slide 56 –Tucker, Davis. Marketing Reporting: Tips to Create Compelling Reports, March 28, 2020, 60 Second Marketer. Accessed March 29, 2022.

    Optimize Lead Generation With Lead Scoring

    • Buy Link or Shortcode: {j2store}557|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Marketing Solutions
    • Parent Category Link: /marketing-solutions
    • Prospective buyer traffic into digital marketing platforms has exploded.
    • Many freemium/low-cost digital marketing platforms lack lead scoring and nurturing functionality.
    • As a result, the volume of unqualified leads being delivered to outbound sellers has increased dramatically.
    • This has reduced sales productivity, frustrated prospective buyers, and raised the costs of lead generation.

    Our Advice

    Critical Insight

    • Lead scoring is a must-have capability for high-tech marketers.
    • Without lead scoring, marketers will see increased costs of lead generation and decreased SQL-to-opportunity conversion rates.
    • Lead scoring increases sales productivity and shortens sales cycles.

    Impact and Result

    • Align Marketing, Sales, and Inside Sales on your ideal customer profile.
    • Re-evaluate the assets and activities that compose your current lead generation engine.
    • Develop a documented methodology to ignore, nurture, or contact right away the leads in your marketing pipeline.
    • Deliver more qualified leads to sellers, raising sales productivity and marketing/lead-gen ROI.

    Optimize Lead Generation With Lead Scoring Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should optimize lead generation with lead scoring, review SoftwareReviews Advisory’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Drive aligned vision for lead scoring

    Outline your plan, form your team, and plan marketing tech stack support.

    • Optimize Lead Generation With Lead Scoring – Phase 1: Drive an Aligned Vision for Lead Scoring

    2. Build and test your lead scoring model

    Set lead flow thresholds, define your ideal customer profile and lead generation engine components, and weight, score, test, and refine them.

    • Optimize Lead Generation With Lead Scoring – Phase 2: Build and Test Your Lead Scoring Model
    • Lead Scoring Workbook

    3. Apply your model to marketing apps and go live with better qualified leads

    Apply your lead scoring model to your lead management app, test it, validate the results with sellers, apply advanced methods, and refine.

    • Optimize Lead Generation With Lead Scoring – Phase 3: Apply Your Model to Marketing Apps and Go Live With Better Qualified Leads
    [infographic]

    Workshop: Optimize Lead Generation With Lead Scoring

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Drive Aligned Vision for Lead Scoring

    The Purpose

    Drive an aligned vision for lead scoring.

    Key Benefits Achieved

    Attain an aligned vision for lead scoring.

    Identify the steering committee and project team and clarify their roles and responsibilities.

    Provide your team with an understanding of how leads score through the marketing funnel.

    Activities

    1.1 Outline a vision for lead scoring.

    1.2 Identify steering committee and project team members.

    1.3 Assess your tech stack for lead scoring and seek advice from Info-Tech analysts to modernize where needed.

    1.4 Align on marketing pipeline terminology.

    Outputs

    Steering committee and project team make-up

    Direction on tech stack to support lead generation

    Marketing pipeline definitions alignment

    2 Buyer Journey and Lead Generation Engine Mapping

    The Purpose

    Define the buyer journey and map the lead generation engine.

    Key Benefits Achieved

    Align the vision for your target buyer and their buying journey.

    Identify the assets and activities that need to compose your lead generation engine.

    Activities

    2.1 Establish a buyer persona.

    2.2 Map your buyer journey.

    2.3 Document the activities and assets of your lead generation engine.

    Outputs

    Buyer persona

    Buyer journey map

    Lead gen engine assets and activities documented

    3 Build and Test Your Lead Scoring Model

    The Purpose

    Build and test your lead scoring model.

    Key Benefits Achieved

    Gain team alignment on how leads score and, most importantly, what constitutes a sales-accepted lead.

    Develop a scoring model from which future iterations can be tested.

    Activities

    3.1 Understand the Lead Scoring Grid and set your thresholds.

    3.2 Identify your ideal customer profile, attributes, and subattribute weightings – run tests.

    Outputs

    Lead scoring thresholds

    Ideal customer profile, weightings, and tested scores

    Test profile scoring

    4 Align on Engagement Attributes

    The Purpose

    Align on engagement attributes.

    Key Benefits Achieved

    Develop a scoring model from which future iterations can be tested.

    Activities

    4.1 Weight the attributes of your lead generation engagement model and run tests.

    4.2 Apply weightings to activities and assets.

    4.3 Test engagement and profile scenarios together and make any adjustments to weightings or thresholds.

    Outputs

    Engagement attributes and weightings tested and complete

    Final lead scoring model

    5 Apply Model to Your Tech Platform

    The Purpose

    Apply the model to your tech platform.

    Key Benefits Achieved

    Deliver better qualified leads to Sales.

    Activities

    5.1 Apply model to your marketing management/campaign management software and test the quality of sales-accepted leads in the hands of sellers.

    5.2 Measure overall lead flow and conversion rates through your marketing pipeline.

    5.3 Apply lead nurturing and other advanced methods.

    Outputs

    Model applied to software

    Better qualified leads in the hands of sellers

    Further reading

    Optimize Lead Generation With Lead Scoring

    In today’s competitive environment, optimizing Sales’ resources by giving them qualified leads is key to B2B marketing success.

    EXECUTIVE BRIEF

    Analyst Perspective

    Improve B2B seller win rates with a lead scoring methodology as part of your modern lead generation engine.

    The image contains a picture of Jeff Golterman.

    As B2B organizations emerge from the lowered demands brought on by COVID-19, they are eager to convert marketing contacts to sales-qualified leads with even the slightest signal of intent, but many sales cycles are wasted when sellers receive unqualified leads. Delivering highly qualified leads to sellers is still more art than science, and it is especially challenging without a way to score a contact profile and engagement. While most marketers capture some profile data from contacts, many will pass a contact over to Sales without any engagement data or schedule a demo with a contact without any qualifying profile data. Passing unqualified leads to Sales suboptimizes Sales’ resources, raises the costs per lead, and often results in lost opportunities. Marketers need to develop a lead scoring methodology that delivers better qualified leads to Field Sales scored against both the ideal customer profile (ICP) and engagement that signals lower-funnel buyer interest. To be successful in building a compelling lead scoring solution, marketers must work closely with key stakeholders to align the ICP asset/activity with the buyer journey. Additionally, working early in the design process with IT/Marketing Operations to implement lead management and analytical tools in support will drive results to maximize lead conversion rates and sales wins.

    Jeff Golterman

    Managing Director

    SoftwareReviews Advisory

    Executive Summary

    Your Challenge

    The affordability and ease of implementation of digital marketing tools have driven global adoption to record levels. While many marketers are fine-tuning the lead generation engine components of email, social media, and web-based advertising to increase lead volumes, just 32% of companies pass well-qualified leads over to outbound marketers or sales development reps (SDRs). At best, lead gen costs stay high, and marketing-influenced win rates remain suboptimized. At worst, marketing reputation suffers when poorly qualified leads are passed along to sellers.

    Common Obstacles

    Most marketers lack a methodology for lead scoring, and some lack alignment among Marketing, Product, and Sales on what defines a qualified lead. In their rush to drive lead generation, marketers often fail to “define and align” on the ICP with stakeholders, creating confusion and wasted time and resources. In the rush to adopt B2B marketing and sales automation tools, many marketers have also skipped the important steps to 1) define the buyer journey and map content types to support, and 2) invest in a consistent content creation and sourcing strategy. The wrong content can leave prospects unmotivated to engage further and cause them to seek alternatives.

    Info-Tech’s Approach

    To employ lead scoring effectively, marketers need to align Sales, Marketing, and Product teams on the definition of the ICP and what constitutes a Sales-accepted lead. The buyer journey needs to be mapped in order to identify the engagement that will move a lead through the marketing lead generation engine. Then the project team can score prospect engagement and the prospect profile attributes against the ICP to arrive at a lead score. The marketing tech stack needs to be validated to support lead scoring, and finally Sales needs to sign off on results.

    SoftwareReviews Advisory Insight:

    Lead scoring is a must-have capability for high-tech marketers. Without lead scoring, marketers will see increased costs of lead gen, decreased SQL to opportunity conversion rates, decreased sales productivity, and longer sales cycles.

    Who benefits from a lead scoring project?

    This Research Is Designed for:

    • Marketers and especially campaign managers who are:
      • Looking for a more precise way to score leads and deploy outbound marketing resources to optimize contacts-to-MQL conversion rates.
      • Looking for a more effective way to profile contacts raised by your lead gen engine.
      • Looking to use their lead management software to optimize lead scoring.
      • Starting anew to strengthen their lead generation engine and want examples of a typical engine, ways to identify buyer journey, and perform lead nurturing.

    This Research Will Help You:

    • Explain why having a lead scoring methodology is important.
    • Identify a methodology that will call for identifying an ICP against which to score prospect profiles behind each contact that engages your lead generation engine.
    • Create a process of applying weightings to score activities during contact engagement with your lead generation engine. Apply both scores to arrive at a contact/lead score.
    • Compare your current lead gen engine to a best-in-class example in order to identify gaps and areas for improvement and exploration.

    This Research Will Also Assist:

    • CMOs, Marketing Operations leaders, heads of Product Marketing, and regional Marketing leads who are stakeholders in:
      • Finding alternatives to current lead scoring approaches.
        • Altering current or evaluating new marketing technologies to support a refreshed lead scoring approaches.

    This Research Will Help Them:

    • Align stakeholders on an overall program of identifying target customers, building common understanding of what constitutes a qualified lead, and determining when to use higher-cost outbound marketing resources.
    • Deploy high-value applications that will improve core marketing metrics.

    Insight summary

    Continuous adjustment and improvement of your lead scoring methodology is critical for long-term lead generation engine success.

    • Building a highly functioning lead generation engine is an ongoing process and one that requires continual testing of new asset types, asset design, and copy variations. Buyer profiles change over time as you launch new products and target new markets.
    • Pass better qualified leads to Field Sales and improve sales win rates by taking these crucial steps to implement a better lead generation engine and a lead scoring methodology:
      • Make the case for lead scoring in your organization.
      • Establish trigger points that separate leads to ignore, nurture, qualify, or outreach/contact.
      • Identify your buyer journey and ICP through collaboration among Sales, Marketing, and Product.
      • Assess each asset and activity type across your lead generation engine and apply a weighting for each.
      • Test lead scenarios within our supplied toolkit and with stakeholders. Adjust weightings and triggers that deliver lead scores that make sense.
      • Work with IT/Marketing Operations to emulate your lead scoring methodology within your marketing automation/campaign management application.
      • Explore advanced methods including nurturing.
    • Use the Lead Scoring Workbook collaboratively with other stakeholders to design your own methodology, test lead scenarios, and build alignment across the team.

    Leading marketers who successfully implement a lead scoring methodology develop it collaboratively with stakeholders across Marketing, Sales, and Product Management. Leaders will engage Marketing Operations, Sales Operations, and IT early to gain support for the evaluation and implementation of a supporting campaign management application and for analytics to track lead progress throughout the Marketing and Sales funnels. Leverage the Marketing Lead Scoring Toolkit to build out your version of the model and to test various scenarios. Use the slides contained within this storyboard and the accompanying toolkit as a means to align key stakeholders on the ICP and to weight assets and activities across your marketing lead generation engine.

    What is lead scoring?

    Lead scoring weighs the value of a prospect’s profile against the ICP and renders a profile score. The process then weighs the value of the prospects activities against the ideal call to action (CTA) and renders an activity score. Combining the profile and activity scores delivers an overall score for the value of the lead to drive the next step along the overall buyer journey.

    EXAMPLE: SALES MANAGEMENT SOFTWARE

    • For a company that markets sales management software the ideal buyer is the head of Sales Operations. While the ICP is made up of many attributes, we’ll just score one – the buyer’s role.
    • If the prospect/lead that we wish to score has an executive title, the lead’s profile scores “High.” Other roles will score lower based on your ICP. Alongside role, you will also score other profile attributes (e.g. company size, location).
    • With engagement, if the prospect/lead clicked on our ideal CTA, which is “request a proposal,” our engagement would score high. Other CTAs would score lower.
    The image contains a screenshot of two examples of lead scoring. One example demonstrates. Profile Scoring with Lead Profile, and the second image demonstrates Activity Scoring and Lead Engagement.

    SoftwareReviews Advisory Insight:

    A significant obstacle to quality lead production is disagreement on or lack of a documented definition of the ideal customer profile. Marketers successful in lead scoring will align key stakeholders on a documented definition of the ICP as a first step in improving lead scoring.

    Use of lead scoring is in the minority among marketers

    The majority of businesses are not practicing lead scoring!

    Up to 66% of businesses don’t practice any type of lead scoring.

    Source: LeadSquared, 2014

    “ With lead scoring, you don’t waste loads of time on unworthy prospects, and you don’t ignore people on the edge of buying.”

    Source: BigCommerce

    “The benefits of lead scoring number in the dozens. Having a deeper understanding of which leads meet the qualifications of your highest converters and then systematically communicating with them accordingly increases both ongoing engagement and saves your internal team time chasing down inopportune leads.”

    – Joey Strawn, Integrated Marketing Director, in IndustrialMarketer.com

    Key benefit: sales resource optimization

    Many marketing organizations send Sales too many unqualified leads

    • Leads – or, more accurately, contacts – are not all qualified. Some are actually nothing more than time-wasters for sellers.
    • Leading marketers peel apart a contact into at least two dimensions – “who” and “how interested.”
      • The “who” is compared to the ICP and given a score.
      • The “how interested” measures contact activity – or engagement – within our lead gen engine and gives it a score.
    • Scores are combined; a contact with a low score is ignored, medium is nurtured, and high is sent to sellers.
    • A robust ICP, together with engagement scoring and when housed within your lead management software, prioritizes for marketers which contacts to nurture and gets hot leads to sellers more quickly.

    Optimizing Sales Resources Using Lead Scoring

    The image contains a screenshot of a graph to demonstrate optimizing sales resources with lead scoring.

    Lead scoring drives greater sales effectiveness

    When contacts are scored as “qualified leads” and sent to sellers, sales win rates and ROI climb

    • Contacts can be scored properly once marketers align with Sales on the ICP and work closely with colleagues in areas like product marketing and field marketing to assign weightings to lead gen activities.
    • When more qualified leads get into the hands of the salesforce, their win rates improve.
    • As win rates improve, and sellers are producing more wins from the same volume of leads, sales productivity improves and ROI on the marketing investment increases.

    “On average, organizations that currently use lead scoring experience a 77% lift in lead generation ROI, over organizations that do not currently use lead scoring.”

    – MarketingSherpa, 2012

    Average Lead Generation ROI by Use of Lead Scoring

    The image contains a screenshot of a graph to demonstrate the average lead generation ROI by using of lead scoring. 138% are currenting using lead scoring, and 78% are not using lead scoring.
    Source: 2011 B2B Marketing Benchmark Survey, MarketingSherpa
    Methodology: Fielded June 2011, N=326 CMOs

    SoftwareReviews’ Lead Scoring Approach

    1. Drive Aligned Vision for Lead Scoring

    2. Build and Test Your Lead Scoring Model

    3. Apply to Your Tech Platform and Validate, Nurture, and Grow

    Phase
    Steps

    1. Outline a vision for lead scoring and identify stakeholders.
    2. Assess your tech stack for lead scoring and seek advice from Info-Tech analysts to modernize where needed.
    3. Align on marketing pipeline terminology, buyer persona and journey, and lead gen engine components.
    1. Understand the Lead Scoring Grid and establish thresholds.
    2. Collaborate with stakeholders on your ICP, apply weightings to profile attributes and values, and test your model.
    3. Identify the key activities and assets of your lead gen engine, weight attributes, and run tests.
    1. Apply model to your marketing management software.
    2. Test quality of sales-accepted leads by sellers and measure conversion rates through your marketing pipeline.
    3. Apply advanced methods such as lead nurturing.

    Phase Outcomes

    1. Steering committee and stakeholder selection
    2. Stakeholder alignment
    3. Team alignment on terminology
    4. Buyer journey map
    5. Lead gen engine components and asset types documented
    1. Initial lead-stage threshold scores
    2. Ideal customer profile, weightings, and tested scores
    3. Documented activities/assets across your lead generation engine
    4. Test results to drive adjusted weightings for profile attributes and engagement
    5. Final model to apply to marketing application
    1. Better qualified leads in the hands of sellers
    2. Advanced methods to nurture leads

    Key Deliverable: Lead Scoring Workbook

    The workbook walks you through a step-by-step process to:

    • Identify your team.
    • Identify the lead scoring thresholds.
    • Define your IPC.
    • Weight the activities within your lead generation engine.
    • Run tests using lead scenarios.

    Tab 1: Team Composition

    Consider core functions and form a cross-functional lead scoring team. Document the team’s details here.

    The image contains a screenshot of the Lead Scoring Workbook, Tab 1.

    Tab 2: Threshold Setting

    Set your initial threshold weightings for profile and engagement scores.

    The image contains a screenshot of the Lead Scoring Workbook, Tab 2.

    Tab 3:

    Establish Your Ideal Customer Profile

    Identify major attributes and attribute values and the weightings of both. You’ll eventually score your leads against this ICP.

    Record and Weight Lead Gen Engine Activities

    Identify the major activities that compose prospect engagement with your lead gen engine. Weight them together as a team.

    Test Lead Profile Scenarios

    Test actual lead profiles to see how they score against where you believe they should score. Adjust threshold settings in Tab 2.

    Test Activity Engagement Scores

    Test scenarios of how contacts navigate your lead gen engine. See how they score against where you believe they should score. Adjust thresholds on Tab 2 as needed.

    Review Combined Profile and Activity Score

    Review the combined scores to see where on your lead scoring matrix the lead falls. Make any final adjustments to thresholds accordingly.

    The image contains screenshots of the Lead Scoring Workbook, Tab 3.

    Several ways we help you build your lead scoring methodology

    DIY Toolkit Guided Implementation Workshop Consulting

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    • Begin your project using the step-by-step process outlined in this blueprint.
    • Leverage the accompanying workbook.
    • Launch inquiries with the analyst who wrote the research.
    • Kick off your project with an inquiry with the authoring analyst and your engagement manager.
    • Additional inquiries will guide you through each step.
    • Leverage the blueprint and toolkit.
    • Reach out to your engagement manager.
    • During a half-day workshop the authoring analyst will guide you and your team to complete your lead scoring methodology.
    • Reach out to your engagement manager.
    • We’ll lead the engagement to structure the process, gather data, interview stakeholders, craft outputs, and organize feedback and final review.

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1

    Phase 2

    Phase 3

    Call #1: Collaborate on vision for lead scoring and the overall project.

    Call #2: Identify the steering committee and the rest of the team.

    Call #3: Discuss app/tech stack support for lead scoring. Understand key marketing pipeline terminology and the buyer journey.

    Call #4: Discuss your ICP, apply weightings, and run test scenarios.

    Call #5: Discuss and record lead generation engine components.

    Call #6: Understand the Lead Scoring Grid and set thresholds for your model.

    Call #7: Identify your ICP, apply weightings to attributes, and run tests.

    Call #8: Weight the attributes of engagement activities and run tests. Review the application of the scoring model on lead management software.

    Call #9: Test quality of sales-accepted leads in the hands of sellers. Measure lead flow and conversion rates through your marketing pipeline.

    Call #10: Review progress and discuss nurturing and other advanced topics.

    A Guided Implementation (GI) is series of calls with a SoftwareReviews Advisory analyst to help implement our best practices in your organization. For guidance on marketing applications, we can arrange a discussion with an Info-Tech analyst. Your engagement managers will work with you to schedule analyst calls.

    Workshop Overview

    Accelerate your project with our facilitated SoftwareReviews Advisory workshops

    Day 1

    Day 2

    Day 3

    Day 4

    Day 5

    Drive Aligned Vision for Lead Scoring

    Buyer Journey and Lead Gen Engine Mapping

    Build and Test Your Lead Scoring Model

    Align on Engagement Attributes

    Apply to Your Tech Platform

    Activities

    1.1 Outline a vision for lead scoring.

    1.2 Identify steering committee and project team members.

    1.3 Assess your tech stack for lead scoring and seek advice from Info-Tech analysts to modernize where needed.

    1.4 Align on marketing pipeline terminology.

    2.1 Establish a buyer persona (if not done already).

    2.2 Map your buyer journey.

    2.3 Document the activities and assets of your lead gen engine.

    3.1 Understand Lead Scoring Grid and set your thresholds.

    3.2 Identify ICP attribute and sub-attribute weightings. Run tests.

    4.1 Weight the attributes of your lead gen engagement model and run tests.

    4.2 Apply weightings to activities and assets.

    4.3 Test engagement and profile scenarios together and adjust weightings and thresholds as needed.

    5.1 Apply model to your campaign management software and test quality of sales-accepted leads in the hands of sellers.

    5.2. Measure overall lead flow and conversion rates through your marketing pipeline.

    5.3 Apply lead nurturing and other advanced methods.

    Deliverables

    1. Steering committee & project team composition
    2. Direction on tech stack to support lead gen
    3. Alignment on marketing pipeline definitions
    1. Buyer (persona if needed) journey map
    2. Lead gen engine assets and activities documented
    1. Lead scoring thresholds
    2. ICP, weightings, and tested scores
    3. Test profile scoring
    1. Engagement attributes and weightings tested and complete
    2. Final lead scoring model
    1. Model applied to your marketing management/ campaign management software
    2. Better qualified leads in the hands of sellers

    Phase 1

    Drive an Aligned Vision for Lead Scoring

    Phase 1

    Phase 2

    Phase 3

    1.1 Establish a cross-functional vision for lead scoring

    1.2 Asses your tech stack for lead scoring (optional)

    1.3 Catalog your buyer journey and lead gen engine assets

    2.1 Start building your lead scoring model

    2.2 Identify and verify your IPC and weightings

    2.3 Establish key lead generation activities and assets

    3.1 Apply model to your marketing management software

    3.2 Test the quality of sales-accepted leads

    3.3 Apply advanced methods

    This phase will walk you through the following activities:

    • Solidify your vision for lead scoring.
    • Achieve stakeholder alignment.
    • Assess your tech stack.

    This phase involves the following stakeholders:

    • Field Marketing/Campaign Manager
    • CMO
    • Product Marketing
    • Product Management
    • Sales Leadership/Sales Operations
    • Inside Sales leadership
    • Marketing Operations/IT
    • Digital Platform leadership

    Step 1.1

    Establish a Cross-Functional Vision for Lead Scoring

    Activities

    1.1.1 Identify stakeholders critical to success

    1.1.2 Outline the vision for lead scoring

    1.1.3 Select your lead scoring team

    This step will walk you through the following activities:

    • Discuss the reasons why lead scoring is important.
    • Review program process.
    • Identify stakeholders and team.

    This step involves the following participants:

    • Stakeholders
    • Project sponsors and leaders

    Outcomes of this step

    • Stakeholder alignment on vision of lead scoring
    • Stakeholders described and team members recorded
    • A documented buyer journey and map of your current lead gen engine

    1.1.1 Identify stakeholders critical to success

    1 hour

    1. Meet to identify the stakeholders that should be included in the project’s steering committee.
    2. Finalize selection of steering committee members.
    3. Contact members to ensure their willingness to participate.
    4. Document the steering committee members and the milestone/presentation expectations for reporting project progress and results
    Input Output
    • Stakeholder interviews
    • List of business process owners (lead management, inside sales lead qualification, sales opportunity management, marketing funnel metric measurement/analytics)
    • Lead generation/scoring stakeholders
    • Steering committee members
    Materials Participants
    • N/A
    • Initiative Manager
    • CMO, Sponsoring Executive
    • Departmental Leads – Sales, Marketing, Product Marketing, Product Management (and others)
    • Marketing Applications Director
    • Senior Digital Business Analyst

    SoftwareReviews Advisory Insight:

    B2B marketers that lack agreement among Marketing, Sales, Inside Sales, and lead management supporting staff of what constitutes a qualified lead will squander precious time and resources throughout the customer acquisition process.

    1.1.2 Outline the vision for lead scoring

    1 hour

    1. Convene a meeting of the steering committee and initiative team members who will be involved in the lead scoring project.
    • Using slides from this blueprint, understand the definition of lead scoring, the value of lead scoring to the organization, and the overall lead scoring process.
    • Understand the teams’ roles and responsibilities and help your Marketing Operations/IT colleagues understand some of the technical requirements needed to support lead scoring.
    • This is important because as the business members of the team are developing the lead scoring approach on paper, the technical team can begin to evaluate lead management apps within which your lead scoring model will be brought to life.
    Input Output
    • Slides to explain lead scoring and the lead scoring program
    • An understanding of the project among key stakeholders
    Materials Participants
    • Slides taken from this blueprint. We suggest slides from the Executive Brief (slides 3-16) and any others depending on the team’s level of familiarity.
    • Initiative Manager
    • CMO, Sponsoring Executive
    • Departmental leads from Sales, Marketing, Product Marketing, Product Management (and others)
    • Marketing Applications Director
    • Senior Digital Business Analyst

    SoftwareReviews Advisory Insight:

    While SMBs can implement some form of lead scoring when volume is very low and leads can be scored by hand, lead scoring and effective lead management cannot be performed without investment in digital platforms and lead management software and integration with customer relationship management (CRM) applications in the hands of inside and field sales staff. Marketers should plan and budget for the right combination of applications and tools to be in place for proper lead management.

    Lead scoring stakeholders

    Developing a common stakeholder understanding of the ICP, the way contact profiles are scored, and the way activities and asset engagement in your lead generation engine are scored will strengthen alignment between Marketing, Sales and Product Management.

    Title

    Key Stakeholders Within a Lead Generation/Scoring Initiative

    Lead Scoring Sponsor

    • Owns the project at the management/C-suite level
    • Responsible for breaking down barriers and ensuring alignment with organizational strategy
    • CMO, VP of Marketing, CEO (in SMB providers)

    Lead Scoring Initiative Manager

    • Typically a senior member of the marketing team
    • Responsible for preparing and managing the project plan and monitoring the project team’s progress
    • Marketing Manager or a field marketing team member who has strong program management skills, has run large-scale B2B generation campaigns, and is familiar with the stakeholder roles and enabling technologies

    Business Leads

    • Works alongside the lead scoring initiative manager to ensure that the strategy is aligned with business needs
    • In this case, likely to be a marketing lead
    • Marketing Director

    Digital, Marketing/Sales Ops/IT Team

    • Composed of individuals whose application and technology tools knowledge and skills are crucial to lead generation success
    • Responsible for understanding the business requirements behind lead generation and the requirements in particular to support lead scoring and the evaluation, selection, and implementation of the supporting tech stack – apps, website, analytics, etc.
    • Project Manager, Business Lead, CRM Manager, Integration Manager, Marketing Application SMEs, Sales Application

    Steering Committee

    • Composed of C-suite/management-level individuals who act as the lead generation process decision makers
    • Responsible for validating goals and priorities, defining the scope, enabling adequate resourcing, and managing change especially among C-level leaders in Sales & Product
    • Executive Sponsor, Project Sponsor, CMO, Business Unit SMEs

    SoftwareReviews Advisory Insight:

    Marketers managing the lead scoring initiative must include Product Marketing, Sales, Inside Sales, and Product Management. And given that world-class B2B lead generation engines cannot run without technology enablement, Marketing Operations/IT – those that are charged with enabling marketing and sales – must also be part of the decision making and implementation process of lead scoring and lead generation.

    1.1.3 Select your lead scoring team

    30 minutes

    1. The CMO and other key stakeholders should discuss and determine who will be involved in the lead scoring project.
    • Business leaders in key areas – Product Marketing, Field Marketing, Digital Marketing, Inside Sales, Sales, Marketing Ops, Product Management, and IT – should be involved.
  • Document the members of your lead scoring team in tab 1 of the Lead Scoring Workbook.
    • The size of the team will vary depending on your initiative and size of your organization.
    InputOutput
    • Stakeholders
    • List of lead scoring team members
    MaterialsParticipants
    • Lead Scoring Workbook
    • Initiative Manager
    • CMO, Sponsoring Executive
    • Departmental Leads – Sales, Marketing, Product Marketing, Product Management (and others)
    • Marketing Applications Director
    • Senior Digital Business Analyst

    Download the Lead Scoring Workbook

    Lead scoring team

    Consider the core team functions when composing the lead scoring team. Form a cross-functional team (i.e. across IT, Marketing, Sales, Service, Operations) to create a well-aligned lead management/scoring strategy. Don’t let your core team become too large when trying to include all relevant stakeholders. Carefully limit the size of the team to enable effective decision making while still including functional business units.

    Required Skills/Knowledge

    Suggested Team Members

    Business

    • Understanding of the customer
    • Understanding of brand
    • Understanding of multichannel marketing: email, events, social
    • Understanding of lead qualification
    • Field Marketing/Campaign Lead
    • Product Marketing
    • Sales Manager
    • Inside Sales Manager
    • Content Marketer/Copywriter

    IT

    • Campaign management application capabilities
    • Digital marketing
    • Marketing and sales funnel Reporting/metrics
    • Marketing Application Owners
    • CRM/Sales Application Owners
    • Marketing Analytics Owners
    • Digital Platform Owners

    Other

    • Branding/creative
    • Social
    • Change management
    • Creative Director
    • Social Media Marketer

    Step 1.2 (Optional)

    Assess Your Tech Stack for Lead Scoring

    Our model assumes you have:

    1.2.1 A marketing application/campaign management application in place that accommodates lead scoring.

    1.2.2 Lead management software integrated with the sales automation/CRM tool in the hands of Field Sales.

    1.2.3 Reporting/analytics that spans the entire lead generation pipeline/funnel.

    Refer to the following three slides if you need guidance in these areas.

    This step will walk you through the following activities:

    • Confirm that you have your tech stack in place.
    • Set up an inquiry with an Info-Tech analyst should you require guidance on evaluating lead pipeline reporting, CRM, or analytics applications.

    This step involves the following participants:

    • Stakeholders
    • Project sponsors and leaders

    Outcomes of this step

    • Understanding of what new application and technology support is required to support lead scoring.

    SoftwareReviews Advisory Insight:

    Marketers that collaborate closely with Marketing Ops/IT early in the process of lead scoring design will be best able to assess whether current marketing applications and tools can support a full lead scoring capability.

    1.2.1 Plan technology support for marketing management apps

    Work with Marketing Ops and IT early to evaluate application enablement for lead management, including scoring

    A thorough evaluation takes months – start early

    • Work closely with Marketing Operations (or the team that manages the marketing apps and digital platforms) as early as possible to socialize your approach to lead scoring.
    • Work with them on a set of updated requirements for selecting a marketing management suite or for changes to existing apps and tools to support your lead scoring approach that includes lead tracking and marketing funnel analytics.
    • Access the Info-Tech blueprint Select a Marketing Management Suite, along with analyst inquiry support during the requirements definition, vendor evaluation, and vendor selection phases. Use the SoftwareReviews Marketing Management Data Quadrant during vendor evaluation and selection.

    SoftwareReviews Marketing Management Data Quadrant

    The image contains a screenshot of the Marketing Management Data Quadrant.

    1.2.2 Plan technology support for sales opportunity management

    Work with Marketing Ops and IT early to evaluate applications for sales opportunity management

    A thorough evaluation takes months – start early

    • Work closely with Sales Operations as early as possible to socialize your approach to lead scoring and how lead management must integrate with sales opportunity management to manage the entire marketing and sales funnel management process.
    • Work with them on a set of updated requirements for selecting a sales opportunity management application that integrates with your marketing management suite or for changes to existing apps and tools to support your lead management and scoring approach that support the entire marketing and sales pipeline with analytics.

    Access the Info-Tech blueprint Select and Implement a CRM Platform, along with analyst inquiry support during the requirements definition, vendor evaluation, and vendor selection phases. Use the SoftwareReviews CRM Data Quadrant during vendor evaluation and selection.

    SoftwareReviews Customer Relationship Management Data Quadrant

    The image contains a screenshot of the SoftwareReviews Customer Relationship Management Data Quadrant.

    1.2.3 Plan analytics support for marketing pipeline analysis

    Work with Marketing Ops early to evaluate analytics tools to measure marketing and sales pipeline conversions

    A thorough evaluation takes weeks – start early

    • Work closely with Marketing and Sales Operations as early as possible to socialize your approach to measuring the lifecycle of contacts through to wins across the entire marketing and sales funnel management process.
    • Work with them on a set of updated requirements for selecting tools that can support the measurement of conversion ratios from contact to MQL, SQL, and opportunity to wins. Having this data enables you to measure improvement in component parts to your lead generation engine.
    • Access the Info-Tech blueprint Select and Implement a Reporting and Analytics Solution, along with analyst inquiry support during the requirements definition, vendor evaluation and vendor selection phases. Use the SoftwareReviews Best Business intelligence & Analytics Software Data Quadrant as well during vendor evaluation and selection.

    SoftwareReviews Business Intelligence Data Quadrant

    The image contains a screenshot of the Software Reviews Business Intelligent Quadrant.

    Step 1.3

    Catalog Your Buyer Journey and Lead Gen Engine Assets

    Activities

    1.3.1 Review marketing pipeline terminology

    1.3.2 Describe your buyer journey

    1.3.3 Describe your awareness and lead generation engine

    This step will walk you through the following activities:

    • Discuss marketing funnel terminology.
    • Describe your buyer journey.
    • Catalog the elements of your lead generation engine.

    This step involves the following participants:

    • Stakeholders

    Outcomes of this step

    • Stakeholder alignment on terminology, your buyer journey, and elements of your lead generation engine

    1.3.1 Review marketing pipeline terminology

    30 minutes

    1. We assume for this model the following:
      1. Our primary objective is to deliver more, and more-highly qualified, sales-qualified leads (SQLs) to our salesforce. The salesforce will accept SQLs and after further qualification turn them into opportunities. Sellers work opportunities and turn them into wins. Wins that had first/last touch attribution within the lead gen engine are considered marketing-influenced wins.
      2. This model assumes the existence of sales development reps (SDRs) whose mission it is to take marketing-qualified leads (MQLs) from the lead generation engine and further qualify them into SQLs.
      3. The lead generation engine takes contacts – visitors to activities, website, etc. – and scores them based on their profile and engagement. If the contact scores at or above the designated threshold, the lead generation engine rates it as an MQL and passes it along to Inside Sales/SDRs. If the contact scores above a certain threshold and shows promise, it is further nurtured. If the contact score is low, it is ignored.
    2. If an organization does not possess a team of SDRs or Inside Sales, you would adjust your version of the model to, for example, raise the threshold for MQLs, and when the threshold is reached the lead generation engine would pass the lead to Field Sales for further qualification.

    Stage

    Characteristics

    Actions

    Contact

    • Unqualified
    • No/low activity

    Nurture

    SDR Qualify

    Send to Sales

    Close

    MQL

    • Profile scores high
    • Engagement strong

    SQL

    • Profile strengthened
    • Demo/quote/next step confirmed

    Oppt’y

    • Sales acceptance
    • Sales opportunity management

    Win

    • Deal closed

    SoftwareReviews Advisory Insight:

    Score leads in a way that makes it crystal clear whether they should be ignored, further nurtured, further qualified, or go right into a sellers’ hands as a super hot lead.

    1.3.2 Describe your buyer journey

    1. Understand the concept of the buyer journey:
      1. Typically Product Marketing is charged with establishing deep understanding of the target buyer for each product or solution through a complete buyer persona and buyer journey map. The details of how to craft both are covered in the upcoming SoftwareReviews Advisory blueprint Craft a More Comprehensive Go-to-Market Strategy. However, we share our Buyer Journey Template here (on the next slide) to illustrate the connection between the buyer journey and the lead generation and scoring processes.
      2. Marketers and campaigners developing the lead scoring methodology will work closely with Product Marketing, asking them to document the buyer journey.
      3. The value of the buyer journey is to guide asset/content creation, nurturing strategy and therefore elements of the lead generation engine such as web experience, email, and social content and other elements of engagement.
      4. The additional value of having a buyer persona is to also inform the ICP, which is an essential element of lead scoring.
      5. For the purposes of lead scoring, use the template on the next slide to create a simple form of the buyer journey. This will guide lead generation engine design and the scoring of activities later in our blueprint.

    2 hours

    On the following slide:

    1. Tailor this template to suit your buyer journey. Text in green is yours to modify. Text in black is instructional.
    2. Your objective is to use the buyer journey to identify asset types and a delivery channel that once constructed/sourced and activated within your lead gen engine will support the buyer journey.
    3. Keep your buyer journey updated based on actual journeys of sales wins.
    4. Complete different buyer journeys for different product areas. Complete these collaboratively with stakeholders for alignment.

    SoftwareReviews Advisory Insight:

    Establishing a buyer journey is one of the most valuable tools that, typically, Product Marketing produces. Its use helps campaigners, product managers, and Inside and Field Sales. Leading marketers keep journeys updated based on live deals and characteristics of wins.

    Buyer Journey Template

    Personas: [Title] e.g. “BI Director”

    The image contains a screenshot of the describe persona level as an example.

    [Persona name] ([levels it includes from arrows above]) Buyer’s Journey for [solution type] Vendor Selection

    The image contains a screenshot of the Personas Type example to demonstrate a specific IT role, end use in a relevant department.

    1.3.3 Describe Your Awareness and Lead Gen Engine

    1. Understand the workings of a typical awareness and lead generation engine. Reference the image of a lead gen engine on the following slide when reviewing our guidance below:
      1. In our lead scoring example found in the Lead Scoring Workbook, tab 3, “Weight and Test,” we use a software company selling a sales automation solution, and the engagement activities match with the Typical Awareness and Lead Gen Engine found on the following slide. Our goal is to match a visual representation of a lead gen and awareness engine with the activity scoring portion of lead scoring.
      2. At the top of the Typical Awareness and Lead Generation Engine image, the activities are activated by a team of various roles: digital manager (new web pages), campaign manager (emails and paid media), social media marketer (organic and paid social), and events marketing manager (webinars).
      3. “Awareness” – On the right, the slide shows additional awareness activities driven by the PR/Corporate Comms and Analyst Relations teams.*
      4. The calls to action (CTAs) found in the outreach activities are illustrated below the timeline. The CTAs are grouped and are designed to 1) drive profile capture data via a main sales form fill, and 2) drive engagement that corresponds to the Education, Solution, and Selection buyer journey phases outlined on the prior slide. Ensure you have fast paths to get a hot lead – request a demo – directly to Field Sales when profiles score high.

    * For guidance on best practices in engaging industry analysts, contact your engagement manager to schedule an inquiry with our expert in this area. during that inquiry, we will share best practices and recommended analyst engagement models.

    Lead Scoring Workbook

    2 hours

    On the following slide:

    1. Tailor the slide to describe your lead generation engine as you will use it when you get to latter steps to describe the activities in your lead gen engine and weight them for lead scoring.
    2. Use the template to see what makes up a typical lead gen and awareness building engine. Record your current engine parts and see what you may be missing.
    3. Note: The “Goal” image in the upper right of the slide is meant as a reminder that marketers should establish a goal for SQLs delivered to Field Sales for each campaign.

    SoftwareReviews Advisory Insight:

    Marketing’s primary mission is to deliver marketing-influenced wins (MIWs) to the company. Building a compelling awareness and lead gen engine must be done with that goal in mind. Leaders are ruthless in testing – copy, email subjects, website navigation, etc. – to fine-tune the engine and staying highly collaborative with sellers to ensure high value lead delivery.

    Typical Awareness and Lead Gen Engine

    Understand how a typical lead generation engine works. Awareness activities are included as a reference. Use as a template for campaigns.

    The image contains a screenshot of a diagram to demonstrate how a lead generation engine works.

    Phase 2

    Build and Test Your Lead Scoring Model

    Phase 1

    Phase 2

    Phase 3

    1.1 Establish a cross-functional vision for lead scoring

    1.2 Asses your tech stack for lead scoring (optional)

    1.3 Catalog your buyer journey and lead gen engine assets

    2.1 Start building your lead scoring model

    2.2 Identify and verify your IPC and weightings

    2.3 Establish key lead generation activities and assets

    3.1 Apply model to your marketing management software

    3.2 Test the quality of sales-accepted leads

    3.3 Apply advanced methods

    This phase will walk you through the following activities:

    1. Understand the Lead Scoring Grid and establish thresholds.
    2. Collaborate with stakeholders on your ICP, apply weightings to profile attributes and values, and test.
    3. Identify the key activities and assets of your lead gen engine, weight attributes, and run tests.

    This phase involves the following participants:

    • Field Marketing/Campaign Manager
    • Product Marketing
    • Sales Leadership/Sales Operations
    • Inside Sales leadership
    • Marketing Operations/IT
    • Digital Platform leadership

    Step 2.1

    Start Building Your Lead Scoring Model

    Activities

    2.1.1 Understand the Lead Scoring Grid

    2.1.2 Identify thresholds

    This step will walk you through the following activities:

    • Discuss the concept of the thresholds for scoring leads in each of the various states – “ignore,” “nurture,” “qualify,” “send to sales.”
    • Open the Lead Scoring Workbook and validate your own states to suit your organization.
    • Arrive at an initial set of threshold scores.

    This step involves the following participants:

    • Stakeholders

    Outcomes of this step

    • Stakeholder alignment on stages
    • Stakeholder alignment on initial set of thresholds

    2.1.1 Understand the Lead Scoring Grid

    30 minutes

    1. Understand how lead scoring works and our grid is constructed.
    2. Understand the two important areas of the grid and the concept of how the contact’s scores will increase as follows:
      1. Profile – as the profile attributes of the contact approaches that of the ICP we want to score the contact/prospect higher. Note: Step 1.3 walks you through creating your ICP.
      2. Engagement – as the contact/prospect engages with the activities (e.g. webinars, videos, events, emails) and assets (e.g. website, whitepapers, blogs, infographics) in our lead generation engine, we want to score the contact/prospect higher. Note: You will describe your engagement activities in this step.
    3. Understand how thresholds work:
      1. Threshold percentages, when reached, trigger movement of the contact from one state to the next – “ignore,” “nurture,” “qualify with Inside Sales,” and “send to sales.”
    The image contains a screenshot of an example of the lead scoring grid, as described in the text above.

    2.1.2 Identify thresholds

    30 minutes

    We have set up a model Lead Scoring Grid – see Lead Scoring Workbook, tab 2, “Identify Thresholds.”

    Set your thresholds within the Lead Scoring Workbook:

    • Set your threshold percentages for ”Profile” and “Engagement.”
    • You will run test scenarios for each in later steps.
    • We suggest you start with the example percentages given in the Lead Scoring Workbook and plan to adjust them during testing in later steps.
    • Define the “Send to Sales,” “Qualify With Inside Sales,” “Nurture,” and “Ignore” zones.

    SoftwareReviews Advisory Insight:

    Clarify that all-important threshold for when a lead passes to your expensive and time-starved outbound sellers.

    The image contains a screenshot of the Lead Scoring Workbook, tab 2 demonstrating the Lead Scoring Grid.

    Lead Scoring Workbook

    Step 2.2

    Identify and Verify Your Ideal Customer Profile and Weightings

    Activities

    2.2.1 Identify your ideal customer profile

    2.2.2 Run tests to validate profile weightings

    This step will walk you through the following activities:

    • Identify the attributes that compose the ICP.
    • Identify the values of each attribute and their weightings.
    • Test different contact profile scenarios against what actually makes sense.
    • Adjust weightings if needed.

    This step involves the following participants:

    • Stakeholders

    Outcomes of this step

    • Stakeholder alignment on ICP
    • Stakeholder alignment on weightings given to attributes
    • Tested results to verify thresholds and cores

    2.2.1 Identify your ideal customer profile

    Collaborate with stakeholders to understand what attributes best describe your ICP. Assign weightings and subratings.

    2 hours

    1. Choose attributes such as job role, organization type, number of employees/potential seat holders, geographical location, interest area, etc., that describe the ideal profile of a target buyer. Best practice sees marketers choosing attributes based on real wins.
    2. Some marketers compare the email domain of the contact to a target list of domains. In the Lead Scoring Workbook, tab 3, “Weight and Test,” we provide an example profile for a “Sales Automation Software” ICP.
    3. Use the workbook as a template, remove our example, and create your own ICP attributes. Then weight the attributes to add up to 100%. Add in the attribute values and weight them. In the next step you will test scenarios.

    SoftwareReviews Advisory Insight:

    Marketers who align with colleagues in areas such as Product Marketing, Sales, Inside Sales, Sales Training/Enablement, and Product Managers and document the ICP give their organizations a greater probability of lead generation success.

    The image contains a screenshot of tab 3, demonstrating the weight and test with the example profile.

    Lead Scoring Workbook

    2.2.2 Run tests to validate profile weightings

    Collaborate with stakeholders to run different profile scenarios. Validate your model including thresholds.

    The image contains a screenshot of tab 3 to demonstrate the next step of running tests to validate profile weightings.

    SoftwareReviews Advisory Insight:

    Keep your model simple in the interest of fast implementation and to drive early learnings. The goal is not to be perfect but to start iterating toward success. You will update your scoring model even after going into production.

    2 hours

    1. Choose scenarios of contact/lead profile attributes by placing a “1” in the “Attribute” box shown at left.
    2. Place your estimate of how you believe the profile should score in the box to the right of “Estimated Profile State.” How does the calculated state, beneath, compare to the estimated state?
    3. In cases where the calculated state differs from your estimated state, consider weighting the profile attribute differently to match.
    4. If you find estimates and calculated states off dramatically, consider changing previously determined thresholds in tab 2, “Identify Thresholds.” Test multiple scenarios with your team.

    Lead Scoring Workbook

    Step 2.3

    Establish Key Lead Generation Activities and Assets

    Activities

    2.3.1 Establish activities, attribute values, and weights

    2.3.2 Run tests to evaluate activity ratings

    This step will walk you through the following activities:

    • Identify the activities/asset types in your lead gen engine.
    • Weight each attribute and define values to score for each one.
    • Run tests to ensure your model makes sense.

    This step involves the following participants:

    • Stakeholders
    • Project sponsors and leaders

    Outcomes of this step

    • Final stakeholder alignment on which assets compose your lead generation engine
    • Scoring model tested

    2.3.1 Establish activities, attribute values, and weights

    2 hours

    1. Catalog the assets and activities that compose your lead generation engine outlined in Activity 1.3.3. Identify their attribute values and weight them accordingly.
    2. Consider weighting attributes and values according to how close that asset gets to conveying your ideal call to action. For example, if your ideal CTA is “schedule a demo” and the “click” was submitted in the last seven days, it scores 100%. Take time decay into consideration. If that same click was 60 days ago, it scores less – maybe 60%.
    3. Different assets convey different intent and therefore command different weightings; a video comparing your offering against the competition, considered a down funnel asset, scores higher than the company video, considered a top-of-the-funnel activity and “awareness.”
    The image contains a screenshot of the next step of establishing activities, attribute values, and weights.

    Lead Scoring Workbook

    2.3.2 Run tests to validate activity weightings

    Collaborate with stakeholders to run different engagement scenarios. Validate your model including thresholds.

    The image contains a screenshot of activity 2.3.2: run tests to validate activity weightings.

    SoftwareReviews Advisory Insight:

    Use data from actual closed deals and the underlying activities to build your model – nothing like using facts to inform your key decisions. Use common sense and keep things simple. Then update further when data from new wins appears.

    2 hours

    1. Test scenarios of contact engagement by placing a “1” in the “Attribute” box shown at left.
    2. Place your estimate of how you believe the engagement should score in the box to the right of “Estimated Engagement State.” How does the calculated state, beneath, compare to the estimated state?
    3. In cases where the calculated state differs from your estimated state, consider weighting the activity attribute differently to match.
    4. If you find that the estimates and calculated states are off dramatically, consider changing previously determined thresholds in tab 2, “Identify Thresholds.” Test multiple scenarios with your team.

    Lead Scoring Workbook

    Phase 3

    Apply Your Model to Marketing Apps and Go Live With Better Qualified Leads

    Phase 1

    Phase 2

    Phase 3

    1.1 Establish a cross-functional vision for lead scoring

    1.2 Asses your tech stack for lead scoring (optional)

    1.3 Catalog your buyer journey and lead gen engine assets

    2.1 Start building your lead scoring model

    2.2 Identify and verify your IPC and weightings

    2.3 Establish key lead generation activities and assets

    3.1 Apply model to your marketing management software

    3.2 Test the quality of sales-accepted leads

    3.3 Apply advanced methods

    This phase will walk you through the following activities:

    1. Apply model to your marketing management/campaign management software.
    2. Get better qualified leads in the hands of sellers.
    3. Apply lead nurturing and other advanced methods.

    This phase involves the following participants:

    • Field Marketing/Campaign Manager
    • Sales Leadership/Sales Operations
    • Inside Sales leadership
    • Marketing Operations/IT
    • Digital Platform leadership

    Step 3.1

    Apply Model to Your Marketing Management Software

    Activities

    3.1.1 Apply final model to your lead management software

    This step will walk you through the following activities:

    • Apply the details of your scoring model to the lead management software.

    This step involves the following participants:

    • Stakeholders
    • Project sponsors and leaders

    Outcomes of this step

    • Marketing management software or campaign management application is now set up/updated with your lead scoring approach.

    3.1.1 Apply final model to your lead management software

    Now that your model is complete and ready to go into production, input your lead scoring parameters into your lead management software.

    The image contains a screenshot of activity 3.1.1 demonstrating tab 4 of the Lead Scoring Workbook.

    3 hours

    1. Go to the Lead Scoring Workbook, tab 4, “Model Summary” for a formatted version of your lead scoring model. Double-check print formatting and print off a copy.
    2. Use the copy of your model to show to prospective technology providers when asking them to demonstrate their lead scoring capabilities.
    3. Once you have finalized your model, use the printed output from this tab to ease your process of transposing the corresponding model elements into your lead management software.

    Lead Scoring Workbook

    Step 3.2

    Test the Quality of Sales-Accepted Leads

    Activities

    3.2.1 Achieve sales lead acceptance

    3.2.2 Measure and optimize

    This step will walk you through the following activities:

    • Suggest that the Inside Sales and Field Sales teams should assess whether to sign off on quality of leads received.
    • Campaign managers and stakeholders should now be able to track lead status more effectively.

    This step involves the following participants:

    • Stakeholders
    • Project sponsors and leaders

    Outcomes of this step

    • Sales leadership should be able to sign off that leads are better qualified.
    • With marketing pipeline analytics in place, campaigners can start to measure lead flow and conversion rates.

    3.2.1 Achieve sales lead acceptance

    Collaborate with sellers to validate your lead scoring approach.

    1 hour

    1. Gather a set of SQLs – leads that have been qualified by Inside Sales and delivered to Field Sales. Have Field Sales team members convey whether these leads were properly qualified.
    2. Where leads are deemed not properly qualified, determine if the issue was a) a lack of proper qualification by the Inside Sales team, or b) the lead generation engine, which should have further nurtured the lead or ignored it outright.
    3. Work collaboratively with Inside Sales to update your lead scoring model and/or Inside Sales practice.

    Stage

    Characteristics

    Actions

    Contact

    • Unqualified
    • No/low activity

    Nurture

    SDR Qualify

    Send to Sales

    Close

    MQL

    • Profile scores high
    • Engagement strong

    SQL

    • Profile strengthened
    • Demo/quote/next step confirmed

    Oppt’y

    • Sales acceptance
    • Sales opportunity management

    Win

    • Deal closed

    SoftwareReviews Advisory Insight:

    Marketers that collaborate with Sales – and in this case, a group of sellers as a sales advisory team – well in advance of sales acceptance to design lead scoring will save time during this stage, build trust with sellers, and make faster decisions related to lead management/scoring.

    3.2.2 Measure and optimize

    Leverage analytics that help you optimize your lead scoring methodology.

    Ongoing

    1. Work with Marketing Ops/IT team to design and implement analytics that enable you to:
    2. Meet frequently with your stakeholder team to review results.
    3. Learn from the wins: see how they actually scored and adjust thresholds and/or asset/activity weightings.
    4. Learn from losses: fix ineffective scoring, activities, assets, form-fill strategies, and engagement paths.
    5. Test from both wins and losses if demographic weightings are delivering accurate scores.
    6. Analyze those high scoring leads that went right to sellers but did not close. This could point to a sales training or enablement challenge.
    The image contains a screenshot of the lead scoring dashboard.

    Analytics will also drive additional key insights across your lead gen engine:

    • Are volumes increasing or decreasing? What percentage of leads are in what status (A1-D4)?
    • What nurturing will re-engage stalled leads that score high in profile but low in engagement (A3, B3)?
    • Will additional profile data capture further qualify leads with high engagement (C1, C2)?
    • And beyond all of the above, what leads move to Inside Sales and convert to SQLs, opportunities, and eventually marketing-influenced wins?

    Step 3.3

    Apply Advanced Methods

    Activities

    3.3.1 Employ lead nurturing strategies

    3.3.2 Adjust your model over time to accommodate more advanced methods

    This step will walk you through the following activities:

    • Apply lead nurturing to your lead gen engine.
    • Adjust your engine over time with more advanced methods.

    This step involves the following participants:

    • Stakeholders
    • Project sponsors and leaders

    Outcomes of this step

    • Marketers can begin to test lead nurturing strategies and other advanced methods.

    3.3.1 Employ lead nurturing strategies

    A robust content marketing competence with compelling assets and the capture of additional profile data for qualification are key elements of your nurturing strategy.

    The image contains a screenshot of the Lead Scoring Grid with a focus on Nurture.

    SoftwareReviews Advisory Insight:

    Nurturing success combines the art of crafting engaging copy/experiences and the science of knowing just where a prospect is within your lead gen engine. Great B2B marketers demonstrate the discipline of knowing when to drive engagement and/or additional profile attribute capture using intent while not losing the prospect to over-profiling.

    Ongoing

    1. The goal of lead nurturing is to move the collection of contacts/leads that are scoring, for example, in the A3, B3, C1, C2, and C3 cells into A2, B2, and B1 cells.
    2. How is this best done? To nurture leads that are A3 and B3, entice the prospect with engagement that leads to the bottom of funnel – e.g. “schedule a demo” or “schedule a consultation” via a compelling asset. See the example on the following slide.
    3. To nurture C1 and C2, we need to qualify them further, so entice with an asset that leads to deeper profile knowledge.
    4. For C3 leads, we need both profile and activity nurturing.

    Lead nurturing example

    The image contains an example of a lead nurturing example.

    SoftwareReviews Advisory Insight:

    When nurturing, choose/design content as to what “intent” it satisfies. For example, a head-to-head comparison with a key competitor signals “Selection” phase of the buyer journey. Content that helps determine what app-type to buy signals “Solution”. A company video, or a webinar replay, may mean your buyer is “educating themselves.

    3.3.2 Adjust your model over time to accommodate more advanced methods

    When getting started or within a smaller marketing team, focus on the basics outlined thus far in this blueprint. Larger and/or more experienced teams are able to employ more advanced methods.

    Ongoing

    Advanced Methods

    • Invest in technologies that interpret lead scores and trigger next-step actions, especially outreach by Inside and/or Field Sales.
    • Use the above to route into nurturing environments where additional engagement will raise scores and trigger action.
    • Recognize that lead value decays with time to time additional outreach/activities and to reduce lead scores over time.
    • Always be testing different engagement, copy, and subsequent activities to optimize lead velocity through your lead gen engine.
    • Build intent sensitivity into engagement activities; e.g. test if longer demo video engagement times imply ”contact me for a demo” via a qualification outreach. Update scores manually to drive learnings.
    • Vary engagement paths by demographics to deliver unique digital experiences. Use firmographics/email domain to drive leads through a more tailored account-based marketing (ABM) experience.
    • Reapply learnings from closed opportunities/wins to drive updates to buyer journey mapping and your ICP.

    Frequently used acronyms

    ABM

    Account-Based Marketing

    B2B

    Business to Business

    CMO

    Chief Marketing Officer

    CRM

    Customer Relationship Management

    ICP

    Ideal Customer Profile

    MIW

    Marketing-Influenced Win

    MQL

    Marketing-Qualified Lead

    SDR

    Sales Development Representative

    SQL

    Sales-Qualified Lead

    Works cited

    Arora, Rajat. “Mining the Real Gems from you Data – Lead Scoring and Engagement Scoring.” LeadSquared, 27 Sept. 2014. Web.

    Doyle, Jen. “2012 B2B Marketing Benchmark Report: Research and insights on attracting and converting the modern B2B buyer.” MarketingSherpa, 2012. Web.

    Doyle, Jen, and Sergio Balegno. “2011 MarketingSherpa B2B Marketing Benchmark Survey: Research and Insights on Elevating Marketing Effectiveness from Lead Generation to Sales Conversion.” MarketingSherpa, 2011.

    Kirkpatrick, David. “Lead Scoring: CMOs realize a 138% lead gen ROI … and so can you.” marketingsherpa blog, 26 Jan 2012. Web.

    Moser, Jeremy. “Lead Scoring Is Important for Your Business: Here’s How to Create Scoring Model and Hand-Off Strategy.” BigCommerce, 25 Feb. 2019. Web.

    Strawn, Joey. “Why Lead Scoring Is Important for B2Bs (and How You Can Implement It for Your Company.” IndustrialMarketer.com, 17 Aug. 2016. Web.

    Drive Successful Sourcing Outcomes With a Robust RFP Process

    • Buy Link or Shortcode: {j2store}216|cart{/j2store}
    • member rating overall impact: 9.4/10 Overall Impact
    • member rating average dollars saved: $25,860 Average $ Saved
    • member rating average days saved: 14 Average Days Saved
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management
    • Most IT organizations do not have standard RFP templates and tools.
    • Many RFPs lack sufficient requirements.
    • Most RFP team members are not adequately trained on RFP best practices.
    • Most IT departments underestimate the amount of time that is required to perform an effective RFP.

    Our Advice

    Critical Insight

    • Vendors generally do not like RFPs
      Vendors view RFPs as time consuming and costly to respond to and believe that the decision is already made.
    • Dont ignore the benefits of an RFI
      An RFI is too often overlooked as a tool for collecting information from vendors about their product offerings and services.
    • Leverage a pre-proposal conference to maintain an equal and level playing field
      Pre-proposal conference is a convenient and effective way to respond to vendors’ questions ensuring all vendors have the same information to provide a quality response.

    Impact and Result

    • A bad or incomplete RFP results in confusing and incomplete vendor RFP responses which consume time and resources.
    • Incomplete or misunderstood requirements add cost to your project due to the change orders required to complete the project.

    Drive Successful Sourcing Outcomes With a Robust RFP Process Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Storyboard – Leverage your vendor sourcing process to get better results

    Discover a proven process for your RFPs. Review Info-Tech’s process and understand how you can prevent your organization from leaking negotiation leverage while preventing vendors from taking control of your RFP. Our 7-phase process prevents a bad RFP from taking your time, money, and resources.

    • Drive Successful Sourcing Outcomes With a Robust RFP Process Storyboard

    2. Define your RFP Requirements Tool – A convenient tool to gather your requirements and align them to your negotiation strategy.

    Use this tool to assist you and your team in documenting the requirements for your RFP. Use the results of this tool to populate the requirements section of your RFP.

    • RFP Requirements Worksheet

    3. RFP Development Suite of Tools – Use Info-Tech’s RFP, pricing, and vendor response tools and templates to increase your efficiency in your RFP process.

    Configure this time-saving suite of tools to your organizational culture, needs, and most importantly the desired outcome of your RFP initiative. This suite contains four unique RFP templates. Evaluate which template is appropriate for your RFP. Also included in this suite are a response evaluation guidebook and several evaluation scoring tools along with a template to report the RFP results to stakeholders.

    • RFP Calendar and Key Date Tool
    • Vendor Pricing Tool
    • Lean RFP Template
    • Short-Form RFP Template
    • Long-Form RFP Template
    • Excel Form RFP Tool
    • RFP Evaluation Guidebook
    • RFP Evaluation Tool
    • Vendor TCO Tool
    • Consolidated Vendor RFP Response Evaluation Summary
    • Vendor Recommendation Presentation

    Infographic

    Workshop: Drive Successful Sourcing Outcomes With a Robust RFP Process

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Foundation for Creating Requirements

    The Purpose

    Problem Identification

    Key Benefits Achieved

    Current process mapped and requirements template configured

    Activities

    1.1 Overview and level-setting

    1.2 Identify needs and drivers

    1.3 Define and prioritize requirements

    1.4 Gain business authorization and ensure internal alignment

    Outputs

    Map Your Process With Gap Identification

    Requirements Template

    Map Your Process With Gap Identification

    Requirements Template

    Map Your Process With Gap Identification

    Requirements Template

    Map Your Process With Gap Identification

    Requirements Template

    2 Creating a Sourcing Process

    The Purpose

    Define Success Target

    Key Benefits Achieved

    Baseline RFP and evaluation templates

    Activities

    2.1 Create and issue RFP

    2.2 Evaluate responses/proposals and negotiate the agreement

    2.3 Purchase goods and services

    Outputs

    RFP Calendar Tool

    RFP Evaluation Guidebook

    RFP Respondent Evaluation Tool

    3 Configure Templates

    The Purpose

    Configure Templates

    Key Benefits Achieved

    Configured Templates

    Activities

    3.1 Assess and measure

    3.2 Review templates

    Outputs

    Long-Form RFP Template

    Short-Form RFP Template

    Excel-Based RFP Template

    Further reading

    Drive Successful Sourcing Outcomes With a Robust RFP Process

    Leverage your vendor sourcing process to get better results.

    EXECUTIVE BRIEF

    Drive Successful Sourcing Outcomes with a Robust RFP Process

    Lack of RFP Process Causes...
    • Stress
    • Confusion
    • Frustration
    • Directionless
    • Exhaustion
    • Uncertainty
    • Disappointment
    Solution: RFP Process
    Steps in an RFP Process, 'Identify Need', 'Define Business Requirements', 'Gain Business Authorization', 'Perform RFI/RFP', 'Negotiate Agreement', 'Purchase Good and Services', and 'Assess and Measure Performance'.
    • Best value solutions
    • Right-sized solutions
    • Competitive Negotiations
    • Better requirements that feed negotiations
    • Internal alignment on requirements and solutions
    • Vendor Management Governance Plan
    Requirements
    • Risk
    • Legal
    • Support
    • Security
    • Technical
    • Commercial
    • Operational
    • Vendor Management Governance
    Templates, Tools, Governance
    • RFP Template
    • Your Contracts
    • RFP Procedures
    • Pricing Template
    • Evaluation Guide
    • Evaluation Matrix
    Vendor Management
    • Scorecards
    • Classification
    • Business Review Meetings
    • Key Performance Indicators
    • Contract Management
    • Satisfaction Survey

    Analyst Perspective

    Consequences of a bad RFP

    Photo of Steven Jeffery, Principal Research Director, Vendor Management, Co-Author: The Art of Creating a Quality RFP, Info-Tech Research Group

    “A bad request for proposal (RFP) is the gift that keeps on taking – your time, your resources, your energy, and your ability to accomplish your goal. A bad RFP is ineffective and incomplete, it creates more questions than it answers, and, perhaps most importantly, it does not meet your organization’s expectations.”

    Steven Jeffery
    Principal Research Director, Vendor Management
    Co-Author: The Art of Creating a Quality RFP
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • Most IT organizations are absent of standard RFP templates, tools, and processes.
    • Many RFPs lack sufficient requirements from across the business (Legal, Finance, Security, Risk, Procurement, VMO).
    • Most RFP team members are not adequately trained on RFP best practices.
    • Most IT departments underestimate the amount of time required to perform an effective RFP.
    • An ad hoc sourcing process is a common recipe for vendor performance failure.

    Common Obstacles

    • Lack of time
    • Lack of resources
    • Right team members not engaged
    • Poorly defined requirements
    • Too difficult to change supplier
    • Lack of a process
    • Lack of adequate tools/processes
    • Lack of a vendor communications plan that includes all business stakeholders.
    • Lack of consensus as to what the ideal result should look like.

    Info-Tech’s Approach

    • Establish a repeatable, consistent RFP process that maintains negotiation leverage and includes all key components.
    • Create reusable templates to expedite the RFP evaluation and selection process.
    • Maximize the competition by creating an equal and level playing field that encourages all the vendors to respond to your RFP.
    • Create a process that is clear and understandable for both the business unit and the vendor to follow.
    • Include Vendor Management concepts in the process.

    Info-Tech Insight

    A well planned and executed sourcing strategy that focuses on solid requirements, evaluation criteria, and vendor management will improve vendor performance.

    Executive Summary

    Your Challenge

    Your challenge is to determine the best sourcing tool to obtain vendor information on capabilities, solution(s), pricing and contracting: RFI, RFP, eRFX.

    Depending on your organization’s knowledge of the market, your available funding, and where you are in the sourcing process, there are several approaches to getting the information you need.

    An additional challenge is to answer the question “What is the purpose of our RFX?”

    If you do not have in-depth knowledge of the market, available solutions, and viable vendors, you may want to perform an RFI to provide available market information to guide your RFP strategy.

    If you have defined requirements, approved funding, and enough time, you can issue a detailed, concise RFP.

    If you have “the basics” about the solution to be acquired and are on a tight timeframe, an “enhanced RFI” may fit your needs.

    This blueprint will provide you with the tools and processes and insights to affect the best possible outcome.

    Executive Summary

    Common Obstacles

    • Lack of process/tools
    • Lack of input from stakeholders
    • Stakeholders circumventing the process to vendors
    • Vendors circumventing the process to key stakeholders
    • Lack of clear, concise, and thoroughly articulated requirements
    • Waiting until the vendor is selected to start contract negotiations
    • Waiting until the RFP responses are back to consider vendor management requirements
    • Lack of clear communication strategy to the vendor community that the team adheres to

    Many organizations underestimate the time commitment for an RFP

    70 Days is the average duration of an IT RFP.

    The average number of evaluators is 5-6

    4 Is the average number of vendor submissions, each requiring an average of two to three hours to review. (Source: Bonfire, 2019. Note: The 2019 Bonfire report on the “State of the RFP” is the most recent published.)

    “IT RFPs take the longest from posting to award and have the most evaluators. This may be because IT is regarded as a complex subject requiring complex evaluation. Certainly, of all categories, IT offers the most alternative solutions. The technology is also changing rapidly, as are the requirements of IT users – the half-life of an IT requirement is less than six months (half the requirements specified now will be invalid six months from now). And when the RFP process takes up two of those months, vendors may be unable to meet changed requirements when the time to implement arrives. This is why IT RFPs should specify the problem to be resolved rather than the solution to be provided. If the problem resolution is the goal, vendors are free to implement the latest technologies to meet that need.” (Bonfire, “2019 State of the RFP”)

    Why Vendors Don’t Like RFPs

    Vendors’ win rate

    44%

    Vendors only win an average of 44% of the RFPs they respond to (Loopio, 2022).
    High cost to respond

    3-5%

    Vendors budget 3-5% of the anticipated contract value to respond (LinkedIn, 2017, Note: LinkedIn source is the latest information available).
    Time spent writing response

    23.8 hours

    Vendors spend on average 23.8 hours to write or respond to your RFP (Marketingprofs, 2021).

    Negative effects on your organization from a lack of RFP process

    Visualization titled 'Lack of RFP Process Causes' with the following seven items listed.

    Stress, because roles and responsibilities aren’t clearly defined and communication is haphazard, resulting in strained relationships.

    Confusion, because you don’t know what the expected or desired results are.

    Directionless, because you don’t know where the team is going.

    Uncertainty, with many questions of your own and many more from other team members.

    Frustration, because of all the questions the vendors ask as a result of unclear or incomplete requirements.

    Exhaustion, because reviewing RFP responses of insufficient quality is tedious.

    Disappointment in the results your company realizes.

    (Source: The Art of Creating a Quality RFP)

    Info-Tech’s approach

    Develop an inclusive and thorough approach to the RFP Process

    Steps in an RFP Process, 'Identify Need', 'Define Business Requirements', 'Gain Business Authorization', 'Perform RFI/RFP', 'Negotiate Agreement', 'Purchase Good and Services', and 'Assess and Measure Performance'.

    The Info-Tech difference:

    1. The secret to managing an RFP is to make it as manageable and as thorough as possible. The RFP process should be like any other aspect of business – by developing a standard process. With a process in place, you are better able to handle whatever comes your way, because you know the steps you need to follow to produce a top-notch RFP.
    2. The business then identifies the need for more information about a product/service or determines that a purchase is required.
    3. A team of stakeholders from each area impacted gather all business, technical, legal, and risk requirements. What are the expectations of the vendor relationship post-RFP? How will the vendors be evaluated?
    4. Based on the predetermined requirements, either an RFI or an RFP is issued to vendors with a predetermined due date.

    Insight Summary

    Overarching insight

    Without a well defined, consistent RFP process, with input from all key stakeholders, the organization will not achieve the best possible results from its sourcing efforts.

    Phase 1 insight

    Vendors are choosing to not respond to RFPs due to their length and lack of complete requirements.

    Phase 2 insight

    Be clear and concise in stating your requirements and include, in addition to IT requirements, procurement, security, legal, and risk requirements.

    Phase 3 insight

    Consider adding vendor management requirements to manage the ongoing relationship post contract.

    Tactical insight

    Consider the RFP Evaluation Process as you draft the RFP, including weighting the RFP components. Don’t underestimate the level of effort required to effectively evaluate responses – write the RFP with this in mind.

    Tactical insight

    Provide strict, prescriptive instructions detailing how the vendor should submit their responses. Controlling vendor responses will increase your team’s efficiency in evaluations while providing ease of reference responses across multiple vendors.

    Key deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Key deliverables:

    Info-Tech provides you with the tools you need to go to market in the most efficient manner possible, with guidance on how to achieve your goals.

    Sample of

    Long-Form RFP Template
    For when you have complete requirements and time to develop a thorough RFP.
    Sample of the Long-Form RFP Template deliverable. Short-Form RFP Template
    When the requirements are not as extensive, time is short, and you are familiar with the market.
    Sample of the Short-Form RFP Template deliverable.
    Lean RFP Template
    When you have limited time and some knowledge of the market and wish to include only a few vendors.
    Sample of the Lean RFP Template deliverable. Excel-Form RFP Template
    When there are many requirements, many options, multiple vendors, and a broad evaluation team.
    Sample of the Excel-Form RFP Template deliverable.

    Blueprint benefits

    IT Benefits
    • Side-by-side comparison of vendor capabilities
    • Pricing alternatives
    • No surprises
    • Competitive solutions to deliver the best results
    Mutual IT and Business Benefits
    • Reduced time to implement
    • Improved alignment between IT /Business
    • Improved vendor performance
    • Improved vendor relations
    Business Benefits
    • Budget alignment, reduced cost
    • Best value
    • Risk mitigation
    • Legal and risk protections

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is seven to twelve calls over the course of four to six months.

    What does a typical GI on this topic look like?

    Phase 1

    Phase 2

    Phase 3

    Phase 4

    Phase 5

    Phase 6

    Phase 7

    Call #1: Identify the need Call #3: Gain business authorization Call #5: Negotiate agreement strategy Call #7: Assess and measure performance
    Call #2: Define business requirements Call #4: Review and perform the RFX or RFP Call #6: Purchase goods and services

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com1-888-670-8889

    Day 1 Day 2 Day 3
    Activities
    Answer “What problem do we need to solve?”

    1.1 Overview and level-setting

    1.2 Identify needs and drivers

    1.3 Define and prioritize requirements

    1.4 Gain business authorization and ensure internal alignment

    Define what success looks like?

    2.1 Create and issue RFP

    2.2 Evaluate responses/ proposals and negotiate the agreement.

    2.3 Purchase goods and services

    Configure Templates

    3.1 Assess and measure

    3.2 Review tools

    Deliverables
    1. Map your process with gap identification
    2. RFP Requirements Worksheet
    1. RFP Calendar and Key Date Tool
    2. RFP Evaluation Guidebook
    3. RFP Evaluation Tool
    1. Long-form RFP Template
    2. Short-form RFP Template
    3. Excel-based RFP Tool
    4. Lean RFP Template

    Phase 1

    Identify Need

    Steps

    1.1 Establish the need to either purchase goods/services (RFP) or acquire additional information from the market (RFI).

    Steps in an RFP Process with the first step, 'Identify Need', highlighted.

    This phase involves the following participants:

    • Business stakeholders
    • IT
    • Sourcing/Procurement
    • Finance

    Identify the need based on business requirements, changing technology, increasing vendor costs, expiring contracts, and changing regulatory requirements.

    Outcomes of this phase

    Agreement on the need to go to market to make a purchase (RFP) or to acquire additional information (RFI) along with a high-level agreement on requirements, rough schedule (is there time to do a full blown RFP or are you time constrained, which may result in an eRFP) and the RFP team is identified.

    Identify Need
    Phase 1 Phase 2 Phase 3 Phase 4 Phase 5 Phase 6 Phase 7

    Identify the Need for Your RFP

    • An RFP is issued to the market when you are certain that you intend to purchase a product/service and have identified an adequate vendor base from which to choose as a result of:

      • IT Strategy
      • Changes in technology
      • Marketplace assessment
      • Contract expiration/renewal
      • Changes in regulatory requirements
      • Changes in the business’ requirements
    • An RFI is issued to the market when you are uncertain as to available technologies or supplier capabilities and need budgetary costs for planning purposes.
    • Be sure to choose the right RFx tool for your situation!
    Stock photo of a pen circling the word 'needs' on a printed document.

    Phase 2

    Define Your RFP Requirements

    Steps

    2.1 Define and classify the technical, business, financial, legal, and support and security requirements for your business.

    Steps in an RFP Process with the second step, 'Define Business Requirements', highlighted.

    This phase involves the following participants:

    • IT
    • Legal
    • Finance
    • Risk management
    • Sourcing/Procurement
    • Business stakeholders

    Outcomes of this phase

    A detailed list of required business, technical, legal and procurement requirements classified as to absolute need(s), bargaining and concession need(s), and “nice to haves.”

    Define Business Requirements

    Phase 1 Phase 2 Phase 3 Phase 4 Phase 5 Phase 6 Phase 7

    Define RFP Requirements

    Key things to consider when defining requirements

    • Must be inclusive of the needs of all stakeholders: business, technical, financial, and legal
    • Strive for clarity and completeness in each area of consideration.
    • Begin defining your “absolute,” “bargaining,” “concession,” and ‘”dropped/out of scope” requirements to streamline the evaluation process.
    • Keep the requirements identified as “absolute” to a minimum, because vendors that do not meet absolute requirements will be removed from consideration.
    • Do you have a standard contract that can be included or do you want to review the vendor’s contract?
    • Don’t forget Data Security!
    • Begin defining your vendor selection criteria.
    • What do you want the end result to look like?
    • How will you manage the selected vendor after the contract? Include key VM requirements.
    • Defining requirements can’t be rushed or you’ll find yourself answering many questions, which may create confusion.
    • Collect all your current spend and budget considerations regarding the needed product(s) and service(s).

    “Concentrate on the needs of the organization and not the wants of the individuals when creating requirements to avoid scope creep.” (Donna Glidden, ITRG Research Director)

    Leverage the “ABCD” approach found in our Prepare for Negotiations More Effectively blueprint:
    https://tymansgrpup.com/research/ss/prepare-for-negotiations-more-effectively

    2.1 Prioritize your requirements

    1 hr to several days

    Input: List of all requirements from IT and IT Security, Business, Sourcing/Procurement, Risk Management, and Legal

    Output: Prioritized list of RFP requirements approved by the stakeholder team

    Materials: The RFP Requirements Worksheet

    Participants: All stakeholders impacted by the RFP: IT, IT Security, the Business, Sourcing/ Procurement, Risk Management, Legal

    1. Use this tool to assist you and your team in documenting the requirements for your RFP. Leverage it to collect and categorize your requirements in preparation for negotiations. Use the results of this tool to populate the requirements section of your RFP.
    2. As a group, review each of the requirements and determine their priority as they will ultimately relate to the negotiations.
      • Prioritizing your requirements will set up your negotiation strategy and streamline the process.
      • By establishing the priority of each requirement upfront, you will save time and effort in the selection process.
    3. Review RFP requirements with stakeholders for approval.

    Download the RFP Requirements Worksheet

    Phase 3

    Gain Business Authorization

    Steps

    3.1 Obtain business authorization from the business, technology, finance and Sourcing/Procurement

    Steps in an RFP Process with the third step, 'Gain Business Authorization', highlighted.

    This phase involves the following participants:

    • Business stakeholders
    • Technology and finance (depending upon the business)
    • Sourcing/Procurement

    Outcomes of this phase

    Approval by all key stakeholders to proceed with the issuing of the RFP and to make a purchase as a result.

    Gain Business Authorization

    Phase 1 Phase 2 Phase 3 Phase 4 Phase 5 Phase 6 Phase 7

    Gain Business Authorization

    Gain authorization for your RFP from all relevant stakeholders
    • Alignment of stakeholders
    • Agreement on final requirements
    • Financial authorization
    • Commitment of resources
    • Agreement on what constitutes vendor qualification
    • Finalization of selection criteria and their prioritization

    Obtaining cross-function alignment will clear the way for contract, SOW, and budget approvals and not waste any of your and your vendor’s resources in performing an RFP that your organization is not ready to implement or invest financial and human resources in.

    Stock photo of the word 'AUTHORIZED' stamped onto a white background with a much smaller stamp laying beside it.

    Phase 4

    Create and Issue

    Steps

    4.1 Build your RFP

    4.2 Decide RFI or not

    4.3 Create your RFP

    4.4 Receive & answer questions

    4.5 Perform Pre-Proposal Conference

    4.6 Evaluate responses

    Steps in an RFP Process with the fourth step, 'Perform RFI/RFP', highlighted.

    This phase involves the following participants:

    • The RFP owner
    • IT
    • Business SMEs/stakeholders

    Outcomes of this phase

    RFP package is issued to vendors and includes the date of the Pre-Proposal Conference, which should be held shortly after RFP release and includes all parties.

    SME’s/stakeholders participate in providing answers to RFP contact for response to vendors.

    Create and Issue Your RFP/RFI

    Phase 1 Phase 2 Phase 3 Phase 4 Phase 5 Phase 6 Phase 7

    Six Steps to Perform RFI/RFP

    Step 1

    • Build your RFP with evaluation in mind.

    Step 2

    • RFI or no RFI
    • Consider a Lean RFP

    Step 3

    • Create your RFP
    • Establish your RFP dates
    • Decide on RFP template
      • Short
      • Long
      • Excel
    • Create a template for vendors’ response
    • Create your Pricing Template

    Step 4

    • Receive RFP questions from vendors
    • Review and prepare answers to questions for the Pre-Proposal Conference

    Step 5

    • Conduct a Pre-Proposal Conference

    Step 6

    • Receive vendors’ proposals
    • Review for compliance and completion
    • Team evaluates vendors’ proposals.
    • Prepare TCO
    • Draft executive recommendation report

    Build your RFP with evaluation in mind

    Easing evaluation frustrations

    At the beginning of your RFP creation process consider how your requirements will impact the vendor’s response. Concentrate on the instructions you provide the vendors and how you wish to receive their responses. View the RFP through the lens of the vendors and envision how they are going to respond to the proposal.

    Limiting the number of requirements included in the RFP will increase the evaluation team’s speed when reviewing vendors’ responses. This is accomplished by not asking questions for common features and functionality that all vendors provide. Don’t ask multiple questions within a question. Avoid “lifting” vendor-specific language to copy into the RFP as this will signal to vendors who their competition might be and may deter their participation. Concentrate your requirement questions to those areas that are unique to your solution to reduce the amount of time required to evaluate the vendors’ response.

    Things to Consider When Creating Your RFP:

    • Consistency is the foundation for ease of evaluation.
    • Provide templates, such as an Excel worksheet, for the vendor’s pricing submissions and for its responses to close-ended questions.
    • Give detailed instructions on how the vendor should organize their response.
    • Limit the number of open-ended questions requiring a long narrative response to must-have requirements.
    • Organize your requirements and objectives in a numerical outline and have the vendor respond in the same manner, such as the following:
      • 1
      • 1.1
      • 1.1.1

    Increase your response quality

    Inconsistent formatting of vendor responses prevents an apples-to-apples evaluation between vendor responses. Evaluation teams are frequently challenged and are unable to evaluate vendors’ responses equally against each other for the following reasons:

    Challenges
    • Vendor responses are submitted with different and confusing nomenclature
    • Inconsistent format in response
    • Disparate order of sections in the vendors responses
    • Different style of outlining their responses, e.g. 1.1 vs. I.(i)
    • Pricing proposal included throughout their response
    • Responses are comingled with marketing messages
    • Vendor answers to requirements or objectives are not consolidated in a uniform manner
    • Disparate descriptions for response subsections
    Prevention
    • Provide specific instructions as to how the vendor is to organize their response:
      • How to format and outline the response
      • No marketing material
      • No pricing in the body of the response
    • Provide templates for pricing, technical, operational, and legal aspects.

    Six Steps to Perform RFI/RFP

    Step 1

    • Build your RFP with evaluation in mind.

    Step 2

    • RFI or no RFI
    • Consider a Lean RFP

    Step 3

    • Create your RFP
    • Establish your RFP dates
    • Decide on RFP template
      • Short
      • Long
      • Excel
    • Create a template for vendors’ response
    • Create your Pricing Template

    Step 4

    • Receive RFP questions from vendors
    • Review and prepare answers to questions for the Pre-Proposal Conference

    Step 5

    • Conduct a Pre-Proposal Conference

    Step 6

    • Receive vendors’ proposals
    • Review for compliance and completion
    • Team evaluates vendors’ proposals.
    • Prepare TCO
    • Draft executive recommendation report

    Perform Request for Information

    Don’t underestimate the importance of the RFI

    As the name implies, a request for information (RFI) is a tool for collecting information from vendors about the companies, their products, and their services. We find RFIs useful when faced with a lot of vendors that we don’t know much about, when we want to benchmark the marketplace for products and services, including budgetary information, and when we have identified more potential vendors than we care to commit a full RFP to.

    RFIs are simpler and less time-consuming than RFPs to prepare and evaluate, so it can make a lot of sense to start with an RFI. Eliminating unqualified vendors from further consideration will save your team from weeding through RFP responses that do not meet your objectives. For their part, your vendors will appreciate your efforts to determine up-front which of them are the best bets before asking them to spend resources and money producing a costly proposal.

    While many organizations rarely use RFIs, they can be an effective tool in the vendor manager’s toolbox when used at the right time in the right way. RFIs can be deployed in competitive targeted negotiations.

    A Lean RFP is a two-stage strategy that speeds up the typical RFP process. The first stage is like an RFI on steroids, and the second stage is targeted competitive negotiation.

    Don’t rely solely on the internet to qualify vendors; use an RFI to acquire additional information before finalizing an RFP.

    4.2.1 In a hurry? Consider a Lean RFP instead of an RFP

    Several days
    1. Create an RFI with all of the normal and customary components. Next, add a few additional RFP-like requirements (e.g. operational, technical, and legal requirements). Make sure you include a request for budgetary pricing and provide any significant features and functionality requirements so that the vendors have enough information to propose solutions. In addition, allow the vendors to ask questions through your single point of coordination and share answers with all of the vendors. Finally, notify the vendors that you will not be doing an RFP.
    2. Review the vendors’ proposals and evaluate their proposals against your requirements along with their notional or budgetary pricing.
    3. Have the evaluators utilize the Lean RFP Template to record their scores accordingly.
    4. After collecting the scores from the evaluators, consolidate the scores together to discuss which vendors – we recommend two or three – you want to present demos.
    5. Based on the vendors’ demos, the team selects at least two vendors to negotiate contract and pricing terms with intent of selecting the best-value vendor.
    6. The Lean RFP shortens the typical RFP process, maintains leverage for your organization, and works great with low- to medium-spend items (however your organization defines them). You’ll get clarification on vendors’ competencies and capabilities, obtain a fair market price, and meet your internal clients’ aggressive timelines while still taking steps to protect your organization.

    Download the Lean RFP Template

    Download the RFP Evaluation Tool

    4.2.1 In a hurry? Consider a Lean RFP instead of an RFP continued

    Input

    • List of technical, operational, business, and legal requirements
    • Budgetary pricing ask

    Output

    • A Lean RFP document that includes the primary components of an RFP
    • Lean RFP vendors response evaluation

    Materials

    • Lean RFP Template
    • RFP Evaluation Tool
    • Contracting requirements
    • Pricing

    Participants

    • IT
    • Business
    • Finance
    • Sourcing/Procurement

    Case Study

    A Lean RFP saves time
    INDUSTRY: Pharmaceutical
    SOURCE: Guided Implementation
    Challenge
    • The vendor manager (VM) was experiencing pressure to shorten the expected five-month duration to perform an RFP for software that planned, coordinated, and submitted regulatory documents to the US Food and Drug Administration.
    • The VM team was not completely familiar with the qualified vendors and their solutions.
    • The organization wanted to capitalize on this opportunity to enhance its current processes with the intent of improving efficiencies in documentation submissions.
    Solution
    • Leveraging the Lean RFP process, the team reduced the 200+ RFP questionnaire into a more manageable list of 34 significant questions to evaluate vendor responses.
    • The team issued the Lean RFP and requested the vendors’ responses in three weeks instead of the five weeks planned for the RFP process.
    • The team modified the scoring process to utilize a simple weighted-scoring methodology, using a scale of 1-5.
    Results
    • The Lean RFP scaled back the complexity of a large RFP.
    • The customer received three vendor responses ranging from 19 to 43 pages and 60-80% shorter than expected if the RFP had been used. This allowed the team to reduce the evaluation period by three weeks.
    • The duration of the RFx process was reduced by more than two months – from five months to just under three months.

    Six Steps to Perform RFI/RFP

    Step 1

    • Build your RFP with evaluation in mind.

    Step 2

    • RFI or no RFI
    • Consider a Lean RFP

    Step 3

    • Create your RFP
    • Establish your RFP dates
    • Decide on RFP template
      • Short
      • Long
      • Excel
    • Create a template for vendors’ response
    • Create your Pricing Template

    Step 4

    • Receive RFP questions from vendors
    • Review and prepare answers to questions for the Pre-Proposal Conference

    Step 5

    • Conduct a Pre-Proposal Conference

    Step 6

    • Receive vendors’ proposals
    • Review for compliance and completion
    • Team evaluates vendors’ proposals.
    • Prepare TCO
    • Draft executive recommendation report

    4.3.1 RFP Calendar

    1 hour

    Input: List duration in days of key activities, RFP Calendar and Key Date Tool, For all vendor-inclusive meetings, include the dates on your RFP calendar and reference them in the RFP

    Output: A timeline to complete the RFP that has the support of each stakeholder involved in the process and that allows for a complete and thorough vendor response.

    Materials: RFP Calendar and Key Date Tool

    Participants: IT management, Business stakeholder(s), Legal (as required), Risk management (as required), Sourcing/Procurement, Vendor management

    1. As a group, identify the key activities to be accomplished and the amount of time estimated to complete each task:
      1. Identify who is ultimately accountable for the completion of each task
      2. Determine the length of time required to complete each task
    2. Use the RFP Calendar and Key Date Tool to build the calendar specific to your needs.
    3. Include vendor-related dates in the RFP, i.e., Pre-Proposal Conference, deadline for RFP questions as well as response.

    Download the RFP Calendar and Key Date Tool

    Draft your RFP

    Create and issue your RFP, which should contain at least the following:
    • The ability for the vendors to ask clarifying questions (in writing, sent to the predetermined RFP contact)
    • Pre-Proposal/Pre-Bid Conference schedule where vendors can receive the same answer to all clarifying written questions
    • A calendar of events (block the time on stakeholder calendars – see template).
    • Instructions to potential vendors on how they should construct and return their response to enable effective and timely evaluation of each offer.
    • Requirements; for example: Functional, Operational, Technical, and Legal.
    • Specification drawings as if applicable.
    • Consider adding vendor management requirements – how do you want to manage the relationship after the deal is done?
    • A pricing template for vendors to complete that facilitates comparison across multiple vendors.
    • Contract terms required by your legal team (or your standard contract for vendors to redline as part of their response and rated/ranked accordingly).
    • Create your RFP with the evaluation process and team in mind to ensure efficiency and timeliness in the process. Be clear, concise, and complete in the document.
    • Consistency and completeness is the foundation for ease of evaluation.
    • Give vendors detailed instruction on how to structure and organize their response.
    • Limit the number of open-ended questions requiring a long narrative response.
    • Be sure to leverage Info-Tech’s proven and field-tested Short-Form, Long-Form, and Lean RFP Templates provided in this blueprint.

    Create a template for the vendors’ response

    Dictating to the vendors the format of their response will increase your evaluation efficiency
    Narrative Response:

    Create either a Word or Excel document that provides the vendor with an easy vehicle for their response. This template should include the question identifier that ties the response back to the requirement in the RFP. Instruct vendors to include the question number on any ancillary materials they wish to include.

    Pricing Response:

    Create a separate Excel template that the vendors must use to provide their financial offer. This template should include pricing for hardware, software, training, implementation, and professional services, as well as placeholders for any additional fees.

    Always be flexible in accepting alternative proposals after the vendor has responded with the information you requested in the format you require.

    Stock image of a paper checklist in front of a laptop computer's screen.

    4.3.2 Vendor Pricing Tool

    1 hour

    Input: Identify pricing components for hardware, software, training, consulting/services, support, and additional licenses (if needed)

    Output: Vendor Pricing Tool

    Materials: RFP Requirements Worksheet, Pricing template

    Participants: IT, Finance, Business stakeholders, Sourcing/Procurement, Vendor management

    1. Using a good pricing template will prevent vendors from providing pricing offers that create a strategic advantage designed to prevent you from performing an apples-to-apples comparison.
    2. Provide specific instructions as to how the vendor is to organize their pricing response, which should be submitted separate from the RFP response.
    3. Configure and tailor pricing templates that are specific to the product and/or services.
    4. Upon receipt of all the vendor’s responses, simply cut and paste their total response to your base template for an easy side-by-side pricing comparison.
    5. Do not allow vendors to submit financial proposals outside of your template.

    Download the Vendor Pricing Tool

    Three RFP Templates

    Choose the right template for the right sourcing initiative

    • Short-Form
    • Use the Short-Form RFP Template for simple, non-complex solutions that are medium to low dollar amounts that do not require numerous requirements.

    • Long-Form
    • We recommend the Long-Form RFP Template for highly technical and complex solutions that are high dollar and have long implementation duration.

    • Excel-Form
    • Leverage the Excel-Form RFP Tool for requirements that are more specific in nature to evaluate a vendor’s capability for their solution. This template is designed to be complete and inclusive of the RFP process, e.g., requirements, vendor response, and vendor response evaluation scoring.

    Like tools in a carpenters’ tool box or truck, there is no right or wrong template for any job. Take into account your organization culture, resources available, time frame, policies, and procedures to pick the right tool for the job. (Steve Jeffery, Principal Research Director, Vendor Management, Co-Author: The Art of Creating a Quality RFP, Info-Tech Research Group)

    4.3.3 Short-Form RFP Template

    1-2 hours

    Input: List of technical, legal, business, and data security requirements

    Output: Full set of requirements, prioritized, that all participants agree to

    Materials: Short-Form RFP Template, Vendor Pricing Tool, Supporting exhibits

    Participants: IT management, Business stakeholder(s), Legal (as required), Risk management (as required), Sourcing/Procurement, Vendor management

    • This is a less complex RFP that has relatively basic requirements and perhaps a small window in which the vendors can respond. As with the long-form RFP, exhibits are placed at the end of the RFP, an arrangement that saves both your team and the vendors time. Of course, the short-form RFP contains less-specific instructions, guidelines, and rules for vendors’ proposal submissions.
    • We find that short-form RFPs are a good choice when you need to use something more than a request for quote (RFQ) but less than an RFP running 20 or more pages. It’s ideal, for example, when you want to send an RFP to only one vendor or to acquire items such as office supplies, contingent labor, or commodity items that don’t require significant vendor risk assessment.

    Download the Short-Form RFP Template

    4.3.4 Long-Form RFP Template

    1-3 hours

    Input: List of technical, legal, business, and data security requirements

    Output: Full set of requirements, prioritized, that all stakeholders agree to

    Materials: Long-Form RFP Template, Vendor Pricing Tool, Supporting exhibits

    Participants: IT management, Business stakeholder(s), Legal (as required), Risk management (as required), Sourcing/Procurement, Vendor management

    • A long-form or major RFP is an excellent tool for more complex and complicated requirements. This template is for a baseline RFP.
    • It starts with best-in-class RFP terms and conditions that are essential to maintaining your control throughout the RFP process. The specific requirements for the business, functional, technical, legal, and pricing areas should be included in the exhibits at the end of the template. That makes it easier to tailor the RFP for each deal, since you and your team can quickly identify specific areas that need modification. Grouping the exhibits together also makes it convenient for both your team to review and the vendors to respond.
    • You can use this sample RFP as the basis for your template RFP, taking it all as is or picking and choosing the sections that best meet the mission and objectives of the RFP and your organization.

    Download the Long-Form RFP Template

    4.3.5 Excel-Form RFP Tool

    Several weeks

    Input: List of technical, legal, business, and data security requirements

    Output: Full set of requirements, prioritized, that all stakeholders agree to

    Materials: Excel-Form RFP Template, Vendor Pricing Tool, Supporting exhibits

    Participants: IT management, Business stakeholder(s), Legal (as required), Risk management (as required), Sourcing/Procurement, Vendor management

    • The Excel-Form RFP Tool is used as an alternative to the other RFP toolsets if you have multiple requirements and have multiple vendors to choose from.
    • Requirements are written as a “statement” and the vendor can select from five answers as to their ability to meet the requirements, with the ability to provide additional context and materials to augment their answers, as needed.
    • Requirements are listed separately in each tab, for example, Business, Legal, Technical, Security, Support, Professional Services, etc.

    Download the Excel-Form RFP Template

    Six Steps to Perform RFI/RFP

    Step 1

    • Build your RFP with evaluation in mind.

    Step 2

    • RFI or no RFI
    • Consider a Lean RFP

    Step 3

    • Create your RFP
    • Establish your RFP dates
    • Decide on RFP template
      • Short
      • Long
      • Excel
    • Create a template for vendors’ response
    • Create your Pricing Template

    Step 4

    • Receive RFP questions from vendors
    • Review and prepare answers to questions for the Pre-Proposal Conference

    Step 5

    • Conduct a Pre-Proposal Conference

    Step 6

    • Receive vendors’ proposals
    • Review for compliance and completion
    • Team evaluates vendors’ proposals.
    • Prepare TCO
    • Draft executive recommendation report

    Answer Vendor Questions

    Maintaining your equal and level playing field among vendors

    • Provide an adequate amount of time from the RFP issue date to the deadline for vendor questions. There may be multiple vendor staff/departments that need to read the RFP and then discuss their response approach and gather any clarifying questions, so we generally recommend three to five business days.
    • There should be one point of contact for all Q&A, which should be submitted in writing via email only. Be sure to plan for enough time to get the answers back from the RFP stakeholders.
    • After the deadline, collect all Q&A and begin the process of consolidating into one document.
    Large silver question mark.
    • Be sure to anonymize both vendor questions and your responses, so as not to reveal who asked or answered the question.
    • Send the document to all RFP respondents via your sourcing tool or BCC in an email to the point of contact, with read receipt requested. That way, you can track who has received and opened the correspondence.
    • Provide the answers a few days prior to the Pre-Proposal Conference to allow all respondents time to review the document and prepare any additional questions.
    • Begin the preparation for the Pre-Proposal Conference.

    Six Steps to Perform RFI/RFP

    Step 1

    • Build your RFP with evaluation in mind.

    Step 2

    • RFI or no RFI
    • Consider a Lean RFP

    Step 3

    • Create your RFP
    • Establish your RFP dates
    • Decide on RFP template
      • Short
      • Long
      • Excel
    • Create a template for vendors’ response
    • Create your Pricing Template

    Step 4

    • Receive RFP questions from vendors
    • Review and prepare answers to questions for the Pre-Proposal Conference

    Step 5

    • Conduct a Pre-Proposal Conference

    Step 6

    • Receive vendors’ proposals
    • Review for compliance and completion
    • Team evaluates vendors’ proposals.
    • Prepare TCO
    • Draft executive recommendation report

    Conduct Pre-Proposal Conference

    Maintain an equal and level playing field

    • Consolidate all Q&A to be presented to all vendors during the Pre-Proposal Conference.
    • If the Pre-Proposal Conference is conducted via conference call, be sure to record the session and advise all participants at the beginning of the call.
    • Be sure to have key stakeholders present on the call to answer questions.
    • Read each question and answer, after which ask if there are any follow up questions. Be sure to capture them and then add them to the Q&A document.
    • Remind respondents that no further questions will be entertained during the remainder of the RFP response period.
    • Send the updated and completed document to all vendors (even if circumstances prevented their attending the Pre-Proposal Conference). Use the same process as when you sent out the initial answers: via email, blind copy the respondents and request read/receipt.

    “Using a Pre-Proposal Conference allows you to reinforce that there is a level playing field for all of the vendors…that each vendor has an equal chance to earn your business. This encourages and maximizes competition, and when that happens, the customer wins.” (Phil Bode, Principal Research Director, Co-Author: The Art of Creating a Quality RFP, Info-Tech Research Group)

    Pre-Proposal Conference Agenda

    Modify this agenda for your specific organization’s culture
    1. Opening Remarks & Welcome – RFP Manager
      1. Agenda review
      2. Purpose of the Pre-Proposal Conference
    2. Review Agenda
      1. Introduction of your (customer) attendees
    3. Participating Vendor Introduction (company name)
    4. Executive or Sr. Leadership Comments (limit to five minutes)
      1. Importance of the RFP
      2. High-level business objective or definition of success
    5. Review Key Dates in the RFP

    (Source: The Art of Creating a Quality RFP, Jeffery et al., 2019)
    1. Review of any Technical Drawings or Information
      1. Key technical requirements and constraints
      2. Key infrastructure requirements and constraints
    2. Review of any complex RFP Issues
      1. Project scope/out of scope
    3. Question &Answer
      1. Vendors’ questions in alphabetical order
    4. Review of Any Specific Instructions for the Respondents
    5. Conclusion/Closing
      1. Review how to submit additional questions
      2. Remind vendors of the single point of contact

    Allow your executive or leadership sponsor to leave the Pre-Proposal Conference after they provide their comments to allow them to continue their day while demonstrating to the vendors the importance of the project.

    Six Steps to Perform RFI/RFP

    Step 1

    • Build your RFP with evaluation in mind.

    Step 2

    • RFI or no RFI
    • Consider a Lean RFP

    Step 3

    • Create your RFP
    • Establish your RFP dates
    • Decide on RFP template
      • Short
      • Long
      • Excel
    • Create a template for vendors’ response
    • Create your Pricing Template

    Step 4

    • Receive RFP questions from vendors
    • Review and prepare answers to questions for the Pre-Proposal Conference

    Step 5

    • Conduct a Pre-Proposal Conference

    Step 6

    • Receive vendors’ proposals
    • Review for compliance and completion
    • Team evaluates vendors’ proposals.
    • Prepare TCO
    • Draft executive recommendation report

    Evaluate Responses

    Other important information

    • Consider separating the pricing component from the RFP responses before sending them to reviewers to maintain objectivity until after you have received all ratings on the proposals themselves.
    • Each reviewer should set aside focused time to carefully read each vendor’s response
    • Read the entire vendor proposal – they spent a lot time and money responding to your request, so please read everything.
    • Remind reviewers that they should route any questions to the vendor through the RFP manager.
    • Using the predetermined ranking system for each section, rate each section of the response, capturing any notes, questions, or concerns as you proceed through the document(s).
    Stock photo of a 'Rating' meter with values 'Very Bad to 'Excellent'.

    Use a proven evaluation method

    Two proven methods to reviewing vendors’ proposals are by response and by objective

    The first, by response, is when the evaluator reviews each vendor’s response in its entirety.

    The second, reviewing by objective, is when the evaluator reviews each vendor’s response to a single objective before moving on to the next.

    By Response

    Two-way arrow with '+ Pros' in green on the left and 'Cons -' in red on the right.

    By Objective

    Two-way arrow with '+ Pros' in green on the left and 'Cons -' in red on the right.

    • Each response is thoroughly read all the way through.
    • Response inconsistencies are easily noticed.
    • Evaluators obtain a good feel for the vendor's response.
    • Evaluators will lose interest as they move from one response to another.
    • Evaluation will be biased if the beginning of response is subpar, influencing the rest of the evaluation.
    • Deficiencies of the perceived favorite vendor are overlooked.
    • Evaluators concentrate on how each objective is addressed.
    • Evaluators better understand the responses, resulting in identifying the best response for the objective.
    • Evaluators are less susceptible to supplier bias.
    • Electronic format of the response hampers response review per objective.
    • If a hard copy is necessary, converting electronic responses to hard copy is costly and cumbersome.
    • Discipline is required to score each vendor's response as they go.

    Maintain evaluation objectivity by reducing response evaluation biases

    Evaluation teams can be naturally biased during their review of the vendors’ responses.

    You cannot eliminate bias completely – the best you can do is manage it by identifying these biases with the team and mitigating their influence in the evaluation process.

    Vendor

    The evaluator only trusts a certain vendor and is uncomfortable with any other vendor.
    • Evaluate the responses blind of vendor names, if possible.
    Centerpiece for this table, titled 'BIAS' and surrounding by iconized representations of the four types listed.

    Account Representatives

    Relationships extend beyond business, and an evaluator doesn't want to jeopardize them.
    • Craft RFP objectives that are vendor neutral.

    Technical

    A vendor is the only technical solution the evaluator is looking for, and they will not consider anything else.
    • Conduct fair and open solution demonstrations.

    Price

    As humans, we can justify anything at a good price.
    • Evaluate proposals without awareness of price.

    Additional insights when evaluating RFPs

    When your evaluation team includes a member of the C-suite or senior leadership, ensure you give them extra time to sufficiently review the vendor's responses. When your questions require a definitive “Yes”/“True” or “No”/“False” responses, we recommend giving the maximum score for “Yes”/“True” and the minimum score for “No”/“False”.
    Increase your efficiency and speed of evaluation by evaluating the mandatory requirements first. If a vendor's response doesn't meet the minimum requirements, save time by not reviewing the remainder of the response. Group your RFP questions with a high-level qualifying question, then the supporting detailed requirements. The evaluation team can save time by not evaluating a response that does not meet a high-level qualifying requirement.

    Establish your evaluation scoring scale

    Define your ranking scale to ensure consistency in ratings

    Within each section of your RFP are objectives, each of which should be given its own score. Our recommended approach is to award on a scale of 0 to 5. With such a scale, you need to define every level. Below are the recommended definitions for a 0 to 5 scoring scale.

    Score Criteria for Rating
    5 Outstanding – Complete understanding of current and future needs; solution addresses current and future needs
    4 Competent – Complete understanding and adequate solution
    3 Average – Average understanding and adequate solution
    2 Questionable – Average understanding; proposal questionable
    1 Poor – Minimal understanding
    0 Not acceptable – Lacks understanding
    Stock photo of judges holding up their ratings.

    Weigh the sections of your RFP on how important or critical they are to the RFP

    Obtain Alignment on Weighting the Scores of Each Section
    • There are many ways to score responses, ranging from extremely simple to highly complicated. The most important thing is that everyone responsible for completing scorecards is in total agreement about how the scoring system should work. Otherwise, the scorecards will lose their value, since different weighting and scoring templates were used to arrive at their scores.
    • You can start by weighting the scores by section, with all sections adding up to 100%.
    Example RFP Section Weights
    Pie chart of example RFP section weights, 'Operational, 20%', 'Service-Level Agreements, 20%', 'Financial, 20%', 'Legal/Contractual, 15%', 'Technical, 10%' 'Functional, 15%'.
    (Source: The Art of Creating a Quality RFP, Jeffery et al., 2019)

    Protect your negotiation leverage with these best practices

    Protect your organization's reputation within the vendor community with a fair and balanced process.
    • Unless you regularly have the evaluators on your evaluation team, always assume that the team members are not familiar nor experienced with your process and procedures.
    • Do not underestimate the amount of preparations required to ensure that your evaluation team has everything they need to evaluate vendors’ responses without bias.
    • Be very specific about the expectations and time commitment required for the evaluation team to evaluate the responses.
    • Explain to the team members the importance of evaluating responses without conflicts of interest, including the fact that information contained within the responses and all discussions within the team are considered company owned and confidential.
    • Include examples of the evaluation and scoring processes to help the evaluators understand what they should be doing.
    • Finally – don’t forget to the thank the evaluation team and their managers for their time and commitment in contributing to this essential decision.
    Stock photo of a cork board with 'best practice' spelled out by tacked bits of paper, each with a letter in a different font.

    Evaluation teams must balance commercial vs. technical requirements

    Do not alter the evaluation weights after responses are submitted.
    • Evaluation teams are always challenged by weighing the importance of price, budget, and value against the technical requirements of “must-haves” and super cool “nice-to-haves.”
    • Encouraging the evaluation team not to inadvertently convert the nice-to-haves to must-haves will prevent scope creep and budget pressure. The evaluation team must concentrate on the vendors’ responses that drive the best value when balancing both commercial and technical requirements.
    Two blocks labelled 'Commercial Requirements' and 'Technical Requirements' balancing on either end of a flat sheet, which is balancing on a silver ball.

    4.6.1 Evaluation Guidebook

    1 hour

    Input: RFP responses, Weighted Scoring Matrix, Vendor Response Scorecard

    Output: One or two finalists for which negotiations will proceed

    Materials: RFP Evaluation Guidebook

    Participants: IT, Finance, Business stakeholders, Sourcing/Procurement, Vendor management

    1. Info-Tech provides an excellent resource for your evaluation team to better understand the process of evaluating vendor response. The guidebook is designed to be configured to the specifics of your RFP, with guidance and instructions to the team.
    2. Use this guidebook to provide instruction to the evaluation team as to how best to score and rate the RFP responses.
    3. Specific definitions are provided for applying the numerical scores to the RFP objectives will ensure consistency among the appropriate numerical score.

    Download the RFP Evaluation Guidebook

    4.6.2 RFP Vendor Proposal Scoring Tool

    1-4 hours

    Input: Each vendor’s RFP response, A copy of the RFP (less pricing), A list of the weighted criteria incorporated into a vendor response scorecard

    Output: A consolidated ranked and weighted comparison of the vendor responses with pricing

    Materials: Vendor responses, RFP Evaluation Tool

    Participants: Sourcing/Procurement, Vendor management

    1. Using the RFP outline as a base, develop a scorecard to evaluate and rate each section of the vendor response, based on the criteria predetermined by the team.
    2. Provide each stakeholder with the scorecard when you provide the vendor responses for them to review and provide the team with adequate time to review each response thoroughly and completely.
    3. Do not, at this stage, provide the pricing. Allow stakeholders to review the responses based on the technical, business, operational criteria without prejudice as to pricing.
    4. Evaluators should always be reminded that they are evaluating each vendor’s response against the objectives and requirements of the RFP. The evaluators should not be evaluating each vendor’s response against one another.
    5. While the team is reviewing and scoring responses, review and consolidate the vendor pricing submissions into one document for a side-by-side comparison.

    Download the RFP Evaluation Tool

    4.6.3 Total Cost of Owners (TCO)

    1-2 hours

    Input: Consolidated vendor pricing responses, Consolidated vendor RFP responses, Current spend within your organization for the product/service, if available, Budget

    Output: A completed TCO model summarizing the financial results of the RFP showing the anticipated costs over the term of the agreement, taking into consideration the impact of renewals.

    Materials: Vendor TCO Tool, Vendor pricing responses

    Participants: IT, Finance, Business stakeholders, Sourcing/Procurement

    • Use Info-Tech’s Vendor TCO Tool to normalize each vendor’s pricing proposal and account for the lifetime cost of the product.
    • Fill in pricing information (the total of all annual costs) from each vendor's returned Pricing Proposal.
    • The tool will summarize the net present value of the TCO for each vendor proposal.
    • The tool will also provide the rank of each pricing proposal.

    Download the Vendor TCO Tool

    Conduct an evaluation team results meeting

    Follow the checklist below to ensure an effective evaluation results meeting

    • Schedule the evaluation team’s review meeting well in advance to ensure there are no scheduling conflicts.
    • Collect the evaluation team’s scores in advance.
    • Collate scores and provide an initial ranking.
    • Do not reveal the pricing evaluation results until after initial discussions and review of the scoring results.
    • Examine both high and low scores to understand why the team members scored the response as they did.
    • Allow the team to discuss, debate, and arrive at consensus on the ranking.
    • After consensus, reveal the pricing to examine if or how it changes the ranking.
    • Align the team on the next steps with the applicable vendors.

    4.6.4 Consolidated RFP Response Scoring

    1-2 hours

    Input: Vendor Response Scorecard from each stakeholder, Consolidated RFP responses and pricing, Any follow up questions or items requiring further vendor clarification.

    Output: An RFP Response Evaluation Summary that identifies the finalists based on pre-determined criteria.

    Materials: RFP Evaluation Tool from each stakeholder, Consolidated RFP responses and pricing.

    Participants: IT, Finance, Business stakeholders, Sourcing/Procurement, Vendor management

    1. Collect from the evaluation team all scorecards and any associated questions requiring further clarification from the vendor(s). Consolidate the scorecards into one for presentation to the team and key decision makers.
    2. Present the final scores to the team, with the pricing evaluation, to determine, based on your needs, two or three finalists that will move forward to the next steps of negotiations.
    3. Discuss any scores that are have large gaps, e.g., a requirement with a score of one from one evaluator and the same requirement with a score five from different evaluator.
    4. Arrive at a consensus of your top one or two potential vendors.
    5. Determine any required follow-up actions with the vendors and include them in the Evaluation Summary.

    Download the Consolidated Vender RFP Response Evaluation Summary

    4.6.5 Vendor Recommendation Presentation

    1-3 hours
    1. Use the Vendor Recommendation Presentation to present your finalist and obtain final approval to negotiate and execute any agreements.
    2. The Vendor Recommendation Presentation provides leadership with:
      1. An overview of the RFP, its primary goals, and key requirements
      2. A summary of the vendors invited to participate and why
      3. A summary of each component of the RFP
      4. A side-by-side comparison of key vendor responses to each of the key/primary requirements, with ranking/weighting results
      5. A summary of the vendor’s responses to key legal terms
      6. A consolidated summary of the vendors’ pricing, augmented by the TCO calculations for the finalist(s).
      7. The RFP team’s vendor recommendations based on its findings
      8. A summary of next steps with dates
      9. Request approval to proceed to next steps of negotiations with the primary and secondary vendor

    Download the Vendor Recommendation Presentation

    4.6.5 Vendor Recommendation Presentation

    Input

    • Consolidated RFP responses, with a focus on key RFP goals
    • Consolidated pricing responses
    • TCO Model completed, approved by Finance, stakeholders

    Output

    • Presentation deck summarizing the key findings of the RFP results, cost estimates and TCO and the recommendation for approval to move to contract negotiations with the finalists

    Materials

    • Consolidated RFP responses, including legal requirements
    • Consolidated pricing
    • TCO Model
    • Evaluators scoring results

    Participants

    • IT
    • Finance
    • Business stakeholders
    • Legal
    • Sourcing/Procurement

    Caution: Configure templates and tools to align with RFP objectives

    Templates and tools are invaluable assets to any RFP process

    • Leveraging templates and tools saves time and provides consistency to your vendors.
    • Maintain a common repository of your templates and tools with different versions and variations. Include a few sentences with instructions on how to use the template and tools for team members who might not be familiar with them.

    Templates/Tools

    RFP templates and tools are found in a variety of places, such as previous projects, your favorite search engine, or by asking a colleague.

    Sourcing

    Regardless of the source of these documents, you must take great care and consideration to sanitize any reference to another vendor, company, or name of the deal.

    Review

    Then you must carefully examine the components of the deal before creating your final documents.

    Popular RFP templates include:

    • RFP documents
    • Pricing templates
    • Evaluation and scoring templates
    • RFP requirements
    • Info-Tech research

    Phase 5

    Negotiate Agreement(s)

    Steps

    5.1 Perform negotiation process

    Steps in an RFP Process with the fifth step, 'Negotiate Agreement', highlighted.

    This phase involves the following participants:

    • Procurement
    • Vendor management
    • Legal
    • IT stakeholders
    • Finance

    Outcomes of this phase

    A negotiated agreement or agreements that are a result of competitive negotiations.

    Negotiate Agreement(s)

    Phase 1 Phase 2 Phase 3 Phase 4 Phase 5 Phase 6 Phase 7

    Negotiate Agreement

    You should evaluate your RFP responses first to see if they are complete and the vendor followed your instructions.


    Then you should:

    • Plan negotiation(s) with one or more vendors based on your questions and opportunities identified during evaluation.
    • Select finalist(s).
    • Apply selection criteria.
    • Resolve vendors’ exceptions.

    Info-Tech Insight

    Be certain to include any commitments made in the RFP, presentations, and proposals in the agreement – dovetails to underperforming vendor.

    Centerpiece of the table, titled 'Negotiation Process'.

    Leverage Info-Tech's negotiation process research for additional information

    Negotiate before you select your vendor:
    • Negotiating with two or more vendors will maintain your competitive leverage while decreasing the time it takes to negotiate the deal.
    • Perform legal reviews as necessary.
    • Use sound competitive negotiations principles.

    Info-Tech Insight

    Providing contract terms in an RFP can dramatically reduce time for this step by understanding the vendor’s initial contractual position for negotiation.

    Phase 6

    Purchase Goods and Services

    Steps

    6.1 Purchase Goods & Services

    Steps in an RFP Process with the sixth step, 'Purchase Goods and Services', highlighted.

    This phase involves the following participants:

    • Procurement
    • Vendor management
    • IT stakeholders

    Outcomes of this phase

    A purchase order that completes the RFP process.

    The beginning of the vendor management process.

    Purchase Goods and Services

    Phase 1 Phase 2 Phase 3 Phase 4 Phase 5 Phase 6 Phase 7

    Purchase Goods and Services

    Prepare to purchase goods and services

    Prepare to purchase goods and services by completing all items on your organization’s onboarding checklist.
    • Have the vendor complete applicable tax forms.
    • Set up the vendor in accounts payable for electronic payment (ACH) set-up.
    Then transact day-to-day business:
    • Provide purchasing forecasts.
    • Complete applicable purchase requisition and purchase orders. Be sure to reference the agreement in the PO.
    Stock image of a computer monitor with a full grocery cart shown on the screen.

    Info-Tech Insight

    As a customer, honoring your contractual obligations and commitments will ensure that your organization is not only well respected but considered a customer of choice.

    Phase 7

    Assess and Measure Performance

    Steps

    7.1 Assess and measure performance against the agreement

    Steps in an RFP Process with the seventh step, 'Assess and Measure Performance', highlighted.

    This phase involves the following participants:

    • Vendor management
    • Business stakeholders
    • Senior leadership (as needed)
    • IT stakeholders
    • Vendor representatives & senior management

    Outcomes of this phase

    A list of what went well during the period – it’s important to recognize successes

    A list of areas needing improvement that includes:

    • A timeline for each item to be completed
    • The team member(s) responsible

    Purchase Goods and Services

    Phase 1 Phase 2 Phase 3 Phase 4 Phase 5 Phase 6 Phase 7

    Assess and Measure Performance

    Measure to manage: the job doesn’t end when the contract is signed.

    • Classify vendor
    • Assess vendor performance
    • Manage improvement
    • Conduct periodic vendor performance reviews or quarterly business reviews
    • Ensure contract compliance for both the vendor and your organization
    • Build knowledgebase for future
    • Re-evaluate and improve appropriately your RFP processes

    Info-Tech Insight

    To be an objective vendor manager, you should also assess and measure your company’s performance along with the vendor’s performance.

    Summary of Accomplishment

    Problem Solved

    Upon completion of this blueprint, guided implementation, or workshop, your team should have a comprehensive, well-defined end-to-end approach to performing a quality sourcing event. Leverage Info-Tech’s industry-proven tools and templates to provide your organization with an effective approach to maintain your negotiation leverage, improve the ease with which you evaluate vendor proposals, and reduce your risk while obtaining the best market value for your goods and services.

    Additionally, your team will have a foundation to execute your vendor management principles. These principles will assist your organization in ensuring you receive the perceived value from the vendor as a result of your competitive negotiations.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    Final Thoughts: RFP Do’s and Don’ts

    DO

    • Leverage your team’s knowledge
    • Document and explain your RFP process to stakeholders and vendors
    • Include contract terms in your RFP
    • Consider vendor management requirements up front
    • Plan to measure and manage performance after contract award leveraging RFP objectives
    • Seek feedback from the RFP team for process improvements

    DON'T

    • Reveal your budget
    • Do an RFP in a vacuum
    • Send an RFP to a vendor your team is not willing to award the business to
    • Hold separate conversations with candidate vendors during your RFP process
    • Skimp on the requirements definition to speed the process
    • Tell the vendor they are selected before negotiating

    Bibliography

    “2022 RFP Response Trends & Benchmarks.” Loopio, 2022. Web.

    Corrigan, Tony. “How Much Does it Cost to Respond to an RFP?” LinkedIn, March 2017. Accessed 10 Dec. 2019

    “Death by RFP:7 Reasons Not to Respond.” Inc. Magazine, 2013. Web.

    Jeffery, Steven, George Bordon, and Phil Bode. The Art of Creating a Quality RFP, 3rd ed. Info-Tech Research Group, 2019.

    “RFP Benchmarks: How Much Time and Staff Firms Devote to Proposals.” MarketingProfs, 2020. Web.

    “State of the RFP 2019.” Bonfire, 2019. Web.

    “What Vendors Want (in RFPs).” Vendorful, 2020. Web.

    Related Info-Tech Research

    Stock photo of two people looking at a tablet. Prepare for Negotiations More Effectively
    • Negotiations are about allocating risk and money – how much risk is a party willing to accept at what price point?
    • Using a cross-functional/cross-insight team structure for negotiation preparation yields better results.
    • Soft skills aren’t enough and theatrical negotiation tactics aren’t effective.
    Stock photo of two people in suits shaking hands. Understand Common IT Contract Provisions to Negotiate More Effectively
    • Focus on the terms and conditions, not just the price. Too often, organizations focus on the price contained within their contracts, neglecting to address core terms and conditions that can end up costing multiples of the initial price.
    • Lawyers can’t ensure you get the best business deal. Lawyers tend to look at general terms and conditions for legal risk and may not understand IT-specific components and business needs.
    Stock photo of three people gathered around a computer. Jump Start Your Vendor Management Initiative
    • Vendor management must be an IT strategy. Solid vendor management is an imperative – IT organizations must develop capabilities to ensure that services are delivered by vendors according to service-level objectives and that risks are mitigated according to the organization's risk tolerance.
    • Visibility into your IT vendor community. Understand how much you spend with each vendor and rank their criticality and risk to focus on the vendors you should be concentrating on for innovative solutions.

    Fix Your IT Culture

    • Buy Link or Shortcode: {j2store}518|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: $32,499 Average $ Saved
    • member rating average days saved: 20 Average Days Saved
    • Parent Category Name: Lead
    • Parent Category Link: /lead
    • Go beyond value statements to create a culture that enables the departmental strategy.
    • There is confusion about how to translate culture from an abstract concept to something that is measurable, actionable, and process driven.
    • Organizations lack clarity about who is accountable and responsible for culture, with groups often pointing fingers at each other.

    Our Advice

    Critical Insight

    • When it comes to culture, the lived experience can be different from stated values. Culture is the pattern of behaviors and the way work is done rather than simply perks, working environment, and policy.
    • Executives’ active participation in culture change is paramount. If executives aren’t willing to change the way they behave, attempts to shift the culture will fail.
    • Elevate culture to a business imperative. Foster a culture that is linked to strategy rather than trying to replicate the hot culture of the moment.
    • Target values that will have the greatest impact. Select a few focus values as a guide and align all behaviors and work practices to those values.

    Impact and Result

    • Executives need to clarify how the culture they want will help achieve their strategy and choose the focus values that will have the maximum impact.
    • Measure the current state of culture and facilitate the process of leveraging existing elements while shifting undesirable ones.

    Fix Your IT Culture Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should improve your culture to enable your strategy, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Assessment: Determine current culture and identify focus values

    Complete a cultural assessment and select focus values to form core culture efforts.

    • Culture Documentation Template
    • IT Departmental Values Survey
    • IT Culture Diagnostic
    • Cultural Assessment Report Template

    2. Tools: Give IT executives the tools to drive change

    Enable executives to gather feedback on behavioral perceptions and support behavioral change.

    • Executive Reflection Template

    3. Behavioral Alignment: Align IT behaviors to the desired culture

    Review all areas of the department to understand where the links to culture exist and create a communication plan.

    • Standard Internal Communications Plan
    • IT Competency Library
    • Leadership Competency Library

    4. Sustainment: Disseminate and manage culture within the department

    Customize a process to infuse behaviors aligned with focus values in work practices and complete the first wave of meetings.

    • Culture Facilitation Guide for Leaders
    [infographic]

    Create a Right-Sized Disaster Recovery Plan

    • Buy Link or Shortcode: {j2store}410|cart{/j2store}
    • member rating overall impact: 9.6/10 Overall Impact
    • member rating average dollars saved: $83,037 Average $ Saved
    • member rating average days saved: 32 Average Days Saved
    • Parent Category Name: DR and Business Continuity
    • Parent Category Link: /business-continuity
    • Any time a natural disaster or major IT outage occurs, it increases executive awareness and internal pressure to create a disaster recovery plan (DRP).
    • Traditional DRP templates are onerous and result in a lengthy, dense plan that might satisfy auditors but will not be effective in a crisis.
    • The myth that a DRP is only for major disasters leaves organizations vulnerable to more common incidents.
    • The growing use of outsourced infrastructure services has increased reliance on vendors to meet recovery timeline objectives.

    Our Advice

    Critical Insight

    • At its core, disaster recovery (DR) is about ensuring service continuity. Create a plan that can be leveraged for both isolated and catastrophic events.
    • Remember Murphy’s Law. Failure happens. Focus on improving overall resiliency and recovery, rather than basing DR on risk probability analysis.
    • Cost-effective DR and service continuity starts with identifying what is truly mission critical so you can focus resources accordingly. Not all services require fast failover.

    Impact and Result

    • Define appropriate objectives for service downtime and data loss based on business impact.
    • Document an incident response plan that captures all of the steps from event detection to data center recovery.
    • Create a DR roadmap to close gaps between current DR capabilities and recovery objectives.

    Create a Right-Sized Disaster Recovery Plan Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Disaster Recovery Plan (DRP) Research – A step-by-step document that helps streamline your DR planning process and build a plan that's concise, usable, and maintainable.

    Any time a major IT outage occurs, it increases executive awareness and internal pressure to create an IT DRP. This blueprint will help you develop an actionable DRP by following our four-phase methodology to define scope, current status, and dependencies; conduct a business impact analysis; identify and address gaps in the recovery workflow; and complete, extend, and maintain your DRP.

    • Create a Right-Sized Disaster Recovery Plan – Phases 1-4

    2. DRP Case Studies – Examples to help you understand the governance and incident response components of a DRP and to show that your DRP project does not need to be as onerous as imagined.

    These examples include a client who leveraged the DRP blueprint to create practical, concise, and easy-to-maintain DRP governance and incident response plans and a case study based on a hospital providing a wide range of healthcare services.

    • Case Study: Practical, Right-Sized DRP
    • Case Study: Practical, Right-Sized DRP – Healthcare Example

    3. DRP Maturity Scorecard – An assessment tool to evaluate the current state of your DRP.

    Use this tool to measure your current DRP maturity and identify gaps to address. It includes a comprehensive list of requirements for your DRP program, including core and industry requirements.

    • DRP Maturity Scorecard

    4. DRP Project Charter Template – A template to communicate important details on the project purpose, scope, and parameters.

    The project charter template includes details on the project overview (description, background, drivers, and objectives); governance and management (project stakeholders/roles, budget, and dependencies); and risks, assumptions, and constraints (known and potential risks and mitigation strategy).

    • DRP Project Charter Template

    5. DRP Business Impact Analysis Tool – An evaluation tool to estimate the impact of downtime to determine appropriate, acceptable recovery time objectives (RTOs) and recovery point objectives (RPOs) and to review gaps between objectives and actuals.

    This tool enables you to identify critical applications/systems; identify dependencies; define objective scoring criteria to evaluate the impact of application/system downtime; determine the impact of downtime and establish criticality tiers; set recovery objectives (RTO/RPO) based on the impact of downtime; record recovery actuals (RTA/RPA) and identify any gaps between objectives and actuals; and identify dependencies that regularly fail (and have a significant impact when they fail) to prioritize efforts to improve resiliency.

    • DRP Business Impact Analysis Tool
    • Legacy DRP Business Impact Analysis Tool

    6. DRP BIA Scoring Context Example – A tool to record assumptions you made in the DRP Business Impact Analysis Tool to explain the results and drive business engagement and feedback.

    Use this tool to specifically record assumptions made about who and what are impacted by system downtime and record assumptions made about impact severity.

    • DRP BIA Scoring Context Example

    7. DRP Recovery Workflow Template – A flowchart template to provide an at-a-glance view of the recovery workflow.

    This simple format is ideal during crisis situations, easier to maintain, and often quicker to create. Use this template to document the Notify - Assess - Declare disaster workflow, document current and planned future state recovery workflows, including gaps and risks, and review an example recovery workflow.

    • DRP Recovery Workflow Template (PDF)
    • DRP Recovery Workflow Template (Visio)

    8. DRP Roadmap Tool – A visual roadmapping tool that will help you plan, communicate, and track progress for your DRP initiatives.

    Improving DR capabilities is a marathon, not a sprint. You likely can't fund and resource all the measures for risk mitigation at once. Instead, use this tool to create a roadmap for actions, tasks, projects, and initiatives to complete in the short, medium, and long term. Prioritize high-benefit, low-cost mitigations.

    • DRP Roadmap Tool

    9. DRP Recap and Results Template – A template to summarize and present key findings from your DR planning exercises and documents.

    Use this template to present your results from the DRP Maturity Scorecard, BCP-DRP Fitness Assessment, DRP Business Impact Analysis Tool, tabletop planning exercises, DRP Recovery Workflow Template, and DRP Roadmap Tool.

    • DRP Recap and Results Template

    10. DRP Workbook – A comprehensive tool that enables you to organize information to support DR planning.

    Leverage this tool to document information regarding DRP resources (list the documents/information sources that support DR planning and where they are located) and DR teams and contacts (list the DR teams, SMEs critical to DR, and key contacts, including business continuity management team leads that would be involved in declaring a disaster and coordinating response at an organizational level).

    • DRP Workbook

    11. Appendix

    The following tools and templates are also included as part of this blueprint to use as needed to supplement the core steps above:

    • DRP Incident Response Management Tool
    • DRP Vendor Evaluation Questionnaire
    • DRP Vendor Evaluation Tool
    • Severity Definitions and Escalation Rules Template
    • BCP-DRP Fitness Assessment
    [infographic]

    Workshop: Create a Right-Sized Disaster Recovery Plan

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Define Parameters for Your DRP

    The Purpose

    Identify key applications and dependencies based on business needs.

    Key Benefits Achieved

    Understand the entire IT “footprint” that needs to be recovered for key applications. 

    Activities

    1.1 Assess current DR maturity.

    1.2 Determine critical business operations.

    1.3 Identify key applications and dependencies.

    Outputs

    Current challenges identified through a DRP Maturity Scorecard.

    Key applications and dependencies documented in the Business Impact Analysis (BIA) Tool.

    2 Determine the Desired Recovery Timeline

    The Purpose

    Quantify application criticality based on business impact.

    Key Benefits Achieved

    Appropriate recovery time and recovery point objectives defined (RTOs/RPOs).

    Activities

    2.1 Define an objective scoring scale to indicate different levels of impact.

    2.2 Estimate the impact of downtime.

    2.3 Determine desired RTO/RPO targets for applications based on business impact.

    Outputs

    Business impact analysis scoring criteria defined.

    Application criticality validated.

    RTOs/RPOs defined for applications and dependencies.

    3 Determine the Current Recovery Timeline and DR Gaps

    The Purpose

    Determine your baseline DR capabilities (your current state).

    Key Benefits Achieved

    Gaps between current and desired DR capability are quantified.

    Activities

    3.1 Conduct a tabletop exercise to determine current recovery procedures.

    3.2 Identify gaps between current and desired capabilities.

    3.3 Estimate likelihood and impact of failure of individual dependencies.

    Outputs

    Current achievable recovery timeline defined (i.e. the current state).

    RTO/RPO gaps identified.

    Critical single points of failure identified.

    4 Create a Project Roadmap to Close DR Gaps

    The Purpose

    Identify and prioritize projects to close DR gaps.

    Key Benefits Achieved

    DRP project roadmap defined that will reduce downtime and data loss to acceptable levels.

    Activities

    4.1 Determine what projects are required to close the gap between current and desired DR capability.

    4.2 Prioritize projects based on cost, effort, and impact on RTO/RPO reduction.

    4.3 Validate that the suggested projects will achieve the desired DR capability.

    Outputs

    Potential DR projects identified.

    DRP project roadmap defined.

    Desired-state incident response plan defined, and project roadmap validated.

    5 Establish a Framework for Documenting Your DRP, and Summarize Next Steps

    The Purpose

    Outline how to create concise, usable DRP documentation.

    Summarize workshop results. 

    Key Benefits Achieved

    A realistic and practical approach to documenting your DRP.

    Next steps documented. 

    Activities

    5.1 Outline a strategy for using flowcharts and checklists to create concise, usable documentation.

    5.2 Review Info-Tech’s DRP templates for creating system recovery procedures and a DRP summary document.

    5.3 Summarize the workshop results, including current potential downtime and action items to close gaps.

    Outputs

    Current-state and desired-state incident response plan flowcharts.

    Templates to create more detailed documentation where necessary.

    Executive communication deck that outlines current DR gaps, how to close those gaps, and recommended next steps.

    Further reading

    Create a Right-Sized Disaster Recovery Plan

    Close the gap between your DR capabilities and service continuity requirements.

    ANALYST PERSPECTIVE

    An effective disaster recovery plan (DRP) is not just an insurance policy.

    "An effective DRP addresses common outages such as hardware and software failures, as well as regional events, to provide day-to-day service continuity. It’s not just insurance you might never cash in. Customers are also demanding evidence of an effective DRP, so organizations without a DRP risk business impact not only from extended outages but also from lost sales. If you are fortunate enough to have executive buy-in, whether it’s due to customer pressure or concern over potential downtime, you still have the challenge of limited time to dedicate to disaster recovery (DR) planning. Organizations need a practical but structured approach that enables IT leaders to create a DRP without it becoming their full-time job."

    Frank Trovato,

    Research Director, Infrastructure

    Info-Tech Research Group

    Is this research for you?

    This Research Is Designed For:

    • Senior IT management responsible for executing DR.
    • Organizations seeking to formalize, optimize, or validate an existing DRP.
    • Business continuity management (BCM) professionals leading DRP development.

    This Research Will Help You:

    • Create a DRP that is aligned with business requirements.
    • Prioritize technology enhancements based on DR requirements and risk-impact analysis.
    • Identify and address process and technology gaps that impact DR capabilities and day-to-day service continuity.

    This Research Will Also Assist:

    • Executives who want to understand the time and resource commitment required for DRP.
    • Members of BCM and crisis management teams who need to understand the key elements of an IT DRP.

    This Research Will Help Them:

    • Scope the time and effort required to develop a DRP.
    • Align business continuity, DR, and crisis management plans.

    Executive summary

    Situation

    • Any time a natural disaster or major IT outage occurs, it increases executive awareness and internal pressure to create a DRP.
    • Industry standards and government regulations are driving external pressure to develop business continuity and IT DR plans.
    • Customers are asking suppliers and partners to provide evidence that they have a workable DRP before agreeing to do business.

    Complication

    • Traditional DRP templates are onerous and result in a lengthy, dense plan that might satisfy auditors, but will not be effective in a crisis.
    • The myth that a DRP is only for major disasters leaves organizations vulnerable to more common incidents.
    • The growing use of outsourced infrastructure services has increased reliance on vendors to meet recovery timeline objectives.

    Resolution

    • Create an effective DRP by following a structured process to discover current capabilities and define business requirements for continuity:
      • Define appropriate objectives for service downtime and data loss based on business impact.
      • Document an incident response plan that captures all of the steps from event detection to data center recovery.
      • Create a DR roadmap to close gaps between current DR capabilities and recovery objectives.

    Info-Tech Insight

    1. At its core, DR is about ensuring service continuity. Create a plan that can be leveraged for both isolated and catastrophic events.
    2. Remember Murphy’s Law. Failure happens. Focus on improving overall resiliency and recovery, rather than basing DR on risk probability analysis.
    3. Cost-effective DR and service continuity starts with identifying what is truly mission critical so you can focus resources accordingly. Not all services require fast failover.

    An effective DRP is critical to reducing the cost of downtime

    If you don’t have an effective DRP when failure occurs, expect to face extended downtime and exponentially rising costs due to confusion and lack of documented processes.

    Image displayed is a graph that shows that delay in recovery causes exponential revenue loss.

    Potential Lost Revenue

    The impact of downtime tends to increase exponentially as systems remain unavailable (graph at left). A current, tested DRP will significantly improve your ability to execute systems recovery, minimizing downtime and business impact. Without a DRP, IT is gambling on its ability to define and implement a recovery strategy during a time of crisis. At the very least, this means extended downtime – potentially weeks or months – and substantial business impact.

    Adapted from: Philip Jan Rothstein, 2007

    Cost of Downtime for the Fortune 1000

    Cost of unplanned apps downtime per year: $1.25B to $2.5B.

    Cost of critical apps failure per hour: $500,000 to $1M.

    Cost of infrastructure failure per hour: $100,000.

    35% reported to have recovered within 12 hours.

    17% of infrastructure failures took more than 24 hours to recover.

    13% of application failures took more than 24 hours to recover.

    Source: Stephen Elliot, 2015

    Info-Tech Insight

    The cost of downtime is rising across the board, and not just for organizations that traditionally depend on IT (e.g. e-commerce). Downtime cost increase since 2010:

    Hospitality: 129% increase

    Transportation: 108% increase

    Media organizations: 104% increase

    An effective DRP also sets clear recovery objectives that align with system criticality to optimize spend

    The image displays a disaster recovery plan example, where different tiers are in place to support recovery in relation to time.

    Take a practical approach that creates a more concise and actionable DRP

    DR planning is not your full-time job, so it can’t be a resource- and time-intensive process.

    The Traditional Approach Info-Tech’s Approach

    Start with extensive risk and probability analysis.

    Challenge: You can’t predict every event that can occur, and this delays work on your actual recovery procedures.

    Focus on how to recover regardless of the incident.

    We know failure will happen. Focus on improving your ability to failover to a DR environment so you are protected regardless of what causes primary site failure.

    Build a plan for major events such as natural disasters.

    Challenge: Major destructive events only account for 12% of incidents while software/hardware issues account for 45%. The vast majority of incidents are isolated local events.

    An effective DRP improves day-to-day service continuity, and is not just for major events.

    Leverage DR planning to address both common (e.g. power/network outage or hardware failure) as well as major events. It must be documentation you can use, not shelfware.

    Create a DRP manual that provides step-by-step instructions that anyone could follow.

    Challenge: The result is lengthy, dense manuals that are difficult to maintain and hard to use in a crisis. The usability of DR documents has a direct impact on DR success.

    Create concise documentation written for technical experts.

    Use flowcharts, checklists, and diagrams. They are more usable in a crisis and easier to maintain. You aren’t going to ask a business user to recover your SQL Server databases, so you can afford to be concise.

    DR must be integrated with day-to-day incident management to ensure service continuity

    When a tornado takes out your data center, it’s an obvious DR scenario and the escalation towards declaring a disaster is straightforward.

    The challenge is to be just as decisive in less-obvious (and more common) DR scenarios such as a critical system hardware/software failure, and knowing when to move from incident management to DR. Don’t get stuck troubleshooting for days when you could have failed over in hours.

    Bridge the gap with clearly-defined escalation rules and criteria for when to treat an incident as a disaster.

    Image displays two graphs. The graph on the left measures the extent that service management processes account for disasters by the success meeting RTO and RPO. The graph on the right is a double bar graph that shows DRP being integrated and not integrated in the following categories: Incident Classifications, Severity Definitions, Incident Models, Escalation Procedures. These are measured based on the success meeting RTO and RPO.

    Source: Info-Tech Research Group; N=92

    Myth busted: The DRP is separate from day-to-day ops and incident management.

    The most common threats to service continuity are hardware and software failures, network outages, and power outages

    The image displayed is a bar graph that shows the common threats to service continuity. There are two areas of interest that have labels. The first is: 45% of service interruptions that went beyond maximum downtime guidelines set by the business were caused by software and hardware issues. The second label is: Only 12% of incidents were caused by major destructive events.

    Source: Info-Tech Research Group; N=87

    Info-Tech Insight

    Does this mean I don’t need to worry about natural disasters? No. It means DR planning needs to focus on overall service continuity, not just major disasters. If you ignore the more common but less dramatic causes of service interruptions, you are diminishing the business value of a DRP.

    Myth busted: DRPs are just for destructive events – fires, floods, and natural disasters.

    DR isn’t about identifying risks; it’s about ensuring service continuity

    The traditional approach to DR starts with an in-depth exercise to identify risks to IT service continuity and the probability that those risks will occur.

    Here’s why starting with a risk register is ineffective:

    • Odds are, you won’t think of every incident that might occur. If you think of twenty risks, it’ll be the twenty-first that gets you. If you try to guard against that twenty-first risk, you can quickly get into cartoonish scenarios and much more costly solutions.
    • The ability to failover to another site mitigates the risk of most (if not all) incidents (fire, flood, hardware failure, tornado, etc.). A risk and probability analysis doesn’t change the need for a plan that includes a failover procedure.

    Where risk is incorporated in this methodology:

    • Use known risks to further refine your strategy (e.g. if you are prone to hurricanes, plan for greater geographic separation between sites; ensure you have backups, in addition to replication, to mitigate the risk of ransomware).
    • Identify risks to your ability to execute DR (e.g. lack of cross-training, backups that are not tested) and take steps to mitigate those risks.

    Myth busted: A risk register is the critical first step to creating an effective DR plan.

    You can’t outsource accountability and you can’t assume your vendor’s DR capabilities meet your needs

    Outsourcing infrastructure services – to a cloud provider, co-location provider, or managed service provider (MSP) – can improve your DR and service continuity capabilities. For example, a large public cloud provider will generally have:

    • Redundant telecoms service providers, network infrastructure, power feeds, and standby power.
    • Round-the-clock infrastructure and security monitoring.
    • Multiple data centers in a given region, and options to replicate data and services across regions.

    Still, failure is inevitable – it’s been demonstrated multiple times1 through high-profile outages. When you surrender direct control of the systems themselves, it’s your responsibility to ensure the vendor can meet your DR requirements, including:

    • A DR site and acceptable recovery times for systems at that site.
    • An acceptable replication/backup schedule.

    Sources: Kyle York, 2016; Shaun Nichols, 2017; Stephen Burke, 2017

    Myth busted: I outsource infrastructure services so I don’t have to worry about DR. That’s my vendor’s responsibility.

    Choose flowcharts over process guides, checklists over procedures, and diagrams over descriptions

    IT DR is not an airplane disaster movie. You aren’t going to ask a business user to execute a system recovery, just like you wouldn’t really want a passenger with no flying experience to land a plane.

    In reality, you write a DR plan for knowledgeable technical staff, which allows you to summarize key details your staff already know. Concise, visual documentation is:

    • Quicker to create.
    • Easier to use.
    • Simpler to maintain.

    "Without question, 300-page DRPs are not effective. I mean, auditors love them because of the detail, but give me a 10-page DRP with contact lists, process flows, diagrams, and recovery checklists that are easy to follow."

    – Bernard Jones, MBCI, CBCP, CORP, Manager Disaster Recovery/BCP, ActiveHealth Management

    A graph is displayed. It shows a line graph where the DR success is higher by using flowcharts, checklists, and diagrams.

    Source: Info-Tech Research Group; N=95

    *DR Success is based on stated ability to meet recovery time objectives (RTOs) and recovery point objectives (RPOs), and reported confidence in ability to consistently meet targets.

    Myth busted: A DRP must include every detail so anyone can execute recovery.

    A DRP is part of an overall business continuity plan

    A DRP is the set of procedures and supporting documentation that enables an organization to restore its core IT services (i.e. applications and infrastructure) as part of an overall business continuity plan (BCP), as described below. Use the templates, tools, and activities in this blueprint to create your DRP.

    Overall BCP
    IT DRP BCP for Each Business Unit Crisis Management Plan
    A plan to restore IT services (e.g. applications and infrastructure) following a disruption. This includes:
    • Identifying critical applications and dependencies.
    • Defining an appropriate (desired) recovery timeline based on a business impact analysis (BIA).
    • Creating a step-by-step incident response plan.
    A set of plans to resume business processes for each business unit. Info-Tech’s Develop a Business Continuity Plan blueprint provides a methodology for creating business unit BCPs as part of an overall BCP for the organization. A set of processes to manage a wide range of crises, from health and safety incidents to business disruptions to reputational damage. This includes emergency response plans, crisis communication plans, and the steps to invoke BC/DR plans when applicable. Info-Tech’s Implement Crisis Management Best Practices blueprint provides a structured approach to develop a crisis management process.

    Note: For DRP, we focus on business-facing IT services (as opposed to the underlying infrastructure), and then identify required infrastructure as dependencies (e.g. servers, databases, network).

    Take a practical but structured approach to creating a concise and effective DRP

    Image displayed shows the structure of this blueprint. It shows the structure of phases 1-4 and the related tools and templates for each phase.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Info-Tech advisory services deliver measurable value

    Info-Tech members save an average of $22,983 and 22 days by working with an Info-Tech analyst on DRP (based on client response data from Info-Tech Research Group’s Measured Value Survey, following analyst advisory on this blueprint).

    Why do members report value from analyst engagement?

    1. Expert advice on your specific situation to overcome obstacles and speed bumps.
    2. Structured project and guidance to stay on track.
    3. Project deliverables review to ensure the process is applied properly.

    Guided implementation overview

    Your trusted advisor is just a call away.

    Define DRP scope (Call 1)

    Scope requirements, objectives, and your specific challenges. Identify applications/ systems to focus on first.

    Define current status and system dependencies (Calls 2-3)

    Assess current DRP maturity. Identify system dependencies.

    Conduct a BIA (Calls 4-6)

    Create an impact scoring scale and conduct a BIA. Identify RTO and RPO for each system.

    Recovery workflow (Calls 7-8)

    Create a recovery workflow based on tabletop planning. Identify gaps in recovery capabilities.

    Projects and action items (Calls 9-10)

    Identify and prioritize improvements. Summarize results and plan next steps.

    Your guided implementations will pair you with an advisor from our analyst team for the duration of your DRP project.

    Workshop overview

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Image displays the workshop overview for this blueprint. It is a workshop that runs for 4 days and covers various activities and produces many deliverables.

    End-user complaints distract from serious IT-based risks to business continuity

    Case Study

    Industry: Manufacturing
    Source: Info-Tech Research Group Client Engagement

    A global manufacturer with annual sales over $1B worked with Info-Tech to improve DR capabilities.

    DRP BIA

    Conversations with the IT team and business units identified the following impact of downtime over 24 hours:

    • Email: Direct Cost: $100k; Goodwill Impact Score: 8.5/16
    • ERP: Direct Cost: $1.35mm; Goodwill Impact Score: 12.5/16

    Tabletop Testing and Recovery Capabilities

    Reviewing the organization’s current systems recovery workflow identified the following capabilities:

    • Email: RTO: minutes, RPO: minutes
    • ERP: RTO: 14 hours, RPO: 24 hours

    Findings

    Because of end-user complaints, IT had invested heavily in email resiliency though email downtime had a relatively minimal impact on the business. After working through the methodology, it was clear that the business needed to provide additional support for critical systems.

    Insights at each step:

    Identify DR Maturity and System Dependencies

    Conduct a BIA

    Outline Incident Response and Recovery Workflow With Tabletop Exercises

    Mitigate Gaps and Risks

    Create a Right-Sized Disaster Recovery Plan

    Phase 1

    Define DRP Scope, Current Status, and Dependencies

    Step 1.1: Set Scope, Kick-Off the DRP Project, and Create a Charter

    This step will walk you through the following activities:

    • Establish a team for DR planning.
    • Retrieve and review existing, relevant documentation.
    • Create a project charter.

    This step involves the following participants:

    • DRP Coordinator
    • DRP Team (Key IT SMEs)
    • IT Managers

    Results and Insights

    • Set scope for the first iteration of the DRP methodology.
    • Don’t try to complete your DR and BCPs all at once.
    • Don’t bite off too much at once.

    Kick-off your DRP project

    You’re ready to start your DR project.

    This could be an annual review – but more likely, this is the first time you’ve reviewed the DR plan in years.* Maybe a failed audit might have provided a mandate for DR planning, or a real disaster might have highlighted gaps in DR capabilities. First, set appropriate expectations for what the project is and isn’t, in terms of scope, outputs, and resource commitments. Very few organizations can afford to hire a full-time DR planner, so it’s likely this won’t be your full-time job. Set objectives and timelines accordingly.

    Gather a team

    • Often, DR efforts are led by the infrastructure and operations leader. This person can act as the DRP coordinator or may delegate this role.
    • Key infrastructure subject-matter experts (SMEs) are usually part of the team and involved through the project.

    Find and review existing documentation

    • An existing DRP may have information you can re-purpose rather than re-create.
    • High-level architecture diagrams and network diagrams can help set scope (and will become part of your DR kit).
    • Current business-centric continuity of operations plans (COOPs) or BCPs are important to understand.

    Set specific, realistic objectives

    • Create a project charter (see next slide) to record objectives, timelines, and assumptions.
    *Only 20% of respondents to an Info-Tech Research Group survey (N=165) had a complete DRP; only 38% of respondents with a complete or mostly complete DRP felt it would be effective in a crisis.

    List DRP drivers and challenges

    1(a) Drivers and roadblocks

    Estimated Time: 30 minutes

    Identify the drivers and challenges to completing a functional DRP plan with the core DR team.

    DRP Drivers

    • Past outages (be specific):
      • Hardware and software failures
      • External network and power outages
      • Building damage
      • Natural disaster(s)
    • Audit findings
    • Events in the news
    • Other?

    DRP Challenges

    • Lack of time
    • Insufficient DR budget
    • Lack of executive support
    • No internal DRP expertise
    • Challenges making the case for DRP
    • Other?

    Write down insights from the meeting on flip-chart paper or a whiteboard and use the findings to inform your DRP project (e.g. challenges to address).

    Clarify expectations with a project charter

    1(b) DRP Project Charter Template

    DRP Project Charter Template components:

    Define project parameters, roles, and objectives, and clarify expectations with the executive team. Specific subsections are listed below and described in more detail in the remainder of this phase.

    • Project Overview: Includes objectives, deliverables, and scope. Leverage relevant notes from the “Project Drivers” brainstorming exercise (e.g. past outages and near misses which help make the case).
    • Governance and Management: Includes roles, responsibilities, and resource requirements.
    • Project Risks, Assumptions, and Constraints: Includes risks and mitigation strategies, as well as any assumptions and constraints.
    • Project Sign-Off: Includes IT and executive sign-off (if required).

    Note: Identify the initial team roles and responsibilities first so they can assist in defining the project charter.

    The image is a screenshot of the first page of the DRP Project Charter Template.

    Step 1.2: Assess Current State DRP Maturity

    This step will walk you through the following activities:

    • Complete Info-Tech’s DRP Maturity Scorecard.

    This step involves the following participants:

    • DRP Coordinator
    • IT SMEs

    Results and Insights

    • Identify the current state of the organization’s DRP and continuity management. Set a baseline for improvement.
    • Discover where improvement is most needed to create an effective plan.

    Only 38% of IT departments believe their DRPs would be effective in a real crisis

    Even organizations with documented DRPs struggle to make them actionable.

    • Even when a DRP does become a priority (e.g. due to regulatory or customer drivers), the challenge is knowing where to start and having a methodical step-by-step process for doing the work. With no guide to plan and resource the project, it becomes work that you complete piecemeal when you aren’t working on other projects, or at night after the kids go to bed.
    • Far too many organizations create a document to satisfy auditors rather than creating a usable plan. People in this group often just want a fill-in-the-blanks template. What they will typically find is a template for the traditional 300-page manual that goes in a binder that sits on a shelf, is difficult to maintain, and is not effective in a crisis.
    Two bar graphs are displayed. The graph on the left shows that only 20% of survey respondents indicate they have a complete DRP. The graph on the right shows that 38% of those who have a mostly completed or full DRP actually feel it would be effective in a crisis.

    Use the DRP Maturity Scorecard to assess the current state of your DRP and identify areas to improve

    1(c) DRP Maturity Scorecard

    Info-Tech’s DRP Maturity Scorecard evaluates completion status and process maturity for a comprehensive yet practical assessment across three aspects of an effective DRP program – Defining Requirements, Implementation, and Maintenance.

    Image has three boxes. One is labelled Completion status, another below it is labelled Process Maturity. There is an addition sign in between them. With an arrow leading from both boxes is another box that is labelled DRP Maturity Assessment

    Completion Status: Reflects the progress made with each component of your DRP Program.

    Process Maturity: Reflects the consistency and quality of the steps executed to achieve your completion status.

    DRP Maturity Assessment: Each component (e.g. BIA) of your DRP Program is evaluated based on completion status and process maturity to provide an accurate holistic assessment. For example, if your BIA completion status is 4 out of 5, but process maturity is a 2, then requirements were not derived from a consistent defined process. The risk is inconsistent application prioritization and misalignment with actual business requirements.

    Step 1.3: Identify Applications, Systems, and Dependencies

    This step will walk you through the following activities:

    • Identify systems, applications, and services, and the business units that use them.
    • Document applications, systems, and their dependencies in the DRP Business Impact Analysis Tool.

    This step involves the following participants:

    • DRP Coordinator
    • DRP Team

    Results and Insights

    • Identify core services and the applications that depend on them.
    • Add applications and dependencies to the DRP Business Impact Analysis Tool.

    Select 5-10 services to get started on the DRP methodology

    1(d) High-level prioritization

    Estimated Time: 30 minutes

    Working through the planning process the first time can be challenging. If losing momentum is a concern, limit the BIA to a few critical systems to start.

    Run this exercise if you need a structured exercise to decide where to focus first and identify the business users you should ask for input on the impact of system downtime.

    1. On a whiteboard or flip-chart paper, list business units in a column on the left. List key applications/systems in a row at the top. Draw a grid.
    2. At a high level, review how applications are used by each unit. Take notes to keep track of any assumptions you make.
      • Add a ✓ if members of the unit use the application or system.
      • Add an ✱ if members of the unit are heavy users of the application or system and/or use it for time sensitive tasks.
      • Leave the box blank if the app isn’t used by this unit.
    3. Use the chart to prioritize systems to include in the BIA (e.g. systems marked with an *) but also include a few less-critical systems to illustrate DRP requirements for a range of systems.

    Image is an example of what one could complete from step 1(d). There is a table shown. In the column on the left lists sales, marketing, R&D, and Finance. In the top row, there is listed: dialer, ERP. CRM, Internet, analytics, intranet

    Application Notes
    CRM
    • Supports time-critical sales and billing processes.
    Dialer
    • Used for driving the sales-call queue, integration with CRM.

    Draw a high-level sketch of your environment

    1(e) Sketch your environment

    Estimated Time: 1-2 hours

    A high-level topology or architectural diagram is an effective way to identify dependencies, application ownership, outsourced services, hardware redundancies, and more.

    Note:

    • Network diagrams or high-level architecture diagrams help to identify dependencies and redundancies. Even a rough sketch is a useful reference tool for participants, and will be valuable documentation in the final DR plan.
    • Keep the drawings tidy. Visualize the final diagram before you start to draw on the whiteboard to help with spacing and placement.
    • Collaborate with relevant SMEs to identify dependencies. Keep the drawing high-level.
    • Illustrate connections between applications or components with lines. Use color coding to illustrate where applications are hosted (e.g. in-house, at a co-lo, in a cloud or MSP environment).
    Example of a high-level topology or architectural diagram

    Document systems and dependencies

    Collaborate with system SMEs to identify dependencies for each application or system. Document the dependencies in the DRP Business Impact Analysis Tool (see image below)

    • When listing applications, focus on business-facing systems or services that business users will recognize and use terminology they’ll understand.
    • Group infrastructure components that support all other services as a single core infrastructure service to simplify dependency mapping (e.g. core router, virtual hosts, ID management, and DNS).
    • In general, each data center will have its own core infrastructure components. List each data center separately – especially if different services are hosted at each data center.
    • Be specific when documenting dependencies. Use existing asset tracking tables, discovery tools, asset management records, or configuration management tools to identify specific server names.
    • Core infrastructure dependencies, such as the network infrastructure, power supply, and centralized storage, will be a common set of dependencies for most applications, so group these into a separate category called “Core Infrastructure” to minimize repetition in your DR planning.
    • Document production components in the BIA tool. Capture in-production, redundant components performing the same work on a single dependency line. List standby systems in the notes.

    Info-Tech Best Practice

    In general, visual documentation is easier to use in a crisis and easier to maintain over time. Use Info-Tech’s research to help build your own visual SOPs.

    Document systems and dependencies

    1(f) DRP Business Impact Analysis Tool – Record systems and dependencies

    A screenshot of Info-Tech's DRP Business Impact Analysis Tool.

    Stories from the field: Info-Tech clients find value in Phase 1 in the following ways

    An organization uncovers a key dependency that needed to be treated as a Tier 1 system

    Reviewing the entire ecosystem for applications identified key dependencies that were previously considered non-critical. For example, a system used to facilitate secure data transfers was identified as a key dependency for payroll and other critical business processes, and elevated to Tier 1.

    A picture’s worth a thousand words (and 1600 servers)

    Drawing a simple architectural diagram was an invaluable tool to identify key dependencies and critical systems, and to understand how systems and dependencies were interconnected. The drawing was an aha moment for IT and business stakeholders trying to make sense of their 1600-server environment.

    Make the case for DRP

    A member of the S&P 500 used Info-Tech’s DRP Maturity Scorecard to provide a reliable objective assessment and make the case for improvements to the board of directors.

    State government agency initiates a DRP project to complement an existing COOP

    Info-Tech's DRP Project Charter enabled the CIO to clarify their DRP project scope and where it fit into their overall COOP. The project charter example provided much of the standard copy – objectives, scope, project roles, methodology, etc. – required to outline the project.

    Phase 1: Insights and accomplishments

    Image has two screenshots from Info-Tech's Phase 1 tools and templates.

    Created a charter and identified current maturity

    Image has two screenshots. One is from Info-Tech's DRP Business Impact Analysis Tool and the other is from the example in step 1(d).

    Identified systems and dependencies for the BIA

    Summary of Accomplishments:

    • Created a DRP project charter.
    • Completed the DRP Maturity Scorecard and identified current DRP maturity.
    • Prioritized applications/systems for a first pass through DR planning.
    • Identified dependencies for each application and system.

    Up Next: Conduct a BIA to establish recovery requirements

    Create a Right-Sized Disaster Recovery Plan

    Phase 2

    Conduct a BIA to Determine Acceptable RTOs and RPOs

    Step 2.1: Define an Objective Impact Scoring Scale

    This step will walk you through the following activities:

    • Create a scoring scale to measure the business impact of application and system downtime.

    This step involves the following participants:

    • DRP Coordinator
    • DRP Team

    Results and Insights

    • Use a scoring scale tied to multiple categories of real business impact to develop a more objective assessment of application and system criticality.

    Align capabilities to appropriate and acceptable RTOs and RPOs with a BIA

    Too many organizations avoid a BIA because they perceive it as onerous or unneeded. A well-managed BIA is straightforward and the benefits are tangible.

    A BIA enables you to identify appropriate spend levels, maintain executive support, and prioritize DR planning for a more successful outcome. Info-Tech has found that a BIA has a measurable impact on the organization’s ability to set appropriate objectives and investment goals.

    Two bar graphs are depicted. The one on the left shows 93% BIA impact on appropriate RTOs. The graph on the right shows that with BIA, there is 86% on BIA impact on appropriate spending.

    Info-Tech Insight

    Business input is important, but don’t let a lack of it delay a draft BIA. Complete a draft based on your knowledge of the business. Create a draft within IT, and use it to get input from business leaders. It’s easier to edit estimates than to start from scratch; even weak estimates are far better than a blank sheet.

    Pick impact categories that are relevant to your business to develop a holistic view of business impact

    Direct Cost Impact Categories

    • Revenue: permanently lost revenue.
      • Example: one third of daily sales are lost due to a website failure.
    • Productivity: lost productivity.
      • Example: finance staff can’t work without the accounting system.
    • Operating costs: additional operating costs.
      • Example: temporary staff are needed to re-key data.
    • Financial penalties: fines/penalties that could be incurred due to downtime.
      • Example: failure to meet contractual service-level agreements (SLAs) for uptime results in financial penalties.

    Goodwill, Compliance, and Health and Safety Categories

    • Stakeholder goodwill: lost customer, staff, or business partner goodwill due to harm, frustration, etc.
      • Example: customers can’t access needed services because the website is down.
      • Example: a payroll system outage delays paychecks for all staff.
      • Example: suppliers are paid late because the purchasing system is down.
    • Compliance, health, and safety:
      • Example: financial system downtime results in a missed tax filing.
      • Example: network downtime disconnects security cameras.

    Info-Tech Insight

    You don’t have to include every impact category in your BIA. Include categories that could affect your business. Defer or exclude other categories. For example, the bulk of revenue for governmental organizations comes from taxes, which won’t be permanently lost if IT systems fail.

    Modify scoring criteria to help you measure the impact of downtime

    The scoring scales define different types of business impact (e.g. costs, lost goodwill) using a common four-point scale and 24-hour timeframe to simplify BIA exercises and documentation.

    Use the suggestions below as a guide as you modify scoring criteria in the DRP Business Impact Analysis Tool:

    • All the direct cost categories (revenue, productivity, operating costs, financial penalties) require the user to define only a maximum value; the tool will populate the rest of the criteria for that category. Use the suggestions below to find the maximum scores for each of the direct cost categories:
      • Revenue: Divide total revenue for the previous year by 365 to estimate daily revenue. Assume this is the most revenue you could lose in a day, and use this number as the top score.
      • Loss of Productivity: Divide fully-loaded labor costs for the organization by 365 to estimate daily productivity costs. Use this as a proxy measure for the work lost if all business stopped for one day.
      • Increased Operating Costs: Isolate this to known additional costs that result from a disruption (e.g. costs for overtime or temporary staff). Estimate the maximum cost for the organization.
      • Financial Penalties: Isolate this to known financial penalties (e.g. due to failure to meet SLAs or compliance requirements). Use the estimated maximum penalty as the highest value on the scale.
    • Impact on Goodwill: Use an estimate of the percentage of all stakeholders impacted to assess goodwill impact.
    • Impact on Compliance; Impact on Health and Safety: The BIA tool contains default scoring criteria that account for the severity of the impact, the likelihood of occurrence, and in the case of compliance, whether a grace period is available. Use this scale as-is, or adapt this scale to suit your needs.

    Modify the default scoring scale in the DRP Business Impact Analysis Tool to reflect your organization

    2(a) DRP Business Impact Analysis Tool – Scoring criteria


    A screenshot of Info-Tech's DRP Business Impact Analysis Tool's scoring criteria

    Step 2.2: Estimate the Impact of Downtime

    This step will walk you through the following activities:

    • Identify the business impact of service/system/application downtime.

    This step involves the following participants:

    • DRP Coordinator
    • DRP Team
    • IT Service SMEs
    • Business-Side Technology Owners (optional)

    Results and Insights

    • Apply the scoring scale to develop a more objective assessment of the business impact of downtime.
    • Create criticality tiers based on the business impact of downtime.

    Estimate the impact of downtime for each system and application

    2(b) Estimate the impact of systems downtime

    Estimated Time: 3 hours

    On tab 3 of the DRP Business Impact Analysis Tool indicate the costs of downtime, as described below:

    1. Have a copy of the “Scoring Criteria” tab available to use as a reference (e.g. printed or on a second display). In tab 3 use the drop-down menu to assign a score of 0 to 4 based on levels of impact defined in the “Scoring Criteria” tab.
    2. Work horizontally across all categories for a single system or application. This will familiarize you with your scoring scales for all impact categories, and allow you to modify the scoring scales if needed before you proceed much further.
    3. For example, if a core call center phone system was down:

    • Loss of Revenue would be the portion of sales revenue generated through the call center. This might score a 1 or 2 depending on the percent of sales that are processed by the call center.
    • The Impact on Customers might be a 2 or 3 depending on the extent that some customers might be using the call center to receive support or purchase new products or services.
    • The Legal/Regulatory Compliance and Health or Safety Risk might be a 0, as the call center has no impact in either area.
  • Next, work vertically across all applications or systems within a single impact category. This will allow you to compare scores within the category as you create them to ensure internal consistency.
  • Add impact scores to the DRP Business Impact Analysis Tool

    2(c) DRP Business Impact Analysis Tool

    Screenshot of Info-Tech's DRP Business Impact Analysis Tool

    Record business reasons and assumptions that drive BIA scores

    2(d) DRP BIA Scoring Context Example

    Info-Tech suggests that IT leadership and staff identify the impact of downtime first to create a version that you can then validate with relevant business owners. As you work through the BIA as a team, have a notetaker record assumptions you make to help you explain the results and drive business engagement and feedback.

    Some common assumptions:

    • You can’t schedule a disaster, so Info-Tech suggests you assume the worst possible timing for downtime. Base the impact of downtime on the worst day for a disaster (e.g. year-end close, payroll run).
    • Record assumptions made about who and what are impacted by system downtime.
    • Record assumptions made about impact severity.
    • If you deviate from the scoring scale, or if a particular impact doesn’t fit well into the defined scoring scale, document the exception.

    Screenshot of Info-Tech's DRP BIA Scoring Context Example

    Use Info-Tech’s DRP BIA Scoring Context Example as a note-taking template.

    Info-Tech Insight

    You can’t build a perfect scoring scale. It’s fine to make reasonable assumptions based on your judgment and knowledge of the business. Just write down your assumptions. If you don’t write them down, you’ll forget how you arrived at that conclusion.

    Assign a criticality rating based on total direct and indirect costs of downtime

    2(e) DRP Business Impact Analysis Tool – Assign criticality tiers

    Once you’ve finished estimating the impact of downtime, use the following rough guideline to create an initial sort of applications into Tiers 1, 2, and 3.

    1. In general, sort applications based on the Total Impact on Goodwill, Compliance, and Safety first.
      • An effective tactic for a quick sort: assign a Tier 1 rating where scores are 50% or more of the highest total score, Tier 2 where scores are between 25% and 50%, and Tier 3 where scores are below 25%. Some organizations will also include a Tier 0 for the highest-scoring systems.
      • Then review and validate these scores and assignments.
    2. Next, consider the Total Cost of Downtime.
      • The Total Cost is calculated by the tool based on the Scoring Criteria in tab 2 and the impact scores on tab 3.
      • Decide if the total cost impact justifies increasing the criticality rating (e.g. from Tier 2 to Tier 1 due to high cost impact).
    3. Review the assigned impact scores and tiers to check that they’re in alignment. If you need to make an exception, document why. Keep exceptions to a minimum.

    Example: Highest total score is 12

    Screenshot of Info-Tech's DRP Business Impact Analysis Tool

    Step 2.3: Determine Acceptable RTO/RPO Targets

    This step will walk you through the following activities:

    • Review the “Debate Space” approach to setting RTO and RPO (recovery targets).
    • Set preliminary RTOs and RPOs by criticality tier.

    This step involves the following participants:

    • DRP Coordinator
    • DRP Team

    Results and Insights

    • Align recovery targets with the business impact of downtime and data loss.

    Use the “Debate Space” approach to align RTOs and RPOs with the impact of downtime

    The business must validate acceptable and appropriate RTOs and RPOs, but IT can use the guidelines below to set an initial estimate.

    Right-size recovery.

    A shorter RTO typically requires higher investment. If a short period of downtime has minimal impact, setting a low RTO may not be justifiable. As downtime continues, impact begins to increase exponentially to a point where downtime is intolerable – an acceptable RTO must be shorter than this. Apply the same thinking to RPOs – how much data loss is unnoticeable? How much is intolerable?

    A diagram to show the debate space in relation to RTOs and RPOs

    The “Debate Space” is between minimal impact and maximum tolerance for downtime.

    Estimate appropriate, acceptable RTOs and RPOs for each tier

    2(f) Set recovery targets

    Estimated Time: 30 minutes

    RTO and RPO tiers simplify management by setting similar recovery goals for systems and applications with similar criticality.

    Use the “Debate Space” approach to set appropriate and acceptable targets.

    1. For RTO, establish a recovery time range that is appropriate based on impact.
      • Overall, the RTO tiers might be 0-4 hours for gold, 4-24 hours for silver, and 24-48 hours for bronze.
    2. RPOs reflect target data protection measures.
      • Identify the lowest RPO within a tier and make that the standard.
      • For example, RPO for gold data might be five minutes, silver might be four hours, and bronze might be one day.
      • Use this as a guideline. RPO doesn’t always align perfectly with RTO tiers.
    3. Review RTOs and RPOs and make sure they accurately reflect criticality.

    Info-Tech Insight

    In general, the more critical the system, the shorter the RPO. But that’s not always the case. For example, a service bus might be Tier 1, but if it doesn’t store any data, RPO might be longer than other Tier 1 systems. Some systems may have a different RPO than most other systems in that tier. As long as the targets are acceptable to the business and appropriate given the impact, that’s okay.

    Add recovery targets to the DRP Business Impact Analysis Tool

    2(g) DRP Business Impact Analysis Tool – Document recovery objectives

    A screenshot of Info-Tech's DRP Business Impact Analysis Tool – Document recovery objectives

    Stories from the field: Info-Tech clients find value in Phase 2 in the following ways

    Most organizations discover something new about key applications, or the way stakeholders use them, when they work through the BIA and review the results with stakeholders. For example:

    Why complete a BIA? There could be a million reasons

    • A global manufacturer completed the DRP BIA exercise. When email went down, Service Desk phones lit up until it was resolved. That grief led to a high availability implementation for email. However, the BIA illustrated that ERP downtime was far more impactful.
    • ERP downtime would stop production lines, delay customer orders, and ultimately cost the business a million dollars a day.
    • The BIA results clearly showed that the ERP needed to be prioritized higher, and required business support for investment.

    Move from airing grievances to making informed decisions

    The DRP Business Impact Analysis Tool helped structure stakeholder consultations on DR requirements for a large university IT department. Past consultations had become an airing of grievances. Using objective impact scores helped stakeholders stay focused and make informed decisions around appropriate RTOs and RPOs.

    Phase 2: Insights and accomplishments

    Screenshots of the tools and templates from this phase.

    Estimated the business impact of downtime

    Screenshot of a tools from this phase

    Set recovery targets

    Summary of Accomplishments

    • Created a scoring scale tied to different categories of business impact.
    • Applied the scoring scale to estimate the business impact of system downtime.
    • Identified appropriate, acceptable RTOs and RPOs.

    Up Next:Conduct a tabletop planning exercise to establish current recovery capabilities

    Create a Right-Sized Disaster Recovery Plan

    Phase 3

    Identify and Address Gaps in the Recovery Workflow

    Step 3.1: Determine Current Recovery Workflow

    This step will walk you through the following activities:

    • Run a tabletop exercise.
    • Outline the steps for the initial response (notification, assessment, disaster declaration) and systems recovery (i.e. document your recovery workflow).
    • Identify any gaps and risks in your initial response and systems recovery.

    This step involves the following participants:

    • DRP Coordinator
    • IT Infrastructure SMEs (for systems in scope)
    • Application SMEs (for systems in scope)

    Results and Insights

    • Use a repeatable practical exercise to outline and document the steps you would use to recover systems in the event of a disaster, as well as identify gaps and risks to address.
    • This is also a knowledge-sharing opportunity for your team, and a practical means to get their insights, suggestions, and recovery knowledge down on paper.

    Tabletop planning: an effective way to test and document your recovery workflow

    In a tabletop planning exercise, the DRP team walks through a disaster scenario to map out what should happen at each stage, and effectively defines a high-level incident response plan (i.e. recovery workflow).

    Tabletop planning had the greatest impact on meeting recovery objectives (RTOs/RPOs) among survey respondents.

    A bar graph is displayed that shows that tabletop planning has the greatest impact on meeting recovery objectives (RTOs/RPOs) among survey respondents.

    *Note: Relative importance indicates the contribution an individual testing methodology, conducted at least annually, had on predicting success meeting recovery objectives, when controlling for all other types of tests in a regression model. The relative-importance values have been standardized to sum to 100%.

    Success was based on the following items:

    • RTOs are consistently met.
    • IT has confidence in the ongoing ability to meet RTOs.
    • RPOs are consistently met.
    • IT has confidence in the ongoing ability to meet RPOs.

    Why is tabletop planning so effective?

    • It enables you to play out a wider range of scenarios than technology-based testing (e.g. full-scale, parallel) due to cost and complexity factors.
    • It is non-intrusive, so it can be executed more frequently than other testing methodologies.
    • It easily translates into the backbone of your recovery documentation, as it allows you to review all aspects of your recovery plan.

    Focus first on IT DR

    Your DRP is IT contingency planning. It is not crisis management or BCP.

    The goal is to define a plan to restore applications and systems following a disruption. For your first tabletop exercise, Info-Tech recommends you use a non-life-threatening scenario that requires at least a temporary relocation of your data center (i.e. failing over to a DR site/environment). Assume a gas leak or burst water pipe renders the data center inaccessible. Power is shut off and IT must failover systems to another location. Once you create the master procedure, review the plan to ensure it addresses other scenarios.

    Info-Tech Insight

    When systems fail, you are faced with two high-level options: failover or recover in place. If you document the plan to failover systems to another location, you’ll have documented the core of your DR procedures. This differs from traditional scenario planning where you define separate plans for different what-if scenarios. The goal is one plan that can be adapted to different scenarios, which reduces the effort to build and maintain your DRP.

    Conduct a tabletop planning exercise to outline DR procedures in your current environment

    3(a) Tabletop planning

    Estimated Time: 2-3 hours

    For each high-level recovery step, do the following:

    1. On white cue cards:
      • Record the step.
      • Indicate the task owner (if required for clarity).
      • Note time required to complete the step. After the exercise, use this to build a running recovery time where 00:00 is when the incident occurred.
    2. On yellow cue cards, document gaps in people, process, and technology requirements to complete the step.
    3. On red cue cards, indicate risks (e.g. no backup person for a key staff member).
    An example is shown on what can be done during step 3(a). Three cue cards are showing in white, yellow, and red.

    Do:

    • Review the complete workflow from notification all the way to user acceptance testing.
    • Keep focused; stay on task and on time.
    • Revisit each step and record gaps and risks (and known solutions, but don’t dwell on this).
    • Revise and improve the plan with task owners.

    Don't:

    • Get weighed down by tools.
    • Document the details right away – stick to the high-level plan for the first exercise.
    • Try to find solutions to every gap/risk as you go. Save in-depth research/discussion for later.

    Flowchart the current-state incident response plan (i.e. document the recovery workflow)

    3(b) DRP Recovery Workflow Template and Case Study: Practical, Right-Sized DRP

    Why use flowcharts?

    • Flowcharts provide an at-a-glance view, ideal for disaster scenarios where pressure is high and quick upward communication is necessary.
    • For experienced staff, a high-level reminder of key steps is sufficient.

    Use the completed tabletop planning exercise results to build this workflow.

    "We use flowcharts for our declaration procedures. Flowcharts are more effective when you have to explain status and next steps to upper management." – Assistant Director, IT Operations, Healthcare Industry

    Source: Info-Tech Research Group Interview

    Screenshot of Info-Tech's DRP Recovery Workflow Template

    For a formatted template you can use to capture your plan, see Info-Tech’s DRP Recovery Workflow Template.

    For a completed example of tabletop planning results, review Info-Tech’s Case Study: Practical, Right-Sized DRP.

    Identify RPA

    What’s my RPA? Consider the following case:

    • Once a week, a full backup is taken of the complete ERP system and is transferred over the WAN to a secondary site 250 miles away, where it is stored on disk.
    • Overnight, an incremental backup is taken of the day’s changes, and is transferred to the same secondary site, and also stored on disk.
    • During office hours, the SAN takes a snapshot of changes which are kept on local storage (information on the accounting system usually only changes during office hours).
    • So what’s the RPA? One hour (snapshots), one day (incrementals), or one week (full backups)?

    When identifying RPA, remember the following:

    You are planning for a disaster scenario, where on-site systems may be inaccessible and any copies of data taken during the disaster may fail, be corrupt, or never make it out of the data center (e.g. if the network fails before the backup file ships). In the scenario above, it seems likely that off-site incremental backups could be restored, leading to a 24-hour RPA. However, if there were serious concerns about the reliability of the daily incrementals, the RPA could arguably be based on the weekly full backups.

    Info-Tech Best Practice

    The RPA is a commitment to the maximum data you would lose in a DR scenario with current capabilities (people, process, and technology). Pick a number you can likely achieve. List any situations where you couldn’t meet this RPA, and identify those for a risk tolerance discussion. In the example above, complete loss of the primary SAN would also mean losing the snapshots, so the last good copy of the data could be up to 24-hours old.

    Add recovery actuals (RTA/RPA) to your copy of the BIA

    3(c) DRP Business Impact Analysis Tool– Recovery actuals

    On the “Impact Analysis” tab in the DRP Business Impact Analysis Tool, enter the estimated maximum downtime and data loss in the RTA and RPA columns.

    1. Estimate the RTA based on the required time for complete recovery. Review your recovery workflow to identify this timeline. For example, if the notification, assessment, and declaration process takes two hours, and systems recovery requires most of a day, the estimated RTA could be 24 hours.
    2. Estimate the RPA based on the longest interval between copies of the data being shipped offsite. For example, if data on a particular system is backed up offsite once per day, and the onsite system was destroyed just before that backup began, the entire day’s data could be lost and estimated RPA could be 24 hours. Note: Enter 9999 to indicate that data is unrecoverable.

    A screenshot of Info-Tech's DRP Business Impact Analysis Tool – Recovery actuals

    Info-Tech Best Practice

    It’s okay to round numbers to the nearest shift, day, or week for simplicity (e.g. 24 hours rather than 22.5 hours, or 8 hours rather than 7.25 hours).

    Test the recovery workflow against additional scenarios

    3(d) Workflow review

    Estimated Time: 1 hour

    Review your recovery workflow with a different scenario in mind.

    • Work from and update the soft copy of your recovery workflow.
    • Would any steps be different if the scenario changes? If yes, capture the different flow with a decision diamond. Identify any new gaps or risks you encounter with red and yellow cards. Use as few decision diamonds as possible.

    Screenshot of testing the workflow against the additional scenarios

    Info-Tech Best Practice

    As you start to consider scenarios where injuries or loss of life are a possibility, remember that health and safety risks are the top priority in a crisis. If there’s a fire in the data center, evacuating the building is the first priority, even if that means foregoing a graceful shut down. For more details on emergency response and crisis management, see Implement Crisis Management Best Practices.

    Consider additional IT disaster scenarios

    3(e) Thought experiment – Review additional scenarios

    Walk through your recovery workflow in the context of additional, different scenarios to ensure there are no gaps. Collaborate with your DR team to identify changes that might be required, and incorporate these changes in the plan.

    Scenario Type Considerations
    Isolated hardware/software failure
    • Failover to the DR site may not be necessary (or only for affected systems).
    Power outage or network outage
    • Do you have standby power? Do you have network redundancy?
    Local hazard (e.g. chemical leak, police incident)
    • Systems might be accessible remotely, but hands-on maintenance will be required eventually.
    • An alternate site is required for service continuity.
    Equipment/building damage (e.g. fire, roof collapse)
    • Staff injuries or loss of life are a possibility.
    • Equipment may need repair or replacement (vendor involvement).
    • An alternate site is required for service continuity.
    Regional natural disasters
    • Staff injuries or loss of life are a possibility.
    • Utilities may be affected (power, running water, etc.).
    • Expect staff to take care of their families first before work.
    • A geographically distant alternate site may be required for service continuity.

    Step 3.2: Identify and Prioritize Projects to Close Gaps

    This step will walk you through the following activities:

    • Analyze the gaps that were identified from the maturity scorecard, tabletop planning exercise, and the RTO/RPO gaps analysis.
    • Brainstorm solutions to close gaps and mitigate risks.
    • Determine a course of action to close these gaps. Prioritize each project. Create a project implementation timeline.

    This step involves the following participants:

    • DRP Coordinator
    • IT Infrastructure SMEs

    Results and Insights

    • Prioritized list of projects and action items that can improve DR capabilities.
    • Often low-cost, low-effort quick wins are identified to mitigate at least some gaps/risks. Higher-cost, higher-effort projects can be part of a longer-term IT strategy. Improving service continuity is an ongoing commitment.

    Brainstorm solutions to address gaps and risk

    3(f) Solutioning

    Estimated Time: 1.5 hours

    1. Review each of the risk and gap cards from the tabletop exercise.
    2. As a group, brainstorm ideas to address gaps, mitigate risks, and improve resiliency. Write the list of ideas on a whiteboard or flip-chart paper. The solutions can range from quick-wins and action items to major capital investments.
    3. Try to avoid debates about feasibility at this point – that should happen later. The goal is to get all ideas on the board.

    An example of how to complete Activity 3(f). Three cue cards showing various steps are attached by arrows to steps on a whiteboard.

    Info-Tech Best Practice

    It’s about finding ways to solve the problem, not about solving the problem. When you’re brainstorming solutions to problems, don’t stop with the first idea, even if the solution seems obvious. The first idea isn’t always the best or only solution; other ideas can expand on and improve that first idea.

    Select an optimal DR deployment model from a world of choice

    There are many options for a DR deployment. What makes sense for you?

    • Sifting through the options for a DR site can be overwhelming. Simplify by eliminating deployment models that aren’t a good fit for your requirements or organization using Info-Tech’s research.
    • Someone will ask you about DR in the cloud. Cut to the chase and evaluate cloud for fit with your organization’s current capabilities and requirements. Read about the 10 Secrets for Successful DR in the Cloud.
    • Selecting and deploying a DR site is an exercise in risk mitigation. IT’s role is to advise the business on options to address the risk of not having a DR site, including cost and effort estimates. The business must then decide how to manage risk. Build total cost of ownership (TCO) estimates and evaluate possible challenges and risks for each option.

    Is it practical to invest in greater geo-redundancy that meets RTOs and RPOs during a widespread event?

    Info-Tech suggests you consider events that impact both sites, and your risk tolerance for that impact. Outline the impact of downtime at a high level if both the primary and secondary site were affected. Research how often events severe enough to have impacted both your primary and secondary sites have occurred in the past. What’s the business tolerance for this type of event?

    A common strategy: have a primary and DR site that are close enough to support low RPO/RTO, but far enough away to mitigate the impact of known regional events. Back up data to a remote third location as protection against a catastrophic event.

    Info-Tech Insight

    Approach site selection as a project. Leverage Select an Optimal Disaster Recovery Deployment Model to structure your own site-selection project.

    Set up the DRP Roadmap Tool

    3(g) DRP Roadmap Tool – Set up tool

    Use the DRP Roadmap Tool to create a high-level roadmap to plan and communicate DR action items and initiatives. Determine the data you’ll use to define roadmap items.

    Screenshot of Info-Tech's DRP Roadmap Tool

    Plan next steps by estimating timeline, effort, priority, and more

    3(h) DRP Roadmap Tool – Describe roadmap items

    A screenshot of Info-Tech's DRP Roadmap Tool to show how to describe roadmap items

    Review and communicate the DRP Roadmap Tool

    3(i) DRP Roadmap Tool – View roadmap chart

    A screenshot of Info-Tech's DRP Roadmap Tool's Roadmap tab

    Step 3.3: Review the Future State Recovery Process

    This step will walk you through the following activities:

    • Update the recovery workflow to outline your future recovery procedure.
    • Summarize findings from DR exercises and present the results to the project sponsor and other interested executives.

    This step involves the following participants:

    • DRP Coordinator
    • IT SMEs (Future State Recovery Flow)
    • DR Project Sponsor

    Results and Insights

    • Summarize results from DR planning exercises to make the case for needed DR investment.

    Outline your future state recovery flow

    3(j) Update the recovery workflow to outline response and recovery in the future

    Estimated Time: 30 minutes

    Outline your expected future state recovery flow to demonstrate improvements once projects and action items have been completed.

    1. Create a copy of your DRP recovery workflow in a new tab in Visio.
    2. Delete gap and risk cards that are addressed by proposed projects. Consolidate or eliminate steps that would be simplified or streamlined in the future if projects are implemented.
    3. Create a short-, medium-, and long-term review of changes to illustrate improvements over time to the project roadmap.
    4. Update this workflow as you implement and improve DR capabilities.

    Screenshot of the recovery workflow

    Validate recovery targets and communicate actual recovery capabilities

    3(k) Validate findings, present recommendations, secure budget

    Estimated Time: time required will vary

    1. Interview managers or process owners to validate RTO, RPO, and business impact scores.Use your assessment of “heavy users” of particular applications (picture at right) to remind you which business users you should include in the interview process.
    2. Present an overview of your findings to the management team.Use Info-Tech’s DRP Recap and Results Template to summarize your findings.
    3. Take projects into the budget process.With the management team aware of the rationale for investment in DRP, build the business case and secure budget where needed.

    Present DRP findings and make the case for needed investment

    3(I) DRP Recap and Results Template

    Create a communication deck to recap key findings for stakeholders.

    • Write a clear problem statement. Identify why you did this project (what problem you’re solving).
    • Clearly state key findings, insights, and recommendations.
    • Leverage the completed tools and templates to populate the deck. Callouts throughout the template presentation will direct you to take and populate screenshots throughout the document.
    • Use the presentation to communicate key findings to, and gather feedback from, business unit managers, executives, and IT staff.
    Screenshots of Info-Tech's DRP Recap and Results Template

    Stories from the field: Info-Tech clients find value in Phase 3 in the following ways

    Tabletop planning is an effective way to discover gaps in recovery capabilities. Identify issues in the tabletop exercise so you can manage them before disaster strikes. For example:

    Back up a second…

    A client started to back up application data offsite. To minimize data transfer and storage costs, the systems themselves weren’t backed up. Working through the restore process at the DR site, the DBA realized 30 years of COBOL and SQR code – critical business functionality – wasn’t backed up offsite.

    Net… work?

    A 500-employee professional services firm realized its internet connection could be a significant roadblock to recovery. Without internet, no one at head office could access critical cloud systems. The tabletop exercise identified this recovery bottleneck and helped prioritize the fix on the roadmap.

    Someone call a doctor!

    Hospitals rely on their phone systems for system downtime procedures. A tabletop exercise with a hospital client highlighted that if the data center were damaged, the phone system would likely be damaged as well. Identifying this provided more urgency to the ongoing VOIP migration.

    The test of time

    A small municipality relied on a local MSP to perform systems restore, but realized it had never tested the restore procedure to identify RTA. Contacting the MSP to review capabilities became a roadmap item to address this risk.

    Phase 3: Insights and accomplishments

    Screenshot of Info-Tech's DRP recovery workflow template

    Outlined the DRP response and risks to recovery

    Screenshots of activities completed related to brainstorming risk mitigation measures.

    Brainstormed risk mitigation measures

    Summary of Accomplishments

    • Planned and documented your DR incident response and systems recovery workflow.
    • Identified gaps and risks to recovery and incident management.
    • Brainstormed and identified projects and action items to mitigate risks and close gaps.

    Up Next: Leverage the core deliverables to complete, extend, and maintain your DRP

    Create a Right-Sized Disaster Recovery Plan

    Phase 4

    Complete, Extend, and Maintain Your DRP

    Phase 4: Complete, Extend, and Maintain Your DRP

    This phase will walk you through the following activities:

    • Identify progress made on your DRP by reassessing your DRP maturity.
    • Prioritize the highest value major initiatives to complete, extend, and maintain your DRP.

    This phase involves the following participants:

    • DRP Coordinator
    • Executive Sponsor

    Results and Insights

    • Communicate the value of your DRP by demonstrating progress against items in the DRP Maturity Scorecard.
    • Identify and prioritize future major initiatives to support the DRP, and the larger BCP.

    Celebrate accomplishments, plan for the future

    Congratulations! You’ve completed the core DRP deliverables and made the case for investment in DR capabilities. Take a moment to celebrate your accomplishments.

    This milestone is an opportunity to look back and look forward.

    • Look back: measure your progress since you started to build your DRP. Revisit the assessments completed in phase 1, and assess the change in your overall DRP maturity.
    • Look forward: prioritize future initiatives to complete, extend, and maintain your DRP. Prioritize initiatives that are the highest impact for the least requirement of effort and resources.

    We have completed the core DRP methodology for key systems:

    • BIA, recovery objectives, high-level recovery workflow, and recovery actuals.
    • Identify key tasks to meet recovery objectives.

    What could we do next?

    • Repeat the core methodology for additional systems.
    • Identify a DR site to meet recovery requirements, and review vendor DR capabilities.
    • Create a summary DRP document including requirements, capabilities, and change procedures.
    • Create a test plan and detailed recovery documentation.
    • Coordinate the creation of BCPs.
    • Integrate DR in other key operational processes.

    Revisit the DRP Maturity Scorecard to measure progress and identify remaining areas to improve

    4(a) DRP Maturity Scorecard – Reassess your DRP program maturity

    1. Find the copy of the DRP Maturity Scorecard you completed previously. Save a second copy of the completed scorecard in the same folder.
    2. Update scoring where you have improved your DRP documentation or capabilities.
    3. Review the new scores on tab 3. Compare the new scores to the original scores.

    Screenshot of DRP Maturity Assessment Results

    Info-Tech Best Practice

    Use the completed, updated DRP Maturity Scorecard to demonstrate the value of your continuity program, and to help you decide where to focus next.

    Prioritize major initiatives to complete, extend, and maintain the DRP

    4(b) Prioritize major initiatives

    Estimated Time: 2 hours

    Prioritize major initiatives that mitigate significant risk with the least cost and effort.

    1. Use the scoring criteria below to evaluate risk, effort, and cost for potential initiatives. Modify the criteria if required for your organization. Write this out on a whiteboard or flip-chart paper.
    2. Assign a score from 1 to 3. Multiply the scores for each initiative together for an aggregate score. In general, prioritize initiatives with higher scores.
    Score A: How significant are the risks this initiative will mitigate? B: How easily can we complete this initiative? C: How cost-effective is this initiative?
    3: High Critical impact on +50% of stakeholders, or major impact to compliance posture, or significant health/safety risk. One sprint, can be completed by a few individuals with minor supervision. Within the IT discretionary budget.
    2: Medium Impacts <50% of stakeholders, or minor impact on compliance, or degradation to health or safety controls. One quarter, and/or some increased effort required, some risk to completion. Requires budget approval from finance.
    1: Low Impacts limited to <25% of stakeholders, no impact on compliance posture or health/safety. One year, and/or major vendor or organizational challenges. Requires budget approval from the board of directors.

    Info-Tech Best Practice

    You can use a similar scoring exercise to prioritize and schedule high-benefit, low-effort, low-cost items identified in the roadmap in phase 3.

    Example: Prioritize major initiatives

    4(b) Prioritize major initiatives continued

    Write out the table on a whiteboard (record the results in a spreadsheet for reference). In the case below, IT might decide to work on repeating the core methodology first as they create the active testing plans, and tackle process changes later.

    Initiative A: How significant are the risks this initiative will mitigate? B: How easily can we complete this initiative? C: How cost-effective is this initiative? Aggregate score (A x B x C)
    Repeat the core methodology for all systems 2 – will impact some stakeholders, no compliance or safety impact. 2 – will require about 3 months, no significant complications. 3 – No cost. 12
    Add DR to project mgmt. and change mgmt. 1 – Mitigates some recovery risks over the long term. 1 – Requires extensive consultation and process review. 3 – No cost. 3
    Active failover testing on plan 2 – Mitigates some risks; documentation and cross training is already in place. 2 – Requires 3-4 months of occasional effort to prepare for test. 2 – May need to purchase some equipment before testing. 8

    Info-Tech Best Practice

    Find a pace that allows you to keep momentum going, but also leaves enough time to act on the initial findings, projects, and action items identified in the DRP Roadmap Tool. Include these initiatives in the Roadmap tool to visualize how identified initiatives fit with other tasks identified to improve your recovery capabilities.

    Repeat the core DR methodology for additional systems and applications


    You have created a DR plan for your most critical systems. Now, add the rest:

    • Build on the work you’ve already done. Re-use the BIA scoring scale. Update your existing recovery workflows, rather than creating and formatting an entirely new document. A number of steps in the recovery will be shared with, or similar to, the recovery procedures for your Tier 1 systems.

    Risks and Challenges Mitigated

    • DR requirements and capabilities for less-critical systems have not been evaluated.
    • Gaps in the recovery process for less critical systems have not been evaluated or addressed.
    • DR capabilities for less critical systems may not meet business requirements.
    Sample Outputs
    Add Tier 2 & 3 systems to the BIA.
    Complete another tabletop exercise for Tier 2 & 3 systems recovery, and add the results to the recovery workflow.
    Identify projects to close additional gaps in the recovery process. Add projects to the project roadmap.

    Info-Tech Best Practice

    Use this example of a complete, practical, right-size DR plan to drive and guide your efforts.

    Extend your core DRP deliverables

    You’ve completed the core DRP deliverables. Continue to create DRP documentation to support recovery procedures and governance processes:

    • DR documentation efforts fail when organizations try to boil the ocean with an all-in-one plan aimed at auditors, business leaders, and IT. It’s long, hard to maintain, and ends up as shelfware.
    • Create documentation in layers to keep it manageable. Build supporting documentation over time to support your high-level recovery workflow.

    Risks and Challenges Mitigated

    • Key contact information, escalation, and disaster declaration responsibilities are not identified or formalized.
    • DRP requirements and capabilities aren’t centralized. Key DRP findings are in multiple documents, complicating governance and oversight by auditors, executives, and board members.
    • Detailed recovery procedures and peripheral information (e.g. network diagrams) are not documented.
    Sample Outputs
    Three to five detailed systems recovery flowcharts/checklists.
    Documented team roles, succession plans, and contact information.
    Notification, assessment, and disaster declaration plan.
    DRP summary.
    Layer 1, 2 & 3 network diagrams.

    Info-Tech Best Practice

    Use this example of a complete, practical, right-size DR plan to drive and guide your efforts.

    Select an optimal DR deployment model and deployment site

    Your DR site has been identified as inadequate:

    • Begin with the end in mind. Commit to mastering the selected model and leverage your vendor relationship for effective DR.
    • Cut to the chase and evaluate the feasibility of cloud first. Gauge your organization’s current capabilities for DR in the cloud before becoming infatuated with the idea.
    • A mixed model gives you the best of both worlds. Diversify your strategy by identifying fit for purpose and balancing the work required to maintain various models.

    Risks and Challenges Mitigated

    • Without an identified DR site, you’ll be scrambling when a disaster hits to find and contract for a location to restore IT services.
    • Without systems and application data backed up offsite, you stand to lose critical business data and logic if all copies of the data at your primary site were lost.
    Sample Outputs
    Application assessment for cloud DR.
    TCO tool for different environments.
    Solution decision and executive presentation.

    Info-Tech Best Practice

    Use Info-Tech’s blueprint, Select the Optimal Disaster Recovery Deployment Model, to help you make sense of a world of choice for your DR site.

    Extend DRP findings to business process resiliency with a BCP pilot

    Integrate your findings from DRP into the overall BCP:

    • As an IT leader you have the skillset and organizational knowledge to lead a BCP project, but ultimately business leaders need to own the BCP – they know their processes and requirements to resume business operations better than anyone else.
    • The traditional approach to BCP is a massive project that most organizations can’t execute without hiring a consultant. To execute BCP in-house, carve up the task into manageable pieces.

    Risks and Challenges Mitigated

    • No formal plan exists to recover from a disruption to critical business processes.
    • Business requirements for IT systems recovery may change following a comprehensive review of business continuity requirements.
    • Outside of core systems recovery, IT could be involved in relocating staff, imaging and issuing new end-user equipment, etc. Identifying these requirements is part of BCP.
    Sample Outputs
    Business process-focused BIA for one business unit.
    Recovery workflows for one business unit.
    Provisioning list for one business unit.
    BCP project roadmap.

    Info-Tech Best Practice

    Use Info-Tech’s blueprint, Develop a Business Continuity Plan, to develop and deploy a repeatable BCP methodology.

    Test the plan to validate capabilities and cross-train staff on recovery procedures

    You don’t have a program to regularly test the DR plan:

    • Most DR tests are focused solely on the technology and not the DR management process – which is where most plans fail.
    • Be proactive – establish an annual test cycle and identify and coordinate resources well in advance.
    • Update DRP documentation with findings from the plan, and track the changes you make over time.

    Risks and Challenges Mitigated

    • Gaps likely still exist in the plan that are hard to find without some form of testing.
    • Customers and auditors may ask for some form of DR testing.
    • Staff may not be familiar with DR documentation or how they can use it.
    • No formal cycle to validate and update the DRP.
    Sample Outputs
    DR testing readiness assessment.
    Testing handbooks.
    Test plan summary template.
    DR test issue log and analysis tool.

    Info-Tech Best Practice

    Uncover deficiencies in your recovery procedures by using Info-Tech’s blueprint Reduce Costly Downtime Through DR Testing.

    “Operationalize” DRP management

    Inject DR planning in key operational processes to support plan maintenance:

    • Major changes, or multiple routine changes, can materially alter DR capabilities and requirements. It’s not feasible to update the DR plan after every routine change, so leverage criticality tiers in the BIA to focus your change management efforts. Critical systems require more rigorous change procedures.
    • Likewise, you can build criticality tiers into more focused project management and performance measurement processes.
    • Schedule regular tasks in your ticketing system to verify capabilities and cross-train staff on key recovery procedures (e.g. backup and restore).

    Risks and Challenges Mitigated

    • DRP is not updated “as needed” – as requirements and capabilities change due to business and technology changes.
    • The DRP is disconnected from day-to-day operations.
    Sample Outputs
    Reviewed and updated change, project, and performance management processes.
    Reviewed and updated internal SLAs.
    Reviewed and updated data protection and backup procedures.

    Review infrastructure service provider DR capabilities

    Insert DR planning in key operational processes to support plan maintenance:

    • Reviewing vendor DR capabilities is a core IT vendor management competency.
    • As your DR requirements change year-to-year, ensure your vendors’ service commitments still meet your DR requirements.
    • Identify changes in the vendor’s service offerings and DR capabilities, e.g. higher costs for additional DR support, new offerings to reduce potential downtime, or conversely, a degradation in DR capabilities.

    Risks and Challenges Mitigated

    • Vendor capabilities haven’t been measured against business requirements.
    • No internal capability exists currently to assess vendor ability to meet promised SLAs.
    • No internal capability exists to track vendor performance on recoverability.
    Sample Outputs
    A customized vendor DRP questionnaire.
    Reviewed vendor SLAs.
    Choose to keep or change service levels or vendor offerings based on findings.

    Phase 4: Insights and accomplishments

    Screenshot of DRP Maturity Assessment Results

    Identified progress against targets

    Screenshot of prioritized further initiatives.

    Prioritized further initiatives

    Screenshot of DRP Planning Roadmap

    Added initiatives to the roadmap

    Summary of Accomplishments

    • Developed a list of high-priority initiatives that can support the extension and maintenance of the DR plan over the long term.
    • Reviewed and update maturity assessments to establish progress and communicate the value of the DR program.

    Summary of accomplishment

    Knowledge Gained

    • Conduct a BIA to determine appropriate targets for RTOs and RPOs.
    • Identify DR projects required to close RTO/RPO gaps and mitigate risks.
    • Use tabletop planning to create and validate an incident response plan.

    Processes Optimized

    • Your DRP process was optimized, from BIA to documenting an incident response plan.
    • Your vendor evaluation process was optimized to identify and assess a vendor’s ability to meet your DR requirements, and to repeat this evaluation on an annual basis.

    Deliverables Completed

    • DRP Maturity Scorecard
    • DRP Business Impact Analysis Tool
    • DRP Roadmap Tool
    • Incident response plan and systems recovery workflow
    • Executive presentation

    Info-Tech’s insights bust the most obstinate myths of DRP

    Myth #1: DRPs need to focus on major events such as natural disasters and other highly destructive incidents such as fire and flood.

    Reality: The most common threats to service continuity are hardware and software failures, network outages, and power outages.

    Myth #2: Effective DRPs start with identifying and evaluating potential risks.

    Reality: DR isn’t about identifying risks; it’s about ensuring service continuity.

    Myth #3: DRPs are separate from day-to-day operations and incident management.

    Reality: DR must be integrated with service management to ensure service continuity.

    Myth #4: I use a co-lo or cloud services so I don’t have to worry about DR. That’s my vendor’s responsibility.

    Reality: You can’t outsource accountability. You can’t just assume your vendor’s DR capabilities will meet your needs.

    Myth #5: A DRP must include every detail so anyone can execute the recovery.

    Reality: IT DR is not an airplane disaster movie. You aren’t going to ask a business user to execute a system recovery, just like you wouldn’t really want a passenger with no flying experience to land a plane.

    Supplement the core documentation with these tools and templates

    • An Excel workbook workbook to track key roles on DR, business continuity, and emergency response teams. Can also track DR documentation location and any hardware purchases required for DR.
    • A questionnaire template and a response tracking tool to structure your investigation of vendor DR capabilities.
    • Integrate escalation with your DR plan by defining incident severity and escalation rules . Use this example as a template or integrate ideas into your own severity definitions and escalation rules in your incident management procedures.
    • A minute-by-minute time-tracking tool to capture progress in a DR or testing scenario. Monitor progress against objectives in real time as recovery tasks are started and completed.

    Next steps: Related Info-Tech research

    Select the Optimal Disaster Recovery Deployment Model Evaluate cloud, co-lo, and on-premises disaster recovery deployment models.

    Develop a Business Continuity Plan Streamline the traditional approach to make BCP development manageable and repeatable.

    Prepare for a DRP Audit Assess your current DRP maturity, identify required improvements, and complete an audit-ready DRP summary document.

    Document and Maintain Your Disaster Recovery Plan Put your DRP on a diet: keep it fit, trim, and ready for action.

    Reduce Costly Downtime Through DR Testing Improve your DR plan and your team’s ability to execute on it.

    Implement Crisis Management Best Practices An effective crisis response minimizes the impact of a crisis on reputation, profitability, and continuity.

    Research contributors and experts

    • Alan Byrum, Director of Business Continuity, Intellitech
    • Bernard Jones (MBCI, CBCP, CORP, ITILv3), Owner/Principal, B Jones BCP Consulting, LLC
    • Paul Beaudry, Assistant Vice-President, Technical Services, MIS, Richardson International Limited
    • Yogi Schulz, President, Corvelle Consulting

    Glossary

    • Business Continuity Management (BCM) Program: Ongoing management and governance process supported by top management and appropriately resourced to implement and maintain business continuity management. (Source: ISO 22301:2012)
    • Business Continuity Plan (BCP): Documented procedures that guide organizations to respond, recover, resume, and restore to a pre-defined level of operation following disruption. The BCP is not necessarily one document, but a collection of procedures and information.
    • Crisis: A situation with a high level of uncertainty that disrupts the core activities and/or credibility of an organization and requires urgent action. (Source: ISO 22300)
    • Crisis Management Team (CMT): A group of individuals responsible for developing and implementing a comprehensive plan for responding to a disruptive incident. The team consists of a core group of decision makers trained in incident management and prepared to respond to any situation.
    • Disaster Recovery Planning (DRP): The activities associated with the continuing availability and restoration of the IT infrastructure.
    • Incident: An event that has the capacity to lead to loss of, or a disruption to, an organization’s operations, services, or functions – which, if not managed, can escalate into an emergency, crisis, or disaster.
    • BCI Editor’s Note: In most countries “incident” and “crisis” are used interchangeably, but in the UK the term “crisis” has been generally reserved for dealing with wide-area incidents involving Emergency Services. The BCI prefers the use of “incident” for normal BCM purposes. (Source: The Business Continuity Institute)

    • Incident Management Plan: A clearly defined and documented plan of action for use at the time of an incident, typically covering the key personnel, resources, services, and actions needed to implement the incident management process.
    • IT Disaster: A service interruption requiring IT to rebuild a service, restore from backups, or activate redundancy at the backup site.
    • Recovery Point: Time elapsed between the last good copy of the data being taken and failure/corruption on the production environment; think of this as data loss.
    • Recovery Point Actual (RPA): The currently achievable recovery point after a disaster event, given existing people, processes, and technology. This reflects expected maximum data loss that could actually occur in a disaster scenario.
    • Recovery Point Objective (RPO): The target recovery point after a disaster event, usually calculated in hours, on a given system, application, or service. Think of this as acceptable and appropriate data loss. RPO should be based on a business impact analysis (BIA) to identify an acceptable and appropriate recovery target.
    • Recovery Time: Time required to restore a system, application, or service to a functional state; think of this as downtime.
    • Recovery Time Actual (RTA): The currently achievable recovery time after a disaster event, given existing people, processes, and technology. This reflects expected maximum downtime that could actually occur in a disaster scenario.
    • Recovery Time Objective (RTO): The target recovery time after a disaster event for a given system, application, or service. RTO should be based on a business impact analysis (BIA) to identify acceptable and appropriate downtime.

    Bibliography

    BCMpedia. “Recovery Objectives: RTO, RPO, and MTPD.” BCMpedia, n.d. Web.

    Burke, Stephen. “Public Cloud Pitfalls: Microsoft Azure Storage Cluster Loses Power, Puts Spotlight On Private, Hybrid Cloud Advantages.” CRN, 16 Mar. 2017. Web.

    Elliot, Stephen. “DevOps and the Cost of Downtime: Fortune 1000 Best Practice Metrics Quantified.” IDC, 2015. Web.

    FEMA. Planning & Templates. FEMA, 2015. Web.

    FINRA. “Business Continuity Plans and Emergency Contact Information.” FINRA, 2015. Web.

    FINRA. “FINRA, the SEC and CFTC Issue Joint Advisory on Business Continuity Planning.” FINRA, 2013. Web.

    Gosling, Mel, and Andrew Hiles. “Business Continuity Statistics: Where Myth Meets Fact.” Continuity Central, 2009. Web.

    Hanwacker, Linda. “COOP Templates for Success Workbook.” The LSH Group, n.d. Web.

    Homeland Security. Federal Information Security Management Act (FISMA). Homeland Security, 2015. Web.

    Nichols, Shaun. “AWS's S3 Outage Was So Bad Amazon Couldn't Get Into Its Own Dashboard to Warn the World.” The Register, 1 Mar. 2017. Web.

    Potter, Patrick. “BCM Regulatory Alphabet Soup.” RSA Archer Organization, 2012. Web.

    Rothstein, Philip Jan. “Disaster Recovery Testing: Exercising Your Contingency Plan.” Rothstein Associates Inc., 2007. Web.

    The Business Continuity Institute. “The Good Practice Guidelines.” The Business Continuity Institute, 2013. Web.

    The Disaster Recovery Journal. “Disaster Resource Guide.” The Disaster Recovery Journal, 2015. Web.

    The Disaster Recovery Journal. “DR Rules & Regulations.” The Disaster Recovery Journal, 2015. Web.

    The Federal Financial Institution Examination Council (FFIEC). Business Continuity Planning. IT Examination Handbook InfoBase, 2015. Web.

    York, Kyle. “Read Dyn’s Statement on the 10/21/2016 DNS DDoS Attack.” Oracle, 22 Oct. 2016. Web.

    IT Governance

    • Buy Link or Shortcode: {j2store}22|cart{/j2store}
    • Related Products: {j2store}22|crosssells{/j2store}
    • Up-Sell: {j2store}22|upsells{/j2store}
    • member rating overall impact: 9.2/10
    • member rating average dollars saved: $124,127
    • member rating average days saved: 37
    • Parent Category Name: Strategy and Governance
    • Parent Category Link: /strategy-and-governance
    Read our concise Executive Brief to find out why you may want to redesign your IT governance, Review our methodology, and understand how we can support you in completing this process.

    Get Started With Customer Advocacy

    • Buy Link or Shortcode: {j2store}565|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Marketing Solutions
    • Parent Category Link: /marketing-solutions

    Getting started with customer advocacy (CA) is no easy task. Many customer success professionals carry out ad hoc customer advocacy activities to address immediate needs but lack a more strategic approach.

    Our Advice

    Critical Insight

    • Customer success leaders must reposition their CA program around growth; the recognition that customer advocacy is a strategic growth initiative is necessary to succeed in today’s competitive market.
    • Get key stakeholders on board early – especially Sales!
    • Always link your CA efforts back to retention and growth.
    • Make building genuine relationships with your advocates the cornerstone of your CA program.

    Impact and Result

    • Enable the organization to identify and develop meaningful relationships with top customers and advocates.
    • Understand the concepts and benefits of CA and how CA can be used to improve marketing and sales and fuel growth and competitiveness.
    • Follow SoftwareReviews’ methodology to identify where to start to apply CA within the organization.
    • Develop a customer advocacy proof of concept/pilot program to gain stakeholder approval and funding to get started with or expand efforts around customer advocacy.

    Get Started With Customer Advocacy Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Get Started With Customer Advocacy Executive Brief – An overview of why customer advocacy is critical to your organization and the recommended approach for getting started with a pilot program.

    Understand the strategic benefits and process for building a formal customer advocacy program. To be successful, you must reposition CA as a strategic growth initiative and continually link any CA efforts back to growth.

    • Get Started With Customer Advocacy Storyboard

    2. Define Your Advocacy Requirements – Assess your current customer advocacy efforts, identify gaps, and define your program requirements.

    With the assessment tool and steps outlined in the storyboard, you will be able to understand the gaps and pain points, where and how to improve your efforts, and how to establish program requirements.

    • Customer Advocacy Maturity Assessment Tool

    3. Win Executive Approval and Launch Pilot – Develop goals, success metrics, and timelines, and gain approval for your customer advocacy pilot.

    Align on pilot goals, key milestones, and program elements using the template and storyboard to effectively communicate with stakeholders and gain executive buy-in for your customer advocacy pilot.

    • Get Started With Customer Advocacy Executive Presentation Template

    Infographic

    Further reading

    Get Started With Customer Advocacy

    Develop a customer advocacy program to transform customer satisfaction into revenue growth.

    EXECUTIVE BRIEF

    Analyst perspective

    Customer advocacy is critical to driving revenue growth

    The image contains a picture of Emily Wright.

    Customer advocacy puts the customer at the center of everything your organization does. By cultivating a deep understanding of customer needs and how they define value and by delivering positive experiences throughout the customer journey, organizations inspire and empower customers to become evangelists for their brands or products. Both the client and solution provider enjoy satisfying and ongoing business outcomes as a result.

    Focusing on customer advocacy is critical for software solutions providers. Business-to-business (B2B) buyers are increasingly looking to their peers and third-party resources to arm themselves with information on solutions they feel they can trust before they choose to engage with solution providers. Your satisfied customers are now your most trusted and powerful resource.

    Customer advocacy helps build strong relationships with your customers, nurtures brand advocacy, gives your marketing messaging credibility, and differentiates your company from the competition; it’s critical to driving revenue growth. Companies that develop mature advocacy programs can increase Customer Lifetime Value (CLV) by 16% (Wharton Business School, 2009), increase customer retention by 35% (Deloitte, 2011), and give themselves a strong competitive advantage in an increasingly competitive marketplace.

    Emily Wright
    Senior Research Analyst, Advisory
    SoftwareReviews

    Executive summary

    Your Challenge

    Ad hoc customer advocacy (CA) efforts and reference programs, while still useful, are not enough to drive growth. Providers increase their chance for success by assessing if they face the following challenges:

    • Lack of referenceable customers that can turn into passionate advocates, or a limited pool that is at risk of burnout.
    • Lack of references for all key customer types, verticals, etc., especially in new growth segments or those that are hard to recruit.
    • Lack of a consistent program for gathering customer feedback and input to make improvements and increase customer satisfaction.
    • Lack of executive and stakeholder (e.g. Sales, Customer Success, channel partners, etc.) buy-in for the importance and value of customer advocacy.

    Building a strong customer advocacy program must be a high priority for customer service/success leaders in today’s highly competitive software markets.

    Common Obstacles

    Getting started with customer advocacy is no easy task. Many customer success professionals carry out ad hoc customer advocacy activities to address immediate needs but lack a more strategic approach. What separates them from success are several nagging obstacles:

    • Efforts lack funding and buy-in from stakeholders.
    • Senior management doesn’t fully understand the business value of a customer advocacy program.
    • Duplicate efforts are taking place between Sales, Marketing, product teams, etc., because ownership, roles, and responsibilities have not been determined.
    • Relationships are guarded/hoarded by those who feel they own the relationship (e.g. Sales, Customer Success, channel partners, etc.).
    • Customer-facing staff often lack the necessary skills to foster customer advocacy.

    SoftwareReviews’ Approach

    This blueprint will help leaders of customer advocacy programs get started with developing a formalized pilot program that will demonstrate the value of customer advocacy and lay a strong foundation to justify rollout. Through SoftwareReviews’ approach, customer advocacy leaders will:

    • Enable the organization to identify and develop meaningful relationships with top customers and advocates.
    • Understand the concepts and benefits of CA and how CA can be used to improve marketing and sales and fuel growth and competitiveness.
    • Follow SoftwareReviews’ methodology to identify where to start to apply CA within the organization.
    • Develop a customer advocacy proof of concept/pilot program to gain stakeholder approval and funding to get started with or expand efforts around customer advocacy.

    What is customer advocacy?

    “Customer advocacy is the act of putting customer needs first and working to deliver solution-based assistance through your products and services." – Testimonial Hero, 2021

    Customer advocacy is designed to keep customers loyal through customer engagement and advocacy marketing campaigns. Successful customer advocacy leaders experience decreased churn while increasing return on investment (ROI) through retention, acquisition, and cost savings.

    Businesses that implement customer advocacy throughout their organizations find new ways of supporting customers, provide additional customer value, and ensure their brands stand unique among the competition.

    Customer Advocacy Is…

    • An integral part of any marketing and/or business strategy.
    • Essential to improving and maintaining high levels of customer satisfaction.
    • Focused on delivering value to customers.
    • Not only a set of actions, but a mindset that should be fostered and reinforced through a customer-centric culture.
    • Mutually beneficial relationships for both company and customer.

    Customer Advocacy Is Not…

    • Only referrals and testimonials.
    • Solely about what you can get from your advocates.
    • Brand advocacy. Brand advocacy is the desired outcome of customer advocacy.
    • Transactional. Brand advocates must be engaged.
    • A nice-to-have.
    • Solved entirely by software. Think about what you want to achieve and how a software solution can you help you reach those goals.

    SoftwareReviews Insight

    Customer advocacy has evolved into being a valued company asset versus a simple referral program – success requires an organization-wide customer-first mindset and the recognition that customer advocacy is a strategic growth initiative necessary to succeed in today’s competitive market.

    Customer advocacy: Essential to high retention

    When customers advocate for your company and products, they are eager to retain the value they receive

    • Customer acts of advocacy correlate to high retention.
    • Acts of advocacy won’t happen unless customers feel their interests are placed ahead of your company’s, thereby increasing satisfaction and customer success. That’s the definition of a customer-centric culture.
    • And yet your company does receive significant benefits from customer advocacy:
      • When customers advocate and renew, your costs go down and margins rise because it costs less to keep a happy customer than it does to bring a new customer onboard.
      • When renewal rates are high, customer lifetime value increases, also increasing profitability.

    Acquiring a new customer can cost five times more than retaining an existing customer (Huify, 2018).

    Increasing customer retention by 5% can increase profits by 25% to 95% (Bain & Company, cited in Harvard Business Review, 2014).

    SoftwareReviews Insight

    Don’t overlook the value of customer advocacy to retention! Despite the common knowledge that it’s far easier and cheaper to sell to an existing customer than to sell to a new prospect, most companies fail to leverage their customer advocacy programs and continue to put pressure on Marketing to focus their budgets on customer acquisition.

    Customer advocacy can also be your ultimate growth strategy

    In your marketing and sales messaging, acts of advocacy serve as excellent proof points for value delivered.

    Forty-five percent of businesses rank online reviews as a top source of information for selecting software during this (top of funnel) stage, followed closely by recommendations and referrals at 42%. These sources are topped only by company websites at 54% (Clutch, 2020).

    With referrals coming from customer advocates to prospects via your lead gen engine and through seller talk tracks, customer advocacy is central to sales, marketing, and customer experience success.

    ✓ Advocates can help your new customers learn your solution and ensure higher adoption and satisfaction.
    ✓ Advocates can provide valuable, honest feedback on new updates and features.

    The image contains a picture to demonstrate the cycle of customer advocacy. The image has four circles, with one big circle in the middle and three circles surrounding with arrows pointing in both directions in between them. The middle circle is labelled customer advocacy. The three circles are labelled: sales, customer success, marketing.

    “A customer advocacy program is not just a fancy buzz word or a marketing tool that’s nice to have. It’s a core discipline that every major brand needs to integrate into their overall marketing, sales and customer success strategies if they expect to survive in this trust economy. Customer advocacy arguably is the common asset that runs throughout all marketing, sales and customer success activities regardless of the stage of the buyer’s journey and ties it all together.” – RO Innovation, 2017

    Positive experience drives acts of advocacy

    More than price or product, experience now leads the way in customer advocacy and retention

    Advocacy happens when customers recommend your product. Our research shows that the biggest drivers of likeliness to recommend and acts of customer advocacy are the positive experiences customers have with vendors and their products, not product features or cost savings. Customers want to feel that:

    1. Their productivity and performance is enhanced and the vendor is helping them to innovate and grow as a company.
    2. Their vendor inspires them and helps them to continually improve.
    3. They can rely on the vendor and the product they purchased.
    4. They are respected by the vendor.
    5. They can trust that the vendor will be on their side and save them time.

    The image contains a graph to demonstrate the correlation of likeliness to recommend a satisfaction driver. Where anything above a 0.5 indicates a strong driver of satisfaction.

    Note that anything above 0.5 indicates a strong driver of satisfaction.
    Source: SoftwareReviews buyer reviews (based on 82,560 unique reviews).

    SoftwareReviews Insight

    True customer satisfaction comes from helping customers innovate, enhancing their performance, inspiring them to continually improve, and being reliable, respectful, trustworthy, and conscious of their time. These true drivers of satisfaction should be considered in your customer advocacy and retention efforts. The experience customers have with your product and brand is what will differentiate your brand from competitors, drive advocacy, and ultimately, power business growth. Talk to a SoftwareReviews advisor to learn how users rate your product on these satisfaction drivers in the SoftwareReviews Emotional Footprint Report.

    Yet challenges exist for customer advocacy program leaders

    Customer success leaders without a strong customer advocacy program feel numerous avoidable pains:

    • Lack of compelling stories and proof points for the sales team, causing long sales cycles.
    • Heavy reliance on a small pool of worn-out references.
    • Lack of references for all needed customer types, verticals, etc.
    • Lack of a reliable customer feedback process for solution improvements.
    • Overspending on acquiring new customers due to a lack of customer proof points.
    • Missed opportunities that could grow the business (customer lifetime value, upsell/cross-sell, etc.).

    Marketing, customer success, and sales teams experiencing any one of the above challenges must consider getting started with a more formalized customer advocacy program.

    Obstacles to customer advocacy programs

    Leaders must overcome several barriers in developing a customer advocacy program:

    • Stakeholders are often unclear on the value customer advocacy programs can bring and require proof of benefits to invest.
    • Efforts are duplicated among sales, marketing, product, and customer success teams, given ownership and collaboration practices are ill-defined or nonexistent.
    • There is a culture of guarding or hoarding customer relationships by those who feel they own the relationship, or there’s high turnover among employees who own the customer relationships.
    • The governance, technology, people, skills, and/or processes to take customer advocacy to the next level are lacking.
    • Leaders don’t know where to start with customer advocacy, what needs to be improved, or what to focus on first.

    A lack of customer centricity hurts organizations

    12% of people believe when a company says they put customers first. (Source: HubSpot, 2019)

    Brands struggle to follow through on brand promises, and a mismatch between expectations and lived experience emerges. Customer advocacy can help close this gap and help companies live up to their customer-first messaging.

    42% of companies don’t conduct any customer surveys or collect feedback. (Source: HubSpot, 2019)

    Too many companies are not truly listening to their customers. Companies that don’t collect feedback aren’t going to know what to change to improve customer satisfaction. Customer advocacy will orient companies around their customer and create a reliable feedback loop that informs product and service enhancements.

    Customer advocacy is no longer a nice-to-have but a necessity for solution providers

    B2B buyers increasingly turn to peers to learn about solutions:

    “84% of B2B decision makers start the buying process with a referral.” (Source: Influitive, Gainsight & Pendo, 2020)

    “46% of B2B buyers rely on customer references for information before purchasing.” (Source: RO Innovation, 2017)

    “91% of B2B purchasers’ buying decisions are influenced by word-of-mouth recommendations.” (Source: ReferralRock, 2022)

    “76% of individuals admit that they’re more likely to trust content shared by ‘normal’ people than content shared by brands.” (Source: TrustPilot, 2020)

    By ignoring the importance of customer advocacy, companies and brands are risking stagnation and missing out on opportunities to gain competitive advantage and achieve growth.

    Getting Started With Customer Advocacy: SoftwareReviews' Approach

    1 BUILD
    Build the business case
    Identify your key stakeholders, steering committee, and working team, understand key customer advocacy principles, and note success barriers and ways to overcome them as your first steps.

    2 DEVELOP
    Develop your advocacy requirements
    Assess your current customer advocacy maturity, identify gaps in your current efforts, and develop your ideal advocate profile.

    3 WIN
    Win executive approval and implement pilot
    Determine goals and success metrics for the pilot, establish a timeline and key project milestones, create advocate communication materials, and finally gain executive buy-in and implement the pilot.

    SoftwareReviews Insight
    Building and implementing a customer advocacy pilot will help lay the foundation for a full program and demonstrate to executives and key stakeholders the impact on revenue, retention, and CLV that can be achieved through coordinated and well-planned customer advocacy efforts.

    Customer advocacy benefits

    Our research benefits customer advocacy program managers by enabling them to:

    • Explain why having a centralized, proactive customer advocacy program is important.
    • Clearly communicate the benefits and business case for having a formalized customer advocacy program.
    • Develop a customer advocacy pilot to provide a proof of concept (POC) and demonstrate the value of customer advocacy.
    • Assess the maturity of your current customer advocacy efforts and identify what to improve and how to improve to grow your customer advocacy function.

    "Advocacy is the currency for business and the fuel for explosive growth. Successful marketing executives who understand this make advocacy programs an essential part of their go-to-market strategy. They also know that advocacy isn't something you simply 'turn on': ... ultimately, it's about making human connections and building relationships that have enduring value for everyone involved."
    - Dan Cote, Influitive, Dec. 2021

    Case Study: Advocate impact on sales at Genesys

    Genesys' Goal

    Provide sales team with compelling customer reviews, quotes, stories, videos, and references.

    Approach to Advocacy

    • Customers were able to share their stories through Genesys' customer hub GCAP as quotes, reviews, etc., and could sign up to host reference forum sessions for prospective customers.
    • Content was developed that demonstrated ROI with using Genesys' solutions, including "top-tier logos, inspiring quotes, and reference forums featuring some of their top advocates" (Influitive, 2021).
    • Leveraged customer advocacy-specific software solution integration with the CRM to easily identify reference recommendations for Sales.

    Advocate Impact on Sales

    According to Influitive (2021), the impacts were:

    • 386% increase in revenue influences from references calls
    • 82% of revenue has been influence by reference calls
    • 78 reference calls resulted in closed-won opportunities
    • 250 customers and prospects attended 7 reference forums
    • 112 reference slides created for sales enablement
    • 100+ quotes were collect and transformed into 78 quote slides

    Who benefits from getting started with customer advocacy?

    This Research Is Designed for:

    • Customer advocacy leaders and marketers who are looking to:
      • Take a more strategic, proactive, and structured approach to customer advocacy.
      • Find a more effective and reliable way to gather customer feedback and input on products and services.
      • Develop and nurture a customer-oriented mindset throughout the organization.
      • Improve marketing credibility both within the company and outside to prospective customers.

    This Research Will Help You:

    • Explain why having a centralized, proactive customer advocacy program is important.
    • Clearly communicate the benefits and business case for having a formalized customer advocacy program.
    • Develop a customer advocacy pilot to provide a proof of concept (POC) and demonstrate the value of customer advocacy.
    • Assess the maturity of your current customer advocacy efforts and identify what to improve and how to improve to grow your customer advocacy function.

    This Research Will Also Assist:

    • Customer success leaders and sales directors who are responsible for:
      • Gathering customer references and testimonials.
      • Referral or voice of the customer (VoC) programs.

    This Research Will Help Them:

    • Align stakeholders on an overall program of identifying ideal advocates.
    • Coordinate customer advocacy efforts and actions.
    • Gather and make use of customer feedback to improve products, solutions, and service provided.
    • Provide an amazing customer experience throughout the entirety of the customer journey.

    SoftwareReviews’ methodology for getting started with customer advocacy

    Phase Steps

    1. Build the business case

    1. Identify your key stakeholders, steering committee, and working team
    2. Understand the concepts and benefits of customer advocacy as they apply to your organization
    3. Outline barriers to success, risks, and risk mitigation tactics

    2. Develop your advocacy requirements

    1. Assess your customer advocacy maturity using the SoftwareReviews CA Maturity Assessment Tool
    2. Identify gaps/pains in current CA efforts and add tasks to your action plan
    3. Develop ideal advocate profile/identify target advocate segment(s)

    3. Create implementation plan and pitch CA pilot

    1. Determine pilot goals and success metrics
    2. Establish timeline and create advocate communication materials
    3. Gain executive buy-in and implement pilot

    Phase Outcomes

    1. Common understanding of CA concepts and benefits
    2. Buy-in from CEO and head of Sales
    3. List of opportunities, risks, and risk mitigation tactics
    1. Identification of gaps in current customer advocacy efforts and/or activities
    2. Understanding customer advocacy readiness
    3. Identification of ideal advocate profile/target segment
    4. Basic actions to bridge gaps in CA efforts
    1. Clear objective for CA pilot
    2. Key metrics for program success
    3. Pilot timelines and milestones
    4. Executive presentation with business case for CA

    Insight summary

    Customer advocacy is a critical strategic growth initiative
    Customer advocacy (CA) has evolved into being a highly valued company asset as opposed to a simple referral program, but not everyone in the organization sees it that way. Customer success leaders must reposition their CA program around growth instead of focusing solely on retention and communicate this to key stakeholders. The recognition that customer advocacy is a strategic growth initiative is necessary to succeed in today’s competitive market.

    Get key stakeholders on board early – especially Sales!
    Work to bring the CEO and the head of Sales on your side early. Sales is the gatekeeper – they need to open the door to customers to turn them into advocates. Clearly reposition CA for growth and communicate that to the CEO and head of Sales; wider buy-in will follow.

    Identify the highest priority segment for generating acts of advocacy
    By focusing on the highest priority segment, you accomplish a number of things: generating growth in a critical customer segment, proving the value of customer advocacy to key stakeholders (especially Sales), and setting a strong foundation for customer advocacy to build upon and expand the program out to other segments.

    Always link your CA efforts back to retention and growth
    By clearly demonstrating the impact that customer advocacy has on not only retention but also overall growth, marketers will gain buy-in from key stakeholders, secure funding for a full CA program, and gain the resources needed to expand customer advocacy efforts.

    Focus on providing value to advocates
    Many organizations take a transactional approach to customer advocacy, focusing on what their advocates can do for them. To truly succeed with CA, focus on providing your advocates with value first and put them in the spotlight.

    Make building genuine relationships with your advocates the cornerstone of your CA program
    "57% of small businesses say that having a relationship with their consumers is the primary driver of repeat business" (Factory360).

    Guided Implementation

    What does our GI on getting started with building customer advocacy look like?

    Build the Business Case

    Call #1: Identify key stakeholders. Map out motivations and anticipate any concerns or objections. Determine steering committee and working team. Plan next call – 1 week.

    Call #2: Discuss concepts and benefits of customer advocacy as they apply to organizational goals. Plan next call – 1 week.

    Call #3: Discuss barriers to success, risks, and risk mitigation tactics. Plan next call – 1 week.

    Call #4: Finalize CA goals, opportunities, and risks and develop business case. Plan next call – 2 weeks.

    Develop Your Advocacy Requirements

    Call #5: Review the SoftwareReviews CA Maturity Assessment Tool. Assess your current level of customer advocacy maturity. Plan next call – 1 week.

    Call #6: Review gaps and pains in current CA efforts. Discuss tactics and possible CA pilot program goals. Begin adding tasks to action plan. Plan next call – 2 weeks.

    Call #7: Discuss ideal advocate profile and target segments. Plan next call – 2 weeks.

    Call #8: Validate and finalize ideal advocate profile. Plan next call – 1 week.

    Win Executive Approval and Implement Pilot

    Call #9: Discuss CA pilot scope. Discuss performance metrics and KPIs. Plan next call – 3 days.

    Call #10: Determine timeline and key milestones. Plan next call –2 weeks.

    Call #11: Develop advocate communication materials. Plan next call – 3 days.

    Call #12: Review final business case and coach on executive presentation. Plan next call – 1 week.

    A Guided Implementation (GI) is series of calls with a SoftwareReviews Advisory analyst to help implement our best practices in your organization. For guidance on marketing applications, we can arrange a discussion with an Info-Tech analyst. Your engagement managers will work with you to schedule analyst calls.


    Customer Advocacy Workshop

    Pre-Workshop Day 1 Day 2 Day 3 Day 4 Day 5 Post-Workshop
    Activities Identify Stakeholders & CA Pilot Team Build the Business Case Assess Current CA Efforts Develop Advocacy Goals & Ideal Advocate Profile Develop Project Timelines, Materials, and Exec Presentation Next Steps and Wrap-Up (offsite) Pitch CA Pilot
    0.1 Identify key stakeholders to involve in customer advocacy pilot and workshop; understand their motivations and anticipate possible concerns. 1.1 Review key CA concepts and identify benefits of CA for the organization.
    1.2 Outline barriers to success, risks, and risk mitigation tactics.
    2.1 Assess your customer advocacy maturity using the SoftwareReviews CA Maturity Assessment Tool.
    2.2 Identify gaps/pains in current CA efforts.
    2.3 Prioritize gaps from diagnostic and any other critical pain points.
    3.1 Identify and document the ideal advocate profile and target customer segment for pilot.
    3.2 Determine goal(s) and success metrics for program pilot.
    4.1 Develop pilot timelines and key milestones.
    4.2 Outline materials needed and possible messaging.
    4.3 Build the executive buy-in presentation.
    5.1 Complete in-progress deliverables from the previous four days. 6.1 Present to executive team and stakeholders.
    6.2 Gain executive buy-in and key stakeholder approval.
    6.3 Execute CA pilot.
    Deliverables
    1. Rationale for CA pilot; clear benefits, and how they apply to the organization.
    2. Documented barriers to success, risks, and risk mitigation tactics.
    1. CA Maturity Assessment results.
    2. Identification of gaps in current customer advocacy efforts and/or activities.
    1. Documented ideal advocate profile/target customer segment.
    2. Clear goal(s) and success metrics for CA pilot.
    1. Documented pilot timelines and key milestones.
    2. Draft/outlines of advocate materials.
    3. Draft executive presentation with business case for CA.
    1. Finalized implementation plan for CA pilot.
    2. Finalized executive presentation with business case for CA.
    1. Buy-in from decision makers and key stakeholders.

    Contact your account representative for more information.
    workshops@infotech.com
    1-888-670-8889

    Get started!

    Know your target market and audience, deploy well-designed strategies based on shared values, and make meaningful connections with people.

    Phase 1
    Build the Business Case

    Phase 2
    Develop Your Advocacy Requirements

    Phase 3
    Win Executive Approval and Implement Pilot

    Phase 1: Build the Business Case

    Steps
    1.1 Identify your key stakeholders, steering committee, and working team
    1.2 Understand the concepts and benefits of customer advocacy as they apply to your organization
    1.3 Outline barriers to success, risks, and risk mitigation tactics

    Phase Outcome

    • Common understanding of CA concepts and benefits
    • Buy-in from CEO and head of Sales
    • List of barriers to success, risks, and risk mitigation tactics

    Build the business case

    Step 1.1 Identify your key stakeholders, steering committee, and working team

    Total duration: 2.5-8.0 hours

    Objective
    Identify, document, and finalize your key stakeholders to know who to involve and how to get them onboard by truly understanding the forces of influence.

    Output

    • Robust stakeholder list with key stakeholders identified.
    • Steering committee and working team decided.

    Participants

    • Customer advocacy lead
    • Identified stakeholders
    • Workstream leads

    MarTech
    None

    Tools

    1.1.1 Identify Stakeholders
    (60-120 min.)

    Identify
    Using the guidance on slide 28, identify all stakeholders who would be involved or impacted by your customer advocacy pilot by entering names and titles into columns A and B on slide 27 "Stakeholder List Worksheet."

    Document
    Document as much information about each stakeholder as possible in columns C, D, E, and F into the table on slide 27.

    1.1.2 Select Steering Committee & Working Team
    (60-90 min.)

    Select
    Using the guidance on slides 28 and 29 and the information collected in the table on slide 27, identify the stakeholders that are steering committee members, functional workstream leads, or operations; document in column G on slide 27.

    Document
    Open the Executive Presentation Template to slides 5 and 6 and document your final steering committee and working team selections. Be sure to note the Executive Sponsor and Program Manager on slide 5.

    Tips & Reminders

    1. It is critical to identify "key stakeholders"; a single missed key stakeholder can disrupt an initiative. A good way to ensure that nobody is missed is to first uncover as many stakeholders as possible and later decide how important they are.
    2. Ensure steering committee representation from each department this initiative would impact or that may need to be involved in decision-making or problem-solving endeavors.

    Consult Info-Tech's Manage Stakeholder Relations blueprint for additional guidance on identifying and managing stakeholders, or contact one of our analysts for more personalized assistance and guidance.

    Stakeholder List Worksheet

    *Possible Roles
    Executive Sponsor
    Program Manager
    Workstream Lead
    Functional Lead
    Steering Committee
    Operations
    A B C D E F G
    Name Position Decision Involvement
    (Driver / Approver / Contributor / Informe
    Direct Benefit?
    (Yes / No)
    Motivation Concerns *Role in Customer Advocacy Pilot
    E.g. Jane Doe VP, Customer Success A N
    • Increase customer retention
    • Customer advocate burnout
    Workstream Lead

    Customer advocacy stakeholders

    What to consider when identifying stakeholders required for CA:
    Customer advocacy should be done as a part of a cross-functional company initiative. When identifying stakeholders, consider:

    • Who can make the ultimate decision on approving the CA program?
    • Who are the senior leadership members you need buy-in from?
    • Who do you need to support the CA program?
    • Who is affected by the CA program?
    • Who will help you build the CA program?
    • Where and among who is there enthusiasm for customer advocacy?
    • Consider stakeholders from Customer Success, Marketing, Sales, Product, PR & Social, etc.
    Key Roles Supporting an Effective Customer Advocacy Pilot
    Executive Sponsor
    • Owns the function at the management/C-suite level
    • Responsible for breaking down barriers and ensuring alignment with organizational strategy
    • CMO, VP of Marketing, and in SMB providers, the CEO
    Program Manager
    • Typically, a senior member of the marketing team
    • Responsible for organizing the customer advocacy pilot, preparing summary executive-level communications, and approval requests
    • Program manages the customer advocacy pilot, and in many cases, the continued formal program
    • Product Marketing Director, or other Marketing Director, who has strong program management skills, has run large-scale marketing or product programs, and is familiar with the stakeholder roles and enabling technologies
    Functional / Workstream Leads
    • Works alongside the Program Manager on planning and implementing the customer advocacy pilot and ensures functional workstreams are aligned with pilot objectives
    • Typical customer advocacy pilots will have a team comprised of representatives from Marketing, Sales, and Customer Success
    Steering Committee
    • Comprised of C-suite/management-level individuals that guide key decisions, approve requests, and mitigate any functional conflicts
    • Responsible for validating goals and priorities, enabling adequate resourcing, and critical decision making
    • CMO, CRO/Head of Sales, Head of Customer Success
    Operations
    • Comprised of individuals whose application and tech tools knowledge and skills support integration of customer advocacy functions into existing tech stack/CRM (e.g. adding custom fields into CRM)
    • Responsible for helping select technology that enables customer advocacy program activities
    • CRM, Marketing Applications, and Analytics Managers, IT Managers

    Customer advocacy working team

    Consider the skills and knowledge required for planning and executing a customer advocacy pilot.

    Workstream leads should have strong project management and collaboration skills and deep understanding of both product and customers (persona, journeys, satisfaction, etc.).

    Required Skills Suggested Functions
    • Project management
    • CRM knowledge
    • Marketing automation experience
    • MarTech knowledge
    • Understanding of buyer persona and journey
    • Product knowledge
    • Understanding of executive-level goals for the pilot
    • Content creation
    • Customer advocacy experience, if possible
    • Customer satisfaction
    • Email and event marketing experience
    • Customer Success
    • Marketing
    • Sales
    • Product
    • PR/Corporate Comms.

    Build the business case

    Step 1.2 Understand key concepts and benefits of customer advocacy

    Total duration: 2.0-4.0 hours

    Objective
    Understand customer advocacy and what benefits you seek from your customer advocacy program, and get set up to best communicate them to executives and decision makers.

    Output

    • Documented customer advocacy benefits

    Participants

    • Customer advocacy lead

    MarTech
    None

    Tools

    1.2.1 Discuss Key Concepts
    (60-120 min.)

    Envision
    Schedule a visioning session with key stakeholders and share the Get Started With Customer Advocacy Executive Brief (slides 3-23 in this deck).

    Discuss how key customer advocacy concepts can apply to your organization and how CA can contribute to organizational growth.

    Document
    Determine the top benefits sought from the customer advocacy program pilot and record them on slides 4 and 12 in the Executive Presentation Template.

    Finalize
    Work with the Executive Sponsor to finalize the "Message from the CMO" on slide 4 in the Executive Presentation Template.

    Tips & Reminders

    Keep in mind that while we're starting off broadly, the pilot for your customer advocacy program should be narrow and focused in scope.

    Build the business case

    Step 1.3 Understand barriers to success, risks, and risk mitigation tactics

    Total duration: 2.0-8.0 hours

    Objective
    Anticipate threats to pilot success; identify barriers to success, any possible risks, and what can be done to reduce the chances of a negative pilot outcome.

    Output

    • Awareness of barriers
    • Tactics to mitigate risk

    Participants

    • Customer advocacy lead
    • Key stakeholders

    MarTech
    None

    Tools

    1.3.1 Brainstorm Barriers to Success & Possible Risks
    (60-120 min.)

    Identify
    Using slide 7 of the Executive Presentation Template, brainstorm any barriers to success that may exist and risks to the customer advocacy program pilot success. Consider the people, processes, and technology that may be required.

    Document
    Document all information on slide 7 of the Executive Presentation Template.

    1.3.2 Develop Risk Mitigation Tactics
    (60-300 min.)

    Develop
    Brainstorm different ways to address any of the identified barriers to success and reduce any risks. Consider the people, processes, and technology that may be required.

    Document
    Document all risk mitigation tactics on slide 7 of the Executive Presentation Template.

    Tips & Reminders
    There are several types of risk to explore. Consider the following when brainstorming possible risks:

    • Damage to brand (if advocate guidance not provided)
    • Legal (compliance with regulations and laws around contact, incentives, etc.)
    • Advocate burnout
    • Negative advocate feedback

    Phase 2: Develop Your Advocacy Requirements

    Steps
    2.1 Assess your customer advocacy maturity
    2.2 Identify and document gaps and pain points
    2.3 Develop your ideal advocate profile

    Phase Outcome

    • Identification of gaps in current customer advocacy efforts or activities
    • Understanding of customer advocacy readiness and maturity
    • Identification of ideal advocate profile/target segment
    • Basic actions to bridge gaps in CA efforts

    Develop your advocacy requirements

    Step 2.1 Assess your customer advocacy maturity

    Total duration: 2.0-8.0 hours

    Objective
    Use the Customer Advocacy Maturity Assessment Tool to understand your organization's current level of customer advocacy maturity and what to prioritize in the program pilot.

    Output

    • Current level of customer advocacy maturity
    • Know areas to focus on in program pilot

    Participants

    • Customer advocacy lead
    • Key stakeholders

    MarTech
    None

    Tools

    2.1.1 Diagnose Current Customer Advocacy Maturity
    (60-120 min.)

    Diagnose
    Begin on tab 1 of the Customer Advocacy Maturity Assessment Tool and read all instructions.

    Navigate to tab 2. Considering the current state of customer advocacy efforts, answer the diagnostic questions in the Diagnostic tab of the Customer Advocacy Maturity Assessment Tool.

    After completing the questions, you will receive a diagnostic result on tab 3 that will identify areas of strength and weakness and make high-level recommendations for your customer advocacy program pilot.

    2.1.2 Discuss Results
    (60-300 min.)

    Discuss
    Schedule a call to discuss your customer advocacy maturity diagnostic results with a SoftwareReviews Advisor.

    Prioritize the recommendations from the diagnostic, noting which will be included in the program pilot and which require funding and resources to advance.

    Transfer
    Transfer results into slides 8 and 11 of the Executive Presentation Template.

    Tips & Reminders
    Complete the diagnostic with a handful of key stakeholders identified in the previous phase. This will help provide a more balanced and accurate assessment of your organization’s current level of customer advocacy maturity.

    Develop your advocacy requirements

    Step 2.2 Identify and document gaps and pain points

    Total duration: 2.5-8.0 hours

    Objective
    Understand the current pain points within key customer-related processes and within any current customer advocacy efforts taking place.

    Output

    • Prioritized list of pain points that could be addressed by a customer advocacy program.

    Participants

    • Customer advocacy lead
    • Key stakeholders

    MarTech
    None

    Tools

    2.2.1 Identify Pain Points
    (60-120 min.)

    Identify
    Identify and list current pain points being experienced around customer advocacy efforts and processes around sales, marketing, customer success, and product feedback.

    Add any gaps identified in the diagnostic to the list.

    Transfer
    Transfer key information into slide 9 of Executive Presentation Template.

    2.2.2 Prioritize Pain Points
    (60-300 min.)

    Prioritize
    Indicate which pains are the most important and that a customer advocacy program could help improve.

    Schedule a call to discuss the outputs of this step with a SoftwareReviews Advisor.

    Document
    Document priorities on slide 9 of Executive Presentation Template.

    Tips & Reminders

    Customer advocacy won't solve for everything; it's important to be clear about what pain points can and can't be addressed through a customer advocacy program.

    Develop your advocacy requirements

    Step 2.3 Develop your ideal advocate profile

    Total duration: 3.0-9.0 hours

    Objective
    Develop an ideal advocate persona profile that can be used to identify potential advocates, guide campaign messaging, and facilitate advocate engagement.

    Output

    • Ideal advocate persona profile

    Participants

    • Customer advocacy lead
    • Key stakeholders
    • Sales lead
    • Marketing lead
    • Customer Success lead
    • Product lead

    MarTech
    May require the use of:

    • CRM or marketing automation platform
    • Available and up-to-date customer database

    Tools

    2.3.1 Brainstorm Session Around Ideal Advocate Persona
    (60-150 min.)

    Brainstorm
    Lead the team to prioritize an initial, single, most important persona and to collaborate to complete the template.

    Choose your ideal advocate for the pilot based on your most important audience. Start with firmographics like company size, industry, and geography.

    Next, consider satisfaction levels and behavioral attributes, such as renewals, engagement, usage, and satisfaction scores.

    Identify motivations and possible incentives for advocate activities.

    Document
    Use slide 10 of the Executive Presentation Template to complete this exercise.

    2.3.2 Review and Refine Advocate Persona
    (60-300 min.)

    Review & Refine
    Place the Executive Presentation Template in a shared drive for team collaboration. Encourage the team to share persona knowledge within the shared drive version.

    Hold any necessary follow-up sessions to further refine persona.

    Validate
    Interview advocates that best represent your ideal advocate profile on their type of preferred involvement with your company, their role and needs when it comes to your solution, ways they'd be willing to advocate, and rewards sought.

    Confirm
    Incorporate feedback and inputs into slide 10 of the Executive Presentation Template. Ensure everyone agrees on persona developed.

    Tips & Reminders

    1. When identifying potential advocates, choose based on your most important audience.
    2. Ensure you're selecting those with the highest satisfaction scores.
    3. Ideally, select candidates that have, on their own, advocated previously such as in social posts, who may have acted as a reference, or who have been highly visible as a positive influence at customer events.
    4. Knowing motivations will determine the type of acts of advocacy they would be most willing to perform and the incentives for participating in the program.

    Consider the following criteria when identifying advocates and developing your ideal advocate persona:

    Demographics Firmographics Satisfaction & Needs/Value Sought Behavior Motivation
    Role - user, decision-maker, etc. Company size: # of employees Satisfaction score Purchase frequency & repeat purchases (renewals), upgrades Career building/promotion
    Department Company size: revenue NPS score Usage Collaboration with peers
    Geography CLV score Engagement (e.g. email opens, response, meetings) Educate others
    Industry Value delivered (outcomes, occasions used, etc.) Social media interaction, posts Influence (on product, service)
    Tenure as client Benefits sought
    Account size ($) Minimal and resolved service tickets, escalations
    1. When identifying potential advocates, choose based on your most important audience/segments. 2. Ensure you're selecting those with the highest satisfaction, NPS, and CLV scores. 3. When identifying potential advocates, choose based on high engagement and interaction, regular renewals, and high usage. 4. Knowing motivations will determine the type of acts of advocacy they would be most willing to perform and incentives for participating in the program.

    Phase 3: Win Executive Approval and Implement Pilot

    Steps
    3.1 Determine pilot goals and success metrics
    3.2 Establish timeline and create advocate communication materials
    3.3 Gain executive buy-in and implement pilot

    Phase Outcome

    • Clear objective for CA pilot
    • Key metrics for program success
    • Pilot timelines and milestones
    • Executive presentation with business case for CA

    Win executive approval and implement pilot

    Step 3.1 Determine pilot goals and success metrics

    Total duration: 2.0-4.0 hours

    Objective
    Set goals and determine the scope for the customer advocacy program pilot.

    Output

    • Documented business objectives for the pilot
    • Documented success metrics

    Participants

    • Customer advocacy lead
    • Key stakeholders
    • Sales lead
    • Marketing lead
    • Customer Success lead
    • Product lead

    MarTech
    May require to use, set up, or install platforms like:

    • Register to a survey platform
    • CRM or marketing automation platform

    Tools

    3.1.1 Establish Pilot Goals
    (60-120 min.)

    Set
    Organize a meeting with department heads and review organizational and individual department goals.

    Using the Venn diagram on slide 39 in this deck, identify customer advocacy goals that align with business goals. Select the highest priority goal for the pilot.

    Check that the goal aligns with benefits sought or addresses pain points identified in the previous phase.

    Document
    Document the goals on slides 9 and 16 of the Executive Presentation Template.

    3.1.2 Establish Pilot Success Metrics
    (60-120 min.)

    Decide
    Decide how you will measure the success of your program pilot using slide 40 in this document.

    Document
    Document metrics on slide 16 of the Executive Presentation Template.

    Tips & Reminders

    1. Don't boil the ocean. Pick the most important goal that can be achieved through the customer advocacy pilot to gain executive buy-in and support or resources for a formal customer advocacy program. Once successfully completed, you'll be able to tackle new goals and expand the program.
    2. Keep your metrics simple, few in number, and relatively easy to track

    Connect customer advocacy goals with organizational goals

    List possible customer advocacy goals, identifying areas of overlap with organizational goals by taking the following steps:

    1. List organizational/departmental goals in the green oval.
    2. List possible customer advocacy program goals in the purple oval.
    3. Enter goals that are covered in both the Organizational Goals and Customer Advocacy Goals sections into the Shared Goals section in the center.
    4. Highlight the highest priority goal for the customer advocacy program pilot to tackle.
    Organizational Goals Shared Goals Customer Advocacy Goals
    Example Example: Gain customer references to help advance sales and improve win rates Example: Develop pool of customer references
    [insert goal] [insert goal] Example: Gather customer feedback
    [insert goal] [insert goal] [insert goal]
    [insert goal] [insert goal] [insert goal]

    Customer advocacy success metrics for consideration

    This table provides a starting point for measuring the success of your customer advocacy pilot depending on the goals you've set.

    This list is by no means exhaustive; the metrics here can be used, or new metrics that would better capture success measurement can be created and tracked.

    Metric
    Revenue influenced by reference calls ($ / % increase)
    # of reference calls resulting in closed-won opportunities
    # of quotes collected
    % of community growth YoY
    # of pieces of product feedback collected
    # of acts of advocacy
    % membership growth
    % product usage amongst community members
    # of social shares, clicks
    CSAT score for community members
    % of registered qualified leads
    # of leads registered
    # of member sign-ups
    # of net-new referenceable customers
    % growth rate of products used by members
    % engagement rate
    # of published third-party reviews
    % increase in fulfilled RFPs

    When selecting metrics, remember:
    When choosing metrics for your customer advocacy pilot, be sure to align them to your specific goals. If possible, try to connect your advocacy efforts back to retention, growth, or revenue.

    Do not choose too many metrics; one per goal should suffice.

    Ensure that you can track the metrics you select to measure - the data is available and measuring won't be overly manual or time-consuming.

    Win executive approval and implement pilot

    Step 3.2 Establish timeline and create advocate communication materials

    Total duration: 2.5-8.0 hours

    Objective
    Outline who will be involved in what roles and capacities and what tasks and activities need to completed.

    Output

    • Timeline and milestones
    • Advocate program materials

    Participants

    • Customer advocacy lead
    • Key stakeholders
    • Sales lead
    • Marketing lead
    • Customer Success lead
    • Product lead

    MarTech
    None

    Tools

    3.2.1 Establish Timeline & Milestones
    (30-60 min.)

    List & Assign
    List all key tasks, phases, and milestones on slides 13, 14, and 15 in the Executive Presentation Template.

    Include any activities that help close gaps or address pain points from slide 9 in the Executive Presentation Template.

    Assign workstream leads on slide 15 in the Executive Presentation Template.

    Finalize all tasks and activities with working team.

    3.2.2 Design & Build Advocate Program Materials
    (180-300 min.)

    Decide
    Determine materials needed to recruit advocates and explain the program to advocate candidates.

    Determine the types of acts of advocacy you are looking for.

    Determine incentives/rewards that will be provided to advocates, such as access to new products or services.

    Build
    Build out all communication materials.

    Obtain incentives.

    Tips & Reminders

    1. When determining incentives, use the validated ideal advocate profile for guidance (i.e. what motivates your advocates?).
    2. Ensure to leave a buffer in the timeline if the need to adjust course arises.

    Win executive approval and implement pilot

    Step 3.3 Implement pilot and gain executive buy-in

    Total duration: 2.5-8.0 hours

    Objective
    Successfully implement the customer advocacy pilot program and communicate results to gain approval for full-fledged program.

    Output

    • Deliver Executive Presentation
    • Successful customer advocacy pilot
    • Provide regular updates to stakeholders, executives

    Participants

    • Customer advocacy lead
    • Workstream leads

    MarTech
    May require the use of:

    • CRM or Marketing Automation Platform
    • Available and up-to-date customer database

    Tools

    3.3.1 Complete & Deliver Executive Presentation
    (60-120 min.)

    Present
    Finalize the Executive Presentation.

    Hold stakeholder meeting and introduce the program pilot.

    3.3.2 Gain Executive Buy-in
    (60-300 min.)

    Pitch
    Present the final results of the customer advocacy pilot using the Executive Presentation Template and gain approval.

    3.3.3 Implement the Customer Advocacy Program Pilot
    (30-60 min.)

    Launch
    Launch the customer advocacy program pilot. Follow the timelines and activities outlined in the Executive Presentation Template. Track/document all advocate outreach, activity, and progress against success metrics.

    Communicate
    Establish a regular cadence to communicate with steering committee, stakeholders. Use the Executive Presentation Template to present progress and resolve roadblocks if/as they arise.

    Tips & Reminders

    1. Continually collect feedback and input from advocates and stakeholders throughout the process.
    2. Don't be afraid to make changes on the go if it helps to achieve the end goal of your pilot.
    3. If the pilot program was successful, consider scaling it up and rolling it out to more customers.

    Summary of Accomplishment

    Mission Accomplished

    • You successfully launched your customer advocacy program pilot and demonstrated clear benefits and ROI. By identifying the needs of the business and aligning those needs with key customer advocacy activities, marketers and customer advocacy leaders can prioritize the most important tasks for the pilot while also identifying potential opportunities for expansion pending executive approval.
    • SoftwareReviews' comprehensive and tactical approach takes you through the steps to build the foundation for a strategic customer advocacy program. Our methodology ensures that a customer advocacy pilot is developed to deliver the desired outcomes and ROI, increasing stakeholder buy-in and setting up your organization for customer advocacy success.

    If you would like additional support, contact us and we'll make sure you get the professional expertise you need.

    Contact your account representative for more information.
    info@softwarereviews.com
    1-888-670-8889

    Related SoftwareReviews Research

    Measure and Manage the Customer Satisfaction Metrics That Matter the Most
    Understand what truly keeps your customer satisfied. Measure what matters to improve customer experience and increase satisfaction and advocacy.

    • Understand the true drivers of satisfaction and dissatisfaction among your customer segments.
    • Establish process and cadence for effective satisfaction measurement and monitoring.
    • Know where resources are needed most to improve satisfaction levels and increase retention.

    Develop the Right Message to Engage Buyers
    Sixty percent of marketers find it hard to produce high-quality content consistently. SaaS marketers have an even more difficult job due to the technical nature of content production.

    • Create more compelling and relevant content that aligns with a buyer's needs and journey.
    • Shrink marketing and sales cycles.
    • Increase the pace of content production.

    Create a Buyer Persona and Journey
    Get deeper buyer understanding and achieve product-market fit, with easier access to market and sales.

    • Reduce time and resources wasted chasing the wrong prospects.
    • Increase open and click-through rates.
    • Perform more effective sales discovery.
    • Increase win rate.

    Bibliography

    "15 Award-Winning Customer Advocacy Success Stories." Influitive, 2021. Accessed 8 June 2023.

    "Advocacy Marketing." Influitive, June 2016. Accessed 26 Oct. 2021.

    Andrews, Marcus. "42% of Companies Don’t Listen to their Customers. Yikes." HubSpot, June 2019. Accessed 2 Nov. 2021.

    "Before you leap! Webcast." Point of Reference, Sept. 2019. Accessed 4 Nov. 2021.

    "Brand Loyalty: 5 Interesting Statistics." Factory360, Jan. 2016. Accessed 2 Nov. 2021.

    Brenner, Michael. "The Data Driven Guide to Customer Advocacy." Marketing Insider Group, Sept. 2021. Accessed 3 Feb. 2022.

    Carroll, Brian. "Why Customer Advocacy Should Be at the Heart of Your Marketing." Marketing Insider Group, Sept. 2017. Accessed 3 Feb. 2022.

    Cote, Dan. "Advocacy Blooms and Business Booms When Customers and Employees Engage." Influitive, Dec. 2021. Accessed 3 Feb. 2022.

    "Customer Success Strategy Guide." ON24, Jan. 2021. Accessed 2 Nov. 2021.

    Dalao, Kat. "Customer Advocacy: The Revenue-Driving Secret Weapon." ReferralRock, June 2017. Accessed 7 Dec. 2021.

    Frichou, Flora. "Your guide to customer advocacy: What is it, and why is it important?" TrustPilot, Jan. 2020. Accessed 26 Oct. 2021.

    Gallo, Amy. "The Value of Keeping the Right Customers." Harvard Business Review, Oct. 2014. Accessed 10 March 2022.

    Huhn, Jessica. "61 B2B Referral Marketing Statistics and Quotes." ReferralRock, March 2022. Accessed 10 March 2022.

    Kemper, Grayson. "B2B Buying Process: How Businesses Purchase B2B Services and Software." Clutch, Feb. 2020. Accessed 6 Jan. 2022.

    Kettner, Kyle. "The Evolution of Ambassador Marketing." BrandChamp.io, Oct. 2018. Accessed 2 Nov. 2021.

    Landis, Taylor. "Customer Retention Marketing vs. Customer Acquisition Marketing." OutboundEngine, April 2022. Accessed 23 April 2022.

    Miels, Emily. "What is customer advocacy? Definition and strategies." Zendesk Blog, June 2021. Accessed 27 Oct. 2021.

    Mohammad, Qasim. "The 5 Biggest Obstacles to Implementing a Successful B2B Customer Advocacy Program." HubSpot, June 2018. Accessed 6 Jan. 2022.

    Murphy, Brandon. "Brand Advocacy and Social Media - 2009 GMA Conference." Deloitte, Dec. 2009. Accessed 8 June 2023.

    Patel, Neil. "Why SaaS Brand Advocacy is More Important than Ever in 2021." Neil Patel, Feb. 2021. Accessed 4 Nov. 2021.

    Pieri, Carl. "The Plain-English Guide to Customer Advocacy." HubSpot, Apr. 2020. Accessed 27 Oct. 2021.

    Schmitt, Philipp; Skiera, Bernd; Van den Bulte, Christophe. "Referral Programs and Customer Value." Wharton Journal of Marketing, Jan. 2011. Accessed 8 June 2023.

    "The Complete Guide to Customer Advocacy." Gray Group International, 2020. Accessed 15 Oct. 2021.

    "The Customer-powered Enterprise: Playbook." Influitive, Gainsight & Pendo. 2020. Accessed 26 Oct. 2021.

    "The Winning Case for a Customer Advocacy Solution." RO Innovation, 2017. Accessed 26 Oct. 2021.

    Tidey, Will. "Acquisition vs. Retention: The Importance of Customer Lifetime Value." Huify, Feb. 2018. Accessed 10 Mar. 2022.

    "What a Brand Advocate Is and Why Your Company Needs One." RockContent, Jan. 2021. Accessed 7 Feb. 2022.

    "What is Customer Advocacy? A Definition and Strategies to Implement It." Testimonial Hero, Oct. 2021. Accessed 26 Jan. 2022.

    Build Your Data Quality Program

    • Buy Link or Shortcode: {j2store}127|cart{/j2store}
    • member rating overall impact: 9.1/10 Overall Impact
    • member rating average dollars saved: $40,241 Average $ Saved
    • member rating average days saved: 33 Average Days Saved
    • Parent Category Name: Data Management
    • Parent Category Link: /data-management
    • Experiencing the pitfalls of poor data quality and failing to benefit from good data quality, including:
      • Unreliable data and unfavorable output.
      • Inefficiencies and costly remedies.
      • Dissatisfied stakeholders.
    • The chances of successful decision-making capabilities are hindered with poor data quality.

    Our Advice

    Critical Insight

    • Address the root causes of your data quality issues and form a viable data quality program.
      • Be familiar with your organization’s data environment and business landscape.
      • Prioritize business use cases for data quality fixes.
      • Fix data quality issues at the root cause to ensure proper foundation for your data to flow.
    • It is important to sustain best practices and grow your data quality program.

    Impact and Result

    • Implement a set of data quality initiatives that are aligned with overall business objectives and aimed at addressing data practices and the data itself.
    • Develop a prioritized data quality improvement project roadmap and long-term improvement strategy.
    • Build related practices such as artificial intelligence and analytics with more confidence and less risk after achieving an appropriate level of data quality.

    Build Your Data Quality Program Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should establish a data quality program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Define your organization’s data environment and business landscape

    Learn about what causes data quality issues, how to measure data quality, what makes a good data quality practice in relation to your data and business environments.

    • Business Capability Map Template

    2. Analyze your priorities for data quality fixes

    Determine your business unit priorities to create data quality improvement projects.

    • Data Quality Problem Statement Template
    • Data Quality Practice Assessment and Project Planning Tool

    3. Establish your organization’s data quality program

    Revisit the root causes of data quality issues and identify the relevant root causes to the highest priority business unit, then determine a strategy for fixing those issues.

    • Data Lineage Diagram Template
    • Data Quality Improvement Plan Template

    4. Grow and sustain your data quality practices

    Identify strategies for continuously monitoring and improving data quality at the organization.

    Infographic

    Workshop: Build Your Data Quality Program

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Define Your Organization’s Data Environment and Business Landscape

    The Purpose

    Evaluate the maturity of the existing data quality practice and activities.

    Assess how data quality is embedded into related data management practices.

    Envision a target state for the data quality practice.

    Key Benefits Achieved

    Understanding of the current data quality landscape

    Gaps, inefficiencies, and opportunities in the data quality practice are identified

    Target state for the data quality practice is defined

    Activities

    1.1 Explain approach and value proposition

    1.2 Detail business vision, objectives, and drivers

    1.3 Discuss data quality barriers, needs, and principles

    1.4 Assess current enterprise-wide data quality capabilities

    1.5 Identify data quality practice future state

    1.6 Analyze gaps in data quality practice

    Outputs

    Data Quality Management Primer

    Business Capability Map Template

    Data Culture Diagnostic

    Data Quality Diagnostic

    Data Quality Problem Statement Template

    2 Create a Strategy for Data Quality Project 1

    The Purpose

    Define improvement initiatives

    Define a data quality improvement strategy and roadmap

    Key Benefits Achieved

    Improvement initiatives are defined

    Improvement initiatives are evaluated and prioritized to develop an improvement strategy

    A roadmap is defined to depict when and how to tackle the improvement initiatives

    Activities

    2.1 Create business unit prioritization roadmap

    2.2 Develop subject areas project scope

    2.3 By subject area 1 data lineage analysis, root cause analysis, impact assessment, and business analysis

    Outputs

    Business Unit Prioritization Roadmap

    Subject area scope

    Data Lineage Diagram

    3 Create a Strategy for Data Quality Project 2

    The Purpose

    Define improvement initiatives

    Define a data quality improvement strategy and roadmap

    Key Benefits Achieved

    Improvement initiatives are defined

    Improvement initiatives are evaluated and prioritized to develop an improvement strategy

    A roadmap is defined to depict when and how to tackle the improvement initiatives

    Activities

    3.1 Understand how data quality management fits in with the organization’s data governance and data management programs

    3.2 By subject area 2 data lineage analysis, root cause analysis, impact assessment, and business analysis

    Outputs

    Data Lineage Diagram

    Root Cause Analysis

    Impact Analysis

    4 Create a Strategy for Data Quality Project 3

    The Purpose

    Determine a strategy for fixing data quality issues for the highest priority business unit

    Key Benefits Achieved

    Strategy defined for fixing data quality issues for highest priority business unit

    Activities

    4.1 Formulate strategies and actions to achieve data quality practice future state

    4.2 Formulate a data quality resolution plan for the defined subject area

    4.3 By subject area 3 data lineage analysis, root cause analysis, impact assessment, and business analysis

    Outputs

    Data Quality Improvement Plan

    Data Lineage Diagram

    5 Create a Plan for Sustaining Data Quality

    The Purpose

    Plan for continuous improvement in data quality

    Incorporate data quality management into the organization’s existing data management and governance programs

    Key Benefits Achieved

    Sustained and communicated data quality program

    Activities

    5.1 Formulate metrics for continuous tracking of data quality and monitoring the success of the data quality improvement initiative

    5.2 Workshop Debrief with Project Sponsor

    5.3 Meet with project sponsor/manager to discuss results and action items

    5.4 Wrap up outstanding items from the workshop, deliverables expectations, GIs

    Outputs

    Data Quality Practice Improvement Roadmap

    Data Quality Improvement Plan (for defined subject areas)

    Further reading

    Build Your Data Quality Program

    Quality Data Drives Quality Business Decisions

    Executive Brief

    Analyst Perspective

    Get ahead of the data curve by conquering data quality challenges.

    Regardless of the driving business strategy or focus, organizations are turning to data to leverage key insights and help improve the organization’s ability to realize its vision, key goals, and objectives.

    Poor quality data, however, can negatively affect time-to-insight and can undermine an organization’s customer experience efforts, product or service innovation, operational efficiency, or risk and compliance management. If you are looking to draw insights from your data for decision making, the quality of those insights is only as good as the quality of the data feeding or fueling them.

    Improving data quality means having a data quality management practice that is sustainably successful and appropriate to the use of the data, while evolving to keep pace with or get ahead of changing business and data landscapes. It is not a matter of fixing one data set at a time, which is resource and time intensive, but instead identifying where data quality consistently goes off the rails, and creating a program to improve the data processes at the source.

    Crystal Singh

    Research Director, Data and Analytics

    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Your organization is experiencing the pitfalls of poor data quality, including:

    • Unreliable data and unfavorable output.
    • Inefficiencies and costly remedies.
    • Dissatisfied stakeholders.

    Poor data quality hinders successful decision making.

    Common Obstacles

    Not understanding the purpose and execution of data quality causes some disorientation with your data.

    • Failure to realize the importance/value of data quality.
    • Unsure of where to start with data quality.
    • Lack of investment in data quality.

    Organizations tend to adopt a project mentality when it comes to data quality instead of taking the strategic approach that would be all-around more beneficial in the long term.

    Info-Tech’s Approach

    Address the root causes of your data quality issues by forming a viable data quality program.

    • Be familiar with your organization’s data environment and business landscape.
    • Prioritize business use cases for data quality fixes.
    • Fixing data quality issues at the root cause to ensure a proper foundation for your data to flow.

    It is important to sustain best practices and grow your data quality program.

    Info-Tech Insight

    Fix data quality issues as close as possible to the source of data while understanding that business use cases will each have different requirements and expectations from data quality.

    Data is the foundation of your organization’s knowledge

    Data enables your organization to make decisions.

    Reliable data is needed to facilitate data consumers at all levels of the enterprise.

    Insights, knowledge, and information are needed to inform operational, tactical, and strategic decision-making processes. Data and information are needed to manage the business and empower business processes such as billing, customer touchpoints, and fulfillment.

    Raw Data

    Business Information

    Actionable Insights

    Data should be at the foundation of your organization’s evolution. The transformational insights that executives are constantly seeking can be uncovered with a data quality practice that makes high-quality, trustworthy information readily available to the business users who need it.

    98% of companies use data to improve customer experience. (Experian Data Quality, 2019)

    High-Level Data Architecture

    The image is a graphic, which at the top shows different stages of data, and in the lower part of the graphic shows the data processes.

    Build Your Data Quality Program

    1. Data Quality & Data Culture Diagnostics Business Landscape Exercise
    2. Business Strategy & Use Cases
    3. Prioritize Use Cases With Poor Quality

    Info-Tech Insight

    As data is ingested, integrated, and maintained in the various streams of the organization's system and application architecture, there are multiple points where the quality of the data can degrade.

    1. Understand the organization's data culture and data quality environment across the business landscape.
    2. Prioritize business use cases with poor data quality.
    3. For each use case, identify data quality issues and requirements throughout the data pipeline.
    4. Fix data quality issues at the root cause.
    5. As data flow through quality assurance monitoring checkpoints, monitor data to ensure good quality output.

    Insight:

    Proper application of data quality dimensions throughout the data pipeline will result in superior business decisions.

    Data quality issues can occur at any stage of the data flow.

    The image shows the flow of data through various stages: Data Creation; Data Ingestion; Data Accumulation and Engineering; Data Delivery; and Reporting & Analytics. At the bottom, there are two bars: the left one labelled Fix data quality root causes here...; and the right reads: ...to prevent expensive cures here.

    The image is a legend that accompanies the data flow graphic. It indicates that a white and green square icon indicates Data quality dimensions; a red cube indicates a potential point of data quality degradation; the pink square indicates Root cause of poor data quality; and a green flag indicates Quality Assurance Monitoring.

    Prevent the domino effect of poor data quality

    Data is the foundation of decisions made at data-driven organizations.

    Therefore, if there are problems with the organization’s underlying data, this can have a domino effect on many downstream business functions.

    Let’s use an example to illustrate the domino effect of poor data quality.

    Organization X is looking to migrate their data to a single platform, System Y. After the migration, it has become apparent that reports generated from this platform are inconsistent and often seem wrong. What is the effect of this?

    1. Time must be spent on identifying the data quality issues, and often manual data quality fixes are employed. This will extend the time to deliver the project that depends on system Y by X months.
    2. To repair these issues, the business needs to contract two additional resources to complete the unforeseen work. The new resources cost $X each, as well as additional infrastructure and hardware costs.
    3. Now, the strategic objectives of the business are at risk and there is a feeling of mistrust in the new system Y.

    Three key challenges impacting the ability to deliver excellent customer experience

    30% Poor data quality

    30% Method of interaction changing

    30% Legacy systems or lack of new technology

    95% Of organizations indicated that poor data quality undermines business performance.

    (Source: Experian Data Quality, 2019)

    Maintaining quality data will support more informed decisions and strategic insight

    Improving your organization’s data quality will help the business realize the following benefits:

    Data-Driven Decision Making

    Business decisions should be made with a strong rationale. Data can provide insight into key business questions, such as, “How can I provide better customer satisfaction?”

    89% Of CIOs surveyed say lack of quality data is an obstacle to good decision making. (Larry Dignan, CIOs juggling digital transformation pace, bad data, cloud lock0in and business alignment, 2020)

    Customer Intimacy

    Improve marketing and the customer experience by using the right data from the system of record to analyze complete customer views of transactions, sentiments, and interactions.

    94% Percentage of senior IT leaders who say that poor data quality impinges business outcomes. (Clint Boulton, Disconnect between CIOs and LOB managers weakens data quality, 2016)

    Innovation Leadership

    Gain insights on your products, services, usage trends, industry directions, and competitor results to support decisions on innovations, new products, services, and pricing.

    20% Businesses lose as much as 20% of revenue due to poor data quality. (RingLead Data Management Solutions, 10 Stats About Data Quality I Bet You Didn’t Know)

    Operational Excellence

    Make sure the right solution is delivered rapidly and consistently to the right parties for the right price and cost structure. Automate processes by using the right data to drive process improvements.

    10-20% The implementation of data quality initiatives can lead to reductions in corporate budget of up to 20%. (HaloBI, 2015)

    However, maintaining data quality is difficult

    Avoid these pitfalls to get the true value out of your data.

    1. Data debt drags down ROI – a high degree of data debt will hinder you from attaining the ROI you’re expecting.
    2. Lack of trust means lack of usage – a lack of confidence in data results in a lack of data usage in your organization, which negatively effects strategic planning, KPIs, and business outcomes.
    3. Strategic assets become a liability – bad data puts your business at risk of failing compliance standards, which could result in you paying millions in fines.
    4. Increased costs and inefficiency – time spent fixing bad data means less workload capacity for your important initiatives and the inability to make data-based decisions.
    5. Barrier to adopting data-driven tech – emerging technologies, such as predictive analytics and artificial intelligence, rely on quality data. Inaccurate, incomplete, or irrelevant data will result in delays or a lack of ROI.
    6. Bad customer experience – Running your business on bad data can hinder your ability to deliver to your customers, growing their frustration, which negatively impacts your ability to maintain your customer base.

    Info-Tech Insight

    Data quality suffers most at the point of entry. This is one of the causes of the domino effect of data quality – and can be one of the most costly forms of data quality errors due to the error propagation. In other words, fix data ingestion, whether through improving your application and database design or improving your data ingestion policy, and you will fix a large majority of data quality issues.

    Follow Our Data & Analytics Journey

    Data Quality is laced into Data Strategy, Data Management, and Data Governance.

    • Data Strategy
      • Data Management
        • Data Quality
        • Data Governance
          • Data Architecture
            • MDM
            • Data Integration
            • Enterprise Content Management
            • Information Lifecycle Management
              • Data Warehouse/Lake/Lakehouse
                • Reporting and Analytics
                • AI

    Data quality is rooted in data management

    Extract Maximum Benefit Out of Your Data Quality Management.

    • Data management is the planning, execution, and oversight of policies, practices, and projects that acquire, control, protect, deliver, and enhance the value of data and information assets (DAMA, 2009).
    • In other words, getting the right information, to the right people, at the right time.
    • Data quality management exists within each of the data practices, information dimensions, business resources, and subject areas that comprise the data management framework.
    • Within this framework, an effective data quality practice will replace ad hoc processes with standardized practices.
    • An effective data quality practice cannot succeed without proper alignment and collaboration across this framework.
    • Alignment ensures that the data quality practice is fit for purpose to the business.

    The DAMA DMBOK2 Data Management Framework

    • Data Governance
      • Data Quality
      • Data Architecture
      • Data Modeling & Design
      • Data Storage & Operations
      • Data Security
      • Data Integration & Interoperability
      • Documents & Content
      • Reference & Master Data
      • Data Warehousing & Business Intelligence
      • Meta-data

    (Source: DAMA International)

    Related Info-Tech Research

    Build a Robust and Comprehensive Data Strategy

    • People often think that the main problems they need to fix first are related to data quality when the issues transpire at a much larger level. This blueprint is the key to building and fostering a data-driven culture.

    Create a Data Management Roadmap

    • Refer to this blueprint to understand data quality in the context of data disciplines and methods for improving your data management capabilities.

    Establish Data Governance

    • Define an effective data governance strategy and ensure the strategy integrates well with data quality with this blueprint.

    Info-Tech’s methodology for Data Quality

    Phase Steps 1. Define Your Organization’s Data Environment and Business Landscape 2. Analyze Your Priorities for Data Quality Fixes 3. Establish Your Organization’s Data Quality Program 4. Grow and Sustain Your Data Quality Practice
    Phase Outcomes This step identifies the foundational understanding of your data and business landscape, the essential concepts around data quality, as well as the core capabilities and competencies that IT needs to effectively improve data quality. To begin addressing specific, business-driven data quality projects, you must identify and prioritize the data-driven business units. This will ensure that data improvement initiatives are aligned to business goals and priorities. After determining whose data is going to be fixed based on priority, determine the specific problems that they are facing with data quality, and implement an improvement plan to fix it. Now that you have put an improvement plan into action, make sure that the data quality issues don’t keep cropping up. Integrate data quality management with data governance practices into your organization and look to grow your organization’s overall data maturity.

    Info-Tech Insight

    “Data Quality is in the eyes of the beholder.”– Igor Ikonnikov, Research Director

    Data quality means tolerance, not perfection

    Data from Info-Tech’s CIO Business Vision Diagnostic, which represents over 400 business stakeholders, shows that data quality is very important when satisfaction with data quality is low.

    However, when data quality satisfaction hit a threshold, it became less important.

    The image is a line graph, with the X-axis labelled Satisfaction with Data Quality, and the Y axis labelled Rated Importance for Data Quality. The line begins high, and then descends. There is text inside the graph, which is transcribed below.

    Respondents were asked “How satisfied are you with the quality, reliability, and effectiveness of the data you use to manage your group?” as well as to rank how important data quality was to their organization.

    When the business satisfaction of data quality reached a threshold value of 71-80%, the rated importance reached its lowest value.

    Info-Tech Insight

    Data needs to be good, but truly spectacular data may go unnoticed.

    Provide the right level of data quality, with the appropriate effort, for the correct usage. This blueprint will help you to determine what “the right level of data quality” means, as well as create a plan to achieve that goal for the business.

    Data Roles and Responsibilities

    Data quality occurs through three main layers across the data lifecycle

    Data Strategy

    Data Strategy should contain Data Quality as a standard component.

    ← Data Quality issues can occur throughout at any stage of the data flow →

    DQ Dimensions

    Timeliness – Representation – Usability – Consistency – Completeness – Uniqueness – Entry Quality – Validity – Confidence – Importance

    Source System Layer

    • Data Resource Manager/Collector: Enters data into a database and ensures that data collection sources are accurate

    Data Transformation Layer

    • ETL Developer: Designs data storage systems
    • Data Engineer: Oversees data integrations, data warehouses and data lakes, data pipelines
    • Database Administrator: Manages database systems, ensures they meet SLAs, performances, backups
    • Data Quality Engineer: Finds and cleanses bad data in data sources, creates processes to prevent data quality problems

    Consumption Layer

    • Data Scientist: Gathers and analyses data from databases and other sources, runs models, and creates data visualizations for users
    • BI Analyst: Evaluates and mines complex data and transforms it into insights that drive business value. Uses BI software and tools to analyze industry trends and create visualizations for business users
    • Data Analyst: Extracts data from business systems, analyzes it, and creates reports and dashboards for users
    • BI Engineer: Documents business needs on data analysis and reporting and develops BI systems, reports, and dashboards to support them
    Data Creation → [SLA] Data Ingestion [ QA] →Data Accumulation & Engineering → [SLA] Data Delivery [QA] →Reporting & Analytics
    Fix Data Quality root causes here… to prevent expensive cures here.

    Executive Brief Case Study

    Industry: Healthcare

    Source: Primary Info-Tech Research

    Align source systems to maximize business output.

    A healthcare insurance agency faced data quality issues in which a key business use case was impacted negatively. Business rules were not well defined, and default values instead of real value caused a concern. When dealing with multiple addresses, data was coming from different source systems.

    The challenge was to identify the most accurate address, as some were incomplete, and some lacked currency and were not up to date. This especially challenged a key business unit, marketing, to derive business value in performing key activities by being unable to reach out to existing customers to advertise any additional products.

    For this initiative, this insurance agency took an economic approach by addressing those data quality issues using internal resources.

    Results

    Without having any MDM tools or having a master record or any specific technology relating to data quality, this insurance agency used in-house development to tackle those particular issues at the source system. Data quality capabilities such as data profiling were used to uncover those issues and address them.

    “Data quality is subjective; you have to be selective in terms of targeting the data that matters the most. When getting business tools right, most issues will be fixed and lead to achieving the most value.” – Asif Mumtaz, Data & Solution Architect

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostic and consistent frameworks are used throughout all four options.

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1 Phase 2 Phase 3 Phase 4
    • Call #1: Learn about the concepts of data quality and the common root causes of poor data quality.
    • Call #2: Identify the core capabilities of IT for improving data quality on an enterprise scale.
    • Call #3: Determine which business units use data and require data quality remediation.
    • Call #4: Create a plan for addressing business unit data quality issues according to priority of the business units based on value and impact of data.
    • Call #5: Revisit the root causes of data quality issues and identify the relevant root causes to the highest priority business unit.
    • Call #6: Determine a strategy for fixing data quality issues for the highest priority business unit.
    • Call #7: Identify strategies for continuously monitoring and improving data quality at the organization.
    • Call #8: Learn how to incorporate data quality practices in the organization’s larger data management and data governance frameworks.
    • Call #9: Summarize results and plan next steps on how to evolve your data landscape.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between eight to twelve calls over the course of four to six months.

    Workshop Overview

    Contact your account representative for more information. workshops@infotech.com 1-888-670-8889

    Day 1 Day 2 Day 3 Day 4 Day 5
    Define Your Organization’s Data Environment and Business Landscape Create a Strategy for Data Quality Project 1 Create a Strategy for Data Quality Project 2 Create a Strategy for Data Quality Project 3 Create a Plan for Sustaining Data Quality
    Activities
    1. Explain approach and value proposition.
    2. Detail business vision, objectives, and drivers.
    3. Discuss data quality barriers, needs, and principles.
    4. Assess current enterprise-wide data quality capabilities.
    5. Identify data quality practice future state.
    6. Analyze gaps in data quality practice.
    1. Create business unit prioritization roadmap.
    2. Develop subject areas project scope.
    3. By subject area 1:
    • Data lineage analysis
    • Root cause analysis
    • Impact assessment
    • Business analysis
    1. Understand how data quality management fits in with the organization’s data governance and data management programs.
    2. By subject area 2:
    • Data lineage analysis
    • Root cause analysis
    • Impact assessment
    • Business analysis
    1. Formulate strategies and actions to achieve data quality practice future state.
    2. Formulate data quality resolution plan for defined subject area.
    3. By subject area 3:
    • Data lineage analysis
    • Root cause analysis
    • Impact assessment
    • Business analysis
    1. Formulate metrics for continuous tracking of data quality and monitoring the success of the data quality improvement initiative.
    2. Workshop Debrief with Project Sponsor.
    • Meet with project sponsor/manager to discuss results and action items.
    • Wrap up outstanding items from the workshop, deliverables expectations, GIs.
    Deliverables
    1. Data Quality Management Primer
    2. Business Capability Map Template
    3. Data Culture Diagnostic
    4. Data Quality Diagnostic
    5. Data Quality Problem Statement Template
    1. Business Unit Prioritization Roadmap
    2. Subject area scope
    3. Data Lineage Diagram
    1. Data Lineage Diagram
    2. Root Cause Analysis
    3. Impact Analysis
    1. Data Lineage Diagram
    2. Data Quality Improvement Plan
    1. Data Quality Practice Improvement Roadmap
    2. Data Quality Improvement Plan (for defined subject areas)

    Phase 1

    Define Your Organization’s Data Environment and Business Landscape

    Build Your Data Quality Program

    Data quality is a methodology and must be treated as such

    A comprehensive data quality practice includes appropriate business requirements gathering, planning, governance, and oversight capabilities, as well as empowering technologies for properly trained staff, and ongoing development processes.

    Some common examples of appropriate data management methodologies for data quality are:

    • The data quality team has the necessary competencies and resources to perform the outlined workload.
    • There are processes that exist for continuously evaluating data quality performance capabilities.
    • Improvement strategies are designed to increase data quality performance capabilities.
    • Policies and procedures that govern data quality are well-documented, communicated, followed, and updated.
    • Change controls exist for revising policies and procedures, including communication of updates and changes.
    • Self-auditing techniques are used to ensure business-IT alignment when designing or recalibrating strategies.

    Effective data quality practices coordinate with other overarching data disciplines, related data practices, and strategic business objectives.

    “You don’t solve data quality with a Band-Aid; you solve it with a methodology.” – Diraj Goel, Growth Advisor, BC Tech

    Data quality can be defined by four key quality indicators

    Similar to measuring the acidity of a substance with a litmus test, the quality of your data can be measured using a simple indicator test. As you learn about common root causes of data quality problems in the following slides, think about these four quality indicators to assess the quality of your data:

    • Completeness – Closeness to the correct value. Encompasses accuracy, consistency, and comparability to other databases.
    • Usability – The degree to which data meets current user needs. To measure this, you must determine if the user is satisfied with the data they are using to complete their business functions.
    • Timeliness – Length of time between creation and availability of data.
    • Accessibility – How easily a user can access and understand the data (including data definitions and context). Interpretability can also be used to describe this indicator.

    Info-Tech Insight

    Quality is a relative term. Data quality is measured in terms of tolerance. Perfect data quality is both impossible and a waste of time and effort.

    How to get investment for your data quality program

    Follow these steps to convince leadership of the value of data quality:

    “You have to level with people, you cannot just start talking with the language of data and expect them to understand when the other language is money and numbers.” – Izabela Edmunds, Information Architect at Mott MacDonald

    1. Perform Phases 0 & 1 of this blueprint as this will offer value in carrying out the following steps.
    2. Build credibility. Show them your understanding of data and how it aligns to the business.
    3. Provide tangible evidence of how significant business use cases are impacted by poor quality data.
    4. Present the ROI of fixing the data quality issues you have prioritized.
    5. Explain how the data quality program will be established, implemented, and sustained.
    6. Prove the importance of fixing data quality issues at the source and how it is the most efficient, effective, and cost-friendly solution.

    Phase 1 deliverables

    Each of these deliverables serve as inputs to detect key outcomes about your organization and to help complete this blueprint:

    1. Data Culture Diagnostic

    Use this report to understand where your organization lies across areas relating to data culture.

    While the Quality & Trust area of the report might be most prevalent to this blueprint, this diagnostic may point out other areas demanding more attention.

    Please speak to your account manager for access

    2. Business Capability Map Template

    Perform this process to understand the capabilities that enable specific value streams. The output of this deliverable is a high-level view of your organization’s defined business capabilities.

    Download this tool

    Info-Tech Insight

    Understanding your data culture and business capabilities are foundational to starting the journey of data quality improvement.

    Key deliverable:

    3. Data Quality Diagnostic

    The Data Quality Report is designed to help you understand, assess, and improve key organizational data quality issues. This is where respondents across various areas in the organization can assess Data Quality across various dimensions.

    Download this tool

    Data Quality Diagnostic Value

    Prioritize business use cases with our data quality dimensions.

    • Complete this diagnostic for each major business use case. The output from the Data Culture Diagnostic and the Business Capability Map should help you understand which use cases to address.
    • Involve all key stakeholders involved in the business use case. There may be multiple business units involved in a single use case.
    • Prioritize the business use cases that need the most attention pertaining to data quality by comparing the scores of the Importance and Confidence data quality dimensions.

    If there are data elements that are considered of high importance and low confidence, then they must be prioritized.

    Sample Scorecard

    The image shows a screen capture of a scorecard, with sample information filled in.

    The image shows a screen capture of a scorecard, with sample information filled in.

    Poor data quality develops due to multiple root causes

    After you get to know the properties of good quality data, understand the underlying causes of why those indicators can point to poor data quality.

    If you notice that the usability, completeness, timeliness, or accessibility of the organization’s data is suffering, one or more of the following root causes are likely plaguing your data:

    Common root causes of poor data quality, through the lens of Info-Tech’s Five-Tier Data Architecture:

    The image shows a graphic of Info-Tech's Five-Tier Data Architecture, with root causes of poor data quality identified. In the data creation and ingestion stages, the root causes are identified as Poor system/application design, Poor database design, Inadequate enterprise integration. The root causes identified in the latter stages are: Absence of data quality policies, procedures, and standards, and Incomplete/suboptimal business processes

    These root causes of poor data quality are difficult to avoid, not only because they are often generated at an organization’s beginning stages, but also because change can be difficult. This means that the root causes are often propagated through stale or outdated business processes.

    Data quality problems root cause #1:

    Poor system or application design

    Application design plays one of the largest roles in the quality of the organization’s data. The proper design of applications can prevent data quality issues that can snowball into larger issues downstream.

    Proper ingestion is 90% of the battle. An ounce of prevention is worth a pound of cure. This is true in many different topics, and data quality is one of them. Designing an application so that data gets entered properly, whether by internal staff or external customers, is the single most effective way to prevent data quality issues.

    Some common causes of data quality problems at the application/system level include:

    • Too many open fields (free-form text fields that accept a variety of inputs).
    • There are no lookup capabilities present. Reference data should be looked up instead of entered.
    • Mandatory fields are not defined, resulting in blank fields.
    • No validation of data entries before writing to the underlying database.
    • Manual data entry encourages human error. This can be compounded by poor application design that facilitates the incorrect data entry.

    Data quality problems root cause #2:

    Poor database design

    Database design also affects data quality. How a database is designed to handle incoming data, including the schema and key identification, can impact the integrity of the data used for reporting and analytics.

    The most common type of database is the relational database. Therefore, we will focus on this type of database.

    When working with and designing relational databases, there are some important concepts that must be considered.

    Referential integrity is a term that is important for the design of relational database schema, and indicates that table relationships must always be consistent.

    For table relationships to be consistent, primary keys (unique value for each row) must uniquely identify entities in columns of the table. Foreign keys (field that is defined in a second table but refers to the primary key in the first table) must agree with the primary key that is referenced by the foreign key. To maintain referential integrity, any updates must be propagated to the primary parent key.

    Info-Tech Insight

    Other types of databases, including databases with unstructured data, need data quality consideration. However, unstructured data may have different levels of quality tolerance.

    At the database level, some common root causes include:

    1. Lack of referential integrity.
    2. Lack of unique keys.
    3. Don’t have restricted data range.
    4. Incorrect datatype, string fields that can hold too many characters.
    5. Orphaned records.

    Databases and People:

    Even though database design is a technology issue, don’t forget about the people.

    A lack of training employees on database permissions for updating/entering data into the physical databases is a common problem for data quality.

    Data quality problems root cause #3:

    Improper integration and synchronization of enterprise data

    Data ingestion is another category of data-quality-issue root causes. When moving data in Tier 2, whether it is through ETL, ESB, point-to-point integration, etc., the integrity of the data during movement and/or transformation needs to be maintained.

    Tier 2 (the data ingestion layer) serves to move data for one of two main purposes:

    • To move data from originating systems to downstream systems to support integrated business processes.
    • To move data to Tier 3 where data rests for other purposes. This movement of data in its purest form means we move raw data to storage locations in an overall data warehouse environment reflecting any security, compliance and other standards in our choices for how to store. Also, it is where data is transformed for unique business purpose that will also be moved to a place of rest or a place of specific use. Data cleansing and matching and other data-related blending tasks occur at this layer.

    This ensures the data is pristine throughout the process and improves trustworthiness of outcomes and speed to task completion.

    At the integration layer, some common root causes of data quality problems include:

    1. No data mask. For example, zip code should have a mask of five numeric characters.
    2. Questionable aggregation, transformation process, or incorrect logic.
    3. Unsynchronized data refresh process in an integrated environment.
    4. Lack of a data matching tool.
    5. Lack of a data quality tool.
    6. Don’t have data profiling capability.
    7. Errors with data conversion or migration processes – when migrating, decommissioning, or converting systems – movement of data sets.
    8. Incorrect data mapping between data sources and targets.

    Data quality problems root cause #4:

    Insufficient and ineffective data quality policies and procedures

    Data policies and procedures are necessary for establishing standards around data and represent another category of data-quality-issue root causes. This issue spans across all five of the 5 Tier Architecture.

    Data policies are short statements that seek to manage the creation, acquisition, integrity, security, compliance, and quality of data. These policies vary amongst organizations, depending on your specific data needs.

    • Policies describe what to do, while standards and procedures describe how to do something.
    • There should be few data policies, and they should be brief and direct. Policies are living documents and should be continuously updated to respond to the organization’s data needs.
    • The data policies should highlight who is responsible for the data under various scenarios and rules around how to manage it effectively.

    Some common root causes of data quality issues related to policies and procedures include:

    1. Policies are absent or out of date.
    2. Employees are largely unaware of policies in effect.
    3. Policies are unmonitored and unenforced.
    4. Policies are in multiple locations.
    5. Multiple versions of the same policy exist.
    6. Policies are managed inconsistently across different silos.
    7. Policies are written poorly by untrained authors.
    8. Inadequate policy training program.
    9. Draft policies stall and lose momentum.
    10. Weak policy support from senior management.

    Data quality problems root cause #5:

    Inefficient or ineffective business processes

    Some common root causes of data quality issues related to business processes include:

    1. Multiple entries of the same record leads to duplicate records proliferating in the database.
    2. Many business definitions of data.
    3. Failure to document data manipulations when presenting data.
    4. Failure to train people on how to understand data.
    5. Manually intensive processes can result in duplication of effort (creates room for errors).
    6. No clear delineation of dependencies of business processes within or between departments, which leads to a siloed approach to business processes, rather than a coordinated and aligned approach.

    Business processes can impact data quality. How data is entered into systems, as well as employee training and knowledge about the correct data definitions, can impact the quality of your organization’s data.

    These problematic business process root causes can lead to:

    Duplicate records

    Incomplete data

    Improper use of data

    Wrong data entered into fields

    These data quality issues will result in costly and inefficient manual fixes, wasting valuable time and resources.

    Phase 1 Summary

    1. Data Quality Understanding

    • Understanding that data quality is a methodology and should be treated as such.
    • Data quality can be defined by four key indicators which are completeness, usability, timeliness, and accessibility.
    • Explained how to get investment for your data quality program and showcasing its value to leadership.

    2. Phase 0 Deliverables

    Introduced foundational tools to help you throughout this blueprint:

    • Complete the Data Culture Diagnostic and Business Capability Map Template as they are foundational in understanding your data culture and business capabilities to start the journey of data quality improvement.
    • Involve key relevant stakeholders when completing the Data Quality Diagnostic for each major business use case. Use the Importance and Confidence dimensions to help you prioritize which use case to address.

    3. Common Root Causes

    Addressed where multiple root causes can occur throughout the flow of your data.

    Analyzed the following common root causes of data quality:

    1. Poor system or application design
    2. Poor database design
    3. Improper integration and synchronization of enterprise data
    4. Insufficient and ineffective data quality policies and procedures
    5. Inefficient or ineffective business processes

    Phase 2

    Analyze Your Priorities for Data Quality Fixes

    Build Your Data Quality Program

    Business Context & Data Quality

    Establish the business context of data quality improvement projects at the business unit level to find common goals.

    • To ensure the data improvement strategy is business driven, start your data quality project evaluation by understanding the business context. You will then determine which business units use data and create a roadmap for prioritizing business units for data quality repairs.
    • Your business context is represented by your corporate business vision, mission, goals and objectives, differentiators, and drivers. Collectively, they provide essential information on what is important to your organization, and some hints on how to achieve that. In this step, you will gather important information about your business view and interpret the business view to establish a data view.

    Business Vision

    Business Goals

    Business Drivers

    Business Differentiators

    Not every business unit uses data to the same extent

    A data flow diagram can provide value by allowing an organization to adopt a proactive approach to data quality. Save time by knowing where the entry points are and where to look for data flaws.

    Understanding where data lives can be challenging as it is often in motion and rarely resides in one place. There are multiple benefits that come from taking the time to create a data flow diagram.

    • Mapping out the flow of data can help provide clarity on where the data lives and how it moves through the enterprise systems.
    • Having a visual of where and when data moves helps to understand who is using data and how it is being manipulated at different points.
    • A data flow diagram will allow you to elicit how data is used in a different use case.

    Info-Tech’s Four-Column Model of Data will help you to identify the essential aspects of your data:

    Business Use Case →Used by→Business Unit →Housed in→Systems→Used for→Usage of the Data

    Not every business unit requires the same standard of data quality

    To prioritize your business units for data quality improvement projects, you must analyze the relative importance of the data they use to the business. The more important the data is to the business, the higher the priority is of fixing that data. There are two measures for determining the importance of data: business value and business impact.

    Business Value of Data

    Business value of data can be evaluated by thinking about its ties to revenue generation for the organization, as well as how it is used for productivity and operations at the organization.

    The business value of data is assessed by asking what would happen to the following parameters if the data is not usable (due to poor quality, for example):

    • Loss of Revenue
    • Loss of Productivity
    • Increased Operating Costs

    Business Impact of Data

    Business impact of data should take into account the effects of poor data on both internal and external parties.

    The business impact of data is assessed by asking what the impact would be of bad data on the following parameters:

    • Impact on Customers
    • Impact on Internal Staff
    • Impact on Business Partners

    Value + Impact = Data Priority Score

    Ensure that the project starts on the right foot by completing Info-Tech’s Data Quality Problem Statement Template

    Before you can identify a solution, you must identify the problem with the business unit’s data.

    Download this tool

    Use Info-Tech’s Data Quality Problem Statement Template to identify the symptoms of poor data quality and articulate the problem.

    Info-Tech’s Data Quality Problem Statement Template will walk you through a step-by-step approach to identifying and describing the problems that the business unit feels regarding its data quality.

    Before articulating the problem, it helps to identify the symptoms of the problem. The following W’s will help you to describe the symptoms of the data quality issues:

    What

    Define the symptoms and feelings produced by poor data quality in the business unit.

    Where

    Define the location of the data that are causing data quality issues.

    When

    Define how severe the data quality issues are in frequency and duration.

    Who

    Define who is affected by the data quality problems and who works with the data.

    Info-Tech Best Practice

    Symptoms vs. Problems. Often, people will identify a list of symptoms of a problem and mistake those for the problem. Identifying the symptoms helps to define the problem, but symptoms do not help to identify the solution. The problem statement helps you to create solutions.

    Define the project problem to articulate the purpose

    1 hour

    Input

    • Symptoms of data quality issues in the business unit

    Output

    • Refined problem description

    Materials

    • Data Quality Problem Statement Template

    Participants

    • Data Quality Improvement Project team
    • Business line representatives

    A defined problem helps you to create clear goals, as well as lead your thinking to determine solutions to the problem.

    A problem statement consists of one or two sentences that summarize a condition or issue that a quality improvement team is meant to address. For the improvement team to fix the problem, the problem statement therefore has to be specific and concise.

    Instructions

    1. Gather the Data Quality Improvement Project Team in a room and start with an issue that is believed to be related to data quality.
    2. Ask what are the attributes and symptoms of that reality today; do this with the people impacted by the issue. This should be an IT and business collaboration.
    3. Draw your conclusions of what it all means: what have you collectively learned?
    4. Consider the implications of your conclusions and other considerations that must be taken into account such as regulatory needs, compliance, policy, and targets.
    5. Develop solutions – Contain the problem to something that can be solved in a realistic timeframe, such as three months.

    Download the Data Quality Problem Statement Template

    Case Study

    A strategic roadmap rooted in business requirements primes a data quality improvement plan for success.

    MathWorks

    Industry

    Software Development

    Source

    Primary Info-Tech Research

    As part of moving to a formalized data quality practice, MathWorks leveraged an incremental approach that took its time investigating business cases to support improvement actions. Establishing realistic goals for improvement in the form of a roadmap was a central component for gaining executive approval to push the project forward.

    Roadmap Creation

    In constructing a comprehensive roadmap that incorporated findings from business process and data analyses, MathWorks opted to document five-year and three-year overall goals, with one-year objectives that supported each goal. This approach ensured that the tactical actions taken were directed by long-term strategic objectives.

    Results – Business Alignment

    In presenting their roadmap for executive approval, MathWorks placed emphasis on communicating the progression and impact of their initiatives in terms that would engage business users. They focused on maintaining continual lines of communication with business stakeholders to demonstrate the value of the initiatives and also to gradually shift the corporate culture to one that is invested in an effective data quality practice.

    “Don’t jump at the first opportunity, because you may be putting out a fire with a cup of water where a fire truck is needed.” – Executive Advisor, IT Research and Advisory Firm

    Use Info-Tech’s Practice Assessment and Project Planning Tool to create your strategy for improving data quality

    Assess IT’s capabilities and competencies around data quality and plan to build these as the organization’s data quality practice develops. Before you can fix data quality, make sure you have the necessary skills and abilities to fix data quality correctly.

    The following IT capabilities are developed on an ongoing basis and are necessary for standardizing and structuring a data quality practice:

    • Meeting Business Needs
    • Services and Projects
    • Policies, Procedures, and Standards
    • Roles and Organizational Structure
    • Oversight and Communication
    • Data Quality of Different Data Types

    Download this Tool

    Data Handling and Remediation Competencies:

    • Data Standardization: Formatting values into consistent standards based on industry standards and business rules.
    • Data Cleansing: Modification of values to meet domain restrictions, integrity constraints, or other business rules for sufficient data quality for the organization.
    • Data Matching: Identification, linking, and merging related entries in or across sets of data.
    • Data Validation: Checking for correctness of the data.

    After these capabilities and competencies are assessed for a current and desired target state, the Data Quality Practice Assessment and Project Planning Tool will suggest improvement actions that should be followed in order to build your data quality practice. In addition, a roadmap will be generated after target dates are set to create your data quality practice development strategy.

    Benchmark current and identify target capabilities for your data quality practice

    1 hour

    Input

    • Current and desired data quality practices in the organization

    Output

    • Assessment of where the gaps lie in your data quality practice

    Materials

    • Data Quality Practice Assessment and Project Planning Tool

    Participants

    • Data Quality Project Lead
    • Business Line Representatives
    • Business Architects

    Use the Data Quality Practice Assessment and Project Planning Tool to evaluate the baseline and target capabilities of your practice in terms of how data quality is approached and executed.

    Download this Tool

    Instructions

    1. Invite the appropriate stakeholders to participate in this exercise. Examples:
      1. Business executives will have input in Tab 2
      2. Unique stakeholders: communications expert or executive advisors may have input
    2. On Tab 2: Practice Components, assess the current and target states of each capability on a scale of 1–5. Note: “Ad hoc” implies a capability is completed, but randomly, informally, and without a standardized method.

    These results will set the baseline against which you will monitor performance progress and keep track of improvements over time.

    Info-Tech Insight

    Focus on early alignment. Assessing capabilities within specific people’s job functions can naturally result in disagreement or debate, especially between business and IT people. Remind everyone that data quality should ultimately serve business needs wherever possible.

    Visualization improves the holistic understanding of where gaps exist in your data quality practice

    To enable deeper analysis on the results of your practice assessment, Tab 3: Data Quality Practice Scorecard in the Data Quality Practice Assessment and Project Planning Tool creates visualizations of the gaps identified in each of your practice capabilities and related data management practices. These diagrams serve as analysis summaries.

    Gap assessment of “Meeting Business Needs” capabilities

    The image shows a screen capture of the Gap assessment of 
“Meeting Business Needs” capabilities, with sample information filled in.

    Visualization of gap assessment of data quality practice capabilities

    The image shows a bar graph titled Data Quality Capabilities.

    1. Enhance your gap analyses by forming a relative comparison of total gaps in key practice capability areas, which will help in determining priorities.
    • Example: In Tab 2 compare your capabilities within “Policies, Procedures, and Standards.” Then in Tab 3, compare your overall capabilities in “Policies, Procedures, and Standards” versus “Empowering Technologies.”
  • Put these up on display to improve discussion in the gap analyses and prioritization sessions.
  • Improve the clarity and flow of your strategy template, final presentations, and summary documents by copying and pasting the gap assessment diagrams.
  • Before engaging in the data quality improvement project plan, receive signoff from IT regarding feasibility

    The final piece of the puzzle is to gain sign-off from IT.

    Hofstadter's law: It always takes longer than you expect, even when you take into account Hofstadter’s Law.

    This means that before engaging IT in data quality projects to fix the business units’ data in Phase 2, IT must assess feasibility of the data quality improvement plan. A feasibility analysis is typically used to review the strengths and weaknesses of the projects, as well as the availability of required skills and technologies needed to complete them. Use the following workflow to guide you in performing a feasibility analysis:

    Project evaluation process:

    Present capabilities

    • Operational Capabilities
    • System Capabilities
    • Schedule Capabilities
      • Summary of Evaluation Results
        • Recommendations/ modifications to the project plan

    Info-Tech Best Practice

    While the PMO identifies and coordinates projects, IT must determine how long and for how much.

    Conduct gap analysis sessions to review and prioritize the capability gaps

    1 hour

    Input

    • Current and Target State Assessment

    Output

    • Documented initiatives to help you get to the target state

    Materials

    • Data Quality Practice Assessment and Project Planning Tool

    Participants

    • Data Quality team
    • IT representatives

    Instructions

    • Analyze Gap Analysis Results – As a group, discuss the high-level results on Tab 3: Data Quality Practice Score. Discuss the implications of the gaps identified.
    • Do a line-item review of the gaps between current and target levels for each assessed capability by using Tab 2: Practice Components.
    • Brainstorm Alignment Strategies – Brainstorm the effort and activities that will be necessary to support the practice in building its capabilities to the desired target level. Ask the following questions:
      • What activities must occur to enable this capability?
      • What changes/additions to resources, process, technology, business involvement, and communication must occur?
    • Document Data Quality Initiatives – Turn activities into initiatives by documenting them in Tab 4. Data Quality Practice Roadmap. Review the initiatives and estimate the start and end dates of each one.
    • Continue to evaluate the assessment results in order to create a comprehensive set of data quality initiatives that support your practice in building capabilities.

    Download this Tool

    Create the organization’s data quality improvement strategy roadmap

    1 hour

    Input

    • Data quality practice gaps and improvement actions

    Output

    • Data quality practice improvement roadmap

    Materials

    • Data Quality Practice Assessment and Project Planning Tool

    Participants

    • Data Quality Project Lead
    • Business Executives
    • IT Executives
    • Business Architects

    Generating Your Roadmap

    1. Plan the sequence, starting time, and length of each initiative in the Data Quality Practice Assessment and Project Planning Tool.
    2. The tool will generate a Gantt chart based on the start and length of your initiatives.
    3. The Gantt chart is generated in Tab 4: Data Quality Practice Roadmap, and can be used to organize and ensure that all of the essential aspects of data quality are addressed.

    Use the Practice Roadmap to plan and improve data quality capabilities

    Download this Tool

    Info-Tech Best Practice

    To help get you started, Info-Tech has provided an extensive list of data quality improvement initiatives that are commonly undertaken by organizations looking to improve their data quality.

    Establish Baseline Metrics

    Baseline metrics will be improved through:

    2 hours

    Create practice-level metrics to monitor your data quality practice.

    Instructions:

    1. Establish metrics for both the business and IT that will be used to determine if the data quality practice development is effective.
    2. Set targets for each metric.
    3. Collect current data to calculate the metrics and establish a baseline.
    4. Assign an owner for tracking each metric to be accountable for performance.
    Metric Current Goal
    Usage (% of trained users using the data warehouse)
    Performance (response time)
    Performance (response time)
    Resource utilization (memory usage, number of machine cycles)
    User satisfaction (quarterly user surveys)
    Data quality (% values outside valid values, % fields missing, wrong data type, data outside acceptable range, data that violates business rules. Some aspects of data quality can be automatically tracked and reported)
    Costs (initial installation and ongoing, Total Cost of Ownership including servers, software licenses, support staff)
    Security (security violations detected, where violations are coming from, breaches)
    Patterns that are used
    Reduction in time to market for the data
    Completeness of data that is available
    How many "standard" data models are being used
    What is the extra business value from the data governance program?
    How much time is spent for data prep by BI & analytics team?

    Phase 2 summary

    As you improve your data quality practice and move from reactive to stable, don’t rest and assume that you can let data quality keep going by itself. Rapidly changing consumer requirements or other pains will catch up to your organization and you will fall behind again. By moving to the proactive and predictive end of the maturity scale, you can stay ahead of the curve. By following the methodology laid out in Phase 1, the data quality practices at your organization will improve over time, leading to the following results:

    Chaotic

    Before Data Quality Practice Improvements

    • No standards to data quality

    Reactive

    Year 1

    • Processes defined
    • Data cleansing approach to data quality

    Stable

    Year 2

    • Business rules/ stewardship in place
    • Education and training

    Proactive

    Year 3

    • Data quality practices fully in place and embedded in the culture
    • Trusted and intelligent enterprise

    (Global Data Excellence, Data Excellence Maturity Model)

    Phase 3

    Establish Your Organization’s Data Quality Program

    Build Your Data Quality Program

    Create a data lineage diagram to map the data journey and identify the data subject areas to be targeted for fixes

    It is important to understand the various data that exist in the business unit, as well as which data are essential to business function and require the highest degree of quality efforts.

    Visualize your databases and the flow of data. A data lineage diagram can help you and the Data Quality Improvement Team visualize where data issues lie. Keeping the five-tier architecture in mind, build your data lineage diagram.

    Reminder: Five-Tier Architecture

    The image shows the Five-Tier Architecture graphic.

    Use the following icons to represent your various data systems and databases.

    The image shows four icons. They are: the image of a square and a computer monitor, labelled Application; the image of two sheets of paper, labelled Desktop documents; the image of a green circle next to a computer monitor, labelled Web Application; and a blue cylinder labelled Database.

    Use Info-Tech’s Data Lineage Diagram to document the data sources and applications used by the business unit

    2 hours

    Input

    • Data sources and applications used by the business unit

    Output

    • Data lineage diagram

    Materials

    • Data Lineage Diagram Template

    Participants

    • Business Unit Head/Data Owner
    • Business Unit SMEs
    • Data Analysts/Architects

    Map the flow and location of data within a business unit by creating a system context diagram.

    Gain an accurate view of data locations and uses: Engage business users and representatives with a wide breadth of knowledge-related business processes and the use of data by related business operations.

    1. Sit down with key business representatives of the business unit.
    2. Document the sources of data and processes in which they’re involved, and get IT confirmation that the sources of the data are correct.
    3. Map out the sources and processes in a system context diagram.

    Download this Tool

    Sample Data Lineage Diagram

    The image shows a sample data lineage diagram, split into External Applications and Internal Applications, and showing the processes involved in each.

    Leverage Info-Tech’s Data Quality Practice Assessment and Project Planning Tool to document business context

    1 hour

    Input

    • Business vision, goals, and drivers

    Output

    • Business context for the data quality improvement project

    Materials

    • Data Quality Practice Assessment and Project Planning Tool

    Participants

    • Data Quality project lead
    • Business line representatives
    • IT executives

    Develop goals and align them with specific objectives to set the framework for your data quality initiatives.

    In the context of achieving business vision, mission, goals, and objectives and sustaining differentiators and key drivers, think about where and how data quality is a barrier. Then brainstorm data quality improvement objectives that map to these barriers. Document your list of objectives in Tab 5. Prioritize business units of the Data Quality Practice Assessment and Project Planning Tool.

    Establishing Business Context Example

    Healthcare Industry

    Vision To improve member services and make service provider experience more effective through improving data quality and data collection, aggregation, and accessibility for all the members.
    Goals

    Establish meaningful metrics that guide to the improvement of healthcare for member effectiveness of health care providers:

    • Data collection
    • Data harmonization
    • Data accessibility and trust by all constituents.
    Differentiator Connect service consumers with service providers, that comply with established regulations by delivering data that is accurate, trusted, timely, and easy to understand to connect service providers and eliminate bureaucracy and save money and time.
    Key Driver Seamlessly provide a healthcare for members.

    Download this Tool

    Document the identified business units and their associated data

    30 minutes

    Input

    • Business units

    Output

    • Documented business units to begin prioritization

    Materials

    • Data Quality Practice Assessment and Project Planning Tool

    Participants

    • Project Manager

    Instructions

    1. Using Tab 5: Prioritize Business Units of the Data Quality Practice Assessment and Project Planning Tool, document the business units that use data in the organization. This will likely be all business units in the organization.
    2. Next, document the primary data used by those business units.
    3. These inputs will then be used to assess business unit priority to generate a data quality improvement project roadmap.

    The image shows a screen capture of Tab 5: Prioritize Business Units, with sample information inputted.

    Reminder – Not every business unit requires the same standard of data quality

    To prioritize your business units for data quality improvement projects, you must analyze the relative importance of the data they use to the business. The more important the data is to the business, the higher the priority is of fixing that data. There are two measures for determining the importance of data: business value and business impact.

    Business Value of Data

    Business value of data can be evaluated by thinking about its ties to revenue generation for the organization, as well as how it is used for productivity and operations at the organization.

    The business value of data is assessed by asking what would happen to the following parameters if the data is not usable (due to poor quality, for example):

    • Loss of Revenue
    • Loss of Productivity
    • Increased Operating Costs

    Business Impact of Data

    Business impact of data should take into account the effects of poor data on both internal and external parties.

    The business impact of data is assessed by asking what the impact would be of bad data on the following parameters:

    • Impact on Customers
    • Impact on Internal Staff
    • Impact on Business Partners

    Value + Impact = Data Priority Score

    Assess the business unit priority order for data quality improvements

    2 hours

    Input

    • Assessment of value and impact of business unit data

    Output

    • Prioritization list for data quality improvement projects

    Materials

    • Data Quality Practice Assessment and Project Planning Tool

    Participants

    • Project Manager
    • Data owners

    Instructions

    Instructions In Tab 5: Prioritize Business Units of the Data Quality Practice Assessment and Project Planning Tool, assess business value and business impact of the data within each documented business unit.

    Use the ratings High, Medium, and Low to measure the financial, productivity, and efficiency value and impact of each business unit’s data.

    In addition to these ratings, assess the number of help desk tickets that are submitted to IT regarding data quality issues. This parameter is an indicator that the business unit’s data is high priority for data quality fixes.

    Download this Tool

    Create a business unit order roadmap for your data quality improvement projects

    1 hour

    Input

    • Rating of importance of data for each business unit

    Output

    • Roadmap for data quality improvement projects

    Materials

    • Data Quality Practice Assessment and Project Planning Tool

    Participants

    • Project Manager
    • Product Manager
    • Business line representatives

    Instructions

    After assessing the business units for the business value and business impact of their data, the Data Quality Practice Assessment and Project Planning Tool automatically assesses the prioritization of the business units based on your ratings. These prioritizations are then summarized in a roadmap on Tab 6: Data Quality Project Roadmap. The following is an example of a project roadmap:

    The image shows an example of a project roadmap, with three business units listed vertically along the left hand side, and a Gantt chart showing the time periods in which each Business Unit would work. At the bottom, a table shows the Length of the Project in days (100), and the start date for the first project.

    On Tab 6, insert the timeline for your data quality improvement projects, as well as the starting date of your first data quality project. The roadmap will automatically update with the chosen timing and dates.

    Download this Tool

    Identify metrics at the business unit level to track data quality improvements

    As you improve the data quality for specific business units, measuring the benefits of data quality improvements will help you demonstrate the value of the projects to the business.

    Use the following table to guide you in creating business-aligned metrics:

    Business Unit Driver Metrics Goal
    Sales Customer Intimacy Accuracy of customer data. Percent of missing or incomplete records. 10% decrease in customer record errors.

    Marketing

    Customer Intimacy Accuracy of customer data. Percent of missing or incomplete records. 10% decrease in customer record errors.
    Finance Operational Excellence Relevance of financial reports. Decrease in report inaccuracy complaints.
    HR Risk Management Accuracy of employee data. 10% decrease in employee record errors.
    Shipping Operational Excellence Timeliness of invoice data. 10% decrease in time to report.

    Info-Tech Insight

    Relating data governance success metrics to overall business benefits keeps executive management and executive sponsors engaged because they are seeing actionable results. Review metrics on an ongoing basis with those data owners/stewards who are accountable, the data governance steering committee, and the executive sponsors.

    Case Study

    Address data quality with the right approach to maximize the ROI

    EDC

    Industry: Government

    Source: Environment Development of Canada (EDC)

    Challenge

    Environment Development Canada (EDC) would initially identify data elements that are important to the business purely based on their business instinct.

    Leadership attempted to tackle the enterprise’s data issues by bringing a set of different tools into the organization.

    It didn’t work out because the fundamental foundational layer, which is the data and infrastructure, was not right – they didn't have the foundational capabilities to enable those tools.

    Solution

    Leadership listened to the need for one single team to be responsible for the data persistence.

    Therefore, the data platform team was granted that mandate to extensively execute the data quality program across the enterprise.

    A data quality team was formed under the Data & Analytics COE. They had the mandate to profile the data and to understand what quality of data needed to be achieved. They worked constantly with the business to build the data quality rules.

    Results

    EDC tackled the source of their data quality issues through initially performing a data quality management assessment with business stakeholders.

    From then on, EDC was able to establish their data quality program and carry out other key initiatives that prove the ROI on data quality.

    Begin your data quality improvement project starting with the highest priority business unit

    Now that you have a prioritized list for your data quality improvement projects, identify the highest priority business unit. This is the business unit you will work through Phase 3 with to fix their data quality issues.

    Once you have initiated and identified solutions for the first business unit, tackle data quality for the next business unit in the prioritized list.

    The image is a graphic labelled as Phase 2. On the left, there is a vertical arrow pointing upward labelled Priority of Business Units. Next to it, there are three boxes, with downward pointing arrows between them, each box labelled as each Business Unit's Data Quality Improvement Project. From there an arrow points right to a circle. Inside the circle are the steps necessary to complete the data quality improvement project.

    Create and document your data quality improvement team

    1 hour

    Input

    • Individuals who fit the data quality improvement plan team roles

    Output

    • Project team

    Materials

    • Data Quality Improvement Plan Template

    Participants

    • Data owner
    • Project Manager
    • Product Manager

    The Data Quality Improvement Plan is a concise document that should be created for each data quality project (i.e. for each business unit) to keep track of the project.

    Instructions

    1. Meet with the data owner of the business unit identified for the data quality improvement project.
    2. Identify individuals who fit the data quality improvement plan team roles.
    3. Using the Data Quality Improvement Plan Template to document the roles and individuals who will fit those roles.
    4. Have an introductory meeting with the Improvement team to clarify roles and responsibilities for the project.

    Download this Tool

    Team role Assigned to
    Data Owner [Name]
    Project Manager [Name]
    Business Analyst/BRM [Name]
    Data Steward [Name]
    Data Analyst [Name]

    Document the business context of the Data Quality Improvement Plan

    1 hour

    Input

    • Project team
    • Identified data attributes

    Output

    • Business context for the data quality improvement plan

    Materials

    • Data Quality Improvement Plan Template

    Participants

    • Data owner
    • Project Sponsor
    • Product owner

    Data quality initiatives have to be relevant to the business, and the business context will be used to provide inputs to the data improvement strategy. The context can then be used to determine exactly where the root causes of data quality issues are, which will inform your solutions.

    Instructions

    The business context of the data quality improvement plan includes documenting from previous activities:

    1. The Data Quality Improvement Team.
    2. Your Data Lineage Diagram.
    3. Your Data Quality Problem Statement.

    Info-Tech Best Practice

    While many organizations adopt data quality principles, not all organizations express them along the same terms. Have multiple perspectives within your organization outline principles that fit your unique data quality agenda. Anyone interested in resolving the day-to-day data quality issues that they face can be helpful for creating the context around the project.

    Download this tool

    Now that you have a defined problem, revisit the root causes of poor data quality

    You previously fleshed out the problem with data quality present in the business unit chosen as highest priority. Now it is time to figure out what is causing those problems.

    In the table below, you will find some of the common categories of causes of data quality issues, as well as some specific root causes.

    Category Description
    1. System/Application Design Ineffective, insufficient, or even incorrect system/application design accepts incorrect and missing data elements to the source applications and databases. The data records in those source systems may propagate into systems in tiers 2, 3, 4, and 5 of the 5-tier architecture, creating domino and ripple effects.
    2. Database design Database is created and modeled in an incorrect manner so that the management of the data records is incorrect, resulting in duplicated and orphaned records, and records that are missing data elements or records that contain incorrect data elements. Poor operational data in databases often leads to issues in tiers 2, 3, 4, and 5.
    3. Enterprise Integration Data or information is improperly integrated, transformed, masked, and aggregated in tier 2. In addition, some data integration tasks might not be timely, resulting in out-of-date data or even data that contradicts with other data. Enterprise integration is a precursor of loading a data warehouse and data marts. Issues in this layer affect tier 3, 4 and 5 on the 5-tier architecture.
    4. Policies and Procedures Policies and procedures are not effectively used to reinforce data quality. In some situations, policy gaps are found. In others, policies are overlapped and duplicated. Policies may also be out-of-date or too complex, affecting the users’ ability to interpret the policy objectives. Policies affect all tiers in the 5-tier architecture.
    5. Business Processes Improper business process design introduces poor data into the data systems. Failure to create processes around approving data changes, failure to document key data elements, and failure to train employees on the proper uses of data make data quality a burning problem.

    Leverage a root cause analysis approach to pinpoint the origins of your data issues

    A root cause analysis is a systematic approach to decompose a problem into its components. Use fishbone diagrams to help reveal the root causes of data issues.

    The image shows a fishbone diagram on the left, which starts with Process on the left, and then leads to Application and Integration, and then Database and Policies. This section is titled Root causes. The right hand section is titled Lead to problems with data... and includes 4 circles with the word or in between each. The circles are labelled: Completeness; Usability; Timeliness; Accessibility.

    Info-Tech recommends five root cause categories for assessing data quality issues:

    Application Design. Is the issue caused by human error at the application level? Consider internal employees, external partners/suppliers, and customers.

    Database Design. Is the issue caused by a particular database and stems from inadequacies in its design?

    Integration. Data integration tools may not be fully leveraged, or data matching rules may be poorly designed.

    Policies and Procedures. Do the issues take place because of lack of governance?

    Business Processes. Do the issues take place due to insufficient processes?

    For Example:

    When performing a deeper analysis of your data issues related to the accuracy of the business unit’s data, you would perform a root cause analysis by assessing the contribution of each of the five categories of data quality problem root causes:

    The image shows another fishbone diagram, with example information filled in. The first section on the left is titled Application Design, and includes the text: Data entry problems lead to incorrect accounting entries. The second is Integration, and includes the text: Data integration tools are not fully leveraged. The third section is Policies, and includes the text: No policy on standardizing name and address. The last section is Database design, with text that reads: Databases do not contain unique keys. The diagram ends with an arrow pointing right to a blue circle with Accuracy in it.

    Leverage a combination of data analysis techniques to identify and quantify root causes

    Info-Tech Insight

    Including all attributes of the key subject area in your data profiling activities may produce too much information to make sense of. Conduct data profiling primarily at the table level and undergo attribute profiling only if you are able to narrow down your scope sufficiently.

    Data Profiling Tool

    Data profiling extracts a sample of the target data set and runs it through multiple levels of analysis. The end result is a detailed report of statistics about a variety of data quality criteria (duplicate data, incomplete data, stale data, etc.).

    Many data profiling tools have built-in templates and reports to help you uncover data issues. In addition, they quantify the occurrences of the data issues.

    E-Discovery Tool

    This supplements a profiling tool. For Example, use a BI tool to create a custom grouping of all the invalid states (e.g. “CAL,” “AZN,” etc.) and visualize the percentage of invalid states compared to all states.

    SQL Queries

    This supplements a profiling tool. For example, use a SQL statement to group the customer data by customer segment and then by state to identify which segment–state combinations contain poor data.

    Identify the data issues for the particular business unit under consideration

    2 hours

    Input

    • Issues with data quality felt by the business unit
    • Data lineage diagram

    Output

    • Categorized data quality issues

    Materials

    • Whiteboard, markers, sticky notes
    • Data Quality Improvement Plan Template

    Participants

    • Data quality improvement project team
    • Business line representatives

    Instructions

    1. Gather the data quality improvement project team in a room, along with sticky notes and a whiteboard.
    2. Display your previously created data lineage diagram on the whiteboard.
    3. Using color-coded sticky notes, attach issues to each component of the data lineage diagram that team members can identify. Use different colors for the four quality attributes: Completeness, Usability, Timeliness, and Accessibility.

    Example:

    The image shows the data lineage diagram that has been shown in previous sections. In addition, the image shows 4 post-its arranges around the diagram, labelled: Usability; Completeness; Timeliness; and Accessibility.

    Map the data issues on fishbone diagrams to identify root causes

    1 hour

    Input

    • Categorized data quality issues

    Output

    • Completed fishbone diagrams

    Materials

    • Whiteboard, markers, sticky notes
    • Data Quality Improvement Plan Template

    Participants

    • Data quality improvement project team

    Now that you have data quality issues classified according to the data quality attributes, map these issues onto four fishbone diagrams.

    The image shows a fishbone diagram, which is titled Example: Root cause analysis diagram for data accuracy.

    Download this Tool

    Get to know the root causes behind system/application design mistakes

    Suboptimal system/application design provides entry points for bad data.

    Business Process
    Usually found in → Tier 1 Tier 2 Tier 3 Tier 4 Tier 5
    Issue Root Causes Usability Completeness Timeliness Accessibility
    Insufficient data mask No data mask is defined for a free-form text field in a user interface. E.g. North American phone number should have 4 masks – country code (1-digit), area code (3-digit), and local number (7-digit). X X
    Too many free-form text fields Incorrect use of free-form text fields (fields that accept a variety of inputs). E.g. Use a free-form text field for zip code instead of a backend look up. X X
    Lack of value lookup Reference data is not looked up from a reference list. E.g. State abbreviation is entered instead of being looked up from a standard list of states. X X
    Lack of mandatory field definitions Mandatory fields are not identified and reinforced. Resulting data records with many missing data elements. E.g. Some users may fill up 2 or 3 fields in a UI that has 20 non-mandatory fields. X

    The image shows a fishbone diagram, with the following sections, from left to right: Application Design; Integration; Processes; Policies; Database Design; Data Quality Measure. The Application Design section is highlighted.

    Get to know the root causes behind common database design mistakes

    Improper database design allows incorrect data to be stored and propagated.

    Business Process
    Usually found in → Tier 1 Tier 2 Tier 3 Tier 4 Tier 5
    Issue Root Causes Usability Completeness Timeliness Accessibility
    Incorrect referential integrity Referential integrity constraints are absent or incorrectly implemented, resulting in child records without parent records, or related records are updated or deleted in a cascading manner. E.g. An invoice line item is created before an invoice is created. X X
    Lack of unique keys Lack of unique keys creating scenarios where record uniqueness cannot be guaranteed. E.g. Customer records with the same customer_ID. X X
    Data range Fail to define a data range for incoming data, resulting in data values that are out of range. E.g. The age field is able to store an age of 999. X X
    Incorrect data type Incorrect data types are used to store data fields. E.g. A string field is used to store zip codes. Some users use that to store phone numbers, birthdays, etc. X X

    The image shows a fishbone diagram, with the following sections, from left to right: Application Design; Integration; Processes; Policies; Database Design; Data Quality Measure. The Database Design section is highlighted

    Get to know the root causes behind enterprise integration mistakes

    Improper data integration or synchronization may create poor analytical data.

    Business Process
    Usually found in → Tier 1 Tier 2 Tier 3 Tier 4 Tier 5
    Issue Root Causes Usability Completeness Timeliness Accessibility
    Incorrect transformation Transformation is done incorrectly. A wrong formula may have been used, transformation is done at the wrong data granularity, or aggregation logic is incorrect. E.g. Aggregation is done for all customers instead of just active customers. X X
    Data refresh is out of sync Data is synchronized at different intervals, resulting in a data warehouse where data domains are out of sync. E.g. Customer transactions are refreshed to reflect the latest activities but the account balance is not yet refreshed. X X
    Data is matched incorrectly Fail to match records from disparate systems, resulting in duplications and unmatched records. E.g. Unable to match customers from different systems because they have different cust_ID. X X
    Incorrect data mapping Fields from source systems are not properly matched with data warehouse fields. E.g. Status fields from different systems are mixed into one field. X X

    The image shows a fishbone diagram, with the following sections, from left to right: Application Design; Integration; Processes; Policies; Database Design; Data Quality Measure. The Integration section is highlighted

    Get to know the root causes behind policy and procedure mistakes

    Suboptimal policies and procedures undermine the effect of best practices.

    Business Process
    Usually found in → Tier 1 Tier 2 Tier 3 Tier 4 Tier 5
    Issue Root Causes Usability Completeness Timeliness Accessibility
    Policy Gaps There are gaps in the policy landscape in terms of some missing key policies or policies that are not refreshed to reflect the latest changes. E.g. A data entry policy is absent, leading to inconsistent data entry practices. X X
    Policy Communications Policies are in place but the policies are not communicated effectively to the organization, resulting in misinterpretation of policies and under-enforcement of policies. E.g. The data standard is created but very few developers are aware of its existence. X X
    Policy Enforcement Policies are in place but not proactively re-enforced and that leads to inconsistent application of policies and policy adoption. E.g. Policy adoption is dropping over time due to lack of reinforcement. X X
    Policy Quality Policies are written by untrained authors and they do not communicate the messages. E.g. A non-technical data user may find a policy that is loaded with technical terms confusing. X X

    The image shows a fishbone diagram, with the following sections, from left to right: Application Design; Integration; Processes; Policies; Database Design; Data Quality Measure. The Policies section is highlighted

    Get to know the root causes behind common business process mistakes

    Ineffective and inefficient business processes create entry points for poor data.

    Business Process
    Usually found in → Tier 1 Tier 2 Tier 3 Tier 4 Tier 5
    Issue Root Causes Usability Completeness Timeliness Accessibility
    Lack of training Key data personnel and business analysts are not trained in data quality and data governance, leading to lack of accountability. E.g. A data steward is not aware of downstream impact of a duplicated financial statement. X X
    Ineffective business process The same piece of information is entered into data systems two or more times. Or a piece of data is stalled in a data system for too long. E.g. A paper form is scanned multiple times to extract data into different data systems. X X
    Lack of documentation Fail to document the work flows of the key business processes. A lack of work flow results in sub-optimal use of data. E.g. Data is modeled incorrectly due to undocumented business logic. X X
    Lack of integration between business silos Business silos hold on to their own datasets resulting in data silos in which data is not shared and/or data is transferred with errors. E.g. Data from a unit is extracted as a data file and stored in a shared drive with little access. X X

    The image shows a fishbone diagram, with the following sections, from left to right: Application Design; Integration; Processes; Policies; Database Design; Data Quality Measure. The Processes section is highlighted

    Phase 3 Summary

    1. Data Lineage Diagram
    • Creating the data lineage diagram is recommended to help visualize the flow of your data and to map the data journey and identify the data subject areas to be targeted for fixes.
    • The data lineage diagram was leveraged multiple times throughout this Phase. For example, the data lineage diagram was used to document the data sources and applications used by the business unit
  • Business Context
    • Business context was documented through the Data Quality Practice Assessment and Project Planning Tool.
    • The same tool was used to document identified business units and their associated data.
    • Metrics were also identified at the business unit level to track data quality improvements.
  • Common Root Causes
    • Leverage a root cause analysis approach to pinpoint the origins of your data quality issues.
    • Analyzed and got to know the root causes behind the following:
      1. System/application design mistakes
      2. Common database design mistakes
      3. Enterprise integration mistakes
      4. Policies and procedures mistakes
      5. Common business processes mistakes
  • Phase 4

    Grow and Sustain Your Data Quality Program

    Build Your Data Quality Program

    For the identified root causes, determine the solutions for the problem

    As you worked through the previous step, you identified the root causes of your data quality problems within the business unit. Now, it is time to identify solutions.

    The following slides provide an overview of the solutions to common data quality issues. As you identify solutions that apply to the business unit being addressed, insert the solution tables in Section 4: Proposed Solutions of the Data Quality Improvement Plan Template.

    All data quality solutions have two components to them:

    • Technology
    • People

    For the next five data quality solution slides, look for the slider for the contributions of each category to the solution. Use this scale to guide you in creating solutions.

    When designing solutions, keep in mind that solutions to data quality problems are not mutually exclusive. In other words, an identified root cause may have multiple solutions that apply to it.

    For example, if an application is plagued with inaccurate data, the application design may be suboptimal, but also the process that leads to data being entered may need fixing.

    Data quality improvement strategy #1:

    Fix data quality issues by improving system/application design.

    Technology

    Application Interface Design

    Restrict field length – Capture only the characters you need for your application.

    Leverage data masks – Use data masks in standardized fields like zip code and phone number.

    Restrict the use of open text fields and use reference tables – Only present open text fields when there is a need. Use reference tables to limit data values.

    Provide options – Use radio buttons, drop-down lists, and multi-select instead of using open text fields.

    Data Validation at the Application Level

    Validate data before committing – Use simple validation to ensure the data entered is not random numbers and letters.

    Track history – Keep track of who entered what fields.

    Cannot submit twice – Only design for one-time submission.

    People

    Training

    Data-entry training – Training that is related to data entry, creating, or updating data records.

    Data resolution training – Training data stewards or other dedicated data personnel on how to resolve data records that are not entered properly.

    Continuous Improvement

    Standards – Develop application design principles and standards.

    Field testing – Field data entry with a few people to look for abnormalities and discrepancies.

    Detection and resolution – Abnormal data records should be isolated and resolved ASAP.

    Application Testing

    Thorough testing – Application design is your first line of defence against poor data. Test to ensure bad data is kept out of the systems.

    Case Study

    HMS

    Industry: Healthcare

    Source: Informatica

    Improve your data quality ingestion procedures to provide better customer intimacy for your users

    Healthcare Management Systems (HMS) provides cost containment services for healthcare sponsors and payers, and coordinates benefits services. This is to ensure that healthcare claims are paid correctly to both government agencies and individuals. To do so, HMS relies on data, and this data needs to be of high quality to ensure the correct decisions are made, the right people get the correct claims, and the appropriate parties pay out.

    To improve the integrity of HMS’s customer data, HMS put in place a framework that helped to standardize the collection of high volume and highly variable data.

    Results

    Working with a data quality platform vendor to establish a framework for data standardization, HMS was able to streamline data analysis and reduce new customer implementations from months to weeks.

    HMS data was plagued with a lack of standardization of data ingestion procedures.

    Before improving data quality processes After improving data quality processes
    Data Ingestion Data Ingestion
    Many standards of ingestion. Standardized data ingestion
    Data Storage Data Storage
    Lack of ability to match data, creating data quality errors.
    Data Analysis Data Analysis
    = =
    Slow Customer Implementation Time 50% Reduction in Customer Implementation Time

    Data quality improvement strategy #2:

    Fix data quality issues using proper database design.

    Technology

    Database Design Best Practices

    Referential integrity – Ensure parent/child relationships are maintained in terms of cascade creation, update, and deletion.

    Primary key definition – Ensure there is at least one key to guarantee the uniqueness of the data records, and primary key should not allow null.

    Validate data domain – Create triggers to check the data values entered in the database fields.

    Field type and length – Define the most suitable data type and length to hold field values.

    One-Time Data Fix (more on the next slide)

    Explore solutions – Where to fix the data issues? Is there a case to fix the issues?

    Running profiling tools to catch errors – Run scans on the database with defined criteria to identify occurrences of questionable data.

    Fix a sample before fixing all records – Use a proof-of-concept approach to explore fix options and evaluate impacts before fixing the full set.

    People

    The DBA Team

    Perform key tasks in pairs – Take a pair approach to perform key tasks so that validation and cross-check can happen.

    Skilled DBAs – DBAs should be certified and accredited.

    Competence – Assess DBA competency on an ongoing basis.

    Preparedness – Develop drills to stimulate data issues and train DBAs.

    Cross train – Cross train team members so that one DBA can cover another DBA.

    Data quality improvement strategy #3:

    Improve integration and synchronization of enterprise data.

    Technology

    Integration Architecture

    Info-Tech’s 5-Tier Architecture – When doing transformations, it is good practice to persist the integration results in tier 3 before the data is further refined and presented in tier 4.

    Timing, timing, and timing – Think of the sequence of events. You may need to perform some ETL tasks before other tasks to achieve synchronization and consistence.

    Historical changes – Ensure your tier 3 is robust enough to include historical data. You need to enable type 2 slowly, changing dimension to recreate the data at a point in time.

    Data Cleansing

    Standardize – Leverage data standardization to standardize name and address fields to improve matching and integration.

    Fuzzy matching – When there are no common keys between datasets. The datasets can only be matched by fuzzy matching. Fuzzy matching is not hard science; define a confidence level and think about a mechanism to deal with the unmatched.

    People

    Reporting and Documentations

    Business data glossary and data lineage – Define a business data glossary to enhance findability of key data elements. Document data mappings and ETL logics.

    Create data quality reports – Many ETL platforms provide canned data quality reports. Leverage those quality reports to monitor the data health.

    Code Review

    Create data quality reports – Many ETL platforms provide canned data quality reports. Leverage those quality reports to monitor the data health.

    ARB (architectural review board) – All ETL codes should be approved by the architectural review board to ensure alignment with the overall integration strategy.

    Data quality improvement strategy #4:

    Improve data quality policies and procedures.

    Technology

    Policy Reporting

    Data quality reports – Leverage canned data quality reports from the ETL platforms to monitor data quality on an on-going basis. When abnormalities are found, provoke the right policies to deal with the issues.

    Store policies in a central location that is well known and easy to find and access. A key way that technology can help communicate policies is by having them published on a centralized website.

    Make the repository searchable and easily navigable. myPolicies helps you do all this and more.

    myPolicies helps you do all this and more.

    Go to this link

    People

    Policy Review and Training

    Policy review – Create a schedule for reviewing policies on a regular basis – invite professional writers to ensure polices are understandable.

    Policy training – Policies are often unread and misread. Training users and stakeholders on policies is an effective way to make sure those users and stakeholders understand the rationale of the policies. It is also a good practice to include a few scenarios that are handled by the policies.

    Policy hotline/mailbox – To avoid misinterpretation of the policies, a policy hotline/mailbox should be set up to answer any data policy questions from the end users/stakeholders.

    Policy Communications

    Simplified communications – Create handy one-pagers and infographic posters to communicate the key messages of the polices.

    Policy briefing – Whenever a new data project is initiated, a briefing of data policies should be given to ensure the project team follows the policies from the very beginning.

    Data quality improvement strategy #5:

    Streamline and optimize business processes.

    Technology

    Requirements Gathering

    Data Lineage – Leverage a metadata management tool to construct and document data lineage for future reference.

    Documentations Repository – It is a best practice to document key project information and share that knowledge across the project team and with the stakeholder. An improvement understanding of the project helps to identify data quality issues early on in the project.

    “Automating creation of data would help data quality most. You have to look at existing processes and create data signatures. You can then derive data off those data codes.” – Patrick Bossey, Manager of Business Intelligence, Crawford and Company

    People

    Requirements Gathering

    Info-Tech’s 4-Column Model – The datasets may exist but the business units do not have an effective way of communicating the quality needs. Use our four-column model and the eleven supporting questions to better understand the quality needs. See subsequent slides.

    I don’t know what the data means so I think the quality is poor – It is not uncommon to see that the right data presented to the business but the business does not trust the data. They also do not understand the business logic done on the data. See our Business Data Glossary in subsequent slides.

    Understand the business workflow – Know the business workflow to understand the manual steps associated with the workflow. You may find steps in which data is entered, manipulated, or consumed inappropriately.

    “Do a shadow data exercise where you identify the human workflows of how data gets entered, and then you can identify where data entry can be automated.” – Diraj Goel, Growth Advisor, BC Tech

    Brainstorm solutions to your data quality issues

    4 hours

    Input

    • Data profiling results
    • Preliminary root cause analyses

    Output

    • Proposals for data fix
    • Fixed issues

    Materials

    • Data Quality Improvement Plan Template

    Participants

    • Business and Data Analysts
    • Data experts and stewards

    After walking through the best-practice solutions to data quality issues, propose solutions to fix your identified issues.

    Instructions

    1. Review Root Cause Analyses: Revisit the root cause analysis and data lineage diagram you have generated in Step 3.2. to understand the issues in greater details.
    2. Characterize Each Issue: You may need to generate a data profiling report to characterize the issue. The report can be generated by using data quality suites, BI platforms, or even SQL statements.
    3. Brainstorm the Solutions: As a group, discuss potential ways to fix the issue. You can tackle the issues by approaching from these areas:
    Solution Approaches
    Technology Approach
    People Approach

    X crossover with

    Problematic Areas
    Application/System Design
    Database Design
    Data Integration and Synchronization
    Policies and Procedures
    Business Processes
    1. Document and Communicate: Document the solutions to your data issues. You may need to reuse or refer to the solutions. Also brainstorm some ideas on how to communicate the results back to the business.

    Download this Tool

    Sustaining your data quality requires continuous oversight through a data governance practice

    Quality data is the ultimate outcome of data governance and data quality management. Data governance enables data quality by providing the necessary oversight and controls for business processes in order to maintain data quality. There are three primary groups (at right) that are involved in a mature governance practice. Data quality should be tightly integrated with all of them.

    Define an effective data governance strategy and ensure the strategy integrates well with data quality with Info-Tech’s Establish Data Governance blueprint.

    Visit this link

    Data Governance Council

    This council establishes data management practices that span across the organization. This should be comprised of senior management or C-suite executives that can represent the various departments and lines of business within the organization. The data governance council can help to promote the value of data governance, facilitate a culture that nurtures data quality, and ensure that the goals of the data governance program are well aligned with business objectives.

    Data Owners

    Identifying the data owner role within an organization helps to create a greater degree of accountability for data issues. They often oversee how the data is being generated as well as how it is being consumed. Data owners come from the business side and have legal rights and defined control over a data set. They ensure data is available to the right people within the organization.

    Data Stewards

    Conflict can occur within an organization’s data governance program when a data steward’s role is confused with that of the steering committee’s role. Data stewards exist to enforce decisions made about data governance and data management. Data stewards are often business analysts or power users of a particular system/dataset. Where a data owner is primarily responsible for access, a data steward is responsible for the quality of a dataset.

    Integrate the data quality management strategy with existing data governance committees

    Ongoing and regular data quality management is the responsibility of the data governance bodies of the organization.

    The oversight of ongoing data quality activities rests on the shoulders of the data governance committees that exist in the organization.

    There is no one-size-fits-all data governance structure. However, most organizations follow a similar pattern when establishing committees, councils, and cross-functional groups. They strive to identify roles and responsibilities at a strategic, tactical, and operational level:

    The image shows a pyramid, with Executive Sponsors at the top, with the following roles in descending order: DG Council; Steering Committee; Working Groups; Data Owners and Data Stewards; and Data Users. Along the left side of the pyramid, there are three labels, in ascending order: Operational, Tactical, and Strategic.

    The image is a flow chart showing project roles, in two sections: the top section is labelled Governing Bodies, and the lower section is labelled Data Quality Improvement Team. There is a note indicating that the Data Owner reports to and provides updates regarding the state of data quality and data quality initiatives.

    Create and update the organization’s Business Data Glossary to keep up with current data definitions

    2 hours

    Input

    • Metrics and goals for data quality

    Output

    • Regularly scheduled data quality checkups

    Materials

    • Business Data Glossary Template
    • Data Quality Dashboard

    Participants

    • Data steward

    A crucial aspect of data quality and governance is the Business Data Glossary. The Business Data Glossary helps to align the terminology of the business with the organization’s data assets. It allows the people who interact with the data to quickly identify the applications, processes, and stewardship associated with it, which will enhance the accuracy and efficiency of searches for organization data definitions and attributes, enabling better access to the data. This will, in turn, enhance the quality of the organization’s data because it will be more accurate, relevant, and accessible.

    Use the Business Data Glossary Template to document key aspects of the data, such as:

    • Definition
    • Source System
    • Possible Values
    • Data Steward
    • Data Sensitivity
    • Data Availability
    • Batch or Live
    • Retention

    Data Element

    • Mkt-Product
    • Fin-Product

    Info-Tech Insight

    The Business Data Glossary ensures that the crucial data that has key business use by key business systems and users is appropriately owned and defined. It also establishes rules that lead to proper data management and quality to be enforced by the data owners.

    Download this Tool

    Data Steward(s): Use the Data Quality Improvement Plan of the business unit for ongoing quality monitoring

    Integrating your data quality strategy into the organization’s data governance program requires passing the strategy over to members of the data governance program. The data steward role is responsible for data quality at the business unit level, and should have been involved with the creation and implementation of the data quality improvement project. After the data quality repairs have been made, it is the responsibility of the data steward to regularly monitor the quality of the business unit’s data.

    Create Improvement Plan ↓
    • Data Quality Improvement Team identifies root cause issues.
    • Brainstorm solutions.
    Implement Improvement Plan ↓
    • Data Quality Improvement Team works with IT.
    Sustain Improvement Plan
    • Data Steward should regularly monitor data quality.

    Download this tool

    See Info-Tech’s Data Steward Job Description Template for a detailed understanding of the roles and responsibilities of the data steward.

    Responsible for sustaining

    The image shows a screen capture of a document entitled Business Context & Subject Area Selection.

    Develop a business-facing data quality dashboard to show improvements or a sudden dip in data quality

    One tool that the data steward can take advantage of is the data quality dashboard. Initiatives that are implemented to address data quality must have metrics defined by business objectives in order to demonstrate the value of the data quality improvement projects. In addition, the data steward should have tools for tracking data quality in the business unit to report issues to the data owner and data governance steering committee.

    • Example 1: Marketing uses data for direct mail and e-marketing campaigns. They care about customer data in particular. Specifically, they require high data quality in attributes such as customer name, address, and product profile.
    • Example 2: Alternatively, Finance places emphasis on financial data, focusing on attributes like account balance, latency in payment, credit score, and billing date.

    The image is Business dashboard on Data Quality for Marketing. It features Data Quality metrics, listed in the left column, and numbers for each quarter over the course of one year, on the right.

    Notes on chart:

    General improvement in billing address quality

    Sudden drop in touchpoint accuracy may prompt business to ask for explanations

    Approach to creating a business-facing data quality dashboard:

    1. Schedule a meeting with the functional unit to discuss what key data quality metrics are essential to their business operations. You should consider the business context, functional area, and subject area analyses you completed in Phase 1 as a starting point.
    2. Discuss how to gather data for the key metrics and their associated calculations.
    3. Discuss and decide the reporting intervals.
    4. Discuss and decide the unit of measurement.
    5. Generate a dashboard similar to the example. Consider using a BI or analytics tool to develop the dashboard.

    Data quality management must be sustained for ongoing improvements to the organization’s data

    • Data quality is never truly complete; it is a set of ongoing processes and disciplines that requires a permanent plan for monitoring practices, reviewing processes, and maintaining consistent data standards.
    • Setting the expectation to stakeholders that a long-term commitment is required to maintain quality data within the organization is critical to the success of the program.
    • A data quality maintenance program will continually revise and fine-tune ongoing practices, processes, and procedures employed for organizational data management.

    Data quality is a program that requires continual care:

    →Maintain→Good Data →

    Data quality management is a long-term commitment that shifts how an organization views, manages, and utilizes its corporate data assets. Long-term buy-in from all involved is critical.

    “Data quality is a process. We are trying to constantly improve the quality over time. It is not a one-time fix.” – Akin Akinwumi, Manager of Data Governance, Startech.com

    Define a data quality review agenda for data quality sustainment

    2 hours

    Input

    • Metrics and goals for data quality

    Output

    • Regularly scheduled data quality checkups

    Materials

    • Data Quality Diagnostic
    • Data Quality Dashboard

    Participants

    • Data Steward

    As a data steward, you are responsible for ongoing data quality checks of the business unit’s data. Define an improvement agenda to organize the improvement activities. Organize the activities yearly and quarterly to ensure improvement is done year-round.

    Quarterly

    • Measure data quality metrics against milestones. Perform a regular data quality health check with Info-Tech’s Data Quality Diagnostic.
    • Review the business unit’s Business Data Glossary to ensure that it is up to date and comprehensive.
    • Assess progress of practice area initiatives (time, milestones, budget, benefits delivered).
    • Analyze overall data quality and report progress on key improvement projects and corrective actions in the executive dashboard.
    • Communicate overall status of data quality to oversight body.

    Annually

    • Calculate your current baseline and measure progress by comparing it to previous years.
    • Set/revise quality objectives for each practice area and inter-practice hand-off processes.
    • Re-evaluate/re-establish data quality objectives.
    • Set/review data quality metrics and tracking mechanisms.
    • Set data quality review milestones and timelines.
    • Revisit data quality training from an end-user perspective and from a practitioner perspective.

    Info-Tech Insight

    Do data quality diagnostic at the beginning of any improvement plan, then recheck health with the diagnostic at regular intervals to see if symptoms are coming back. This should be a monitoring activity, not a data quality fixing activity. If symptoms are bad enough, repeat the improvement plan process.

    Take the next step in your Data & Analytics Journey

    After establishing your data quality program, look to increase your data & analytics maturity.

    • Artificial Intelligence (AI) is a concept that many organizations strive to implement. AI can really help in areas such as data preparation. However, implementing AI solutions requires a level of maturity that many organizations are not at.
    • While a solid data quality foundation is essential for AI initiatives being successful, AI can also ensure high data quality.
    • An AI analytics solution can address data integrity issues at the earliest point of data processing, rapidly transforming these vast volumes of data into trusted business information. This can be done through Anomaly detection, which flags “bad” data, identifying suspicious anomalies that can impact data quality. By tracking and evaluating data, anomaly detection gives critical insights into data quality as data is processed. (Ira Cohen, The End to a Never-Ending Story? Improve Data Quality with AI Analytics, anodot, 2020)

    Consider… “Garbage in, garbage out.”

    Lay a solid foundation by addressing your data quality issues prior to investing heavily in an AI solution.

    Related Info-Tech Research

    Are You Ready for AI?

    • Use AI as a compelling event to expedite funding, resources, and project plans for your data-related initiatives. Check out this note to understand what it takes to be ready to implement AI solutions.

    Get Started With Artificial Intelligence

    • Current AI technology is data-enabled, automated, adaptive decision support. Once you believe you are ready for AI, check out this blueprint on how to get started.

    Build a Data Architecture Roadmap

    • The data lineage diagram was a key tool used in establishing your data quality program. Check out this blueprint and learn how to optimize your data architecture to provide greatest value from data.

    Create an Architecture for AI

    • Build your target state architecture from predefined best practice building blocks. This blueprint assists members first to assess if they have the maturity to embrace AI in their organization, and if so, which AI acquisition model fits them best.

    Phase 4 Summary

    1. Data Quality Improvement Strategy
    • Brainstorm solutions to your data quality issues using the following data quality improvement strategies as a guide:
      1. Fix data quality issues by improving system/application design
      2. Fix data quality issues using proper database design
      3. Improve integration and synchronization of enterprise data
      4. Improve data quality policies and procedures
      5. Streamline and optimize business processes
  • Sustain Your Data Quality Program
    • Quality data is the ultimate outcome of data governance and data quality management.
    • Sustaining your data quality requires continuous oversight through a data governance practice.
    • There are three primary groups (Data Governance Council, Data Owners, and Data Stewards) that are involved in a mature governance practice.
  • Grow Your Data & Analytics Maturity
    • After establishing your data quality program, take the next step in increasing your data & analytics maturity.
    • Good data quality is the foundation of pursuing different ways of maximizing the value of your data such as implementing AI solutions.
    • Continue your data & analytics journey by referring to Info-Tech’s quality research.
  • Research Contributors and Experts

    Izabela Edmunds

    Information Architect Mott MacDonald

    Akin Akinwumi

    Manager of Data Governance Startech.com

    Diraj Goel

    Growth Advisor BC Tech

    Sujay Deb

    Director of Data Analytics Technology and Platforms Export Development Canada

    Asif Mumtaz

    Data & Solution Architect Blue Cross Blue Shield Association

    Patrick Bossey

    Manager of Business Intelligence Crawford and Company

    Anonymous Contributors

    Ibrahim Abdel-Kader

    Research Specialist Info-Tech Research Group

    Ibrahim is a Research Specialist at Info-Tech Research Group. In his career to date he has assisted many clients using his knowledge in process design, knowledge management, SharePoint for ECM, and more. He is expanding his familiarity in many areas such as data and analytics, enterprise architecture, and CIO-related topics.

    Reddy Doddipalli

    Senior Workshop Director Info-Tech Research Group

    Reddy is a Senior Workshop Director at Info-Tech Research Group, focused on data management and specialized analytics applications. He has over 25 years of strong industry experience in IT leading and managing analytics suite of solutions, enterprise data management, enterprise architecture, and artificial intelligence–based complex expert systems.

    Andy Neill

    Practice Lead, Data & Analytics and Enterprise Architecture Info-Tech Research Group

    Andy leads the data and analytics and enterprise architecture practices at ITRG. He has over 15 years of experience in managing technical teams, information architecture, data modeling, and enterprise data strategy. He is an expert in enterprise data architecture, data integration, data standards, data strategy, big data, and development of industry standard data models.

    Crystal Singh

    Research Director, Data & Analytics Info-Tech Research Group

    Crystal is a Research Director at Info-Tech Research Group. She brings a diverse and global perspective to her role, drawing from her professional experiences in various industries and locations. Prior to joining Info-Tech, Crystal led the Enterprise Data Services function at Rogers Communications, one of Canada’s leading telecommunications companies.

    Igor Ikonnikov

    Research Director, Data & Analytics Info-Tech Research Group

    Igor is a Research Director at Info-Tech Research Group. He has extensive experience in strategy formation and execution in the information management domain, including master data management, data governance, knowledge management, enterprise content management, big data, and analytics.

    Andrea Malick

    Research Director, Data & Analytics Info-Tech Research Group

    Andrea Malick is a Research Director at Info-Tech Research Group, focused on building best practices knowledge in the enterprise information management domain, with corporate and consulting leadership in enterprise architecture and content management (ECM).

    Natalia Modjeska

    Research Director, Data & Analytics Info-Tech Research Group

    Natalia Modjeska is a Research Director at Info-Tech Research Group. She advises members on topics related to AI, machine learning, advanced analytics, and data science, including ethics and governance. Natalia has over 15 years of experience in developing, selling, and implementing analytical solutions.

    Rajesh Parab

    Research Director, Data & Analytics Info-Tech Research Group

    Rajesh Parab is a Research Director at Info-Tech Research Group. He has over 20 years of global experience and brings a unique mix of technology and business acumen. He has worked on many data-driven business applications. In his previous architecture roles, Rajesh created a number of product roadmaps, technology strategies, and models.

    Bibliography

    Amidon, Kirk. "Case Study: How Data Quality Has Evolved at MathWorks." The Fifth MIT Information Quality Industry Symposium. 13 July 2011. Web. 19 Aug. 2015.

    Boulton, Clint. “Disconnect between CIOs and LOB managers weakens data quality.” CIO. 05 February 2016. Accessed June 2020.

    COBIT 5: Enabling Information. Rolling Meadows, IL: ISACA, 2013. Web.

    Cohen, Ira. “The End to a Never-Ending Story? Improve Data Quality with AI Analytics.” anodot. 2020.

    “DAMA Guide to the Data Management Body of Knowledge (DAMA-DMBOK Guide).” First Edition. DAMA International. 2009. Digital. April 2014.

    "Data Profiling: Underpinning Data Quality Management." Pitney Bowes. Pitney Bowes - Group 1 Software, 2007. Web. 18 Aug. 2015.

    Data.com. “Data.com Clean.” Salesforce. 2016. Web. 18 Aug. 2015.

    “Dawn of the CDO." Experian Data Quality. 2015. Web. 18 Aug. 2015.

    Demirkan, Haluk, and Bulent Dal. "Why Do So Many Analytics Projects Fail?" The Data Economy: Why Do so Many Analytics Projects Fail? Analytics Magazine. July-Aug. 2014. Web.

    Dignan, Larry. “CIOs juggling digital transformation pace, bad data, cloud lock-in and business alignment.” ZDNet. 11 March 2020. Accessed July.

    Dumbleton, Janani, and Derek Munro. "Global Data Quality Research - Discussion Paper 2015." Experian Data Quality. 2015. Web. 18 Aug. 2015.

    Eckerson, Wayne W. "Data Quality and the Bottom Line - Achieving Business Success through a Commitment to High Quality Data." The Data Warehouse Institute. 2002. Web. 18 Aug. 2015.

    “Infographic: Data Quality in BI the Costs and Benefits.” HaloBI. 2015 Web.

    Lee, Y.W. and Strong, D.M. “Knowing-Why About Data Processes and Data Quality.” Journal of Management Information Systems. 2004.

    “Making Data Quality a Way of Life.” Cognizant. 2014. Web. 18 Aug. 2015.

    "Merck Serono Achieves Single Source of Truth with Comprehensive RIM Solutions." www.productlifegroup.com. ProductLife Group. 15 Apr. 2015. Web. 23 Nov. 2015.

    Myers, Dan. “List of Conformed Dimensions of Data Quality.” Conformed Dimensions of Data Quality (CDDQ). 2019. Web.

    Redman, Thomas C. “Make the Case for Better Data Quality.” Harvard Business Review. 24 Aug. 2012. Web. 19 Aug. 2015.

    RingLead Data Management Solutions. “10 Stats About Data Quality I Bet You Didn’t Know.” RingLead. Accessed 7 July 2020.

    Schwartzrock, Todd. "Chrysler's Data Quality Management Case Study." Online video clip. YouTube. 21 April. 2011. Web. 18 Aug. 2015

    “Taking control in the digital age.” Experian Data Quality. Jan 2019. Web.

    “The data-driven organization, a transformation in progress.” Experian Data Quality. 2020. Web.

    "The Data Quality Benchmark Report." Experian Data Quality. Jan. 2015. Web. 18 Aug. 2015.

    “The state of data quality.” Experian Data Quality. Sept. 2013. Web. 17 Aug. 2015.

    Vincent, Lanny. “Differentiating Competence, Capability and Capacity.” Innovation Management Services. Web. June 2008.

    “7 ways poor data quality is costing your business.” Experian Data Quality. July 2020. Web.

    Mitigate the Risk of Cloud Downtime and Data Loss

    • Buy Link or Shortcode: {j2store}412|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: DR and Business Continuity
    • Parent Category Link: /business-continuity
    • Senior leadership is asking difficult questions about the organization’s dependency on third-party cloud services and the risk that poses.
    • IT leaders have limited control over third-party incidents and that includes cloud services. Yet they are on the hot seat when cloud services go down.
    • While vendors have swooped in to provide resilience options for the more-common SaaS solutions, it is not the case for all cloud services.

    Our Advice

    Critical Insight

    • No control over the software does not mean no recovery options. Solutions range from designing an IT workaround using alternate technologies to pre-defined third-party service continuity options (e.g. see options for O365) to business workarounds.
    • Even where there is limited control, you can at least define an incident response plan to streamline notification, assessment, and implementation of workarounds. Leadership wants more options than simply waiting for the service to come back online.
    • At a minimum, IT’s responsibility is to identify and communicate risk to senior leadership. That starts with a vendor review to identify SLA issues and overall resilience gaps.

    Impact and Result

    • Follow a structured process to assess cloud resilience risk.
    • Identify opportunities to mitigate risk – at the very least, ensure critical data is protected.
    • Summarize cloud services risk, mitigation options, and incident response for senior leadership.

    Mitigate the Risk of Cloud Downtime and Data Loss Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Mitigate the Risk of Cloud Downtime and Data Loss – Step-by-step guide to assess risk, identify risk mitigation options, and create an incident response plan.

    Even where there is limited control, you can define an incident response plan to streamline notification, assessment, and implementation of workarounds.

    • Mitigate the Risk of Cloud Downtime and Data Loss Storyboard

    2. Cloud Services Incident Risk and Mitigation Review – Review your key cloud vendors’ SLAs, incident preparedness, and data protection strategy.

    At a minimum, IT’s responsibility is to identify and communicate risk to senior leadership. That starts with a vendor review to identify SLA and overall resilience gaps.

    • Cloud Services Incident Risk and Mitigation Review Tool

    3. SaaS Incident Response Workflows – Use these examples to guide your efforts to create cloud incident response workflows.

    The examples illustrate different approaches to incident response depending on the criticality of the service and options available.

    • SaaS Incident Response Workflows (Visio)
    • SaaS Incident Response Workflows (PDF)

    4. Cloud Services Resilience Summary – Use this template to capture your results.

    Summarize cloud services risk, mitigation options, and incident response for senior leadership.

    • Cloud Services Resilience Summary
    [infographic]

    Further reading

    Mitigate the Risk of Cloud Downtime and Data Loss

    Resilience and disaster recovery in an increasingly Cloudy and SaaSy world.

    Analyst Perspective

    If you think cloud means you don’t need a response plan, then get your resume ready.

    Frank Trovato

    Most organizations are now recognizing that they can’t ignore the risk of a cloud outage or data loss, and the challenge is “what can I do about it?” since there is limited control.

    If you still think “it’s in the cloud, so I don’t need to worry about it,” then get your resume ready. When O365 goes down, your executives are calling IT, not Microsoft, for an answer of what’s being done and what can they do in the meantime to get the business up and running again.

    The key is to recognize what you can control and what actions you can take to evaluate and mitigate risk. At a minimum, you can ensure senior leadership is aware of the risk and define a plan for how you will respond to an incident, even if that is limited to monitoring and communicating status.

    Often you can do more, including defining IT workarounds, backing up your SaaS data for additional protection, and using business process workarounds to bridge the gap, as illustrated in the case studies in this blueprint.

    Frank Trovato
    Research Director, Infrastructure & Operations

    Info-Tech Research Group

    Use this blueprint to expand your DRP and BCP to account for cloud services

    As more applications are migrated to cloud-based services, disaster recovery (DR) and business continuity plans (BCP) must include an understanding of cloud risks and actions to mitigate those risks. This includes evaluating vendor and service reliability and resilience, security measures, data protection capabilities, and technology and business workarounds if there is a cloud outage or incident.

    Use the risk assessments and cloud service incident response plans developed through this blueprint to supplement your DRP and BCP as well as further inform your crisis management plans (e.g. account for cloud risks in your crisis communication planning).

    Overall Business Continuity Plan

    IT Disaster Recovery Plan

    A plan to restore IT application and infrastructure services following a disruption.

    Info-Tech’s Disaster Recovery Planning blueprint provides a methodology for creating the IT DRP. Leverage this blueprint to validate and provide inputs for your IT DRP.

    BCP for Each Business Unit

    A set of plans to resume business processes for each business unit.

    Info-Tech’s Develop a Business Continuity Plan blueprint provides a methodology for creating business unit BCPs as part of an overall BCP for the organization.

    Crisis Management Plan

    A plan to manage a wide range of crises, from health and safety incidents to business disruptions to reputational damage.

    Info-Tech’s Implement Crisis Management Best Practices blueprint provides a framework for planning a response to any crisis, from health and safety incidents to reputational damage.

    Executive Summary

    Your Challenge

    Common Obstacles

    Info-Tech’s Approach

    • Senior leadership is asking difficult questions about the organization’s dependency on third-party cloud services and the risk that poses.
    • Migrating to cloud services transfers much of the responsibility for day-to-day platform maintenance but not accountability for resilience.
    • IT leaders are often responsible for not just the organization’s IT DRP but also BCP and other elements of overall resilience. Cloud risk adds another element IT leaders need to consider.
    • IT leaders have limited control over third-party incidents and that includes cloud services. With SaaS services in particular, recovery or continuity options may be limited.
    • While vendors have swooped in to provide resilience options for the more common SaaS solutions, that is not the case for all cloud services.
    • Part of the solution is defining business process workarounds and that depends on cooperation from business leaders.
    • At a minimum, IT’s responsibility is to identify and communicate risk to senior leadership. That starts with a vendor review to identify SLA and overall resilience gaps.
    • Adapt how you approach downtime and data loss risk, particularly for SaaS solutions where there is limited or no control over the system.
    • Even where there is limited control, you can define an incident response plan to streamline notification, assessment, and implementation of workarounds. Leadership wants more options than simply waiting for the service to come back online.

    Info-Tech Insight

    Asking vendors about their DRP, BCP, and overall resilience has become commonplace. Expect your vendors to provide answers so you can assess risk. Furthermore, your vendor may have additional offerings to increase resilience or recommendations for third parties who can further assist your goals of improving cloud service resilience.

    Key deliverable

    Cloud Services Resilience Summary

    Provide leadership with a summary of cloud risk, downtime workarounds implemented, and additional data protection.

    The image contains a screenshot of the Cloud Services Resilience Summary.

    Additional tools and templates in this blueprint

    Cloud Services Incident Risk and Mitigation Review Tool

    Use this tool to gather vendor input, evaluate vendor SLAs and overall resilience, and track your own risk mitigation efforts.

    The image contains a screenshot of the Cloud Services Incident Risk and Mitigation Review Tool.

    SaaS Incident Response Workflows

    Use the examples in this document as a model to develop your own incident response workflows for cloud outages or data loss.

    The image contains a screenshot of the SaaS Incident Response Workflows.

    This blueprint will step you through the following actions to evaluate and mitigate cloud services risk

    1. Assess your cloud risk
    • Review your cloud services to determine potential impact of downtime/data loss, vendor SLA gaps, and vendor’s current resilience.
  • Identify options to mitigate risk
    • Explore your cloud vendor’s resilience offerings, third-party solutions, DIY recovery options, and business workarounds.
  • Create an incident response plan
    • Document your cloud risk mitigation strategy and incident response plan, which might include a failover strategy, data protection, and/or business continuity.

    Cloud Risk Mitigation

    Identify options to mitigate risk

    Create an incident response plan

    Assess risk

    Phase 1: Assess your cloud risk

    Phase 1

    Phase 2

    Phase 3

    Assess your cloud risk

    Identify options to mitigate risk

    Create an incident response plan

    Cloud does not guarantee uptime

    Public cloud services (e.g. Azure, GCP, AWS) and popular SaaS solutions experience downtime every year.

    A few cloud outage examples:

    • Microsoft Azure AD outage, March 15, 2022:
      Many users could not log into O365, Dynamics, or the Azure Portal.
      Cause: software change.
    • Three AWS outages in December 2021: December 7 (Netflix and others impacted), December 15 (Duo, Zoom, Slack, others), December 20 (Slack, Epic Games, others). Cause: network issues, power outage.
    • Salesforce outage, May 12, 2022: Users could not access the Lightning platform. Cause: expired certificate.

    Cloud availability

    • Migrating to cloud services can improve availability, as they typically offer more resilience than most organizations can afford to implement themselves.
    • However, having multiple data centers, zones, and regions doesn’t prevent all outages, as we see every year with even the largest cloud vendors.

    DR challenges for IaaS, PaaS, and cloud-native

    While there are limits to what you control, often traditional “failover” DR strategy can apply.

    High-level challenges and resilience options:

    • IaaS: No control over the hardware, but you can failover to another region. This is fairly similar to traditional DR.
    • PaaS: No control over the software platform (e.g. SQL server as a service), but you can back up your data and explore vendor options to replicate your environment.
    • Cloud-native applications: As with PaaS, you can back up your data and explore vendor options to replicate your environment.

    Plan for resilience

    • Include DR requirements when designing cloud service implementation. For example, for IaaS solutions, identify what data would need to be replicated and what services may need to be “always on” (e.g. database services where high-availability is demanded).
    • Similarly, for PaaS and cloud-native solutions, consult your vendor regarding options to build in resilience options (e.g. ability to failover to another environment).

    DR challenges for SaaS solutions

    SaaS is the biggest challenge because you have no control over any part of the base application stack.

    High-level challenges and resilience options:

    • No control over the hardware (or the facility, maintenance processes, and so on).
    • No control over the base application (control is limited to configuration settings and add-on customizations or integrations).
    • Options to back up your data will depend on the service.

    Note: The rest of this blueprint is focused primarily on SaaS resilience due to the challenges listed here. For other cloud services, leverage traditional DR strategies and vendor management to mitigate risk (as summarized on the previous slides).

    Focus on what you can control

    • For SaaS solutions in particular, you must toss out traditional DR. If Salesforce has an outage, you won’t be involved in recovering the system.
    • Instead, DR for SaaS needs to focus on improving resilience where you do have control and implementing business workarounds to bridge the gap.

    Evaluate your cloud services to clarify your specific risks

    Time and money is limited, so focus first on cloud services that are most critical and evaluate the vendors’ SLA and existing resilience capabilities.

    The activities on the next two slides will evaluate risk through two approaches:

    Activity 1: Estimate potential impact of downtime and data loss to quantify the risk and determine which cloud services are most critical and need to be prioritized. This is done through a business impact analysis that assesses:

    • Impact on revenue or costs (if applicable).
    • Impact on reputation (e.g. customer impact).
    • Impact on regulatory compliance and health and safety (if applicable).

    Activity 2: Review the vendor to identify risks and gaps. Specifically, evaluate the following:

    • Incident Management SLAs (e.g. does the SLA include RTO/RPO commitments? Do they meet your requirements?)
    • Incident Response Preparedness (e.g. does the vendor have a DRP, BCP, and security incident response plan?)
    • Data Protection (e.g. does their backup strategy and data security meet your standards?)

    Activity 1: Quantify potential impact and prioritize cloud services using a business impact analysis (BIA)

    1-3 hours

    1. Download the latest version of our DRP BIA: DRP Business Impact Analysis Tool. The tool includes instructions.
    2. Include the cloud services you want to assess in the list of applications/systems (see the tool excerpt below), and follow the BIA methodology outlined in the Create a Right-Sized Disaster Recovery Plan blueprint.
    3. Use the results to quantify potential impact and prioritize your efforts on the most-critical cloud services.

    The image contains a screenshot of the DRP Business Impact Analysis Tool.

    Materials
    • DRP BIA Tool
    Participants
    • Core group of IT management and staff who can provide a well-rounded perspective on potential impact. They will create the first draft of the BIA.
    • Review the draft BIA with relevant business leaders to refine and validate the results.

    Activity 2: Review your key cloud vendors’ SLAs, incident preparedness, and data protection strategy

    1-3 hours

    Use the Cloud Services Incident Risk and Mitigation Review Tool as follows:

    1. Send the Vendor Questionnaire tab to your cloud vendors to gather input, and review your existing agreements.
    2. Copy the vendor responses into the tool (see the instructions in the tool) and evaluate. See the example excerpt below.
    3. Identify action items to clarify gaps or address risks. Some action items might not be defined yet and will need to wait until you have had a chance to further explore risk mitigation options.

    The image contains a screenshot of the Cloud Services Incident Risk and Mitigation Review Tool.

    Materials
    • Cloud Services Incident Risk and Mitigation Review Tool
    Participants
    • Core group of IT management and staff tasked with evaluating and improving cloud services’ resilience.

    Phase 2: Identify options to mitigate risk

    Phase 1

    Phase 2

    Phase 3

    Assess your cloud risk

    Identify options to mitigate risk

    Create an incident response plan

    Consult your vendor to identify options to improve resilience, as a starting point

    Your vendor might also be able to suggest third parties that offer additional support, backup, or service continuity options.

    • The Vendor Questionnaire tab in the Cloud Services Incident Risk and Mitigation Review Tool includes a section at the bottom where your vendor can name additional options to improve resilience (e.g. premium support packages, potentially their own DR services).
    • If your vendor has not completed that part of the questionnaire, meet with them to discuss this. Asking service vendors about resilience has become commonplace, so they should be prepared to answer questions about their own offerings and potentially can name trusted third-party vendors who can further assist you.
    • Leverage Info-Tech’s advisory services to evaluate options outlined by your vendor and potential third-party options (e.g. enterprise backup solutions that support backing up SaaS data).

    Some SaaS solutions have plenty of resilience options; others not so much

    • The pervasiveness of O365 has led vendors to close the service continuity gap, with options to send and receive email during an outage and back up your data.
    • With many SaaS solutions, there isn’t going to be a third-party service continuity option, but you might still be able to at least back up your data and implement business process workarounds to close the service gap.

    Example SaaS risk and mitigation: O365

    Risk

    • Several outages every year (e.g. MS Teams July 20, 2022).
    • SLA exceptions include “Scheduled Downtime,” which can occur with just five days’ notice.
    • The Recycling Bin is your data backup, depending on your setup.

    Options to mitigate risk (not an exhaustive list):

    • Third-party solutions for email service continuity.
    • Several backup vendors (e.g. Veeam, Rubrik) can protect most of your O365 suite.
    • Business continuity workarounds leveraging synced OneDrive, SharePoint, and Outlook (access to calendar invites).

    Example SaaS risk and mitigation: Salesforce

    Risk

    • Downtime has been infrequent, but Salesforce did have a major outage in May 2021 (DNS issue) and May 2022 (expired certificate).
    • At the time of this writing, the Main Services Agreement does not commit to a specific uptime value and specifies the usual exclusions.
    • Similarly, there are limited commitments regarding data protection.

    Options to mitigate risk (not an exhaustive list):

    • Salesforce provides a backup and restore service offering.
    • In addition, some third-party vendors support backing up Salesforce data for additional protection against data corruption or data loss.
    • Business continuity workarounds can further reduce the impact of downtime (e.g. record updates in MS Word and leverage Outlook for contact info until Salesforce is recovered).

    Establish a baseline standard for risk mitigation, regardless of cloud service

    At a minimum, set a goal to review vendor risk at least annually, define standard processes for monitoring outages, and review options to back up your SaaS data.

    Example baseline standard for cloud risk mitigation

    • Review vendor risk at least annually. This includes reviewing SLAs, vendor’s incident preparedness (e.g. do they have a current DRP, BCP, and Security IRP?), and the vendor’s data protection strategy.
    • Incident response plans must include, at a minimum, steps to monitor vendor outage and communicate status to relevant stakeholders. Where possible, business process workarounds are defined to bridge the service gap.
    • For critical data (based on your BIA and an evaluation of risk), maintain your own backups of SaaS data for additional protection.

    Embed risk mitigation standards into existing IT operations

    • Include specific SLA requirements, including incident management processes, in your RFP process and annual vendor review.
    • Define cloud incident response in your incident management procedures.
    • Include cloud data considerations in your backup strategy reviews.

    Phase 3: Create an incident response plan

    Phase 1

    Phase 2

    Phase 3

    Assess your cloud risk

    Identify options to mitigate risk

    Create an incident response plan

    Activity 1: Review the example incident response workflows and case studies as a starting point

    1-3 hours

    1. Review the SaaS Incident Response Workflows examples. The examples illustrate different approaches to incident response depending on the criticality of the service and options available.
    2. Review the case studies on the next few slides, which further illustrate the resilience and incident response solutions implemented.
    3. Note the key elements:
    • Detection
    • Assessment
    • Monitoring status / contacting the vendor
    • Communication with key stakeholders
    • Invoking workarounds, if applicable

    Example SaaS Incident Response Workflow Excerpt

    The image contains a screenshot of an example of the SaaS Incident Response Workflow Excerpt.
    Materials
    • SaaS Incident Response Workflows examples
    Participants
    • Core group of IT management and staff tasked with evaluating and improving cloud services’ resilience.
    • Relevant business process owners to provide input and define business workarounds, where applicable.

    Case Study 1: Recovery plan for critical fundraising event

    If either critical SaaS dependency fails, the following plan is executed:

    1. Donors are redirected to a predefined alternate donation page hosted by a different service. The alternate page connects to the backup payment processing service (with predefined integrations).
    2. Marketing communications support the redirect.
    3. While the backup solution doesn’t gather as much data, the payment details provide enough information to follow up with donors where necessary.

    Criticality justified a failover option

    The Annual Day of Giving generates over 50% of fundraising for the year. It’s critically dependent on two SaaS solutions that host the donation page and payment processing.

    To mitigate the risk, the organization implemented the ability to failover to an alternate “environment” – much like a traditional DR solution – supported by workarounds to manage data collection.

    Case Study 2: Protecting customer data

    Daily exports from a SaaS-hosted donations site reduce potential data loss:

    1. Daily exports to a CRM support donor profile updates and follow-ups (tax receipts, thank-you letters, etc.).
    2. The exports also mitigate the risk of data loss due to an incident with the SaaS-hosted donation site.
    3. This company is exploring more-frequent exports to further reduce the risk of data loss.

    Protecting your data gives you options

    For critical data, do you want to rely solely on the vendor’s default backup strategy?

    If your SaaS vendor is hit by ransomware or if their backup frequency doesn’t meet your needs, having your own data backup gives you options.

    It can also support business process workarounds that need to access that data while waiting for SaaS recovery.

    Case Study 3: Recovery plan for payroll

    To enable a more accurate payroll workaround, the following is done:

    1. After each payroll run, export the payroll data from the SaaS solution to a secure location.
    2. If there is a SaaS outage when payroll must be submitted, the exported data can be modified and converted to an ACH file.
    3. The ACH file is submitted to the bank, which has preapproved this workaround.

    BCP can bridge the gap

    When leadership looks to IT to mitigate cloud risk, include BCP in the discussion.

    Payroll is a good example where the best recovery option might be a business continuity workaround.

    IT often still has a role in business continuity workarounds, as in this case study: specifically, providing a solution to modify and convert the payroll data to an ACH file.

    Activity 2: Run tabletop planning exercises as a starting point to build your incident response plan

    1-3 hours

    1. Follow the tabletop planning instructions provided in the Create a Right-Sized Disaster Recovery Plan blueprint.
    2. Run the exercise for each cloud service. Keep the scenario generic at first (e.g. cloud service is down with no reported root cause) so you can focus on your response. Capture response steps and gaps.
    3. Add complexity in subsequent exercises (e.g. data loss plus downtime), and use that to expand and refine the workflow as needed.
    4. Use the resulting workflows as the core piece of your incident response plan.
    5. Supplement the workflow with relevant checklists or procedures. At this point you can choose to incorporate this into your DRP or BCP or maintain these documents as supplements to those plans.
      See the DRP Case Study and BCP Case Study for an example of DRP-BCP documentation.

    Example tabletop planning results excerpt with gaps identified

    The image contains an example tabletop planning results excerpt with gaps identified.

    Materials
    • SaaS Incident Response Workflows examples
    Participants
    • Core group of IT management and staff tasked with evaluating and improving cloud services’ resilience.
    • Review results with relevant business process owners to provide input and define business workarounds where applicable.

    Activity 3: Summarize cloud services resilience to inform senior leadership of current risks and mitigation efforts

    1-3 hours

    1. Use the Cloud Services Resilience Summary example as a template to capture the following:
    • The results of your vendor review (i.e. incident management SLAs, incident response preparedness, data protections strategy).
    • The current state of your downtime workarounds and additional data loss protection.
    • Your baseline standard for cloud services risk mitigation.
    • Summary of resilience, risks, workarounds, and data loss protection for each individual cloud service that you have reviewed.
  • Present the results to senior leadership to:
    • Highlight risks to inform business decisions to mitigate or accept those risks.
    • Summarize actions already taken to mitigate risks.
    • Communicate next steps (e.g. action items to address remaining risks).

    Cloud Services Resilience Summary – Table of Contents

    The image contains a screenshot of Cloud Services Resilience Summary – Table of Contents.
    Materials
    • Cloud Services Resilience Summary
    Participants
    • Core group of IT management and staff tasked with evaluating and improving cloud services’ resilience.
    • Review results with relevant business process owners to provide input and define business workarounds where applicable.

    Summary: For cloud services, after evaluating risk, IT must adapt how they approach risk mitigation

    1. Identify failover options where possible
    • A failover strategy is possible for many cloud services (e.g. IaaS replication to another region, or failing over SaaS to an alternate solution as in case study 1).
  • At least protect your data
    • Explore supplementary backup options to protect against ransomware, data corruption, or data loss and support business continuity workarounds (see case study 2).
  • Leverage BCP to close the gap
    • This doesn’t absolve IT of its role in mitigating cloud incident risk, but business process workarounds can bridge the gap where IT options are limited (see case study 3).

    Related Info-Tech Research

    IT DRP Maturity Assessment

    Get an objective assessment of your DRP program and recommendations for improvement.

    Create a Right-Sized Disaster Recovery Plan

    Close the gap between your DR capabilities and service continuity requirements.

    Develop a Business Continuity Plan

    Streamline the traditional approach to make BCP development manageable and repeatable.

    Implement Crisis Management Best Practices

    Don’t be another example of what not to do. Implement an effective crisis response plan to minimize the impact on business continuity, reputation, and profitability.

    Recruit and Retain People of Color in IT

    • Buy Link or Shortcode: {j2store}546|cart{/j2store}
    • member rating overall impact: 9.7/10 Overall Impact
    • member rating average dollars saved: $19,184 Average $ Saved
    • member rating average days saved: 21 Average Days Saved
    • Parent Category Name: Engage
    • Parent Category Link: /engage
    • Organizations have been trying to promote equality for many years. Diversity and inclusion strategies and a myriad of programs have been implemented in companies across the world. Despite the attempts, many organizations still struggle to ensure that their workforce is representative of the populations they support or want to support.
    • IT brings another twist. Many IT companies and departments are based on the culture of white males, and underrepresented ethnic communities find it more of a challenge to fit in.
    • This sometimes means that talented minorities are less incentivized to join or stay in technology.

    Our Advice

    Critical Insight

    • Diversity and inclusion cannot be a one-time campaign or a one-off initiative.
    • For real change to happen, every leader needs to internalize the value of creating and retaining diverse teams.

    Impact and Result

    • To stay competitive, IT leaders need to be more involved and commit to a plan to recruit and retain people of color in their departments and organizations. A diverse team is an answer to innovation that can differentiate your company.
    • Treat recruiting and retaining a diverse team as a business challenge that requires full engagement. Info-Tech offers a targeted solution that will help IT leaders build a plan to attract, recruit, engage, and retain people of color.

    Recruit and Retain People of Color in IT Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should recruit and retain people of color in your IT department or organization, review Info-Tech’s methodology, and understand the ways we can support you in this endeavor.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Recruit people of color in IT

    Diverse teams are necessary to foster creativity and guide business strategies. Overcome limitations by recruiting people of color and creating a diverse workforce.

    • Recruit and Retain People of Color in IT – Phase 1: Recruit People of Color in IT
    • Support Plan
    • IT Behavioral Interview Question Library

    2. Retain people of color in IT

    Underrepresented employees benefit from an expansive culture. Create an inclusive environment and retain people of color and promote value within your organization.

    • Recruit and Retain People of Color in IT – Phase 2: Retain People of Color in IT

    Infographic

    Workshop: Recruit and Retain People of Color in IT

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Setting the Stage

    The Purpose

    Introduce challenges and concerns around recruiting and retaining people of color.

    Key Benefits Achieved

    Gain a sense of direction.

    Activities

    1.1 Introduction to diversity conversations.

    1.2 Assess areas to focus on and determine what is right, wrong, missing, and confusing.

    1.3 Obtain feedback from your team about the benefits of working at your organization.

    1.4 Establish your employee value proposition (EVP).

    1.5 Discuss and establish your recruitment goals.

    Outputs

    Current State Analysis

    Right, Wrong, Missing, Confusing Quadrant

    Draft EVP

    Recruitment Goals

    2 Refine Your Recruitment Process

    The Purpose

    Identify areas in your current recruitment process that are preventing you from hiring people of color.

    Establish a plan to make improvements.

    Key Benefits Achieved

    Optimized recruitment process

    Activities

    2.1 Brainstorm and research community partners.

    2.2 Review current job descriptions and equity statement.

    2.3 Update job description template and equity statement.

    2.4 Set team structure for interview and assessment.

    2.5 Identify decision-making structure.

    Outputs

    List of community partners

    Updated job description template

    Updated equity statement

    Interview and assessment structure

    Behavioral Question Library

    3 Culture and Management

    The Purpose

    Create a plan for an inclusive culture where your managers are supported.

    Key Benefits Achieved

    Awareness of how to better support employees of color.

    Activities

    3.1 Discuss engagement and belonging.

    3.2 Augment your onboarding materials.

    3.3 Create an inclusive culture plan.

    3.4 Determine how to support your management team.

    Outputs

    List of onboarding content

    Inclusive culture plan

    Management support plan

    4 Close the Loop

    The Purpose

    Establish mechanisms to gain feedback from your employees and act on them.

    Key Benefits Achieved

    Finalize the plan to create your diverse and inclusive workforce.

    Activities

    4.1 Ask and listen: determine what to ask your employees.

    4.2 Create your roadmap.

    4.3 Wrap-up and next steps.

    Outputs

    List of survey questions

    Roadmap

    Completed support plan

    Explore the Secrets of IBM Software Contracts to Optimize Spend and Reduce Compliance Risk

    • Buy Link or Shortcode: {j2store}141|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Licensing
    • Parent Category Link: /licensing
    • IBM customers want to make effective use of their paid-up licenses to avoid overspending and stay compliant with agreements.
    • Each IBM software product is subject to different rules.
    • Clients control and have responsibility for aligning usage and payments. Over time, the usage of the software may be out of sync with what the client has paid for, resulting in either overspending or violation of the licensing agreement.
    • IBM audits software usage in order to generate revenue from non-compliant customers.

    Our Advice

    Critical Insight

    • You have a lot of work to do if you haven’t been paying attention to your IBM software.
    • Focus on needs first. Conduct and document a thorough requirements assessment. Well-documented needs will be your core asset in negotiation.
    • Know what’s in IBM’s terms and conditions. Failure to understand these can lead to major penalties after an audit.
    • Review your agreements and entitlements quarterly. IBM may have changed the rules, and you have almost certainly changed your usage.

    Impact and Result

    • Establish clear licensing requirements.
    • Maintain an effective process for managing your IBM license usage and compliance.
    • Identify any cost-reduction opportunities.
    • Prepare for penalty-free IBM audits.

    Explore the Secrets of IBM Software Contracts to Optimize Spend and Reduce Compliance Risk Research & Tools

    Start here – read the Executive Brief

    Read this Executive Brief to understand why you need to invest effort in managing usage and licensing of your IBM software.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Review terms and conditions for your IT contract

    Use Info-Tech’s licensing best practices to avoid the common mistakes of overspending on IBM licensing or failing an IBM audit.

    • IBM Passport Advantage Software RFQ Template
    • IBM 3-Year Bundled Price Analysis Tool
    [infographic]

    Create a Service Management Roadmap

    • Buy Link or Shortcode: {j2store}394|cart{/j2store}
    • member rating overall impact: 8.9/10 Overall Impact
    • member rating average dollars saved: $71,003 Average $ Saved
    • member rating average days saved: 24 Average Days Saved
    • Parent Category Name: Service Management
    • Parent Category Link: /service-management
    • Inconsistent adoption of holistic practices has led to a chaotic service delivery model that results in poor customer satisfaction.
    • There is little structure, formalization, or standardization in the way IT services are designed and managed, leading to diminishing service quality and low business satisfaction.

    Our Advice

    Critical Insight

    • Having effective service management practices in place will allow you to pursue activities, such as innovation, and drive the business forward.
    • Addressing foundational elements like business alignment and management practices will enable you to build effective core practices that deliver business value.
    • Providing consistent leadership support and engagement is essential to allow practitioners to focus on delivering expected outcomes.

    Impact and Result

    • Understand the foundational and core elements that allow you to build a successful service management practice focused on outcomes.
    • Use Info-Tech’s advice and tools to perform an assessment of your organization’s current state, identify the gaps, and create a roadmap for success.
    • Increase business and customer satisfaction by delivering services focused on creating business value.

    Create a Service Management Roadmap Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why many service management maturity projects fail to address foundational and core elements, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Launch the project

    Kick-off the project and complete the project charter.

    • Create a Service Management Roadmap – Phase 1: Launch Project
    • Service Management Roadmap Project Charter

    2. Assess the current state

    Determine the current state for service management practices.

    • Create a Service Management Roadmap – Phase 2: Assess the Current State
    • Service Management Maturity Assessment Tool
    • Organizational Change Management Capability Assessment Tool
    • Service Management Roadmap Presentation Template

    3. Build the roadmap

    Build your roadmap with identified initiatives.

    • Create a Service Management Roadmap – Phase 3: Identify the Target State

    4. Build the communication slide

    Create the communication slide that demonstrates how things will change, both short and long term.

    • Create a Service Management Roadmap – Phase 4: Build the Roadmap
    [infographic]

    Workshop: Create a Service Management Roadmap

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Understand Service Management

    The Purpose

    Understand service management.

    Key Benefits Achieved

    Gain a common understanding of service management, the forces that impact your roadmap, and the Info-Tech Service Management Maturity Model.

    Activities

    1.1 Understand service management.

    1.2 Build a compelling vision and mission.

    Outputs

    Constraints and enablers chart

    Service management vision, mission, and values

    2 Assess the Current State of Service Management

    The Purpose

    Assess the organization’s current service management capabilities.

    Key Benefits Achieved

    Understand attitudes, behaviors, and culture.

    Understand governance and process ownership needs.

    Understand strengths, weaknesses, opportunities, and threats.

    Defined desired state.

    Activities

    2.1 Assess cultural ABCs.

    2.2 Assess governance needs.

    2.3 Perform SWOT analysis.

    2.4 Define desired state.

    Outputs

    Cultural improvements action items

    Governance action items

    SWOT analysis action items

    Defined desired state

    3 Continue Current-State Assessment

    The Purpose

    Assess the organization’s current service management capabilities.

    Key Benefits Achieved

    Understand the current maturity of service management processes.

    Understand organizational change management capabilities.

    Activities

    3.1 Perform service management process maturity assessment.

    3.2 Complete OCM capability assessment.

    3.3 Identify roadmap themes.

    Outputs

    Service management process maturity activities

    OCM action items

    Roadmap themes

    4 Build Roadmap and Communication Tool

    The Purpose

    Use outputs from previous steps to build your roadmap and communication one-pagers.

    Key Benefits Achieved

    Easy-to-understand roadmap one-pager

    Communication one-pager

    Activities

    4.1 Build roadmap one-pager.

    4.2 Build communication one-pager.

    Outputs

    Service management roadmap

    Service management roadmap – Brought to Life communication slide

    Further reading

    Create a Service Management Roadmap

    Implement service management in an order that makes sense.

    ANALYST PERSPECTIVE

    "More than 80% of the larger enterprises we’ve worked with start out wanting to develop advanced service management practices without having the cultural and organizational basics or foundational practices fully in place. Although you wouldn’t think this would be the case in large enterprises, again and again IT leaders are underestimating the importance of cultural and foundational aspects such as governance, management practices, and understanding business value. You must have these fundamentals right before moving on."

    Tony Denford,

    Research Director – CIO

    Info-Tech Research Group

    Our understanding of the problem

    This Research Is Designed For:

    • CIO
    • Senior IT Management

    This Research Will Help You:

    • Create or maintain service management (SM) practices to ensure user-facing services are delivered seamlessly to business users with minimum interruption.
    • Increase the level of reliability and availability of the services provided to the business and improve the relationship and communication between IT and the business.

    This Research Will Also Assist

    • Service Management Process Owners

    This Research Will Help Them:

    • Formalize, standardize, and improve the maturity of service management practices.
    • Identify new service management initiatives to move IT to the next level of service management maturity.

    Executive summary

    Situation

    • Inconsistent adoption of holistic practices has led to a chaotic service delivery model that results in poor customer satisfaction.
    • There is little structure, formalization, or standardization in the way IT services are designed and managed, leading to diminishing service quality and low business satisfaction.

    Complication

    • IT organizations want to be seen as strategic partners, but they fail to address the cultural and organizational constraints.
    • Without alignment with the business goals, services often fail to provide the expected value.
    • Traditional service management approaches are not adaptable for new ways of working.

    Resolution

    • Follow Info-Tech’s methodology to create a service management roadmap that will help guide the optimization of your IT services and improve IT’s value to the business.
    • The blueprint will help you right-size your roadmap to best suit your specific needs and goals and will provide structure, ownership, and direction for service management.
    • This blueprint allows you to accurately identify the current state of service management at your organization. Customize the roadmap and create a plan to achieve your target service management state.

    Info-Tech Insight

    Having effective service management practices in place will allow you to pursue activities such as innovation and drive the business forward. Addressing foundational elements like business alignment and management practices will enable you to build effective core practices that deliver business value. Consistent leadership support and engagement is essential to allow practitioners to focus on delivering expected outcomes.

    Poor service management manifests in many different pains across the organization

    Immaturity in service management will not result in one pain – rather, it will create a chaotic environment for the entire organization, crippling IT’s ability to deliver and perform.

    Low Service Management Maturity

    These are some of the pains that can be attributed to poor service management practices.

    • Frequent service-impacting incidents
    • Low satisfaction with the service desk
    • High % of failed deployments
    • Frequent change-related incidents
    • Frequent recurring incidents
    • Inability to find root cause
    • No communication with the business
    • Frequent capacity-related incidents

    And there are many more…

    Mature service management practices are a necessity, not a nice-to-have

    Immature service management practices are one of the biggest hurdles preventing IT from reaching its true potential.

    In 2004, PwC published a report titled “IT Moves from Cost Center to Business Contributor.” However, the 2014-2015 CSC Global CIO Survey showed that a high percentage of IT is still considered a cost center.

    And low maturity of service management practices is inhibiting activities such as agility, DevOps, digitalization, and innovation.

    A pie chart is shown that is titled: Where does IT sit? The chart has 3 sections. One section represents IT and the business have a collaborative partnership 28%. The next section represents at 33% where IT has a formal client/service provider relationship with the business. The last section has 39% where IT is considered as a cost center.
    Source: CSC Global CIO Survey: 2014-2015 “CIOs Emerge as Disruptive Innovators”

    39%: Resources are primarily focused on managing existing IT workloads and keeping the lights on.

    31%: Too much time and too many resources are used to handle urgent incidents and problems.

    There are many misconceptions about what service management is

    Misconception #1: “Service management is a process”

    Effective service management is a journey that encompasses a series of initiatives that improves the value of services delivered.

    Misconception #2: “Service Management = Service Desk”

    Service desk is the foundation, since it is the main end-user touch point, but service management is a set of people and processes required to deliver business-facing services.

    Misconception #3: “Service management is about the ITSM tool”

    The tool is part of the overall service management program, but the people and processes must be in place before implementing.

    Misconception #4: “Service management development is one big initiative”

    Service management development is a series of initiatives that takes into account an organization’s current state, maturity, capacities, and objectives.

    Misconception #5: “Service management processes can be deployed in any order, assuming good planning and design”

    A successful service management program takes into account the dependencies of processes.

    Misconception #6: “Service management is resolving incidents and deploying changes”

    Service management is about delivering high-value and high-quality services.

    Misconception #7: “Service management is not the key determinant of success”

    As an organization progresses on the service management journey, its ability to deliver high-value and high-quality services increases.

    Misconception #8: “Resolving Incidents = Success”

    Preventing incidents is the name of the game.

    Misconception #9: “Service Management = Good Firefighter”

    Service management is about understanding what’s going on with user-facing services and proactively improving service quality.

    Misconception #10: “Service management is about IT and technical services (e.g. servers, network, database)”

    Service management is about business/user-facing services and the value the services provide to the business.

    Service management projects often don’t succeed because they are focused on process rather than outcomes

    Service management projects tend to focus on implementing process without ensuring foundational elements of culture and management practices are strong enough to support the change.

    1. Aligning your service management goals with your organizational objectives leads to better understanding of the expected outcomes.
    2. Understand your customers and what they value, and design your practices to deliver this value.

    3. IT does not know what order is best when implementing new practices or process improvements.
    4. Don't run before you can walk. Fundamental practices must reach the maturity threshold before developing advanced practices. Implement continuous improvement on your existing processes so they continue to support new practices.

    5. IT does not follow best practices when implementing a practice.
    6. Our best-practice research is based on extensive experience working with clients through advisory calls and workshops.

    Info-Tech can help you create a customized, low-effort, and high-value service management roadmap that will shore up any gaps, prove IT’s value, and achieve business satisfaction.

    Info-Tech’s methodology will help you customize your roadmap so the journey is right for you

    With Info-Tech, you will find out where you are, where you want to go, and how you will get there.

    With our methodology, you can expect the following:

    • Eliminate or reduce rework due to poor execution.
    • Identify dependencies/prerequisites and ensure practices are deployed in the correct order, at the correct time, and by the right people.
    • Engage all necessary resources to design and implement required processes.
    • Assess current maturity and capabilities and design the roadmap with these factors in mind.

    Doing it right the first time around

    You will see these benefits at the end

      ✓ Increase the quality of services IT provides to the business.

      ✓ Increase business satisfaction through higher alignment of IT services.

      ✓ Lower cost to design, implement, and manage services.

      ✓ Better resource utilization, including staff, tools, and budget.

    Focus on a strong foundation to build higher value service management practices

    Info-Tech Insight

    Focus on behaviors and expected outcomes before processes.

    Foundational elements

    • Operating model facilitates service management goals
    • Culture of service delivery
    • Governance discipline to evaluate, direct, and monitor
    • Management discipline to deliver

    Stabilize

    • Deliver stable, reliable IT services to the business
    • Respond to user requests quickly and efficiently
    • Resolve user issues in a timely manner
    • Deploy changes smoothly and successfully

    Proactive

    • Avoid/prevent service disruptions
    • Improve quality of service (performance, availability, reliability)

    Service Provider

    • Understand business needs
    • Ensure services are available
    • Measure service performance, based on business-oriented metrics

    Strategic Partner

    • Fully aligned with business
    • Drive innovation
    • Drive measurable value

    Info-Tech Insight

    Continued leadership support of the foundational elements will allow delivery teams to provide value to the business. Set the expectation of the desired maturity level and allow teams to innovate.

    Follow our model and get to your target state

    A model is depicted that shows the various target states. There are 6 levels showing in the example, and the example is made to look like a tree with a character watering it. In the roots, the level is labelled foundational. The trunk is labelled the core. The lowest hanging branches of the tree is the stabilize section. Above it is the proactive section. Nearing the top of the tree is the service provider. The canopy of the tree are labelled strategic partner.

    Before moving to advanced service management practices, you must ensure that the foundational and core elements are robust enough to support them. Leadership must nurture these practices to ensure they are sustainable and can support higher value, more mature practices.

    Each step along the way, Info-Tech has the tools to help you

    Phase 1: Launch the Project

    Assemble a team with the right talent and vision to increase the chances of project success.

    Phase 2: Assess Current State

    Understand where you are currently on the service management journey using the maturity assessment tool.

    Phase 3: Build Roadmap

    Based on the assessments, build a roadmap to address areas for improvement.

    Phase 4: Build Communication slide

    Based on the roadmap, define the current state, short- and long-term visions for each major improvement area.

    Info-Tech Deliverables:

    • Project Charter
    • Assessment Tools
    • Roadmap Template
    • Communication Template

    CIO call to action

    Improving the maturity of the organization’s service management practice is a big commitment, and the project can only succeed with active support from senior leadership.

    Ideally, the CIO should be the project sponsor, even the project leader. At a minimum, the CIO needs to perform the following activities:

    1. Walk the talk – demonstrate personal commitment to the project and communicate the benefits of the service management journey to IT and the steering committee.
    2. Improving or adopting any new practice is difficult, especially for a project of this size. Thus, the CIO needs to show visible support for this project through internal communication and dedicated resources to help complete this project.

    3. Select a senior, capable, and results-driven project leader.
    4. Most likely, the implementation of this project will be lengthy and technical in some nature. Therefore, the project leader must have a good understanding of the current IT structure, senior standing within the organization, and the relationship and power in place to propel people into action.

    5. Help to define the target future state of IT’s service management.
    6. Determine a realistic target state for the organization based on current capability and resource/budget restraints.

    7. Conduct periodic follow-up meetings to keep track of progress.
    8. Reinforce or re-emphasize the importance of this project to the organization through various communication channels if needed.

    Stabilizing your environment is a must before establishing any more-mature processes

    CASE STUDY

    Industry: Manufacturing

    Source: Engagement

    Challenge

    • The business landscape was rapidly changing for this manufacturer and they wanted to leverage potential cost savings from cloud-first initiatives and consolidate multiple, self-run service delivery teams that were geographically dispersed.

    Solution

    Original Plan

    • Consolidate multiple service delivery teams worldwide and implement service portfolio management.

    Revised Plan with Service Management Roadmap:

    • Markets around the world had very different needs and there was little understanding of what customers value.
    • There was also no understanding of what services were currently being offered within each geography.

    Results

    • Plan was adjusted to understand customer value and services offered.
    • Services were then stabilized and standardized before consolidation.
    • Team also focused on problem maturity and drove a continuous improvement culture and increasing transparency.

    MORAL OF THE STORY:

    Understanding the value of each service allowed the organization to focus effort on high-return activities rather than continuous fire fighting.

    Understand the processes involved in the proactive phase

    CASE STUDY

    Industry: Manufacturing

    Source: Engagement

    Challenge

    • Services were fairly stable, but there were significant recurring issues for certain services.
    • The business was not satisfied with the service quality for certain services, due to periodic availability and reliability issues.
    • Customer feedback for the service desk was generally good.

    Solution

    Original Plan

    • Review all service desk and incident management processes to ensure that service issues were handled in an effective manner.

    Revised Plan with Service Management Roadmap:

    • Design and deploy a rigorous problem management process to determine the root cause of recurring issues.
    • Monitor key services for events that may lead to a service outage.

    Results

    • Root cause of recurring issues was determined and fixes were deployed to resolve the underlying cause of the issues.
    • Service quality improved dramatically, resulting in high customer satisfaction.

    MORAL OF THE STORY:

    Make sure that you understand which processes need to be reviewed in order to determine the cause for service instability. Focusing on the proactive processes was the right answer for this company.

    Have the right culture and structure in place before you become a service provider

    CASE STUDY

    Industry: Healthcare

    Source:Journal of American Medical Informatics Association

    Challenge

    • The IT organization wanted to build a service catalog to demonstrate the value of IT to the business.
    • IT was organized in technology silos and focused on applications, not business services.
    • IT services were not aligned with business activities.
    • Relationships with the business were not well established.

    Solution

    Original Plan

    • Create and publish a service catalog.

    Revised Plan: with Service Management Roadmap:

    • Establish relationships with key stakeholders in the business units.
    • Understand how business activities interface with IT services.
    • Lay the groundwork for the service catalog by defining services from the business perspective.

    Results

    • Strong relationships with the business units.
    • Deep understanding of how business activities map to IT services.
    • Service definitions that reflect how the business uses IT services.

    MORAL OF THE STORY:

    Before you build and publish a service catalog, make sure that you understand how the business is using the IT services that you provide.

    Calculate the benefits of using Info-Tech’s methodology

    To measure the value of developing your roadmap using the Info-Tech tools and methodology, you must calculate the effort saved by not having to develop the methods.

    A. How much time will it take to develop an industry-best roadmap using Info-Tech methodology and tools?

    Using Info-Tech’s tools and methodology you can accurately estimate the effort to develop a roadmap using industry-leading research into best practice.

    B. What would be the effort to develop the insight, assess your team, and develop the roadmap?

    This metric represents the time your team would take to be able to effectively assess themselves and develop a roadmap that will lead to service management excellence.

    C. Cost & time saving through Info-Tech’s methodology

    Measured Value

    Step 1: Assess current state

    Cost to assess current state:

    • 5 Directors + 10 Managers x 10 hours at $X an hour = $A

    Step 2: Build the roadmap

    Cost to create service management roadmap:

    • 5 Directors + 10 Managers x 8 hours at $X an hour = $B

    Step 3: Develop the communication slide

    Cost to create roadmaps for phases:

    • 5 Directors + 10 Managers x 6 hours at $X an hour = $C

    Potential financial savings from using Info-Tech resources:

    Estimated cost to do “B” – (Step 1 ($A) + Step 2 ($B) + Step 3 ($C)) = $Total Saving

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keeps us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks are used throughout all four options.

    Create a Service Management Roadmap – project overview


    Launch the project

    Assess the current state

    Build the roadmap

    Build communication slide

    Best-Practice Toolkit

    1.1 Create a powerful, succinct mission statement

    1.2 Assemble a project team with representatives from all major IT teams

    1.3 Determine project stakeholders and create a communication plan

    1.4 Establish metrics to track the success of the project

    2.1 Assess impacting forces

    2.2 Build service management vision, mission, and values

    2.3 Assess attitudes, behaviors, and culture

    2.4 Assess governance

    2.5 Perform SWOT analysis

    2.6 Identify desired state

    2.7 Assess SM maturity

    2.8 Assess OCM capabilities

    3.1 Document overall themes

    3.2 List individual initiatives

    4.1 Document current state

    4.2 List future vision

    Guided Implementations

    • Kick-off the project
    • Build the project team
    • Complete the charter
    • Understand current state
    • Determine target state
    • Build the roadmap based on current and target state
    • Build short- and long-term visions and initiative list

    Onsite Workshop

    Module 1: Launch the project

    Module 2: Assess current service management maturity

    Module 3: Complete the roadmap

    Module 4: Complete the communication slide

    Workshop overview

    Contact your account representative or email Workshops@InfoTech.com for more information

    Workshop Day 1

    Workshop Day 2

    Workshop Day 3

    Workshop Day 4

    Activities

    Understand Service Management

    1.1 Understand the concepts and benefits of service management.

    1.2 Understand the changing impacting forces that affect your ability to deliver services.

    1.3 Build a compelling vision and mission for your service management program.

    Assess the Current State of Your Service Management Practice

    2.1 Understand attitudes, behaviors, and culture.

    2.2 Assess governance and process ownership needs.

    2.3 Perform SWOT analysis.

    2.4 Define the desired state.

    Complete Current-State Assessment

    3.1 Conduct service management process maturity assessment.

    3.2 Identify organizational change management capabilities.

    3.3 Identify themes for roadmap.

    Build Roadmap and Communication Tool

    4.1 Build roadmap one-pager.

    4.2 Build roadmap communication one-pager.

    Deliverables

    1. Constraints and enablers chart
    2. Service management vision, mission, and values
    1. Action items for cultural improvements
    2. Action items for governance
    3. Identified improvements from SWOT
    4. Defined desired state
    1. Service Management Process Maturity Assessment
    2. Organizational Change Management Assessment
    1. Service management roadmap
    2. Roadmap Communication Tool in the Service Management Roadmap Presentation Template

    PHASE 1

    Launch the Project

    Launch the project

    This step will walk you through the following activities:

    • Create a powerful, succinct mission statement based on your organization’s goals and objectives.
    • Assemble a project team with representatives from all major IT teams.
    • Determine project stakeholders and create a plan to convey the benefits of this project.
    • Establish metrics to track the success of the project.

    Step Insights

    • The project leader should have a strong relationship with IT and business leaders to maximize the benefit of each initiative in the service management journey.
    • The service management roadmap initiative will touch almost every part of the organization; therefore, it is important to have representation from all impacted stakeholders.
    • The communication slide needs to include the organizational change impact of the roadmap initiatives.

    Phase 1 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Launch the Project

    Step 1.1 – Kick-off the Project

    Start with an analyst kick-off call:

    • Identify current organization pain points relating to poor service management practices
    • Determine high-level objectives
    • Create a mission statement

    Then complete these activities…

    • Identify potential team members who could actively contribute to the project
    • Identify stakeholders who have a vested interest in the completion of this project

    With these tools & templates:

    • Service Management Roadmap Project Charter

    Step 1.2 – Complete the Charter

    Review findings with analyst:

    • Create the project team; ensure all major IT teams are represented
    • Review stakeholder list and identify communication messages

    Then complete these activities…

    • Establish metrics to complete project planning
    • Complete the project charter

    With these tools & templates:

    • Service Management Roadmap Project Charter

    Use Info-Tech’s project charter to begin your initiative

    1.1 Service Management Roadmap Project Charter

    The Service Management Roadmap Project Charter is used to govern the initiative throughout the project. It provides the foundation for project communication and monitoring.

    The template has been pre-populated with sample information appropriate for this project. Please review this sample text and change, add, or delete information as required.

    The charter includes the following sections:

    • Mission Statement
    • Goals & Objectives
    • Project Team
    • Project Stakeholders
    • Current State (from phases 2 & 3)
    • Target State (from phases 2 & 3)
    • Target State
    • Metrics
    • Sponsorship Signature
    A screenshot of Info-Tech's Service Management Roadmap Project Charter is shown.

    Use Info-Tech’s ready-to-use deliverable to customize your mission statement

    Adapt and personalize Info-Tech’s Service Management Roadmap Mission Statement and Goals & Objectives below to suit your organization’s needs.

    Goals & Objectives

    • Create a plan for implementing service management initiatives that align with the overall goals/objectives for service management.
    • Identify service management initiatives that must be implemented/improved in the short term before deploying more advanced initiatives.
    • Determine the target state for each initiative based on current maturity and level of investment available.
    • Identify service management initiatives and understand dependencies, prerequisites, and level of effort required to implement.
    • Determine the sequence in which initiatives should be deployed.
    • Create a detailed rollout plan that specifies initiatives, time frames, and owners.
    • Engage the right teams and obtain their commitment throughout both the planning and assessment of roadmap initiatives.
    • both the planning and assessment of roadmap initiatives. Obtain support for the completed roadmap from executive stakeholders.

    Example Mission Statement

    To help [Organization Name] develop a set of service management practices that will better address the overarching goals of the IT department.

    To create a roadmap that sequences initiatives in a way that incorporates best practices and takes into consideration dependencies and prerequisites between service management practices.

    To garner support from the right people and obtain executive buy-in for the roadmap.

    Create a well-balanced project team

    The project leader should be a member of your IT department’s senior executive team with goals and objectives that will be impacted by service management implementation. The project leader should possess the following characteristics:

    Leader

    • Influence and impact
    • Comprehensive knowledge of IT and the organization
    • Relationship with senior IT management
    • Ability to get things done

    Team Members

    Identify

    The project team members are the IT managers and directors whose day-to-day lives will be impacted by the service management roadmap and its implementation. The service management initiative will touch almost every IT staff member in the organization; therefore, it is important to have representatives from every single group, including those that are not mentioned. Some examples of individuals you should consider for your team:

    • Service Delivery Managers
    • Director/Manager of Applications
    • Director/Manager of Infrastructure
    • Director/Manager of Service Desk
    • Business Relationship Managers
    • Project Management Office

    Engage & Communicate

    You want to engage your project participants in the planning process as much as possible. They should be involved in the current-state assessment, the establishment of goals and objectives, and the development of your target state.

    To sell this project, identify and articulate how this project and/or process will improve the quality of their job. For example, a formal incident management process will benefit people working at the service desk or on the applications or infrastructure teams. Helping them understand the gains will help to secure their support throughout the long implementation process by giving them a sense of ownership.

    The project stakeholders should also be project team members

    When managing stakeholders, it is important to help them understand their stake in the project as well as their own personal gain that will come out of this project.

    For many of the stakeholders, they also play a critical role in the development of this project.

    Role & Benefits

    • CIO
    • The CIO should be actively involved in the planning stage to help determine current and target stage.

      The CIO also needs to promote and sell the project to the IT team so they can understand that higher maturity of service management practices will allow IT to be seen as a partner to the business, giving IT a seat at the table during decision making.

    • Service Delivery Managers/Process Owners
    • Service Delivery Managers are directly responsible for the quality and value of services provided to the business owners. Thus, the Service Delivery Managers have a very high stake in the project and should be considered for the role of project leader.

      Service Delivery Managers need to work closely with the process owners of each service management process to ensure clear objectives are established and there is a common understanding of what needs to be achieved.

    • IT Steering Committee
    • The Committee should be informed and periodically updated about the progress of the project.

    • Manager/Director – Service Desk
    • The Manager of the Service Desk should participate closely in the development of fundamental service management processes, such as service desk, incident management, and problem management.

      Having a more established process in place will create structure, governance, and reduce service desk staff headaches so they can handle requests or incidents more efficiently.

    • Manager/Director –Applications & Infrastructure
    • The Manager of Applications and Infrastructure should be heavily relied on for their knowledge of how technology ties into the organization. They should be consulted regularly for each of the processes.

      This project will also benefit them directly, such as improving the process to deploy a fix into the environment or manage the capacity of the infrastructure.

    • Business Relationship Manager
    • As the IT organization moves up the maturity ladder, the Business Relationship Manager will play a fundamental role in the more advanced processes, such as business relationship management, demand management, and portfolio management.

      This project will be an great opportunity for the Business Relationship Manager to demonstrate their value and their knowledge of how to align IT objectives with business vision.

    Ensure you get the entire IT organization on board for the project with a well-practiced change message

    Getting the IT team on board will greatly maximize the project’s chance of success.

    One of the top challenges for organizations embarking on a service management journey is to manage the magnitude of the project. To ensure the message is not lost, communicate this roadmap in two steps.

    1. Communicate the roadmap initiative

    The most important message to send to the IT organization is that this project will benefit them directly. Articulate the pains that IT is currently experiencing and explain that through more mature service management, these pains can be greatly reduced and IT can start to earn a place at the table with the business.

    2. Communicate the implementation of each process separately

    The communication of process implementation should be done separately and at the beginning of each implementation. This is to ensure that IT staff do not feel overwhelmed or overloaded. It also helps to keep the project more manageable for the project team.

    Continuously monitor feedback and address concerns throughout the entire process

    • Host lunch and learns to provide updates on the service management initiative to the entire IT team.
    • Understand if there are any major roadblocks and facilitate discussions on how to overcome them.

    Articulate the service management initiative to the IT organization

    Spread the word and bring attention to your change message through effective mediums and organizational changes.

    Key aspects of a communication plan

    The methods of communication (e.g. newsletters, email broadcast, news of the day, automated messages) notify users of implementation.

    In addition, it is important to know who will deliver the message (delivery strategy). You need IT executives to deliver the message – work hard on obtaining their support as they are the ones communicating to their staff and should be your project champions.

    Anticipate organizational changes

    The implementation of the service management roadmap will most likely lead to organizational changes in terms of structure, roles, and responsibilities. Therefore, the team should be prepared to communicate the value that these changes will bring.

    Communicating Change

    • What is the change?
    • Why are we doing it?
    • How are we going to go about it?
    • What are we trying to achieve?
    • How often will we be updated?

    The Qualities of Leadership: Leading Change

    Create a project communication plan for your stakeholders

    This project cannot be successfully completed without the support of senior IT management.

    1. After the CIO has introduced this project through management meetings or informal conversation, find out how each IT leader feels about this project. You need to make sure the directors and managers of each IT team, especially the directors of application and infrastructure, are on board.
    2. After the meeting, the project leader should seek out the major stakeholders (particularly the heads of applications and infrastructure) and validate their level of support through formal or informal meetings. Create a list documenting the major stakeholders, their level of support, and how the project team will work to gain their approval.
    3. For each identified stakeholder, create a custom communication plan based on their role. For example, if the director of infrastructure is not a supporter, demonstrate how this project will enable them to better understand how to improve service quality. Provide periodic reporting or meetings to update the director on project progress.

    INPUT

    • A collaborative discussion between team members

    OUTPUT

    • Thorough briefing for project launch
    • A committed team

    Materials

    • Communication message and plan
    • Metric tracking

    Participants

    • Project leader
    • Core project team

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    Photo of an Info-Tech analyst is shown.
    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    1.1

    A screenshot of activity 1.1 is shown.

    Create a powerful, succinct mission statement

    Using Info-Tech’s sample mission statement as a guide, build your mission statement based on the objectives of this project and the benefits that this project will achieve. Keep the mission statement short and clear.

    1.2

    A screenshot of activity 1.2 is shown.

    Assemble the project team

    Create a project team with representatives from all major IT teams. Engage and communicate to the project team early and proactively.

    1.3

    A screenshot of activity 1.3 is shown.

    Identify project stakeholders and create a communication plan

    Info-Tech will help you identify key stakeholders who have a vested interest in the success of the project. Determine the communication message that will best gain their support.

    1.4

    A screenshot of activity 1.4 is shown.

    Use metrics to track the success of the project

    The onsite analyst will help the project team determine the appropriate metrics to measure the success of this project.

    PHASE 2

    Assess Your Current Service Management State

    Assess your current state

    This step will walk you through the following activities:

    • Use Info-Tech’s Service Management Maturity Assessment Tool to determine your overall practice maturity level.
    • Understand your level of completeness for each individual practice.
    • Understand the three major phases involved in the service management journey; know the symptoms of each phase and how they affect your target state selection.

    Step Insights

    • To determine the real maturity of your service management practices, you should focus on the results and output of the practice, rather than the activities performed for each process.
    • Focus on phase-level maturity as opposed to the level of completeness for each individual process.

    Phase 2 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 2: Determine Your Service Management Current State

    Step 2.1 – Assess Impacting Forces

    Start with an analyst kick-off call:

    • Discuss the impacting forces that can affect the success of your service management program
    • Identify internal and external constraints and enablers
    • Review and interpret how to leverage or mitigate these elements

    Then complete these activities…

    • Present the findings of the organizational context
    • Facilitate a discussion and create consensus amongst the project team members on where the organization should start

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Step 2.2 – Build Vision, Mission, and Values

    Review findings with analyst:

    • Review your service management vision and mission statement and discuss the values

    Then complete these activities…

    • Socialize the vision, mission, and values to ensure they are aligned with overall organizational vision. Then, set the expectations for behavior aligned with the vision, mission, and values

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Step 2.3 – Assess Attitudes, Behaviors, and Culture

    Review findings with analyst:

    • Discuss tactics for addressing negative attitudes, behaviors, or culture identified

    Then complete these activities…

    • Add items to be addressed to roadmap

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Step 2.4 – Assess Governance Needs

    Review findings with analyst:

    • Understand the typical types of governance structure and the differences between management and governance
    • Choose the management structure required for your organization

    Then complete these activities…

    • Determine actions required to establish an effective governance structure and add items to be addressed to roadmap

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Step 2.5 – Perform SWOT Analysis

    Review findings with analyst:

    • Discuss SWOT analysis results and tactics for addressing within the roadmap

    Then complete these activities…

    • Add items to be addressed to roadmap

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Step 2.6 – Identify Desired State

    Review findings with analyst:

    • Discuss desired state and commitment needed to achieve aspects of the desired state

    Then complete these activities…

    • Use the desired state to critically assess the current state of your service management practices and whether they are achieving the desired outcomes
    • Prep for the SM maturity assessment

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Step 2.7 – Perform SM Maturity Assessment

    Review findings with analyst:

    • Review and interpret the output from your service management maturity assessment

    Then complete these activities…

    • Add items to be addressed to roadmap

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Service Management Maturity Assessment

    Step 2.8 – Review OCM Capabilities

    Review findings with analyst:

    • Review and interpret the output from your organizational change management maturity assessment

    Then complete these activities…

    • Add items to be addressed to roadmap

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Organizational Change Management Assessment

    Understand and assess impacting forces – constraints and enablers

    Constraints and enablers are organizational and behavioral triggers that directly impact your ability and approach to establishing Service Management practices.

    A model is shown to demonstrate the possibe constraints and enablers on your service management program. It incorporates available resources, the environment, management practices, and available technologies.

    Effective service management requires a mix of different approaches and practices that best fit your organization. There’s not a one-size-fits-all solution. Consider the resources, environment, emerging technologies, and management practices facing your organization. What items can you leverage or use to mitigate to move your service management program forward?

    Use Info-Tech’s “Organizational Context” template to list the constraints and enablers affecting your service management

    The Service Management Roadmap Presentation Template will help you understand the business environment you need to consider as you build out your roadmap.

    Discuss and document constraints and enablers related to the business environment, available resources, management practices, and emerging technologies. Any constraints will need to be addressed within your roadmap and enablers should be leveraged to maximize your results.


    Screenshot of Info-Tech's Service Management Roadmap Presentation Template is shown.

    Document constraints and enablers

    1. Discuss and document the constrains and enablers for each aspect of the management mesh: environment, resources, management practices, or technology.
    2. Use this as a thought provoker in later exercises.

    INPUT

    • A collaborative discussion

    OUTPUT

    • Organizational context constraints and enablers

    Materials

    • Whiteboards or flip charts

    Participants

    • All stakeholders

    Build compelling vision and mission statements to set the direction of your service management program

    While you are articulating the vision and mission, think about the values you want the team to display. Being explicit can be a powerful tool to create alignment.

    A vision statement describes the intended state of your service management organization, expressed in the present tense.

    A mission statement describes why your service management organization exists.

    Your organizational values state how you will deliver services.

    Use Info-Tech’s “Vision, Mission, and Values” template to set the aspiration & purpose of your service management practice

    The Service Management Roadmap Presentation Template will help you document your vision for service management, the purpose of the program, and the values you want to see demonstrated.

    If the team cannot gain agreement on their reason for being, it will be difficult to make traction on the roadmap items. A concise and compelling statement can set the direction for desired behavior and help team members align with the vision when trying to make ground-level decisions. It can also be used to hold each other accountable when undesirable behavior emerges. It should be revised from time to time, when the environment changes, but a well-written statement should stand the test of time.

    A screenshot of the Service Management Roadmap Presentation Temaplate is shown. Specifically it is showing the section on the vision, mission, and values results.

    Document your organization’s vision, mission , and values

    1. Vision: Identify your desired target state, consider the details of that target state, and create a vision statement.
    2. Mission: Consider the fundamental purpose of your SM program and craft a statement of purpose.
    3. Values: As you work through the vision and mission, identify values that your organization prides itself in or has the aspiration for.
    4. Discuss common themes and then develop a concise vision statement and mission statement that incorporates the group’s ideas.

    INPUT

    • A collaborative discussion

    OUTPUT

    • Vision statement
    • Mission statement
    • Organizational values

    Materials

    • Whiteboards or flip charts
    • Sample vision and mission statements

    Participants

    • All stakeholders
    • Senior leadership

    Understanding attitude, behavior, and culture

    Attitude

    • What people think and feel. It can be seen in their demeanor and how they react to change initiatives, colleagues, and users.

    Any form of organizational change involves adjusting people’s attitudes, creating buy-in and commitment. You need to identify and address attitudes that can lead to negative behaviors and actions or that are counter-productive. It must be made visible and related to your desired behavior.

    Behaviour

    • What people do. This is influenced by attitude and the culture of the organization.

    To implement change within IT, especially at a tactical level, both IT and organizational behavior needs to change. This is relevant because people don’t like to change and will resist in an active or passive way unless you can sell the need, value, and benefit of changing their behavior.

    Culture

    • The accepted and understood ways of working in an organization. The values and standards that people find normal and what would be tacitly identified to new resources.

    The organizational or corporate “attitude,” the impact on employee behavior and attitude is often not fully understood. Culture is an invisible element, which makes it difficult to identify, but it has a strong impact and must be addressed to successfully embed any organizational change or strategy.

    Culture is a critical and under-addressed success factor

    43% of CIOs cited resistance to change as the top impediment to a successful digital strategy.

    CIO.com

    75% of organizations cannot identify or articulate their culture or its impact.

    Info-Tech

    “Shortcomings in organizational culture are one of the main barriers to company success in the digital age.”

    McKinsey – “Culture for a digital age”

    Examples of how they apply

    Attitude

    • “I’ll believe that when I see it”
    • Positive outlook on new ideas and changes

    Behaviour

    • Saying you’ll follow a new process but not doing so
    • Choosing not to document a resolution approach or updating a knowledge article, despite being asked

    Culture

    • Hero culture (knowledge is power)
    • Blame culture (finger pointing)
    • Collaborative culture (people rally and work together)

    Why have we failed to address attitude, behavior, and culture?

      ✓ While there is attention and better understanding of these areas, very little effort is made to actually solve these challenges.

      ✓ The impact is not well understood.

      ✓ The lack of tangible and visible factors makes it difficult to identify.

      ✓ There is a lack of proper guidance, leadership skills, and governance to address these in the right places.

      ✓ Addressing these issues has to be done proactively, with intent, rigor, and discipline, in order to be successful.

      ✓ We ignore it (head in the sand and hoping it will fix itself).

    Avoidance has been a common strategy for addressing behavior and culture in organizations.

    Use Info-Tech’s “Culture and Environment” template to identify cultural constraints that should be addressed in roadmap

    The Service Management Roadmap Presentation Template will help you document attitude, behavior, and culture constraints.

    Discuss as a team attitudes, behaviors, and cultural aspects that can either hinder or be leveraged to support your vision for the service management program. Capture all items that need to be addressed in the roadmap.

    A screenshot of the Service Management Roadmap Presentation Template is shown. Specifically showing the culture and environment slide.

    Document your organization’s attitudes, behaviors, and culture

    1. Discuss and document positive and negative aspects of attitude, behavior, or culture within your organization.
    2. Identify the items that need to be addressed as part of your roadmap.

    INPUT

    • A collaborative discussion

    OUTPUT

    • Culture and environment worksheet

    Materials

    • Whiteboards or flip charts

    Participants

    • All stakeholders

    The relationship to governance

    Attitude, behavior, and culture are still underestimated as core success factors in governance and management.

    Behavior is a key enabler of good governance. Leading by example and modeling behavior has a cascading impact on shifting culture, reinforcing the importance of change through adherence.

    Executive leadership and governing bodies must lead and support cultural change.

    Key Points

    • Less than 25% of organizations have formal IT governance in place (ITSM Tools).
    • Governance tends to focus on risk and compliance (controls), but forgets the impact of value and performance.

    Lack of oversight often limits the value of service management implementations

    Organizations often fail to move beyond risk mitigation, losing focus of the goals of their service management practices and the capabilities required to produce value.

    Risk Mitigation

    • Stabilize IT
    • Service Desk
    • Incident Management
    • Change Management

    Gap

    • Organizational alignment through governance
    • Disciplined focus on goals of SM

    Value Production

    • Value that meets business and consumer needs

    This creates a situation where service management activities and roadmaps focus on adjusting and tweaking process areas that no longer support how the organization needs to work.

    How does establishing governance for service management provide value?

    Governance of service management is a gap in most organizations, which leads to much of the failure and lack of value from service management processes and activities.

    Once in place, effective governance enables success for organizations by:

    1. Ensuring service management processes improve business value
    2. Measuring and confirming the value of the service management investment
    3. Driving a focus on outcome and impact instead of simply process adherence
    4. Looking at the integrated impact of service management in order to ensure focused prioritization of work
    5. Driving customer-experience focus within organizations
    6. Ensuring quality is achieved and addressing quality impacts and dependencies between processes

    Four common service management process ownership models

    Your ownership structure largely defines how processes will need to be implemented, maintained, and improved. It has a strong impact on their ability to integrate and how other teams perceive their involvement.

    An organizational structure is shown. In the image is an arrow, with the tip facing in the right direction. The left side of the arrow is labelled: Traditional, and the right side is labelled: Complex. The four models are noted along the arrow. Starting on the left side and going to the right are: Distributed Process Ownership, Centralized Process Ownership, Federated Process Ownership, and Service Management Office.

    Most organizations are somewhere within this spectrum of four core ownership models, usually having some combination of shared traits between the two models that are closest to them on the scale.

    Info-Tech Insight

    The organizational structure that is best for you depends on your needs, and one is not necessarily better than another. The next four slides describe when each ownership level is most appropriate.

    Distributed process ownership

    Distributed process ownership is usually evident when organizations initially establish their service management practices. The processes are assigned to a specific group, who assumes some level of ownership over its execution.

    The distributed process ownership model is shown. CIO is listed at the top with four branches leading out from below it. The four branches are labelled: Service Desk, Operations, Applications, and Security.

    Info-Tech Insight

    This model is often a suitable approach for initial implementations or where it may be difficult to move out of siloes within the organization’s structure or culture.

    Centralized process ownership

    Centralized process ownership usually becomes necessary for organizations as they move into a more functional structure. It starts to drive management of processes horizontally across the organization while still retaining functional management control.

    A centralized process ownership model is shown. The CIO is at the top and the following are branches below it: Service Manager, Support, Middleware, Development, and Infrastructure.

    Info-Tech Insight

    This model is often suitable for maturing organizations that are starting to look at process integration and shared service outcomes and accountability.

    Federated process ownership

    Federated process ownership allows for global control and regional variation, and it supports product orientation and Agile/DevOps principles

    A federated process ownership model is shown. The Sponsor/CIO is at the top, with the ITSM Executive below it. Below that level is the: Process Owner, Process Manager, and Process Manager.

    Info-Tech Insight

    Federated process ownership is usually evident in organizations that have an international or multi-regional presence.

    Service management office (SMO)

    SMO structures tend to occur in highly mature organizations, where service management responsibility is seen as an enterprise accountability.

    A service management office model is shown. The CIO is at the top with the following branches below it: SMO, End-User Services, Infra., Apps., and Architecture.

    Info-Tech Insight

    SMOs are suitable for organizations with a defined IT and organizational strategy. A SMO supports integration with other enterprise practices like enterprise architecture and the PMO.

    Determine which process ownership and governance model works best for your organization

    The Service Management Roadmap Presentation Template will help you document process ownership and governance model

    Example:

    Key Goals:

      ☐ Own accountability for changes to core processes

      ☐ Understand systemic nature and dependencies related to processes and services

      ☐ Approve and prioritize improvement and CSI initiatives related to processes and services

      ☐ Evaluate success of initiative outcomes based on defined benefits and expectations

      ☐ Own Service Management and Governance processes and policies

      ☐ Report into ITSM executive or equivalent body

    Membership:

      ☐ Process Owners, SM Owner, Tool Owner/Liaison, Audit

    Discuss as a team which process ownership model works for your organization. Determine who will govern the service management practice. Determine items that should be identified in your roadmap to address governance and process ownership gaps.

    Use Info-Tech’s “SWOT” template to identify strengths, weaknesses, opportunities & threats that should be addressed

    The Service Management Roadmap Presentation Template will help you document items from your SWOT analysis.

    A screenshot of the Service Management Roadmap Presentation Template is shown. Specifically the SWOT section is shown.

    Brainstorm the strengths, weaknesses, opportunities, and threats related to resources, environment, technology, and management practices. Add items that need to be addressed to your roadmap.

    Perform a SWOT analysis

    1. Brainstorm each aspect of the SWOT with an emphasis on:
    • Resources
    • Environment
    • Technologies
    • Management Practices
  • Record your ideas on a flip chart or whiteboard.
  • Add items to be addressed to the roadmap.
  • INPUT

    • A collaborative discussion

    OUTPUT

    • SWOT analysis
    • Priority items identified

    Materials

    • Whiteboards or flip charts

    Participants

    • All stakeholders

    Indicate desired maturity level for your service management program to be successful

    Discuss the various maturity levels and choose a desired level that would meet business needs.

    The desired maturity model is depicted.

    INPUT

    • A collaborative discussion

    OUTPUT

    • Desired state of service management maturity

    Materials

    • None

    Participants

    • All stakeholders

    Use Info-Tech’s Service Management Process Maturity Assessment Tool to understand your current state

    The Service Management Process Maturity Assessment Tool will help you understand the true state of your service management.

    A screenshot of Info-Tech's Service Management Process Assessment Tool is shown.

    Part 1, Part 2, and Part 3 tabs

    These three worksheets contain questions that will determine the overall maturity of your service management processes. There are multiple sections of questions focused on different processes. It is very important that you start from Part 1 and continue the questions sequentially.

    Results tab

    The Results tab will display the current state of your service management processes as well as the percentage of completion for each individual process.

    Complete the service management process maturity assessment

    The current-state assessment will be the foundation of building your roadmap, so pay close attention to the questions and answer them truthfully.

    1. Start with tab 1 in the Service Management Process Maturity Assessment Tool. Remember to read the questions carefully and always use the feedback obtained through the end-user survey to help you determine the answer.
    2. In the “Degree of Process Completeness” column, use the drop-down menu to input the results solicited from the goals and objectives meeting you held with your project participants.
    3. A screenshot of Info-Tech's Service Management Process Assessment Tool is shown. Tab 1 is shown.
    4. Host a meeting with all participants following completion of the survey and have them bring their results. Discuss in a round-table setting, keeping a master sheet of agreed upon results.

    INPUT

    • Service Management Process Maturity Assessment Tool questions

    OUTPUT

    • Determination of current state

    Materials

    • Service Management Process Maturity Assessment Tool

    Participants

    • Project team members

    Review the results of your current-state assessment

    At the end of the assessment, the Results tab will have action items you could perform to close the gaps identified by the process assessment tool.

    A screenshot of Info-Tech's Service Management Process Maturity Assessment Results is shown.

    INPUT

    • Maturity assessment results

    OUTPUT

    • Determination of overall and individual practice maturity

    Materials

    • Service Management Maturity Assessment Tool

    Participants

    • Project team members

    Use Info-Tech’s OCM Capability Assessment tool to understand your current state

    The Organizational Change Management Capabilities Assessment tool will help you understand the true state of your organizational change management capabilities.

    A screenshot of Info-Tech's Organizational Change Management Capabilities Assessment

    Complete the Capabilities tab to capture the current state for organizational change management. Review the Results tab for interpretation of the capabilities. Review the Recommendations tab for actions to address low areas of maturity.

    Complete the OCM capability assessment

    1. Open Organizational Change Management Capabilities Assessment tool.
    2. Come to consensus on the most appropriate answer for each question. Use the 80/20 rule.
    3. Review result charts and discuss findings.
    4. Identify roadmap items based on maturity assessment.

    INPUT

    • A collaborative discussion

    OUTPUT

    • OCM Assessment tool
    • OCM assessment results

    Materials

    • OCM Capabilities Assessment tool

    Participants

    • All stakeholders

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    Photo of an Info-Tech analyst is shown.

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    2.1

    A screenshot of activity 2.1 is shown.

    Create a powerful, succinct mission statement

    Using Info-Tech’s sample mission statement as a guide, build your mission statement based on the objectives of this project and the benefits that this project will achieve. Keep the mission statement short and clear.

    2.2

    A screenshot of activity 2.2 is shown.

    Complete the assessment

    With the project team in the room, go through all three parts of the assessment with consideration of the feedback received from the business.

    2.3

    A screenshot of activity 2.3 is shown.

    Interpret the results of the assessment

    The Info-Tech onsite analyst will facilitate a discussion on the overall maturity of your service management practices and individual process maturity. Are there any surprises? Are the results reflective of current service delivery maturity?

    PHASE 3

    Build Your Service Management Roadmap

    Build Roadmap

    This step will walk you through the following activities:

    • Document your vision and mission on the roadmap one-pager.
    • Using the inputs from the current-state assessments, identify the key themes required by your organization.
    • Identify individual initiatives needed to address key themes.

    Step Insights

    • Using the Info-Tech thought model, address foundational gaps early in your roadmap and establish the management methods to continuously make them more robust.
    • If any of the core practices are not meeting the vision for your service management program, be sure to address these items before moving on to more advanced service management practices or processes.
    • Make sure the story you are telling with your roadmap is aligned to the overall organizational goals.

    Phase 3 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 3: Determine Your Service Management Target State

    Step 3.1 – Document the Overall Themes

    Start with an analyst kick-off call:

    • Review the outputs from your current-state assessments to identify themes for areas that need to be included in your roadmap

    Then complete these activities…

    • Ensure foundational elements are solid by adding any gaps to the roadmap
    • Identify any changes needed to management practices to ensure continuous improvement

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Step 3.2 – Determine Individual Initiatives

    Review findings with analyst:

    • Determine the individual initiatives needed to close the gaps between the current state and the vision

    Then complete these activities…

    • Finalize and document roadmap for executive socialization

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Focus on a strong foundation to build higher value service management practices

    Info-Tech Insight

    Focus on behaviors and expected outcomes before processes.

    Foundational elements

    • Operating model facilitates service management goals
    • Culture of service delivery
    • Governance discipline to evaluate, direct, and monitor
    • Management discipline to deliver

    Stabilize

    • Deliver stable, reliable IT services to the business
    • Respond to user requests quickly and efficiently
    • Resolve user issues in a timely manner
    • Deploy changes smoothly and successfully

    Proactive

    • Avoid/prevent service disruptions
    • Improve quality of service (performance, availability, reliability)

    Service Provider

    • Understand business needs
    • Ensure services are available
    • Measure service performance, based on business-oriented metrics

    Strategic Partner

    • Fully aligned with business
    • Drive innovation
    • Drive measurable value

    Info-Tech Insight

    Continued leadership support of the foundational elements will allow delivery teams to provide value to the business. Set the expectation of the desired maturity level and allow teams to innovate.

    Identify themes that can help you build a strong foundation before moving to higher level practices

    A model is depicted that shows the various target states. There are 6 levels showing in the example, and the example is made to look like a tree with a character watering it. In the roots, the level is labelled foundational. The trunk is labelled the core. The lowest hanging branches of the tree is the stabilize section. Above it is the proactive section. Nearing the top of the tree is the service provider. The top most branches of the tree is labelled strategic partner.

    Before moving to advanced service management practices, you must ensure that the foundational and core elements are robust enough to support them. Leadership must nurture these practices to ensure they are sustainable and can support higher value, more mature practices.

    Use Info-Tech’s “Service Management Roadmap” template to document your vision, themes and initiatives

    The Service Management Roadmap Presentation Template contains a roadmap template to help communicate your vision, themes to be addressed, and initiatives

    A screenshot of Info-Tech's Service Management Roadmap template is shown.

    Working from the lower maturity items to the higher value practices, identify logical groupings of initiatives into themes. This will aid in communicating the reasons for the needed changes. List the individual initiatives below the themes. Adding the service management vision and mission statements can help readers understand the roadmap.

    Document your service management roadmap

    1. Document the service management vision and mission on the roadmap template.
    2. Identify, from the assessments, areas that need to be improved or implemented.
    3. Group the individual initiatives into logical themes that can ease communication of what needs to happen.
    4. Document the individual initiatives.
    5. Document in terms that business partners and executive sponsors can understand.

    INPUT

    • Current-state assessment outputs
    • Maturity model

    OUTPUT

    • Service management roadmap

    Materials

    • Whiteboard
    • Roadmap template

    Participants

    • All stakeholders

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    Photo of an Info-Tech analyst is shown.

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    3.1

    A screenshot of activity 3.1 is shown.

    Identify themes to address items from the foundational level up to higher value service management practices

    Identify easily understood themes that will help others understand the expected outcomes within your organization.

    A screenshot of activity 3.2 is shown.

    Document individual initiatives that contribute to the themes

    Identify specific activities that will close gaps identified in the assessments.

    PHASE 2

    Build Communication Slide

    Complete your service management roadmap

    This step will walk you through the following activities:

    • Use the current-state assessment exercises to document the state of your service management practices. Document examples of the behaviors that are currently seen.
    • Document the expected short-term gains. Describe how you want the behaviors to change.
    • Document the long-term vision for each item and describe the benefits you expect to see from addressing each theme.

    Step Insights

    • Use the communication template to acknowledge the areas that need to be improved and paint the short- and long-term vision for the improvements to be made through executing the roadmap.
    • Write it in business terms so that it can be used widely to gain acceptance of the upcoming changes that need to occur.
    • Include specific areas that need to be fixed to make it more tangible.
    • Adding the values from the vision, mission, and values exercise can also help you set expectations about how the team will behave as they move towards the longer-term vision.

    Phase 4 Outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 4: Build the Service Management Roadmap

    Step 4.1: Document the Current State

    Start with an analyst kick-off call:

    • Review the pain points identified from the current state analysis
    • Discuss tactics to address specific pain points

    Then complete these activities…

    • Socialize the pain points within the service delivery teams to ensure nothing is being misrepresented
    • Gather ideas for the future state

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Step 4.2: List the Future Vision

    Review findings with analyst:

    • Review short- and long-term vision for improvements for the pain points identified in the current state analysis

    Then complete these activities…

    • Prepare to socialize the roadmap
    • Ensure long-term vision is aligned with organizational objectives

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Use Info-Tech’s “Service Management Roadmap – Brought to Life” template to paint a picture of the future state

    The Service Management Roadmap Presentation Template contains a communication template to help communicate your vision of the future state

    A screenshot of Info-Tech's Service Management Roadmap - Brought to Life template

    Use this template to demonstrate how existing pain points to delivering services will improve over time by painting a near- and long-term picture of how things will change. Also list specific initiatives that will be launched to affect the changes. Listing the values identified in the vision, mission, and values exercise will also demonstrate the team’s commitment to changing behavior to create better outcomes.

    Document your current state and list initiatives to address them

    1. Use the previous assessments and feedback from business or customers to identify current behaviors that need addressing.
    2. Focus on high-impact items for this document, not an extensive list.
    3. An example of step 1 and 2 are shown.
    4. List the initiatives or actions that will be used to address the specific pain points.

    An example of areas for improvement.

    INPUT

    • Current-state assessment outputs
    • Feedback from business

    OUTPUT

    • Service Management Roadmap Communication Tool, in the Service Management Roadmap Presentation

    Materials

    • Whiteboard
    • Roadmap template

    Participants

    • All stakeholders

    Document your future state

    An example of document your furture state is shown.

    1. For each pain point document the expected behaviors, both short term and longer term.
    2. Write in terms that allow readers to understand what to expect from your service management practice.

    INPUT

    • Current-state assessment outputs
    • Feedback from business

    OUTPUT

    • Service Management Roadmap Communication Tool, in the Service Management Roadmap Presentation Template

    Materials

    • Whiteboard
    • Roadmap template

    Participants

    • All stakeholders

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    Photo of an Info-Tech analyst is shown.

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    4.1

    A screenshot of activity 4.1 is shown.

    Identify the pain points and initiatives to address them

    Identify items that the business can relate to and initiatives or actions to address them.

    4.2

    A screenshot of activity 4.2 is shown.

    Identify short- and long-term expectations for service management

    Communicate the benefits of executing the roadmap both short- and long-term gains.

    Research contributors and experts

    Photo of Valence Howden

    Valence Howden, Principal Research Director, CIO Practice

    Info-Tech Research Group

    Valence helps organizations be successful through optimizing how they govern, design, and execute strategies, and how they drive service excellence in all work. With 30 years of IT experience in the public and private sectors, he has developed experience in many information management and technology domains, with focus in service management, enterprise and IT governance, development and execution of strategy, risk management, metrics design and process design, and implementation and improvement.

    Photo of Graham Price

    Graham Price, Research Director, CIO Practice

    Info-Tech Research Group

    Graham has an extensive background in IT service management across various industries with over 25 years of experience. He was a principal consultant for 17 years, partnering with Fortune 500 clients throughout North America, leveraging and integrating industry best practices in IT service management, service catalog, business relationship management, IT strategy, governance, and Lean IT and Agile.

    Photo of Sharon Foltz

    Sharon Foltz, Senior Workshop Director

    Info-Tech Research Group

    Sharon is a Senior Workshop Director at Info-Tech Research Group. She focuses on bringing high value to members via leveraging Info-Tech’s blueprints and other resources enhanced with her breadth and depth of skills and expertise. Sharon has spent over 15 years in various IT roles in leading companies within the United States. She has strong experience in organizational change management, program and project management, service management, product management, team leadership, strategic planning, and CRM across various global organizations.

    Related Info-Tech Research

    Build a Roadmap for Service Management Agility

    Extend the Service Desk to the Enterprise

    Bibliography

    • “CIOs Emerge as Disruptive Innovators.” CSC Global CIO Survey: 2014-2015. Web.
    • “Digital Transformation: How Is Your Organization Adapting?” CIO.com, 2018. Web.
    • Goran, Julie, Laura LaBerge, and Ramesh Srinivasan. “Culture for a digital age.” McKinsey, July 2017. Web.
    • The Qualities of Leadership: Leading Change. Cornelius & Associates, 14 April 2012.
    • Wilkinson, Paul. “Culture, Ethics, and Behavior – Why Are We Still Struggling?” ITSM Tools, 5 July 2018. Web.

    Improve Service Desk Ticket Queue Management

    • Buy Link or Shortcode: {j2store}492|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Service Desk
    • Parent Category Link: /service-desk
    • Service desk tickets pile up in the queue, get lost or buried, jump between queues without progress, leading to slow response and resolution times, a seemingly insurmountable backlog and breached SLAs.
    • There are no defined rules or processes for how tickets should be assigned and routed and technicians don’t know how to prioritize their assigned work, meaning tickets take too long to get to the right place and aren’t always resolved in the correct or most efficient order.
    • Nobody has authority or accountability for queue management, meaning everyone has eyes only on their own tickets while others fall through the cracks.

    Our Advice

    Critical Insight

    If everybody is managing the queue, then nobody is. Without clear ownership and accountability over each and every queue, then it becomes too easy for everyone to assume someone else is handling or monitoring a ticket when in fact nobody is. Assign a Queue Manager to each queue and ensure someone is responsible for monitoring ticket movement across all the queues.

    Impact and Result

    • Clearly define your queue structure, organize the queues by content, then assign resources to relevant queues depending on their role and expertise.
    • Define and document queue management processes, from initial triage to how to prioritize work on assigned tickets. Once processes have been defined, identify opportunities to build in automation to improve efficiency.
    • Ensure everyone who handles tickets is clear on their responsibilities and establish clear ownership and accountability for queue management.

    Improve Service Desk Ticket Queue Management Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Ticket Queue Management Deck – A guide to service desk ticket queue management best practices and advice

    This storyboard reviews the top ten pieces of advice for improving ticket queue management at the service desk.

    • Improve Service Desk Ticket Queue Management Storyboard

    2. Service Desk Queue Structure Template – A template to help you map out and optimize your service desk ticket queues

    This template includes several examples of service desk queue structures, followed by space to build your own model of your optimal service desk queue structure and document who is assigned to each queue and responsible for managing each queue.

    • Service Desk Queue Structure Template
    [infographic]

    Further reading

    Improve Service Desk Ticket Queue Management

    Strong queue management is the foundation to good customer service

    Analyst Perspective

    Secure your foundation before you start renovating.

    Service Desk and IT leaders who are struggling with low efficiency, high backlogs, missed SLAs, and poor service desk metrics often think they need to hire more resources or get a new ITSM tool with better automation and AI capabilities. However, more often than not, the root cause of their challenges goes back to the fundamentals.

    Strong ticket queue management processes are critical to the success of all other service desk processes. You can’t resolve incidents and fulfill service requests in time to meet SLAs without first getting the ticket to the right place efficiently and then managing all tickets in the queue effectively. It sounds simple, but we see a lot of struggles around queue management, from new tickets sitting too long before being assigned, to in-progress tickets getting buried in favor of easier or higher-priority tickets, to tickets jumping from queue to queue without progress, to a seemingly insurmountable backlog.

    Once you have taken the time to clearly structure your queues, assign resources, and define your processes for routing tickets to and from queues and resolving tickets in the queue, you will start to see response and resolution time decrease along with the ticket backlog. However, accountability for queue management is often overlooked and is really key to success.
    This is an image of Dr. Natalie Sansone, Senior Research Analyst at Info-Tech Research Group

    Natalie Sansone, PhD
    Senior Research Analyst, Infrastructure & Operations
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • Tickets come into the service desk via multiple channels (email, phone, chat, portal) and aren’t consolidated into a single queue, making it difficult to know what to prioritize.
    • New tickets sit in the queue for too long before being assigned while assigned tickets sit for too long without progress or in the wrong queue, leading to slow response and resolution times.
    • Tickets quickly pile up in the queues, get lost or buried, or jump between queues without finding the right home, leading to a seemingly insurmountable backlog and breached SLAs.

    Common Obstacles

    • All tickets pile into the same queue, making it difficult to view, manage, or know who’s working on what.
    • There are no defined rules or processes for how tickets should be assigned and routed, meaning they often take too long to get to the right place.
    • Technicians have no guidelines as to how to prioritize their work, and no easy way to organize their tickets or queue to know what to work on next.
    • Nobody has authority or accountability for queue management, meaning everyone has eyes only on their own tickets while others fall through the cracks.

    Info-Tech’s Approach

    • Clearly define your queue structure, organize the queues by content, then assign resources to relevant queues depending on their role and expertise.
    • Define and document queue management processes, from initial triage to how to prioritize work on assigned tickets. Ensure everyone who handles tickets is clear on their responsibilities.
    • Establish clear ownership and accountability for queue management.
    • Once processes have been defined, identify opportunities to build in automation to improve efficiency.

    Info-Tech Insight

    If everybody is managing the queue, then nobody is. Without clear ownership and accountability over each and every queue it becomes too easy for everyone to assume someone else is handling or monitoring a ticket when in fact nobody is. Assign a Queue Manager to each queue and ensure someone is responsible for monitoring ticket movement across all the queues.

    Timeliness is essential to customer satisfaction

    And timeliness can’t be achieved without good queue management practices.

    As soon as that ticket comes in, the clock starts ticking…

    A host of different factors influence service desk response time and resolution time, including process optimization and documentation, workflow automation, clearly defined prioritization and escalation rules, and a comprehensive and easily accessible knowledgebase.

    However, the root cause of poor response and resolution time often comes down to the basics like ticket queue management. Without clearly defined processes and ownership for assigning and actioning tickets from the queue in the most effective order and manner, customer satisfaction will suffer.

    For every 12-hour delay in response time*, CSAT drops by 9.6%.

    *to email and web support tickets
    Source: Freshdesk, 2021

    A Freshworks analysis of 107 million service desk interactions found the relationship between CSAT and response time is stronger than resolution time - when customers receive prompt responses and regular updates, they place less value on actual resolution time.

    A queue is simply a line of people (or tickets) waiting to be helped

    When customers reach out to the service desk for help, their messages are converted into tickets that are stored in a queue, waiting to be actioned appropriately.

    Ticket Queue

    Email/web
    Ideally, the majority of tickets come into the ticket queue through email or a self-service portal, allowing for appropriate categorization, prioritization, and assignment.

    Phone
    For IT teams with a high volume of support requests coming in through the phone, reducing wait time in queue may be a priority.

    Chat
    Live chat is growing in popularity as an intake method and may require routing and distribution rules to prevent long or multiple queues.

    Queue Management

    Queue management is a set of processes and tools to direct and monitor tickets or manage ticket flow. It involves the following activities:

    • Review incoming tickets
    • Categorize and prioritize tickets
    • Route or assign appropriately
    • View or update ticket status
    • Monitor resource workload
    • Ensure tickets are being actioned in time
    • Proactively identify SLA breaches

    Ineffective queue management can bury you in backlog

    Ticket backlog with poor queue management

    Without a clear and efficient process or accountability for moving incoming tickets to the right place, tickets will be worked on randomly, older tickets will get buried, the backlog will grow, and SLAs will be missed.

    Ticket backlog with good queue management

    With effective queue management and ownership, tickets are quickly assigned to the right resource, worked on within the appropriate SLO/SLA, and actively monitored, leading to a more manageable backlog and good response and resolution times.

    A growing backlog will quickly lead to dissatisfied end users and staff

    Failing to efficiently move tickets from the queue or monitor tickets in the queue can quickly lead to tickets being buried and support staff feeling buried in tickets.

    Common challenges with queue management include:

    • Tickets come in through multiple channels and aren’t consolidated into a single queue
    • New tickets sit unassigned for too long, resulting in long response times
    • Tickets move around between multiple queues with no clear ownership
    • Assigned tickets sit too long in a queue without progress and breach SLA
    • No accountability for queue ownership and monitoring
    • Technicians cherry pick the easiest tickets from the queue
    • Technicians have no easy way to organize their queue to know what to work on next

    This leads to:

    • Long response times
    • Long resolution times
    • Poor workload distribution and efficiency
    • High backlog
    • Disengaged, frustrated staff
    • Dissatisfied end users

    Info-Tech Insight

    A growing backlog will quickly lead to frustrated and dissatisfied customers, causing them to avoid the service desk and seek alternate methods to get what they need, whether going directly to their favorite technician or their peers (otherwise known as shadow IT).

    Dig yourself out with strong queue management

    Strong queue management is the foundation to good customer service.

    Build a mature ticket queue management process that allows your team to properly prioritize, assign, and work on tickets to maximize response and resolution times.

    A mature queue management process will:

    • Reduce response time to address tickets.
    • Effectively prioritize tickets and ensure everyone knows what to work on next.
    • Ensure tickets get assigned and routed to the right queue and/or resource efficiently.
    • Reduce overall resolution time to resolve tickets.
    • Enable greater accountability for queue management and monitoring of tickets.
    • Improve customer and employee satisfaction.

    As queue management maturity increases:
    Response time decreases
    Resolution time decreases
    Backlog decreases
    End-user satisfaction increases

    Ten Tips to Effectively Manage Your Queue

    The remaining slides in this deck will review these ten pieces of advice for designing and managing your ticket queues effectively and efficiently.

    1. Define your optimal queue structure
    2. Design and assign resources to relevant queues
    3. Define and document queue management processes
    4. Clearly define queue management responsibilities for every team member
    5. Establish clear ownership & accountability over all queues
    6. Always keep ticket status and documentation up to date
    7. Shift left to reduce queue volume
    8. Build-in automation to improve efficiency
    9. Configure your ITSM tool to support and optimize queue management processes
    10. Don’t lose visibility of the backlog

    #1: Define your optimal queue structure

    There is no one right way to do queue management; choose the approach that will result in the highest value for your customers and IT staff.

    Sample queue structures

    This is an image of a sample Queue structure, where Incoming Tickets from all channels pass through auto or manual Queue assignment, to a numbered queue position.

    *Queues may be defined by skillset, role, ticket category, priority, or a hybrid.

    Triage and Assign

    • All incoming tickets are assigned to an appropriate queue based on predefined criteria.
    • Queue assignment may be done through automated workflows based on specific fields within the ticket, or manually by a
    • Queue Manager, dedicated coordinator, or Tier 1 staff.
    • Queues may be defined based on:
      • Skillset/team (e.g. Infrastructure, Security, Apps, etc.)
      • Ticket category (e.g. Network, Office365, Hardware, etc.)
      • Priority (e.g. P1, P2, P3, P4, P5)
    • Resources may be assigned to multiple queues.

    Define your optimal queue structure (cont.)

    Tiered generalist model

    • All incidents and service requests are routed to Tier 1 first, who prioritize and, if appropriate, conduct initial triage, troubleshooting, and resolution on a wide range of issues.
    • More complex or high-priority tickets are escalated to resources at Tier 2 and/or Tier 3, who are specialists working on projects in addition to support tickets.
    This is an image of the Tiered Generalist Model

    Unassigned queue

    • Very small teams may work from an unassigned queue if there are processes in place to monitor tickets and workload balance.
    • Typically, these teams work by resolving the oldest tickets first regardless of complexity (also known as First In, First Out or FIFO). However, this doesn’t allow for much flexibility in terms of priority of the request or customer.
    This is an image of an unassigned queue model

    #2: Design and assign resources to relevant queues

    Once you’ve defined your overall structure, define the content of each queue.

    This image depicts a sample queue organization structure. The bin titles are: Workgroup; Customer Group; Problem Type; and Hybrid

    Info-Tech Insight

    Start small; don’t create a queue for every possible ticket type. Remember that someone needs to be accountable for each of these queues, so only build what you can monitor.

    #3 Define and document queue management processes

    A clear, comprehensive, easily digestible SOP or workflow outlining the steps for handling new tickets and working tickets from the queue will help agents deliver a consistent experience.

    PROCESS INCLUDES:

    DEFINE THE FOLLOWING:

    TRIAGING INCOMING TICKETS

    • Ensure a ticket is created for every issue coming from every channel (e.g. phone, email, chat, walk-in, portal).
    • Assign a priority to each ticket.
    • Categorize ticket and add any necessary documentation
    • Update ticket status.
    • Delete spam, merge duplicate tickets, clean up inbox.
    • Assign tickets to appropriate queue or resource, escalate when necessary.
    • How should tickets be prioritized?
    • How should tickets from each channel be prioritized and routed? (e.g. are phone calls resolved right away? Are chats responded to immediately?)
    • Criteria that determine where a ticket should be sent or assigned (i.e. ticket category, priority, customer type).
    • How should VIP tickets be handled?
    • When should tickets be automatically escalated?
    • Which tickets require hierarchical escalation (i.e. to management)?

    WORKING ON ASSIGNED TICKETS

    • Continually update ticket status and documentation.
    • Assess which tickets should be worked on or completed ahead of others.
    • Troubleshoot, resolve, or escalate tickets.
    • In what order should tickets be worked on (e.g. by priority, by age, by effort, by time to breach)?
    • How long should a ticket be worked on without progress before it should be escalated to a different tier or queue?
    • Exceptions to the rule (e.g. in which circumstances should a lower priority ticket be worked on over a higher priority ticket).

    Process recommendations

    As you define queue management processes, keep the following advice in mind:

    Rotate triage role

    The triage role is critical but difficult. Consider rotating your Tier 1 resources through this role, or your service desk team if you’re a very small group.

    Limit and prioritize channels

    You decide which channels to enable and prioritize, not your users. Phone and chat are very interrupt-driven and should be reserved for high-priority issues if used. Your users may not understand that but can learn over time with training and reinforcement.

    Prioritize first

    Priority matrixes are necessary for consistency but there are always circumstances that require judgment calls. Think about risk and expected outcome rather than simply type of issue alone. And if the impact is bigger than the initial classification, change it.

    Define VIP treatment

    In some organizations, the same issue can be more critical if it happens to a certain user role (e.g. client facing, c-suite). Identify and flag VIP users and clearly define how their tickets should be prioritized.

    Consider time zone

    If users are in different time zones, take their current business hours into account when choosing which ticket to work on.

    Info-Tech Insight

    Think of your service desk as an emergency room. Patients come in with different symptoms, and the triage nurse must quickly assess these symptoms to decide who the patient should see and how soon. Some urgent cases will need to see the doctor immediately, while others can wait in another queue (the waiting room) for a while before being dealt with. Some cases who come in through a priority channel (e.g. ambulance) may jump the queue. Checklists and criteria can help with this decision making, but some degree of judgement is also required and that comes with experience. The triage role is sometimes seen as a junior-level role, but it actually requires expertise to be done well.

    For more detailed process guidance, see Standardize the Service Desk

    Info-Tech’s blueprint Standardize the Service Desk will help you standardize and document core service desk processes and functions, including:

    • Service desk structure, roles, and responsibilities
    • Metrics and reporting
    • Ticket handling and ticket quality
    • Incident and critical incident management
    • Ticket categorization
    • Prioritization and escalation
    • Service request fulfillment
    • Self-service considerations
    • Building a knowledgebase
    this image contains three screenshots from Info-Tech's Standardize the Service Desk Blueprint

    #4 Clearly define queue management responsibilities for every team member

    This may be one of the most critical yet overlooked keys to queue management success. Define the following:

    Who will have overall accountability?

    Someone must be responsible for monitoring all incoming and open tickets as well as assigned tickets in every queue to ensure they are routed and fulfilled appropriately. This person must have authority to view and coordinate all queues and Queue Managers.

    Who will manage each queue?

    Someone must be responsible for managing each queue, including assigning resources, balancing workload, and ensuring SLOs are met for the tickets within their queue. For example, the Apps Manager may be the Queue Manager for all tickets assigned to the Apps team queue.

    Who is responsible for assigning tickets?

    Will you have a triage team who monitors and assigns all incoming tickets? What are their specific responsibilities (e.g. prioritize, categorize, attempt troubleshooting, assign or escalate)? If not, who is responsible for assigning new tickets and how is this done? Will the triage role be a rotating role, and if so, what will the schedule be?

    What are everyone’s responsibilities?

    Everyone who is assigned tickets should understand the ticket handling process and their specific responsibilities when it comes to queue management.

    #5 Establish clear ownership & accountability over all queues

    If everyone is accountable, then no one is accountable. Ownership for each queue and all queues must be clearly designated.

    You may have multiple queue manager roles: one for each queue, and one who has visibility over all the queues. Typically, these roles make up only part of an individual’s job. Clearly define the responsibilities of the Queue Manager role; sample responsibilities are on the right.

    Info-Tech Insight

    Lack of authority over queues – especially those outside Tier 1 of the service desk – is one of the biggest pitfalls we see causing aging tickets and missed SLAs. Every queue needs clear ownership and accountability with everyone committed to meeting the same SLOs.

    The Queue Manager or Coordinator is accountable for ensuring tickets are routed to the correct resources service level objectives or agreements are met.

    Specific responsibilities may include:

    • Monitors queues daily
    • Ensures new tickets are assigned to appropriate resources for resolution
    • Verifies tickets have been routed and assigned correctly and reroutes if necessary
    • Reallocates tickets if assigned resource is suddenly unavailable or away
    • Ensures ticket handling process is met, ticket status is up to date and correct, and ticket documentation is complete
    • Escalates tickets that are aging or about to breach
    • Ensures service level objectives or agreements are met
    • Facilitates resource allocation based on workload
    • Coordinates tickets that require collaboration across workgroups to ensure resolution is achieved within SLA
    • Associates child and parent tickets
    • Prepares reports on ticket status and volume by queues
    • Regularly reviews reports to identify and act on issues and make improvements or changes where needed
    • Identifies opportunities for improvement

    #6 Always keep ticket status and documentation up to date

    Anyone should be able to quickly understand the status and progress on a ticket without needing to ask the technician working on it. This means both the ticket status and documentation must be continually and accurately updated.

    Ticket Documentation
    Ticket descriptions and documentation must be kept accurate and up to date. This ensures that if the ticket is escalated or assigned to a new person, or the Queue Manager or Service Desk Manager needs to know what progress has been made on a ticket, that person doesn’t need to waste time with back-and-forth communication with the technician or end user.

    Ticket Status
    The ticket status field should change as the ticket moves toward resolution, and must be updated every time the status changes. This ensures that anyone looking at the ticket queue can quickly learn and communicate the status of a ticket, tickets don’t get lost or neglected, metrics are accurate (such as time to resolve), and SLAs are not impacted if a ticket is on hold.

    Common ticket statuses include:

    • New/open
    • Assigned
    • In progress
    • Declined
    • Canceled
    • Pending/on hold
    • Resolved
    • Closed
    • Reopened

    For more guidance on ticket handling and documentation, download Info-Tech’s blueprint: Standardize the Service Desk.

    • For ticket handling and documentation, see Step 1.4
    • For ticket status fields, see Step 2.2.

    #7 Shift left to reduce queue volume

    Enable processes such as knowledge management, self-service, and problem management to prevent tickets from even coming into the queue.

    Shift left means enabling fulfilment of repeatable tasks and requests via faster, lower-cost delivery channels, self-help tools, and automation.

    This image contains a graph, where the Y axis is labeled Cost, and the X axis is labeled Time to Resolve.  On the graph are depicted service desk levels 0, 1, 2, and 3.

    Shift to Level 1

    • Identify tickets that are often escalated beyond Tier 1 but could be resolved by Level 1 if they were given the tools, training, resources, or access they need to do so.
    • Provide tools to succeed at resolving those defined tasks (e.g. knowledge article, documentation, remote tools).
    • Embed knowledge management in resolution workflows.

    Shift to End User

    • Build a centralized, easily accessible self-service portal where users can search for solutions to resolve their issues without having to submit a ticket.
    • Communicate and train users on how to use the portal regularly update and improve it.

    Automate & Eliminate

    • Identify processes or tasks that could be automated to eliminate work.
    • Invest in problem management and event management to fix the root problem of recurring issues and prevent a problem from occurring in the first place, thereby preventing future tickets.

    #8 Build in automation to improve efficiency

    Manually routing every ticket can be time-consuming and prone to errors. Once you’ve established the process, automate wherever possible.

    Automation rules can be used to ensure tickets are assigned to the right person or queue, to alert necessary parties when a ticket is about to breach or has breached SLA, or to remind technicians when a ticket has sat in a queue or at a particular status for too long.

    This can improve efficiency, reduce error, and bring greater visibility to both high-priority tickets and aging tickets in the backlog.

    However, your processes, queues, and responsibilities must be clearly defined before you can build in automation.

    For more guidance on implementing automation and AI within your service desk, see these blueprints:

    https://tymansgrpup.com/research/ss/accelerate-your-automation-processes https://tymansgrpup.com/research/ss/improve-it-operations-with-ai-and-ml

    For examples of rules, triggers, and fields you can automate to improve the efficiency of your queue management processes, see the next slide.

    Sample automation rules

    Criteria or triggers you can automate actions based on:

    • Ticket type
    • Specific field in a ticket web form
    • Ticket form that was used (e.g. specific service request form from the portal)
    • Ticket category
    • Ticket priority
    • Keyword in an email subject line
    • Keywords or string in a chat
    • Requester name or email
    • Requester location
    • Requester/ticket language
    • Requester VIP status
    • Channel ticket was received through
    • SLAs or time-based automations
    • Agent skill
    • Agent status or capacity

    Fields or actions those triggers can automate

    • Priority
    • Category
    • Ticket routing
    • Assigned agent
    • Assigned queue
    • SLA/due date
    • Notifications/communication

    Sample Automation Rules

    • When ticket is about to breach, send alert to Queue Manager and Service Desk Manager.
    • When ticket comes from VIP user, set urgency to high.
    • When ticket status has been set to “open” for ten hours, send an alert to Queue Manager.
    • When ticket status has been set to “on hold” for five days, send a reminder to assignee.
    • When ticket is categorized as “Software-ERP,” send to ERP queue.
    • When ticket is prioritized as P1/critical, send alert to emergency response team.
    • When ticket is prioritized as P1 and hasn’t been updated for one hour, send an alert to Incident Manager.
    • When an in-progress ticket is reassigned to a new queue, alert Queue Manager.
    • When ticket has not been resolved within seven days, flag as aging ticket.

    #9 Configure your ITSM tool to support and optimize queue management processes

    Configure your tool to support your needs; don’t adjust your processes to match the tool.

    • Most ITSM tools have default queues out of the box and the option to create as many custom queues, filters, and views as you need. Custom queues should allow you to name the queue, decide which tickets will be sent to the queue, and what columns or information are displayed in the queue.
    • Before you configure your queues and dashboards, sit down with your team to decide what you need and what will best enable each agent to manage their workload.
    • Decide which queues each role should have access to – most should only need to see their own queue and their team’s queue.
    • Configure which queues or views new tickets will be sent to.
    • Configure automation rules defined earlier (e.g. automate sending certain tickets to specific queues or sending notifications to specific parties when certain conditions are met).
    • Configure dashboards and reports on queue volume and ticket status data relevant to each team to help them manage their workload, increase visibility, and identify issues or actions.

    Info-Tech Insight

    It can be overwhelming to support agents when their view is a long and never-ending queue. Set the default dashboard view to show only those tickets assigned to the viewer to make it appear more manageable and easier to organize.

    Configure queues to maximize productivity

    Info-Tech Insight

    The queue should quickly give your team all the information they need to prioritize their work, including ticket status, priority, category, due date, and updated timestamps. Configuration is important - if it’s confusing, clunky, or difficult to filter or sort, it will impact response and resolution times and can lead to missed tickets. Give your team input into configuration and use visuals such as color coding to help agents prioritize their work – for example, VIP tickets may be clearly flagged, critical or high priority tickets may be highlighted, tickets about to breach may be red.

    this image contains a sample queue organization which demonstrates how to maximize productivity

    #10 Don’t lose visibility of the backlog

    Be careful not to focus so much on assigning new tickets that you forget to update aging tickets, leading to an overwhelming backlog and dissatisfied users.

    Track metrics that give visibility into how quickly tickets are being resolved and how many aging tickets you have. Metrics may include:

    • Ticket resolution time by priority, by workgroup
    • Ticket volume by status (i.e. open, in progress, on hold, resolved)
    • Ticket volume by age
    • Ticket volume by queue and assignee

    Regularly review reports on these metrics with the team.

    Make it an agenda item to review aging tickets, on hold tickets, and tickets about to breach or past breach with the team.

    Take action on aging tickets to ensure progress is being made.

    Set rules to close tickets after a certain number of attempts to reach unresponsive users (and change ticket status appropriately).

    Schedule times for your team to tackle aged tickets or tickets in the backlog.

    Info-Tech Insight

    It can be easy for high priority work to constantly push down low priority work, leaving the lower priority tickets to constantly be ignored and users to be frustrated. If you’re struggling with aging tickets, backlog, and tickets breaching SLA, experiment with your team and queue structure to figure out the best resource distribution to handle your workload. This could mean rotating people through the triage role to allow them time to work through the backlog, reducing the number of people doing triage during slower volume periods, or giving technicians dedicated time to work through tickets. For help with forecasting demand and optimizing resources, see Staff the Service Desk to Meet Demand.

    Activity 1.1: Define ticket queues

    1 hour

    Map out your optimal ticket queue structure using the Service Desk Queue Structure Template. Follow the instructions in the template to complete it as a team.

    The template includes several examples of service desk queue structures followed by space to build your own model of an optimal service desk queue structure and to document who is assigned to each queue and responsible for managing each queue.

    Note:

    The template is not meant to map out your entire service desk structure (e.g. tiers, escalation paths) or ticket resolution process, but simply the ticket queues and how a ticket moves between queues. For help documenting more detailed process workflows or service desk structure, see the blueprint Standardize the Service Desk.

    this image contains screenshot from Info-Tech's blueprint: Service Desk Queue structure Template

    Input

    • Current queue structure and roles

    Output

    • Defined service desk ticket queues and assigned responsibilities

    Materials

    • Org chart
    • ITSM tool for reference, if needed

    Participants

    • Service Desk Manager
    • IT Director
    • Queue Managers

    Document in the Service Desk Queue Structure Template.

    Related Info-Tech Research

    Standardize the Service Desk

    This project will help you build and improve essential service desk processes including incident management, request fulfillment, and knowledge management to create a sustainable service desk.

    Optimize the Service Desk With a Shift-Left Strategy

    This project will help you build a strategy to shift service support left to optimize your service desk operations and increase end-user satisfaction.

    Improve Service Desk Ticket Intake

    This project will help you streamline your ticket intake process and identify improvements to your intake channels.

    Staff the Service Desk to Meet Demand

    This project will help you determine your optimal service desk structure and staffing levels based on your unique environment, workload, and trends.

    Works Cited

    “What your Customers Really Want.” Freshdesk, 31 May 2021. Accessed May 2022.

    Map Your Business Architecture to Define Your Strategy

    • Buy Link or Shortcode: {j2store}579|cart{/j2store}
    • member rating overall impact: 9.4/10 Overall Impact
    • member rating average dollars saved: $357,799 Average $ Saved
    • member rating average days saved: 30 Average Days Saved
    • Parent Category Name: Strategy & Operating Model
    • Parent Category Link: /strategy-and-operating-model
    • Organizations need to innovate rapidly to respond to the changing forces in their industry, but their IT initiatives often fail to deliver meaningful outcomes.
    • Planners face challenges in understanding the relationships between the important customer-focused innovations they’re trying to introduce and the resources (capabilities) that make them possible, including applications, human resources, information, and processes. For example, are we risking the success of a new service offering by underpinning it with a legacy or manual solution?

    Our Advice

    Critical Insight

    Successful execution of business strategy requires planning that:

    1. Accurately reflects organizational capabilities.
    2. Is traceable so all levels can understand how decisions are made.
    3. Makes efficient use of organizational resources.

    To accomplish this, the business architect must engage stakeholders, model the business, and drive planning with business architecture.

    • Business architecture is often regarded as an IT function when its role and tools should be fixtures within the business planning and innovation practice.
    • Any size of organization – from start-ups to global enterprises -- can benefit from using a common language and modeling rigor to identify the opportunities that will produce the greatest impact and value.
    • You don’t need sophisticated modeling software to build an effective business architecture knowledgebase. In fact, the best format for engaging business stakeholders is intuitive visuals using business language.

    Impact and Result

    • Execute more quickly on innovation and transformation initiatives.
    • More effectively target investments in resources and IT according to what goals and requirements are most important.
    • Identify problematic areas (e.g. legacy applications, manual processes) that hinder the business strategy and create inefficiencies in our information technology operation.

    Map Your Business Architecture to Define Your Strategy Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Map Your Business Architecture Deck – A step-by-step document that walks you through how to properly engage business and IT in applying a common language and process rigor to build key capabilities required to achieve innovation and growth goals.

    Build a structured, repeatable framework for both IT and business stakeholders to appraise the activities that deliver value to consumers; and assess the readiness of their capabilities to enable them.

    • Map Your Business Architecture to Define Your Strategy – Phases 1-3

    2. Stakeholder Engagement Strategy Template – A best-of-breed template to help you build a clear, concise, and compelling strategy document for identifying and engaging stakeholders.

    This template helps you ensure that your business architecture practice receives the resources, visibility, and support it needs to be successful, by helping you develop a strategy to engage the key stakeholders involved.

    • Stakeholder Engagement Strategy Template

    3. Value Stream Map Template – A template to walk through the value streams that are tied to your strategic goals.

    Record the complete value stream and decompose it into stages. Add a description of the expected outcome of the value stream and metrics for each stage.

    • Value Stream Map Template

    4. Value Stream Capability Mapping Template – A template to define capabilities and align them to selected value streams.

    Build a business capability model for the organization and map capabilities to the selected value stream.

    • Value Stream – Capability Mapping Template
    [infographic]

    Workshop: Map Your Business Architecture to Define Your Strategy

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Discover the Business Context

    The Purpose

    Identify and consult stakeholders to discover the business goals and value proposition for the customer.

    Key Benefits Achieved

    Engage stakeholders and SMEs in describing the business and its priorities and culture.

    Identify focus for the areas we will analyze and work on.

    Activities

    1.1 Select key stakeholders

    1.2 Plan for engaging stakeholders

    1.3 Gather business goals and priorities

    Outputs

    Stakeholder roles

    Engagement plan

    Business strategy, value proposition

    2 Define Value Streams

    The Purpose

    Describe the main value-adding activities of the business from the consumer’s point of view, e.g. provide product or service.

    Key Benefits Achieved

    Shared understanding of why we build resources and do what we do.

    Starting point for analyzing resources and investing in innovation.

    Activities

    2.1 Define or update value streams

    2.2 Decompose selected value stream(s) into value stages and identify problematic areas and opportunities

    Outputs

    Value streams for the enterprise

    Value stages breakdown for selected value stream(s)

    3 Build Business Capability Map

    The Purpose

    Describe all the capabilities that make up an organization and enable the important customer-facing activities in the value streams.

    Key Benefits Achieved

    Basis for understanding what resources the organization has and their ability to support its growth and success.

    Activities

    3.1 Define and describe all business capabilities (Level 1)

    3.2 Decompose and analyze capabilities for a selected priority value stream.

    Outputs

    Business Capability Map (Level 1)

    Business Capabilities Level 2 for selected value stream

    4 Develop a Roadmap

    The Purpose

    Use the Business Capability Map to identify key capabilities (e.g. cost advantage creator), and look more closely at what applications or information or business processes are doing to support or hinder that critical capability.

    Key Benefits Achieved

    Basis for developing a roadmap of IT initiatives, focused on key business capabilities and business priorities.

    Activities

    4.1 Identify key capabilities (cost advantage creators, competitive advantage creators)

    4.2 Assess capabilities with the perspective of how well applications, business processes, or information support the capability and identify gaps

    4.3 Apply analysis tool to rank initiatives

    Outputs

    Business Capability Map with key capabilities: cost advantage creators and competitive advantage creators

    Assessment of applications or business processes or information for key capabilities

    Roadmap of IT initiatives

    Further reading

    Map Your Business Architecture to Define Your Strategy

    Plan your organization’s capabilities for best impact and value.

    Info-Tech Research Group

    Info-Tech is a provider of best-practice IT research advisory services that make every IT leader’s job easier.

    35,000 members sharing best practices you can leverage Millions spent developing tools and templates annually Leverage direct access to over 100 analysts as an extension of your team Use our massive database of benchmarks and vendor assessments Get up to speed in a fraction of the time

    Analyst perspective

    Know your organization’s capabilities to build a digital and customer-driven culture.

    Business architecture provides a holistic and unified view of:

    • All the organization’s activities that provide value to their clients (value streams).
    • The resources that make them possible and effective (capabilities, i.e. its employees, software, processes, information).
    • How they inter-relate, i.e. depend on and impact each other to help deliver value.

    Without a business architecture it is difficult to see the connections between the business’s activities for the customer and the IT resources supporting them – to demonstrate that what we do in IT is customer-driven.

    As a map of your business, the business architecture is an essential input to the digital strategy:

    • Develop a plan to transform the business by investing in the most important capabilities.
    • Ensure project initiatives are aligned with business goals as they evolve.
    • Respond more quickly to customer requirements and to disruptions in the industry by streamlining operations and information sharing across the enterprise.

    Crystal Singh, Research Director, Data and Analytics

    Crystal Singh
    Research Director, Data and Analytics
    Info-Tech Research Group

    Andrea Malick, Research Director, Data and Analytics

    Andrea Malick
    Research Director, Data and Analytics
    Info-Tech Research Group

    Executive summary

    Your Challenge Common Obstacles Info-Tech’s Approach

    Organizations need to innovate rapidly to respond to ever-changing forces and demands in their industry. But they often fail to deliver meaningful outcomes from their IT initiatives within a reasonable time.

    Successful companies are transforming, i.e. adopting fluid strategies that direct their resources to customer-driven initiatives and execute more quickly on those initiatives. In a responsive and digital organization, strategies, capabilities, information, people, and technology are all aligned, so work and investment are consistently allocated to deliver maximum value.

    You don’t have a complete reference map of your organization’s capabilities on which to base strategic decisions.

    You don’t know how to prioritize and identify the capabilities that are essential for achieving the organization’s customer-driven objectives.

    You don’t have a shared enterprise vision, where everyone understands how the organization delivers value and to whom.

    Begin important business decisions with a map of your organization – a business reference architecture. Model the business in the form of architectural blueprints.

    Engage your stakeholders. Recognize the opportunity for mapping work, and identify and engage the right stakeholders.

    Drive business architecture forward to promote real value to the organization. Assess your current projects to determine if you are investing in the right capabilities. Conduct business capability assessments to identify opportunities and prioritize projects.

    Info-Tech Insight
    Business architecture is the set of strategic planning techniques that connects organization strategy to execution in a manner that is accurate and traceable and promotes the efficient use of organizational resources.

    Blueprint activities summary

    Phase Purpose Activity Outcome
    1. Business context:
    Identify organization goals, industry drivers, and regulatory requirements in consultation with business stakeholders.
    Identify forces within and outside the organization to consider when planning the focus and timing of digital growth, through conducting interviews and surveys and reviewing existing strategies. Business value canvas, business strategy on a page, customer journey
    2. Customer activities (value stream):
    What is the customer doing? What is our reason for being as a company? What products and services are we trying to deliver?
    Define or update value streams, e.g. purchase product from supplier, customer order, and deliver product to customer. Value streams enterprise-wide (there may be more than one set of value streams, e.g. a medical school and community clinic)
    Prioritize value streams:
    Select key value streams for deeper analysis and focus.
    Assess value streams. Priority value streams
    Value stages:
    Break down the selected value stream into its stages.
    Define stages for selected value streams. Selected value stream stages
    3. Business capability map, level 1 enterprise:
    What resources and capabilities at a high level do we have to support the value streams?
    Define or update the business capabilities that align with and support the value streams. Business capability map, enterprise-wide capabilities level 1
    Business capability map, level 2 for selected area:
    List resources and capabilities that we have at a more detailed level.
    Define or update business capabilities for selected value stream to level 2. Business capability map, selected value stream, capability level 2
    Heatmap Business Capability Map: Flag focus areas in supporting technology, applications, data and information.

    Info-Tech’s workshop methodology

    Day 1: Discover Business Context Day 2: Define Value Streams Day 3: Build Business Capability Map Day 4: Roadmap Business Architecture
    Phase Steps

    1.1 Collect corporate goals and strategies

    1.2 Identify stakeholders

    2.1 Build or update value streams

    2.2 Decompose selected value stream into value stages and analyze for opportunities

    3.1 Update business capabilities to level 1 for enterprise

    3.2 For selected value streams, break down level 1 to level 2

    3.3 Use business architecture to heatmap focus areas: technology, information, and processes

    3.4 Build roadmap of future business architecture initiatives

    Phase Outcomes
    • Organizational context and goals
    • Business strategy on a page, customer journey map, business model canvas
    • Roles and responsibilities
    • Value stream map and definitions
    • Selected value stream(s) decomposed into value stages
    • Enterprise business capabilities map to level 1
    • Business architecture to level 2 for prioritized value stream
    • Heatmap business architecture
    • Business architecture roadmap, select additional initiatives

    Key concepts for this blueprint

    INDUSTRY VALUE CHAIN DIGITAL TRANSFORMATION BUSINESS ARCHITECTURE
    A high-level analysis of how the industry creates value for the consumer as an overall end-to-end process. The adoption of digital technologies to innovate and re-invent existing business, talent ,and operating models to drive growth, business value, and improved customer experience. A holistic, multidimensional business view of capabilities, end-to-end value, and operating model in relation to the business strategy.
    INDUSTRY VALUE STREAM STRATEGIC OBJECTIVES CAPABILITY ASSESSMENTS
    A set of activities, tasks, and processes undertaken by a business or a business unit across the entire end-to-end business function to realize value. A set of standard objectives that most industry players will feature in their corporate plans. A heat-mapping effort to analyze the maturity and priority of each capability relative to the strategic priorities that they serve.

    Info-Tech’s approach

    1 Understand the business context and drivers
    Deepen your understanding of the organization’s priorities by gathering business strategies and goals. Talking to key stakeholders will allow you to get a holistic view of the business strategy and forces shaping the strategy, e.g. economy, workforce, and compliance.
    2 Define value streams; understand the value you provide
    Work with senior leadership to understand your customers’ experience with you and the ways your industry provides value to them.
    Assess the value streams for areas to explore and focus on.
    3 Customize the industry business architecture; develop business capability map
    Work with business architects and enterprise architects to customize Info-Tech’s business architecture for your industry as an enterprise-wide map of the organization and its capabilities.
    Extend the business capability map to more detail (Level 2) for the value stream stages you select to focus on.

    Business architecture is a planning function that connects strategy to execution

    Business architecture provides a framework that connects business strategy and IT strategy to project execution through a set of models that provide clarity and actionable insights. How well do you know your business?

    Business architecture is:

    • Inter-disciplinary: Business architecture is a core planning activity that supports all important decisions in the organization, for example, organizational resources planning. It’s not just about IT.
    • Foundational: The best way to answer the question, “Where do we start?” or “Where is our investment best directed?”, comes from knowing your organization, what its core functions and capabilities are (i.e. what’s important to us as an organization), and where there is work to do.
    • Connecting: Digital transformation and modernization cannot work with siloes. Connecting siloes means first knowing the organization and its functions and recognizing where the siloes are not communicating.

    Business architecture must be branded as a front-end planning function to be appropriately embedded in the organization’s planning process.

    Brand business architecture as an early planning pre-requisite on the basis of maintaining clarity of communication and spreading an accurate awareness of how strategic decisions are being made.

    As an organization moves from strategy toward execution, it is often unclear as to exactly how decisions pertaining to execution are being made, why priority is given to certain areas, and how the planning function operates.

    The business architect’s primary role is to model this process and document it.

    In doing so, the business architect creates a unified view as to how strategy connects to execution so it is clearly understood by all levels of the organization.

    Business architecture is part of the enterprise architecture framework

    Business Architecture
    Business strategy map Business model canvas Value streams
    Business capability map Business process flows Service portfolio
    Data Architecture Application Architecture Infrastructure Architecture
    Conceptual data model Application portfolio catalog Technology standards catalog
    Logical data model Application capability map Technology landscape
    Physical data model Application communication model Environments location model
    Data flow diagram Interface catalog Platform decomposition diagram
    Data lifecycle diagram Application use-case diagram Network computing / hardware diagram
    Security Architecture
    Enterprise security model Data security model Application security model

    Business architecture is a set of shared and practical views of the enterprise

    The key characteristic of the business architecture is that it represents real-world aspects of a business, along with how they interact.

    Many different views of an organization are typically developed. Each view is a diagram that illustrates a way of understanding the enterprise by highlighting specific information about it:

    • Business strategy view captures the tactical and strategic goals that drive an organization forward.
    • Business capabilities view describes the primary business functions of an enterprise and the pieces of the organization that perform those functions.
    • Value stream view defines the end-to-end set of activities that deliver value to external and internal stakeholders.
    • Business knowledge view establishes the shared semantics (e.g. customer, order, and supplier) within an organization and relationships between those semantics (e.g. customer name, order date, supplier name) – an information map.
    • Organizational view captures the relationships among roles, capabilities, and business units, the decomposition of those business units into subunits, and the internal or external management of those units.

    Business architect connects all the pieces

    The business owns the strategy and operating model; the business architect connects all the pieces together.

    R Business Architect (Responsible)
    A Business Unit Leads (Accountable)
    C Subject Matter Experts (Consulted)
    – Business Lines, Operations, Data, Technology Systems & Infrastructure Leads
    I Business Operators (Informed)
    – Process, Data, Technology Systems & Infrastructure

    Choose a key business challenge to address with business architecture

     Choose a key business challenge to address with business architecture

    Picking the right project is critical to setting the tone for business architecture work in the organization.

    Best practices for business architecture success

    Consider these best practices to maintain a high level of engagement from key stakeholders throughout the process of establishing or applying business architecture.

    Balance short-term cost savings with long-term benefits

    Participate in project governance to facilitate compliance

    Create a center of excellence to foster dialogue

    Identify strategic business objectives

    Value streams: Understand how you deliver value today

    It is important to understand the different value-generating activities that deliver an outcome for and from your customers.

    We do this by looking at value streams, which refer to the specific set of activities an industry player undertakes to create and capture value for and from the end consumer (and so the question to ask is, how do you make money as an organization?).

    Our approach helps you to strengthen and transform those value streams that generate the most value for your organization.

    Understand how you deliver value today

    An organization can have more than one set of streams.
    For example, an enterprise can provide both retail shopping and financial services, such as credit cards.

    Define the organization’s value streams

    • Value streams connect business goals to the organization’s value realization activities. They enable an organization to create and capture value in the market place by engaging in a set of interconnected activities. Those activities are dependent on the specific industry segment an organization operates within. Value streams can extend beyond the organization into the supporting ecosystem, whereas business processes are contained within and the organization has complete control over them.
    • There are two types of value streams: core value streams and support value streams. Core value streams are mostly externally facing: they deliver value to either an external or internal customer and they tie to the customer perspective of the strategy map. Support value streams are internally facing and provide the foundational support for an organization to operate.
    • An effective method for ensuring all value streams have been considered is to understand that there can be different end-value receivers. Info-Tech recommends identifying and organizing the value streams with customers and partners as end-value receivers.

    Example: Value stream descriptions for the retail industry

    Value Streams Create or Purchase the Product Manage Inventory Distribute Product Sell Product, Make Product Available to Customers
    • Product is developed before company sells it.
    • Make these products by obtaining raw materials from external suppliers or using their own resources.
    • Retailers purchase the products they are going to sell to customers from manufacturers or wholesale distributors.
    • Retailer success depends on its ability to source products that customers want and are willing to buy.
    • Inventory products are tracked as they arrive in the warehouse, counted, stored, and prepared for delivery.
    • Estimate the value of your inventory using retail inventory management software.
    • Optimizing distribution activities is an important capability for retailers. The right inventory needs to be at a particular store in the right quantities exactly when it is needed. This helps to maximize sales and minimize how much cash is held up in inventory.
    • Proper supply chain management can not only reduce costs for retailers but drive revenues by enhancing shopping experiences.
    • Once produced, retailers need to sell the products. This is done through many channels including physical stores, online, the mail, or catalogs.
    • After the sale, retailers typically have to deliver the product, provide customer care, and manage complaints.
    • Retailers can use loyalty programs, pricing, and promotions to foster repeat business.

    Value streams describe your core business

    Value streams describe your core business

    Value streams – the activities we do to provide value to customers – require business capabilities.

    Value streams are broken down further into value stages, for example, the Sell Product value stream has value stages Evaluate Options, Place Order, and Make Payment.

    Think of value streams as the core operations: the reason for your organization’s being. A professional consulting organization may have a legal team but it does not brand itself as a law firm. A core value stream is providing research products and services; a business capability that supports it is legal counsel.

    Decompose the value stream into stages

    The stages of a value stream are usually action-oriented statements or verbs that make up the individual steps involved throughout the scope of the value stream, e.g. Place Order or Make Payment.

    Each value stream should have a trigger or starting point and an end result for a client or receiver.

    Decompose the value stream into stages

    There should be measurable value or benefits at each stage. These are key performance indicators (KPIs). Spot problem areas in the stream.

    Value streams usually fall into one of these categories:

    1. Fulfillment of products and services
    2. Manufacturing
    3. Software products
    4. Supporting value streams (procurement of supplies, product planning)

    Value streams need capabilities

    • Value streams connect business goals to the organization’s value realization activities. They enable an organization to create and capture value in the market place by engaging in a set of interconnected activities.
    • There are two types of value streams: core value streams and support value streams. Core value streams are mostly externally facing: they deliver value to either an external or internal customer and they tie to the customer perspective of the strategy map. Support value streams are internally facing and provide the foundational support for an organization to operate.
    • There can be different end-value receivers. Info-Tech recommends identifying and organizing the value streams with customers and partners as end-value receivers.

    Value streams need business capabilities

    Business capabilities are built up to allow the business to perform the activities that bring value to customers. Map capabilities to the value-add activities in the value stream. Business capabilities lie at the top layer of the business architecture:

    • They are the most stable reference for planning organizations.
    • They make strategy more tangible.
    • If properly defined, they can help overcome organizational silos.

    Value streams need business capabilities

    Example business capability map – Higher Education

    A business capability map can be thought of as a visual representation of your organization’s business capabilities and represents a view of what your data program must support.

    Validate your business capability map with the right stakeholders, including your executive team, business unit leaders, and/or other key stakeholders.

    Example business capability map for: Higher Education

    Example business capability map for Higher Education

    Example business capability map – Local Government

    Validate your business capability map with the right stakeholders, including your executive team, business unit leaders, and/or other key stakeholders.

    A business capability map can be thought of as a visual representation of your organization’s business capabilities and represents a view of what your data program must support.

    Example business capability map for: Local Government

    Example business capability map for Local Government

    Value streams need business capabilities

    Value streams – the activities we do to provide value to customers – require business capabilities. Value streams are broken down further into value stages.

    Business capabilities are built up to allow the business to perform the activities that bring value to customers. Map capabilities to the activities in the value stage to spot opportunities and problems in delivering services and value.

    Business processes fulfill capabilities. They are a step-by-step description of who is performing what to achieve a goal. Capabilities consist of networks of processes and the resources – people, technology, materials – to execute them.

    Capability = Processes + Software, Infrastructure + People

    Prioritize a value stream and identify its supporting capabilities

    Prioritize your improvement objectives and business goals and identify a value stream to transform.

    Align the business objectives of your organization to your value streams (the critical actions that take place within your organization to add value to a customer).

    Prioritize a value stream to transform based on the number of priorities aligned to a value stream, and/or the business value (e.g. revenue, EBITDA earnings, competitive differentiation, or cost efficiency).

    Decompose the selected value stream into value stages.

    Align capabilities level 1 and 2 to value stages. One capability may support several value stages in the stream.

    Build a business architecture for the prioritized value stream with a map of business capabilities up to level 2.

    NOTE: We can’t map all capabilities all at once: business architecture is an ongoing practice; select key mapping initiatives each year based on business goals.

    Prioritize a value stream and identify its supporting capabilities

    Map business capabilities to Level 2

     Map business capabilities to Level 2

    Map capabilities to value stage

    Map capabilities to value stage

    Business value realization

    Business value defines the success criteria of an organization as manifested through organizational goals and outcomes, and it is interpreted from four perspectives:

    • Profit generation: The revenue generated from a business capability with a product that is enabled with modern technologies.
    • Cost reduction: The cost reduction when performing business capabilities with a product that is enabled with modern technologies.
    • Service enablement: The productivity and efficiency gains of internal business operations from products and capabilities enhanced with modern technologies.
    • Customer and market reach: The improved reach and insights of the business in existing or new markets.

    Business Value Matrix

    Value, goals, and outcomes cannot be achieved without business capabilities

    Break down your business goals into strategic and achievable initiatives focused on specific value streams and business capabilities.

    Business goals and outcomes

    Accelerate the process with an industry business architecture

    It’s never a good idea to start with a blank page.

    The business capability map available from Info-Tech and with industry standard models can be used as an accelerator. Assemble the relevant stakeholders – business unit leads and product/service owners – and modify the business capability map to suit your organization’s context.

    Acceleration path: Customize generic capability maps with the assistance of our industry analysts.

    Accelerate the process with an industry business architecture

    Identify goals and drivers

    Consider organizational goals and industry forces when planning.

    Business context Define value streams Build business capability map
    1.1 Select key stakeholders
    1.2 Collect and understand corporate goals
    2.1 Update or define value streams
    2.2 Decompose and analyze selected value stream
    3.1 Build level 1 capability map
    3.2 Build level 2 capability map
    3.3 Heatmap capability map
    3.4 Roadmap

    Use inputs from business goals and strategies to understand priorities.

    It is not necessary to have a comprehensive business strategy document to start – with key stakeholders, the business architect should be able to gather a one-page business value canvas or customer journey.

    Determine how the organization creates value

    Begin the process by identifying and locating the business mission and vision statements.

    What is business context?

    “The business context encompasses an understanding of the factors impacting the business from various perspectives, including how decisions are made and what the business is ultimately trying to achieve. The business context is used by IT to identify key implications for the execution of its strategic initiatives.”

    Source: Businesswire, 2018

    Identify the key stakeholders who can help you promote the value of business architecture

    First, as the CIO, you must engage executive stakeholders and secure their support.
    Focus on key players who have high power and high interest in business architecture.

    Engage the stakeholders who are impacted the most and have the power to impede the success of business architecture.

    For example, if the CFO – who has the power to block funding – is disengaged, business architecture will be put at risk.

    Use Info-Tech’s Stakeholder Power Map Template to help prioritize time spent with stakeholders.

    Sample power map

    Identify the key stakeholders concerned with the business architecture project

    A business architecture project may involve the following stakeholders:

    Business architecture project stakeholders

    You must identify who the stakeholders are for your business architecture work.

    Think about:

    • Who are the decision makers and key influencers?
    • Who will impact the business architecture work? Who will the work impact?
    • Who has vested interest in the success or failure of the practice?
    • Who has the skills and competencies necessary to help us be successful?

    Avoid these common mistakes:

    • Don’t focus on the organizational structure and hierarchy. Often stakeholder groups don’t fit the traditional structure.
    • Don’t ignore subject-matter experts on either the business or IT side. You will need to consider both.

    1.1 Identify and assemble key stakeholders

    1-3 hours

    Build an accurate depiction of the business.

    1. It is important to make sure the right stakeholders participate in this exercise. The exercise of identifying capabilities for an organization is very introspective and requires deep analysis.
    2. Consider:
      1. Who are the decision makers and key influencers?
      2. Who will impact the business capability work? Who has a vested interest in the success or failure of the outcome?
      3. Who has the skills and competencies necessary to help you be successful?
    3. Avoid:
      1. Don’t focus on the organizational structure and hierarchy. Often stakeholder groups don’t fit the traditional structure.
      2. Don’t ignore subject matter experts on either the business or IT side. You will need to consider both.
    Input Output
    • List of who is accountable for key business areas and decisions
    • Organizational chart
    • List of who has decision-making authority
    • A list of the key stakeholders
    Materials Participants
    • Whiteboard/Flip Charts
    • Modeling software (e.g. Visio, ArchiMate)
    • Business capability map industry models
    • CIO
    • Enterprise/Business Architect
    • Business Analysts
    • Business Unit Leads
    • Departmental Executives & Senior Managers

    Conduct interviews with the business to gather intelligence for strategy

    Talking to key stakeholders will allow you to get a holistic view of the business strategy.

    Stakeholder interviews provide holistic view of business strategy

    Build a strategy on a page through executive interviews and document reviews

    Understanding the business mandate and priorities ensures alignment across the enterprise.

    A business strategy must articulate the long-term destination the business is moving into. This illustration shapes all the strategies and activities in every other part of the business, including what IT capabilities and resources are required to support business goals. Ultimately, the benefits of a well-defined business strategy increase as the organization scales and as business units or functions are better equipped to align the strategic planning process in a manner that reflects the complexity of the organization.

    Using the Business Strategy on a Page canvas, consider the questions in each bucket to elicit the overall strategic context of the organization and uncover the right information to build your digital strategy. Interview key executives including your CEO, CIO, CMO, COO, CFO, and CRO, and review documents from your board or overall organizational strategy to uncover insights.

    Info-Tech Insight
    A well-articulated and clear business strategy helps different functional and business units work together and ensures that individual decisions support the overall direction of the business.

    Focus on business value and establish a common goal

    Business architecture is a strategic planning function and the focus must be on delivering business value.

    Examples business objectives:

    • Digitally transform the business, redefining its customer interactions.
    • Identify the root cause for escalating customer complaints and eroding satisfaction.
    • Identify reuse opportunities to increase operational efficiency.
    • Identify capabilities to efficiently leverage suppliers to handle demand fluctuations.

    Info-Tech Insight
    CIOs are ideally positioned to be the sponsors of business architecture given that their current top priorities are digital transformation, innovation catalyzation, and business alignment.

    1.2 Collect and understand business objectives

    1-3 hours

    Having a clear understanding of the business is crucial to executing on the strategic IT initiatives.

    1. Discover the strategic CIO initiatives your organization will pursue:
    • Schedule interviews.
    • Use the CIO Business Vision diagnostic or Business Context Discovery Tool.
  • Document the business goals.
  • Update and finalize business goals.
  • InputOutput
    • Existing business goals and strategies
    • Existing IT strategies
    • Interview findings
    • Diagnostic results
    • List of business goals
    • Strategy on a page
    • Business model canvas
    • Customer journey
    MaterialsParticipants
    • CIO Business Vision diagnostic
    • Interview questionnaire
    • CIO
    • Enterprise/Business Architect
    • Business Analysts
    • Business Unit Leads
    • Departmental Executives & Senior Managers

    CIO Business Vision Diagnostic

    CEO

    Vision

    Where do you want to go?
    What is the problem your organization is addressing?

    Mission/Mandate

    What do you do?
    How do you do?
    Whom do you do it for?

    Value Streams

    Why are you in business? What do you do?
    What products and services do you provide?
    Where has your business seen persistent demand?

    Key Products & Services

    What are your top three to five products and services?

    Key Customer Segments

    Who are you trying to serve or target?
    What are the customer segments that decide your value proposition?

    Value Proposition

    What is the value you deliver to your customers?

    Future Value Proposition

    What is your value proposition in three to five years’ time?

    Digital Experience Aspirations

    How can you create a more effective value stream?
    For example, greater value to customers or better supplier relationships.

    Business Resilience Aspirations

    How can you reduce business risks?
    For example, compliance, operational, security, or reputational.

    Sustainability (or ESG) Aspirations

    How can you deliver ESG and sustainability goals?

    Interview the following executives for each business goal area.

    CEO
    CRO
    COO

    Core Business Goals

    What are the core business goals to meet business objectives?

    Top Priorities & Initiatives

    What are the top initiatives and priorities over the planning horizon?

    Performance Insights/Metrics

    What do we need to achieve?
    How can the success be measured?

    CMO
    COO
    CFO

    Shared Business Goals

    What are the shared (operational) business goals to meet business objectives?

    Top Priorities & Initiatives

    What are the top initiatives and priorities over the planning horizon?

    Performance Insights/Metrics

    What do we need to achieve?
    How can the success be measured?

    CFO
    CIO
    COO
    CHRO

    Enabling Business Goals

    What are the enabling (supporting/enterprise) business goals to meet business objectives?

    Top Priorities & Initiatives

    What are the top initiatives and priorities over the planning horizon?

    Performance Insights/Metrics

    What do we need to achieve?
    How can the success be measured?

    Craft a strategy to increase stakeholder support and participation

    The BA practice’s supporters are potential champions who will help you market the value of BA; engage with them first to create positive momentum. Map out the concerns of each group of stakeholders so you can develop marketing tactics and communications vehicles to address them.

    Example Communication Strategy

    Stakeholder Concerns Tactics to Address Concerns Communication Vehicles Frequency
    Supporters
    (High Priority)
    • Build ability to execute BA techniques
    • Build executive support
    • Build understanding of how they can contribute to the success of the BA practice
    • Communicate the secured executive support
    • Help them apply BA techniques in their projects
    • Show examples of BA work (case studies)
    • Personalized meetings and interviews
    • Department/functional meetings
    • Communities of practice or centers of excellent (education and case studies)
    Bi-Monthly
    Indifferent
    (Medium Priority)
    • Build awareness and/or confidence
    • Feel like BA has nothing to do with them
    • Show quick wins and case studies
    • Centers of excellence (education and case studies
    • Use the support of the champions
    Quarterly
    Resistors
    (Medium Priority)
    • BA will cause delays
    • BA will step in their territory
    • BA’s scope is too broad
    • Lack of understanding
    • Prove the value of BA – case studies and metrics
    • Educate how BA complements their work
    • Educate them on the changes resulting from the BA practice’s work, and involve them in crafting the process
    • Individual meetings and interviews
    • Political jockeying
    • Use the support of the champions
    Tailored to individual groups

    1.3 Craft a strategy to increase stakeholder support and participation

    1-2 hours

    Now that you have organized and categorized your stakeholders based on their power, influence, interest, and knowledge of business architecture, it is time to brainstorm how you are going to gain their support and participation.

    Think about the following:

    • What are your stakeholders’ concerns?
    • How can you address them?
    • How will you deliver the message?
    • How often will you deliver the message?

    Avoid these common mistakes:

    • Your communication strategy development should be an iterative process. Do not assume to know the absolute best way to get through to every resistor right away. Instead, engage with your supporters for their input on how to communicate to resistors and repeat the process for indifferent stakeholders as well.
    Input Output
  • Stakeholder Engagement Map
    • Stakeholder Communications Strategy
    Materials Participants
    • Stakeholder Engagement Strategy Template
    • A computer
    • A whiteboard and markers CIO
    • Business Architect
    • IT Department Leads

    Download the Stakeholder Engagement Strategy Template for this project.

    Engaging the right stakeholders

    CASE STUDY

    Industry
    Financial - Banking

    Source
    Anonymous

    Situation Complication Result

    To achieve success with the business architecture initiative, the bank’s CIO needed to put together a plan to engage the right stakeholders in the process.

    Without the right stakeholders, the initiative would suffer from inadequate information and thus would run the risk of delivering an ineffective solution.

    The bank’s culture was resistant to change and each business unit had its own understanding of the business strategy. This was a big part of the problem that led to decreasing customer satisfaction.

    The CIO needed a unified vision for the business architecture practice involving people, process, and technology that all stakeholders could support.

    Starting with enlisting executive support in the form of a business sponsor, the CIO identified the rest of the key stakeholders, in this case, the business unit heads, who were necessary to engage for the initiative.

    Once identified, the CIO promoted the benefits of business architecture to each of the business unit heads while taking stock of their individual needs.

    1.4 Develop a plan to engage key stakeholders

    1 hour

    Using your stakeholder power map as a starting point, focus on the three most important quadrants: those that contain stakeholders you must keep informed, those to keep satisfied, and the key players.

    Plot the stakeholders from those quadrants on a stakeholder engagement map.

    Think about the following:

    • Who are your resistors? These individuals will actively detract from project’s success if you don’t address their concerns.
    • Who is indifferent? These individuals need to be educated more on the benefits of business architecture to have an opinion either way.
    • Who are your supporters? These individuals will support you and spread your message if you equip them to do so.

    Avoid these common mistakes:

    • Do not jump to addressing resistor concerns first. Instead, equip your supporters with the info they need to help your cause and gain positive momentum before approaching resistors.
    InputOutput
    • Stakeholder Engagement Map
    • Stakeholder Communications Strategy
    MaterialsParticipants
    • Stakeholder Engagement Strategy Template
    • A computer
    • A whiteboard and markers
    • CIO
    • Business Architect
    • IT Department Leads

    Download the Stakeholder Engagement Strategy Template for this project.

    1.5 Craft a strategy to increase stakeholder support and participation

    1-2 hours

    Now that you have organized and categorized your stakeholders based on their power, influence, interest, and knowledge of business architecture, it is time to brainstorm how you are going to gain their support and participation.

    Think about the following:

    • What are your stakeholders’ concerns?
    • How can you address them?
    • How will you deliver the message?
    • How often will you deliver the message?

    Avoid these common mistakes:

    • Your communication strategy development should be an iterative process. Do not assume to know the absolute best way to get through to every resistor right away. Instead, engage with your supporters for their input on how to communicate to resistors and repeat the process for indifferent stakeholders as well.
    InputOutput
    • Stakeholder Engagement Map
    • Stakeholder Communications Strategy
    MaterialsParticipants
    • Stakeholder Engagement Strategy Template
    • A computer
    • A whiteboard and markers
    • CIO
    • Business Architect
    • IT Department Leads

    Download the Stakeholder Engagement Strategy Template for this project.

    Define value streams

    Identify the core activities your organization does to provide value to your customers.

    Business context Define value streams Build business capability map

    1.1 Select key stakeholders
    1.2 Collect and understand corporate goals

    2.1 Update or define value streams
    2.2 Decompose and analyze selected value stream

    3.1 Build Level 1 capability map
    3.2 Build Level 2 capability map
    3.3 Heatmap capability map
    3.4 Roadmap

    This phase will walk you through the following activities:

    • Note: It is recommended that you gather and leverage relevant industry standard business architecture models you may have available to you. Example: Info-Tech Industry Business Architecture, BIZBOK, APQC.
    • Defining or updating the organization’s value streams.
    • Selecting priority value streams for deeper analysis.

    This phase involves the following participants:

    • Business Architect, Enterprise Architect
    • Relevant Business Stakeholder(s): Business Unit Leads, Departmental Executives, Senior Mangers, Business Analysts

    Define the organization’s value streams

    • Value streams connect business goals to the organization’s value realization activities. They enable an organization to create and capture value in the marketplace by engaging in a set of interconnected activities. Those activities are dependent on the specific industry segment an organization operates within. Value streams can extend beyond the organization into the supporting ecosystem, whereas business processes are contained within and the organization has complete control over them.
    • There are two types of value streams: core value streams and support value streams. Core value streams are mostly externally facing: they deliver value to either an external or internal customer and they tie to the customer perspective of the strategy map. Support value streams are internally facing and provide the foundational support for an organization to operate.
    • An effective method for ensuring all value streams have been considered is to understand that there can be different end-value receivers. Info-Tech recommends identifying and organizing the value streams with customers and partners as end-value receivers.

    Connect business goals to value streams

    Example strategy map and value stream

    Identifying value streams

    Value streams connect business goals to organization’s value realization activities. They enable an organization to create and capture value in the market place by engaging in a set of interconnected activities.

    There are several key questions to ask when endeavoring to identify value streams.

    Key Questions
    • Who are your customers?
    • What are the benefits we deliver to them?
    • How do we deliver those benefits?
    • How does the customer receive the benefits?

    Example: Value stream descriptions for the retail industry

    Value StreamsCreate or Purchase ProductManage InventoryDistribute ProductSell Product
    • Retailers need to purchase the products they are going to sell to customers from manufacturers or wholesale distributors.
    • A retailer’s success depends on its ability to source products that customers want and are willing to buy.
    • In addition, they need to purchase the right amount and assortment of products based on anticipated demand.
    • The right inventory needs to be at a particular store in the right quantities exactly when it is needed. This helps to maximize sales and minimize how much cash is held up in inventory.
    • Inventory management includes tracking, ordering, and stocking products, e.g. raw materials, finished products, buffer inventory.
    • Optimizing distribution activities is important for retailers.
    • Proper supply chain management can not only reduce costs for retailers but also drive revenues by enhancing shopping experiences.
    • Distribution includes transportation, packaging and delivery.
    • As business becomes global, it is important to ensure the whole distribution channel is effective.
    • Once produced, retailers need to sell the products. This is done through many channels including physical stores, online, the mail, or catalogs.
    • After the sale, retailers typically have to deliver the product, provide customer care, and manage complaints.
    • Retailers can use loyalty programs, pricing, and promotions to foster repeat business.

    Value streams describe your core business

    Value streams – the activities we do to provide value to customers – require business capabilities.

    Value streams are broken down further into value stages, for example, Sell Product value stream has value stages Evaluate Options, Place Order, and Make Payment.

    Think of value streams as the core operations, the reason for our organization’s being. A professional consulting organization may have a legal team but it does not brand itself as a law firm. A core value stream is providing research products and services – a business capability that supports it is legal counsel.

    2.1 Define value streams

    1-3 hours

    Unify the organization’s perspective on how it creates value.

    1. Write a short description of the value stream that includes a statement about the value provided and a clear start and end for the value stream. Validate the accuracy of the descriptions with your key stakeholders.
    2. Consider:
      1. How does the organization deliver those benefits?
      2. How does the customer receive the benefits?
      3. What is the scope of your value stream? What will trigger the stream to start and what will the final value be?
    3. Avoid: Don’t start with a blank page. Use Info-Tech’s business architecture models for sample value streams.
    Input Output
    • Business strategy or goals
    • Financial statements
    • Info-Tech’s industry-specific business architecture
    • List of organizational specific value streams
    • Detailed value stream definition(s)
    Materials Participants
    • Whiteboard / Kanban Board
    • Reference Architecture Template – See your Account Representative for details
    • Other industry standard reference architecture models: BIZBOK, APQC, etc.
    • Info-Tech Archi Models
    • Enterprise/Business Architect
    • Business Analysts
    • Business Unit Leads
    • CIO
    • Departmental Executives & Senior Managers

    See your Info-Tech Account Representative for access to the Reference Architecture Template

    Decompose the value stream into stages

    The stages of a value stream are usually action-oriented statements or verbs that make up the individual steps involved throughout the scope of the value stream, e.g. Place Order or Make Payment.

    Each value stream should have a trigger or starting point and an end result for a client or receiver.

    Decompose the value stream into stages

    There should be measurable value or benefits at each stage.
    These are key performance indicators (KPIs).
    Spot problem areas in the stream.

    Value streams usually fall into one of these categories:

    1. Fulfillment of products and services
    2. Manufacturing
    3. Software products
    4. Supporting value streams (procurement of supplies, product planning)

    Value stream and value stages examples

    Customer Acquisitions
    Identify Prospects > Contact Prospects > Verify Interests

    Sell Product
    Identify Options > Evaluate Options > Negotiate Price and Delivery Date > Place Order > Get Invoice > Make Payment

    Product Delivery
    Confirm Order > Plan Load > Receive Warehouse > Fill Order > Ship Order > Deliver Order > Invoice Customer

    Product Financing
    Initiate Loan Application > Decide on Application > Submit Documents > Review & Satisfy T&C > Finalize Documents > Conduct Funding > Conduct Funding Audits

    Product Release
    Ideate > Design > Build > Release

    Sell Product is a value stream, made up of value stages Identify options, Evaluate options, and so on.

    2.2 Decompose selected value streams

    1-3 hours

    Once we have a good understanding of our value streams, we need to decide which ones to focus on for deeper analysis and modeling, e.g. extend the business architecture to more detailed level 2 capabilities.

    Organization has goals and delivers products or services.

    1. Identify which value propositions are most important, e.g. be more productive or manage money more simply.
    2. Identify the value stream(s) that create the value proposition.
    3. Break the selected value stream into value stages.
    4. Analyze value stages for opportunities.

    Practical Guide to Agile Strategy Execution

    InputOutput
    • Value stream maps and definitions
    • Business goals, business model canvas, customer journey (value proposition) Selected value streams decomposed into value stages
    • Analysis of selected value streams for opportunities
    • Value stream map
    MaterialsParticipants
    • Whiteboard / Kanban Board
    • Reference Architecture Template – See your Account Representative for details
    • Other industry standard reference architecture models: BIZBOK, APQC, etc.
    • Enterprise/Business Architect
    • Business Analysts
    • Business Unit Leads
    • CIO
    • Departmental Executives & Senior Managers

    Build your value stream one layer at a time to ensure clarity and comprehensiveness

    The first step of creating a value stream is defining it.

    • In this step, you create the parameters around the value stream and document them in a list format.
    • This allows you to know where each value stream starts and ends and the unique value it provides.

    The second step is the value stream mapping.

    • The majority of the mapping is done here where you break down your value stream into each of its component stages.
    • Analysis of these stages allows for a deeper understanding of the value stream.
    • The mapping layer connects the value stream to organizational capabilities.

    Define the value streams that are tied to your strategic goals and document them in a list

    Title

    • Create a title for your value stream that indicates the value it achieves.
    • Ensure your title is clear and will be understood the same way across the organization.
    • The common naming convention for value streams is to use nouns, e.g. product purchase.

    Scope

    • Determine the scope of your value stream by defining the trigger to start the value stream and final value delivered to end the value stream.
    • Be precise with your trigger to ensure you do not mistakenly include actions that would not trigger your value stream.
    • A useful tip is creating a decision tree and outlining the path that results in your trigger.

    Objectives

    • Determine the objectives of the value stream by highlighting the outcome it delivers.
    • Identify the desired outcomes of the value stream from the perspective of your organization.

    Example Value Streams List

    Title Scope Objectives
    Sell Product From option identification to payment Revenue Growth

    Create a value stream map

    A Decompose the Value Stream Into Stages B Add the Customer Perspective
    • Determine the different stages that comprise the value stream.
    • Place the stages in the correct order.
    • Outline the likely sentiment and meaningful needs of the customer at each value stage.
    C Add the Expected Outcome D Define the Entry and Exit Criteria
    • Define the desired outcome of each stage from the perspective of the organization.
    • Define both the entry and exit criteria for each stage.
    • Note that the entry criteria of the first stage is what triggers the value stream.
    E Outline the Metrics F Assess the Stages
    • For each stage of the value stream, outline the metrics the organization can use to identify its ability to attain the desired outcome.
    • Assess how well each stage of the value stream is performing against its target metrics and use this as the basis to drill down into how/where improvements can be made.

    Decompose the value stream into its value stages

    The first step in creating a value stream map is breaking it up into its component stages.

    The stages of a value stream are usually action-oriented statements or verbs that make up the individual steps involved throughout the scope of the value stream.

    Illustration of decomposing value stream into its value stages

    The Benefit
    Segmenting your value stream into individual stages will give you a better understanding of the steps involved in creating value.

    Connect the stages of the value stream to a specific customer perspective

    Example of a sell product value stream

    The Benefit
    Adding the customer’s perspective will inform you of their priorities at each stage of the value stream.

    Connect the stages of the value stream to a desired outcome

    Example of a sell product value stream

    The Benefit
    Understanding the organization’s desired outcome at each stage of the value stream will help set objectives and establish metrics.

    Define the entry and exit criteria of each stage

    Example of entry and exit criteria for each stage

    The Benefit
    Establishing the entry and exit criteria for each stage will help you understand how the customer experience flows from one end of the stream to the other.

    Outline the key metric(s) for each stage

    Outline the key metrics for each stage

    The Benefit
    Setting metrics for each stage will facilitate the tracking of success and inform the business architecture practitioner of where investments should be made.

    Example value stream map: Sell Product

    Assess the stages of your value stream map to determine which capabilities to examine further

    To determine which specific business capabilities you should seek to assess and potentially refine, you must review performance toward target metrics at each stage of the value stream.

    Stages that are not performing to their targets should be examined further by assessing the capabilities that enable them.

    Value Stage Metric Description Metric Target Current Measure Meets Objective?
    Evaluate Options Number of Product Demonstrations 12,000/month 9,000/month No
    Identify Options Google Searches 100K/month 100K/month Yes
    Identify Options Product Mentions 1M/month 1M/month Yes
    Website Traffic (Hits)
    Average Deal Size
    Number of Deals
    Time to Complete an Order
    Percentage of Invoices Without Error
    Average Time to Acquire Payment in Full

    Determine the business capabilities that support the value stage corresponding with the failing metric

    Sell Product

    Identify Options > Evaluate Options > Negotiate Price and Delivery Date > Place Order > Get Invoice > Make Payment

    The value stage(s) that doesn’t meet its objective metrics should be examined further.

    • This is done through business capability mapping and assessment.
    • Starting at the highest level (level 0) view of a business, the business architecture practitioner must drill down into the lower level capabilities that support the specific value stage to diagnose/improve an issue.

    Info-Tech Insight
    In the absence of tangible metrics, you will have to make a qualitative judgement about which stage(s) of the value stream warrant further examination for problems and opportunities.

    Build business capability map

    Align supporting capabilities to priority activities.

    Business context Define value streams Build business capability map
    1.1 Select key stakeholders
    1.2 Collect and understand corporate goals
    2.1 Update or define value streams
    2.2 Decompose and analyze selected value stream
    3.1 Build Level 1 capability map
    3.2 Build Level 2 capability map
    3.3 Heatmap capability map
    3.4 Roadmap

    This step will walk you through the following activities:

    • Determine which business capabilities support value streams
    • Accelerate the process with an industry reference architecture
    • Validate the business capability map
    • Establish level 2 capability

    This step involves the following participants:

    • Enterprise/Business Architect
    • Business Analysts
    • Business Unit Leads
    • CIO
    • Departmental Executives & Senior Managers

    Outcomes of this step

  • A validated level 1 business capability map
  • Level 2 capabilities for selected value stream(s)
  • Heatmapped business capability map
  • Business architecture initiatives roadmap
  • Develop a business capability map – level 1

    • Business architecture consists of a set of techniques to create multiple views of an organization; the primary view is known as a business capability map.
    • A business capability defines what a business does to enable value creation and achieve outcomes, rather than how. Business capabilities are business terms defined using descriptive nouns such as “Marketing” or “Research and Development.” They represent stable business functions, are unique and independent of each other, and typically will have a defined business outcome. Business capabilities should not be defined as organizational units and are typically longer lasting than organizational structures.
    • A business capability mapping process should begin at the highest-level view of an organization, the level 1, which presents the entire business on a page.
    • An effective method of organizing business capabilities is to split them into logical groupings or categories. At the highest level, capabilities are either “core” (customer-facing functions) or “enabling” (supporting functions).
    • As a best practice, Info-Tech recommends dividing business capabilities into the categories illustrated to the right.

    The Business Capability Map is the primary visual representation of the organization’s key abilities or services that are delivered to stakeholders. This model forms the basis of strategic planning discussions.

    Example of a business capability map

    Example business capability map – Higher Education

    A business capability map can be thought of as a visual representation of your organization’s business capabilities and represents a view of what your data program must support.

    Validate your business capability map with the right stakeholders, including your executive team, business unit leaders, and/or other key stakeholders.

    Example business capability map for: Higher Education

    Example business capability map for higher education

    Example business capability map – Local Government

    A business capability map can be thought of as a visual representation of your organization’s business capabilities and represents a view of what your data program must support.

    Validate your business capability map with the right stakeholders, including your executive team, business unit leaders, and/or other key stakeholders.

    Example business capability map for: Local Government

    Example business capability map for local government

    Map capabilities to value stage

    Example of a value stage

    Source: Lambert, “Practical Guide to Agile Strategy Execution”

    3.1 Build level 1 business capability map

    1-3 hours

    1. Analyze the value streams to identify and describe the organization’s capabilities that support them. This stage requires a good understanding of the business and will be a critical foundation for the business capability map. Use the reference business architecture’s business capability map for your industry for examples of level 1 and 2 business capabilities and the capability map template to work in.
    2. Avoid:
      1. Don’t repeat capabilities. Capabilities are typically mutually exclusive activities.
      2. Don’t include temporary initiatives. Capabilities should be stable over time. The people, processes, and technologies that support capabilities will change continuously.

    Ensure you engage with the right stakeholders:

    Don’t waste your efforts building an inaccurate depiction of the business: The exercise of identifying capabilities for an organization is very introspective and requires deep analysis.

    It is challenging to develop a common language that everyone will understand and be able to apply. Invest in the time to ensure the right stakeholders are brought into the fold and bring their business area expertise and understanding to the table.

    InputOutput
    • Existing business capability maps
    • Value stream map
    • Info-Tech’s industry-specific business architecture
    • Level 1 business capability map for enterprise
    MaterialsParticipants
    • Whiteboard
    • Reference Architecture Template – See your Account Representative for details
    • Other industry standard reference architecture models: BIZBOK, APQC, etc.
    • Archi Models
    • Enterprise/Business Architect
    • Business Analysts
    • Business Unit Leads
    • CIO
    • Departmental Executives & Senior Managers

    Prioritize one value stream and build a business architecture to level 2 capabilities

    Prioritize your innovation objectives and business goals, and identify a value stream to transform.

    Align the innovation goals and business objectives of your organization to your value streams (the critical actions that take place within your organization to add value to a customer).
    Prioritize a value stream to transform based on the number of priorities aligned to a value stream and/or the business value (e.g. revenue, EBITDA earnings, competitive differentiation, or cost efficiency).
    Working alongside a business or enterprise architect, build a reference architecture for the prioritized value stream up to level 2.

    Example of a value stream to business architecture level 2 capabilities

    Info-Tech Insight
    To produce maximum impact, focus on value streams that provide two-thirds of your enterprise value (EBITDA earnings).

    From level 1 to level 2 business capabilities

    Example moving from level 1 to level 2 business capabilities

    3.2 Build level 2 business capability map

    1-3 hours

    It is only at level 2 and further that we can pinpoint the business capabilities – the exact resources, whether applications or data or processes – that we need to focus on to realize improvements in the organization’s performance and customer experience.

    1. Gather industry reference models and any existing business capability maps.
    2. For the selected value stream, further break down its level 1 business capabilities into level 2 capabilities.
    3. You can often represent the business capabilities on a single page, providing a holistic visual for decision makers.
    4. Use meaningful names for business capabilities so that planners, stakeholders, and subject matter experts can easily search the map.
    InputOutput
    • Existing business capability maps
    • Value stream map
    • Info-Tech’s industry-specific business architecture
    • Level 1 business capability map
    • Level 2 Business Capability Map for selected Value Stream
    MaterialsParticipants
    • Whiteboard
    • Reference Architecture Template – See your Account Representative for details.
    • Other industry standard reference architecture models: BIZBOK, APQC, etc.
    • Archi Models
    • Enterprise/Business Architect
    • Business Analysts
    • Business Unit Leads
    • CIO
    • Departmental Executives & Senior Managers

    Download: See your Account Representative for access to Info-Tech’s Reference Architecture Template

    3.3 Heatmap business capability map

    1-3 hours

    Determine the organization’s key capabilities.

    1. Determine cost advantage creators. If your organization has a cost advantage over competitors, the capabilities that enable it should be identified and prioritized. Highlight these capabilities and prioritize the programs that support them.
    2. Determine competitive advantage creators. If your organization does not have a cost advantage over competitors, determine if it can deliver differentiated end-customer experiences. Once you have identified the competitive advantages, understand which capabilities enable them. These capabilities are critical to the success of the organization and should be highly supported.
    3. Define key future state capabilities. In addition to the current and competitive advantage creators, the organization may have the intention to enhance new capabilities. Discuss and select the capabilities that will help drive the attainment of future goals.
    4. Assess how well information, applications, and processes support capabilities.
    InputOutput
    • Business capability map
    • Cost advantage creators
    • Competitive advantage creators
    • IT and business assessments
    • Key business capabilities
    • Business process review
    • Information assessment
    • Application assessment
    • List of IT implications
    MaterialsParticipants
    • Whiteboard
    • Reference Architecture Template – See your Account Representative for details.
    • Other industry standard reference architecture models: BIZBOK, APQC, etc.
    • Archi Models
    • Enterprise/Business Architect
    • Business Analysts
    • Business Unit Leads
    • CIO
    • Departmental Executives & Senior Managers

    Download: See your Account Representative for access to Info-Tech’s Reference Architecture Template

    Business capability map: Education

    Illustrative example of a business capability map for education

    Define key capabilities

    Illustrative example of Define key capabilities

    Note: Illustrative Example

    Business process review

    Illustrative example of a business process review

    Note: Illustrative Example

    Information assessment

     Illustrative example of an Information assessment

    Note: Illustrative Example

    Application assessment

     Illustrative example of an Application assessment

    Note: Illustrative Example

    MoSCoW analysis for business capabilities

     Illustrative example of a MoSCoW analysis for business capabilities

    Note: Illustrative Example

    Ranked list of IT implications

    MoSCoW Rank IT Implication Value Stream Impacted Comments/Actions
    M [Implication] [Value Stream]
    M [Implication] [Value Stream]
    M [Implication] [Value Stream]
    S [Implication] [Value Stream]
    S [Implication] [Value Stream]
    S [Implication] [Value Stream]
    C [Implication] [Value Stream]
    C [Implication] [Value Stream]
    C [Implication] [Value Stream]
    W [Implication] [Value Stream]
    W [Implication] [Value Stream]
    W [Implication] [Value Stream]

    3.4 Roadmap business architecture initiatives

    1-3 hours

    Unify the organization’s perspective on how it creates value.

    1. Write a short description of the value stream that includes a statement about the value provided and a clear start and end for the value stream. Validate the accuracy of the descriptions with your key stakeholders.
    2. Consider:
      1. How does the organization deliver those benefits?
      2. How does the customer receive the benefits?
      3. What is the scope of your value stream? What will trigger the stream to start and what will the final value be?
    3. Don’t start with a blank page. Use Info-Tech’s business architecture models for sample value streams.
    InputOutput
    • Existing business capability maps
    • Value stream map
    • Info-Tech’s industry-specific business architecture
    • Level 1 business capability map
    • Heatmapped business capability map
    MaterialsParticipants
    • Whiteboard
    • Reference Architecture Template – See your Account Representative for details.
    • Other industry standard reference architecture models: BIZBOK, APQC, etc.
    • Archi Models
    • Enterprise/Business Architect
    • Business Analysts
    • Business Unit Leads
    • CIO
    • Departmental Executives & Senior Managers

    Download: See your Account Representative for access to Info-Tech’s Reference Architecture Template

    Example: Business architecture deliverables

    Enterprise Architecture Domain Architectural View Selection
    Business Architecture Business strategy map Required
    Business Architecture Business model canvas Optional
    Business Architecture Value streams Required
    Business Architecture Business capability map Not Used
    Business Architecture Business process flows
    Business Architecture Service portfolio
    Data Architecture Conceptual data model
    Data Architecture Logical data model
    Data Architecture Physical data model
    Data Architecture Data flow diagram
    Data Architecture Data lineage diagram

    Tools and templates to compile and communicate your business architecture work

    The Industry Business Reference Architecture Template for your industry is a place for you to collect all of the activity outputs and outcomes you’ve completed for use in next-steps.

    Download the Industry Business Reference Architecture Template for your industry

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit Guided Implementation Workshop Consulting
    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks are used throughout all four options

    Research Contributors and Experts

    Name Role Organization
    Ibrahim Abdel-Kader Research Analyst, Data & Analytics Info-Tech Research Group
    Ben Abrishami-Shirazi Technical Counselor, Enterprise Architecture Info-Tech Research Group
    Andrew Bailey Consulting, Manager Info-Tech Research Group
    Dana Dahar Research & Advisory Director, CIO / Digital Business Strategy Info-Tech Research Group
    Larry Fretz VP Info-Tech Research Group
    Shibly Hamidur Enterprise Architect Toronto Transit Commission (TTC)
    Rahul Jaiswal Principal Research Director, Industry Info-Tech Research Group
    John Kemp Executive Counselor, Executive Services Info-Tech Research Group
    Gerald Khoury Senior Executive Advisor Info-Tech Research Group
    Igor Ikonnikov Principal Advisory Director, Data & Analytics Info-Tech Research Group
    Daniel Lambert VP Benchmark Consulting
    Milena Litoiu Principal Research Director, Enterprise Architecture Info-Tech Research Group
    Andy Neill AVP Data & Analytics, Chief Enterprise Architect Info-Tech Research Group
    Rajesh Parab Research Director, Data & Analytics Info-Tech Research Group
    Rick Pittman VP, Research Info-Tech Research Group
    Irina Sedenko Research Director, Data & Analytics Info-Tech Research Group

    Bibliography

    Andriole, Steve. “Why No One Understands Enterprise Architecture & Why Technology Abstractions Always Fail.” Forbes, 18 September 2020. Web.

    “APQC Process Classification Framework (PCF) – Retail.” American Productivity & Quality Center, 9 January 2019. Web.

    Brose, Cari. “Who’s on First? Architecture Roles and Responsibilities in SAFe.” Business Architecture Guild, 9 March 2017. Web.

    Burlton, Roger, Jim Ryne, and Daniel St. George. “Value Streams and Business Processes: The Business Architecture Perspective.” Business Architecture Guild, December 2019. Web.

    “Business Architecture: An overview of the business architecture professional.” Capstera, 5 January 2022. Web.

    Business Architecture Guild. “What is Business Architecture?” Business Analyst Mentor, 18 November 2022. Web.

    “Business Architecture Overview.” The Business Architecture Working Group of the Object Management Group (OMG), n.d. Web.

    “Delivering on your strategic vision.” The Business Architecture Guild, n.d. Web.

    Ecker, Grant. “Deploying business architecture.” LinkedIn, 11 November 2021. (Presentation)

    IRIS. “Retail Business Architecture Framework and Examples.” IRIS Business Architect, n.d. Web.

    IRIS. “What Is Business Architecture?” IRIS Business Architect, 8 May 2014. Web.

    IRIS. “Your Enterprise Architecture Practice Maturity 2021 Assessment.” IRIS Business Architect, 17 May 2021. Web.

    Khuen, Whynde. “How Business Architecture Breaks Down and Bridges Silos.” Biz Arch Mastery, January 2020. Web.

    Lambert, Daniel. “Practical Guide to Agile Strategy Execution.” 18 February 2020.

    Lankhorst, Marc, and Bernd Ihnen. “Mapping the BIZBOK Metamodel to the ArchiMate Language.” Bizzdesign, 2 September 2021. Web.

    Ramias, Alan, and Andrew Spanyi, “Demystifying the Relationship Between Processes and Capabilities: A Modest Proposal.” BPTrends, 2 February 2015. Web.

    Newman, Daniel. “NRF 2022: 4 Key Trends From This Year’s Big Show.” Forbes, 20 January 2022. Web.

    Research and Markets. “Define the Business Context Needed to Complete Strategic IT Initiatives: 2018 Blueprint.” Business Wire, 1 February 2018. Web.

    Sabanoglu, Tugba. “Retail market worldwide - Statistics & Facts.” Statista, 21 April 2022. Web.

    Spacey, John. “Capability vs Process.” Simplicable, 18 November 2016. Web.

    “The Definitive Guide to Business Capabilities.” LeanIX, n.d. Web.

    TOGAF 9. Version 9.1. The Open Group, 2011. Web.

    “What is Business Architecture?” STA Group, 2017. PDF.

    Whittie, Ralph. “The Business Architecture, Value Streams and Value Chains.” BA Institute, n.d. Web.

    Spread Best Practices With an Agile Center of Excellence

    • Buy Link or Shortcode: {j2store}152|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: $97,499 Average $ Saved
    • member rating average days saved: 26 Average Days Saved
    • Parent Category Name: Development
    • Parent Category Link: /development
    • Your organization is looking to create consistency across all Agile teams to drive greater business results and alignment.
    • You are seeking to organically grow Agile capabilities within the organization through a set of support structures and facilitated through shared learning and capabilities.

    Our Advice

    Critical Insight

    • Social capital can be an enabler, but also a barrier. People can only manage a finite number of relationships; ensure that the connections the Center of Excellence (CoE) facilitates are purposeful.
    • Don’t over govern. Empowerment is critical to enable improvements; set boundaries and let teams work inside them with autonomy.
    • Legitimize through listening. A CoE will not be leveraged unless it aligns with the needs of its users. Invest the time to align with the functional expectations of your Agile teams.

    Impact and Result

    • Create a set of service offerings aligned with both corporate objectives and the functional expectations of its customers to ensure broad support and utility of the invested resources.
    • Understand some of the cultural and processual challenges you will face when forming a center of excellence, and address them using Info-Tech’s Agile adoption model.

    Spread Best Practices With an Agile Center of Excellence Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should build an Agile Center of Excellence, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Strategically align the Center of Excellence

    Create strategic alignment between the CoE and the organization’s goals, objectives, and vision.

    • Spread Best Practices With an Agile Center of Excellence – Phase 1: Strategically Align the Center of Excellence

    2. Standardize the Center of Excellence’s service offerings

    Build an engagement plan based on a standardized adoption model to ensure your CoE service offerings are accessible and consistent across the organization.

    • Spread Best Practices With an Agile Center of Excellence – Phase 2: Standardize the Center of Excellence’s Service Offerings

    3. Operate the Center of Excellence

    Operate the CoE to provide service offerings to Agile teams, identify improvements to optimize the function of your Agile teams, and effectively manage and communicate change.

    • Spread Best Practices With an Agile Center of Excellence – Phase 3: Operationalize Your Agile Center of Excellence
    • ACE Satisfaction Survey
    • CoE Maturity Diagnostic Tool
    • ACE Benefits Tracking Tool
    • ACE Communications Deck
    [infographic]

    Workshop: Spread Best Practices With an Agile Center of Excellence

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Determine Vision of CoE

    The Purpose

    Create strategic alignment between the CoE and the organization’s goals, objectives, and vision.

    Understand how your key stakeholders will impact the longevity of your CoE.

    Determine your CoE structure and staff.

    Key Benefits Achieved

    Top-down alignment with strategic aims of the organization.

    A set of high-level use cases to form the CoE’s service offerings around.

    Visualization of key stakeholders, with their current and desired power and involvement documented.

    Activities

    1.1 Identify and prioritize organizational business objectives.

    1.2 Form use cases for the points of alignment between your Agile Center of Excellence (ACE) and business objectives.

    1.3 Prioritize your ACE stakeholders.

    Outputs

    Prioritized business objectives

    Business-aligned use cases to form CoE’s service offerings

    Stakeholder map of key influencers

    2 Define Service Offerings of CoE

    The Purpose

    Document the functional expectations of the Agile teams.

    Refine your business-aligned use cases with your collected data to achieve both business and functional alignment.

    Create a capability map that visualizes and prioritizes your key service offerings.

    Key Benefits Achieved

    Understanding of some of the identified concerns, pain points, and potential opportunities from your stakeholders.

    Refined use cases that define the service offerings the CoE provides to its customers.

    Prioritization for the creation of service offerings with a capability map.

    Activities

    2.1 Classified pains and opportunities.

    2.2 Refine your use cases to identify your ACE functions and services.

    2.3 Visualize your ACE functions and service offerings with a capability map.

    Outputs

    Classified pains and opportunities

    Refined use cases based on pains and opportunities identified during ACE requirements gathering

    ACE Capability Map

    3 Define Engagement Plans

    The Purpose

    Align service offerings with an Agile adoption model so that teams have a structured way to build their skills.

    Standardize the way your organization will interact with the Center of Excellence to ensure consistency in best practices.

    Key Benefits Achieved

    Mechanisms put in place for continual improvement and personal development for your Agile teams.

    Interaction with the CoE is standardized via engagement plans to ensure consistency in best practices and predictability for resourcing purposes.

    Activities

    3.1 Further categorize your use cases within the Agile adoption model.

    3.2 Create an engagement plan for each level of adoption.

    Outputs

    Adoption-aligned service offerings

    Role-based engagement plans

    4 Define Metrics and Plan Communications

    The Purpose

    Develop a set of metrics for the CoE to monitor business-aligned outcomes with.

    Key Benefits Achieved

    The foundations of continuous improvement are established with a robust set of Agile metrics.

    Activities

    4.1 Define metrics that align with your Agile business objectives.

    4.2 Define target ACE performance metrics.

    4.3 Define Agile adoption metrics.

    4.4 Assess the interaction and communication points of your Agile team.

    4.5 Create a communication plan for change.

    Outputs

    Business objective-aligned metrics

    CoE performance metrics

    Agile adoption metrics

    Assessment of organizational design

    CoE communication plan

    Further reading

    Spread Best Practices With an Agile Center of Excellence

    Achieve ongoing alignment between Agile teams and the business with a set of targeted service offerings.

    ANALYST PERSPECTIVE

    "Inconsistent processes and practices used across Agile teams is frequently cited as a challenge to adopting and scaling Agile within organizations. (VersionOne’s 13th Annual State of Agile Report [N=1,319]) Creating an Agile Center of Excellence (ACE) is a popular way to try to impose structure and improve performance. However, simply establishing an ACE does not guarantee you will be successful with Agile. When setting up an ACE you must: Define ACE services based on identified stakeholder needs. Staff the ACE with respected, “hands on” people, who deliver identifiable value to your Agile teams. Continuously evolve ACE service offerings to maximize stakeholder satisfaction and value delivered."

    Alex Ciraco, Research Director, Applications Practice Info-Tech Research Group

    Our understanding of the problem

    This Research Is Designed For:

    • A CIO who is looking for a way to optimize their Agile capabilities and ensure ongoing alignment with business objectives.
    • An applications director who is looking for mechanisms to inject continuous improvement into organization-wide Agile practices.

    This Research Will Help You:

    • Align your Agile support structure with business objectives and the functional expectations of its users.
    • Standardize the ways in which Agile teams develop and learn to create consistency in purpose and execution.
    • Track and communicate successes to ensure the long-term viability of an Agile Center of Excellence (ACE).

    This Research Will Also Assist

    • Project managers who are tasked with managing Agile projects.
    • Application development managers who are struggling with establishing consistency, transparency, and collaboration across their teams.

    This Research Will Help Them:

    • Provide service offerings to their team members that will help them personally and collectively to develop desired skills.
    • Provide oversight and transparency into Agile projects and outcomes through ongoing monitoring.

    Executive summary

    Situation

    • Your organization has had some success with Agile, but needs to drive consistency across Agile teams for better business results and alignment.
    • You are seeking to organically grow Agile capabilities within the organization through a set of support services and facilitated through shared learning and capabilities.

    Complication

    • Organizational constraints, culture clash, and lack of continuous top-down support are hampering your Agile growth and maturity.
    • Attempts to create consistency across Agile teams and processes fail to account for the expectations of users and stakeholders, leaving them detached from projects and creating resistance.

    Resolution

    • Align the service offerings of your ACE with both corporate objectives and the functional expectations of its stakeholders to ensure broad support and utilization of the invested resources.
    • Understand some of the culture and process challenges you will face when forming an ACE, and address them using Info-Tech’s Agile adoption journey model.
    • Track the progress of the ACE and your Agile teams. Use this data to find root causes for issues, and ideate to implement solutions for challenges as they arise over time.
    • Effectively define and propagate improvements to your Agile teams in order to drive business-valued results.
    • Communicate progress to interested stakeholders to ensure long-term viability of the Center of Excellence (CoE).

    Info-Tech Insight

    1. Define ACE services based on stakeholder needs.Don’t assume you know what your stakeholders need without talking to them.
    2. Staff the ACE strategically. Choose those who are thought leaders and proven change agents.
    3. Continuously improve based on metrics and feedback.Constantly monitor how your ACE is performing and adjust to feedback.

    Info-Tech’s Agile Journey related Blueprints

    1. Stabilize

    Implement Agile Practices That Work

    Begin your Agile transformation with a comprehensive readiness assessment and a pilot project to adopt Agile development practices and behaviors that fit.

    2. Sustain

    YOU ARE HERE

    Spread Best Practices with an Agile Center of Excellence

    Form an ACE to support Agile development at all levels of the organization with thought leadership, strategic development support & process innovation.

    3. Scale

    Enable Organization-Wide Collaboration by Scaling Agile

    Extend the benefits of your Agile pilot project into your organization by strategically scaling Agile initiatives that will meet stakeholders’ needs.

    4. Satisfy

    Transition to Product Delivery Introduce product-centric delivery practices to drive greater benefits and better delivery outcomes.

    1.1 Determine the vision of your ACE

    1.2 Define the service offerings of your ACE

    2.1 Define an adoption plan for Agile teams

    2.2 Create an ACE engagement plan

    2.3 Define metrics to measure success

    3.1 Optimize the success of your ACE

    3.2 Plan change to enhance your Agile initiatives

    3.3 Conduct ongoing retrospectives

    Supporting Capabilities and Practices

    Modernize Your SDLC

    Remodel the stages of your lifecycle to standardize your definition of a successful product.

    Build a Strong Foundation for Quality

    Instill quality assurance practices and principles in each stage of your software development lifecycle.

    Implement DevOps Practices That Work

    Fix, deploy, and support applications quicker though development and operations collaboration.

    What is an Agile Center of Excellence?

    NOTE: Organizational change is hard and prone to failure. Determine your organization’s level of readiness for Agile transformation (and recommended actions) by completing Info-Tech’s Agile Transformation Readiness Tool.

    An ACE amplifies good practices that have been successfully employed within your organization, effectively allowing you to extend the benefits obtained from your Agile pilot(s) to a wider audience.

    From the viewpoint of the business, members of the ACE provide expertise and insights to the entire organization in order to facilitate Agile transformation and ensure standard application of Agile good practices.

    From the viewpoint of your Agile teams, it provides a community of individuals that share experiences and lessons learned, propagate new ideas, and raise questions or concerns so that delivering business value is always top of mind.

    An ACE provides the following:

    1. A mechanism to gather thought leadership to maximize the accessibility and reach of your Agile investment.
    2. A mechanism to share innovations and ideas to facilitate knowledge transfer and ensure broadly applicable innovations do not go to waste.
    3. Strategic alignment to ensure that Agile practices are driving value towards business objectives.
    4. Purposeful good practices to ensure that the service offerings provided align with expectations of both your Agile practitioners and stakeholders.

    SIDEBAR: What is a Community of Practice? (And how does it differ from a CoE?)

    Some organizations prefer Communities of Practice (CoP) to Centers of Excellence (CoE). CoPs are different from CoEs:

    A CoP is an affiliation of people who share a common practice and who have a desire to further the practice itself … and of course to share knowledge, refine best practices, and introduce standards. CoPs are defined by their domain of interest, but the membership is a social structure comprised of volunteer practitioners

    – Wenger, E., R. A. McDermott, et al. (2002) Cultivating communities of practice: A guide to managing knowledge, Harvard Business Press.

    CoPs differ from a CoE mainly in that they tend to have no geographical boundaries, they hold no hierarchical power within a firm, and they definitely can never have structure determined by the company. However, one of the most obvious and telling differences lies in the stated motive of members – CoPs exist because they have active practitioner members who are passionate about a specific practice, and the goals of a CoP are to refine and improve their chosen domain of practice – and the members provide discretionary effort that is not paid for by the employer

    – Matthew Loxton (June 1, 2011) CoP vs CoE – What’s the difference, and Why Should You Care?, Wordpress.com

    What to know about CoPs:

    1. Less formal than a CoE
      • Loosely organized by volunteer practitioners who are interested in advancing the practice.
    2. Not the Authoritative Voice
      • Stakeholders engage the CoP voluntarily, and are not bound by them.
    3. Not funded by Organization
      • CoP members are typically volunteers who provide support in addition to their daily responsibilities.
    4. Not covered in this Blueprint
      • In depth analysis on CoPs is outside the scope of this Blueprint.

    What does an ACE do? Six main functions derived from Info-Tech’s CLAIM+G Framework

    1. Learning
    • Provide training and development and enable engagement based on identified interaction points to foster organizational growth.
  • Tooling
    • Promote the use of standardized tooling to improve efficiency and consistency throughout the organization.
  • Supporting
    • Enable your Agile teams to access subject-matter expertise by facilitating knowledge transfer and documenting good practices.
  • Governing
    • Create operational boundaries for Agile teams, and monitor their progress and ability to meet business objectives within these boundaries.
  • Monitoring
    • Demonstrate the value the CoE is providing through effective metric setting and ongoing monitoring of Agile’s effectiveness.
  • Guiding
    • Provide guidance, methodology, and knowledge for teams to leverage to effectively meet organizational business objectives.
  • Many organizations encounter challenges to scaling Agile

    Tackle the following barriers to Agile adoption with a business-aligned ACE.

    List based on reported impediments from VersionOne’s 13th Annual State of Agile Report (N=1,319)

    1. Organizational culture at odds with Agile values
    • The ACE identifies and measures the value of Agile to build support from senior business leaders for shifting the organizational culture and achieving tangible business benefits.
  • General organizational resistance to change
    • Resistance comes from a lack of trust. Optimized value delivery from Info-Tech’s Agile adoption model will build the necessary social capital to drive cultural change.
  • Inadequate management support and sponsorship
    • Establishing an ACE will require senior management support and sponsorship. Its formation sends a strong signal to the organizational leadership that Agile is here to stay.
  • Lack of skills/experience with Agile methods
    • The ACE provides a vehicle to absorb external training into an internal development program so that Agile capabilities can be grown organically within the organization.
  • Inconsistent processes and practices across teams
    • The ACE provides support to individual Agile teams and will guide them to adopt consistent processes and practices which have a proven track record in the organization.
  • Insufficient training and education
    • The ACE will assist teams with obtaining the Agile skills training they need to be effective in the organization, and support a culture of continuous learning.
  • Overcome your Agile scaling challenges with a business aligned ACE

    An ACE drives consistency and transparency without sacrificing the ability to innovate. It can build on the success of your Agile pilot(s) by encouraging practices known to work in your organization.

    Support Agile Teams

    Provide services designed to inject evolving good practices into workflows and remove impediments or roadblocks from your Agile team’s ability to deliver value.

    Maintain Business Alignment

    Maintain alignment with corporate objectives without impeding business agility in the long term. The ACE functions as an interface layer so that changing expectations can be adapted without negatively impacting Agile teams.

    Facilitate Learning Events

    Avoid the risk of innovation and subject-matter expertise being lost or siloed by facilitating knowledge transfer and fostering a continuous learning environment.

    Govern Improvements

    Set baselines, monitor metrics, and run retrospectives to help govern process improvements and ensure that Agile teams are delivering expected benefits.

    Shift Culture

    Instill Agile thinking and behavior into the organization. The ACE must encourage innovation and be an effective agent for change.

    Use your ACE to go from “doing” Agile to “being” Agile

    Organizations that do Agile without embracing the changes in behavior will not reap the benefits.

    Doing what was done before

    • Processes and Tools
    • Comprehensive Documentation
    • Contract Negotiation
    • Following a Plan

    Being Prescriptive

    Going through the motions

    • Uses SCRUM and tools such as Jira
    • Plans multiple sprints in detail
    • Talks to stakeholders once in a release
    • Works off a fixed scope BRD

    Doing Agile

    Living the principles

    • Individuals and Interactions
    • Working Software
    • Customer Collaboration
    • Responding to Change

    Being Agile

    “(‘Doing Agile’ is) just some rituals but without significant change to support the real Agile approach as end-to-end, business integration, value focus, and team empowerment.” - Arie van Bennekum

    Establishing a CoE does not guarantee success

    Simply establishing a Center of Excellence for any discipline does not guarantee its success:

    The 2019 State of DevOps Report found that organizations which had established DevOps CoEs underperformed compared to organizations which adopted other approaches for driving DevOps transformation. (Accelerate State of DevOps Report 2019 [N=~1,000])

    Still, Agile Centers of Excellence can and do successfully drive Agile adoption in organizations. So what sets the successful examples apart from the others? Here’s what some have to say:

    The ACE must be staffed with qualified people with delivery experience! … [It is] effectively a consulting practice, that can evolve and continuously improve its services … These services are collectively about ‘enablement’ as an output, more than pure training … and above all, the ability to empirically measure the progress” – Paul Blaney, TD Bank

    “When leaders haven’t themselves understood and adopted Agile approaches, they may try to scale up Agile the way they have attacked other change initiatives: through top-down plans and directives. The track record is better when they behave like an Agile team. That means viewing various parts of the organization as their customers.” – HBR, “Agile at Scale”

    “the Agile CoE… is truly meant to be measured by the success of all the other groups, not their own…[it] is meant to be serving the teams and helping them improve, not by telling them what to do, but rather by listening, understanding and helping them adapt.” - Bart Gerardi, PMI

    The CoE must also avoid becoming static, as it’s crucial the team can adjust as quickly as business and customer needs change, and evolve the technology as necessary to remain competitive.” – Forbes, “RPA CoE (what you need to know)”

    "The best CoEs are formed from thought leaders and change agents within the CoE domain. They are the process and team innovators who will influence your CoE roadmap and success. Select individuals who feel passionate about Agile." – Hans Eckman, InfoTech

    To be successful with your ACE, do the following…

    Info-Tech Insight

    Simply establishing an Agile Center of Excellence does not guarantee its success. When setting up your ACE, optimize its impact on the organization by doing the following 3 things:

    1. Define ACE services based on stakeholder needs. Be sure to broadly survey your stakeholders and identify the ACE functions and services which will best meet their needs. ACE services must clearly deliver business value to the organization and the Agile teams it supports.
    2. Staff the ACE strategically. Select ACE team members who have real world, hands-on delivery experience, and are well respected by the Agile teams they will serve. Where possible, select internal thought leaders in your organization who have the credibility needed to effect positive change.
    3. Continuously improve ACE services based on metrics and feedback. The value your ACE brings to the organization must be clear and measurable, and do not assume that your functions and services will remain static. You must regularly monitor both your metrics and feedback from your Agile teams, and adjust ACE behavior to improve/maximize these over time.

    Spread Best Practices With an Agile Center of Excellence

    This blueprint will walk you through the steps needed to build the foundations for operational excellence within an Agile Center of Excellence.

    Phase 1 - Strategically Align the CoE

    Create strategic alignment between the CoE and the organization’s goals, objectives, and vision. This alignment translates into the CoE mandate intended to enhance the way Agile will enable teams to meet business objectives.

    Phase 2 - Standardize the CoEs Service Offerings

    Build an engagement plan based on a standardized adoption model to ensure your CoE service offerings are accessible and consistent across the organization. Create and consolidate key performance indicators to measure the CoEs utility and whether or not the expected value is being translated to tangible results.

    Phase 3 - Operate the CoE

    Operate the CoE to provide service offerings to Agile teams, identify improvements to optimize the function of your Agile teams, and effectively manage and communicate change so that teams can grow within the Agile adoption model and optimize value delivery both within your Agile environment and across functions.

    Info-Tech’s Practice Adoption Journey

    Use Info-Tech’s Practice Adoption Journey model to establish your ACE. Building social capital (stakeholders’ trust in your ability to deliver positive outcomes) incrementally is vital to ensure that everyone is aligned to new mindsets and culture as your Agile practices scale.

    Trust & Competency ↓

    DEFINE

    Begin to document your development workflow or value chain, implement a tracking system for KPIs, and start gathering metrics and reporting them transparently to the appropriate stakeholders.

    ITERATE

    Use collected metrics and retrospectives to stabilize team performance by reducing areas of variability in your workflow and increasing the consistency at which targets are met.

    COLLABORATE

    Use information to support changes and adopt appropriate practices to make incremental improvements to the existing environment.

    EMPOWER

    Drive behavioral and cultural changes that will empower teams to be accountable for their own success and learning.

    INNOVATE

    Use your built-up trust and support practice innovation, driving the definition and adoption of new practices.

    Align your ACE with your organization’s strategy

    This research set will assist you with aligning your ACEs services to the objectives of the business in order to justify the resources and funding required by your Agile program.

    Business Objectives → Alignment ←ACE Functions

    Business justification to continue to fund a Center of Excellence can be a challenge, especially with traditional thinking and rigid stakeholders. Hit the ground running and show value to your key influencers through business alignment and metrics that will ensure that the ACE is worth continuous investment.

    Alignment leads to competitive advantage

    The pace of change in customer expectations, competitive landscapes, and business strategy is continuously increasing. It is critical to develop a method to facilitate ongoing alignment to shifting business and development expectations seamlessly and ensure that your Agile teams are able to deliver expected business value.

    Use Info-Tech’s CoE Operating Model to define the service offerings of your ACE

    Understand where your inputs and outputs lie to create an accessible set of service offerings for your Agile teams.

    The image shows a graphic of the COE Operating Model, showing the inputs and outputs, including Other CoEs (at top); Stakeholder Needs (at left); Metrics and Feedback (at bottom); and ACE Functions and Services (at right)

    Continuously improve the ACE to ensure long-term viability

    Improvement involves the continuous evaluation of the performance of your teams, using well-defined metrics and reasonable benchmarks that are supplemented by analogies and root-cause analysis in retrospectives.

    Monitor

    Monitor your metrics to ensure desired benefits are being realized. The ACE is responsible for ensuring that expected Agile benefits are achievable and on track. Monitor against your defined baselines to create transparency and accountability for desired outcomes.

    Iterate

    Run retrospectives to drive improvements and fixes into Agile projects and processes. Metrics falling short of expectations must be diagnosed and their root causes found, and fixes need to be communicated and injected back into the larger organization.

    Define

    Define metrics and set targets that align with the goals of the ACE. These metrics represent the ACEs expected value to the organization and must be measured against on a regular basis to demonstrate value to your key stakeholders.

    Beware the common risks of implementing your ACE

    Culture clash between Agile teams and larger organization

    Agile leverages empowered teams, meritocracy, and broad collaboration for success, but typical organizations are siloed and hierarchical with top down decision making. There needs to be a plan to enable a smooth transition from the current state towards the Agile target state.

    Persistence of tribal knowledge

    Agile relies on easy and open knowledge sharing, but organizational knowledge can sit in siloes. Employees may also try to protect their expertise for job security. It is important to foster knowledge sharing to ensure that critical know-how is accessible and doesn’t leave the organization with the individual.

    Rigid management structures

    Rigidity in how managers operate (performance reviews, human resource management, etc.) can result in cultural rejection of Agile. People need to be assessed on how they enable their teams rather than as individual contributors. This can help ensure that they are given sufficient opportunities to succeed. More support and less strict governance is key.

    Breakdown due to distributed teams

    When face-to-face interactions are challenging, ensure that you invest in the right communication technologies and remove cultural and process impediments to facilitate organization-wide collaboration. Alternative approaches like using documentation or email will not provide the same experience and value as a face-to-face conversation.

    The State of Maine used an ACE to foster positive cultural change

    CASE STUDY

    Industry - Government

    Source - Cathy Novak, Agile Government Leadership

    The State of Maine’s Agile Center of Excellence

    “The Agile CoE in the State of Maine is completely focused on the discipline of the methodology. Every person who works with Agile, or wants to work with Agile, belongs to the CoE. Every member of the CoE tells the same story, approaches the methodology the same way, and uses the same tools. The CoE also functions as an Agile research lab, experimenting with different standards and tools.

    The usual tools of project management – mission, goals, roles, and a high-level definition of done – can be found in Maine’s Agile CoE. For story mapping, teams use sticky notes on a large wall or whiteboard. Demonstrating progress this way provides for positive team dynamics and a psychological bang. The State of Maine uses a project management framework that serves as its single source of truth. Everyone knows what’s going on at all times and understands the purpose of what they are doing. The Agile team is continually looking for components that can be reused across other agencies and programs.”

    Results:

    • Realized positive culture change, leading to more collaborative and supportive teams.
    • Increased visibility of Agile benefits across functional groups.
    • Standardized methodology across Agile teams and increased innovation and experimentation with new standards and tools.
    • Improved traceability of projects.
    • Increased visibility and ability to determine root causes of problems and right the course when outcomes are not meeting expectations.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Spread Best Practices With an Agile Center of Excellence – project overview

    1. Strategically align the Center of Excellence 2. Standardize the CoEs service offerings 3. Operate the Center of Excellence
    Best-Practice Toolkit

    1.1 Determine the vision of your ACE.

    1.2 Define the service offerings of your ACE.

    2.1 Define an adoption plan for your Agile teams.

    2.2 Create an ACE engagement plan.

    2.3 Define metrics to measure success.

    3.1 Optimize the success of your ACE.

    3.2 Plan change to enhance your Agile initiatives.

    3.3 Conduct ongoing retrospectives of your ACE.

    Guided Implementations
    • Align your ACE with the business.
    • Align your ACE with its users.
    • Dissect the key attributes of Agile adoption.
    • Form engagement plans for your Agile teams.
    • Discuss effective ACE metrics.
    • Conduct a baseline assessment of your Agile environment.
    • Interface ACE with your change management function.
    • Build a communications deck for key stakeholders.
    Onsite Workshop Module 1: Strategically align the ACE Module 2: Standardize the offerings of the ACE Module 3: Prepare for organizational change
    Phase 1 Outcome: Create strategic alignment between the CoE and organizational goals.

    Phase 2 Outcome: Build engagement plans and key performance indicators based on a standardized Agile adoption plan.

    Phase 3 Outcome: Operate the CoEs monitoring function, identify improvements, and manage the change needed to continuously improve.

    Workshop overview

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Workshop Module 1 Workshop Module 2 Workshop Module 3 Workshop Module 4
    Activities

    Determine vision of CoE

    1.1 Identify and prioritize organizational business objectives.

    1.2 Form use cases for the points of alignment between your ACE and business objectives.

    1.3 Prioritize your ACE stakeholders.

    Define service offerings of CoE

    2.1 Form a solution matrix to organize your pain points and opportunities.

    2.2 Refine your use cases to identify your ACE functions and services.

    2.3 Visualize your ACE functions and service offerings with a capability map.

    Define engagement plans

    3.1 Further categorize your use cases within the Agile adoption model.

    3.2 Create an engagement plan for each level of adoption.

    Define metrics and plan communications

    4.1 Define metrics that align with your Agile business objectives.

    4.2 Define target ACE performance metrics.

    4.3 Define Agile adoption metrics.

    4.4 Assess the interaction and communication points of your Agile team.

    4.5 Create a communication plan for change.

    Deliverables
    1. Prioritized business objectives
    2. Business-aligned use cases to form CoEs service offerings
    3. Prioritized list of stakeholders
    1. Classified pains and opportunities
    2. Refined use cases based on pains and opportunities identified during ACE requirements gathering
    3. ACE capability map
    1. Adoption-aligned service offerings
    2. Role-specific engagement plans
    1. Business objective-aligned metrics
    2. ACE performance metrics
    3. Agile adoption metrics
    4. Assessment of organization design
    5. ACE Communication Plan

    Phase 1

    Strategically Align the Center of Excellence

    Spread Best Practices With an Agile Center of Excellence

    Begin by strategically aligning your Center of Excellence

    The first step to creating a high-functioning ACE is to create alignment and consensus amongst your key stakeholders regarding its purpose. Engage in a set of activities to drill down into the organization’s goals and objectives in order to create a set of high-level use cases that will evolve into the service offerings of the ACE.

    Phase 1 - Strategically Align the CoE

    Create strategic alignment between the CoE and the organization’s goals, objectives, and vision. This alignment translates into the CoE mandate intended to enhance the way Agile will enable teams to meet business objectives.

    Phase 2 - Standardize the CoEs Service Offerings

    Build an engagement plan based on a standardized adoption model to ensure your CoE service offerings are accessible and consistent across the organization. Create and consolidate key performance indicators to measure the CoEs utility and whether or not the expected value is being translated to tangible results.

    Phase 3 - Operate the CoE

    Operate the CoE to provide service offerings to Agile teams, identify improvements to optimize the function of your Agile teams, and effectively manage and communicate change so that teams can grow within the Agile adoption model and optimize value delivery both within your Agile environment and across functions.

    Phase 1 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Strategically align the ACE

    Proposed Time to Completion (in weeks): 1

    Step 1.1: Determine the vision of your ACE

    Start with an analyst kick off call:

    • Align your ACE with the business.

    Then complete these activities…

    1.1.1 Optional: Baseline your ACE maturity.

    1.1.2 Identify and prioritize organizational business objectives.

    1.1.3 Form use cases for the points of alignment between your ACE and business objectives.

    1.1.4 Prioritize your ACE stakeholders.

    1.1.5 Select a centralized or decentralized model for your ACE.

    1.1.6 Staff your ACE strategically.

    Step 1.2: Define the service offerings of your ACE

    Start with an analyst kick off call:

    • Align your ACE with its users.

    Then complete these activities…

    1.2.1 Form the Center of Excellence.

    1.2.2 Gather and document your existing Agile practices for the CoE.

    1.2.3 Interview stakeholders to align ACE requirements with functional expectations.

    1.2.4 Form a solution matrix to organize your pain points and opportunities.

    1.2.5 Refine your use cases to identify your ACE functions and services.

    1.2.6 Visualize your ACE functions and service offerings with a capability map.

    Phase 1 Results & Insights:

    • Aligning your ACE with the functional expectations of its users is just as critical as aligning with the business. Invest the time to understand how the ACE fits at all levels of the organization to ensure its highest effectiveness.

    Phase 1, Step 1: Determine the vision of your ACE

    Phase 1

    1.1 Determine the vision of your ACE

    1.2 Define the service offerings of your ACE

    Phase 2

    2.1 Define an adoption plan for your Agile teams

    2.2 Create an ACE engagement plan

    2.3 Define metrics to measure success

    Phase 3

    3.1 Optimize the success of your ACE

    3.2 Plan change to enhance your Agile initiatives

    3.3 Conduct ongoing retrospectives of your ACE

    Activities:

    1.1.1 Optional: Baseline your ACE maturity.

    1.1.2 Identify and prioritize organizational business objectives.

    1.1.3 Form use cases for the points of alignment between your ACE and business objectives.

    1.1.4 Prioritize your ACE stakeholders.

    1.1.5 Select a centralized or decentralized model for your ACE.

    1.1.6 Staff your ACE strategically.

    Outcomes:

    • Gather your leadership to position the ACE and align it with business priorities.
    • Form a set of high-level use cases for services that will support the enablement of business priorities.
    • Map the stakeholders of the ACE to visualize expected influence and current support levels for your initiative.

    What does an ACE do? Six main functions derived from Info-Tech’s CLAIM+G Framework

    1. Learning
    • Provide training and development and enable engagement based on identified interaction points to foster organizational growth.
  • Tooling
    • Promote the use of standardized tooling to improve efficiency and consistency throughout the organization.
  • Supporting
    • Enable your Agile teams to access subject-matter expertise by facilitating knowledge transfer and documenting good practices.
  • Governing
    • Create operational boundaries for Agile teams, and monitor their progress and ability to meet business objectives within these boundaries.
  • Monitoring
    • Demonstrate the value the CoE is providing through effective metric setting and ongoing monitoring of Agile’s effectiveness.
  • Guiding
    • Provide guidance, methodology, and knowledge for teams to leverage to effectively meet organizational business objectives.
  • OPTIONAL: If you have an existing ACE, use Info-Tech’s CoE Maturity Diagnostic Tool to baseline current practices

    1.1.1 Existing CoE Maturity Assessment

    Purpose

    If you already have established an ACE, use Info-Tech’s CoE Maturity Diagnostic Tool to baseline its current maturity level (this will act as a baseline for comparison after you complete this Blueprint). Assessing your ACEs maturity lets you know where you currently are, and where to look for improvements.

    Steps

    1. Download the CoE Maturity Diagnostic Tool to assess the maturity of your ACE.
    2. Complete the assessment tool with all members of your ACE team to determine your current Maturity score.
    3. Document the results in the ACE Communications Deck.

    Document results in the ACE Communications Deck.

    INFO-TECH DELIVERABLE

    The image is a screen capture of the CoE Maturity Diagnostic Tool

    Download the CoE Maturity Diagnostic Tool.

    Get your Agile leadership together and position the ACE

    Stakeholder Role Why they are essential players
    CIO/ Head of IT Program sponsor: Champion and set the tone for the Agile program. Critical in gaining and maintaining buy-in and momentum for the spread of Agile service offerings. The head of IT has insight and influence to drive buy-in from executive stakeholders and ensure the long-term viability of the ACE.
    Applications Director Program executor: Responsible for the formation of the CoE and will ensure the viability of the initial CoE objectives, use cases, and service offerings. Having a coordinator who is responsible for collating performance data, tracking results, and building data-driven action plans is essential to ensuring continuous success.
    Agile Subject-Matter Experts Program contributor: Provide information on the viability of Agile practices and help build capabilities on existing best practices. Agile’s success relies on adoption. Leverage the insights of people who have implemented and evangelized Agile within your organization to build on top of a working foundation.
    Functional Group Experts Program contributor: Provide information on the functional group’s typical processes and how Agile can achieve expected benefits. Agile’s primary function is to drive value to the business – it needs to align with the expected capabilities of existing functional groups in order to enhance them for the better.

    Align your ACE with your organization’s strategy

    This research set will assist you with aligning your ACEs services to the objectives of the business in order to justify the resources and funding required by your Agile program.

    Business Objectives → Alignment ←ACE Functions

    Business justification to continue to fund a Center of Excellence can be a challenge, especially with traditional thinking and rigid stakeholders. Hit the ground running and show value to your key influencers through business alignment and metrics that will ensure that the ACE is worth continuous investment.

    Alignment leads to competitive advantage

    The pace of change in customer expectations, competitive landscapes, and business strategy is continuously increasing. It is critical to develop a method to facilitate ongoing alignment to shifting business and development expectations seamlessly and ensure that your Agile teams are able to deliver expected business value.

    Activity: Identify and prioritize organizational business objectives

    1.1.2 2 Hours

    Input

    • Organizational business objectives

    Output

    • Prioritized business objectives

    Materials

    • Whiteboard
    • Markers

    Participants

    • Agile leadership group
    1. List the primary high-level business objectives that your organization aims to achieve over the course of the following year (focusing on those that ACE can impact/support).
    2. Prioritize these business objectives while considering the following:
    • Criticality of completion: How critical is the initiative in enabling the business to achieve its goals?
    • Transformational impact: To what degree is the foundational structure of the business affected by the initiative (rationale: Agile can support impact on transformational issues)?
  • Document the hypothesized role of Agile in supporting these business objectives. Take the top three prioritized objectives forward for the establishment of your ACE. While in future years or iterations you can inject more offerings, it is important to target your service offerings to specific critical business objectives to gain buy-in for long-term viability of the CoE.
  • Sample Business Objectives:

    • Increase customer satisfaction.
    • Reduce time-to-market of product releases.
    • Foster a strong organizational culture.
    • Innovate new feature sets to differentiate product. Increase utilization rates of services.
    • Reduce product delivery costs.
    • Effectively integrate teams from a merger.
    • Offer more training programs for personal development.
    • Undergo a digital transformation.

    Understand potential hurdles when attempting to align with business objectives

    While there is tremendous pressure to align IT functions and the business due to the accelerating pace of change and technology innovation, you need to be aware that there are limitations in achieving this goal. Keep these challenges at the top of mind as you bring together your stakeholders to position the service offerings of your ACE. It is beneficial to make your stakeholders self-aware of these biases as well, so they come to the table with an open mind and are willing to find common ground.

    The search for total alignment

    There are a plethora of moving pieces within an organization and total alignment is not a plausible outcome.

    The aim of a group should not be to achieve total alignment, but rather reframe and consider ways to ensure that stakeholders are content with the ways they interact and that misalignment does not occur due to transparency or communication issues.

    “The business” implies unity

    While it may seem like the business is one unified body, the reality is that the business can include individuals or groups (CEO, CFO, IT, etc.) with conflicting priorities. While there are shared business goals, these entities may all have competing visions of how to achieve them. Alignment means compromise and agreement more than it means accommodating all competing views.

    Cost vs. reputation

    There is a political component to alignment, and sometimes individual aspirations can impede collective gain.

    While the business side may be concerned with cost, those on the IT side of things can be concerned with taking on career-defining projects to bolster their own credentials. This conflict can lead to serious breakdowns in alignment.

    Panera Bread used Agile to adapt to changing business needs

    CASE STUDY

    Industry Food Services

    Source Scott Ambler and Associates, Case Study

    Challenge

    Being in an industry with high competition, Panera Bread needed to improve its ability to quickly deliver desired features to end customers and adapt to changing business demands from high internal growth.

    Solution

    Panera Bread engaged in an Agile transformation through a mixture of Agile coaching and workshops, absorbing best practices from these engagements to drive Agile delivery frameworks across the enterprise.

    Results

    Adopting Agile delivery practices resulted in increased frequency of solution delivery, improving the relationship between IT and the business. Business satisfaction increased both with the development process and the outcomes from delivery.

    The transparency that was needed to achieve alignment to rapidly changing business needs resulted in improved communication and broad-scale reduced risk for the organization.

    "Agile delivery changed perception entirely by building a level of transparency and accountability into not just our software development projects, but also in our everyday working relationships with our business stakeholders. The credibility gains this has provided our IT team has been immeasurable and immediate."

    – Mike Nettles, VP IT Process and Architecture, Panera Bread

    Use Info-Tech’s CoE Operating Model to define the service offerings of your ACE

    Understand where your inputs and outputs lie to create an accessible set of service offerings for your Agile teams.

    Functional Input

    • Application Development
    • Project Management
    • CIO
    • Enterprise Architecture
    • Data Management
    • Security
    • Infrastructure & Operations
    • Who else?

    The image shows a graphic of the COE Operating Model, showing the inputs and outputs, including Other CoEs (at top); Stakeholder Needs (at left); Metrics and Feedback (at bottom); and ACE Functions and Services (at right)

    Input arrows represent functional group needs, feedback from Agile teams, and collaboration with other CoEs and CoPs

    Output arrows represent the services the CoE delivers and the benefits realized across the organization.

    ACE Operating Model: Governance & Metrics

    Governance & Metrics involves enabling success through the management of the ACEs resources and services, and ensuring that organizational structures evolve in concert with Agile growth and maturity. Your focus should be on governing, measuring, implementing, and empowering improvements.

    Effective governance will function to ensure the long-term effectiveness and viability of your ACE. Changes and improvements will happen continuously and you need a way to decide which to adopt as best practices.

    "Organizations have lengthy policies and procedures (e.g. code deployment, systems design, how requirements are gathered in a traditional setting) that need to be addressed when starting to implement an Agile Center of Excellence. Legacy ideas that end up having legacy policy are the ones that are going to create bottlenecks, waste resources, and disrupt your progress." – Doug Birgfeld, Senior Partner, Agile Wave

    Governance & Metrics

    • Manage organizational Agile standards, policies, and procedures.
    • Define organizational boundaries based on regulatory, compliance, and cultural requirements.
    • Ensure ongoing alignment of service offerings with business objectives.
    • Adapt organizational change management policies to reflect Agile practices.
    • CoE governance functions include:
      • Policy Management
      • Change Management
      • Risk Management
      • Stakeholder Management
      • Metrics/Feedback Monitoring

    ACE Operating Model: Services

    Services refers to the ability to deliver resourcing, guidance, and assistance across all Agile teams. By creating a set of shared services, you enable broad access to specialized resources, knowledge, and insights that will effectively scale to more teams and departments as Agile matures in your organization.

    A Services model:

    • Supports the organization by standardizing and centralizing service offerings, ensuring consistency of service delivery and accessibility across functional groups.
    • Provides a mechanism for efficient knowledge transfer and on-demand support.
    • Helps to drive productivity and project efficiencies through the organization by disseminating best practices.

    Services

    • Provide reference, support, and re-assurance to implement and adapt organizational best practices.
    • Interface relevant parties and facilitate knowledge transfer through shared learning and communities of practice.
    • Enable agreed-upon service levels through standardized support structures.
    • Shared services functions include:
      • Engagement Planning
      • Knowledge Management
      • Subject-Matter Expertise
      • Agile Team Evaluation

    ACE Operating Model: Technology

    Technology refers to a broad range of supporting tools to enable employees to complete their day-to-day tasks and effectively report on their outcomes. The key to technological support is to strike the right balance between flexibility and control based on your organization's internal and external constraints (policy, equipment, people, regulatory, etc.).

    "We sometimes forget the obvious truth that technology provides no value of its own; it is the application of technology to business opportunities that produces return on investment." – Robert McDowell, Author, In Search of Business Value

    Technology

    • Provide common software tools to enable alignment to organizational best practices.
    • Enable access to locally desired tools while considering organizational, technical, and scaling constraints.
    • Enable communication with a technical subject matter expert (SME).
    • Enable reporting consistency through training and maintenance of reporting mechanisms.
    • Technology functions can include:
      • Vendor Management
      • Application Support
      • Tooling Standards
      • Tooling Use Cases

    ACE Operating Model: Staff

    Staff is all about empowerment. The ACE should support and facilitate the sharing of ideas and knowledge sharing. Create processes and spaces where people are encouraged to come together, learn from, and share with each other. This setting will bring up new ideas to enhance productivity and efficiency in day-to-day activities while maintaining alignment with business objectives.

    "An Agile CoE is legitimized by its ability to create a space where people can come together, share, and learn from one another. By empowering teams to grow by themselves and then re-connect with each other you allow the creativity of your employees to flow back into the CoE." – Anonymous, Founder, Agile consultancy group

    Staff

    • Develop and provide training and day-to-day coaching that are aligned with organizational engagement and growth plans.
    • Include workflow change management to assist traditional roles with accommodating Agile practices.
    • Support the facilitation of knowledge transfer from localized Agile teams into other areas of the organization.
    • Achieve team buy-in and engagement with ACE services and capabilities. Provide a forum for collaboration and innovation.
    • People functions can include:
      • Onboarding
      • Coaching
      • Learning Facilitation

    Form use cases to align your ACE with business objectives

    What is a use case?

    A use case tells a story about how a system will be used to achieve a goal from the perspective of a user of that system. The people or other systems that interact with the use case are called “actors.” Use cases describe what a system must be able to do, not how it will do it.

    How does a use case play a role in building your ACE?

    Use cases are used to guide design by allowing you to highlight the intended function of a service provided by the Center of Excellence while maintaining a business focus. Jumping too quickly to a solution without fully understanding user and business needs leads to the loss of stakeholder buy-in and the Centers of Excellence rejection by teams.

    Hypothesized ACE user needs →Use Case←Business objective

    Activity: Form use cases for the points of alignment between your ACE and business objectives

    1.1.3 2 Hours

    Input

    • Prioritized business objectives
    • ACE functions

    Output

    • ACE use cases

    Materials

    • Whiteboard
    • Markers

    Participants

    • Agile leadership group
    1. Using your prioritized business objectives and the six functions of a CoE, create high-level use cases for each point of alignment that describe how the Center of Excellence will better facilitate the realization of that business objective.
    2. For each use case, define the following:
      • Name: Generalized title for the use case.
      • Description: A high-level description of the expected CoE action.
    AGILE CENTER OF EXCELLENCE FUNCTIONS:
    Guiding Learning Tooling Supporting Governing Monitoring
    BUSINESS OBJECTIVES Reduce time-to-market of product releases
    Reduce product delivery costs
    Effectively integrate teams from a merger

    Activity: Form use cases for the points of alignment between your ACE and business objectives (continued)

    1.1.3 2 Hours

    The image shows the Reduce time-to-market of product releases row from the table in the previous section, filled in with sample information.

    Your goal should be to keep these as high level and generally applicable as possible as they provide an initial framework to further develop your service offerings. Begin to talk about the ways in which the ACE can support the realization of your business objectives and what those interactions may look like to customers of the ACE.

    Involve all relevant stakeholders to discuss the organizational goals and objectives of your ACE

    Avoid the rifts in stakeholder representation by ensuring you involve the relevant parties. Without representation and buy-in from all interested parties, your ACE may omit and fail to meet long-term organizational goals.

    By ensuring every group receives representation, your service offerings will speak for the broad organization and in turn meet the needs of the organization as a whole.

    • Business Units: Any functional groups that will be expected to engage with the ACE in order to achieve their business objectives.
    • Team Leads: Representation from the internal Agile community who is aware of the backgrounds, capabilities, and environments of their respective Agile teams.
    • Executive Sponsors: Those expected to evangelize and set the tone and direction for the ACE within the executive ranks of the organization. These roles are critical in gaining buy-in and maintaining momentum for ACE initiatives.

    Organization

    • ACE
      • Executive Sponsors
      • Team Leads
      • Business Units

    Activity: Prioritize your ACE stakeholders

    1.1.4 1 Hour

    Input

    • Prioritized business objectives

    Output

    • Prioritized list of stakeholders

    Materials

    • Whiteboard
    • Markers

    Participants

    • Agile leadership group
    1. Using your prioritized business objectives, brainstorm, as a group, the potential list of stakeholders (representatives from business units, team leads, and executive sponsors) that would need to be involved in setting the tone and direction of your ACE.
    2. Evaluate each stakeholder in terms of power, involvement, impact, and support.
    • Power: How much influence does the stakeholder have? Enough to drive the CoE forward or into the ground?
    • Involvement: How interested is the stakeholder? How involved is the stakeholder in the project already?
    • Impact: To what degree will the stakeholder be impacted? Will this significantly change how they do their job?
    • Support: Is the stakeholder a supporter of the project? Neutral? A resister?
  • Map each stakeholder to an area on the power map on the next slide based on his or her level of power and involvement.
  • Vary the size of the circle to distinguish stakeholders that are highly impacted by the ACE from those who are not. Color each circle to show each stakeholder’s estimated or gauged level of support for the project.
  • Prioritize your ACE stakeholders (continued)

    1.1.4 1 Hour

    The image shows a matrix on the left, and a legend on the right. The matrix is labelled with Involvement at the bottom, and Power on the left side, and has the upper left quadrant labelled Keep Satisfied, the upper right quadrant labelled Key players, the lower right quadrant labelled Keep informed, and the lower left quadrant labelled Minimal effort.

    Should your ACE be Centralized or Decentralized?

    An ACE can be organized differently depending on your organization’s specific needs and culture.

    The SAFe Model:©

    “For smaller enterprises, a single centralized [ACE] can balance speed with economies of scale. However, in larger enterprises—typically those with more than 500 – 1,000 practitioners—it’s useful to consider employing either a decentralized model or a hub-and-spoke model.”

    The image shows 3 models: centralized, represented by a single large circle; decentralized, represented by 5 smaller circles; and hub-and-spoke, represented by a central circle, connected to 5 surrounding circles.

    © Scaled Agile, Inc.

    The Spotify Model:

    Spotify avoids using an ACE and instead spreads agile practices using Squads, Tribes, Chapters, Guilds, etc.

    It can be a challenging model to adopt because it is constantly changing, and must be fundamentally supported by your organization’s culture. (Linders, Ben. “Don't Copy the Spotify Model.” InfoQ.com. 6 Oct. 2016.)

    Detailed analysis of The Spotify Model is out of scope for this Blueprint.

    The image shows the Spotify model, with two sections, each labelled Tribe, and members from within each Tribe gathered together in a section labelled Guild.

    Activity: Select a Centralized or Decentralized ACE Model

    1.1.5 30 minutes

    Input

    • Prioritized business objectives
    • Use Cases
    • Organization qualities

    Output

    • Centralized or decentralized ACE model

    Materials

    • Whiteboard
    • Markers

    Participants

    • Agile leadership group
    1. Using your prioritized business objectives, your ACE use cases, your organization size, structure, and culture, brainstorm the relative pros and cons of a centralized vs decentralized ACE model.
    2. Consider this: to improve understanding and acceptance, ask participants who prefer a centralized model to brainstorm the pros and cons of a decentralized model, and vice-versa.
    3. Collectively decide whether your ACE should be centralized, decentralized or hub-and-spoke and document it.
    Centralized ACE Decentralized ACE
    Pros Cons Pros Cons
    Centralize Vs De-centralize Considerations Prioritized Business Objectives
    • Neutral (objectives don’t favor either model)
    • Neutral (objectives don’t favor either model)
    ACE Use Cases
    • Neutral (use cases don’t favor either model)
    • Neutral (use cases don’t favor either model)
    Organization Size
    • Org. is small enough for centralized ACE
    • Overkill for a small org. like ours
    Organization Structure
    • All development done in one location
    • Not all locations do development
    Organization Culture
    • All development done in one location
    • Decentralized ACE may have yield more buy-in

    SELECTED MODEL: Centralized ACE

    Activity: Staff your ACE strategically

    1.1.6 1 Hour

    Input

    • List of potential ACE staff

    Output

    • Rated list of ACE staff

    Materials

    • Whiteboard
    • Markers

    Participants

    • Agile leadership group
    1. Identify your list of potential ACE staff (this may be a combination of full time and contract staff).
    2. Add/modify/delete the rating criteria to meet your specific needs.
    3. Discuss and adjust the relative weightings of the rating criteria to best suit your organization’s needs.
    4. Rate each potential staff member and compare results to determine the best suited staff for your ACE.
    Candidate: Jane Doe
    Rating Criteria Criteria Weighting Candidate's Score (1-5)
    Candidate has strong theoretical knowledge of Agile. 8% 4
    Candidate has strong hands on experience with Agile. 18% 5
    Candidate has strong hands on experience with Agile. 10% 4
    Candidate is highly respected by the Agile teams. 18% 5
    Candidate is seen as a thought leader in the organization. 18% 5
    Candidate is seen as a change agent in the organization. 18% 5
    Candidate has strong desire to be member of ACE staff. 10% 3
    Total Weighted Score 4.6

    Phase 1, Step 2: Define the service offerings of your ACE

    Phase 1

    1.1 Determine the vision of your ACE

    1.2 Define the service offerings of your ACE

    Phase 2

    2.1 Define an adoption plan for your Agile teams

    2.2 Create an ACE engagement plan

    2.3 Define metrics to measure success

    Phase 3

    3.1 Optimize the success of your ACE

    3.2 Plan change to enhance your Agile initiatives

    3.3 Conduct ongoing retrospectives of your ACE

    Activities:

    1.2.1 Form the Center of Excellence.

    1.2.2 Gather and document your existing Agile practices for the CoE.

    1.2.3 Interview stakeholders to align ACE requirements with functional expectations.

    1.2.4 Form a solution matrix to organize your pain points and opportunities.

    1.2.5 Refine your use cases to identify your ACE functions and services.

    1.2.6 Visualize your ACE functions and service offerings with a capability map.

    Outcomes:

    • Collect data regarding the functional expectations of the Agile teams.
    • Refine your business-aligned use cases with your collected data to achieve both business and functional alignment.
    • Create a capability map that visualizes and prioritizes your key service offerings.

    Structure your ACE with representation from all of your key stakeholders

    Now that you have a prioritized list of stakeholders, use their influence to position the ACE to ensure maximum representation with minimal bottlenecks.

    By operating within a group of your key players, you can legitimize your Center of Excellence by propagating the needs and interests of those who interface and evangelize the CoE within the larger organization.

    The group of key stakeholders will extend the business alignment you achieved earlier by refining your service offerings to meet the needs of the ACEs customers. Multiple representations at the table will generate a wide arrangement of valuable insights and perspectives.

    Info-Tech Insight

    While holistic representation is necessary, ensure that the list is not too comprehensive and will not lead to progress roadblocks. The goal is to ensure that all factors relevant to the organization are represented; too many conflicting opinions may create an obstruction moving forward.

    ACE

    • Executive Sponsors
    • Team Leads
    • Business Units

    Determine how you will fund your ACE

    Choose the ACE funding model which is most aligned to your current system based on the scenarios provided below. Both models will offer the necessary support to ensure the success of your Agile program going forward.

    Funding Model Funding Scenario I Funding Scenario II
    Funded by the CIO Funded by the CIO office and a stated item within the general IT budget. Charged back to supported functional groups with all costs allocated to each functional group’s budget.
    Funded by the PMO Charged back to supported functional groups with all costs allocated to each functional group’s budget. Charged back to supported functional groups with all costs allocated to each functional group’s budget.

    Info-Tech Insight

    Your funding model may add additional key influencers into the mix. After you choose your funding model, ensure that you review your stakeholder map and add anyone who will have a direct impact in the viability and stability of your ACE.

    Determine how you will govern your ACE

    An Agile Center of Excellence is unique in the way you must govern the actions of its customers. Enable “flexible governance” to ensure that Agile teams have the ability to locally optimize and innovate while still operating within expected boundaries.

    ACE Governing Body

    ↑ Agile Team → ACE ← Agile Team ↑

    Who should take on the governance role?

    The governing body can be the existing executive or standing committees, or a newly formed committee involving your key ACE influencers and stakeholders.

    Flexible governance means that your ACE set boundaries based on your cultural, regulatory, and compliance requirements, and your governance group monitors your Agile teams’ adherence to these boundaries.

    Governing Body Responsibilities

    • Review and approve ACE strategy annually and ensure that it is aligned with current business strategy.
    • Provide detailed quality information for board members.
    • Ensure that the ACE is adequately resourced and that the organization has the capacity to deliver the service offerings.
    • Assure that the ACE is delivering benefits and achieving targets.
    • Assure that the record keeping and reporting systems are capable of providing the information needed to properly assess the quality of service.

    Modify your resourcing strategy based on organizational need

    Your Agile Center of Excellence can be organized either in a dedicated or a virtual configuration, depending on your company’s organizational structure and complexity.

    There is no right answer to how your Center of Excellence should be resourced. Consider your existing organizational structure and culture, the quality of relationships between functional groups, and the typical budgetary factors that would weigh on choosing between a virtual and dedicated CoE structure.

    COE Advantages Disadvantages
    Virtual
    • No change in organization structure required, just additional task delegation to your Agile manager or program manager.
    • Less effort and cost to implement.
    • Investment in quality is proportional to return.
    • Resources are shared between practice areas, and initiatives will take longer to implement.
    • Development and enhancement of best practices can become difficult without a centralized knowledge repository.
    Dedicated
    • Demonstrates a commitment to the ACEs long-term existence.
    • Allows for dedicated maintenance of best practices.
    • Clear lines of accountability for Agile processes.
    • Ability to develop highly skilled employees as their responsibilities are not shared.
    • Requires dedicated resources that can in turn be more costly.
    • Requires strong relationships with the functional groups that interface with the ACE.

    Staffing the ACE: Understand virtual versus dedicated ACE organizational models

    Virtual CoE

    The image shows an organizational chart titled Virtual CoE, with Head of IT at the top, then PMO and CoE Lead/Apps Director at the next level. The chart shows that there is crossover between the CoE Lead's reports, and the PMO's, indicated through dotted lines that connect them.

    • Responsibilities for CoE are split and distributed throughout departments on a part-time basis.
    • CoE members from the PMO report to apps director who also functions as the CoE lead on a part-time basis.

    The image shows a organizational chart titled Dedicated CoE, with all CoE members under the CoE.

    • Requires re-organization and dedicated full-time staff to run the CoE with clear lines of responsibility and accountability.
    • Hiring or developing highly skilled employees who have a sole function to facilitate and monitor quality best practices within the IT department may be necessary.

    Activity: Form the Center of Excellence

    1.2.1 1 Hour

    Input

    • N/A

    Output

    • ACE governance and resourcing plan

    Materials

    • Whiteboard

    Participants

    • Agile leadership group
    1. As a group, discuss if there is an existing body that would be able to govern the Center of Excellence. This body will monitor progress on an ongoing basis and assess any change requests that would impact the CoEs operation or goals.
    • List current governing bodies that are closely aligned with your current Agile environment and determine if the group could take on additional responsibilities.
    • Alternatively, identify individuals who could form a new ACE governing body.
  • Using the results of Exercise 1.1.6 in Step 1, select the individuals who will participate in the Center of Excellence. As a rough rule of thumb for sizing, an ACE staffed with 3-5 people can support 8-12 Agile Teams.
  • Document results in the ACE Communications Deck.

    Leverage your existing Agile practices and SMEs when establishing the ACE

    The synergy between Agile and CoE relies on its ability to build on existing best practices. Agile cannot grow without a solid foundation. ACE gives you the way to disseminate these practices and facilitate knowledge transfer from a centralized sharing environment. As part of defining your service offerings, engage with stakeholders across the organization to evaluate what is already documented so that it can be accommodated in the ACE.

    Documentation

    • Are there any existing templates that can be leveraged (e.g. resource planning, sprint planning)?
    • Are there any existing process documents that can be leveraged (e.g. SIPOC, program frameworks)?
    • Are there any existing standards documents the CoE can incorporate (e.g. policies, procedures, guidelines)?

    SMEs

    • Interview existing subject-matter experts that can give you an idea of your current pains and opportunities.
    • You already have feedback from those in your workshop group, so think about the rest of the organization:
      • Agile practitioners
      • Business stakeholders
      • Operations
      • Any other parties not represented in the workshop group

    Metrics

    • What are the current metrics being used to measure the success of Agile teams?
    • What metrics are currently being used to measure the completion of business objectives?
    • What tools or mediums are currently used for recording and communicating metrics?

    Info-Tech Insight

    When considering existing practices, it is important to evaluate the level of adherence to these practices. If they have been efficiently utilized, injecting them into ACE becomes an obvious decision. If they have been underutilized, however, it is important to understand why this occurred and discuss how you can drive higher adherence.

    Examples of existing documents to leverage

    People

    • Agile onboarding planning documents
    • Agile training documents
    • Organizational Agile manifesto
    • Team performance metrics dashboard
    • Stakeholder engagement and communication plan
    • Development team engagement plan
    • Organizational design and structure
    • Roles and responsibilities chart (i.e. RACI)
    • Compensation plan Resourcing plan

    Process

    • Tailored Scrum process
    • Requirements gathering process
    • Quality stage-gate checklist (including definitions of ready and done)
    • Business requirements document
    • Use case document
    • Business process diagrams
    • Entity relationship diagrams
    • Data flow diagrams
    • Solution or system architecture
    • Application documentation for deployment
    • Organizational and user change management plan
    • Disaster recovery and rollback process
    • Test case templates

    Technology

    • Code review policies and procedures
    • Systems design policies
    • Build, test, deploy, and rollback scripts
    • Coding guidelines
    • Data governance and management policies
    • Data definition and glossary
    • Request for proposals (RFPs)
    • Development tool standards and licensing agreements
    • Permission to development, testing, staging, and production environments
    • Application, system, and data integration policies

    Build upon the lessons learned from your Agile pilots

    The success of your Center of Excellence relies on the ability to build sound best practices within your organization’s context. Use your previous lessons learned and growing pains as shared knowledge of past Agile implementations within the ACE.

    Implement Agile Practices That Work

    Draw on the experiences of your initial pilot where you learned how to adapt the Agile manifesto and practices to your specific context. These lessons will help onboard new teams to Agile since they will likely experience some of the same challenges.

    Download

    Documents for review include:

    • Tailored Scrum Process
    • Agile Pilot Metrics
    • Info-Tech’s Agile Pilot Playbook

    Enable Organization-Wide Collaboration by Scaling Agile

    Draw on previous scaling Agile experiences to help understand how to interface, facilitate, and orchestrate cross-functional teams and stakeholders for large and complex projects. These lessons will help your ACE teams develop collaboration and problem-solving techniques involving roles with different priorities and lines of thinking.

    Download

    Documents for review include:

    • Agile Program Framework
    • Agile Pilot Program Metrics
    • Scaled Agile Development Process
    • Info-Tech’s Scaling Agile Playbook

    Activity: Gather and document your existing Agile practices for the CoE

    1.2.2 Variable time commitment based on current documentation state

    Input

    • Existing practices

    Output

    • Practices categorized within operating model

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • ACE team
    1. Compile a list of existing practices that will be shared by the Center of Excellence. Consider any documents, templates, or tools that are used regularly by Agile teams.
    2. Evaluate the level of adherence to use of the practices (whether the practice is complied with regularly or not) with a high, medium, or low. Low compliance will need a root-cause analysis to understand why and how to remedy the situation.
    3. Determine the best fit for each practice under the ACE operational model.
    Name Type Adherence Level CoE Best Fit Source
    1 Tailored Scrum process Process High Shared Services Internal Wiki
    2
    3

    Activity: Interview stakeholders to understand the ACE functional expectations

    1.2.3 30-60 Minutes per interview

    Interview Stakeholders (from both Agile teams and functional areas) on their needs from the ACE. Ensure you capture both pain points and opportunities. Capture these as either Common Agile needs or Functional needs. Document using the tables below:

    Common Agile Needs
    Common Agile Needs
    • Each Agile Team interprets Agile differently
    • Need common approach to Agile with a proven track record within the organization
    • Making sure all Team members have a good understanding of Agile
    • Common set of tool(s) with a proven track record, along with a strong understanding of how to use the tool(s) efficiently and effectively
    • Help troubleshooting process related questions
    • Assistance with addressing the individual short comings of each Agile Team
    • Determining what sort of help each Agile Team needs most
    • Better understanding of the role played by Scrum Master and associated good practices
    • When and how do security/privacy/regulatory requirements get incorporated into Agile projects
    Functional Needs Ent Arch Needs
    • How do we ensure Ent Arch has insight and influence on Agile software design
    • Better understanding of Agile process
    • How to measure compliance with reference architectures

    PMO Needs

    • Better understanding of Agile process
    • Understanding role of PM in Agile
    • Project status reports that determine current level of project risk
    • How does project governance apply on Agile projects
    • What deliverables/artifacts are produced by Agile projects and when are they completed

    Operations Needs

    • Alignment on approaches for doing releases
    • Impact of Agile on change management and support desk processes
    • How and when will installation and operation instructions be available in Agile

    Activity: Form a solution matrix to organize your pain points and opportunities

    1.2.4 Half day

    Input

    • Identified requirements

    Output

    • Classified pains and opportunities

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • ACE team
    1. Review the listed pain points from the data gathering process. Sort the pain points on sticky notes into technology, governance, people, and shared services.
    2. Consider opportunities under each defining element based on the identified business requirements.
    3. Document your findings.
    4. Discuss the results with the project team and prioritize the opportunities.
      • Where do the most pains occur?
      • What opportunities exist to alleviate pains?
    Governance Shared Services Technology People
    Pain Points
    Opportunities

    Document results in the ACE Communications Deck.

    Activity: Refine your use cases to identify your ACE functions and services

    1.2.5 1 Hour

    Input

    • Use cases from activity 1.1.2

    Output

    • Refined use cases based on data collection

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • ACE team
    1. Refine your initial use cases for the points of alignment between your ACE and business objectives using your classified pain points and opportunities.
    2. Add use cases to address newly realized pain points.
    3. Determine the functions and services the CoE can offer to address the identified requirements.
    4. Evaluate the outputs in the form of realized benefits and extracted inefficiencies.

    Possible ACE use cases:

    • Policy Management
    • Change Management
    • Risk Management
    • Stakeholder Management
    • Engagement Planning
    • Knowledge Management
    • Subject-Matter Expertise
    • Agile Team Evaluation
    • Operations Support
    • Onboarding
    • Coaching
    • Learning Facilitation
    • Communications Training
    • Vendor Management
    • Application Support
    • Tooling Standards

    Document results in the ACE Communications Deck.

    Activity: Visualize your ACE functions and service offerings with a capability map

    1.2.6 1 Hour

    Input

    • Use cases from activity 1.2.4

    Output

    • ACE capability map

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • ACE team
    1. Review the refined and categorized list of service offerings.
    2. Determine how these new capabilities will add, remove, or enhance your existing service and capabilities.
    3. Categorize the capabilities into the following groups:
    • Governance and Metrics
    • Services
    • Staff
    • Technology
  • Label the estimated impact of the service offering based on your business priorities for the year. This will guide your strategy for implementing your Agile Center of Excellence moving forward.
  • Document results in the ACE Communications Deck.

    Activity: Visualize your ACE functions and service offerings with a capability map (continued)

    Governance

    Policy Management (Medium Potential)

    Change Management (High Potential)

    Risk Management (High Potential)

    Stakeholder Management (High Potential)

    Metrics/Feedback Monitoring (High Potential)

    Shared Services

    Engagement Planning (High Potential)

    Knowledge Management (High Potential)

    Subject-Matter Expertise (High Potential)

    Agile Team Evaluation (High Potential)

    Operations Support (High Potential)

    People

    Onboarding (Medium Potential)

    Coaching (High Potential)

    Learning Facilitation (High Potential)

    Internal Certification Program (Low Potential)

    Communications Training (Medium Potential)

    Technology

    Vendor Management (Medium Potential)

    Application Support (Low Potential)

    Tooling Standards (High Potential)

    Checkpoint: Are you ready to standardize your CoEs service offerings?

    Phase 1

    1.1 Determine the vision of your ACE

    1.2 Define the service offerings of your ACE

    Phase 2

    2.1 Define an adoption plan for your Agile teams

    2.2 Create an ACE engagement plan

    2.3 Define metrics to measure success

    Self-Auditing Guidelines

    • Have you identified and prioritized the key business objectives for the upcoming year that the ACE will align with?
    • Do you have a high-level set of use cases for points of alignment between your ACE and business objectives?
    • Have you mapped your stakeholders and identified the key players that will have an influence over the future success of your ACE?
    • Have you identified how your organization will fund, resource, and govern the ACE?
    • Have you collected data to understand the functional expectations of the users the ACE is intended to serve?
    • Have you refined your use cases to align with both business objectives and functional expectations?

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    1.1.2 Identify and prioritize organizational business objectives

    Our analyst team will help you organize and prioritize your business objectives for the year in order to ensure that the service offerings the ACE offers are delivering consistent business value.

    1.1.3 Form use cases for the points of alignment between your ACE and business objectives

    Our analyst team will help you turn your prioritized business objectives into a set of high-level use cases that will provide the foundation for defining user-aligned services.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    1.1.4 Prioritize your ACE stakeholders

    Our analysts will walk you through an exercise of mapping and prioritizing your Centers of Excellence stakeholders based on impact and power within so you can ensure appropriate presentation of interests within the organization.

    1.2.4 Form a solution matrix to organize your pain points and opportunities

    Our analyst team will help you solidify the direction of your Center of Excellence by overlaying your identified needs, pain points, and potential opportunities in a matrix guided by Info-Tech’s CoE operating model.

    1.2.5 Refine your use cases to identify your ACE functions and services

    Our analyst team will help you further refine your business-aligned use cases with the functional expectations from your Agile teams and stakeholders, ensuring the ACEs long-term utility.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    1.2.6 Visualize your ACE functions and service offerings with a capability map

    Our analysts will walk you through creating your Agile Centers of Excellence capability map and help you to prioritize which service offerings are critical to the success of your Agile teams in meeting their objectives.

    Phase 2

    Standardize the Centers of Excellence Service Offerings

    Spread Best Practices With an Agile Center of Excellence

    The ACE needs to ensure consistency in service delivery

    Now that you have aligned the CoE to the business and functional expectations, you need to ensure its service offerings are consistently accessible. To effectively ensure accessibility and delegation of shared services in an efficient way, the CoE needs to have a consistent framework to deliver its services.

    Phase 1 - Strategically Align the CoE

    Create strategic alignment between the CoE and the organization’s goals, objectives, and vision. This alignment translates into the CoE mandate intended to enhance the way Agile will enable teams to meet business objectives.

    Phase 2 - Standardize the CoEs Service Offerings

    Build an engagement plan based on a standardized adoption model to ensure your CoE service offerings are accessible and consistent across the organization. Create and consolidate key performance indicators to measure the CoEs utility and whether or not the expected value is being translated to tangible results.

    Phase 3 - Operate the CoE

    Operate the CoE to provide service offerings to Agile teams, identify improvements to optimize the function of your Agile teams, and effectively manage and communicate change so that teams can grow within the Agile adoption model and optimize value delivery both within your Agile environment and across functions.

    Phase 2 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 2: Standardize the CoEs Service Offerings

    Proposed Time to Completion (in weeks): 2

    Step 2.1: Define an adoption plan for your Agile teams

    Start with an analyst kick off call:

    • Dissect the key attributes of Agile adoption.

    Then complete these activities…

    2.1.1 Further categorize your use cases within the Agile adoption model.

    Step 2.2: Create an ACE engagement plan

    Start with an analyst kick off call:

    • Form engagement plans for your Agile teams.

    Then complete these activities…

    2.2.1 Create an engagement plan for each level of adoption.

    Step 2.3: Define metrics to measure success

    Finalize phase deliverable:

    • Discuss effective ACE metrics.

    Then complete these activities…

    2.3.1 Collect existing team-level metrics.

    2.3.2 Define metrics that align with your Agile business objectives.

    2.3.3 Define target ACE performance metrics.

    2.3.4 Define Agile adoption metrics.

    2.3.5 Consolidate metrics for stakeholder impact.

    2.3.6 Use Info-Tech’s ACE Benefits Tracking Tool to monitor, evaluate, refine, and ensure continued business value.

    Phase 2 Results & Insights:

    • Standardizing your service offerings allows you to have direct influence on the dissemination of best practices.

    Phase 2, Step 1: Define an adoption plan for your Agile teams

    Phase 1

    1.1 Determine the vision of your ACE

    1.2 Define the service offerings of your ACE

    Phase 2

    2.1 Define an adoption plan for your Agile teams

    2.2 Create an ACE engagement plan

    2.3 Define metrics to measure success

    Phase 3

    3.1 Optimize the success of your ACE

    3.2 Plan change to enhance your Agile initiatives

    3.3 Conduct ongoing retrospectives of your ACE

    Activities:

    2.1.1 Further categorize your use cases within the Agile adoption model.

    Outcomes:

    • Refine your previously determined use cases within the Agile adoption model to ensure that teams can be assisted at any level of Agile adoption.
    • Understand the key attributes of Agile adoption and how they impact success.

    Understand the implementation challenges that the ACE may face

    Culture clash between ACE and larger organization

    It is important to carefully consider the compatibility between the current organizational culture and Agile moving forward. Agile compels empowered teams, meritocracy, and broad collaboration for success; while typical organizational structures are siloed and hierarchical and decisions are delegated from the top down.

    This is not to say that the culture of the ACE has to match the larger organizational culture; part of the overarching aim of the ACE is to evolve the current organizational culture for the better. The point is to ensure you enable a smooth transition with sufficient management support and a team of Agile champions.

    The changing role of middle management

    Very similar to the culture clash challenge, cultural rigidity in how middle managers operate (performance review, human resource management, etc.) can cause cultural rejection. They need to become enablers for high performance and give their teams the sufficient tools, skills, and opportunities to succeed and excel.

    What impedes Agile adoption?

    Based on a global survey of Agile practitioners (N=1,319)*:

    52% Organizational culture at odds with agile values

    44% Inadequate management support and sponsorship

    48% General organization resistance to change

    *Respondents were able to make multiple selections

    (13th Annual State of Agile Report, VersionOne, 2019)

    Build competency and trust through a structured Agile adoption plan

    The reality of cultural incompatibility between Agile and traditional organization structures necessitates a structured adoption plan. Systematically build competency so teams can consistently achieve project success and solidify trust in your teams’ ability to meet business needs with Agile.

    By incrementally gaining the trust of management as you build up your Agile capabilities, you enable a smooth cultural transition to an environment where teams are empowered, adapt quickly to changing needs, and are trusted to innovate and make successes out of their failures.

    Optimized value delivery occurs when there is a direct relationship between competency and trust. There will be unrealized value when competency or trust outweigh the other. That value loss increases as either dimension of adoption continues to grow faster than the other.

    The image shows a graph with Competency on the x-axis and Trust on the y-axis. There are 3 sections: Level 1, Level 2, and Level 3, in subsequently larger arches in the background of the graph. The graph shows two diagonal arrows, the bottom one labelled Current Value Delivery and the top one labelled Optimized Value Delivery. The space between the two arrows is labelled Value Loss.

    Use Info-Tech’s Practice Adoption Optimization Model to systematically increase your teams’ ability to deliver

    Using Info-Tech’s Practice adoption optimization model will ensure you incrementally build competency and trust to optimize your value delivery.

    Agile adoption at its core, is about building social capital. Your level of trust with key influencers increases as you continuously enhance your capabilities, enabling the necessary cultural changes away from traditional organizational structures.

    Trust & Competency ↓

    DEFINE

    Begin to document your development workflow or value chain, implement a tracking system for KPIs, and start gathering metrics and reporting them transparently to the appropriate stakeholders.

    ITERATE

    Use collected metrics and retrospectives to stabilize team performance by reducing areas of variability in your workflow and increasing the consistency at which targets are met.

    COLLABORATE

    Use information to support changes and adopt appropriate practices to make incremental improvements to the existing environment.

    EMPOWER

    Drive behavioral and cultural changes that will empower teams to be accountable for their own success and learning.

    INNOVATE

    Use your built-up trust and support practice innovation, driving the definition and adoption of new practices.

    Review these key attributes of Agile adoption

    Agile adoption is unique to every organization. Consider these key attributes within your own organizational context when thinking about levels of Agile adoption.

    Adoption Attributes

    Team Organization

    Considers the degree to which teams are able to self-organize based on internal organizational structures (hierarchy vs. meritocracy) and inter-team capabilities.

    Team Coordination

    Considers the degree to which teams can coordinate, both within and across functions.

    Business Alignment

    Considers the degree to which teams can understand and/or map to business objectives.

    Coaching

    Considers what kind of coaching/training is offered and how accessible the training is.

    Empowerment

    Considers the degree to which teams are able and capable to address project, process, and technical challenges without significant burden from process controls and bureaucracy.

    Failure Tolerance

    Considers the degree to which stakeholders are risk tolerant and if teams are capable of turning failures into learning outcomes.

    Why are these important?

    These key attributes function as qualities or characteristics that, when improved, will successively increase the degree to which the business trusts your Agile teams’ ability to meet their objectives.

    Systematically improving these attributes as you graduate levels of the adoption model allows the business to acclimatize to the increased capability the Agile team is offering, and the risk of culture clash with the larger organization decreases.

    Start to consider at what level of adoption each of your service offerings become useful. This will allow you to standardize the way your Agile teams interact with the CoE.

    Activity: Further categorize your use cases within the Agile adoption model

    2.1.1 1.5 Hours

    Input

    • List of service offerings

    Output

    • Service offerings categorized within adoption model

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • Team
    1. Gather the list of your categorized use cases.
    2. Based on Info-Tech’s Agile adoption model, categorize which use cases would be useful to help the Agile team graduate to the next level of adoption.
      • Conceptualize: Begin to document your workflow or value chain, implement a tracking system for KPIs, and gather metrics and report them transparently to the appropriate stakeholders.
      • Iterate: Use collected metrics to stabilize team performance by reducing areas of variability in your workflow and increasing the consistency at which targets are met.
      • Collaborate: Use information to drive changes and adopt appropriate Agile practices to make incremental improvements to the existing environment.
      • Empower: Drive behavioral and cultural changes that will empower teams to be accountable for their own successes given the appropriate resources.
      • Innovate: Use your built-up trust to begin to make calculated risks and innovate more, driving new best practices into the CoE.

    The same service offering could be offered at different levels of adoption. In these cases, you will need to re-visit the use case and differentiate how the service (if at all) will be delivered at different levels of adoption.

    1. Use this opportunity to brainstorm alternative or new use cases for any gaps identified. It is the CoEs goal to assist teams at every level of adoption to meet their business objectives. Use a different colored sticky note for these so you can re-visit and map out their inputs, outputs, metrics, etc.

    Activity: Further categorize your use cases within the Agile adoption model (continued)

    2.1.1 1.5 Hours

    Input

    • List of service offerings

    Output

    • Service offerings categorized within adoption model

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • Team

    Example:

    Service Offerings
    Level 5: Innovate
    Level 4: Empower
    Level 3: Collaborate Coaching -- Communications Training
    Level 2: Iterate Tooling Standards
    Level 1: Conceptualize

    Learning Facilitation

    Draw on the service offerings identified in activity 1.2.4

    Phase 2, Step 2: Create an ACE engagement plan

    Phase 1

    1.1 Determine the vision of your ACE

    1.2 Define the service offerings of your ACE

    Phase 2

    2.1 Define an adoption plan for your Agile teams

    2.2 Create an ACE engagement plan

    2.3 Define metrics to measure success

    Phase 3

    3.1 Optimize the success of your ACE

    3.2 Plan change to enhance your Agile initiatives

    3.3 Conduct ongoing retrospectives of your ACE

    Activities:

    2.2.1 Create an engagement plan for each level of adoption.

    Outcomes:

    • Understand the importance of aligning with the functional expectations of your ACE customers.
    • Understand the relationship between engagement and continuous improvement.
    • Create an engagement plan for each level of adoption to standardize the way customers interact with the ACE.

    Enable Agile teams to interface with ACE service offerings to meet their business objectives

    A Center of Excellence aligned with your service offerings is only valuable if your CoEs customers can effectively access those services. At this stage, you have invested in ensuring that your CoE aligns to your business objectives and that your service offerings align to its customers. Now you need to ensure that these services are accessible in the day-to-day operation of your Agile teams.

    Engagement Process → Service Offering

    Use backwards induction from your delivery method to the service offering. This is an effective method to determine the optimal engagement action for the CoE, as it considers the end customer as the driver for best action for every possible situation.

    Info-Tech Insight

    Your engagement process should be largely informed by your ACE users. Teams have constraints as well as in-the-trenches concerns and issues. If your service offerings don’t account for these, it can lead to rejection of the culture you are trying to inspire.

    Show the way, do not dictate

    Do not fix problems for your Agile teams, give them the tools and knowledge to fix the problems themselves.

    Facilitate learning to drive success

    A primary function of your ACE is to transfer knowledge to Agile teams to increase their capability to achieve desired outcomes.

    While this can take the form of coaching, training sessions, libraries, and wikis, a critical component of ACE is creating interactions where individuals from Agile teams can come together and share their knowledge.

    Ideas come from different experiences. By creating communities of practice (CoP) around topics that the ACE is tasked with supporting (e.g. Agile business analysts), you foster social learning and decrease the likelihood that change will result in some sort of cultural rejection.

    Consider whether creating CoPs would be beneficial in your organization’s context.

    "Communities of practice are a practical way to frame the task of managing knowledge. They provide a concrete organizational infrastructure for realizing the dream of a learning organization." – Etienne Wenger, Digital Habitats: Stewarding technology for communities

    A lack of top-down support will result in your ACE being underutilized

    Top-down support is critical to validate the CoE to its customers and ensure they feel compelled to engage with its services. Relevancy is a real concern for the long-term viability of a CoE and championing its use from a position of authority will legitimize its function and deter its fading from relevancy of day-to-day use for Agile teams.

    Although you are aligning your engagement processes to the customers of your Agile Center of Excellence, you still need your key influencers to champion its lasting organizational relevancy. Don’t let your employees think the ACE is just a coordinating body or a committee that is convenient but non-essential – make sure they know that it drives their own personal growth and makes everyone better as a collective.

    "Even if a CoE is positioned to meet a real organizational need, without some measure of top-down support, it faces an uphill battle to remain relevant and avoid becoming simply one more committee in the eyes of the wider organization. Support from the highest levels of the organization help fight the tendency of the larger organization to view the CoE as a committee with no teeth and tip the scales toward relevancy for the CoE." – Joe Shepley, VP and Practice Lead, Doculabs

    Info-Tech Insight

    Stimulate top-down support with internal certifications. This allows your employees to gain accreditation while at the same time encouraging top-down support and creating a compliance check for the continual delivery and acknowledgement of your evolving best practices.

    Ensure that best practices and lessons learned are injected back into the ACE

    For your employees to continuously improve, so must the Center of Excellence. Ensure the ACE has the appropriate mechanisms to absorb and disseminate best practices that emerge from knowledge transfer facilitation events.

    Facilitated Learning Session →Was the localized adaption well received by others in similar roles? →Document Localized Adaptation →Is there broad applicability and benefit to the proposed innovation? →CoE Absorbs as Best Practice

    Continuous improvement starts with the CoE

    While facilitating knowledge transfer is key, it is even more important that the Center of Excellence can take localized adaptations from Agile teams and standardize them as best practices when well received. If an individual were to leave without sharing their knowledge, the CoE and the larger organization will lose that knowledge and potential innovation opportunities.

    Experience matters

    To organically grow your ACE and be cost effective, you want your teams to continuously improve and to share that knowledge. As individual team members develop and climb the adoption model, they should participate as coaches and champions for less experienced groups so that their knowledge is reaching the widest audience possible.

    Case study: Agile learning at Spotify

    CASE STUDY

    Industry Digital Media

    Source Henrik Kniberg & Anders Ivarsson, 2012

    Methods of Agile learning at Spotify

    Spotify has continuously introduced innovative techniques to facilitate learning and ensure that that knowledge gets injected back into the organization. Some examples are the following:

    • Hack days: Self-organizing teams, referred to as squads, come together, try new ideas, and share them with their co-workers. This facilitates a way to stay up to date with new tools and techniques and land new product innovations.
    • Coaching: Every squad has access to an Agile coach to help inject best practices into their workflow – coaches run retrospectives, sprint planning meetings, facilitate one-on-one coaching, etc.
    • Tribes: Collections of squads that hold regular gatherings to show the rest of the tribe what they’ve been working on so others can learn from what they are doing.
    • Chapters: People with similar skills within a tribe come together to discuss their area of expertise and their specific challenges.
    • Guilds: A wide-reaching community of interest where members from different tribes can come together to share knowledge, tools, and codes, and practice (e.g. a tester guild, an Agile coaching guild).

    The image shows the Spotify model, with two sections, each labelled Tribe, and members from within each Tribe gathered together in a section labelled Guild.

    "As an example of guild work, we recently had a ‘Web Guild Unconference,’ an open space event where all web developers at Spotify gathered up in Stockholm to discuss challenges and solutions within their field."

    Activity: Create an engagement plan for each level of adoption

    2.2.1 30 Minutes per role

    Input

    • Categorized use cases

    Output

    • Role-based engagement plans

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • Team
    1. On the top bar, define the role you are developing the engagement plan for. This will give you the ability to standardize service delivery across all individuals in similar roles.
    2. Import your categorized service offerings for each level of adoption that you think are applicable to the given role.
    3. Using backwards induction, determine the engagement processes that will ensure that those service offerings are accessible and fit the day-to-day operations of the role.
    4. Fill in the template available on the next slide with each role’s engagement plan.

    Document results in the ACE Communications Deck.

    Example engagement plan: Developer

    2.2.1 30 Minutes per role

    Role: Developer
    Level 1 Level 2 Level 3 Level 4 Level 5
    Service Offering
    1. Onboarding
    2. Coaching
    3. Learning Facilitation
    1. Tooling Standards
    2. Learning Facilitation
    1. Communications Training
    2. Learning Facilitation
    1. Subject-Matter Expertise
    2. Coaching
    1. Knowledge Management
    Engagement Process
    1. Based on service request or need identified by dev. manager.
    2. Based on service request or need identified by dev. manager.
    3. Weekly mandatory community of practice meetings.
    1. When determined to have graduated to level 2, receive standard Agile tooling standards training.
    2. Weekly mandatory community of practice meetings.
    1. When determined to have graduated to level 3, receive standard Agile communications training.
    2. Weekly mandatory community of practice meetings
    1. Peer-based training on how to effectively self-organize.
    2. Based on service request or need identified by dev. manager.
    1. Review captured key learnings from last and have CoE review KPIs related to any area changed.

    Example engagement plan: Tester

    2.2.1 30 Minutes per role

    Role: Tester
    Level 1Level 2Level 3Level 4Level 5
    Service Offering
    1. Onboarding
    2. Coaching
    1. Product Training
    2. Communications Training
    1. Communications Training
    2. Learning Facilitation
    1. Subject-Matter Expertise
    2. Coaching
    1. Tooling Standards
    2. Training
    3. Coaching
    Engagement Process
    1. Based on service request or need identified by dev. manager.
    1. Weekly mandatory community of practice meetings.
    2. Provide training on effective methods for communicating with development teams based on organizational best practices.
    1. When determined to have graduated to level 3, receive standard training based on organizational testing best practices. Weekly mandatory community of practice meetings.
    1. Peer-to-peer training with level 5 certified coach.
    2. Based on service request or need identified by dev. manager. .
    1. Periodic updates of organizational tooling standards based on community of practice results.
    2. Automation training.
    3. Provide coaching to level 1 developers on a rotating basis to develop facilitation skills.

    Example engagement plan: Product Owner

    2.2.1 30 Minutes per role

    Role: Product Owner
    Level 1 Level 2 Level 3 Level 4 Level 5
    Service Offering
    1. Onboarding
    2. Coaching
    1. Coaching
    2. Learning Facilitation
    1. Coaching
    2. Communications Training
    3. Learning Facilitation
    1. Coaching
    2. Learning Facilitation
    1. Coaching
    2. Learning Facilitation
    Engagement Process
    1. Provide onboarding materials for Agile product owners.
    2. Provide bi-weekly reviews and subsequent guidance at the end of retrospective processes.
    1. Provide monthly reviews and subsequent guidance based on retrospective results.
    2. Bi-weekly mandatory community of practice meetings
    1. When determined to have graduated to level 3, receive standard training based on organizational testing best practices.
    2. Bi-weekly mandatory community of practice meetings.
    1. Provide monthly reviews and subsequent guidance based on retrospective results.
    2. Bi-weekly mandatory community of practice meetings
    1. Provide quarterly reviews and subsequent guidance based on retrospective results.
    2. Bi-weekly mandatory community of practice meetings

    Phase 2, Step 3: Define metrics to measure success

    Phase 1

    1.1 Determine the vision of your ACE

    1.2 Define the service offerings of your ACE

    Phase 2

    2.1 Define an adoption plan for your Agile teams

    2.2 Create an ACE engagement plan

    2.3 Define metrics to measure success

    Phase 3

    3.1 Optimize the success of your ACE

    3.2 Plan change to enhance your Agile initiatives

    3.3 Conduct ongoing retrospectives of your ACE

    Activities:

    2.3.1 Define existing team-level metrics.

    2.3.2 Define metrics that align with your Agile business objectives.

    2.3.3 Define target ACE performance metrics.

    2.3.4 Define Agile adoption metrics.

    2.3.5 Consolidate your metrics for stakeholder impact.

    2.3.6 Use Info-Tech’s ACE Benefits Tracking Tool to monitor, evaluate, refine, and ensure continued business value.

    Outcomes:

    • Understand the importance of aligning with the functional expectations of your ACE customers.
    • Understand the relationship between engagement and continuous improvement.
    • Create an engagement plan for each level of adoption to standardize the way customers interact with the ACE.

    Craft metrics that will measure the success of your Agile teams

    Quantify measures that demonstrate the effectiveness of your ACE by establishing distinct metrics for each of your service offerings. This will ensure that you have full transparency over the outputs of your CoE and that your service offerings maintain relevance and are utilized.

    Questions to Ask

    1. What are leading indicators of improvements that directly affect the mandate of the CoE?
    2. How do you measure process efficiency and effectiveness?

    Creating meaningful metrics

    Specific

    Measureable

    Achievable

    Realistic

    Time-bound

    Follow the SMART framework when developing metrics for each service offering.

    Adhering to this methodology is a key component of the lean management methodology. This framework will help you avoid establishing general metrics that aren’t relevant.

    "It’s not about telling people what they are doing wrong. It’s about constantly steering everyone on the team in the direction of success, and never letting any individual compromise the progress of the team toward success." – Mary Poppendieck, qtd. in “Questioning Servant Leadership”

    For important advice on how to avoid the many risks associated with metrics, refer to Info-Tech’s Select and Use SDLC Metrics Effectively.

    Ensure your metrics are addressing criteria from different levels of stakeholders and enterprise context

    There will be a degree of overlap between the metrics from your business objectives, service offerings, and existing Agile teams. This is a positive thing. If a metric can speak to multiple benefits it is that much more powerful in commuting successes to your key stakeholders.

    Existing metrics

    Business objective metrics

    Service offering metrics

    Agile adoption metrics

    Finding points of overlap means that you have multiple stakeholders with a vested interest in the positive trend of a specific metric. These consolidated metrics will be fundamental for your CoE as they will help build consensus through communicating the success of the ACE in a common language for a diverse audience.

    Activity: Define existing team-level metrics

    2.3.1 1 Hour

    Input

    • Current metrics

    Output

    • Service offerings categorized within adoption model

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • Team
    1. Gather any metrics related documentation that you collected during your requirements gathering in Phase 1.
    2. Collect team-level metrics for your existing Agile teams:
      • Examine outputs from any feedback mechanisms you have (satisfaction surveys, emails, existing SLAs, burndown charts, resourcing costs, licensing costs per sprint, etc.).
      • Look at historical trends and figures when available. Be careful of frequent anomalies as these may indicate a root cause that needs to be addressed.
      • Explore the definition of specific metrics across different functional teams to ensure consistency of measurement and reporting.
    Team Objective Expected Benefits Metrics
    Improve productivity
    • Improve transparency with business decisions
    • Team burndown and velocity
    • Number of releases per milestone
    Increase team morale and motivation
    • Teams are engaged and motivated to develop new opportunities to deliver more value quicker.
    • Team satisfaction with Agile environment
    • Degree of engagement in ceremonies
    Improve transparency with business decisions
    • Teams are engaged and motivated to develop new opportunities to deliver more value quicker.
    • Stakeholder satisfaction with completed product
    • Number of revisions to products in demonstrations

    Activity: Define metrics that align with your Agile business objectives

    2.3.2 1 Hour

    Input

    • Organizational business objectives from Phase 1

    Output

    • Metrics aligned to organizational business objectives

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • ACE
    1. List the business objectives that you determined in 1.1.2.
    2. Create a shortlist of expected benefits from those business objectives. These will help to drive metrics that align with the intended purpose of completing those business objectives, and affirm they are aligned to realizable benefits.
    3. Define metrics that speak to the benefits of your business objectives. While engaging in this process, ensure to document the collection method for each metrics.
    Business Objectives Expected Benefits Metrics
    Decrease time-to-market of product releases
    • Faster feedback from customers.
    • Increased customer satisfaction.
    • Competitive advantage.
    Decrease time-to-market of product releases
    • Alignment to organizational best practices.
    • Improved team productivity.
    • Greater collaboration across functional teams.
    • Policy and practice adherence and acknowledgement
    • Number of requests for ACE services
    • Number of suggestions to improve Agile best practices and ACE operations

    Activity: Define target ACE performance metrics

    2.3.3 1 Hour

    Input

    • Service offerings
    • Satisfaction surveys
    • Usage rates

    Output

    • CoE performance metrics

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • ACE
    1. Define metrics to measure the success of each of your service offerings.
    2. Create a shortlist of expected benefits from those business objectives. These will help to drive metrics that align with the intended purpose of those service offerings, and affirm they are aligned to realizable benefits.
    3. Define metrics that speak to the benefits of your service offerings.
    4. Compare these to your team performance metrics.
    Service Offering Expected Benefits Metrics
    Knowledge management
    • Comprehensive knowledgebase that accommodates various company products and office locations.
    • Easily accessible resources.
    • Number of practices extracted from ACE and utilized
    • Frequency of updates to knowledgebase
    Tooling standards
    • Tools adhere to company policies, security guidelines, and regulations.
    • Improved support of tools and technologies.
    • Tools integrate and function well with enterprise systems.
    • Number of teams and functional groups using standardized tools
    • Number of supported standardized tools
    • Number of new tools added to the standards list
    • Number of tools removed from standards list

    Activity: Define Agile adoption metrics

    2.3.4 1 Hour

    Input

    • Agile adoption model

    Output

    • Agile adoption metrics
    1. Define metrics to measure the success of each of your service offerings.
    2. Create a shortlist of expected benefits from those business objectives. These will help to drive metrics that align with the intended purpose of those service offerings, and affirm they are aligned to realizable benefits.
    3. Define metrics that speak to the benefits of your service offerings.
    4. It is possible that you will need to adjust these metrics after baselines are established when you begin to operate the ACE. Keep this in mind moving forward.
    Adoption attributes Expected Benefits Metrics
    Team organization
    • Acquisition of the appropriate roles and skills to successfully deliver products.
    • Degree of flexibility to adjust team compositions on a per project basis
    Team coordination
    • Ability to successfully undertake large and complex projects involving multiple functional groups.
    • Number of ceremonies involving teams across functional groups
    Business alignment
    • Increased delivery of business value from process optimizations.
    • Number of business-objective metrics surpassing targets
    Coaching
    • Teams are regularly trained with new and better best practices.
    • Number of coaching and training requests
    Empowerment
    • Teams can easily and quickly modify processes to improve productivity without following a formal, rigorous process.
    • Number of implemented changes from team retrospectives
    Failure tolerance
    • Stakeholders trust teams will adjust when failures occur during a project.
    • Degree of stakeholder trust to address project issues quickly and effectively

    Activity: Consolidate your metrics for stakeholder impact

    2.3.5 30 Minutes

    Input

    • New and existing Agile metrics

    Output

    • Consolidated Agile metrics

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • ACE
    1. Take all the metrics defined from the previous activities and compare them as a group.
    2. If there are overlapping metrics that are measuring similar outcomes or providing similar benefits, see if there is a way to merge them together so that a single metric can report outcomes to multiple stakeholders. This reduces the amount of resources invested in metrics gathering and helps to show consensus or alignment between multiple stakeholder interests.
    3. Compare these to your existing Agile metrics, and explore ways to consolidate existing metrics that are established with some of your new metrics. Established metrics are trusted and if they can be continued it can be viewed as beneficial from a consensus and consistency perspective to your stakeholders.

    Activity: Use Info-Tech’s ACE Benefits Tracking Tool to monitor, evaluate, refine, and ensure continued business value

    2.3.6 1 Hour

    Purpose

    The CoE governance team can use this tool to take ownership of the project’s benefits, track progress, and act on any necessary changes to address gaps. In the long term, it can be used to identify whether the team is ahead, on track, or lagging in terms of benefits realization.

    Steps

    1. Enter your identified metrics from the following activities into the ACE Benefits Tracking Tool.
    2. Input your baselines from your data collection (Phase 3) and a goal value for each metric.
    3. Document the results at key intervals as defined by the tool.
    4. Use the summary report to identify metrics that are not tracking well for root cause analysis and communicate with key stakeholders the outcomes of your Agile Center of Excellence based on your communication schedule from Phase 3, Step 3.

    INFO-TECH DELIVERABLE

    Download the ACE Benefits Tracking Tool.

    Checkpoint: Are you ready to operate your ACE?

    Phase 2

    2.1 Define an adoption plan for your Agile teams

    2.2 Create an ACE engagement plan

    2.3 Define metrics to measure success

    Phase 3

    3.1 Optimize the success of your ACE

    3.2 Plan change to enhance your Agile initiatives

    3.3 Conduct ongoing retrospectives of your ACE

    Self Auditing Guidelines

    • Have you categorized your ACE service offerings within Info-Tech’s Agile adoption model?
    • Have you formalized engagement plans to standardize the access to your service offerings?
    • Do you understand the function of learning events and their criticality to the function of the ACE?
    • Do you understand the key attributes of Agile adoption and how social capital leads to optimized value delivery?
    • Have you defined metrics for different goals (adoption, effective service offerings, business objectives) of the ACE?
    • Do your defined metrics align to the SMART framework?

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    2.1.1 Further categorize your use cases within the Agile adoption model

    Our analyst team will help you categorize the Centers of Excellence service offerings within Info-Tech’s Agile adoption model to help standardize the way your organization engages with the Center of Excellence.

    2.2.1 Create an engagement plan for each level of adoption

    Our analyst team will help you structure engagement plans for each role within your Agile environment to provide a standardized pathway to personal development and consistency in practice.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    2.3.2 Define metrics that align with your Agile business objectives

    Our analysts will walk you through defining a set of metrics that align with your Agile business objectives identified in Phase 1 of the blueprint so the CoEs monitoring function can ensure ongoing alignment during operation.

    2.3.3 Define target ACE performance metrics

    Our analysts will walk you through defining a set of metrics that monitors how successful the ACE has been at providing its services so that business and IT stakeholders can ensure the effectiveness of the ACE.

    2.3.4 Define Agile adoption metrics

    Our analyst team will help you through defining a set of metrics that aligns with your organization’s fit of the Agile adoption model in order to provide a mechanism to track the progress of Agile teams maturing in capability and organizational trust.

    Phase 3

    Operationalize Your Agile Center of Excellence

    Spread Best Practices With an Agile Center of Excellence

    Operate your ACE to drive optimized value from your Agile teams

    The final step is to engage in monitoring of your metrics program to identify areas for improvement. Using metrics as a driver for operating your ACE will allow you to identify and effectively manage needed change, as well as provide you with the data necessary to promote outcomes to your stakeholders to ensure the long-term viability of the ACE within your organization.

    Phase 1 - Strategically Align the CoE

    Create strategic alignment between the CoE and the organization’s goals, objectives, and vision. This alignment translates into the CoE mandate intended to enhance the way Agile will enable teams to meet business objectives.

    Phase 2 - Standardize the CoEs Service Offerings

    Build an engagement plan based on a standardized adoption model to ensure your CoE service offerings are accessible and consistent across the organization. Create and consolidate key performance indicators to measure the CoEs utility and whether or not the expected value is being translated to tangible results.

    Phase 3 - Operate the CoE

    Operate the CoE to provide service offerings to Agile teams, identify improvements to optimize the function of your Agile teams, and effectively manage and communicate change so that teams can grow within the Agile adoption model and optimize value delivery both within your Agile environment and across functions.

    Phase 3 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 3: Operate the CoE

    Proposed Time to Completion (in weeks): Variable depending on communication plan

    Step 3.1: Optimize the success of your ACE

    Start with an analyst kick off call:

    • Conduct a baseline assessment of your Agile environment.

    Then complete these activities…

    3.1.1 Use Info-Tech’s ACE Satisfaction Survey to help establish your baseline.

    3.1.2 Use Info-Tech’s CoE Maturity Diagnostic Tool to measure the maturity level of your ACE.

    3.1.3 Prioritize ACE actions by monitoring your metrics.

    Step 3.2: Plan change to enhance your Agile initiatives

    Start with an analyst kick off call:

    • Interface with the ACE with your change management function.

    Then complete these activities…

    3.2.1 Assess the interaction and communication points of your Agile teams.

    3.2.2 Determine the root cause of each metric falling short of expectations.

    3.2.3 Brainstorm solutions to identified issues.

    3.2.4 Review your metrics program.

    3.2.5 Create a communication plan for change.

    Step 3.3: Conduct ongoing retrospectives of your ACE

    Finalize phase deliverable:

    • Build a communications deck for key stakeholders.

    Then complete these activities…

    3.3.1 Use the outputs from your metrics tracking tool to communicate progress.

    3.3.2 Summarize adjustments in areas where the ACE fell short.

    3.3.3 Review the effectiveness of your service offerings.

    3.3.4 Evaluate your ACE Maturity.

    3.3.5 Use Info-Tech’s ACE Communications Deck to deliver your outcomes to the key stakeholders.

    Phase 3 Results & Insights:

    Inject improvements into your Agile environment with operational excellence. Plan changes and communicate them effectively, monitor outcomes on a regular basis, and keep stakeholders in the loop to ensure that their interests are being looked after to ensure long-term viability of the CoE.

    Phase 3, Step 1: Optimize the success of your ACE

    Phase 1

    1.1 Determine the vision of your ACE

    1.2 Define the service offerings of your ACE

    Phase 2

    2.1 Define an adoption plan for your Agile teams

    2.2 Create an ACE engagement plan

    2.3 Define metrics to measure success

    Phase 3

    3.1 Optimize the success of your ACE

    3.2 Plan change to enhance your Agile initiatives

    3.3 Conduct ongoing retrospectives of your ACE

    Tools:

    3.1.1 Use Info-Tech’s ACE Satisfaction Survey to help establish your baseline.

    3.1.2 Use Info-Tech’s CoE Maturity Diagnostic Tool to measure the maturity level of your ACE.

    3.1.3 Prioritize ACE actions by monitoring your metrics.

    Outcomes:

    • Conduct a baseline assessment of your ACE to measure against using a variety of data sources, including interviews, satisfaction surveys, and historical data.
    • Use the Benefits Tracking Tool to start monitoring the outcomes of the ACE and to keep track of trends.

    Ensure the CoE is able to collect the necessary data to measure success

    Establish your collection process to ensure that the CoE has the necessary resources to collect metrics and monitor progress, that there is alignment on what data sources are to be used when collecting data, and that you know which stakeholder is interested in the outcomes of that metric.

    Responsibility

    • Does the CoE have enough manpower to collect the metrics and monitor them?
    • If automated through technology, is it clear who is responsible for its function?

    Source of metric

    • Is the method of data collection standardized so that multiple people could collect the data in the same way?

    Impacted stakeholder

    • Do you know which stakeholder is interested in this metric?
    • How often should the interested stakeholder be informed of progress?

    Intended function

    • What is the expected benefit of increasing this metric?
    • What does the metric intend to communicate to the stakeholder?

    Conduct a baseline assessment of your ACE to measure success

    Establishing the baseline performance of the ACE allows you to have a reasonable understanding of the impact it is having on meeting business objectives. Use user satisfaction surveys, stakeholder interviews, and any current metrics to establish a concept of how you are performing now. Setting new metrics can be a difficult task so it is important to collect as much current data as possible. After the metrics have been established and monitored for a period of time, you can revisit the targets you have set to ensure they are realistic and usable.

    Without a baseline, you cannot effectively:

    • Establish reasonable target metrics that reflect the performance of your Center of Excellence.
    • Identify, diagnose, and resolve any data that deviates from expected outcomes.
    • Measure ongoing business satisfaction given the level of service.

    Info-Tech Insight

    Invest the needed time to baseline your activities. These data points are critical to diagnose successes and failures of the CoE moving forward, and you will need them to be able to refine your service offerings as business conditions or user expectations change. While it may seem like something you can breeze past, the investment is critical.

    Use a variety of sources to get the best picture of your current state; a combination of methods provides the richest insight

    Interviews

    What to do:

    • Conduct interviews (or focus groups) with key influencers and Agile team members.

    Benefits:

    • Data comes from key business decision makers.
    • Identify what is top of mind for your top-level stakeholders.
    • Ask follow-up questions for detail.

    Challenges:

    • This will only provide a very high-level view.
    • Interviewer biases may skew the results.

    Surveys

    What to do:

    • Distribute an Agile-specific stakeholder satisfaction survey. The survey should be specific to identify factors of your current environment.

    Benefits:

    • Every end user/business stakeholder will be able to provide feedback.
    • The survey will be simple to develop and distribute.

    Challenges:

    • Response rates can be low if stakeholders do not understand the value in their opinions.

    Historical Data

    What to do:

    • Collect and analyze existing Agile data such as past retrospectives, Agile team metrics, etc.

    Benefits:

    • Get a full overview of current service offerings, past issues, and current service delivery.
    • Allows you to get an objective view of what is really going on within your Agile teams.

    Challenges:

    • Requires a significant time investment and analytical skills to analyze the data and generate insights on business satisfaction and needs.

    Use Info-Tech’s ACE Satisfaction Survey to help establish your baseline

    3.1.1 Baseline satisfaction survey

    Purpose

    Conduct a user satisfaction survey prior to setting your baseline for your ACE. This will include high-level questions addressing your overall Agile environment and questions addressing teams’ current satisfaction with their processes and technology.

    Steps

    1. Modify the satisfaction survey template to suit your organization and the service offerings you have defined for the Agile Center of Excellence.
    2. Distribute the satisfaction survey to any users who are expected to interface with the ACE.
    3. Document the results and communicate them with the relevant key stakeholders.
    4. Combine these results with historical data points (if available) and stakeholder interviews to get a holistic picture of your current state.

    INFO-TECH DELIVERABLE

    Download the ACE Satisfaction Survey.

    Use Info-Tech’s CoE Maturity Diagnostic Tool to measure the maturity level of your ACE

    3.1.2 CoE maturity assessment

    Purpose

    Assessing your ACEs maturity lets you know where they currently are and what to track to get them to the next step. This will help ensure your ACE is following good practices and has the appropriate mechanisms in place to serve your stakeholders.

    Steps

    1. Download the CoE Maturity Diagnostic Tool to assess the maturity of your ACE.
    2. Complete the assessment tool with all members of your ACE team to determine your maturity score.
    3. Document the results and communicate them with the relevant key stakeholders.
    4. Combine these results with historical data points (if available) and stakeholder interviews to get a holistic picture of your ACE maturity level.

    Document results in the ACE Communications Deck.

    INFO-TECH DELIVERABLE

    Download the CoE Maturity Diagnostic Tool.

    Activity: Prioritize ACE actions by monitoring your metrics

    3.1.3 Variable time commitment

    Input

    • Metrics from ACE Benefits Tracking Tool

    Output

    • Prioritized actions for the ACE

    Materials

    • ACE Benefits Tracking Tool

    Participants

    • ACE team
    1. Review your ACE Benefits Tracking Tool periodically (at the end of sprint cycles, quarterly, etc.) and document metrics that are trending or actively falling short of goals or expectations.
    2. Take the documented list and have the ACE staff consider what actions or decisions can be prioritized to help mend the identified gaps. Look for any trends that could potentially speak to a larger problem or a specific aspect of the ACE or the organizational Agile environment that is not functioning as expected.
    3. Take the opportunity to review metrics that are also tracking above expected value to see if there are any lessons learned that can be extended to other ACE service offerings (e.g. effective engagement or communication strategies) so that the organization can start to learn what is effective and what is not based on their internal struggles and challenges. Spreading successes is just as important as identifying challenges in a CoE model.

    Phase 3, Step 2: Plan change to enhance your Agile initiatives

    Phase 1

    1.1 Determine the vision of your ACE

    1.2 Define the service offerings of your ACE

    Phase 2

    2.1 Define an adoption plan for your Agile teams

    2.2 Create an ACE engagement plan

    2.3 Define metrics to measure success

    Phase 3

    3.1 Optimize the success of your ACE

    3.2 Plan change to enhance your Agile initiatives

    3.3 Conduct ongoing retrospectives of your ACE

    Activities:

    3.2.1 Assess the interaction and communication points of your Agile teams.

    3.2.2 Determine the root cause of each metric falling short of expectations.

    3.2.3 Brainstorm solutions to identified issues

    3.2.4 Review your metrics program.

    3.2.5 Create a communication plan for change.

    Outcomes:

    • Understand how your existing change management process interfaces with the Center of Excellence.
    • Identify issues and ideate solutions to metrics falling short of expectations.
    • Create a communication plan to prepare groups for any necessary change.

    Manage the adaptation of teams as they adopt Agile capabilities

    As Agile spreads, be cognizant of your cultural tolerance to change and its ability to deliver on such change. Change will happen more frequently and continuously, and there may be conceptual (change tolerance) or capability (delivery tolerance) roadblocks along the way that will need to be addressed.

    The Agile adoption model will help to graduate both the tolerance to change and tolerance to deliver over time. As your level of competency to deliver change increases, organizational tolerance to change, especially amongst management, will increase as well. Remember that optimized value delivery comes from this careful balance of aptitude and trust.

    Tolerance to change

    Tolerance to change refers to the conceptual capacity of your people to consume and adopt change. Change tolerance may become a barrier to success because teams might be too engrained with current structures and processes and find any changes too disruptive and uncomfortable.

    Tolerance to deliver

    Tolerance to deliver refers to the capability to deliver on expected change. While teams may be tolerant, they may not have the necessary capacity, skills, or resources to deliver the necessary changes successfully. The ACE can help solve this problem with training and coaching, or possibly by obtaining outside help where necessary.

    Understand how the ACE interfaces with your current change management process

    As the ACE absorbs best practices and identifies areas for improvement, a change management process should be established to address the implementation and sustainability of change without introducing significant disruptions and costs.

    To manage a continuously changing environment, your ACE will need to align and coordinate with organizational change management processes. This process should be capable of evaluating and incorporating multiple change initiatives continuously.

    Desired changes will need to be validated, and localized adaptations will need to be disseminated to the larger organization, and current state policy and procedures will need to be amended as the adoption of Agile spreads and capabilities increase.

    The goal here is to have the ACE governance group identify and interface with parties relevant to successfully implementing any specific change.

    INFO-TECH RELATED RESEARCH:

    Strategy and Leadership: Optimize Change Management

    Optimize your stakeholder management process to identify, prioritize, and effectively manage key stakeholders.

    Where should your Agile change requests come from?

    Changes to the services, structure, or engagement model of your ACE can be triggered from various sources in your organization. You will see that proposed changes may be requested with the best intentions; however, the potential impacts they may have to other areas of the organization can be significant. Consult all sources of ACE change requests to obtain a consensus that your change requests will not deteriorate the ACEs performance and use.

    ACE Governance

    • Sources of ACE Change Requests
      • ACE Policies/Stakeholders
        • Triggers for Change:
          • Changes in business and functional group objectives.
          • Dependencies and legacy policies and procedures.
      • ACE Customers
        • Triggers for Change:
          • Retrospectives and post-mortems.
          • Poor fit of best practices to projects.
      • Metrics
        • Triggers for Change:
          • Performance falling short of expectations.
          • Lack of alignment with changing objectives.
      • Tools and Technologies
        • Triggers for Change:
          • New or enhanced tools and technologies.
          • Changes in development and technology standards.

    Note: Each source of ACE change requests may require a different change management process to evaluate and implement the change.

    Activity: Assess the interaction and communication points of your Agile teams

    3.2.1 1.5 Hours

    Input

    • Understanding of team and organization structure

    Output

    • Current assessment of organizational design

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • Development team
    1. Identify everyone who is directly or indirectly involved in projects completed by Agile teams. This can include those that are:
    • Informed of a project’s progress.
    • Expected to interface with the Agile team for solution delivery (e.g. DevOps).
    • Impacted by the success of the delivered solutions.
    • Responsible for the removal of impediments faced by the Agile team.
  • Indicate how each role interacts with the others and how frequently these interactions occur for a typical project. Do this by drawing a diagram on a whiteboard using labelled arrows to indicate types and frequency of interactions.
  • Identify the possible communication, collaboration, and alignment challenges the team will face when working with other groups.
  • Agile Team n
    Group Type of Interaction Potential challenges
    Operations
    • Release management
    • Past challenges transitioning to DevOps.
    • Communication barrier as an impediment.
    PMO
    • Planning
    • Product owner not located with team in organization.
    • PMO still primarily waterfall; need Agile training/coaching

    Activity: Determine the root cause of each metric falling short of expectations

    3.2.2 30 Minutes per metric

    Input

    • Metrics from Benefits Tracking Tool

    Output

    • Root causes to issues

    Materials

    • Whiteboard
    • Markers

    Participants

    • ACE team
    1. Take each metric from the ACE Benefits Tracking Tool that is lagging behind or has missed expectations and conduct an analysis of why it is performing that way.
    2. Conduct individual webbing sessions to clarify the issues. The goal is to drive out the reasons why these issues are present or why scaling Agile may introduce additional challenges.
    3. Share and discuss these findings with the entire team.

    Example:

    • Lack of best-practice documentation
      • Why?
        • Knowledge siloed within teams
        • No centralized repository for best practices
          • Why?
            • No mechanisms to share between teams
              • Why? Root causes
                • Teams are not sharing localized adaptations
                • CoE is not effectively monitoring team communications
            • Access issues at team level to wiki
              • Why? Root causes
                • Administration issues with best-practice wiki
                • Lack of ACE visibility into wiki access

    Activity: Brainstorm solutions to identified issues

    3.2.3 30 Minutes per metric

    Input

    • Root causes of issues

    Output

    • Fixes and solutions to scaling Agile issues

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • Development team
    1. Using the results from your root-cause analysis, brainstorm potential solutions to the identified problems. Frame your brainstorming within the following perspectives: people, process, and technology. Map these solutions using the matrix below.
    2. Synthesize your ideas to create a consolidated list of initiatives.
      1. Highlight the solutions that can address multiple issues.
      2. Collaborate on how solutions can be consolidated into a single initiative.
    3. Write your synthesized solutions on sticky notes.
    SOLUTION CATEGORY
    People Process Technology
    ISSUES Poor face-to-face communication
    Lack of best-practice documentation

    Engage those teams affected by change early to ensure they are prepared

    Strategically managing change is an essential component to ensure that the ACE achieves its desired function. If the change that comes with adopting Agile best practices is going to impact other functions and change their expected workflows, ensure they are well prepared and the benefits for said changes are clearly communicated to them.

    Necessary change may be identified proactively (dependency assessments, system integrity, SME indicates need, etc.) or reactively (through retrospectives, discussions, completing root-cause analyses, etc.), but both types need to be handled the same way – through proper planning and communication with the affected parties.

    Plan any necessary change

    Understand the points where other groups will be affected by the adoption of Agile practices and recognize the potential challenges they may face. Plan changes to accommodate interactions between these groups without roadblocks or impediments.

    Communicate the change

    Structure a communication plan based on your identified challenges and proposed changes so that groups are well prepared to make the necessary adjustments to accommodate Agile workflows.

    Review and modify your metrics and baselines to ensure they are achievable in changing environments

    Consider the possible limitations that will exist from environmental complexities when measuring your Agile teams. Dependencies and legacy policies and procedures that pose a bottleneck to desired outcomes will need to be changed before teams can be measured justifiably. Take the time to ensure the metrics you crafted earlier are plausible in your current environment and there is not a need for transitional metrics.

    Are your metrics achievable?

    Specific

    Measureable

    Achievable

    • Adopting Agile is a journey, not just a destination. Ensure that the metrics a team is measured against reflect expectations for the team’s current level of Agile adoption and consider external dependencies that may limit their ability to achieve intended results.

    Realistic

    Time-bound

    Info-Tech Insight

    Use metrics as diagnostics, not as motivation. Teams will find ways to meet metrics they are measured by making sacrifices and taking unneeded risk to do so. To avoid dysfunction in your monitoring, use metrics as analytical tools to inform decision making, not as a yardstick for judgement.

    Activity: Review your metrics program

    3.2.4 Variable time commitment

    Input

    • Identified gaps
    • Agile team interaction points

    Output

    • ACE baselines
    • Past measurements

    Materials

    • ACE Benefits Tracking Tool

    Participants

    • ACE
    1. Now that you have identified gaps in your current state, see if those will have any impact on the achievability of your current metrics program.
    2. Review your root-cause analyses and brainstormed solutions, and hypothesize whether or not they will have any downstream impact to goal attainment. It is possible that there is no impact, but as cross-functional collaboration increases, the likelihood that groups will act as bottlenecks or impediments to expected performance will increase.
    3. Consider how any changes will impact the interaction points between teams based on the results from activity 3.2.1: Assess the interaction and communication points of your Agile teams. If there are too many negative impacts it may be a sign to re-consider the hypothesized solution to the problem and consider alternatives.
    4. In any cases where a metric has been altered, adjust its goal measurement to reflect its changes in the ACE Benefits Tracking Tool.

    Case study: Agile change at the GSA

    CASE STUDY

    Industry Government

    Source Navin Vembar, Agile Government Leadership

    Challenge

    The GSA is tasked with completed management of the Integrated Award Environment (IAE).

    • The IAE manages ten federal information technology systems that enable registering, searching, and applying for federal awards, as well as tracking them.
    • The IAE also manages the Federal Service Desk.

    The IAE staff had to find a way to break down the problem of modernization into manageable chunks that would demonstrate progress, but also had to be sure to capture a wide variety of user needs with the ability to respond to those needs throughout development.

    Had to work out the logistics of executing Agile change within the GSA, an agency that relies heavily on telework. In the case of modernization, they had a product owner in Florida while the development team was spread across the metro Washington, DC area.

    Solution

    Agile provided the ability to build incremental successes that allowed teams successful releases and built enthusiasm around the potential of adopting Agile practices offered.

    • GSA put in place an organization framework that allowed for planning of change at the portfolio level to enable the change necessary to allow for teams to execute tasks at the project level.
    • A four-year plan with incremental integration points allowed for larger changes on a quarterly basis while maintaining a bi-weekly sprint cycle.
    • They adopted IBM’s RTC tool for a Scrum board and on Adobe Connect for daily Scrum sessions to ensure transparency and effectiveness of outcomes across their collocated teams.

    Create a clear, concise communication plan

    Communication is key to avoid surprises and lost productivity created by the implementation of changes.

    User groups and the business need to be given sufficient notice of an impending change. Be concise, be comprehensive, and ensure that the message is reaching the right audience so that no one is blindsided and unable to deliver what is needed. This will allow them to make appropriate plans to accept the change, minimizing the impact of the change on productivity.

    Key Aspects of a Communication Plan

    • The method of communication (email, meetings, workshops, etc.).
    • The delivery strategy (who will deliver the message?).
    • The communication responsibility structure.
    • The communication frequency.
    • A feedback mechanism that allows you to review the effectiveness of your plan.
    • The message that you need to present.

    Communicating change

    • What is the change?
    • Why are we doing it?
    • How are we going to go about it?
    • What are we trying to achieve?
    • How often will we be updated?

    (Cornelius & Associates, The Qualities of Leadership: Leading Change)

    Apply the following principles to enhance the clarity of your message

    1. Be Consistent
    • "This is important because..."
      • The core message must be consistent regardless of audience, channel, or medium.
      • Test your communication and obtain feedback before delivering your message.
      • A lack of consistency can be perceived as deception.
  • Be Clear
    • "This means..."
      • Say what you mean and mean what you say.
      • Choice of language is important.
      • Don’t use jargon.
  • Be Relevant
    • "This affects you because..."
      • Talk about what matters to the audience.
      • Talk about what matters to the change initiative.
      • Tailor the details of the message to each audience’s specific concerns.
      • Communicate truthfully; do not make false promises or hide bad news.
  • Be Concise
    • "In summary..."
      • Keep communication short and to the point so key messages are not lost in the noise.
  • Activity: Create a communication plan for change

    3.2.5 1.5 Hours

    Input

    • Desired messages
    • Stakeholder list

    Output

    • Communication plan

    Materials

    • Whiteboard
    • Markers

    Participants

    • CoE
    1. Define the audience(s) for your communications. Consider who needs to be the audience of your different communication events and how it will impact them.
    2. Identify who the messenger will be to deliver the message.
    3. Identify your communication methods. Decide on the methods you will use to deliver each communication event. Your delivery method may vary depending on the audience it is targeting.
    4. Establish a timeline for communication releases. Set dates for your communication events. This can be recurring (weekly, monthly, etc.) or one-time events.
    5. Determine what the content of the message must include. Use the guidelines on the following slide to ensure the message is concise and impactful.

    Note: It is important to establish a feedback mechanism to ensure that the communication has been effective in communicating the change to the intended audiences. This can be incorporated into your ACE satisfaction surveys.

    Audience Messenger Format Timing Message
    Operations Development team Email
    • Monthly (major release)
    • Ad hoc (minor release and fixes)
    Build ready for release
    Key stakeholders CIO Meeting
    • Monthly unless dictated otherwise
    Updates on outcomes from past two sprint cycles

    Phase 3, Step 3: Conduct ongoing retrospectives of your ACE

    Phase 1

    1.1 Determine the vision of your ACE

    1.2 Define the service offerings of your ACE

    Phase 2

    2.1 Define an adoption plan for your Agile teams

    2.2 Create an ACE engagement plan

    2.3 Define metrics to measure success

    Phase 3

    3.1 Optimize the success of your ACE

    3.2 Plan change to enhance your Agile initiatives

    3.3 Conduct ongoing retrospectives of your ACE

    Activities/Tools:

    3.3.1 Use the outputs from your metrics tracking tool to communicate progress.

    3.3.2 Summarize adjustments in areas where the ACE fell short.

    3.3.3 Re-conduct satisfaction surveys and compare against your baseline.

    3.3.4 Use Info-Tech’s CoE Maturity Diagnostic Tool to baseline current practices

    3.3.5 Use Info-Tech’s ACE Communications Deck to deliver your outcomes to the key stakeholders.

    Outcomes:

    • Conduct a retrospective of your ACE to enable the continuous improvement of your Agile program.
    • Structure a communications deck to communicate with stakeholders the outcomes from introducing the ACE to the organization.

    Reflect on your ACEs performance to lead the way to enterprise agility

    After functioning for a period of time, it is imperative to review the function of your ACE to ensure its continual alignment and see in what ways it can improve.

    At the end of the year, take the time to deliberately review and discuss:

    1. The effectiveness and use of your ACEs service offerings.
    2. What went well or wrong during the ACEs operation.
    3. What can be done differently to improve reach, usability, and effectiveness.
    4. Bring together Agile teams and discuss the processes they follow and inquire about suggestions for improvement.

    What is involved?

    • Use your metrics program to diagnose areas of issue and success. The diagnostic value of your metrics can help lead conversations with your Agile teams when attempting to inquire about suggestions for improvement.
    • Leverage your satisfaction surveys from the creation of your ACE and compare them against satisfaction surveys run after a year of operation. What are the lessons learned between then and now?
    • While it is primarily conducted by the ACE team, keep in mind it is a collaborative function and should involve all members, including Agile teams, product owners, Scrum masters, etc.

    Communicating with your key influencers is vital to ensure long-term operation of the ACE

    To ensure the long-term viability of your ACE and that your key influencers will continue funding, you need to demonstrate the ROI the Center of Excellence has provided.

    The overlying purpose of your ACE is to effectively align your Agile teams with corporate objectives. This means that there have to be communicable benefits that point to the effort and resources invested being valuable to the organization. Re-visit your prioritized stakeholder list and get ready to show them the impact the ACE has had on business outcomes.

    Communication with stakeholders is the primary method of building and developing a lasting relationship. Correct messaging can build bridges and tear down barriers, as well as soften opposition and bolster support.

    This section will help you to prepare an effective communication piece that summarizes the metrics stakeholders are interested in, as well as some success stories or benefits that are not communicable through metrics to provide extra context to ongoing successes of the ACE.

    INFO-TECH RELATED RESEARCH:

    Strategy and Leadership: Manage Stakeholder Relations

    Optimize your stakeholder management process to identify, prioritize, and effectively manage key stakeholders.

    Involve key stakeholders in your retrospectives to justify the funding for your ACE

    Those who fund the ACE have a large influence on the long-term success of your ACE. If you have not yet involved your stakeholders, you need to re-visit your organizational funding model for the ACE and ensure that your key stakeholders include the key decision makers for your funding. While they may have varying levels of interest and desires for granularity of data reporting, they need to at least be informed on a high level and kept as champions of the ACE so that there are no roadblocks to the long-term viability of this program.

    Keep this in mind as the ACE begins to demonstrate success, as it is not uncommon to have additional members added to your funding model as your service scales, especially in the chargeback models.

    As new key influencers are included, the ACEs governing group must ensure that collective interests may align and that more priorities don’t lead to derailment.

    The image shows a matrix. The matrix is labelled with Involvement at the bottom, and Power on the left side, and has the upper left quadrant labelled Keep Satisfied, the upper right quadrant labelled Key players, the lower right quadrant labelled Keep informed, and the lower left quadrant labelled Minimal effort. In the matric, there are several roles shown, with roles such as CFO, Apps Director, Funding Group, and CIO highlighted in the Key players section.

    Use the outputs from your metrics tracking tool to communicate progress

    3.3.1 1 Hour

    Use the ACE Benefits Tracking Tool to track the progress of your Agile environment to monitor whether or not the ACE is having a positive impact on the business’ ability to meet its objectives. The outputs will allow you to communicate incremental benefits that have been realized and point towards positive trends that will ensure the long-term buy-in of your key influencers.

    For communication purposes, use this tool to:

    • Re-visit who the impacted or interested stakeholders are so you can tailor your communications to be as impactful as possible for each key influencer of the ACE.

    The image shows a screen capture of the Agile CoE Metrics Tracking sheet.

    • Collate the benefits of the current projects undertaken by the Center of Excellence to give an overall recap of the ACEs impact.

    The image is a screen capture of the Summary Report sheet.

    Communicate where the ACE fell short

    Part of communicating the effectiveness of your ACE is to demonstrate that it is able to remedy projects and processes when they fall short of expectations and brainstorm solutions that effectively address these challenges. Take the opportunity to summarize where results were not as expected, and the ways in which the ACE used its influence or services to drive a positive outcome from a problem diagnosis. Stakeholders do not want a sugar-coated story – they want to see tangible results based on real scenarios.

    Summarizing failures will demonstrate to key influencers that:

    • You are not cherry-picking positive metrics to report and that the ACE faced challenges that it was able to overcome to drive positive business outcomes.
    • You are being transparent with the successes and challenges faced by the ACE, fostering increased trust within your stakeholders regarding the capabilities of Agile.
    • Resolution mechanisms are working as intended, successfully building failure tolerance and trust in change management policies and procedures.

    Activity: Summarize adjustments in areas where the ACE fell short

    3.3.2 15 Minutes per metric

    Input

    • Diagnosed problems from tracking tool
    • Root-cause analyses

    Output

    • Summary of change management successes

    Materials

    • Whiteboard
    • Markers

    Participants

    • ACE
    1. Create a list of items from the ACE Benefits Tracking Tool that fell short of expectations or set goals.
    2. For each point, create a brief synopsis of the root-cause analysis completed and summarize the brainstormed solution and its success in remedying the issue. If this process is not complete, create a to-date summary of any progress.
    3. Choose two to three pointed success stories from this list that will communicate broad success to your set of stakeholders.
    Name of metric that fell short
    Baseline measurement 65% of users satisfied with ACE services.
    Goal measurement 80% of users satisfied with ACE services.
    Actual measurement 70% of users satisfied with ACE services.
    Results of root-cause analysis Onboarding was not extensive enough; teams were unaware of some of the services offered, rendering them unsatisfied.
    Proposed solution Revamp onboarding process to include capability map of service offered.
    Summary of success TBD

    Re-conduct surveys with the ACE Satisfaction Survey to review the effectiveness of your service offerings

    3.3.3 Re-conduct satisfaction surveys and compare against your baseline

    Purpose

    This satisfaction survey will give you a template to follow to monitor the effectiveness of your ACEs defined service offerings. The goal is to understand what worked, and what did not, so you can add, retract, or modify service offerings where necessary.

    Steps

    1. Re-use the satisfaction survey to measure the effectiveness of the service offerings. Add questions regarding specific service offerings where necessary.
    2. Cross-analyze your satisfaction survey with metrics tied to your service offerings to help understand the root cause of the issues.
    3. Use the root-cause analysis exercises from step 3.2 to find the root causes of issues.
    4. Create a set of recommendations to add, amend, or improve any existing service offerings.

    INFO-TECH DELIVERABLE

    Download the ACE Satisfaction Survey.

    Use Info-Tech’s CoE Maturity Diagnostic Tool to baseline current practices

    3.3.4 ACE Maturity Assessment

    Purpose

    Assess your ACEs maturity by using Info-Tech’s CoE Maturity Diagnostic Tool. Assessing your ACEs maturity lets you know where you currently are, and where to look for improvements. Note that your optimal Maturity Level will depend on organizational specifics (e.g. a small organization with a handful of Agile Teams can be less mature than a large organization with hundreds of Agile Teams).

    Steps

    1. Download the CoE Maturity Diagnostic Tool to assess the maturity of your ACE.
    2. Complete the assessment tool with all members of your ACE team to determine your current Maturity score.
    3. Document the results in the ACE Communications Deck.

    Document results in the ACE Communications Deck.

    INFO-TECH DELIVERABLE

    Download the CoE Maturity Diagnostic Tool.

    Use Info-Tech’s ACE Communications Deck to deliver your outcomes to the key stakeholders

    3.3.5 Structure communications to each of your key stakeholders

    Purpose

    The ACE Communications Deck will give you a template to follow to effectively communicate with your stakeholders and ensure the long-term viability of your Agile Center of Excellence. Fill in the slides as instructed and provide each stakeholder with a targeted view of the successes of the ACE.

    Steps

    1. Determine who your target audience is for the Communications Deck – you may desire to create one for each of your key stakeholders as they may have different sets of interests.
    2. Fill out the ACE Communications Deck with the suggested inputs from the exercises you have completed during this research set.
    3. Review communications with members of the ACE to ensure that there are no communicable benefits that have been missed or omitted in the deck.

    INFO-TECH DELIVERABLE

    Download the ACE Communications Deck.

    Summary of accomplishment

    Knowledge Gained

    • An understanding of social capital as the key driver for organizational Agile success, and how it optimizes the value delivery of your Agile teams.
    • Importance of flexible governance to balance the benefits of localized adaptation and centralized control.
    • Alignment of service offerings with both business objectives and functional expectations as critical to ensuring long-term engagement with service offerings.

    Processes Optimized

    • Knowledge management and transfer of Agile best practices to new or existing Agile teams.
    • Optimization of service offerings for Agile teams based on organizational culture and objectives.
    • Change request optimization via interfacing ACE functions with existing change management processes.
    • Communication planning to ensure transparency during cross-functional collaboration.

    Deliverables Completed

    • A set of service offerings offered by the Center of Excellence that are aligned with the business, Agile teams, and related stakeholders.
    • Engagement plans for Agile team members based on a standardized adoption model to access the ACEs service offerings.
    • A suite of Agile metrics to measure effectiveness of Agile teams, the ACE itself, and its ability to deliver positive outcomes.
    • A communications plan to help create cross-functional transparency over pending changes as Agile spreads.
    • A communications deck to communicate Agile goals, actions, and outcomes to key stakeholders to ensure long-term viability of the CoE.

    Research contributors and experts

    Paul Blaney, Technology Delivery Executive, Thought Leader and passionate Agile Advocate

    Paul has been an Agile practitioner since the manifesto emerged some 20 years ago, applying and refining his views through real life experience at several organizations from startups to large enterprises. He has recently completed the successful build out of the inaugural Agile Delivery Centre of Excellence at TD bank in Toronto.

    John Munro, President Scrum Masters Inc.

    John Munro is the President of Scrum Masters Inc., a software optimization professional services firm using Agile, Scrum, and Lean to help North American firms “up skill” their software delivery people and processes. Scrum Masters’ unique, highly collaborative “Master Mind” consulting model leverages Agile/Lean experts on a biweekly basis to solve clients’ technical and process challenges.

    Doug Birgfeld, Senior Partner Agile Wave

    Doug has been a leader in building great teams, Agile project management, and business process innovation for over 20 years. As Senior Partner and Chief Evangelist at Agile Wave, his mission is to educate and to learn from all those who care about effective government delivery, nationally.

    Related Info-Tech research

    Implement Agile Practices That Work

    Agile is a cultural shift. Don't just do Agile, be Agile.

    Enable Organization-Wide Collaboration by Scaling Agile

    Execute a disciplined approach to rolling out Agile methods in the organization.

    Improve Application Development Throughput

    Drive down your delivery time by eliminating development inefficiencies and bottlenecks while maintaining high quality.

    Implement DevOps Practices That Work

    Accelerate software deployment through Dev and Ops collaboration.

    Related Info-Tech research (continued)

    Maximize the Benefits from Enterprise Applications with a Center of Excellence

    Optimize your organization’s enterprise application capabilities with a refined and scalable methodology.

    Drive Efficiency and Agility with a Fit-for-Purpose Quality Management Program

    Be proactive; it costs exponentially more to fix a problem the longer it goes unnoticed.

    Optimize the Change Management Process

    Right-size your change management process.

    Improve Requirements Gathering

    Back to basics: great products are built on great requirements.

    Bibliography

    Ambler, Scott. “Agile Requirements Change Management.” Agile Modeling. Scott Amber + Associates, 2014. Web. 12 Apr. 2016.

    Ambler, Scott. “Center of Excellence (CoEs).” Disciplined Agile 2.0: A Process Decision Framework for Enterprise I.T. Scott Amber + Associates. Web. 01 Apr. 2016.

    Ambler, Scott. “Transforming From Traditional to Disciplined Agile Delivery.” Case Study: Disciplined Agile Delivery Adoption. Scott Amber + Associates, 2013. Web.

    Beers, Rick. “IT – Business Alignment Why We Stumble and the Path Forward.” Oracle Corporation, July 2013. Web.

    Cornelius & Associates. “The Qualities of Leadership: Leading Change.” Cornelius & Associates, n.d. Web.

    Craig, William et al. “Generalized Criteria and Evaluation Method for Center of Excellence: A Preliminary Report.” Carnegie Mellon University Research Showcase @ CMU – Software Engineering Institute. Dec. 2009. Web. 20 Apr. 2016.

    Forsgren, Dr. Nicole et al (2019), Accelerate: State of DevOps 2019, Google, https://services.google.com/fh/files/misc/state-of-devops-2019.pdf

    Gerardi, Bart (2017), Agile Centers of Excellence, PMI Projectmanagement.com, https://www.projectmanagement.com/articles/405819/Agile-Centers-of-Excellence

    Gerardi, Bart (2017), Champions of Agile Adoption, PMI Projectmanagement.com, https://www.projectmanagement.com/articles/418151/Champions-of-Agile-Adoption

    Gerardi, Bart (2017), The Roles of an Agile COE, PMI Projectmanagement.com, https://www.projectmanagement.com/articles/413346/The-Roles-of-an-Agile-COE

    Hohl, P. et al. “Back to the future: origins and directions of the ‘Agile Manifesto’ – views of the originators.” Journal of Software Engineering Research and Development, vol. 6, no. 15, 2018. https://link.springer.com/article/10.1186/s40411-0...

    Kaltenecker, Sigi and Hundermark, Peter. “What Are Self-Organising Teams?” InfoQ. 18 July 2014. Web. 14 Apr. 2016.

    Kniberg, Henrik and Anderson Ivarsson. “Scaling Agile @ Spotify with Tribes, Squads, Chapters & Guilds.” Oct. 2012. Web. 30 Apr. 2016.

    Kumar, Alok et al. “Enterprise Agile Adoption: Challenges and Considerations.” Scrum Alliance. 30 Oct. 2014. Web. 30 May 2016.

    Levison, Mark. “Questioning Servant Leadership.” InfoQ, 4 Sept. 2008. Web. https://www.infoq.com/news/2008/09/servant_leadership/

    Linders, Ben. “Don't Copy the Spotify Model.” InfoQ.com. 6 Oct. 2016.

    Loxton, Matthew (June 1, 2011), CoP vs CoE – What’s the difference, and Why Should You Care?, Wordpress.com

    McDowell, Robert, and Bill Simon. In Search of Business Value: Ensuring a Return on Your Technology Investment. SelectBooks, 2010

    Novak, Cathy. “Case Study: Agile Government and the State of Maine.” Agile Government Leadership, n.d. Web.

    Pal, Nirmal and Daniel Pantaleo. “Services are the Language and Building Blocks of an Agile Enterprise.” The Agile Enterprise: Reinventing your Organization for Success in an On-Demand World. 6 Dec. 2015. Springer Science & Business Media.

    Rigby, Darrell K. et al (2018), Agile at Scale, Harvard Business Review, https://hbr.org/2018/05/agile-at-scale

    Scaledagileframework.com, Create a Lean-Agile Center of Excellence, Scaled Agile, Inc, https://www.scaledagileframework.com/lace/

    Shepley, Joe. “8 reasons COEs fail (Part 2).” Agile Ramblings, 22 Feb. 2010. https://joeshepley.com/2010/02/22/8-reasons-coes-fail-part-2/

    Stafford, Jan. “How upper management misconceptions foster Agile failures.” TechTarget. Web. 07 Mar. 2016.

    Taulli, Tom (2020), RPA Center Of Excellence (CoE): What You Need To Know For Success, Forbes.com, https://www.forbes.com/sites/tomtaulli/2020/01/25/rpa-center-of-excellence-coe-what-you-need-to-know-for-success/#24364620287a

    Telang, Mukta. “The CMMI Agile Adoption Model.” ScrumAlliance. 29 May 2015. Web. 15 Apr. 2016.

    VersionOne. “13th Annual State of Agile Report.” VersionOne. 2019. Web.

    Vembar, Navin. “Case Study: Agile Government and the General Services Administration (Integrated Award Environment).” Agile Government Leadership, n.d. Web.

    Wenger, E., R. A. McDermott, et al. (2002), Cultivating communities of practice: A guide to managing knowledge, Harvard Business Press.

    Wenger, E., White, N., Smith, J.D. Digital Habitats; Stewarding Technology for Communities. Cpsquare (2009).

    Define Service Desk Metrics That Matter

    • Buy Link or Shortcode: {j2store}491|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Service Desk
    • Parent Category Link: /service-desk
    • Consolidate your metrics and assign context and actions to ones currently tracked.
    • Establish tension metrics to see and tell the whole story.
    • Split your metrics for each stakeholder group. Assign proper cadences for measurements as a first step to building an effective dashboard.

    Our Advice

    Critical Insight

    • Identify the metrics that serve a real purpose and eliminate the rest. Establish a formal review process to ensure metrics are still valid, continue to provide the answers needed, and are at a manageable and usable level.

    Impact and Result

    • Tracking goal- and action-based metrics allows you to make meaningful, data-driven decisions for your service desk. You can establish internal benchmarks to set your own baselines.
    • Predefining the audience and cadence of each metric allows you to construct targeted dashboards to aid your metrics analysis.

    Define Service Desk Metrics That Matter Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Define Service Desk Metrics That Matter Storyboard – A deck that shows you how to look beyond benchmarks and rely on internal metrics to drive success.

    Deciding which service desk metrics to track and how to analyze them can be daunting. Use this deck to narrow down your goal-oriented metrics as a starting point and set your own benchmarks.

    • Define Service Desk Metrics That Matter Storyboard

    2. Service Desk Metrics Workbook – A tool to organize your service desk metrics.

    For each metric, consider adding the relevant overall goal, audience, cadence, and action. Use the audience and cadence of the metric to split your tracked metrics into various dashboards. Your final list of metrics and reports can be added to your service desk SOP.

    • Service Desk Metrics Workbook
    [infographic]

    Further reading

    Define Service Desk Metrics That Matter

    Look beyond benchmarks and rely on internal metrics to drive success.

    Analyst Perspective

    Don’t get paralyzed by benchmarks when establishing metrics

    When establishing a suite of metrics to track, it’s tempting to start with the metrics measured by other organizations. Naturally, benchmarking will enter the conversation. While benchmarking is useful, measuring you organization against others with a lack of context will only highlight your failures. Furthermore, benchmarks will highlight the norm or common practice. It does not necessarily highlight best practice.

    Keeping the limitations of benchmarking in mind, establish your own metrics suite with action-based metrics. Define the audience, cadence, and actions for each metric you track and pair them with business goals. Measure only what you need to.

    Slowly improve your metrics process over time and analyze your environment using your own data as your benchmark.

    Benedict Chang

    Research Analyst, Infrastructure & Operations

    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • Measure the business value provided by the service desk.
    • Consolidate your metrics and assign context and actions to ones currently tracked.
    • Establish tension metrics to see and tell the whole story.
    • Split your metrics for each stakeholder group. Assign proper cadences for measurements as a first step to building an effective dashboard or effective dashboards.

    Common Obstacles

    • Becoming too focused on benchmarks or unidimensional metrics (e.g. cost, first-contact resolution, time to resolve) can lead to misinterpretation of the data and poorly informed actions.
    • Sifting through the many sources of data post hoc can lead to stalling in data analysis or slow reaction times to poor metrics.
    • Dashboards can quickly become cluttered with uninformative metrics, thus reducing the signal-to-noise ratio of meaningful data.

    Info-Tech's Approach

    • Use metrics that drive productive change and improvement. Track only what you need to report on.
    • Ensure each metric aligns with the desired business goal, is action-based, and includes the answers to what, why, how, and who.
    • Establish internal benchmarks by analyzing the trends from your own data to set baselines.
    • Act on the results of your metrics by adjusting targets and measuring success.

    Info-Tech Insight

    Identify the metrics that serve a real purpose and eliminate the rest. Establish a formal review process to ensure metrics are still valid, continue to provide the answers needed, and are at a manageable and usable level.

    Improve your metrics to align IT with strategic business goals

    The right metrics can tell the business how hard IT works and how well they perform.

    • Only 19% of CXOs feel that their organization is effective at measuring the success of IT projects with their current metrics.
    • Implementing the proper metrics can facilitate communication between the business division and IT practice.
    • The proper metrics can help IT know what issues the business has and how the CEO and CIO should tackle them.
    • If the goals above resonate with your organization, our blueprint Take Control of Infrastructure and Operations Metrics will take you through the right steps.

    Current Metrics Suite

    19% Effective

    36% Some Improvement Necessary

    45% Significant Improvement Necessary

    Source: Info-Tech Research Group’s CEO/CIO Alignment Diagnostic, 2019; N=622

    CXOs stress that value is the most critical area for IT to improve in reporting

    • You most likely have to improve your metrics suite by addressing business value.
    • Over 80% of organizations say they need improvement to their business value metrics, with 32% of organizations reporting that significant improvement is needed.
    • Of course, measuring metrics for service desk operations is important, but don’t forget business-oriented metrics such as measuring knowledgebase articles written for shift-left enablement, cost (time and money) of service desk tickets, and overall end-user satisfaction.

    The image shows a bar graph with percentages on the Y-Acis, and the following categories on the X-Axis: Business value metrics; Stakeholder satisfaction reporting; Risk metrics; Technology performance & operating metrics; Cost & Salary metrics; and Ad hoc feedback from executives and staff. Each bar is split into two sections, with the blue section marked a Significant Improvement Necessary, and the purple section labelled Some Improvement necessary. Two sections are highlighted with red circles: Business Value metrics--32% blue; 52% purple; and Technology performance & operating metrics--23% blue and 51% purple.

    Source: Info-Tech Research Group’s CEO/CIO Alignment Diagnostic, 2019; N=622

    Benchmarking used in isolation will not tell the whole story

    Benchmarks can be used as a step in the metrics process

    They can be the first step to reach an end goal, but if benchmarks are observed in isolation, it will only highlight your failures.

    Benchmarking relies on standardized models

    This does not account for all the unique variables that make up an IT organization.

    For example, benchmarks that include cost and revenue may include organizations that prioritize first-call resolution (FCR), but the variables that make up this benchmark model will be quite different within your own organization.

    Info-Tech Insight

    Benchmarks reflect the norm and common practice, not best practice.

    Benchmarks are open to interpretation

    Taking the time to establish proper metrics is often more valuable time spent than going down the benchmark rabbit hole.

    Being above or below the norm is neither a good nor a bad thing.

    Determining what the results mean for you depends on what’s being measured and the unique factors, characteristics, and priorities in your organization.

    If benchmark data is a priority within your IT organization, you may look up organizations like MetricNet, but keep the following in mind:

    Review the collected benchmark data

    See where IT organizations in your industry typically stand in relation to the overall benchmark.

    Assess the gaps

    Large gaps between yourself and the overall benchmark could indicate areas for improvement or celebration. Use the data to focus your analysis, develop deeper self-awareness, and prioritize areas for potential concern.

    Benchmarks are only guidelines

    The benchmark source data may not come from true peers in every sense. Each organization is different, so always explore your unique context when interpreting any findings.

    Rely on internal metrics to measure and improve performance

    Measure internal metrics over time to define goals and drive real improvement

    • Internally measured metrics are more reliable because they provide information about your actual performance over time. This allows for targeted improvements and objective measurements of your milestones.
    • Whether a given metric is the right one for your service desk will depend on several different factors, including:
      • The maturity and capability of your service desk processes
      • The volume of service requests and incidents
      • The complexity of your environment when resolving tickets
      • The degree to which your end users are comfortable with self-service

    Take Info-Tech’s approach to metrics management

    Use metrics that drive productive change and improvement. Track only what you need to report on.

    Ensure each metric aligns with the desired business goal, is action-based, and includes the answers to what, why, how, and who.

    Establish internal benchmarks by analyzing the trends from your own data to set baselines.

    Act on the results of your metrics by adjusting targets and measuring success.

    Define action-based metrics to cut down on analysis paralysis

    Every metric needs to be backed with the following criteria:

    • Defining audience, cadence, goal, and action for each metric allows you to keep your tracked metrics to a minimum while maximizing the value.
    • The audience and cadence of each metric may allow you to define targeted dashboards.

    Audience - Who is this metric tracked for?

    Goal - Why are you tracking this metric? This can be defined along with the CSFs and KPIs.

    Cadence - How often are you going to view, analyze, and action this metric?

    Action - What will you do if this metric spikes, dips, trends up, or trends down?

    Activity 1. Define your critical success factors and key performance indicators

    Critical success factors (CSFs) are high-level goals that help you define the direction of your service desk. Key performance indicators (KPIs) can be treated as the trend of metrics that will indicate that you are moving in the direction of your CSFs. These will help narrow the data you have to track and action (metrics).

    CSFs, or your overall goals, typically revolve around three aspects of the service desk: time spent on tickets, resources spent on tickets, and the quality of service provided.

    1. As a group, brainstorm the CSFs and the KPIs that will help narrow your metrics. Use the Service Desk Metrics Workbook to record the results.
    2. Look at the example to the right as a starting point.

    Example metrics:

    Critical success factor Key performance indicator
    High End-User Satisfaction Increasing CSAT score on transactional surveys
    High end-user satisfaction score
    Proper resolution of tickets
    Low time to resolve
    Low Cost per Ticket Decreasing cost per ticket (due to efficient resolution, FCR, automation, self-service, etc.)
    Improve Access to Self-Service (tangential to improve customer service) High utilization of knowledgebase
    High utilization of portal

    Download the Service Desk Metrics Workbook

    Activity 2. Define action-based metrics that align with your KPIs and CSFs

    1. Now that you have defined your goals, continue to fill the workbook by choosing metrics that align with those goals.
    2. Use the chart below as a guide. For every metric, define the cadence of measurement, audience of the metric, and action associated with the metric. There may be multiple metrics for each KPI.
    3. If you find you are unable to define the cadence, audience, or action associated with a metric, you may not need to track the metric in the first place. Alternatively, if you find that you may action a metric in the future, you can decide to start gathering data now.

    Example metrics:

    Critical success factor Key performance indicator Metric Cadence Audience Action
    High End-User Satisfaction Increasing CSAT score on transactional surveys Monthly average of ticket satisfaction scores Monthly Management Action low scores immediately, view long-term trends
    High end-user satisfaction score Average end-user satisfaction score from annual survey Annually IT Leadership View IT satisfaction trends to align IT with business direction
    Proper resolution of tickets Number of tickets reopened Weekly Service Desk Technicians Action reopened tickets, look for training opportunities
    SLA breach rate Daily Service Desk Technicians Action reopened tickets, look for training opportunities
    Low time to resolve Average TTR (incidents) Weekly Management Look for trends to monitor resources
    Average TTR by priority Weekly Management Look for TTR solve rates to align with SLA
    Average TTR by tier Weekly Management Look for improperly escalated tickets or shift-left opportunities

    Download the Service Desk Metrics Workbook

    Activity 3. Define the data ownership, metric viability, and dashboards

    1. For each metric, define where the data is housed. Ideally, the data is directly in the ticketing tool or ITSM tool. This will make it easy to pull and analyze.
    2. Determine how difficult the metric will be to pull or track. If the effort is high, decide if the value of tracking the metric is worth the hassle of gathering it.
    3. Lastly, for each metric, use the cadence and audience to place the metric in a reporting dashboard. This will help divide your metrics and make them easier to report and action.
    4. You may use the output of this exercise to add your tracked metrics to your service desk SOP.
    5. A full suite of metrics can be found in our Infrastructure & Operations Metrics Library in the Take Control of Infrastructure Metrics Storyboard. The metrics have been categorized by low, medium, and advanced capabilities for you.

    Example metrics:

    Metric Who Owns the Data? Efforts to Track? Dashboards
    Monthly average of ticket satisfaction scores Service Desk Low Monthly Management Meeting
    Average end-user satisfaction score Service Desk Low Leadership Meeting
    Number of tickets reopened Service Desk Low Weekly Technician Standup
    SLA breach rate Service Desk Low Daily Technician Standup
    Average TTR (incidents) Service Desk Low Weekly Technician Standup
    Average TTR by priority Service Desk Low Weekly Technician Standup
    Average TTR by tier Service Desk Low Weekly Technician Standup
    Average TTR (SRs) Service Desk Low Weekly Technician Standup
    Number of tickets reopened Service Desk Low Daily Technician Standup

    Download the Service Desk Metrics Workbook

    Keep the following considerations in mind when defining which metrics matter

    Keep the customer in mind

    Metrics are typically focused on transactional efficiency and process effectiveness and not what was achieved against the customers’ need and satisfaction.

    Understand the relationships between performance and metrics management to provide the end-to-end service delivery picture you are aiming to achieve.

    Don’t settle for tool defaults

    ITSM solutions offer an abundance of metrics to choose from. The most common ones are typically built into the reporting modules of the tool suite.

    Do not start tracking everything. Choose metrics that are specifically aligned to your organization’s desired business outcomes.

    Establish tension metrics to achieve balance

    Don’t ignore the correlation and context between the suites of metrics chosen and how one interacts and affects the other.

    Measuring metrics in isolation may lead to an incomplete picture or undesired technician behavior. Tension metrics help complete the picture and lead to proper actions.

    Adjust those targets

    An arbitrary target on a metric that is consistently met month over month is useless. Each metric should inform the overall performance by combining capable service level management and customer experience programs to prove the value IT is providing to the organization.

    Related Info-Tech Research

    Standardize the Service Desk

    This project will help you build and improve essential service desk processes, including incident management, request fulfillment, and knowledge management, to create a sustainable service desk.

    Take Control of Infrastructure and Operations Metrics

    Make faster decisions and improve service delivery by using the right metrics for the job.

    Analyze Your Service Desk Ticket Data

    Take a data-driven approach to service desk optimization.

    IT Diagnostics: Build a Data-Driven IT Strategy

    Our data-driven programs ask business and IT stakeholders the right questions to ensure you have the inputs necessary to build an effective IT strategy.

    Modernize Your SDLC

    • Buy Link or Shortcode: {j2store}148|cart{/j2store}
    • member rating overall impact: 9.5/10 Overall Impact
    • member rating average dollars saved: $30,263 Average $ Saved
    • member rating average days saved: 39 Average Days Saved
    • Parent Category Name: Development
    • Parent Category Link: /development
    • Today’s rapidly scaling and increasingly complex products create mounting pressure on delivery teams to release new features and changes quickly and with sufficient quality.
    • Many organizations lack the critical capabilities and resources needed to satisfy their growing backlog, jeopardizing product success.

    Our Advice

    Critical Insight

    • Delivery quality and throughput go hand in hand. Focus on meeting minimum process and product quality standards first. Improved throughput will eventually follow.
    • Business integration is not optional. The business must be involved in guiding delivery efforts, and ongoing validation and verification product changes.
    • The software development lifecycle (SDLC) must deliver more than software. Business value is generated through the products and services delivered by your SDLC. Teams must provide the required product support and stakeholders must be willing to participate in the product’s delivery.

    Impact and Result

    • Standardize your definition of a successful product. Come to an organizational agreement of what defines a high-quality and successful product. Accommodate both business and IT perspectives in your definition.
    • Clarify the roles, processes, and tools to support business value delivery and satisfy stakeholder expectations. Indicate where and how key roles are involved throughout product delivery to validate and verify work items and artifacts. Describe how specific techniques and tools are employed to meet stakeholder requirements.
    • Focus optimization efforts on most affected stages. Reveal the health of your SDLC from the value delivery, business and technical practice quality standards, discipline, throughput, and governance perspectives with a diagnostic. Identify and roadmap the solutions to overcome the root causes of your diagnostic results.

    Modernize Your SDLC Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should modernize your SDLC, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Set your SDLC context

    State the success criteria of your SDLC practice through the definition of product quality and organizational priorities. Define your SDLC current state.

    • Modernize Your SDLC – Phase 1: Set Your SDLC Context
    • SDLC Strategy Template

    2. Diagnose your SDLC

    Build your SDLC diagnostic framework based on your practice’s product and process objectives. Root cause your improvement opportunities.

    • Modernize Your SDLC – Phase 2: Diagnose Your SDLC
    • SDLC Diagnostic Tool

    3. Modernize your SDLC

    Learn of today’s good SDLC practices and use them to address the root causes revealed in your SDLC diagnostic results.

    • Modernize Your SDLC – Phase 3: Modernize Your SDLC
    [infographic]

    Workshop: Modernize Your SDLC

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Set Your SDLC Context

    The Purpose

    Discuss your quality and product definitions and how quality is interpreted from both business and IT perspectives.

    Review your case for strengthening your SDLC practice.

    Review the current state of your roles, processes, and tools in your organization.

    Key Benefits Achieved

    Grounded understanding of products and quality that is accepted across the organization.

    Clear business and IT objectives and metrics that dictate your SDLC practice’s success.

    Defined SDLC current state people, process, and technologies.

    Activities

    1.1 Define your products and quality.

    1.2 Define your SDLC objectives.

    1.3 Measure your SDLC effectiveness.

    1.4 Define your current SDLC state.

    Outputs

    Product and quality definitions.

    SDLC business and technical objectives and vision.

    SDLC metrics.

    SDLC capabilities, processes, roles and responsibilities, resourcing model, and tools and technologies.

    2 Diagnose Your SDLC

    The Purpose

    Discuss the components of your diagnostic framework.

    Review the results of your SDLC diagnostic.

    Key Benefits Achieved

    SDLC diagnostic framework tied to your SDLC objectives and definitions.

    Root causes to your SDLC issues and optimization opportunities.

    Activities

    2.1 Build your diagnostic framework.

    2.2 Diagnose your SDLC.

    Outputs

    SDLC diagnostic framework.

    Root causes to SDLC issues and optimization opportunities.

    3 Modernize Your SDLC

    The Purpose

    Discuss the SDLC practices used in the industry.

    Review the scope and achievability of your SDLC optimization initiatives.

    Key Benefits Achieved

    Knowledge of good practices that can improve the effectiveness and efficiency of your SDLC.

    Realistic and achievable SDLC optimization roadmap.

    Activities

    3.1 Learn and adopt SDLC good practices.

    3.2 Build your optimization roadmap.

    Outputs

    Optimization initiatives and target state SDLC practice.

    SDLC optimization roadmap, risks and mitigations, and stakeholder communication flow.

    Become a Strategic CIO

    • Buy Link or Shortcode: {j2store}80|cart{/j2store}
    • member rating overall impact: 9.5/10 Overall Impact
    • member rating average dollars saved: $10,000 Average $ Saved
    • member rating average days saved: 15 Average Days Saved
    • Parent Category Name: IT Strategy
    • Parent Category Link: /it-strategy
    • As a CIO, you are currently operating in a stable and trusted IT environment, but you would like to advance your role to strategic business partner.
    • CIOs are often overlooked as a strategic partner by their peers, and therefore face the challenge of proving they deserve a seat at the table.

    Our Advice

    Critical Insight

    • To become a strategic business partner, you must think and act as a business person that works in IT, rather than an IT person that works for the business.
    • Career advancement is not a solo effort. Building relationships with your executive business stakeholders will be critical to becoming a respected business partner.

    Impact and Result

    • Create a personal development plan and stakeholder management strategy to accelerate your career and become a strategic business partner. For a CIO to be considered a strategic business partner, he or she must be able to:
      • Act as a business person that works in IT, rather than an IT person that works for the business. This involves meeting executive stakeholder expectations, facilitating innovation, and managing stakeholder relationships.
      • Align IT with the customer. This involves providing business stakeholders with information to support stronger decision making, keeping up with disruptive technologies, and constantly adapting to the ever-changing end-customer needs.
      • Manage talent and change. This involves performing strategic workforce planning, and being actively engaged in identifying opportunities to introduce change in your organization, suggesting ways to improve, and then acting on them.

    Become a Strategic CIO Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should become a strategic CIO, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Launch

    Analyze strategic CIO competencies and assess business stakeholder satisfaction with IT using Info-Tech's CIO Business Vision Diagnostic and CXO-CIO Alignment Program.

    • Become a Strategic CIO – Phase 1: Launch

    2. Assess

    Evaluate strategic CIO competencies and business stakeholder relationships.

    • Become a Strategic CIO – Phase 2: Assess
    • CIO Strategic Competency Evaluation Tool
    • CIO Stakeholder Power Map Template

    3. Plan

    Create a personal development plan and stakeholder management strategy.

    • Become a Strategic CIO – Phase 3: Plan
    • CIO Personal Development Plan
    • CIO Stakeholder Management Strategy Template

    4. Execute

    Develop a scorecard to track personal development initiatives.

    • Become a Strategic CIO – Phase 4: Execute
    • CIO Strategic Competency Scorecard
    [infographic]

    Workshop: Become a Strategic CIO

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Assess Competencies & Stakeholder Relationships

    The Purpose

    Gather and review information from business stakeholders.

    Assess strategic CIO competencies and business stakeholder relationships.

    Key Benefits Achieved

    Gathered information to create a personal development plan and stakeholder management strategy.

    Analyzed the information from diagnostics and determined the appropriate next steps.

    Identified and prioritized strategic CIO competency gaps.

    Evaluated the power, impact, and support of key business stakeholders.

    Activities

    1.1 Conduct CIO Business Vision diagnostic

    1.2 Conduct CXO-CIO Alignment program

    1.3 Assess CIO competencies

    1.4 Assess business stakeholder relationships

    Outputs

    CIO Business Vision results

    CXO-CIO Alignment Program results

    CIO competency gaps

    Executive Stakeholder Power Map

    2 Take Control of Your Personal Development

    The Purpose

    Create a personal development plan and stakeholder management strategy.

    Track your personal development and establish checkpoints to revise initiatives.

    Key Benefits Achieved

    Identified personal development and stakeholder engagement initiatives to bridge high priority competency gaps.

    Identified key performance indicators and benchmarks/targets to track competency development.

    Activities

    2.1 Create a personal development plan

    2.2 Create a stakeholder management strategy

    2.3 Establish key performance indicators and benchmarks/targets

    Outputs

    Personal Development Plan

    Stakeholder Management Strategy

    Strategic CIO Competency Scorecard

    Accelerate Business Growth and Valuation by Building Brand Awareness

    • Buy Link or Shortcode: {j2store}569|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Marketing Solutions
    • Parent Category Link: /marketing-solutions

    Brands that fail to invest in brand awareness are likely to face some, if not all these problems:

    • Lack of brand visibility and recognition
    • Inability to reach and engage with the buyers
    • Difficulties generating and converting leads
    • Low customer retention rate
    • Inability to justify higher pricing
    • Limited brand equity, business valuation, and sustainability

    Our Advice

    Critical Insight

    Awareness brings visibility and traction to brands, which is essential in taking the market leadership position and becoming the trusted brand that buyers think of first.

    Brand awareness also significantly contributes to increasing brand equity, market valuation, and business sustainability.

    Impact and Result

    Building brand awareness allows for the increase of:

    • Brand visibility, perception, recognition, and reputation
    • Interactions and engagement with the target audience
    • Digital advertising performance and ROI
    • Conversion rates and sales wins
    • Revenue and profitability
    • Market share & share of voice (SOV)
    • Talents, partners, and investors attraction and retention
    • Brand equity, business growth, and market valuation

    Accelerate Business Growth and Valuation by Building Brand Awareness Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Accelerate Business Growth and Valuation by Building Brand Awareness Storyboard - Learn how to establish the brand foundation, create assets and workflows, and deploy effective brand awareness strategies and tactics.

    A two-step approach to building brand awareness, starting with defining the brand foundations and then implementing effective brand awareness strategies and tactics.

    • Accelerate Business Growth and Valuation by Building Brand Awareness Storyboard

    2. Define Brand's Personality and Message - Analyze your target market and develop key elements of your brand guidelines.

    With this set of tools, you will be able to capture and analyze your target market, your buyers and their journeys, define your brand's values, personality, and voice, and develop all the key elements of your brand guidelines to enable people within your organization and external resources to build a consistent and recognizable image across all assets and platforms.

    • Market Analysis Template
    • Brand Recognition Survey and Interview Questionnaire and List Template
    • External and Internal Factors Analysis Template
    • Buyer Personas and Journey Presentation Template
    • Brand Purpose, Mission, Vision, and Values Template
    • Brand Value Proposition and Positioning Statement
    • Brand Voice Guidelines Template
    • Writing Style Guide Template
    • Brand Messaging Template
    • Writer Checklist

    3. Start Building Brand Awareness - Achieve strategic alignment.

    These tools will allow you to achieve strategic alignment and readiness, create assets and workflows, deploy tactics, establish Key Performance Indicators (KPIs), and monitor and optimize your strategy on an ongoing basis.

    • Brand Awareness Strategy and Tactics Template
    • Asset Creation and Management List
    • Campaign Workflows Template
    • Brand Awareness Strategy Rollout Plan Template
    • Survey Emails Best Practices Guidelines

    Infographic

    Further reading

    Accelerate Business Growth and Valuation By Building Brand Awareness

    Develop and deploy comprehensive, multi-touchpoint brand awareness strategies to become the trusted brand that buyers think of first.

    EXECUTIVE BRIEF

    Analyst perspective

    Building brand awareness

    Achieving high brand awareness in a given market and becoming the benchmark for buyers

    is what every brand wants to achieve, as it is a guarantee of success. Building brand awareness,

    even though its immediate benefits are often difficult to see and measure, is essential for companies that want to stand out from their competitors and continue to grow in a sustainable way. The return on investment (ROI) may take longer, but the benefits are also greater than those achieved through short-term initiatives with the expectation of immediate, albeit often limited, results.

    Brands that are familiar to their target market have greater credibility, generate more sales,

    and have a more loyal customer base. CMOs that successfully execute brand awareness programs

    build brand equity and grow company valuation.

    This is a picture of Nathalie Vezina

    Nathalie Vezina
    Marketing Research Director
    SoftwareReviews Advisory

    Executive summary

    Brand leaders know that brand awareness is essential to the success of all marketing and sales activities. Brands that fail to invest in brand awareness are likely to face some, if not all these problems:

    • Lack of brand visibility and compelling storytelling.
    • Inability to reach the target audience.
    • Low engagement on digital platforms and with ads.
    • Difficulties generating and converting leads, or closing/winning sales/deals, and facing a high cost per acquisition.
    • Low/no interest or brand recognition, trust level, and customer retention rate.
    • Inability to justify higher pricing.

    Convincing stakeholders of the benefits of strong brand awareness can be difficult when the positive outcomes are hard to quantify, and the return on investment (ROI) is often long-term. Among the many obstacles brand leaders must overcome are:

    • Lack of longer-term corporate vision, focusing all efforts and resources on short-term growth strategies for a quick ROI.
    • Insufficient market and target buyers' information and understanding of the brand's key differentiator.
    • Misalignment of brand message, and difficulties creating compelling content that resonates with the target audience, generates interest, and keeps them engaged.
    • Limited or no resources dedicated to the development of the brand.

    Inspired by top-performing businesses and best practices, this blueprint provides the guidance and tools needed to successfully build awareness and help businesses grow. By following these guidelines, brand leaders can expect to:

    • Gain market intelligence and a clear understanding of the buyer's needs, your competitive advantage, and key differentiator.
    • Develop a clear and compelling value proposition and a human-centric brand messaging driven by the brand's values.
    • Increase online presence and brand awareness to attract and engage with buyers.
    • Develop a long-term brand strategy and execution plan.

    "A brand is the set of expectations, memories, stories, and relationships that, taken together, account for a consumer's decision to choose one product or service over another."

    – Seth Godin

    What is brand awareness?

    The act of making a brand visible and memorable.

    Brand awareness is the degree to which buyers are familiar with and recognize the attributes and image of a particular brand, product, or service. The higher the level of awareness, the more likely the brand is to come into play when a target audience enters the " buying consideration" phase of the buyer's journey.

    Brand awareness also plays an important role in building equity and increasing business valuation. Brands that are familiar to their target market have greater credibility, drive more sales and have a more loyal customer base.
    Building brand awareness allows increasing:

    • Brand visibility, perception, recognition, and reputation
    • Interactions and engagement with the target audience
    • Digital advertising performance and ROI
    • Conversion rates and sales wins
    • Revenue and profitability
    • Market share and share of voice (SOV)
    • Talents, partners, and investors attraction and retention
    • Brand equity, business growth, and market valuation

    "Products are made in a factory, but brands are created in the mind."
    Source: Walter Landor

    Capitalizing on a powerful brand

    A longer-term approach for an increased and more sustainable ROI.

    Market leader position

    Developing brand awareness is essential to increase the visibility and traction of a brand.

    Several factors may cause a brand to be not well-known. One reason might be that the brand recently launched, such as a startup. Another reason could be that the brand has rebranded or entered a new market.

    To become the trusted brand that buyers think of first in their target markets, it is critical for these brands to develop and deploy comprehensive, multi-touchpoint brand awareness strategies.

    A relationship leading to loyalty

    A longer-term brand awareness strategy helps build a strong relationship between the brand and the buyer, fostering a lasting and rewarding alliance.

    It also enables brands to reach and engage with their target audience effectively by using compelling storytelling and meaningful content.

    Adopting a more human-centric approach and emphasizing shared values makes the brand more attractive to buyers and can drive sales and gain loyalty.

    Sustainable business growth

    For brands that are not well established in their target market, short-term tactics that focus on immediate benefits can be ineffective. In contrast, long-term brand awareness strategies provide a more sustainable ROI (return on investment).

    Investing in building brand awareness can impact a business's ability to interact with its target audience, generate leads, and increase sales. Moreover, it can significantly contribute to boosting the business's brand equity and market valuation.

    "Quick wins may work in the short term, but they're not an ideal substitute for long-term tactics and continued success."
    Source: Forbes

    Impacts of low brand awareness on businesses

    Unfamiliar brands, despite their strong potential, won't thrive unless they invest in their notoriety.

    Brands that choose not to invest in longer-term awareness strategies and rely solely on short-term growth tactics in hopes of an immediate gain will see their ability to grow diminished and their longevity reduced due to a lack of market presence and recognition.

    Symptoms of a weakening brand include:

    • High marketing spending and limited result
    • Low market share or penetration
    • Low sales, revenue, and gross margin
    • Weak renewal rate, customer retention, and loyalty
    • Difficulties delivering on the brand promise, low/no trust in the brand
    • Limited brand equity, business valuation, and sustainability
    • Unattractive brand to partners and investors

    "Your brand is the single most important investment you can make in your business."
    Source: Steve Forbes

    Most common obstacles to increasing brand awareness

    Successfully building brand awareness requires careful preparation and planning.

    • Limited market intelligence
    • Unclear competitive advantage/key differentiator
    • Misaligned and inconsistent messaging and storytelling
    • Lack of long-term vision
    • and low prioritization
    • Limited resources to develop and execute brand awareness building tactics
    • Unattractive content that does not resonate, generates little or no interest and engagement

    Investing in the notoriety of the brand

    Become the top-of-mind brand in your target market.

    To stand out, be recognized by their target audience, and become major players in their industry, brands must adopt a winning strategy that includes the following elements:

    • In-depth knowledge and understanding of the market and audience
    • Strengthening digital presence and activities
    • Creating and publishing content relevant to the target audience
    • Reaching out through multiple touchpoints
    • Using a more human-centric approach
    • Ensure consistency in all aspects of the brand, across all media and channels

    How far are you from being the brand buyers think of first in your target market?

    This is an image of the Brand Awareness Pyramid.

    Brand awareness pyramid

    Based on David Aaker's brand loyalty pyramid

    Tactics for building brand awareness

    Focus on effective ways to gain brand recognition in the minds of buyers.

    This is an image of the Brand Awareness Journey Roadmap.

    Brand recognition requires in-depth knowledge of the target market, the creation of strong brand attributes, and increased presence and visibility.

    Understand the market and audience you're targeting

    Be prepared. Act smart.

    To implement a winning brand awareness-building strategy, you must:

    • Be aware of your competitor's strengths and weaknesses, as well as yours.
    • Find out who is behind the keyboard, and the user experience they expect to have.
    • Plan and continuously adapt your tactics accordingly.
    • Make your buyer the hero.

    Identify the brands' uniqueness

    Find your "winning zone" and how your brand uniquely addresses buyers' pain points.

    Focus on your key differentiator

    A brand has found its "winning zone" or key differentiator when its value proposition clearly shows that it uniquely solves its buyers' specific pain points.

    Align with your target audience's real expectations and successfully interact with them by understanding their persona and buyer's journey. Know:

    • How you uniquely address their pain points.
    • Their values and what motivates them.
    • Who they see as authorities in your field.
    • Their buying habits and trends.
    • How they like brands to engage with them.

    An image of a Venn diagram between the following three terms: Buyer pain point; Competitors' value proposition; your unique value proposition.  The overlapping zone is labeled the Winning zone.  This is your key differentiator.

    Give your brand a voice

    Define and present a consistent voice across all channels and assets.

    The voice reflects the personality of the brand and the emotion to be transmitted. That's why it's crucial to establish strict rules that define the language to use when communicating through the brand's voice, the type of words, and do's and don'ts.

    To be recognizable it is imperative to avoid inconsistencies. No matter how many people are behind the brand voice, the brand must show a unique, distinctive personality. As for the tone, it may vary according to circumstances, from lighter to more serious.

    Up to 80% Increased customer recognition when the brand uses a signature color scheme across multiple platforms
    Source: startup Bonsai
    23% of revenue increase is what consistent branding across channels leads to.
    Source: Harvard Business Review

    When we close our eyes and listen, we all recognize Ella Fitzgerald's rich and unique singing voice.

    We expect to recognize the writing of Stephen King when we read his books. For the brand's voice, it's the same. People want to be able to recognize it.

    Adopt a more human-centric approach

    If your brand was a person, who would it be?

    Human attributes

    Physically attractive

    • Brand identity
    • Logo and tagline
    • Product design

    Intellectually stimulating

    • Knowledge and ideas
    • Continuous innovation
    • Thought leadership

    Sociable

    • Friendly, likeable and fun
    • Confidently engage with audience through multiple touchpoints
    • Posts and shares meaningful content
    • Responsive

    Emotionally connected

    • Inspiring
    • Powerful influencer
    • Triggers emotional reactions

    Morally sound

    • Ethical and responsible
    • Value driven
    • Deliver on its promise

    Personable

    • Honest
    • Self-confident and motivated
    • Accountable

    0.05 Seconds is what it takes for someone to form an opinion about a website, and a brand.
    Source: 8ways

    90% of the time, our initial gut reaction to products is based on color alone.
    Source: startup Bonsai

    56% of the final b2b purchasing decision is based on emotional factors.
    Source: B@B International

    Put values at the heart of the brand-buyers relationship

    Highlight values that will resonate with your audience.

    Brands that focus on the values they share with their buyers, rather than simply on a product or service, succeed in making meaningful emotional connections with them and keep them actively engaged.

    Shared values such as transparency, sustainability, diversity, environmental protection, and social responsibility become the foundation of a solid relationship between a brand and its audience.

    The key is to know what motivates the target audience.

    86% of consumers claim that authenticity is one of the key factors they consider when deciding which brands they like and support.
    Source: Business Wire

    56% of the final decision is based on having a strong emotional connection with the supplier.
    Source: B2B International

    64% of today's customers are belief-driven buyers; they want to support brands that "can be a powerful force for change."
    Source: Edelman

    "If people believe they share values with a company, they will stay loyal to the brand."
    – Howard Schultz
    Source: Lokus Design

    Double-down on digital

    Develop your digital presence and reach out to your target audiences through multiple touchpoints.

    Beyond engaging content, reaching the target audience requires brands to connect and interact with their audience in multiple ways so that potential buyers can form an opinion.

    With the right message consistently delivered across multiple channels, brands increase their reach, create a buzz around their brand and raise awareness.

    73% of today's consumers confirm they use more than one channel during a shopping journey
    Source: Harvard Business Review

    Platforms

    • Website and apps
    • Social media
    • Group discussions

    Multimedia

    • Webinars
    • Podcasts
    • Publication

    Campaign

    • Ads and advertising
    • Landing pages
    • Emails, surveys drip campaigns

    Network

    • Tradeshows, events, sponsorships
    • Conferences, speaking opportunities
    • Partners and influencers

    Use social media to connect

    Reach out to the masses with a social media presence.

    Social media platforms represent a cost-effective opportunity for businesses to connect and influence their audience and tell their story by posting relevant and search-engine-optimized content regularly on their account and groups. It's also a nice gateway to their website.

    Building a relationship with their target buyer through social media is also an easy way for businesses to:

    • Understand the buyers.
    • Receive feedback on how the buyers perceive the brand and how to improve it.
    • Show great user experience and responsiveness.
    • Build trust.
    • Create awareness.

    75% of B2B buyers and 84% of C-Suite executives use social media when considering a purchase
    Source: LinkedIn Business

    92% of B2B buyers use social media to connect with leaders in the sales industry.
    Source: Techjury

    With over 4.5 billion social media users worldwide, and 13 new users signing up to their first social media account every second, social media is fast becoming a primary channel of communication and social interaction for many.
    Source: McKinsey

    Become the expert subject matter

    Raise awareness with thought leadership content.

    Thought leadership is about building credibility
    by creating and publishing meaningful, relevant content that resonates with a target audience.
    Thought leaders write and publish all kinds of relevant content such as white papers, ebooks, case studies, infographics, video and audio content, webinars, and research reports.
    They also participate in speaking opportunities, live presentations, and other high-visibility forums.
    Well-executed thought leadership strategies contribute to:

    • Raise awareness.
    • Build credibility.
    • Be recognized as a subject expert matter.
    • Become an industry leader.

    60% of buyers say thought leadership builds credibility when entering a new category where the brand is not already known.
    Source: Edelman | LinkedIn

    70% of people would rather learn about a company through articles rather than advertising.
    Source: Brew Interactive

    57% of buyers say that thought leadership builds awareness for a new or little-known brand.
    Source: Edelman | LinkedIn

    To achieve best results

    • Know the buyers' persona and journey.
    • Create original content that matches the persona of the target audience and that is close to their values.
    • Be Truthful and insightful.
    • Find the right tone and balance between being human-centric, authoritative, and bold.
    • Be mindful of people's attention span and value their time.
    • Create content for each phase of the buyer's journey.
    • Ensure content is SEO, keyword-loaded, and add calls-to-action (CTAs).
    • Add reason to believe, data to support, and proof points.
    • Address the buyers' pain points in a unique way.

    Avoid

    • Focusing on product features and on selling.
    • Publishing generic content.
    • Using an overly corporate tone.

    Promote personal branding

    Rely on your most powerful brand ambassadors and influencers: your employees.

    The strength of personal branding is amplified when individuals and companies collaborate to pursue personal branding initiatives that offer mutual benefits. By training and positioning key employees as brand ambassadors and industry influencers, brands can boost their brand awareness through influencer marketing strategies.

    Personal branding, when well aligned with business goals, helps brands leverage their key employee's brands to:

    • Increase the organization's brand awareness.
    • Broaden their reach and circle of influence.
    • Show value, gain credibility, and build trust.
    • Stand out from the competition.
    • Build employee loyalty and pride.
    • Become a reference to other businesses.
    • Increase speaking opportunities.
    • Boost qualified leads and sales.

    About 90% of organizations' employee network tends to be completely new to the brand.
    Source: Everyone Social

    8X more engagement comes from social media content shared by employees rather than brand accounts.
    Source: Entrepreneur

    561% more reach when brand messages are shared by employees on social media, than the same message shared by the Brand's social media.
    Source: Entrepreneur

    "Personal branding is the art of becoming knowable, likable and trustable."
    Source: Founder Jar, John Jantsch

    Invest in B2B influencer marketing

    Broaden your reach and audiences by leveraging the voice of influencers.

    Influencers are trusted industry experts and analysts who buyers can count on to provide reliable information when looking to make a purchase.

    Influencer marketing can be very effective to reach new audiences, increase awareness, and build trust. But finding the right influencers with the level of credibility and visibility brands are expecting can sometimes be challenging.

    Search for influencers that have:

    • Relevance of audience and size.
    • Industry expertise and credibility.
    • Ability to create meaningful content (written, video, audio).
    • Charismatic personality with values consistent with the brand.
    • Frequent publications on at least one leading media platform.

    76% of people say that they trust content shared by people over a brand.
    Source: Adweek


    44% increased media mention of the brand using B2B influencer marketers.
    Source: TopRank Marketing

    Turn your customers into brand advocates

    Establish customer advocacy programs and deliver a great customer experience.

    Retain your customers and turn them into brand advocates by building trust, providing an exceptional experience, and most importantly, continuously delivering on the brand promise.

    Implement a strong customer advocacy program, based on personalized experiences, the value provided, and mutual exchange, and reap the benefits of developing and growing long-term relationships.

    92% of individuals trust word-of-mouth recommendations, making it one of the most trust-rich forms of advertising.
    Source: SocialToaster

    Word-of-mouth (advocacy) marketing increases marketing effectiveness by 54%
    Source: SocialToaster

    Make your brand known and make it stick in people's minds

    Building and maintaining high brand awareness requires that each individual within the organization carry and deliver the brand message clearly and consistently across all media whether in person, in written communications, or otherwise.

    To achieve this, brand leaders must first develop a powerful, researched narrative that people will embrace and convey, which requires careful preparation.

    Target market and audience intel

    • Target market Intel
    • Buyer persona and journey/pain points
    • Uniqueness and positioning

    Brand attributes

    • Values at the heart of the relationship
    • Brand's human attributes

    Brand visibly and recall

    • Digital and social media presence
    • Thought leadership
    • Personal branding
    • Influencer marketing

    Brand awareness building plan

    • Long-term awareness and multi-touchpoint approach
    • Monitoring and optimization

    Short and long-term benefits of increasing brand awareness

    Brands are built over the long term but the rewards are high.

    • Stronger brand perception
    • Improved engagement and brand associations
    • Enhanced credibility, reputation, and trust
    • Better connection with customers
    • Increased repeat business
    • High-quality leads
    • Higher and faster conversion rate
    • More sales closed/ deals won
    • Greater brand equity
    • Accelerated growth

    "Strong brands outperform their less recognizable competitors by as much as 73%."
    Source: McKinsey

    Brand awareness building

    Building brand awareness, even though immediate benefits are often difficult to see and measure, is essential for companies to stand out from their competitors and continue to grow in a sustainable way.

    To successfully raise awareness, brands need to have:

    • A longer-term vision and strategy.
    • Market Intelligence, a clear value proposition, and key differentiator.
    • Consistent, well-aligned messaging and storytelling.
    • Digital presence and content.
    • The ability to reach out through multiple touchpoints.
    • Necessary resources.

    Without brand awareness, brands become less attractive to buyers, talent, and investors, and their ability to grow, increase their market value, and be sustainable is reduced.

    Brand awareness building methodology

    Define brands' personality and message

    • Gather market intel and analyze the market.
    • Determine the value proposition and positioning.
    • Define the brand archetype and voice.
    • Craft a compelling brand message and story.
    • Get all the key elements of your brand guidelines.

    Start building brand awareness

    • Achieve strategy alignment and readiness.
    • Create and manage assets.
    • Deploy your tactics, assets, and workflows.
    • Establish key performance indicators (KPIs).
    • Monitor and optimize on an ongoing basis.

    Toolkit

    • Market and Influencing Factors Analysis
    • Recognition Survey and Best Practices
    • Buyer Personas and Journeys
    • Purpose, Mission, Vision, Values
    • Value Proposition and Positioning
    • Brand Message, Voice, and Writing Style
    • Brand Strategy and Tactics
    • Asset Creation and Management
    • Strategy Rollout Plan

    Short and long-term benefits of increasing brand awareness

    Increase:

    • Brand perception
    • Brand associations and engagement
    • Credibility, reputation, and trust
    • Connection with customers
    • Repeat business
    • Quality leads
    • Conversion rate
    • Sales closed / deals won
    • Brand equity and growth

    It typically takes 5-7 brand interactions before a buyer remembers the brand.
    Source: Startup Bonsai

    Who benefits from this brand awareness research?

    This research is being designed for:
    Brand and marketing leaders who:

    • Know that brand awareness is essential to the success of all marketing and sales activities.
    • Want to make their brand unique, recognizable, meaningful, and highly visible.
    • Seek to increase their digital presence, connect and engage with their target audience.
    • Are looking at reaching a new segment of the market.

    This research will also assist:

    • Sales with qualified lead generation and customer retention and loyalty.
    • Human Resources in their efforts to attract and retain talent.
    • The overall business with growth and increased market value.

    This research will help you:

    • Gain market intelligence and a clear understanding of the target audience's needs and trends, competitive advantage, and key differentiator.
    • The ability to develop clear and compelling, human-centric messaging and compelling story driven by brand values.
    • Increase online presence and brand awareness activities to attract and engage with buyers.
    • Develop a long-term brand awareness strategy and deployment plan.

    This research will help them:

    • Increase campaign ROI.
    • Develop a longer-term vision and benefits of investing in longer-term initiatives.
    • Build brand equity and increase business valuation.
    • Grow your business in a more sustainable way.

    SoftwareReviews' brand awareness building methodology

    Phase 1 Define brands' personality and message

    Phase 2 Start building brand awareness

    Phase steps

    1.1 Gather market intelligence and analyze the market.

    1.2 Develop and document the buyer's persona and journey.

    1.3 Uncover the brand mission, vision statement, core values, value proposition and positioning.

    1.4 Define the brand's archetype and tone of voice, then craft a compelling brand messaging.

    2.1 Achieve strategy alignment and readiness.

    2.2 Create assets and workflows and deploy tactics.

    2.3 Establish key performance indicators (KPIs), monitor, and optimize on an ongoing basis.

    Phase outcomes

    • Target market and audience are identified and documented.
    • A clear value proposition and positioning are determined.
    • The brand personality, voice, and messaging are developed.
    • All the key elements of the brand guidelines are in place and ready to use, along with the existing logo, typography, color palette, and imagery.
    • A comprehensive and actionable brand awareness strategy, with tactics, KPIs, and metrics, is set and ready to execute.
    • A progressive and effective deployment plan with deliverables, timelines, workflows, and checklists is in place.
    • Resources are assigned.

    Insight summary

    Brands to adapt their strategies to achieve longer-term growth
    Brands must adapt and adjust their strategies to attract informed buyers who have access to a wealth of products, services, and brands from all over. Building brand awareness, even though immediate benefits are often difficult to see and measure, has become essential for companies that want to stand out from their competitors and continue to grow in a sustainable way.

    A more human-centric approach
    Brand personalities matter. Brands placing human values at the heart of the customer-brand relationship will drive interest in their brand and build trust with their target audience.

    Stand out from the crowd
    Brands that develop and promote a clear and consistent message across all platforms and channels, along with a unique value proposition, stand out from their competitors and get noticed.

    A multi-touchpoints strategy
    Engage buyers with relevant content across multiple media to address their pain points. Analyze touchpoints to determine where to invest your efforts.

    Going social
    Buyers expect brands to be active and responsive in their interactions with their audience. To build awareness, brands are expected to develop a strong presence on social media by regularly posting relevant content, engaging with their followers and influencers, and using paid advertising. They also need to establish thought leadership through content such as white papers, case studies, and webinars.

    Thought leaders wanted
    To enhance their overall brand awareness strategy, organizations should consider developing the personal brand of key executives. Thought leadership can be a valuable method to gain credibility, build trust, and drive conversion. By establishing thought leadership, businesses can increase brand mentions, social engagement, website traffic, lead generation, return on investment (ROI), and Net Promoter Score (NPS).

    Save time and money with SoftwareReviews' branding advice

    Collaborating with SoftwareReviews analysts for inquiries not only provides valuable advice but also leads to substantial cost savings during branding activities, particularly when partnering with an agency.

    Guided Implementation Purpose Measured Value
    Build brands' personality and message Get the key elements of the brand guidelines in place and ready to use, along with your existing logo, typography, color palette, and imagery, to ensure consistency and clarity across all brand touchpoints from internal communication to customer-facing materials. Working with SoftwareReviews analysts to develop brand guidelines saves costs compared to hiring an agency.

    Example: Building the guidelines with an agency will take more or less the same amount of time and cost approximately $80K.

    Start building brand awareness Achieve strategy alignment and readiness, then deploy tactics, assets, and other deliverables. Start building brand awareness and reap the immediate and long-term benefits.

    Working with SoftwareReviews analysts and your team to develop a long-term brand strategy and deployment will cost you less than a fraction of the cost of using an agency.

    Example: Developing and executing long-term brand awareness strategies with an agency will cost between $50-$75K/month over a 24-month period minimum.

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1

    Build brands' personality and message

    Phase 2

    Start building brand awareness

    • Call #1: Discuss concept and benefits of building brand awareness. Identify key stakeholders. Anticipate concerns and objections.
    • Call #2: Discuss target market intelligence, information gathering, and analysis.
    • Call #3: Review market intelligence information. Address questions or concerns.
    • Call #4: Discuss value proposition and guide to find positioning and key differentiator.
    • Call #5: Review value proposition. Address questions or concerns.
    • Call #6: Discuss how to build a comprehensive brand awareness strategy using SR guidelines and template.
    • Call #7: Review strategy. Address questions or concerns.
    • Call #8: Second review of the strategy. Address questions or concerns.
    • Call #9 (optional): Third review of the strategy. Address questions or concerns.
    • Call #10: Discuss how to build the Execution Plan using SR template.
    • Call #11: Review Execution Plan. Address questions or concerns.
    • Call #12: Second review of the Execution Plan. Address questions or concerns.
    • Call #13 (optional): Third review of the Execution Plan. Address questions or concerns.
    • Call #14: Discuss how to build a compelling storytelling and content creation.
    • Call #15: Discuss website and social media platforms and other initiatives.
    • Call #16: Discuss marketing automation and continuous monitoring.
    • Call #17 (optional): Discuss optimization and reporting
    • Call #18: Debrief and determine how we can help with next steps.

    A Guided Implementation (GI) is a series of calls with a SoftwareReviews Marketing Analyst to help implement our best practices in your organization.

    Your engagement managers will work with you to schedule analyst calls.

    Brand awareness building tools

    Each step of this blueprint comes with tools to help you build brand awareness.

    Brand Awareness Tool Kit

    This kit includes a comprehensive set of tools to help you better understand your target market and buyers, define your brand's personality and message, and develop an actionable brand awareness strategy, workflows, and rollout plan.

    The set includes these templates:
    • Market and Influencing Factors Analysis
    • Recognition Survey and Best Practices
    • Buyer Personas and Journeys
    • Purpose, Mission, Vision, and Values
    • Value Proposition and Positioning
    • Brand Message, Voice, and Writing Style
    • Brand Strategy and Tactics
    • Asset Creation and Management
    • Strategy Rollout Plan
    An image of a series of screenshots from the templates listed in the column to the left of this image.

    Get started!

    Know your target market and audience, deploy well-designed strategies based on shared values, and make meaningful connections with people.

    Phase 1

    Define brands' personality and message

    Phase 2

    Start building brand awareness

    Phase 1

    Define brands' personality and message

    Steps

    1.1 Gather market intelligence and analyze the market.
    1.2 Develop and document the buyer's persona and journey.
    1.3 Uncover the brand mission, vision statement, core values, positioning, and value proposition.
    1.4 Define the brand's archetype and tone of voice, then craft a compelling brand messaging.

    Phase outcome

    • Target market and audience are identified and documented.
    • A clear value proposition and positioning are determined.
    • The brand personality, voice, and messaging are developed.
    • All the key elements of the brand guidelines are in place. and ready to use, along with the existing logo, typography, color palette, and imagery..

    Build brands' personality and message

    Step 1.1 Gather market intelligence and analyze the market.

    Total duration: 2.5-8 hours

    Objective

    Analyze and document your competitive landscape, assess your strengths, weaknesses, opportunities,
    and threats, gauge the buyers' familiarity with your brand, and identify the forces of influence.

    Output

    This exercise will allow you to understand your market and is essential to developing your value proposition.

    Participants

    • Head of branding and key stakeholders

    MarTech
    May require you to:

    • Register to a Survey Platform.
    • Use, setup, or install platforms like CRM and/or Marketing Automation Platform.

    Tools

    1.1.1 SWOT and competitive landscape

    (60-120 min.)

    Analyze & Document

    Follow the instructions in the Market Analysis Template to complete the SWOT and Competitive Analysis, slides 4 to 7.

    1.1.3 Internal and External Factors

    (30-60 min.)

    Analyze

    Follow the instructions in the External and Internal Factors Analysis Template to perform the PESTLE, Porter's 5 Forces, and Internal Factors and VRIO Analysis.

    Transfer

    Transfer key information into slides 10 and 11 of the Market Analysis Template.

    Consult SoftwareReviews website to find the best survey and MarTech platforms or contact one of our analysts for more personalized assistance and guidance

    1.1.2 Brand recognition

    (60-300 min.)

    Prep

    Adapt the survey and interview questions in the Brand Recognition Survey Questionnaire and List Template.

    Determine how you will proceed to conduct the survey and interviews (internal or external resources, and tools).

    Refer to the Survey Emails Best Practices Guidelines for more information on how to conduct email surveys.

    Collect & Analyze

    Use the Brand Recognition Survey Questionnaire and List Template to build your list, conduct the survey /interviews, and collect and analyze the feedback received.

    Transfer

    Transfer key information into slides 8 and 9 of the Market Analysis Template.

    Brand performance diagnostic

    Have you considered diagnosing your brand's current performance before you begin building brand awareness?

    Audit your brand using the Diagnose Brand Health to Improve Business Growth blueprint.Collect and interpret qualitative and quantitative brand performance measures.

    The toolkit includes the following templates:

    • Surveys and interviews questions and lists
    • External and internal factor analysis
    • Digital and financial metrics analysis

    Also included is an executive presentation template to communicate the results to key stakeholders and recommendations to fix the uncovered issues.

    Build brands' personality and message

    Step 1.2 Develop and document the buyer's persona and journey.

    Total duration: 4-8 hours

    Objective

    Gather existing and desired customer insights and conduct market research to define and personify your buyers' personas and their buying behaviors.

    Output

    Provide people in your organization with clear direction on who your target buyers are and guidance on how to effectively reach and engage with them throughout their journey.
    Participants

    • Head of branding
    • Key stakeholders from sales and product marketing

    MarTech
    May require you to:

    • Register to an Online Survey Platform (free version or subscription).
    • Use, setup, or installation of platforms like CRM and/or Marketing Automation Platform.

    Tools

    1.2.1 Buyer Personas and Journeys

    (240-280 min.)

    Research

    Identify your tier 1 to 3 customers using the Ideal Client Profile (ICP) Workbook. (Recommended)

    Survey and interview existing and desired customers based using the Buyer Persona and Journey Interview Guide and Data Capture Tool. (Recommended)

    Create

    Define and document your tier 1 to 3 Buyer Personas and Journeys using the Buyer Personas and Journeys Presentation Template.

    Consult SoftwareReviews website to find the best survey platform for your needs or contact one of our analysts for more personalized assistance and guidance

    Buyer Personas and Journeys

    A well-defined buyer persona and journey is a great way for brands to ensure they are effectively reaching and engaging their ideal buyers through a personalized buying experience.

    When properly documented, it provides valuable insights about the ideal customers, their needs, challenges, and buying decision processes allowing the development of initiatives that correspond to the target buyers.

    Build brands' personality and message

    Step 1.3 Uncover the brand mission, vision statement, core values, value proposition, and positioning.

    Total duration: 4-5.5 hours

    Objective
    Define the "raison d'être" and fundamental principles of your brand, your positioning in the marketplace, and your unique competitive advantage.

    Output
    Allows everyone in an organization to understand and align with the brand's raison d'être beyond the financial dimension, its current positioning and objectives, and how it intends to achieve them.
    It also serves to communicate a clear and appealing value proposition to buyers.

    Participants

    • Head of branding
    • Chief Executive Officer (CEO)
    • Key stakeholders

    Tools

    • Brand Purpose, Mission, Vision, and Values Template
    • Value Proposition and Positioning Statement Template

    1.3.1 Brand Purpose, Mission, Vision, and Values

    (90-120 min.)

    Capture or Develop

    Capture or develop, if not already existing, your brand's purpose, mission, vision statement, and core values using slides 4 to 7 of the Brand Purpose, Mission, Vision, and Values Template.

    1.3.2 Brand Value Proposition and Positioning

    (150-210 min.)

    Define

    Map the brand value proposition using the canvas on slide 5 of the Value Proposition and Positioning Statement Template, and clearly articulate your value proposition statement on slide 4.

    Optional: Use canvas on slide 7 to develop product-specific product value propositions.

    On slide 8 of the same template, develop your brand positioning statement.

    Build brands' personality and message

    Steps 1.4 Define the brand's archetype and tone of voice, and craft a compelling brand messaging.

    Total duration: 5-8 hours

    Objective

    Define your unique brand voice and develop a set of guidelines, brand story, and messaging to ensure consistency across your digital and non-digital marketing and communication assets.
    Output

    A documented brand personality and voice, as well as brand story and message, will allow anyone producing content or communicating on behalf of your brand to do it using a unique and recognizable voice, and convey the right message.

    Participants

    • Head of branding
    • Content specialist
    • Chief Executive Officer and other key stakeholders

    Tools

    • Brand Voice Guidelines Template
    • Writing Style Guide Template
    • Brand Messaging Template
    • Writer Checklist Template

    1.4.1 Brand Archetype and Tone of Voice

    (120-240 min.)

    Define and document

    Refer to slides 5 and 6 of the Brand Voice Guidelines Template to define your brand personality (archetype), slide 7.

    Use the Brand Voice Guidelines Template to define your brand tone of voice and characteristics on slides 8 and 9, based on the 4 primary tone of voice dimensions, and develop your brand voice chart, slide 9.

    Set Rules

    In the Writing Style Guide template, outline your brand's writing principles, style, grammar, punctuation, and number rules.

    1.4.2 Brand Messaging

    (180-240 min.)

    Craft

    Use the Brand Messaging template, slides 4 to 7, to craft your brand story and message.

    Audit

    Create a content audit to review and approve content to be created prior to publication, using the Writer's Checklist template.

    Important Tip!

    A consistent brand voice leads to remembering and trusting the brand. It should stand out from the competitors' voices and be meaningful to the target audience. Once the brand voice is set, avoid changing it.

    Phase 2

    Start building brand awareness

    Steps

    2.1 Achieve strategy alignment and readiness.
    2.2 Create assets and workflows, and deploy tactics.
    2.3 Establish key performance indicators (KPIs), monitor, and optimize on an ongoing basis.

    Phase outcome

    • A comprehensive and actionable brand awareness strategy, with tactics, KPIs, and metrics, is set and ready to execute.
    • A progressive and effective deployment plan with deliverables, timelines, workflows, and checklists is in place.
    • Resources are assigned.

    Start building brand awareness

    Step 2.1 Achieve strategy readiness and alignment.

    Total duration: 4-5 hours

    Objective

    Now that you have all the key elements of your brand guidelines in place, in addition to your existing logo, typography, color palette, and imagery, you can begin to build brand awareness.

    Start planning to build brand awareness by developing a comprehensive and actionable brand awareness strategy with tactics that align with the company's purpose and objectives. The strategy should include achievable goals and measurables, budget and staffing considerations, and a good workload assessment.

    Output

    A comprehensive long-term, actionable brand awareness strategy with KPIs and measurables.

    Participants

    • Head of branding
    • Key stakeholders

    Tools

    • Brand Awareness Strategy and Tactics Template

    2.1.1 Brand Awareness Analysis

    (60-120 min.)

    Identify

    In slide 5 of the Brand Awareness Strategy and Tactics Template, identify your top three brand awareness drivers, opportunities, inhibitors, and risks to help you establish your strategic objectives in building brand awareness.

    2.1.2 Brand Awareness Strategy

    (60-120 min.)

    Elaborate

    Use slides 6 to 10 of the Brand Awareness Strategy and Tactics Template to elaborate on your strategy goals, key issues, and tactics to begin or continue building brand awareness.

    2.1.3 Brand Awareness KPIs and Metrics

    (180-240 min.)

    Set

    Set the strategy performance metrics and KPIs on slide 11 of the Brand Awareness Strategy and Tactics Template.

    Monitor

    Once you start executing the strategy, monitor and report each quarter using slides 13 to 15 of the same document.

    Understanding the difference between strategies and tactics

    Strategies and tactics can easily be confused, but although they may seem similar at times, they are in fact quite different.

    Strategies and tactics are complementary.

    A strategy is a plan to achieve specific goals, while a tactic is a concrete action or set of actions used to implement that strategy.

    To be effective, brand awareness strategies should be well thought-out, carefully planned, and supported by a series of tactics to achieve the expected outcomes.

    Start building brand awareness

    Step 2.2 Create assets and workflows and deploy tactics.

    Total duration: 3.5-4.5 hours

    Objective

    Build a long-term rollout with deliverables, milestones, timelines, workflows, and checklists. Assign resources and proceed to the ongoing development of assets. Implement, manage, and continuously communicate the strategy and results to key stakeholders.

    Output

    Progressive and effective development and deployment of the brand awareness-building strategy and tactics.

    Participants

    • Head of branding

    Tools

    • Asset Creation and Management List
    • Campaign Workflows Template
    • Brand Awareness Strategy Rollout Plan Template

    2.2.1 Assets Creation List

    (60-120 min.)

    Inventory

    Inventory existing assets to create the Asset Creation and Management List.

    Assign

    Assign the persons responsible, accountable, consulted, and informed of the development of each asset, using the RACI model in the template. Ensure you identify and collaborate with the right stakeholders.

    Prioritize

    Prioritize and add release dates.

    Communicate

    Update status and communicate regularly. Make the list with links to the assets available to the extended team to consult as needed.

    2.2.2 Rollout Plan

    (60-120 min.)

    Inventory

    Map out your strategy deployment in the Brand Awareness Strategy Rollout Plan Template and workflow in the Campaign Workflow Template.

    Assign

    Assign the persons responsible, accountable, consulted, and informed for each tactic, using the RACI model in the template. Ensure you identify and collaborate with the right stakeholders.

    Prioritize

    Prioritize and adjust the timeline accordingly.

    Communicate

    Update status and communicate regularly. Make the list with links to the assets available to the extended team to consult as needed.

    Band Awareness Strategy Rollout Plan
    A strategy rollout plan typically includes the following:

    • Identifying a cross-functional team and resources to develop the assets and deploy the tactics.
    • Listing the various assets to create and manage.
    • A timeline with key milestones, deadlines, and release dates.
    • A communication plan to keep stakeholders informed and aligned with the strategy and tactics.
    • Ongoing performance monitoring.
    • Constant adjustments and improvements to the strategy based on data collected and feedback received.

    Start building brand awareness

    Step 2.3 Establish key performance indicators (KPIs), monitor, and optimize on an ongoing basis.

    Total duration: 3.5-4.5 hours

    Objective

    Brand awareness is built over a long period of time and must be continuously monitored in several ways. Measuring and monitoring the effectiveness of your brand awareness activities will allow you to constantly adjust your tactics and continue to build awareness.

    Output

    This step will provide you with a snapshot of your current level of brand awareness and interactions with the brand, and allow you to set up the tools for ongoing monitoring and optimization.

    Participants

    • Head of branding
    • Digital marketing manager

    MarTech
    May require you to:

    • Register to an Online Survey Platform(free version or subscription), or
    • Use, setup, or installation of platforms like CRM and/or Marketing Automation Platform.
    • Use Google Analytics or other tracking tools.
    • Use social media and campaign management tools.

    Tools

    • Brand Awareness Strategy and Tactics Template

    2.2.2 Rollout Plan

    (60-120 min.)

    Measure

    Monitor and record the strategy performance metrics in slides 12 to 15 of the Brand Awareness Strategy and Tactics template, and gauge its performance against preset KPIs in slide 11. Make ongoing improvements to the strategy and assets.

    Communicate

    The same slides in which you monitor strategy performance can be used to report on the results of the current strategy to key stakeholders on a monthly or quarterly basis, as appropriate.

    Take this opportunity to inform stakeholders of any adjustments you plan to make to the existing plan to improve its performance. Since brand awareness is built over time, be sure to evaluate the results based on how long the strategy has been in place before making major changes.

    Consult SoftwareReviews website to find the best survey, brand monitoring and feedback, and MarTech platforms, or contact one of our analysts for more personalized assistance and guidance

    Measuring brand strategy performance
    There are two ways to measure and monitor your brand's performance on an ongoing basis.

    • By registering to brand monitoring and feedback platforms and tools like Meltwater, Hootsuite, Insights, Brand24, Qualtrics, and Wooltric.
    • Manually, using native analytics built in the platforms you're already using, such as Google and Social Media Analytics, or by gathering customer feedback through surveys, or calculating CAC, ROI, and more in spreadsheets.

    SoftwareReviews can help you choose the right platform for your need. We also equip you with manual tools, available with the Diagnose Brand Health to Improve Business Growthblueprint to measure:

    • Surveys and interviews questions and lists.
    • External and internal factor analysis.
    • Digital and financial metrics analysis.
    • Executive presentation to report on performance.

    Related SoftwareReviews research

    An image of the title page for SoftwareReviews Create a Buyer Persona and Journey. An image of the title page for SoftwareReviews Diagnose Brand Health to Improve Business Growth.

    Create a Buyer Persona and Journey

    Get deeper buyer understanding and achieve product-market fit, with easier access to market and sales

    • Reduce time and resources wasted chasing the wrong prospects.
    • Increase open and click-through rates.
    • Perform more effective sales discovery.
    • Increase win rate.

    Diagnose Brand Health to Improve Business Growth

    Have a significant and well-targeted impact on business success and growth by knowing how your brand performs, identifying areas of improvement, and making data-driven decisions to fix them.

    • Increase brand awareness and equity.
    • Build trust and improve customer retention and loyalty.
    • Achieve higher and faster growth.

    Bibliography

    Aaker, David. "Managing Brand Equity." Simon & Schuster, 1991.
    "6 Factors for Brands to Consider While Designing Their Communication." Lokus Design, 23 Sept. 2022.
    "20 Advocacy Marketing Statistics You Need to Know." Social Toaster, n.d.
    Bazilian, Emma. "How Millennials and Baby Boomers Consume User-Generated Content And what brands can learn from their preferences." Adweek, January 2, 2017.
    B2B International, a Gyro: company, B2B Blog - Why Human-To-Human Marketing Is the Next Big Trend in a Tech-Obsessed World.
    B2B International, a Gyro: company, The State of B2B Survey 2019 - Winning with Emotions: How to Become Your Customer's First Choice.
    Belyh, Anastasia. "Brand Ambassador 101:Turn Your Personal Brand into Cash." Founder Jar, December 6, 2022.
    Brand Master Academy.com.
    Businesswire, a Berkshire Hathaway Company, "Stackla Survey Reveals Disconnect Between the Content Consumers Want & What Marketers Deliver." February 20, 2019.
    Chamat, Ramzi. "Visual Design: Why First Impressions Matter." 8 Ways, June 5, 2019.
    Cognism. "21 Tips for Building a LinkedIn Personal Brand (in B2B SaaS)."
    Curleigh, James. "How to Enhance and Expand a Global Brand." TED.
    "2019 Edelman Trust Barometer." Edelman.
    Erskine, Ryan. "22 Statistics That Prove the Value of Personal Branding." Entrepreneur, September 13, 2016.
    Forbes, Steve. "Branding for Franchise Success: How To Achieve And Maintain Brand Consistency Across A Franchise Network?" Forbes, 9 Feb. 2020.
    Godin, Seth. "Define: Brand." Seth's Blog, 30 Dec. 2009,
    Houragan, Stephen. "Learn Brand Strategy in 7 Minutes (2023 Crash Course)." YouTube.
    Jallad, Revecka. "To Convert More Customers, Focus on Brand Awareness." Forbes, October 22, 2019.
    Kingsbury, Joe, et al. "2021 B2B Thought Leadership Impact Study." Edelman, 2021.
    Kunsman, Todd. "The Anatomy of an Employee Influencer." EveryoneSocial, September 8, 2022.
    Landor, Walter. A Brand New World: The Fortune Guide to the 21st Century. Time Warner Books, 1999.
    Liedke, Lindsay. "37+ Branding Statistics For 2023: Stats, Facts & Trends." Startup Bonsai, January 2, 2023.
    Millman, Debbie. "How Symbols and Brands Shape our Humanity." TED, 2019.
    Nenova, Velina. "21 Eye-Opening B2B Marketing Statistics to Know in 2023." Techjury, February 9, 2023.
    Perrey, Jesko et al., "The brand is back: Staying relevant in an accelerating age." McKinsey & Company, May 1, 2015.
    Schaub, Kathleen. "Social Buying Meets Social Selling: How Trusted Networks Improve the Purchase Experience." LinkedIn Business, April 2014.
    Sopadjieva, Emma et al. "A Study of 46,000 Shoppers Shows That Omnichannel Retailing Works." Harvard Business Review, January 3, 2017.
    Shaun. "B2B Brand Awareness: The Complete Guide 2023." B2B House. 2023.
    TopRank Marketing, "2020 State of B2B Influencer Marketing Research Report." Influencer Marketing Report.

    Maximize the Benefits from Enterprise Applications with a Center of Excellence

    • Buy Link or Shortcode: {j2store}367|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: $129,465 Average $ Saved
    • member rating average days saved: 12 Average Days Saved
    • Parent Category Name: Optimization
    • Parent Category Link: /optimization
    • Processes pertaining to managing the application are inconsistent and do not drive excellence.
    • There is a lack of interdepartmental collaboration between different teams pertaining to the application.
    • There are no formalized roles and responsibilities for governance and support around enterprise applications.

    Our Advice

    Critical Insight

    • Scale the Center of Excellence (CoE) based on business needs. There is flexibility in how extensively the CoE methodology is applied and rigidity in how consistently it should be used.
    • The CoE is a refinery. It takes raw inputs from the business and produces an enhanced product, removing waste and isolating it from re-entering day-to-day operations.
    • Excellence is about people as much as it is about process. Documented best practices should include competencies, key resources, and identified champions to advocate the CoE practice.

    Impact and Result

    • Formalize roles and responsibilities for all application initiatives.
    • Develop a standard process of governance and oversight surrounding the application.
    • Develop a comprehensive support network that consists of IT, the business, and external stakeholders to address issues and problem areas surrounding the application.

    Maximize the Benefits from Enterprise Applications with a Center of Excellence Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should establish a Center of Excellence for your enterprise application, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Create a vision for the CoE

    Understand the importance of developing an enterprise application CoE, define its scope, and identify key stakeholders.

    • Maximize the Benefits from Enterprise Applications with a Center of Excellence – Phase 1: Create a Vision for the Center of Excellence
    • Enterprise Application Center of Excellence Project Charter

    2. Design the CoE future state

    Gather high-level requirements to determine the ideal future state.

    • Maximize the Benefits from Enterprise Applications with a Center of Excellence – Phase 2: Design the Center of Excellence Future State
    • Center of Excellence Refinery Model Template

    3. Develop a CoE roadmap

    Assess the required capabilities to reach the ideal state CoE.

    • Maximize the Benefits from Enterprise Applications with a Center of Excellence – Phase 3: Develop a Center of Excellence Roadmap
    • Center of Excellence Exceptions Report
    • Track and Measure Benefits Tool
    • Enterprise Application Center of Excellence Stakeholder Presentation Template
    [infographic]

    Workshop: Maximize the Benefits from Enterprise Applications with a Center of Excellence

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Create a Vision for the CoE

    The Purpose

    Understand the importance of developing a CoE for enterprise applications.

    Determine how to best align the CoE mandate with business objectives.

    Complete a CoE project charter to gain buy-in, build a project team, and track project success. 

    Key Benefits Achieved

    Key stakeholders identified.

    Project team created with defined roles and responsibilities.

    Project charter finalized to gain buy-in.

    Activities

    1.1 Evaluate business needs and priorities.

    1.2 Identify key stakeholders and the project team.

    1.3 Align CoE with business priorities.

    1.4 Map current state CoE.

    Outputs

    Project vision

    Defined roles and responsibilities

    Strategic alignment of CoE and the business

    CoE current state schematic

    2 Design the CoE Future State

    The Purpose

    Gain a thorough understanding of pains related to the lack of application governance.

    Identify and recycle existing CoE practices.

    Visualize the CoE enhancement process.

    Visualize your ideal state CoE. 

    Key Benefits Achieved

    Requirements to strengthen the case for the enterprise application CoE.

    CoE value-add refinery.

    Future potential of the CoE.

    Activities

    2.1 Gather requirements.

    2.2 Map the CoE enhancement process.

    2.3 Sketch future state CoE.

    Outputs

    Classified pains, opportunities, and existing practices

    CoE refinery model

    Future state CoE sketch

    3 Develop a CoE Roadmap

    The Purpose

    Assess required capabilities and resourcing.

    List and prioritize CoE initiatives.

    Track and monitor CoE performance. 

    Key Benefits Achieved

    Next steps for the enterprise application CoE.

    CoE resourcing plan.

    CoE benefits realization tracking.

    Activities

    3.1 Build CoE capabilities.

    3.2 Identify risks and mitigation efforts.

    3.3 Prioritize and track CoE initiatives.

    3.4 Finalize stakeholder presentation.

    Outputs

    CoE potential capabilities

    Risk management plan

    CoE initiatives roadmap

    CoE stakeholder presentation

    Assess Infrastructure Readiness for Digital Transformation

    • Buy Link or Shortcode: {j2store}300|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Strategy and Organizational Design
    • Parent Category Link: /strategy-and-organizational-design

    There are many challenges for I&O when it comes to digital transformation, including:

    • Legacy infrastructure technical debt
    • Skills and talent in the IT team
    • A culture that resists change
    • Fear of job loss

    These and many more will hinder your progress, which demonstrates the need to invest in modernizing your infrastructure, investing in training and hiring talent, and cultivating a culture that supports digital transformation.

    Our Advice

    Critical Insight

    By using the framework of culture, competencies, collaboration and capabilities, organizations can create dimensions in their I&O structure in order to shift from traditional infrastructure management to becoming a strategic enabler, driving agility, innovation, and operational excellence though the effective integration of people, process, and technology.

    Impact and Result

    By driving a customer-centric approach, delivering a successful transformation can be tailored to the business goals and drive adoption and engagement. Refining your roadmap through data and analytics will drive this change. Use third-party expertise to guide your transformation and help build that vision of the future.

    Assess Infrastructure Readiness for Digital Transformation Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Assess Infrastructure Readiness for Digital Transformation – Unlock the full potential of your infrastructure with a digital transformation strategy and clear the barriers for success.

  • Be customer centric as opposed to being technology driven.
  • Understanding business needs and pain points is key to delivering solutions.
  • Approach infrastructure digital transformation in iterations and look at this as a journey.
    • Assess Infrastructure Readiness for Digital Transformation Storyboard
    • I&O Digital Transformation Maturity Assessment Tool

    Infographic

    Further reading

    Assess Infrastructure Readiness for Digital Transformation

    Unlock the full potential of your infrastructure with a digital transformation strategy and clear the barriers to success.

    Analyst Perspective

    It’s not just about the technology!

    Many businesses fail in their endeavors to complete a digital transformation, but the reasons are complex, and there are many ways to fail, whether it is people, process, or technology. In fact, according to many surveys, 70% of digital transformations fail, and it’s mainly down to strategy – or the lack thereof.

    A lot of organizations think of digital transformation as just an investment in technology, with no vision of what they are trying to achieve or transform. So, out of the gate, many organizations fail to undergo a meaningful transformation, change their business model, or bring about a culture of digital transformation needed to be seriously competitive in their given market.

    When it comes to I&O leaders who have been given a mandate to drive digital transformation projects, they still must align to the vision and mission of the organization; they must still train and hire staff that will be experts in their field; they must still drive process improvements and align the right technology to meet the needs of a digital transformation.

    John Donovan

    John Donovan

    Principal Research Director, I&O
    Info-Tech Research Group

    Insight summary

    Overarching insight

    Digital transformation requires I&O teams to shift from traditional infrastructure management to becoming a strategic enabler, driving agility, innovation, and operational excellence through effective integration of people, process, and technology.

    Insight 1

    Collaboration is a key component of I&O – Promote strong collaboration between I&O and other business functions. When doing a digital transformation, it is clear that this is a cross-functional effort. Business leaders and IT teams need to align their objectives, prioritize initiatives, and ensure that you are seamlessly integrating technologies with the new business functions.

    Insight 2

    Embrace agility and adaptability as core principles – As the digital landscape continues to evolve, it is paramount that I&O leaders are agile and adaptable to changing business needs, adopting new technology and implementing new innovative solutions. The culture of continuous improvement and openness to experimentation and learning will assist the I&O leaders in their journey.

    Insight 3

    Future-proof your infrastructure and operations – By anticipating emerging technologies and trends, you can proactively plan and organize your team for future needs. By investing in scalable, flexible infrastructure such as cloud services, automation, AI technologies, and continuously upskilling the IT staff, you can stay relevant and forward-looking in the digital space.

    Tactical insight

    An IT infrastructure maturity assessment is a foundational step in the journey of digital transformation. The demand will be on performance, resilience, and scalability. IT infrastructure must be able to support innovation and rapid deployment of services.

    Tactical insight

    Having a clear strategy, with leadership commitment along with hiring and training the right people, monitoring and measuring your progress, and ensuring it is a business-led journey will increase your chances of success.

    Executive Summary

    Your Challenge

    There are a lot of challenges for I&O when it comes to digital transformation, including:

    • Legacy infrastructure technical debt.
    • Skills and talent in the IT team.
    • A culture that resists change.
    • Fear of job loss.

    These and many more will hinder your progress, which demonstrates the need to invest in modernizing your infrastructure, investing in training and hiring talent, and cultivating a culture that supports digital transformation.

    Common Obstacles

    Many obstacles to digital transformation begin with non-I&O activities, including:

    • Lack of a clear vision and strategy.
    • Siloed organizational structure.
    • Lack of governance and data management.
    • Limited budget and resources.

    By addressing these obstacles, I&O will have a better chance of a successful transformation and delivering the full potential of digital technologies.

    Info-Tech's Approach

    Building a culture of innovation by developing clear goals and creating a vision will be key.

    • Be customer centric as opposed to being technology driven.
    • Understand the business needs and pain points in order to effectively deliver solutions.
    • Approach infrastructure digital transformation in iterations and look at it as a journey.

    By completing the Info-Tech digital readiness questionnaire, you will see where you are in terms of maturity and areas you need to concentrate on.

    Info-Tech Insight

    By driving a customer-centric approach, delivering a successful transformation can be tailored to the business goals and drive adoption and engagement. Refining your roadmap through data and analytics will drive this change. Use third-party expertise to guide your transformation and help build that vision of the future.

    The cost of digital transformation

    The challenges that stand in the way of your success, and what is needed to reverse the risk

    What CIOs are saying about their challenges

    26% of those CIOs surveyed cite resistance to change, with entrenched viewpoints demonstrating a real need for a cultural shift to enhance the digital transformation journey.

    Source: Prophet, 2019.

    70% of digital transformation projects fall short of their objectives – even when their leadership is aligned, often with serious consequences.

    Source: BCG, 2020.

    Having a clear strategy and commitment from leadership, hiring and training the right people, monitoring and measuring your progress, and ensuring it is a business-led journey will increase your chances of success.

    Info-Tech Insight

    Cultural change, business alignment, skills training, and setting a clear strategy with KPIs to demonstrate success are all key to being successful in your digital journey.

    Small and medium-sized enterprises

    What business owners and CEOs are saying about their digital transformation

    57% of small business owners feel they must improve their IT infrastructure to optimize their operations.

    Source: SMB Story, 2023.

    64% of CEOs believe driving digital transformation at a rapid pace is critical to attracting and retaining talent and customers.

    Source: KPMG, 2022.

    Info-Tech Insight

    An IT infrastructure maturity assessment is a foundational step in the journey of digital transformation. The demand will be on performance, resilience, and scalability. IT infrastructure must be able to support innovation and rapid deployments.

    Drive Ongoing Adoption With an M365 Center of Excellence

    • Buy Link or Shortcode: {j2store}66|cart{/j2store}
    • member rating overall impact: 9.0/10 Overall Impact
    • member rating average dollars saved: 20 Average Days Saved
    • member rating average days saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • Parent Category Name: End-User Computing Applications
    • Parent Category Link: /end-user-computing-applications

    There are roadblocks common to all CoEs: lack of in-house expertise, lack of resources (time, budget, etc.), and employee perception that this is just another burdensome administrative layer. These are exacerbated when building an M365 CoE.

    • Constant vendor-initiated change in M365 means expertise always needs updating.
    • The self-service architecture of M365 is at odds with centralized limits and controls.
    • M365 has a multitude of services that can be adopted across a huge swath of the organization compared to the specific capabilities and limited audience of traditional CoEs.

    Our Advice

    Critical Insight

    The M365 CoE should be somewhat decentralized to avoid an “us versus them” mentality. Having clear KPIs at the center of the program makes it easier to demonstrate improvements and competencies. COMMUNICATE these early successes! They are vital in gaining widespread credibility and momentum.

    Impact and Result

    Having a clear vision of what you want business outcomes you want your Microsoft 365 CoE to accomplish is key. This vision helps select the core competencies and deliverables of the CoE.

    • Ongoing measurement and reporting of business value generated from M365 adoption.
    • Servant leadership allows the CoE to work closely and deeply with end users, which builds them up to share knowledge with others
    • Focus and clear lines of accountability ensure that everyone involved feels part of the compromise when decisions are to be made.

    Drive Ongoing Adoption With an M365 Center of Excellence Research & Tools

    Build out your M365 CoE competencies, membership, and roles; create success metrics and build your M365 adoption, then communicate

    In this deck we explain why your M365 CoE needs to be distributed and how it should be organized. Using a roadmap will assist you in building competency and maturity through training, certifications, and building governance.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Drive Ongoing Adoption With an M365 Center of Excellence Storyboard
    [infographic]

    Further reading

    Drive Ongoing Adoption With an M365 Center of Excellence

    Accelerate business processes change and get more value from your subscription by building and sharing thanks to an effective Centre of Excellence.

    CLIENT ADVISORY DECK

    Drive Ongoing Adoption With an M365 Centre of Excellence

    Accelerate business processes change and get more value from your subscription by building and sharing thanks to an effective Centre of Excellence

    Research Team:
    John Donovan
    John Annand
    Principal Research Directors I&O Practice

    41 builds released in 2021!
    IT can no longer be expected to provide training to all users on all features

    • Traditional classroom training (online and self-paced) is time consuming and overly generic
    • Users tend to hold onto old familiar tools even as new ones roll out
    • Citizen Programming comes with a lot of promise but also the spectre of reliving the era of Access ‘97 databases
    • Seemingly small decisions around configuration have outsized impacts
    • Every enterprises’ journey through adoption is unique

    ▲20% $ spent in 2021

    148% more meetings
    66% more users collaborating on documents
    40.6B more emails

    2021 vs. 2022 Source: Microsoft The Work Trend Index

    • Who needs to be in a CoE? What daily tasks do they undertake?
    • How do you turn artifacts like best practice documents into actual behavioral change?
    • How does CoE differ from governance? And why is it going to be any more successful?
    • How does the CoE evolve over time as enterprises become more mature?

    CoE Competencies, Membership and Roles
    Communication, Standards Templates
    Adoption, and Business Success Metrics

    this image depicts the key CoE Competencies: Goals; Controls; Tools; Training; and Support

    Using these deliverables, Info-Tech will help you drive consistency in your enterprise collaboration, increase end-user satisfaction in the tools they are provided, optimize your license spending, fill the gaps between implementation of a technology and realization of business value, and empower end-users to innovate in ways that senior leadership had not imagined.

    Executive Summary

    Insight

    User adoption is the primary focus of the efforts in the CoE

    User adoption and setting up guardrails in governance are the focuses of the CoE in its early stages. Purging obsolete data from legacy share servers, and exchange, and rationalize legacy applications that are comparable to Microsoft offerings. The primary goal is M365 excellence, but that needs to be primed with a Roadmap, and laying down clear milestones to show progress, along with setting up quick wins to get buy in from the organization.

    Breakdown your CoE into distinct areas for improvement

    Due to the size and complexity of Microsoft 365, breaking it into clearly defined divisions makes sense. The parts that need to be fragmented into are, Collaboration, Power Apps, Office tools, Learning, Professional Training and Certifications, Governance and Support. Subject Matter experts needs to keep pace with the ever-changing M365 environment with enhancements continuously being rolled out. (There were 41 build releases in 2021 alone! )

    Set up your M365 CoE in a decentralized design

    Define how your CoE will be set up. It will either be centralized, distributed, or a combination of both. They all have their strengths and weaknesses; however a distributed CoE can ensure there is buy-in from the various departments across the CoE, as they participate in the decision making and therefore the direction the CoE goes. Additionally, it ensures that each segment of the CoE is accountable for the success of the M365 adoption, its usage, and delivering value to the organization.

    Summary

    Your Challenge

    You have purchased Microsoft 365 for your business, and you have determined that you are not realizing the full value and potential of the product, neither adoption nor usage – for example, you have legacy applications that the user base is reluctant to move away from, whether it be Skype, Jabber, or other collaboration tools available to them. You have released Teams to the organization but may have not shown how useful it is and you have not communicated to the business that it is your new collaboration tool, along with SharePoint Online and OneDrive. How do you fix this problem?

    Common Obstacles

    There are roadblocks common to all CoEs: lack of in-house expertise, lack of resources (time, budget, etc.) and employee perception of just another burdensome administrative layer. These are exacerbated when building an M365 CoE.

    • Constant vendor-initiated change in M365 means expertise always needs updating
    • The self-service architecture of M365 is at odds with centralized limits and controls
    • M365 is a multitude of services, adopted across a huge swath of the organization compared to the specific capabilities and limited audience of traditional CoEs

    Info-Tech’s Approach

    Having a clear vision of what business outcomes you want your Microsoft 365 CoE to accomplish is key. This vision helps select the core competencies and deliverables of the CoE.

    1. Ongoing measurement and reporting of business value generated from M365 adoption
    2. Servant leadership allows the CoE to work closely and deeply with end-users, which builds them up to share knowledge with others
    3. Focus and clear lines of accountability ensure that everyone involved feels part of the compromise when decisions are to be made

    Info-Tech Insight

    The M365 CoE should be somewhat decentralized to avoid an “us versus them” mentality. Having clear KPIs at the center of the program makes it easier to demonstrate improvements and competencies. COMMUNICATE these early successes! They are vital in gaining widespread credibility and momentum.

    Charter Mandate Authority to Operate

    Mission : To accelerate the value that M365 brings to the organization by using the M365 CoE to increase adoption, build competency through training and best practices, and deliver on end user innovation throughout the business.

    Vision Statement: To transform the organization’s efficiencies and performance through an optimized world-class M365 CoE by meeting all KPIs set out in the Charter.

    Info-Tech Insights

    A mission and vision for your M365 CoE are a necessary step to kick the program off. Not aving clear goals and a roadmap to get there will hinder your progress. It may even stall the whole objective if you cannot agree or measure what you are trying to accomplish

    • The scope of the M365 CoE is to build the adoption rate that can meet milestone goals to advance user competency, as well as the maturation of the SMEs in each segment of the CoE leadership and contributors.
    • Maturity will be measured through 100% adoption, specifically around collaboration tools and Office apps across the organization that use M365. Strategic value will be measured by core competencies within the CoE.
    • SMEs are developed and educated with certifications and other training throughout the course of the CoE development to bring “bench strength” to the vision of optimizing a world-class M365 CoE.
    • SMEs will all be certified Microsoft professionals. They will set the standard to be met within the CoE. The SMEs can either be internal candidates or external hires, depending on the current IT department competency.
    • Additional resources required will be tech savvy department leads that understand and can help in the training of staff, who also are willing to spend a certain amount of their work time in coaching colleagues.
    • They will be assisted by the training through the SMEs providing relevant material and various M365 courses both in class and self-paced online learning using M365 VIVA tools.

    Charter Metrics

    Areas in Scope:

    • Ensure Mission is aligned to the business objectives.
    • Form core team for M365 CoE, including steering committee.
    • Create document for signoff from business sponsors.
    • Build training plans for users, engineers, and admins.
    • Document best practices and build standard templates for organizational uniformity.
    • Build governance charter and priorities, setting up guardrails early to ensure compliance and security.
    • Transition away and retire all legacy on-Prem apps to M365 Cloud apps.
    • Build a RACI model for roles and responsibility.

    Info-Tech Insights

    If meaningful metrics are set up correctly, the CoE can produce results early in the one- or two-year process, demonstrating business value and increasing production amongst staff and demonstrating SME development.

    this image contains example metrics, spread across three phases.

    CoE

    What are the reason to build an M365 CoE, and what is it expected to deliver?

    What It IS NOT

    It does not design or build applications, migrate applications, or create migration plans. It does not deploy applications nor does it operate and monitor applications. While a steering committee is a key part of the M365 CoE, its real function is to set the standards to be achieved though metrics that can measure a successful, efficient, and best-in-class M365 operation. It does not set business goals but does align M365 goals to the business drivers. SMEs in the CoE give guidance on M365 best practices and assist in its adoption and users’ competency.

    What It IS

    M365 CoE means investing in and developing usage growth and adoption while maintaining governance and control. A CoE is designed to drive innovation and improvement, and as a business-wide functional unit, it can break down geographical and organizational silos that utilize their own tools and collaboration platforms. It builds a training and artifacts database of relevant and up-to-date materials.

    Why Build It

    Benefits that can be realized are:

    • Building efficiencies, delivering quality training and knowledge transfer, and reducing risk from an organized and effective governance.
    • Consistency in document and information management.
    • Reusable templates and blueprints that standardize the business processes.
    • Standardized and communicated business policies around security and best practices.
    • Overcoming the challenges that comes with the titan of a platform that is M365.

    Expected Goals and Benefits With Risk

    Demonstrated impact for sustainability
    Ensuring value is delivered
    Ability to escalate to executive branch

    The What?

    What does the M365 CoE solve?

    • M365 Adoption
    • M365 tools templates
    • SME in tools deployment and delivery
    • Training and education – create artifacts and organize training sessions and certifications
    • Empower users into super users
    • Build analytics around usage, adoption, and ROI from license optimization

    And the How?

    How does the M365 CoE do it?

    • By defining clear adoption goals and best practices
    • By building a dedicated team with the confidence to improve the user experience
    • By creating a collection of reusable artifacts.
    • By establishing a stable, tested environment ensures users are not hindered in execution of the tools
    • By continuously improving M365 processes

    What are the Risks?

    • All goals must be achievable
    • Timeline phases are based on core SME competency of the IT department and the training quality of end users
    • Current state of SMEs in house or hired to execute the mandate of the M365 CoE
    • Business success – if business is struggling to make profits and grow, its usually the CoE that will get chopped – mainly due to layoffs
    • Inability to find SMEs or train SMEs
    • Turnover in CoE due to job function changes or attrition
    • Overload of day-to-day responsibilities preventing SMEs from executing work for the CoE – Need to align SMEs and CoE steering chair to establish and enable shared responsibilities.

    Who needs to be in a CoE for M365

    Design the CoE – What model to be used?

    What are their daily tasks? Is the CoE centralized, decentralized, or a combination?

    a flow chart is depicted, starting with the executive steering committee, describing governance 365, and VP applications.

    Info-Tech Insights

    Due to the size and complexity of Microsoft 365, a decentralized model works best. Each segment of the group could in themselves be a CoE, as in governance, training, or collaboration CoE. Maintaining SME in each group will drive the success of the M365 CoE.

    Key Competencies for CoE

    • Build a team of experts in M365 with sub teams in Products.
    • Manage the business processes around M365.
    • Train and optimize technical teams.
    • Share best practices and create a knowledge base.
    • Build processes that are repeatable and self-provisioned.
    This image depicts the core Coe Competencies, Strategy; Technology; Governance; and Skills/Capabilities.

    CoE for M365

    What is the Structure? Is it centralized, decentralized, or combination? What are the pros and cons?

    Thought Model

    This image depicts a thought model describing CoE for M365.

    How does the CoE differ from governance?

    Why is it going to be any more successful?

    “These problems already exist and haven't been successfully addressed by governance – how is the CoE going to be any different?”

    • Leadership
    • Empower end users
    • Automation of processes
    • Retention policies
    • Governance priorities
    • Risk management
    • Standard procedures
    • Set metrics
    • Self service
    • Training
    • SMEs
    • Automation
    • Innovation

    CoE

    While M365 governance is an integral part of the M365 CoE, the CoE is a more strategic program aimed at providing guidance, experienced leadership, and training.

    The CoE is designed to drive innovation and improvements throughout the organization’s M365 deployment. It will build best practices, create artifacts, and mentor members to become SMEs.

    Governance

    CoE is a form of collaborative governance. Those responsible for making the rules are the same ones who are working through how the rules are implemented in practice.

    The word most associated with CoE is "nurture." The word most associated with governance is "prevent."

    The CoE is experimental and innovative and constantly revising its guidance compared to governance, which is opaque and static.

    RACI chart for CoE define activities and ownership

    The Work

    Build artifacts

    Templates

    Scripts

    Reference architecture

    Policies definition

    Blueprints

    Version control

    Measure usage and ROI

    Quality assurance

    Baseline creation and integrity

    ActivitiesSupport Steering CTraining TeamM365 Tools Admin M365 Security AdminDoc Mgt
    Monitor M365 ChangeAIRR
    CommunicationsIR
    TrainingAR
    Support – Microsoft + HelpdeskRI
    Monitor UsageR
    Security and ComplianceAR
    Decom On-PremAR
    Eliminate Shadow ITR
    Identity and AccessAR
    Automate Policies in TennantAR
    Audit MonitorAR
    Data and Information ProtectionARR
    Build TemplatesAAR
    Manage ArtifactsARA

    Steering Committee

    This image contains a screenshot of the organization of the CoE Steering Committee

    Roles and Responsibilities

    • Set the goals and metrics for the CoE charter
    • Ensure the CoE is aligned to the business objectives
    • Clear any roadblocks that may hinder progress for the team leads
    • Provide guidance on best practices
    • Set expectations for training and certifications
    • Build SME strength through mentoring
    • Promote and facilitate research into M365 developments and releases
    • Ensure knowledge transfer is documented
    • Create roadmap to ensure phase KPIs are met and drive toward excellence

    Info-Tech Insight

    Executive sponsorship is an element of the CoE that cannot be overlooked. If this occurs, the funding and longevity of the CoE will be limited. Additionally, ensure you determine if the CoE will have an end of life and what that looks like.

    M365 Governance CoE Team

    Governance and Management

    After you’ve developed and implemented your data classification framework, ongoing governance and maintenance will be critical to your success. In addition to tracking how sensitivity labels are used in practice, you’ll need to update your control requirements based on changes in regulations, cybersecurity leading practices, and the nature of the content you manage. Governance and maintenance efforts can include:

    • Establishing a governance body dedicated to data classification or adding a data classification responsibility to the charter of an existing information security body.
    • Defining roles and responsibilities for those overseeing Data Classification
    • Establishing KPIs to monitor and measure progress
    • Tracking cybersecurity leading practices and regulatory changes
    • Developing Standard Operating Procedures that support and enforce a data classification framework

    Governance CoE

    Tools Used in the Governance CoE Identity – MFA, SSO, Identity Manager, Conditional Access, AD , Microsoft Defender, Compliance Assessments Templates

    Security and Compliance - Azure Purview, Microsoft Defender Threat Analytics, Rules-Based Classification (AIP Client & Scanner), Endpoint DLP, Insider Risk Management

    Information Management – Audit Log Retention, Information Protection and Governance, Trainable Classifiers

    Licenses – Entitlement Management, Risk-Based Conditional Access.

     This image depicts the M365 Governance CoE Team organization.

    M365 Tools CoE Team

    • Collaboration tools are at the center of the product portfolio for M365.
    • Need to get users empowered to manage and operate Teams, OneDrive, and SharePoint Online and promote uniform communications and collaborate with document building, sharing, and storing.

    This image depicts a screenshot of the Tools CoE Team organization

    Collaboration SME – Teams admin, Exchange admin, SharePoint, One Drive admin, Viva Learning (Premium), and Viva Insights (Premium)

    Application SME – Covers all updates and new features related to Office programs

    Power BI SME – Covers Power Automate for Office 365, Power Apps for Office 365, and Power BI Pro

    Voice and Video – Tools-Calling Plan, Audio Conference (Full), Teams Phone, Mobility

    PMO – Manages all M365 products online and in production. Also coordinates enhancements, writes up documentation for updates, and releases them to the training CoE for publication.

    Microsoft 365 tools used to support business

    M365 Training CoE Team

    Training and certifications for both end users and technical staff managing the M365 platform. Ensure that you set goals and objectives with your training schedule.

    this image depicts the framework for the training CoE team.

    Training for SMEs can be broken into two categories:

    First line training is internal training for users, in the collaboration space. Teams, One Drive, SharePoint Online, Exchange, and specialty training on Office tools – Word, PowerPoint, Excel, and Microsoft Forms.

    Second line training is professional development for the SMEs including certifications in M365 admin, Global admin, Teams admin, and SharePoint administrator.

    Additional training and certification can be obtained in governance, information management, and in the admin center for licencing optimization and compliance.

    Tools used

    • Viva topics – Integrated knowledge and expert discovery
    • Viva Insight
    • Viva Learning
    • Viva Connections
    • Dynamics 365
    • Voice of the customer surveys

    Support M365 CoE Team

    This image depicts the framework for m365 CoE team support.

    Support CoE:

    In charge of creating a knowledge base for M365. Manages incidents with access, usage, and administering apps to desktop. Manages change issues related to updates in patching.

    Help Desk Admin:

    Resets passwords when self service fails, force sign out, manages service requests.

    Works with learning CoE to populate knowledge base with articles and templates.

    Manages end user issues with changes and enhancements for M365.

    Supporting Metrics

    • Number of calls for M365 support
    • Recurring M365 incidents
    • Number of unresolved Platform issues
    • First call resolution
    • Knowledge sharing of M365
    • Customer satisfaction
    • Turnaround time of tickets created

    Roadmap

    How does the CoE evolve over time as enterprises become more mature?

    • Depending on the complexity and regulatory requirements of the business, baseline governance and rules around external partners sharing internal documents will need to be set up.
    • Identifying your SMEs in the organization is a perquisite at the beginning stages of setting up the M365 working group.
    • Build a roadmap to get to maturity and competency that brings strategic business value.
    • Meet milestone goals through a two-year, three-phase process. Begin with setting up governance guardrails.
    • Set up foundational baselines against which metrics will be measured.
    • Set up the M365 CoE, at first with target easy wins through group training and policy communications throughout the organization.
    this image depicts the CoE Roadmap, from Foundational Baseline, to Standardize Process, to Optimization

    How do you turn artifacts like best practice documents into actual behavior change?

    this image depicts the process of turning M365 ARtifacts into actual behavioural change within a company

    Info-Tech Insights

    Building Blocks
    The building blocks for a change in end user behavior are based on four criteria which must be clearly communicated. Knowledge transfer from SMEs to the training team is key. That in turn leads to effective knowledge transfer, allowing end users to develop skills quickly that can be shared with their teams. Sharing practices leads to best practices and maintaining these in a repository that can be quickly accessed will build on the efficiencies and effectiveness of the employees.

    How Do You Empower End Users to Innovate?

    Info-Tech Insights

    Understand the Vision

    Empowering End users starts with understanding the business vision that is embedded into the M365 CoE charter.

    Ensure that the business innovation goals are aligned to the organizational strategies.

    The innovative strategies need to be clearly communicated to the employees and the tools to achieve this needs to be mapped out and trained. Clearly lay out the goals, outcomes, and expectations.

    End users need to understand how the M365 CoE will assist them in their day-to-day operations, whether in the collaboration space with their colleagues, or with power BI that assists them in their decision making though analytics.

    The Right Resources

    Arm your team with the resources they need to be successful. Building use cases as part of the training program will give the employees insight into how the M365 tools can be used in their daily work environment. It will also address the pervasive use of nonstandard tools as is seen throughout organizations that are operated in a vacuum.

    Empowering your user base though the knowledge transfer borne through the building of artifacts that deal with real life examples that join the dots for employees.

    By painting a picture of how the innovative use of the M365 platform can be achieved, users will feel empowered and use those use cases to build out their own innovative ideas.

    Hybrid Work

    Digital fabric

    Collaboration – Communication – Creation

    Cloud Services – Innovative Apps – Security

    Productivity anywhere any place

    Shared working documents in secure cloud

    Mesh for Microsoft Teams/Viva

    Power apps and dataverse for Teams

    Self Service M365

    My Apps

    My Sign-Ins

    My Groups

    My Staff

    My Access

    My Account

    Password reset

    Sample Best Practices
    Tools and Standards Templates

    Then communicate them

    Collaboration Best Practices

    Sharing documents

    Real time co-authoring

    Comment

    Meet

    Mobile

    Version History

    Security Best Practices

    This is a screenshot of the Security Best Practices

    Default Security Settings

    Microsoft Security Score

    Enable Alert Policies

    Assign RBAC for Admins

    Enable Continuous Access Evaluation

    Admin Roles Best Practices in M365

    This is a screenshot of the admin roles best ractices in M365.

    Business Success Metrics for M365 CoE

    What does success look like?

    • Are you aligning the M365 metrics to business goals?
    • Are your decisions data driven?
    • Are you able to determine opportunities to improve with your metrics – continuous process improvement?
    • Are you seeing productivity gains, and are they being measured?
    This image contains a screenshot of the Business Success Metrics for M365-CoE: SMC Training; Content published and tagged; Usage Metrics; Cost Metrics; Adoption Metrics; New Product Introduction

    Activity Output

    Start building your M365 CoE and considering the steps for the Phase 1 checklist

    BUILD A FOUNDATIONAL BASELINE

    Step 1

    1. Select Resources to create a CoE working group
    2. Define your goals and objectives
    3. Identify SMEs within the business and do a gap analysis
    4. Build the M365 charter, mission, and vision
    5. Build consensus and sponsorship from C suite
    6. Create an organizational M365 framework that provides best coverage for all touch points to the platform, from support to training to controls.
    7. Determine the type of CoE you want to create that fits your business (centralized, distributed, or a combination).

    Step 2

    1. Build training plans for SMEs and M365 teams
    2. Populate company intranet with artifacts, knowledge articles, and user training portal with all things M365
    3. Build out best practice workbooks, tools, and templates that encompass all departments
    4. Create roles and responsibilities matrix
    5. Identify “super users” in departments to assist with promoting learning and knowledge sharing.
    6. Develop Metrics scorecards on success criteria ensuring they align to business goals

    Step 3

    1. Rational M365 licensing
    2. Create communication plan promoting CoE and M365 advantages
    3. Align your governance posture and building guardrails
    4. Identify legacy apps that can be retired and replaced
    5. Train support team and analysts with metrics supporting M365 CoE goals
    6. Create baseline metrics with clear alignment to business KPIs

    Related Blueprints

    Modernize Your Microsoft Licensing for the Cloud Era

    • Take control of your Microsoft licensing and optimize spend

    Govern Office 365

    • Office 365 is as difficult to wrangle as it is valuable. Leverage best practices to produce governance outcomes aligned with your goals

    Migrate to Office 365 Now

    • One small step to cloud, one big leap to Office 365. The key is to look before you leap

    Build a Data Classification MVP for M365

    • Kickstart your governance with data classification users will actually use!

    Bibliography

    “Five Guiding Principles of a successful Center of Excellence” Perficient, n.d. Web.

    “Self Service in Microsoft 365.” Janbakker.tech, n.d. Web.

    “My Apps portal overview.” Microsoft, June 2, 2022. Web.

    “Collaboration Best Practices Microsoft365.” Microsoft, n.d. Web.

    “Security Best Practices Microsoft 365” Microsoft, July 1, 2022. Web.

    Implement Risk-Based Vulnerability Management

    • Buy Link or Shortcode: {j2store}296|cart{/j2store}
    • member rating overall impact: 9.2/10 Overall Impact
    • member rating average dollars saved: $122,947 Average $ Saved
    • member rating average days saved: 34 Average Days Saved
    • Parent Category Name: Threat Intelligence & Incident Response
    • Parent Category Link: /threat-intelligence-incident-response
    • Vulnerability scanners, industry alerts, and penetration tests are revealing more and more vulnerabilities, and it is unclear how to manage them.
    • Organizations are struggling to prioritize the vulnerabilities for remediation, as there are many factors to consider, including the threat of the vulnerability and the potential remediation option itself.

    Our Advice

    Critical Insight

    • Patches are often considered the only answer to vulnerabilities, but these are not always the most suitable solution.
    • Vulnerability management does not equal patch management. It includes identifying and assessing the risk of the vulnerability, and then selecting a remediation option which goes beyond just patching alone.
    • There is more than one way to tackle the problem. Leverage your existing security controls to protect the organization.

    Impact and Result

    • After this blueprint, you will have created a full vulnerability management program that allows you to take a risk-based approach to vulnerability remediation.
    • Assessing a vulnerability’s risk will enable you to properly determine the true urgency of a vulnerability within the context of your organization; this ensures you are not just blindly following what the tool is reporting.
    • The risk-based approach allows you to prioritize your discovered vulnerabilities and take immediate action on critical and high vulnerabilities, while allowing your standard remediation cycle to address the medium to low vulnerabilities.
    • With your program defined and developed, you now need to configure your vulnerability scanning tool, or acquire one if you don’t already have a tool in place.
    • Lastly, while vulnerability management will help address your systems and applications, how do you know if you are secure from external malicious actors? Penetration testing will offer visibility, allowing you to plug those holes and attain an environment with a smaller risk surface.

    Implement Risk-Based Vulnerability Management Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should design and implement a vulnerability management program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Implement Risk-Based Vulnerability Management – Phases 1-4

    1. Identify vulnerability sources

    Begin the project by creating a vulnerability management team and determine how vulnerabilities will be identified through scanners, penetration tests, third-party sources, and incidents.

    • Vulnerability Management SOP Template

    2. Triage vulnerabilities and assign priorities

    Determine how vulnerabilities will be triaged and evaluated based on intrinsic qualities and how they may compromise business functions and data sensitivity.

    • Vulnerability Tracking Tool
    • Vulnerability Management Risk Assessment Tool
    • Vulnerability Management Workflow (Visio)
    • Vulnerability Management Workflow (PDF)

    3. Remediate vulnerabilities

    Address the vulnerabilities based on their level of risk. Patching isn't the only risk mitigation action; some systems simply cannot be patched, but other options are available. Reduce the risk down to medium/low levels and engage your regular operational processes to deal with the latter.

     

    4. Measure and formalize

    Evolve the program continually by developing metrics and formalizing a policy.

    • Vulnerability Management Policy Template
    • Vulnerability Scanning Tool RFP Template
    • Penetration Test RFP Template

    Infographic

    Workshop: Implement Risk-Based Vulnerability Management

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Identify Vulnerability Sources

    The Purpose

    Establish a common understanding of vulnerability management, and define the roles, scope, and information sources of vulnerability detection.

    Key Benefits Achieved

    Attain visibility on all of the vulnerability information sources, and a common understanding of vulnerability management and its scope.

    Activities

    1.1 Define the scope & boundary of your organization’s security program.

    1.2 Assign responsibility for vulnerability identification and remediation.

    1.3 Develop a monitoring and review process of third-party vulnerability sources.

    1.4 Review incident management and vulnerability management

    Outputs

    Defined scope and boundaries of the IT security program

    Roles and responsibilities defined for member groups

    Process for review of third-party vulnerability sources

    Alignment of vulnerability management program with existing incident management processes

    2 Triage and Prioritize

    The Purpose

    We will examine the elements that you will use to triage and analyze vulnerabilities, prioritizing using a risk-based approach and prepare for remediation options.

    Key Benefits Achieved

    A consistent, documented process for the evaluation of vulnerabilities in your environment.

    Activities

    2.1 Evaluate your identified vulnerabilities.

    2.2 Determine high-level business criticality.

    2.3 Determine your high-level data classifications.

    2.4 Document your defense-in-depth controls.

    2.5 Build a classification scheme to consistently assess impact.

    2.6 Build a classification scheme to consistently assess likelihood.

    Outputs

    Adjusted workflow to reflect your current processes

    List of business operations and their criticality and impact to the business

    Adjusted workflow to reflect your current processes

    List of defense-in-depth controls

    Vulnerability Management Risk Assessment tool formatted to your organization

    Vulnerability Management Risk Assessment tool formatted to your organization

    3 Remediate Vulnerabilities

    The Purpose

    Identifying potential remediation options.

    Developing criteria for each option in regard to when to use and when to avoid.

    Establishing exception procedure for testing and remediation.

    Documenting the implementation of remediation and verification.

    Key Benefits Achieved

    Identifying and selecting the remediation option to be used

    Determining what to do when a patch or update is not available

    Scheduling and executing the remediation activity

    Planning continuous improvement

    Activities

    3.1 Develop risk and remediation action.

    Outputs

    List of remediation options sorted into “when to use” and “when to avoid” lists

    4 Measure and Formalize

    The Purpose

    You will determine what ought to be measured to track the success of your vulnerability management program.

    If you lack a scanning tool this phase will help you determine tool selection.

    Lastly, penetration testing is a good next step to consider once you have your vulnerability management program well underway.

    Key Benefits Achieved

    Outline of metrics that you can then configure your vulnerability scanning tool to report on.

    Development of an inaugural policy covering vulnerability management.

    The provisions needed for you to create and deploy an RFP for a vulnerability management tool.

    An understanding of penetration testing, and guidance on how to get started if there is interest to do so.

    Activities

    4.1 Measure your program with metrics, KPIs, and CSFs.

    4.2 Update the vulnerability management policy.

    4.3 Create an RFP for vulnerability scanning tools.

    4.4 Create an RFP for penetration tests.

    Outputs

    List of relevant metrics to track, and the KPIs, CSFs, and business goals for.

    Completed Vulnerability Management Policy

    Completed Request for Proposal (RFP) document that can be distributed to vendor proponents

    Completed Request for Proposal (RFP) document that can be distributed to vendor proponents

    Further reading

    Implement Risk-Based Vulnerability Management

    Get off the patching merry-go-round and start mitigating risk!

    Table of Contents

    4 Analyst Perspective

    5 Executive Summary

    6 Common Obstacles

    8 Risk-based approach to vulnerability management

    16 Step 1.1: Vulnerability management defined

    24 Step 1.2: Defining scope and roles

    34 Step 1.3: Cloud considerations for vulnerability management

    33 Step 1.4: Vulnerability detection

    46 Step 2.1: Triage vulnerabilities

    51 Step 2.2: Determine high-level business criticality

    56 Step 2.3: Consider current security posture

    61 Step 2.4: Risk assessment of vulnerabilities

    71 Step 3.1: Assessing remediation options

    Table of Contents

    80 Step 3.2: Scheduling and executing remediation

    85 Step 3.3: Continuous improvement

    89 Step 4.1: Metrics, KPIs, and CSFs

    94 Step 4.2: Vulnerability management policy

    97 Step 4.3: Select & implement a scanning tool

    107 Step 4.4: Penetration testing

    118 Summary of accomplishment

    119 Additional Support

    120 Bibliography

    Analyst Perspective

    Vulnerabilities will always be present. Know the unknowns!

    In this age of discovery, technology changes at such a rapid pace. New things are discovered, both in new technology and in old. The pace of change can often be very confusing as to where to start and what to do.

    The ever-changing nature of technology means that vulnerabilities will always be present. Taking measures to address these completely will consume all your department’s time and resources. That, and your efforts will quickly become stale as new vulnerabilities are uncovered. Besides, what about the systems that simply can’t be patched? The key is to understand the vulnerabilities and the levels of risk they pose to your organization, to prioritize effectively and to look beyond patching.

    A risk-based approach to vulnerability management will ensure you are prioritizing appropriately and protecting the business. Reduce the risk surface!

    Vulnerability management is more than just systems and application patching. It is a full process that includes patching, compensating controls, segmentation, segregation, and heightened diligence in security monitoring.

    Jimmy Tom, Research Advisor – Security, Privacy, Risk, and Compliance, Info-Tech Research Group. Jimmy Tom
    Research Advisor – Security, Privacy, Risk, and Compliance
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Vulnerability scanners, industry alerts, and penetration tests are revealing more and more vulnerabilities, and it is unclear how to manage them.

    Organizations are struggling to prioritize the vulnerabilities for remediation, as there are many factors to consider, including the threat of the vulnerability and the potential remediation option.

    Common Obstacles

    Patches are often seen as the answer to vulnerabilities, but these are not always the most suitable solution.

    Some systems deemed vulnerable simply cannot be patched or easily replaced.

    Companies are unaware of the risk implications that come from leaving the vulnerability open and from the remediation option itself.

    Info-Tech’s Approach

    Design and implement a vulnerability management program that identifies, prioritizes, and remediates vulnerabilities.

    Understand what needs to be considered when implementing remediation options, including patches, configuration changes, and defense-in-depth controls.

    Build a process that is easy to understand and allows vulnerabilities to be remediated proactively, instead of in an ad hoc fashion.

    Info-Tech Insight

    Vulnerability management does not always equal patch management. There is more than one way to tackle the problem, particularly if a system cannot be easily patched or replaced. If a vulnerability cannot be completely remediated, steps to reduce the risk to a tolerable level must be taken.

    Common obstacles

    These barriers make vulnerability management difficult to address for many organizations:
    • The value of vulnerability management is not well articulated in many organizations. As a result, investment in vulnerability scanning technology is often insufficient.
    • Many organizations feel that a “patch everything” approach is the most effective path.
    • Vulnerability management is commonly misunderstood as being a process that only supports patch management.
    • There is often misalignment between SecOps and ITOps in remediation action and priority, affecting the timeliness of remediation.
    CVSS Score Distribution From the National Vulnerability Database: Pie Charts presenting the CVSS Core Distribution for the National Vulnerability Database. The left circle represents 'V3' and the right 'V2', where V3 has an extra option for 'Critical', above 'High', 'Medium', and 'Low', and V2 does not.
    (Source: NIST National Vulnerability Database Dashboard)

    Leverage risk to sort, triage, and prioritize vulnerabilities

    Reduce your risk surface to avoid cost to your business; everything else is table stakes.

    Reduce the critical and high vulnerabilities below the risk threshold and operationalize the remediation of medium/low vulnerabilities by following your effective vulnerability management program cycles.

    Identify vulnerability sources

    An inventory of your scanning tool and vulnerability threat intelligence data sources will help you determine a viable strategy for addressing vulnerabilities. Defining roles and responsibilities ahead of time will ensure you are not left scrambling when dealing with vulnerabilities.

    Triage and prioritize

    Bring the vulnerabilities into context by assessing vulnerabilities based on your security posture and mechanisms and not just what your data sources report. This will allow you to gauge the true urgency of the vulnerabilities based on risk and determine an effective mitigation plan.

    Remediate vulnerabilities

    Address the vulnerabilities based on their level of risk. Patching isn't the only risk mitigation action; some systems simply cannot be patched, but other options are available.

    Reduce the risk down to medium/low levels and engage your regular operational processes to deal with the latter.

    Measure and formalize

    Upon implementation of the program, measure with metrics to ensure that the program is successful. Improve the program with each iteration of vulnerability mitigation to ensure continuous improvement.

    Tactical Insight 1

    All actions to address vulnerabilities should be based on risk and the organization’s established risk tolerance.

    Tactical Insight 2

    Reduce the risk surface down below the risk threshold.

    The industry has shifted to a risk-based approach

    Traditional vulnerability management is no longer viable.

    “For those of us in the vulnerability management space, ensuring that money, resources, and time are strategically spent is both imperative and difficult. Resources are dwindling fast, but the vulnerability problem sure isn’t.” (Kenna Security)

    “Using vulnerability scanners to identify unpatched software is no longer enough. Keeping devices, networks, and digital assets safe takes a much broader, risk-based vulnerability management strategy – one that includes vulnerability assessment and mitigation actions that touch the entire ecosystem.” (Balbix)

    “Unlike legacy vulnerability management, risk-based vulnerability management goes beyond just discovering vulnerabilities. It helps you understand vulnerability risks with threat context and insight into potential business impact.” (Tenable)

    “A common mistake when prioritizing patching is equating a vulnerability’s Common Vulnerability Scoring System (CVSS) score with risk. Although CVSS scores can provide useful insight into the anatomy of a vulnerability and how it might behave if weaponized, they are standardized and thus don’t reflect either of the highly situational variables — namely, weaponization likelihood and potential impact — that factor into the risk the vulnerability poses to an organization.” (SecurityWeek)

    Why a take risk-based approach?

    Vulnerabilities, by the numbers

    60% — In 2019, 60% of breaches were due to unpatched vulnerabilities.

    74% — In the same survey, 74% of survey responses said they cannot take down critical applications and systems to patch them quickly. (Source: SecurityBoulevard, 2019)

    Info-Tech Insight

    Taking a risk-based approach will allow you to focus on mitigating risk, rather than “just patching” your environment.

    The average cost of a breach in 2020 is $3.86 million, and “…the price tag was much less for mature companies and industries and far higher for firms that had lackluster security automation and incident response processes.” (Dark Reading)

    Vulnerability Management

    A risk-based approach

    Reduce the risk surface to avoid cost to your business, everything else is table stakes

    Logo for Info-Tech.
    Logo for #iTRG.

    1

    Identify

    4

    Address

      Mitigate the risk surface by reducing the time across the phases › Mitigate the risk by implementing:
    • patch systems & apps
    • compensating controls
    • systems and apps hardening
    • systems segregation
    Chart presenting an example of 'Risk Surface' with the axes 'Risk Level' and 'Time' with lines created by individual risks. The highlighted line begins in 'Critical' and eventually drops to low. The area between the line and your organization's risk tolerance is labelled 'Risk Surface'.

    Objective: reduce risk surface by reducing time to address

    Your organization's risk tolerance threshold

      Identify vulnerability management scanning tools & external threat intel sources (Mitre CVE, US-CERT, vendor alerts, etc.) Vulnerability information feeds:
    • scanning tool
    • external threat intel
    • internal threat intel

    2

    Analyze

      Assign actual risk (impact x urgency) to the organization based on current security posture

    Triage based on risk ›

    Your organization's risk tolerance threshold

    Risk tolerance threshold map with axes 'Impact' and 'Likelihood'. High levels of one and low levels of the other, or medium levels of both, is 'Medium', High level of one and Medium levels of the other is 'High', and High levels of both is 'Critical'.

    3

    Assess

      Plan risk mitigation strategy › Consider:
    • risk tolerance
    • compensating controls
    • business impact

    Info-Tech’s vulnerability management methodology

    Focus on developing the most efficient processes.

    Vulnerability management isn’t “old school.”

    The vulnerability management market is relatively mature; however, vulnerability management remains a very relevant and challenging topic.

    Security practitioners are inundated with the advice they need to prioritize their vulnerabilities. Every vulnerability scanning vendor will proclaim their ability to prioritize the identified vulnerabilities.

    Third-party prioritization methodology can’t be effectively applied across all organizations. Each organization is too unique with different constraints. No tool or service can account for these variables.

    Equation to find 'Vulnerability Priority'.

    When patching is not possible, other options exist: configuration changes (hardening), defense-in-depth, compensating controls, and even elevated security monitoring are possible options.

    Info-Tech Insight

    Vulnerability management is not only patch management. Patching is only one aspect.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Key deliverable:

    Vulnerability Management SOP

    The Standard operating procedure (SOP) will comprise the end-to-end description of the program: roles & responsibilities, data flow, and expected outcomes of the program.

    Sample of the key deliverable, Vulnerability Management SOP.
    Vulnerability Management Policy

    Template for your vulnerability management policy.

    Sample of the Vulnerability Management Policy blueprint. Vulnerability Tracking Tool

    This tool offers a template to track vulnerabilities and how they are remedied.

    Sample of the Vulnerability Tracking Tool blueprint.
    Vulnerability Scanning RFP Template

    Request for proposal template for the selection of a vulnerability scanning tool.

    Sample of the Vulnerability Scanning RFP Template blueprint. Vulnerability Risk Assessment Tool

    Methodology to assess vulnerability risk by determining impact and likelihood.

    Sample of the Vulnerability Risk Assessment Tool blueprint.

    Blueprint benefits

    IT Benefits

    • A standardized, consistent methodology to assess, prioritize, and remediate vulnerabilities.
    • A risk-based approach that aligns with what’s important to the business.
    • A way of dealing with the high volumes of vulnerabilities that your scanning tool is reporting.
    • Identification of “where to start” in terms of vulnerability management.
    • Ability to not lose yourself in the patch madness but rather take a sound approach to scheduling and prioritizing patches and updates.
    • Knowledge of what to do when patching is simply not possible or feasible.

    Business Benefits

    • Alignment with IT in ensuring that business processes are only interrupted when absolutely necessary while maintaining a regular cadence of vulnerability remediation.
    • A consistent program that the business can plan around and predict when interruptions will occur.
    • IT’s new approach being integrated with existing IT operations processes, offering the most efficient yet expedient method of dealing with vulnerabilities.

    Info-Tech’s process can save significant financial resources

    Phase Measured Value
    Phase 1: Identify vulnerability sources
      Define the process, scope, roles, vulnerability sources, and current state
      • Consultant at $100 an hour for 16 hours = $1,600
    Phase 2: Triage vulnerabilities and assign urgencies
      Establish triaging and vulnerability evaluation process
      • Consultant at $100 an hour for 16 hours = $1,600
      Determine high-level business criticality and data classifications
      • Consultant at $100 an hour for 40 hours = $4,000
      Assign urgencies to vulnerabilities
      • Consultant at $100 an hour for 8 hours = $800
    Phase 3: Remediate vulnerabilities
      Prepare documentation for the vulnerability process
      • Consultant at $100 an hour for 8 hours = $800
      Establish defense-in-depth modelling
      • Consultant at $100 an hour for 24 hours = $2,400
      Identify remediation options and establish criteria for use
      • Consultant at $100 an hour for 40 hours = $4,000
      Formalize backup and testing procedures, including exceptions
      • Consultant at $100 an hour for 8 hours = $800
      Remediate vulnerabilities and verify
      • Consultant at $100 an hour for 24 hours = $2,400
    Phase 4: Continually improve the vulnerability management process
      Establish a metrics program for vulnerability management
      • Consultant at $100 an hour for 16 hours = $1,600
      Update vulnerability management policy
      • Consultant at $100 an hour for 8 hours = $800
      Develop a vulnerability scanning tool RFP
      • Consultant at $100 an hour for 40 hours = $4,000
      Develop a penetration test RFP
      • Consultant at $100 an hour for 40 hours = $4,000
    Potential financial savings from using Info-Tech resources Phase 1 ($1,600) + Phase 2 ($6,400) + Phase 3 ($10,400) + Phase 4 ($10,400) = $28,800

    Guided Implementation

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between 8 to 12 calls over the course of 4 to 6 months.

    What does a typical GI on this topic look like?

    Phase 1

    Phase 2

    Phase 3

    Phase 4

    Call #1: Scope requirements, objectives, and your specific challenges.

    Call #2: Discuss current state and vulnerability sources.

    Call #3: Identify triage methods and business criticality.

    Call #4:Review current defense-in-depth and discuss risk assessment.

    Call #5: Discuss remediation options and scheduling.

    Call #6: Review release and change management and continuous improvement.

    Call #7: Identify metrics, KPIs, and CSFs.

    Call #8: Review vulnerability management policy.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

      Day 1 Day 2 Day 3 Day 4 Day 5
    Activities
    Identify vulnerability sources

    1.1 What is vulnerability management?

    1.2 Define scope and roles

    1.3 Cloud considerations for vulnerability management

    1.4 Vulnerability detection

    Triage and prioritize

    2.1 Triage vulnerabilities

    2.2 Determine high-level business criticality

    2.3 Consider current security posture

    2.4 Risk assessment of vulnerabilities

    Remediate vulnerabilities

    3.1 Assess remediation options

    3.2 Schedule and execute remediation

    3.3 Drive continuous improvement

    Measure and formalize

    4.1 Metrics, KPIs & CSFs

    4.2 Vulnerability Management Policy

    4.3 Select & implement a scanning tool

    4.4 Penetration testing

    Next Steps and Wrap-Up (offsite)

    5.1 Complete in-progress deliverables from previous four days

    5.2 Set up review time for workshop deliverables and to discuss next steps

    Deliverables
    1. Scope and boundary definition of vulnerability management program
    2. Responsibility assignment for vulnerability identification and remediation
    3. Monitoring and review process of third-party vulnerability sources
    4. Incident management and vulnerability convergence
    1. Methodology for evaluating identified vulnerabilities
    2. Identification of high-level business criticality
    3. Defined high-level data classifications
    4. Documented defense-in-depth controls
    5. Risk assessment criteria for impact and likelihood
    1. Documented risk assessment methodology and remediation options
    1. Defined metrics, key performance indicators (KPIs), and critical success factors (CSFs)
    2. Initial draft of vulnerability management policy
    3. Scanning tool selection criteria
    4. Introduction to penetration testing
    1. Completed vulnerability management standard operating procedure
    2. Defined vulnerability management risk assessment criteria
    3. Vulnerability management policy draft

    Implement Risk-Based Vulnerability Management

    Phase 1

    Identify Vulnerability Sources

    Phase 1

    1.1 What is vulnerability management?
    1.2 Define scope and roles
    1.3 Cloud considerations for vulnerability management
    1.4 Vulnerability detection

     

    Phase 2

    2.1 Triage vulnerabilities
    2.2 Determine high-level business criticality
    2.3 Consider current security posture
    2.4 Risk assessment of vulnerabilities

     

    Phase 3

    3.1 Assessing remediation options
    3.2 Scheduling and executing remediation
    3.3 Continuous improvement

     

    Phase 4

    4.1 Metrics, KPIs & CSFs
    4.2 Vulnerability management policy
    4.3 Select and implement a scanning tool
    4.4 Penetration testing

    This phase will walk you through the following activities:

    Establish a common understanding of vulnerability management, define the roles, scope, and information sources of vulnerability detection.

    This phase involves the following participants:

    • Security operations team
    • IT Security Manager
    • IT Director
    • CISO

    Step 1.1

    Vulnerability Management Defined

    Activities

    None for this section

    This step will walk you through the following activities:

    Establish a common understanding of vulnerability management and its place in the IT organization.

    This step involves the following participants:

    • Security operations team
    • IT Security Manager
    • IT Director
    • CISO

    Outcomes of this step

    Foundational knowledge of vulnerability management in your organization.

    Identify vulnerability sources
    Step 1.1 Step 1.2 Step 1.3 Step 1.4

    What is vulnerability management?

    It’s more than just patching.

    • Vulnerability management is the regular and ongoing practice of scanning an operating environment to uncover vulnerabilities. These vulnerabilities can be outdated applications, unpatched operating systems and software, open ports, obsolete hardware, or any combination of these.
    • The scanning and detection of vulnerabilities is the first step. Planning and executing of remediation is next, along with the approach, prioritized sequence of events, and timing.
    • A vendor-supplied software patch or firmware update is often the easy answer, however, this is not always a viable solution. What if you can’t patch in a timely fashion? What if patching is not possible as it will break the application and bring down operations? What if no patch exists due to the age of the application or operating platform?

    “Most organizations do not have a formal process for vulnerability management.” (Morey Haber, VP of Technology, BeyondTrust, 2016)

    Effective vulnerability management

    It’s not easy, but it’s much harder without a process in place.
    • Effective vulnerability management requires a formal process for organizations to follow; without one, vulnerabilities are dealt with in an ad hoc fashion.
    • Patching isn’t the only solution, but it’s the one that often draws focus.
    • Responsibilities for the different aspects of vulnerability management are often unclear, such as for testing, remediation, and implementation.
    • Identifying new threats without proper vulnerability scanning tools can be a near-impossible task.
    • Determining which vulnerabilities are most urgent can be an inconsistent process, increasing the organizational risk.
    • Measuring the effectiveness of your vulnerability remediation activities can help you better manage resources in SecOps and ITOps. Your staff will be spending the appropriate effort on vulnerabilities that warrant that level of attention.

    You’re not just doing this for yourself. It’s also for your auditors.

    Many compliance and regulatory obligations require organizations to have thorough documentation of their vulnerability management practices.

    Vulnerability management revolves around your asset security services

    Diagram with 'Asset Security Services' at the center. On either side are 'Network Security Services' and 'Identity Security Services', all three of which flow up into 'Security Analytics | Security Incident Response', and all four share a symbiotic flow with 'Management' below and contribute to 'Mega Trend Mapping' above. Management is supported by 'Governance'. Vulnerabilities can be found primarily within your assets but also connect to your information risk management. These must be effectively managed as part of a holistic security program.

    Without management, vulnerabilities left unattended can be easy for attackers to exploit. It becomes difficult to identify the correct remediation option to mitigate against the vulnerabilities.

    Vulnerability management works in tandem with SecOps and ITOps

    Vulnerability Management Process Inputs/Outputs:
    'Vulnerability Management (Process and Tool)' outputs are 'Incident Management', 'Release Management', 'Change Management', 'IT Asset Management', 'Application Security Testing', 'Threat Intelligence', and 'Security Risk Management'; inputs are 'Vulnerability Disclosure', 'Threat Intelligence', and 'Security Risk Management'.

    Arrows denote direction of information feed

    Vulnerability management serves as the input into a number of processes for remediation, including:
    • Incident management, to deal with issues
    • Release management, for patch management
    • Change management, for change control
    • IT asset management, to track version information, e.g. for patching
    • Application security testing, for the verification of vulnerabilities

    A two-way data flow exists between vulnerability management and:

    • Security risk management, for the overall risk posture of the organization
    • Threat intelligence, as vulnerability management reveals only one of several threat vectors

    For additional information please refer to Info-Tech’s research for each area:

    • Vulnerability management can leverage your existing processes to gain an operational element for the program.
    • As you strive to mature each of the processes on their own, vulnerability management will benefit accordingly.
    • Review our research for each of these areas and speak to one of our analysts if you wish to improve any of the listed processes.

    Info-Tech’s Information Security Program Framework

    Vulnerability management is a component of the Infrastructure Security section of Security Management

    Information Security Framework with Level 1 and Level 2 capabilities in two main sections, 'Management' and 'Governance'. Level 2 capabilities are grouped within Level 1 capabilities. For more information, review our Build an Information Security Strategy blueprint, or speak to one of our analysts.

    Info-Tech Insight

    Vulnerability management is but one piece of the information security puzzle. Ensure that you have all the pieces!

    Case Study

    Logo for Cimpress.
    INDUSTRY: Manufacturing
    SOURCE: Cimpress, 2016

    One organization is seeing immediate benefits by formalizing its vulnerability management program.

    Challenge

    Cimpress was dealing with many challenges in regards to vulnerability management. Vulnerability scanning tools were used, but the reports that were generated often gave multiple vulnerabilities that were seen as critical or high and required many resources to help address them. Scanning was done primarily in an attempt to adhere to PCI compliance rather than to effectively enable security. After re-running some scans, Cimpress saw that some vulnerabilities had existed for an extended time period but were deemed acceptable.

    Solution

    The Director of Information Security realized that there was a need to greatly improve this current process. Guidelines and policies were formalized that communicated when scans should occur and what the expectations for remediations should be. Cimpress also built a tiered approach to prioritize vulnerabilities for remediation that is specific to Cimpress instead of relying on scanning tool reports.

    Results

    Cimpress found better management of the vulnerabilities within its system. There was no pushback to the adoption of the policies, and across the worldwide offices, business units have been proactively trying to understand if there are vulnerabilities. Vulnerability management has been expanded to vendors and is taken into consideration when doing any mergers and acquisitions. Cimpress continues to expand its program for vulnerability management to include application development and vulnerabilities within any existing legacy systems.

    Step 1.2

    Defining the scope and roles

    Activities
    • 1.2.1 Define the scope and boundary of your organization’s security program
    • 1.2.2 Assign responsibility for vulnerability identification and remediation

    This step will walk you through the following activities:

    Define and understand the scope and boundary of the security program. For example, does it include OT? Define roles and responsibilities for vulnerability identification and remediation

    This step involves the following participants:

    • Security operations team
    • IT Security Manager
    • IT Director
    • CISO

    Outcomes of this step

    Understand how far vulnerability management extends and what role each person in IT plays in the remediation of vulnerabilities

    Identify vulnerability sources
    Step 1.1 Step 1.2 Step 1.3 Step 1.4

    Determine the scope of your security program

    This will help you adjust the depth and breadth of your vulnerability management program.
    • Determining the scope will help you decide how much organizational risk the vulnerability management program will oversee.
    • Scope can be defined along four aspects:
      • Data Scope – What data elements in your organization does your security program cover? How is data classified?
      • Physical Scope – What physical scope, such as geographies, does the security program cover?
      • Organizational Scope – How are business units engaged with security initiatives? Does the scope cover all subsidiary organizations?
      • IT Scope – What parts of the organization does IT cover? Does their coverage include operational technology (OT) and industrial control systems (ICS)?
    Stock image of figures standing in connected circles.

    1.2.1 Define the scope and boundary of your organization’s security program

    60 minutes

    Input: List of Data Scope, Physical Scope, Organization Scope, and IT Scope

    Output: Defined scope and boundaries of the IT security program

    Materials: Whiteboard/Flip Charts, Sticky Notes, Markers, Vulnerability Management SOP Template

    Participants: Business stakeholders, IT leaders, Security team members

    1. On a whiteboard, write the headers: Data Scope, Physical Scope, Organizational Scope, and IT Scope.
    2. Give each group member a handful of sticky notes. Ask them to write down as many items as possible for the organization that could fall under one of the four scope buckets.
    3. In a group, discuss the sticky notes and the rationale for including them. Discuss your security-related locations, data, people, and technologies, and define their scope and boundaries.

    The goal is to identify what your vulnerability management program is responsible for and document it.

    Consider the following:

    How is data being categorized and classified? How are business units engaged with security initiatives? How are IT systems connected to each other? How are physical locations functioning in terms of information security management?

    Download the Vulnerability Management SOP Template

    Assets are part of the scope definition

    An inventory of IT assets is necessary if there is to be effective vulnerability management.

    • Organizations need an up-to-date and comprehensive asset inventory for vulnerability management. This is due to multiple reasons:
      • When vulnerabilities are announced, they will need to be compared to an inventory to determine if the organization has any relevant systems or versions.
      • It indicates where all IT assets can be found both physically and logically.
      • Asset inventories typically have owners assigned to the assets and systems whose responsibility it is to carry out remediations for vulnerabilities.
    • Furthermore, asset inventories can provide insight into where data can be found within the organization. This is extremely useful within a formal data classification program, which plays a large factor in vulnerability management.
    If you need assistance building your asset inventory, review Info-Tech’s Implement Hardware Asset Management and Implement Software Asset Management blueprints.

    Info-Tech Insight

    Create a formal IT asset inventory before continuing with the rest of this project. Otherwise, you risk being at the mercy of a weak vulnerability management program.

    Assign responsibility for vulnerability identification and remediation

    Determine who is critical to effectively detecting and managing vulnerabilities.
    • Some of the remediation steps will involve members of IT management to identify the true organizational risk of a vulnerability.
    • Vulnerability remediation comes in different shapes and sizes. In addition to patching, this can include implementing compensating controls, server and application hardening, or the segregating of vulnerable systems.
      • Who carries out each of these activities? Who coordinates the activities and tracks them to ensure completion?
    • The people involved may be members outside of the security team, such as members from IT operations, infrastructure, and applications. The specific roles that each of these groups play should be clearly identified.
    Stock image of many connected profile photos in a cloud network.

    1.2.2 Assign responsibility for vulnerability identification and remediation

    60 minutes

    Input: Sample list of vulnerabilities and requisite actions from each group, High-level organizational chart with area functions

    Output: Defined set of roles and responsibilities for member groups

    Materials: Vulnerability Management SOP Template

    Participants: CIO, CISO, IT Management representatives for each area of IT

    1. Display the table of responsibilities that need to be assigned.
    2. List all the positions within the IT security team.
    3. Map these to the positions that require IT security team members.
    4. List all positions that are part of the IT team.
    5. Map these to the positions that require IT team members.

    If your organization does not have a dedicated IT security team, you can perform this exercise by mapping the relevant IT staff to the different positions shown on the right.

    Download the Vulnerability Management SOP Template Sample of the Roles and Responsibilities table from the Vulnerability Management SOP Template.

    Step 1.3

    Cloud considerations for vulnerability management

    Activities

    None for this section.

    This step will walk you through the following activities:

    Review cloud considerations for vulnerability management

    This step involves the following participants:

    • Security operations team
    • IT Security Manager
    • IT Director
    • CISO

    Outcomes of this step

    Understand the various types of cloud offerings and the implications (and limitations) of vulnerability management in a cloud environment.

    Identify vulnerability sources
    Step 1.1 Step 1.2 Step 1.3 Step 1.4

    Cloud considerations

    Cloud will change your approach to vulnerability management.
    • There will be a heavy dependence on the cloud service provider to ensure that vulnerabilities in their foundational technologies have been addressed.
    • Depending on the level of “as-a-Service,” customers will have varying degrees of control and visibility into the underlying operations.
    • With vendor acquiescence, you can set your tool to scan a given cloud environment, depending on how much visibility you have into their environment based on the service you have purchased.
    • Due to compliance obligations of their customers, there is a growing trend among cloud providers to allow more scanning of cloud environments.
    • In the absence of customer scanning capability, vendors may offer attestation of vulnerability management and remediation.
    Table outlining who has control, between the 'Organization' and the 'Vendor', of different cloud capabilities in different cloud strategies.

    For more information, see Info-Tech Research Group’s Document Your Cloud Strategy blueprint.

    Cloud environment scanning

    Cloud scanning is becoming a more common necessity but still requires special consideration.

    An organization’s cloud environment is just an extension of its own environment. As such, cloud environments need to be scanned for vulnerabilities.

    Private Cloud
    If your organization owns a private cloud, these environments can be tested normally.
    Public Cloud
    Performing vulnerability testing against public, third-party cloud environments is an area experiencing rapid growth and general acceptance, although customer visibility will still be limited.

    In many cases, a customer must rely on the vendor’s assurance that vulnerabilities are being addressed in a sufficient manner.

    Security standards’ compliance requirements are driving the need for cloud suppliers to validate and assure that they are appropriately scanning for and remediating vulnerabilities.

    Infrastructure- or Platform-as-a-Service (IaaS or PaaS) Environments
    • There is a general trend for PaaS and IaaS vendors to allow testing if given due notice.
    • Your contract with the cloud vendor or the vendor’s terms and conditions will outline the permissibility of customer vulnerability scanning. In some cases, a cloud vendor will deny the ability to do vulnerability scanning if they already provide a solution as part of their service.
    • Always ensure that the vendor is aware of your vulnerability scanning activity so that false positives aren’t triggering their security measures as possible denial-of-service (DoS) attacks.
    Software-as-a-Service (SaaS) Environments
    • SaaS offers very limited visibility to the services behind the software that the customer sees. You therefore cannot test for patch levels or vulnerabilities.
    • SaaS customers must rely exclusively on the provider for the regular scanning and remediation of vulnerabilities in the back-end technologies supporting the SaaS application.
    • You can only test the connection points to SaaS environments. This involves trying to figure out what you can see, e.g. looking for encrypted traffic.

    Certain testing (e.g. DoS or load testing) will be very limited by your cloud vendor. Cloud vendors won’t open themselves to testing that would possibly impact their operations.

    Step 1.4

    Vulnerability detection

    Activities
    • 1.4.1 Develop a monitoring and review process of third-party vulnerability sources
    • 1.4.2 Incident management and vulnerability management

    This step will walk you through the following activities:

    Create an inventory of your vulnerability monitoring capability and third-party vulnerability information sources.

    Determine how incident management and vulnerability management interoperate.

    This step involves the following participants:

    • Security operations team
    • IT Security Manager
    • IT Director
    • CISO

    Outcomes of this step

    Catalog of vulnerability information data sources. Understanding of the intersection of incident management and vulnerability management.

    Identify vulnerability sources
    Step 1.1 Step 1.2 Step 1.3 Step 1.4

    Vulnerability detection

    Vulnerabilities can be identified through numerous mediums.

    Info-Tech has determined the following to be the four most common ways to identify vulnerabilities.

    Vulnerability Assessment and Scanning Tools
    • Computer programs that function to identify and assess security vulnerabilities and weaknesses within computers, computer systems, applications, or networks.
    • Using a known vulnerability database, the tool scans targeted hosts or systems to identify flaws and generate reports and recommendations based on the results.
    • There are four main types of tools under this category: network and operating system vulnerability scanners, application scanning and testing tools, web application scanners, and exploitation tools.
    Penetration Tests
    • The act of identifying vulnerabilities on computers, computer systems, applications, or networks followed by testing of the vulnerability to validate the findings.
    • Penetration tests are considered a service that is offered by third-parties in which a variety of products, tools, and methods are used to exploit systems and gain access to data.
    Open Source Monitoring
    • New vulnerabilities are detected daily with each vulnerability’s information being uploaded to an information-sharing platform to enable other organizations to be able to identify the same vulnerability on their systems.
    • Open source platforms are used to alert and distribute information on newly discovered vulnerabilities to security professionals.
    Security Incidents
    • Any time an incident response plan is called into action to mitigate an incident, there should be formal communication with the vulnerability management team.
    • Any IT incident an organization experiences should provide a feed for analysis into your vulnerability management program.

    Automate with a vulnerability scanning tool

    Vulnerabilities are too numerous for manual scanning and detection.
    • Vulnerability management is not only the awareness of the existence of vulnerabilities but that they are actively present in your environment.
    • A vulnerability scanner will usually report dozens, if not hundreds, of vulnerabilities on a regular and recurring basis. Typical IT environments have several dozen, if not hundreds, of servers. We haven’t even considered the amount of network equipment or the hundreds of user workstations in an environment.
    • This tool will give you information of the presence of a vulnerability in your environment and the host on which the vulnerability exists. This includes information on the version of software that contains a vulnerability and whether you are running that version. The tool will also report on the criticality of the vulnerability based on industry criticality ratings.
    • The tools are continually updated by the vendor with the latest definition updates for the latest vulnerabilities out there. This ensures you are always scanning for the greatest number of potential vulnerabilities.
    Automation requires oversight.
    1. Vulnerability scanners bring great automation to the task of scanning and detecting vulnerabilities in high numbers.
    2. Vulnerability scanners, however, do not have your level of intelligence. Any compensating controls, network segregation, or other risk mitigation features that you have in place will not be known by the tool.
    3. Determining the risk and urgency of a vulnerability within the context of your specific environment will still require internal review by you or your SecOps team.

    For guidance on tool selection

    Refer to section 4.3 Selecting and Implement a Scanning Tool in this blueprint.

    Vulnerability scanning tool considerations

    Select a vulnerability scanning tool with the features you need to be effective.
    • Vulnerability scanning tool selection can be an exciting and confusing process. You will need to consider what features you desire in a tool and whether you want the tool to go beyond just scanning and reporting.
    • In addition to vulnerability scanning, some tools will integrate with your IT service management (service desk ticketing system) tool and asset, configuration, and change management modules. This can facilitate the necessary workflow that the remediation process follows once a vulnerability is discovered.
    • A number of vulnerability scanning tool vendors have started offering remediation as part of their software features. This includes the automation and orchestration functionality and configuration and asset management to track its remediation activities.
    • A side benefit of the asset discovery feature in vulnerability scanning tools is that it can help enhance an organization’s asset inventory and license compliance, particularly in cases where end users are able to install software on their workstations.
    Stock photo of a smartphone scanning a barcode.

    For guidance on tool vendors

    Visit SoftwareReviews for information on vulnerability management tools and vendors.

    Vulnerability scanning tool best practices

    How often should scans be performed?

    One-off scans provide snapshots in time. Repeated scans over time provide tracking for how systems are changing and how well patches are being applied and software is being updated.

    The results of a scan (asset inventory, configuration data, and vulnerability data) are basic information needed to understand your security posture. This data needs to be as up to date as possible.

    ANALYST PERSPECTIVE: Organizations should look for continuous scanning

    Continuous scanning is the concept of providing continual scanning of your systems so any asset, configuration, or vulnerability information is up to date. Most vendors will advertise continuous scanning but you need to be skeptical of how this feature is met.

    Continuous Scanning Methods

    Continuous agent scanning

    Real-time scanning that is completed through agent-based scanning. Provides real-time understanding of system changes.

    On-demand scanning

    Cyclical scanning is the method where once you’re done scanning an area, you start it again. This is usually done because doing some scans on some areas of your network take time. How long the scan takes depends on the scan itself. How often you perform a scan depends on how long a scan takes. For example, if a scan takes a day, you perform a daily scan.

    Cloud-based scanning

    Cloud-scanning-as-a-Service can provide hands-free continuous monitoring of your systems. This is usually priced as a subscription model.

    Vulnerability scanning tool best practices

    Where to perform a scan.

    What should be scanned How to point a scanner
    The general idea is that you want to scan pretty much everything. Here are considerations for three environments:
    Mobile Devices

    You need to scan mobile devices for vulnerabilities, but the problem is these can be hard to scan and often come and go on your network. There are always going to be some devices that aren’t on the network when scanning occurs.

    Several ways to scan mobile devices:

    • Intercept the device when it remotes into your network using a VPN. You catch the device with a remote scan. This can only be done if a VPN is required.
    • An agent-based approach can be used for mobile devices. Locally installed software gives the information needed to evaluate the security posture of a device. Discernibly, concerns around device processing, memory, and network bandwidth come into play. Ease of installation becomes key for agents.
    Virtualization
    • In a virtual environment, you will have servers being dynamically spun up. Ensure your tool is able to scan these new servers automatically.
    • Often, vulnerability scanning tool providers will restrict scanning to preapproved scanners. Look for tools that are preapproved by the VM vendors.
    Cloud Environments
    • You can set your tool to scan a given cloud environment. The main concern here is who owns the cloud. If it is a private cloud, there is little concern.
    • If it is a third-party cloud (AWS, Azure, etc.) you need to confirm with the cloud service provider that scanning of your cloud environment can occur.
    • There is a trend to allow more scanning of cloud environments.
    • You need to tell the scanner an IP address, a group of IP addresses, an asset group, or a combination of those.
    • You can categorize by functional classifications – internet-facing servers, workstations, network devices, etc., or by organizational structure – Finance, HR, Legal, etc.
    • If you have a strong change management system, you can better hone when and where to perform a scan based on actual changes.
    • You can set the number of concurrent outbound TCP connections that are being made. For example, set the tool so it sends out to 10 ports at a time, rather than pinging at 64k ports on a machine, which would flood the NIC.
    • Side Note: Flooding a host with pings from a scanning tool can be done to find out DoS thresholds on a machine. There are no bandwidth concerns for a network DoS, however, because the packets are so small.

    Vulnerability scanning tool best practices

    Communication and measurement

    Pre-Scan Communication With Users

    • It is always important to inform owners and users of systems that a scan will be happening.
    • Although it is unlikely any performance issues will arise, it is important to notify end users of potential impact.
    • Local admins or system owners may have controls in place that stop vulnerability scans and you need to inform the owners so that they can safelist the scanner you will be using.
    Vulnerability Scanning Tool Tracking Metrics
    • Vulnerability score by operating system, application, or organization division.
      • This provides a look at the widely accepted severity of the vulnerability as it relates across the organization’s systems.
    • Most vulnerable applications and application version.
      • This provides insight into how outdated applications are creating risk exposure for an organization.
      • This will also provide metrics on the effectiveness of your patching program.
    • Number of assets scanned within the last number of days.
      • This provides visibility into how often your assets are being scanned and thus protected.
    • Number of unowned devices or unapproved applications.
      • This metric will track how many unowned devices or unapproved applications may be on your network. Unowned devices may be rogue devices or just consultant/contractor devices.

    Third-party vulnerability information sources

    IT security forums and mailing lists are another source of vulnerability information.

    Proactively identify new vulnerabilities as they are announced.

    By monitoring for vulnerabilities as they are announced through industry alerts and open-source mechanisms, it is possible to identify vulnerabilities beyond your scanning tool’s penetration tests.

    Common sources:
    • Vendor websites and mailing lists
      • Vendors are the trusted sources for vulnerability and patch information on their products, particularly with new industry vulnerability disclosure requirements. Vendors are the most familiar with their products, downloads are most likely malware free, and additional information is often included.
      • There are some issues: vendors won’t announce a vulnerability until a patch is created, which creates a potential unknown risk exposure; numerous vendor sites will have to be monitored continually.
    • Third-party websites
      • A non-vendor site providing information on vulnerabilities. They often will cover a specific technology or an industry section, becoming a potential “one-stop shop” for some. They will often provide vulnerability information that is augmented with different remediation recommendations faster than vendors.
      • However, it’s more likely that malicious code could be downloaded and it will often not be comprehensive information on patching.
    • Third-party mailing lists, newsgroups, live paid subscriptions, and live open-source feeds
      • These are alerting and notification services for the detection and dissemination of vulnerability information. They provide information on the latest and most critical vulnerabilities, e.g. US-CERT Cybersecurity Alerts.
    • Vulnerability databases
      • These usually consist of dedicated databases on vulnerabilities. They perform the hard work of identifying and aggregating vulnerability and patch information into a central repository for end-user consumption. The commentary features on these databases provide excellent insight for practitioners, e.g. National Vulnerability Database (NVD).
    Stock photo of a student checking a bulletin board.

    Third-party vulnerability information sources

    IT security forums and mailing lists are another source of vulnerability information.

    Third-party sources for vulnerabilities

    • Open Source Vulnerability Database (OSVDB)
      • An open-source database that is run independently of any vendors.
    • Common Vulnerabilities and Exposures (CVE)
      • Free, international dictionary of publicly known information security vulnerabilities and exposures.
    • National Vulnerability Database (NVD)
      • Through NIST, the NVD is the US government’s repository of vulnerabilities and includes product names, flaws, and any impact metrics.
      • The National Checklist Repository Program (NCRP), also provided by NIST, provides security checklists for configurations of operating systems and applications.
      • The Center for Internet Security, a separate entity unrelated to NIST, provides configuration benchmarks that are often referenced by the NCRP.
    • Open Web Application Security Project (OWASP)
      • OWASP is another free project helping to expose vulnerabilities within software.
    • US-CERT National Cyber Alert System (US-CERT Alerts)
      • Cybersecurity Alerts – Provide timely information about current security issues, vulnerabilities, and exploits.
      • Cybersecurity Tips – Provide advice about common security issues for the general public.
      • Cybersecurity Bulletins – Provide weekly summaries of new vulnerabilities. Patch information is provided when available.
    • US-CERT Vulnerability Notes Database (US-CERT Vulnerability Notes)
      • Database of searchable security vulnerabilities that were deemed not critical enough to be covered under US-CERT Alerts. Note that the NVD covers both US-CERT Alerts and US-CERT Notes.
    • Open Vulnerability Assessment Language (OVAL)
      • Coding language for security professionals to discuss vulnerability checking and configuration issues. Vulnerabilities are identified using tests that are disseminated in OVAL definitions (XML executables that can be used by end users).

    1.4.1 Develop a monitoring and review process for third-party vulnerability sources

    60 minutes

    Input: Third-party resources list

    Output: Process for review of third-party vulnerability sources

    Materials: Whiteboard, Whiteboard markers, Vulnerability Management SOP Template

    Participants: IT Security Manager, SecOps team members, ITOps team members, CISO

    1. Identify what third-party resources are useful and relevant.
    2. Shortlist your third-party sources.
    3. Identify what is the best way to receive information from a third party.
    4. Document the method to receive or check information from the third-party source.
    5. Identify who is responsible for maintaining third-party vulnerability information sources
    6. Capture this information in the Vulnerability Management SOP Template.
    Download the Vulnerability Management SOP Template Sample of the Third Party Vulnerability Monitoring tables from the Vulnerability Management SOP Template.

    Incidents and vulnerability management

    Incidents can also be a sources of vulnerabilities.

    When any incident occurs, for example:

    • A security incident, such as malware detected on a machine
    • An IT incident, such as an application becomes unresponsive
    • A crisis occurs, like a worker accident

    There can be underlying vulnerabilities that need to be processed.

    Three Types of IT Incidents exist:
    1. Information Security Incident
    2. IT Incident and/or Problem
    3. Crisis

    Note: You need to have developed your various incident response plans to develop information feeds to the vulnerability mitigation process.
    If you are missing an incident response plan, take a look at Info-Tech’s Related Resources.

    Info-Tech Related Resources:
    If you do not have a formalized information security incident management program, take a look at Info-Tech’s blueprint Develop and Implement a Security Incident Management Program.

    If you do not have a formalized problem management process, take a look at Info-Tech’s blueprint Incident and Problem Management.

    If you do not have a formalized IT incident management process, take a look at Info-Tech’s blueprint Develop and Implement a Security Incident Management Program.

    If you do not have formalized crisis management, take a look at Info-Tech’s blueprint Implement Crisis Management Best Practices.

    1.4.2 Incident management and vulnerability management

    60 minutes

    Input: Existing incident response processes, Existing crisis communications plans

    Output: Alignment of vulnerability management program with existing incident management processes

    Materials: Whiteboard, Whiteboard markers, Vulnerability Management SOP Template

    Participants: IT Security Manager, SecOps team members, ITOps team members, including tiers 1, 2, and 3, CISO, CIO

    1. Inventory what incident response plans the organization has. These include:
      1. Information Security Incident Response Plan
      2. IT Incident Plan
      3. Problem Management Plan
      4. Crisis Management Plan
    2. Identify what part of those plans contains the post-response recap or final analysis.
    3. Formalize a communication process between the incident response plan and the vulnerability mitigation process.

    Note: Most incident processes will cover some sort of root cause analysis and investigation of the incident. If a vulnerability of any kind is detected within this analysis it needs to be reported on and treated as a detected vulnerability, thus warranting the full vulnerability mitigation process.

    Download the Vulnerability Management SOP Template

    Implement Risk-Based Vulnerability Management

    Phase 2

    Triage & prioritize

    Phase 1

    1.1 What is vulnerability management?
    1.2 Define scope and roles
    1.3 Cloud considerations for vulnerability management
    1.4 Vulnerability detection

     

    Phase 2

    2.1 Triage vulnerabilities
    2.2 Determine high-level business criticality
    2.3 Consider current security posture
    2.4 Risk assessment of vulnerabilities

     

    Phase 3

    3.1 Assessing remediation options
    3.2 Scheduling and executing remediation
    3.3 Continuous improvement

     

    Phase 4

    4.1 Metrics, KPIs & CSFs
    4.2 Vulnerability management policy
    4.3 Select and implement a scanning tool
    4.4 Penetration testing

    This phase will walk you through the following activities:

    Examine the elements that you will use to triage and analyze vulnerabilities, prioritizing using a risk-based approach, and prepare for remediation options.

    This phase involves the following participants:

    • IT Security Manager
    • SecOps team members
    • ITOps team members, including tiers 1, 2, and 3
    • CISO
    • CIO

    Step 2.1

    Triage vulnerabilities

    Activities
    • 2.1.1 Evaluate your identified vulnerabilities

    This step will walk you through the following activities:

    Review your vulnerability information sources and determine a methodology that will be used to consistently evaluate vulnerabilities as your scanning tool alerts you to them.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • ITOps team members, including tiers 1, 2, and 3
    • CISO
    • CIO

    Outcomes of this step

    A consistent, documented process for the evaluation of vulnerabilities in your environment.

    Triage & prioritize
    Step 2.1 Step 2.2 Step 2.3 Step 2.4

    Triaging vulnerabilities

    Use Info-Tech’s methodology to allocate urgencies to your vulnerabilities to assign the appropriate resources to each one.

    When evaluating numerous vulnerabilities, use the following three factors to help determine the urgency of vulnerabilities:

    • The intrinsic qualities of the vulnerability
    • The business criticality of the affected asset
    • The sensitivity of the data stored on the affected asset

    Intrinsic qualities of the vulnerability — Vulnerabilities need to be examined for the inherent risk they pose specifically to the organization, which includes if an exploit has been identified or if the industry views this as a serious and likely threat.

    Business criticality of the affected asset — Assets with vulnerabilities need to be assessed for their criticality to the business. Vulnerabilities on systems that are critical to business operations or customer interactions are usually top of mind.

    Sensitivity of the data of the affected asset — Beyond just the criticality of the business, there must be consideration of the sensitivity of the data that may be compromised or modified as a result of any vulnerabilities.

    Info-Tech Insight

    This methodology allows you to determine urgency of vulnerabilities, but your remediation approach needs to be risk-based, within the context of your organization.

    Triage your vulnerabilities, filter out the noise

    Triaging enables your vulnerability management program to focus on what it should focus on.

    Use the Info-Tech Vulnerability Mitigation Process Template to define how to triage vulnerabilities as they first appear.

    Triaging is an important step in vulnerability management, whether you are facing ten to tens of thousands of vulnerability notifications.
    Many scanning tools already provide the capability to compare known vulnerabilities against existing assets through integration with the asset inventory.

    There are two major use cases for this process:
    1. For organizations that have identified vulnerabilities but do not know their own systems well enough. This can be due to a lack of a formal asset inventory.
    2. For proactive organizations that are regularly staying up to date with industry announcements regarding vulnerabilities. Once an alert has been made publicly, this process can assist in confirming if the vulnerability is relevant to the organization.
    The Info-Tech methodology for initial triaging of vulnerabilities:
    Flowchart of the Info-Tech methodology for initial triaging of vulnerabilities, beginning with 'Vulnerability has been identified' and ending with either 'Vulnerability has been triaged' or 'No action needed'.

    Even if neither of these use cases apply to your organization, triaging still addresses the issues of false positives. Triaging provides a quick way to determine if vulnerabilities are relevant.

    After eliminating the noise, evaluate your vulnerabilities to determine urgency

    Consider the intrinsic risk to the organization.

    Is there an associated, verified exploit?
    • For a vulnerability to become a true threat to the organization, it must be exploited to cause damage. In today’s threat landscape, exploit kits are sold online that allow individuals with low technical knowledge to exploit a vulnerability.
    • Not all vulnerabilities have an associated exploit, but this does not mean that these vulnerabilities can be left alone. In many cases, it is just a matter of time before an exploit is created.
    • Another point to consider is that while exploits can exist theoretically, they may not be verified. Vulnerabilities always pose some level of risk, but if there are no known verified exploits, there is less risk attached.
    Is there a CVSS base score of 7.0 or higher?
    • Common Vulnerability Scoring System (CVSS) is an open-source industry scoring method to assess the potential severity of vulnerabilities.
    • CVSS takes into account: attack vector, complexity, privileges required, user interaction, scope, confidentiality impact, integrity impact, and availability impact.
    • Vulnerabilities that have a score of 4.0 or lower are classified as low vulnerabilities, while scores between 4.0 and 6.9 are put in the medium category. Scores of 7 or higher are in the high and critical categories. As we will review in the Risk Assessment section, you will want to immediately deal with high and critical vulnerabilities.
    Is there potential for significant lateral movement?
    • Even though a vulnerability may appear to be part of an inconsequential asset, it is important to consider whether it can be leveraged to gain access to other areas of the network or system by an attacker.
    • Another consideration should be whether the vulnerability can be exploited by remote or local access. Remote exploits pose a greater risk as this can mean that attackers can perform an exploit from any location. Local exploits carry less risk, although the risk of insider threats should be considered here as well.

    2.1.1 Evaluate your identified vulnerabilities

    60 minutes

    Input: Visio workflow of Info-Tech’s vulnerability management process

    Output: Adjusted workflow to reflect your current processes, Vulnerability Tracking Tool

    Materials: Whiteboard, Whiteboard markers, Vulnerability Management SOP Template

    Participants: IT Security Manager, SecOps team members, ITOps team members, including tiers 1, 2, and 3, CISO, CIO

    Using the criteria from the previous slide, Info-Tech has created a methodology to evaluate your vulnerabilities by examining their intrinsic qualities.

    The methodology categorizes the vulnerabilities into high, medium, and low risk importance categorizations, before assigning final urgency scores in the later steps.

    1. Review the evaluation process in the Vulnerability Management Workflow library.
    2. Determine if this process makes sense for the organization; otherwise, change the flow to include any other considerations of process flows.
    3. As this process is used to evaluate vulnerabilities, document vulnerabilities to an importance category. This can be done in the Vulnerability Tracking Tool or using a similar internal vulnerability tracking document, if one exists.

    Download the Vulnerability Management SOP Template

    Step 2.2

    Determine high-level business criticality

    Activities
    • 2.2.1 Determine high-level business criticality
    • 2.2.2 Determine your high-level data classifications

    This step will walk you through the following activities:

    Determining high-level business criticality and data classifications will help ensure that IT security is aligned with what is critical to the business. This will be very important when decisions are made around vulnerability risk and the urgency of remediation action.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • CISO

    Outcomes of this step

    Understanding and consistency in how business criticality and business data is assessed by IT in the vulnerability management process.

    Triage & prioritize
    Step 2.1 Step 2.2 Step 2.3 Step 2.4

    Understanding business criticality is key to determining vulnerability urgency

    Prioritize operations that are truly critical to the operation of the business, and understand how they would be impacted by an exploited vulnerability.

    Use the questions below to help assess which operations are critical for the business to continue functioning.

    For example, email is often thought of as a business-critical operation when this is not always the case. It is important to the business, but as regular operations can continue for some time without it, it would not be considered extremely business critical.

    Questions to ask Description
    Is there a hard-dollar impact from downtime? This refers to when revenue or profits are directly impacted by a business disruption. For example, when an online ordering system is compromised and shut down, it impacts sales, and therefore, revenue.
    Is there an impact on goodwill/ customer trust? If downtime means delays in service delivery or otherwise impacts goodwill, there is an intangible impact on revenue that may make the associated systems mission critical.
    Is regulatory compliance a factor? Depending on the circumstances of the vulnerabilities, it can be a violation of regulatory compliance and would cause significant fines.
    Is there a health or safety risk? Some operations are critical to health and safety. For example, medical organizations have operations that are necessary to ensure that individuals’ health and safety are maintained. An exploited vulnerability that prevents these operations can directly impact the lives of these individuals.
    Don’t start from scratch – your disaster recovery plan (DRP) may have a business impact analysis (BIA) that can provide insight into which applications and operations are considered business critical.

    Analyst Perspective

    When assessing the criticality of business operations, most core business applications may be deemed business critical over the long term.

    Consider instead what the impact is over the first 24 or 48 hours of downtime.

    2.2.1 Determine high-level business criticality

    120 minutes; less time if a Disaster recovery plan business impact analysis exists

    Input: List of business operations, Insight into business operations impacts to the business

    Output: List of business operations and their criticality and impact to the business

    Materials: Vulnerability Management SOP Template

    Participants: Participants from the business, IT Security Manager, CISO, CIO

    1. List your core business operations at a high level.
    2. Use a High, Medium, or Low ranking to prioritize the business operations based on mission-critical criteria and the impact of the vulnerability.
    3. When using the process flow, consider if the vulnerability directly affects any of these business operations and move through the process flow based on the corresponding High, Medium, or Low ranking.
    Example prioritization of business operations for a manufacturing company: Questions to ask:
    1. Is there a hard-dollar impact from downtime?
    2. Is there impact on goodwill or customer trust?
    3. Is regulatory compliance a factor?
    4. Is there a health or safety risk?

    Download the Vulnerability Management SOP Template

    Determine vulnerability urgency by its data classification

    Consider how to classify your data based on if the Confidentiality, Integrity, or Availability (CIA) is compromised.

    To properly classify your data, consider how the confidentiality, integrity, and availability of that data would be affected if it were to be exploited by a vulnerability. Review the table below for an explanation for each objective.
    Confidentiality

    Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

    Integrity

    Guarding against improper information modification or destruction, and ensuring information non-repudiation and authenticity.

    Availability

    Ensuring timely and reliable access to and use of information.

    Each piece of data should be ranked as High, medium, or low across confidentiality, integrity, and availability based on adverse effect. Arrow pointing right. Low — Limited adverse effect

    Moderate — Serious adverse effect

    High — Severe or catastrophic adverse effect

    If you wish to build a whole data classification methodology, refer to our Discover and Classify Your Data blueprint.

    How to determine data classification when CIA differs:

    The overall ranking of the data will be impacted by the highest objective’s ranking.

    For example, if confidentiality and availability are low, but integrity is high, the overall impact is high.

    This process was developed in part by Federal Information Processing Standards Publication 199.

    2.2.2 Determine your high-level data classifications

    120 minutes, less time if data classification already exists

    Input: Knowledge of data use and sensitivity

    Output: Adjusted workflow to reflect your current processes, Vulnerability Tracking Tool

    Materials: Whiteboard, Whiteboard markers, Vulnerability Management SOP Template

    Participants: IT Security Manager, CISO, CIO

    If your organization has formal data classification in place, it should be leveraged to determine the high, medium, and low rankings necessary for the process flows. However, if there is no formal data classification in place, the process below can be followed:

    1. List common assets or applications that are prone to vulnerabilities.
    2. Consider the data that is on these devices and provide a high (severe or catastrophic adverse effect), medium (serious adverse effect), or low (limited adverse effect) ranking based on confidentiality, availability, and integrity.
      1. Use the table on the previous slide to assist in providing the ranking.
      2. Remember that it is the highest ranking that dictates the overall ranking of the data.
    3. Document which data belongs in each of the categories to provide contextual evidence.

    Download the Vulnerability Management SOP Template

    This process should be part of your larger data classification program. If you need assistance in building this out, review the Info-Tech research, Discover and Classify Your Data.

    Step 2.3

    Consider current security posture

    Activities
    • 2.3.1 Document your defense-in-depth controls

    This step will walk you through the following activities:

    Your defense-in-depth controls are the existing layers of security technology that protects your environment. These are relevant when considering the urgency and risk of vulnerabilities in your environment, as they will mitigate some of the risk.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • ITOps team members, including tiers 1, 2, and 3
    • CISO
    • CIO

    Outcomes of this step

    Understanding and documentation of your current defense-in-depth controls.

    Triage & prioritize
    Step 2.1 Step 2.2 Step 2.3 Step 2.4

    Review your current security posture

    What you have today matters.
    • In most cases, your vulnerability scanning tool alone will not have the context of your security posture in the results of its scans. This can skew the true urgency of detected vulnerabilities in your environment.
    • What you have in place today is what comprises your organization’s overall security posture. This bears high relevance to the determination of the risk that a vulnerability poses to your environment.
    • Elements such as enterprise architecture and defense in depth mechanisms should be factored into determining the risk of a vulnerability and what kind of immediacy is warranted to address it.
    • Details of your current security posture will also contribute to the assessment and selection of remediation options.
    Stock image of toy soldiers split into two colours, facing eachother down.

    Enterprise architecture considerations

    What does your network look like?
    • Most organizations have a network topology that has been put in place with operational needs in mind. These includes specific vLANs or subnets, broadcast domains, or other methods of traffic segregation.
    • The firewall and network ACLs (access control lists) will manage traffic and the routes that data packets follow to traverse a network.
    • Organizations may physically separate data network types, for example, a network for IT services and one for operational technology (OT)(OT is often known as ICS (industrial control systems) or SCADA (supervisory control and data acquisition)) or other types of production technology.
    • The deployment of distribution and access switches across an enterprise can also be a factor, where a flatter network will have fewer network devices within the topology.
    • In a directory services environment such as Windows Active Directory, servers and applications can be segregated by domains and trust relationships, organizational units, and security groups.
    What’s the relevance to vulnerability management?

    For a vulnerability to be exploited, a malicious actor must find a way to access the vulnerable system to make use of the vulnerability in question.

    Any enterprise architecture characteristics that you have in place may lessen the probability of a successful vulnerability exploit.

    This may potentially “buy time” for SecOps to address and remediate the vulnerability.

    Defense-in-depth

    Defense-in-depth provides extra layers of protection to the organization.

    • Defense-in-depth refers to the coordination of security controls to add layers of security to the organization.
      • This means that even if attackers are able to get past one control or layer, they are hindered by additional security.
    • Defense-in-depth is distinct from the previous section on enterprise architecture as these are security controls put in place with the purpose of being lines of defense within your security posture.
    • This can be extremely useful in managing vulnerabilities; thus, it is important to establish the existing defense-in-depth controls. By establishing the base model for your defense-in-depth, it will allow you to leverage these controls to manage vulnerabilities.
    • Controls are typically distributed across endpoints, network infrastructure, servers, and physical security.

    Note: Defense-in-depth controls do not entirely mitigate vulnerability risk. They provide a way in which the vulnerability cannot be exploited, but it continues to exist on the application. This must be kept in mind as the controls or applications themselves change, as it can re-open the vulnerability and cause potential problems.

    Examples of defense-in-depth controls can consist of any of the following:
    • Antivirus software
    • Authentication security
    • Multi-factor authentication
    • Firewalls
    • Demilitarized zones (DMZ)
    • Sandboxing
    • Network zoning
    • Application whitelisting
    • Access control lists
    • Intrusion detection & prevention systems
    • Airgapping
    • User security awareness training

    2.3.1 Document your defense-in-depth controls

    2 hours, less time if a security services catalog exists

    Input: List of technologies within your environment, List of IT security controls that are in place

    Output: List of defense-in-depth controls

    Materials: Whiteboard/flip charts, Vulnerability Management SOP Template

    Participants: IT Security Manager, Infrastructure Manager, IT Director, CISO

    1. Document the existing defense-in-depth controls within your system.
    2. Review the initial list that has been provided and see if these are controls that currently exist.
    3. Indicate any other controls that are being used by the organization. This may already exist if you have a security services catalog.
    4. Indicate who the owners of the different controls are.
    5. Track the information in the Vulnerability Management SOP Template.

    Download the Vulnerability Management SOP Template

    Sample table of security controls within a Defense-in-depth model with column headers 'Defense-in-depth control', 'Description', 'Workflow', and 'Control Owner'.

    Step 2.4

    Risk assessment of vulnerabilities

    Activities
    • 2.4.1 Build a classification scheme to consistently assess impact
    • 2.4.2 Build a classification scheme to consistently assess likelihood

    This step will walk you through the following activities:

    Assessing risk will be the cornerstone of how you evaluate vulnerabilities and what priority you place on remediation. This is actual risk to the organization and not simply what the tool reports without the context of your defense-in-depth controls.

    This step involves the following participants:

    • IT Security Manager
    • IT Operations Management
    • CISO
    • CIO

    Outcomes of this step

    A risk matrix tailored to your organization, based on impact and likelihood. This will provide a consistent, unambiguous way to assess risk across the vulnerability types that is reported by your scanning tool.

    Triage & prioritize
    Step 2.1 Step 2.2 Step 2.3 Step 2.4

    Vulnerabilities and risk

    Vulnerabilities must be addressed to mitigate risk to the business.
    • Vulnerabilities are a concern because they are potential threats to the business. Vulnerabilities that are not addressed can turn from potential threats into actual threats; it is only a matter of time and opportunity.
    • Your organization will already be familiar with risk management, as every decision carries a business risk component. There may even be a senior manager assigned as corporate risk officer to manage organizational risk.
    • The organization likely has a risk tolerance level that defines the organization’s risk appetite. This may be measured in dollars, non-productivity time, or other units of inefficiency.
    • The risk of a vulnerability can be calculated using impact and likelihood. Impact is the effect that the vulnerability will have if it is exploited by a malicious actor. Likelihood is the degree to which a vulnerability exploit can possibly occur.
    Stock image of a cartoon character in a tie hanging on the needle of a 'RISK' meter as it sits at 'LOW'.

    Info-Tech Insight

    Risk to the organization is business language that everyone can understand. This is particularly true when the risk is to productivity or to the company’s bottom line.

    A risk-based approach to vulnerability management

    CVSS scores are just the starting point!

    Vulnerabilities are constant.
    • There will always be vulnerabilities in the environment, many of which won’t be reported as they are currently unknown.
    • Don’t focus on trying to resolve all vulnerabilities in your environment. You are neither resourced for it nor can the business tolerate the downtime needed to remediate every single vulnerability.
      • The constant follow of new vulnerabilities will quickly render your efforts useless and it will become a game of “whack-a-mole.”
    • Being able to prioritize which vulnerabilities require appropriate levels of response is crucial to ensuring that an organization stays ahead of the continual flow.
    • Your vulnerability scanning tool will report the severity of a vulnerability, often using an industry Common Vulnerability Scoring System (CVSS) system ranging from 0 to 10. It will then scan your environment for the presence of the vulnerability and report accordingly.
      • Your vulnerability scanning tool will not be aware of any mitigation components in your environment, such as compensating controls, network segregation, server/application hardening, or any other measures that can reduce the risk. That is why determining actual risk is a crucial step.

    Stock image of a whack-a-mole game.

    Info-Tech Insight

    Vulnerability scanning is a valuable function, but it does not tell the full picture. You must determine how urgent a vulnerability truly is, based on your specific environment.

    Prioritize remediation by levels of risk

    Address critical and high risk with high immediacy.

    • Addressing the critical and high-risk vulnerabilities with urgency will ensure that you are addressing a more manageable number of vulnerabilities.
    • An optimized vulnerability management process will address the medium and low risk vulnerabilities within the regular cycle.
    • This may be very similar to what you do today in an ad hoc fashion:
      • Zero-day vulnerabilities tend to warrant a stop in operations and are dealt with immediately (or as soon as a vendor has a fix).
      • The standard remediation process (patching/updating, change of configuration, etc.) happens within a regular controlled time cycle.
    • Formalizing this process will ensure that appropriate attention is given to vulnerabilities that warrant it and that the remaining vulnerabilities are dealt with as a regular, recurring activity.

    Mitigate the risk surface by reducing the time across the phases

    Chart titled 'Mitigate the risk surface by reducing the time across the phases' with the axes 'Risk Level' and 'Time' with lines created by individual risks. The highlighted line begins in 'Critical' and eventually drops to low. A note on the line reads 'Objective: Reduce risk surface by reducing time to address'. The area between the line and your organization's risk tolerance is labelled 'Risk Surface, to be addressed with high priority'. A bracket around Risk levels 'High' and 'Critical' reads 'Priority focus zone (risk surface)'. Risk lines within levels 'Low' and 'Medium' read 'Follow standard vulnerability management cycles'.

    Risk matrix

    Risk = Impact x Likelihood
    • Info-Tech’s Vulnerability Management Risk Assessment Tool provides a method of calculating the risk of a vulnerability. The risk rating is assigned using the impact of the risk and the likelihood or probability that the event may occur.
    • The tool puts the vulnerability into your organization’s context: How many people will be affected? What service types are vulnerable and how does that impact the business? Is there an anticipated update from the vendor of the system being affected?
    • Urgency of remediation should be based on the business consequences if the vulnerability were to be exploited, relative to the business’ risk tolerance.

    Info-Tech Insight

    Risk determination should be done within the context of your current environment and not simply based on what your vulnerability tool is reporting.

    A risk matrix is useful in calculating a risk rating for vulnerabilities. Risk matrix with axes 'Impact' and 'Time' and individual vulnerabilities mapped onto it via their risk rating. The example 'Organizational Risk Tolerance Threshold' line runs diagonally through the 'Medium' squares.

    2.4.1 Build a classification scheme to consistently assess impact

    60 minutes

    Input: Knowledge of IT environment, Knowledge of business impact for each IT component or service

    Output: Vulnerability Management Risk Assessment Tool formatted to your organization

    Materials: Vulnerability Management Risk Assessment Tool

    Participants: Functional Area Managers, IT Security Manager, CISO

    Risk always has a negative impact, but the size of the impact can vary considerably in terms of cost, number of people or sites affected, and the severity of the impact. Impact questions tend to be more objective and quantifiable than likelihood questions.

    1. Define a set of questions to measure risk impact or edit existing questions in the tool.
    2. For each question, assign a weight that should be placed on that factor.
    3. Define criteria for each question that would categorize the risk. The drop-down box content can be modified in the hidden Labels tab.

    Note that you are looking to baseline vulnerability types, rather than categorizing every single vulnerability your scanning tool reports. The volume of vulnerabilities will be high, but vulnerabilities can be categorized into types on a regular basis.

    Download the Vulnerability Management Risk Assessment Tool

    Screenshot of table from Info-Tech's Vulnerability Management Risk Assessment Tool for assessing Impact. Column headers are 'Weight', 'Question', 'OS vulnerability', 'Application vulnerability', 'Network vulnerability', and 'Vendor patch release'.

    2.4.2 Build a classification scheme to consistently assess likelihood

    60 minutes

    Input: Knowledge of IT environment, Knowledge of business impact for each IT component or service

    Output: Vulnerability Management Risk Assessment Tool formatted to your organization

    Materials: Vulnerability Management Risk Assessment Tool

    Participants: Functional Area Managers, IT Security Manager, CISO

    Risk always has a negative impact, but the size of the impact can vary considerably in terms of cost, number of people or sites affected, and the severity of the impact. Impact questions tend to be more objective and quantifiable than likelihood questions.

    1. Define a set of questions to measure risk impact or edit existing questions in the tool.
    2. For each question, assign a weight that should be placed on that factor.
    3. Define criteria for each question that would categorize the risk. The drop-down box content can be modified in the hidden Labels tab.

    Note that you are looking to baseline vulnerability types, rather than categorizing every single vulnerability that your scanning tool reports. The volume of vulnerabilities will be high, but vulnerabilities can be categorized into types on a regular basis.

    Download the Vulnerability Management Risk Assessment Tool

    Screenshot of table from Info-Tech's Vulnerability Management Risk Assessment Tool for assessing Likelihood. Column headers are 'Weight', 'Question', 'OS vulnerability', 'Application vulnerability', and 'Network vulnerability'.

    Prioritize based on risk

    Select the best remediation option to minimize risk.

    Through the combination of the identified risk and remediation steps in this phase, the prioritization for vulnerabilities will become clear. Vulnerabilities will be assigned a priority once their intrinsic qualities and threat potential to business function and data have been identified.

    • Remediation options will be identified for the higher urgency vulnerabilities.
    • Options will be assessed for whether they are appropriate.
    • They will be further tested to determine if they can be used adequately prior to full implementation.
    • Based on the assessments, the remediation will be implemented or another option will be considered.
    Prioritization
    1. Assignment of risk
    2. Identification of remediation options
    3. Assessment of options
    4. Implementation

    Remediation plays an incredibly important role in the entire program. It plays a large part in wider risk management when you must consider the risk of the vulnerability, the risk of the remediation option, and the risk associated with the overall process.

    Implement Risk-Based Vulnerability Management

    Phase 3

    Remediate vulnerabilities

    Phase 1

    1.1 What is vulnerability management?
    1.2 Define scope and roles
    1.3 Cloud considerations for vulnerability management
    1.4 Vulnerability detection

     

    Phase 2

    2.1 Triage vulnerabilities
    2.2 Determine high-level business criticality
    2.3 Consider current security posture
    2.4 Risk assessment of vulnerabilities

     

    Phase 3

    3.1 Assessing remediation options
    3.2 Scheduling and executing remediation
    3.3 Continuous improvement

     

    Phase 4

    4.1 Metrics, KPIs & CSFs
    4.2 Vulnerability management policy
    4.3 Select and implement a scanning tool
    4.4 Penetration testing

    This phase will walk you through the following activities:

    • Identifying potential remediation options.
    • Developing criteria for each option with regards to when to use and when to avoid.
    • Establishing exception procedure for testing and remediation.
    • Documenting the implementation of remediations and verification.

    This phase involves the following participants:

    • CISO, or equivalent
    • Security Manager/Analyst
    • Network, Administrator, System, Database Manager
    • Other members of the vulnerability management team
    • Risk managers for the risk-related steps

    Determining how to remediate

    Patching is only one option.

    This phase will allow organizations to build out the specific processes for remediating vulnerabilities. The overall process will be the same but what will be critical is the identification of the correct material. This includes building the processes around:
    • Identifying and selecting the remediation option to be used.
    • Determining what to do when a patch or update is not available.
    • Scheduling and executing the remediation activity.
    • Continuous improvement.

    Each remediation option carries a different level of risk that the organization needs to consider and accept by building out this program.

    It is necessary to be prepared to do this in real time. Careful documentation is needed when dealing with vulnerabilities. Use the Vulnerability Tracking Tool to assist with documentation in real time. This is separate from using the process template but can assist in the documentation of vulnerabilities.

    Step 3.1

    Assessing remediation options

    Activities
    • 3.1.1 Develop risk and remediation action

    This step will walk you through the following activities:

    With the risk assessment from the previous activity, we can now examine remediation options and make a decision. This activity will guide us through that.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • ITOps team members, including tiers 1, 2, and 3
    • CISO
    • CIO

    Outcomes of this step

    List of remediation options and criteria on when to consider each.

    Remediate vulnerabilities
    Step 3.1 Step 3.2 Step 3.3

    Identify remediation options

    There are four options when it comes to vulnerability remediation.

    Patches and Updates

    Patches are software or pieces of code that are meant to close vulnerabilities or provide fixes to any bugs within existing software. These are typically provided by the vendor to ensure that any deployed software is properly protected after vulnerabilities have been detected.

    Configuration Changes

    Configuration changes involve administrators making significant changes to the system or network to remediate against the vulnerability. This can include disabling the vulnerable application or specific element and can even extend to removing the application altogether.

    Remediation

    Compensating Controls

    By leveraging security controls, such as your IDS/IPS, firewalls, or access control, organizations can have an added layer of protection against vulnerabilities beyond the typical patches and configuration changes. This can be used as a measure while waiting to implement another option (if one exists) to reduce the risk of the vulnerability in the short or long term.

    Risk Acceptance

    Whenever a vulnerability is not remediated, either indefinitely or for a short period of time, the organization is accepting the associated risk. Segregation of the vulnerable system can occur in this instance. This can occur in cases where a system or application cannot be updated without detrimental effect to the business.

    Patches and updates

    Patches are often the easiest and most common method of remediation.

    Patches are usually the most desirable remediation solution when it comes to vulnerability management. They are typically provided by the vendor of the vulnerable application or system and are meant to eliminate the existing vulnerability.

    When to use

    • When adequate testing can be performed on the patch to be implemented.
    • When there is a change window approaching for the affected systems.
    • When there is standardization across the IT assets to allow for easier installation of patches.

    When to avoid

    • When the patch cannot be adequately tested.
    • When a patch has been tested, but it caused an unfavorable consequence such as a system or application failure.
    • When there is no near change window in which to install the patches, which is often the case for critical systems.
    When to consider other remediation options
    • For critical systems, it can be difficult to implement a patch as they often require the system to be rebooted or go through some downtime. There must be consideration towards whether there is a change window approaching if a patch is to be implemented on a business-critical system.
      • If there is no opportunity to implement the patch, or no approaching change window, it is wise to leverage another remediation option.
    • When patches are not currently available from the vendor or they are in production, other remediation options are needed.
    • Other remediation options can be used in tandem with the patch. For example, if a patch is being deferred until the change window, it would be wise to use alternate remediation options to close the vulnerability.

    Compensating controls

    Compensating controls can decrease the risk of vulnerabilities that cannot be (immediately) remediated.

    • Compensating controls are measures put in place when direct remediation measures are impractical or non-existent.
    • Similar to the payment card industry’s PCI DSS 1.0 provision of compensating controls, these are meant to meet the intent or rigor of the original requirement; unlike PCI DSS, these measures are to mitigate risk rather than meet compliance.
    • The compensating control should be viewed as only a temporary measure for dealing with a vulnerability, although circumstances may dictate a degree of permanence in the application of the compensating control.
    • Examples where compensating controls may be needed are:
      • The software vendor is developing an update or patch to address a vulnerability.
      • Through your testing process, a patch will adversely affect the performance or operation of the target system and be detrimental to the business.
      • A critical application will only run on a legacy operating system, the latter of which is no longer supported by the vendor.
      • A legacy application is no longer being supported but is critical to your operations. A replacement, if one exists, will take time to implement.
    Examples of compensating controls
    • Segregating a vulnerable server or application on the network, physically or logically.
    • Hardening the operating system or application.
    • Restricting user logins to the system or application.
    • Implementing access controls on the network route to the system.
    • Instituting application whitelisting.

    Configuration changes

    Configuration changes involve making changes directly to the application or system in which there is a vulnerability. This can vary from disabling or removing the vulnerable element or, in the case of applications built in-house, changing the coding of the application itself. These are commonly used in network vulnerabilities such as open ports.

    When to use

    • A patch is not available.
    • The vulnerable element can be significantly changed, or even disabled, without significantly disrupting the business.
    • The application is built in-house, as the vulnerability must be closed internally.
    • There is adequate testing to ensure that the configuration change does not affect the business.
    • A configuration change in your network or system can affect numerous endpoints or systems, reducing endpoint patching or use of defense-in-depth controls.

    When to avoid

    • When a suitable patch is available.
    • When the vulnerability is on a business-critical element with no nearby change window or it cannot be disabled.
    • When there is no opportunity in which to perform testing to ensure that there are no unintended consequences.
    When to consider other remediation options
    • Configuration changes require careful documentation as changes are occurring to the system and applications. If there is a need to perform a back-out process and return to the original configuration, this can be extremely difficult without clear documentation of what occurred.
    • If business systems are too critical or important to the regular business function to perform any changes, it is necessary to consider other options.

    Info-Tech Insight

    Remember your existing processes: configuration changes may need to be approved and orchestrated through your organization’s configuration and change management processes.

    Case Study

    Remediation options do not have to be used separately. Use the Shellshock 2014 case as an example.

     
    INDUSTRY: All
    SOURCE: Public Domain
    Challenge

    Bashdoor, more commonly known as Shellshock, was announced on September 24, 2014.

    This bug involved the Bash shell, which normally executes user commands, but this vulnerability meant that malicious attackers could exploit it.

    This was rated a 10/10 by CVSS – the highest possible score.

    Within hours of the announcement, hackers began to exploit this vulnerability across many organizations.

    Solution

    Organizations had to react quickly and multiple remediation options were identified:

    • Configuration changes – Companies were recommended to use other shells instead of the Bash shell.
    • Defense-in-depth controls – Using HTTP server logs, it could be possible to identify if the vulnerability had been exploited.
    • Patches – Many vendors released patches to close this vulnerability including Debian, Ubuntu, and Red Hat.
    Results

    Companies began to protect themselves against these vulnerabilities.

    While many organizations installed patches as quickly as possible, some also wished to test the patch and leveraged defense-in-depth controls in the interim.

    However, even today, many still have the Shellshock vulnerability and exploits continue to occur.

    Accept the risk and do nothing

    By choosing not to remediate vulnerabilities, you must accept the associated risk. This should be your very last option.

    Every time that a vulnerability is not remediated, it continues to pose a risk to the organization. While it may seem that every vulnerability needs to be remediated, this is simply not possible due to limited resources. Further, it can take away resources from other security initiatives as opposed to low-priority vulnerabilities that are extremely unlikely to be exploited.

    Common criteria for vulnerabilities that are not remediated:
    • Affected systems are of extremely low criticality.
    • Affected systems are deemed too critical to take offline to perform adequate remediation.
    • Low urgency is assigned to those vulnerabilities.
    • Cost and time required for the remediation are too high.
    • No adequate solutions exist – the vendor has not released a patch, there are weak defense-in-depth controls, and it is not possible to perform a configuration change.

    Risk acceptance is not uncommon…

    • With an ever-increasing number of vulnerabilities, organizations are struggling to keep up and often, intentionally or unintentionally, accept the risk associated.
    • In the end, non-remediation means full acceptance of the risk and any consequences.

    Enterprise risk management
    Arrow pointing up.
    Risk acceptance of vulnerabilities

    While these are common criteria, they must be aligned to the enterprise risk management framework and approved by management.

    Don’t forget the variables that were assessed in Phase 2. This includes the risk from potential lateral movement or if there is an existing exploit.

    Risk considerations

    When determining if risk acceptance is appropriate, consider the cost of not mitigating vulnerabilities.

    Don’t accept the risk because it seems easy. Consider the financial impact of leaving vulnerabilities open.

    With risk acceptance, it is important to review the financial impact of a security incident resulting from that vulnerability. There is always the possibility of exploitation for vulnerabilities. A simple metric taken from NIST SP800-40 to use for this is:

    Cost not to mitigate = W * T * R

    Where (W) is the number of work stations, (T) is the time spent fixing systems or lost in productivity, and (R) is the hourly rate of the time spent.

    As an example provided by NIST SP800-40 Version 2.0, Creating a Patch and Vulnerability Management Program:

    “For an organization where there are 1,000 computers to be fixed, each taking an average of 8 hours of down time (4 hours for one worker to rebuild a system, plus 4 hours the computer owner is without a computer to do work) at a rate of $70/hour for wages and benefits:

    1,000 computers * 8 hours * $70/hour = $560,000”

    Info-Tech Insight

    Always consider the financial impact that can occur from an exploited vulnerability that was not remediated.

    3.1.1 Develop risk and remediation action

    90 minutes

    Input: List of remediation options

    Output: List of remediation options sorted into “when to use” and “when to avoid” lists

    Materials: Whiteboard/flip charts, Vulnerability Management SOP Template

    Participants: IT Security Manager, IT Infrastructure Manager, IT Operations Manager, Corporate Risk Officer, CISO

    It is important to define and document your organization-specific criteria for when a remediation option is appropriate and inappropriate.

    1. List each remediation option on a flip chart and create two headings: “When to use” and “When to avoid.”
    2. Each person will list “when to use” criteria on a green sticky note and “when to avoid” criteria on a red one for each option; these will be placed on the appropriate flip chart.
    3. Discuss as a group which criteria are appropriate and which should be removed.
    4. Move on to the next remediation option when completed.
      • Ensure to include when there are remediation options that will be connected. For example, the risk may be accepted until the next available change window, or a defense-in-depth control is used before a patch can be fully installed.
    5. Once the criteria has been established, document this in the Vulnerability Management SOP Template.
    When to use:
    • When adequate testing can be performed on the patch to be implemented.
    • When there is a change window approaching, especially for critical systems.
    • When there is standardization across the IT assets to allow for easier installation of patches.
    When to avoid:
    • When the patch cannot be adequately tested.
    • When a patch has been tested, but it has caused an unfavorable consequence such as a system or application failure.
    • When there is no near change window in which to install the patches.
    (Example from the Vulnerability Management SOP Template for Patches.)

    Download the Vulnerability Management SOP Template

    Step 3.2

    Scheduling and executing remediation

    Activities

    None for this section.

    This step will walk you through the following activities:

    Although there are no specific activities for this section, it will walk you through your existing processes configuration and change management to ensure that you are leveraging those activities in your vulnerability remediation actions.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • ITOps team members, including tiers 1, 2, and 3
    • CISO
    • CIO

    Outcomes of this step

    Gained understanding of how IT operations processes configuration and change management can be leveraged for the vulnerability remediation process. Don’t reinvent the wheel!

    Remediate vulnerabilities
    Step 3.1 Step 3.2 Step 3.3

    Implementing the remediation

    Vulnerability management converges with your IT operations functions.
    • Once a remediation strategy has been formulated, you can leverage your release and change management processes to orchestrate the testing, version tracking, scheduling, approval, and implementation activities.
    • Each of these processes should exist in your environment in some form. Leveraging these will engage the IT operations team to carry out their tasks in the remediation process.
    • There can be a partial or full handoff to these processes, however, the owner of the vulnerability management program is responsible for verifying the application of the remediation measure and that the overall risk has been reduced.
    • Although full blueprints exist that cover each of these processes in great detail, the following slides provide an overview of each of these IT operations processes and how they intersect with vulnerability management.
    Stock image of a person on a laptop overlaid by an icon with gears indicating settings.

    Release Management

    Control the quality of deployments and releases of software updates.

    • The release management process exists to ensure that new software releases (such as patches and updates) are properly tested and documented with version control prior to their implementation into the production environment.
    • The process should map out the logistics of the deployment process to ensure that it is consistent and controlled.
    • Testing is an important part of release management and the urgency of a vulnerability remediation operation can expedite this process to ensure minimal delays. Once testing has been completed successfully, the update is then “promoted” to production-ready status and submitted into the change management process.
    • Often a separate release team may not exist, however, release management still occurs.

    For guidance on implementing or improving your release management process, refer to Info-Tech’s Stabilize Release and Deployment Management blueprint or speak to one of our experts.

    Info-Tech Insight

    Many organizations don’t have a separate release team. Rather, whomever is doing the deployment will submit a change request and the testing details are vetted through the organization’s change management process.

    For guidance on the change management process review our Optimize Change Management blueprint.

    Change Management

    Leverage change control, interruption management, approval, and scheduling.
    • Change management likely exists in some shape or form in your organization. There is usually someone or a committee, such as a change advisory board (CAB), that gives approval for a change.
    • Leveraging the change management process will ensure that your vulnerability remediation has undergone the proper review and approval before implementation. There will usually be business sign-off as part of a change management approval process.
    • Communication will also be integrated in the change management process, so the change manager will ensure that appropriate, timely communications are sent to the proper key stakeholders.
    • The change management process will link to release management and configuration management processes if they exist.

    For further guidance on implementing or improving your change management process, refer to Info-Tech’s Optimize Change Management blueprint or speak to one of our experts.

    “With no controls in place, IT gets the blame for embarrassing outages. Too much control, and IT is seen as a roadblock to innovation.” (VP IT, Federal Credit Union)

    Post-implementation activities

    Vulnerability remediation isn’t a “set it and forget it” activity.
    • Once vulnerability remediation has occurred, it is imperative that the results are reported back to the vulnerability management program manager. This ensures that the loop is closed and the tracking of the remediation activity is done properly.
      • Organizations that are subject to audit by external entities will understand the importance of such documentation.
    • The results of post-implementation review from the change management process will be of great interest, particularly if there was any deviation from the planned activities.
    • Although change execution will usually undergo some form of testing during the maintenance window, there is always the possibility that something has broken as a result of the software update. Be quick to respond to these types of incidents!
      • One example of an issue that is near impossible to test during a maintenance window is one that manifests only when the system or software comes under load. This is what makes for busy Monday mornings after a weekend change window.
    A scan with your vulnerability management software after remediation can be a way to verify that the overall risk has been reduced, if remediation was done by way of patching/updates.

    Info-Tech Insight

    After every change completion, whether due to vulnerability remediation or not, it is a good idea to ensure that your infrastructure team increases its monitoring diligence and that your service desk is ready for any sudden influx of end-user calls.

    Step 3.3

    Continuous improvement

    Activities

    None for this section.

    This step will walk you through the following activities:

    Although this section has no activities, it will review the process by which you may continually improve vulnerability management.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • ITOps team members, including tiers 1, 2, and 3
    • CISO
    • CIO

    Outcomes of this step

    An understanding of the importance of ongoing improvements to the vulnerability management program.

    Remediate vulnerabilities
    Step 3.1 Step 3.2 Step 3.3

    Drive continuous improvement

    • Also known as “Continual Improvement” within the ITIL best practice framework.
    • Your vulnerability management program will not be perfect on first launch. In fact, due to the ever-changing nature of vulnerabilities and the technology designed to detect and combat vulnerabilities, the processes within your vulnerability management program will need to be tweaked from time to time.
    • Continuous improvement is a sustained, proactive approach to process improvement. The practice allows for all process participants to observe and suggest incremental improvements that can help improve the overall process.
    • In many cases, continuous improvement can be triggered by changes in the environment. This makes perfect sense for vulnerability management process improvement as a change in the environment will require vulnerability scanning to ensure that such changes have not introduced new vulnerabilities into the environment, increasing your risk surface.
    • One key method to tracking continuous improvement is through the effective use of metrics, covered in Section 4.1 of this blueprint.
    “The success rate for continual improvement efforts is less than 60 percent. A major – if not the biggest – factor affecting the deployment of long-term continual improvement initiatives today is the fundamental change taking place in the way companies manage and execute work.” (Industry analyst at a consulting firm, 2014)

    Continuous Improvement

    Continuously re-evaluate the vulnerability management process.

    As your systems and assets change, your vulnerability management program may need updates in two ways.

    When new assets and systems are introduced:

    • When new systems and assets are introduced, it is important for organizations to recognize how these can affect vulnerability management.
    • It will be necessary to identify the business criticality of the new assets and systems and the sensitivity of the data that can be found on them.
    • Without doing so, these will be considered rogue systems or assets – there is no clear process for assigning urgencies.
    • This will only cause problems as actions may be taken that are not aligned with the organization’s risk management framework.

    Effective systems and asset management are needed to track this. Review Info-Tech’s Implement Systems Management to Improve Availability and Visibility blueprint for more help.

    Document any changes to the vulnerability management program in the Vulnerability Management SOP Template.

    When defense-in-depth capabilities are modified:

    • As you build an effective security program, more controls will be added that can be used to protect the organization.
    • These should be documented and evaluated based on ability to mitigate against vulnerabilities.
    • The defense-in-depth model that was previously established should be updated to include the new capabilities that can be used.
    • Defense-in-depth models are continually evolving as the security landscape evolves, and organizations must be ready for this.

    To assist in building a defense-in-depth model, review Build an Information Security Strategy.

    Implement Risk-Based Vulnerability Management

    Phase 4

    Measure and formalize

    Phase 1

    1.1 What is vulnerability management?
    1.2 Define scope and roles
    1.3 Cloud considerations for vulnerability management
    1.4 Vulnerability detection

     

    Phase 2

    2.1 Triage vulnerabilities
    2.2 Determine high-level business criticality
    2.3 Consider current security posture
    2.4 Risk assessment of vulnerabilities

     

    Phase 3

    3.1 Assessing remediation options
    3.2 Scheduling and executing remediation
    3.3 Continuous improvement

     

    Phase 4

    4.1 Metrics, KPIs & CSFs
    4.2 Vulnerability management policy
    4.3 Select and implement a scanning tool
    4.4 Penetration testing

    This phase will walk you through the following activities:

    • You will determine what ought to be measured to track the success of your vulnerability management program.
    • If you lack a scanning tool this phase will help you determine tool selection.
    • Lastly, penetration testing is a good next step to consider once you have your vulnerability management program well underway.

    This phase involves the following participants:

    • IT Security Manager
    • SecOps team members
    • Procurement representatives
    • CISO
    • CIO

    Step 4.1

    Metrics, Key Performance Indicators (KPIs), and Critical Success Factors (CSFs)

    Activities
    • 4.1.1 Measure your program with metrics, KPIs, and CSFs

    This step will walk you through the following activities:

    After a review of the differences between raw metrics, key performance indicators (KPI), and critical success factors (CSF), compile a list of what metrics you will be tracking, why, and the business goals for each.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • CISO
    • CIO

    Outcomes of this step

    Outline of metrics you can configure your vulnerability scanning tool to report on.

    Measure and formalize
    Step 4.1 Step 4.2 Step 4.3 Step 4.4

    You can’t manage what you can’t measure

    Metrics provides visibility.

    • Management consultant Peter Drucker introduced the concept of metrics tied to key performance indicators (KPIs), and the concept holds true: without metrics, you lack the visibility to manage or improve a process.
    • Metrics aren’t just a collection of statistics, they have to be meaningful, they have to tell the story, and most importantly, they have to answer the “so what?” question. What is the significance of a metric – do they illustrate a trend or an anomaly? What actions should be carried out when a metric hits a certain threshold?
    • It would be prudent to track several metrics that can be combined to tell the full story. For example, tracking the number of critical vulnerabilities alone does not give a sense of the overall risk to the organization, nor does it offer any information on how quickly they have been remediated or what amount of effort was invested.
    Stock image of measuring tape.

    Metrics, KPIs, and CSFs

    Tracking the right information and making the information relevant.
    • There is often confusion between raw metrics, key performance indicators, and critical success factors.
    • Raw metrics are what is trackable from your systems and processes as a set of measurements without any context. Raw metrics in themselves are useful in telling the story of “what are we doing?”
    • KPIs are the specific metric or combination of metrics that help you track or gauge performance. KPIs tell the story of “how are we doing?” or “how well are we doing?”
    • CSFs are the specific KPIs that track the activities that are absolutely critical to accomplish for the business or business unit to be successful.
    The activity tracker on your wrist is a wealth of metrics, KPIs, and CSFs.

    If you wear an activity tracker, you are likely already familiar with the differences between metrics, key performance indicators, and critical success factors:

    • The raw metrics are your heart rate, step count, hours of sleep, caloric intake, etc.
    • KPIs are the individual goals that you have set: maintain a heart rate within the appropriate range for your age/activity level, achieve a step count goal per day, get x hours of sleep per night, consume a calorie range of y per day, etc.
    • CSFs are your overall goal: increase your cardiovascular capacity, lose weight, feel more energetic, etc.

    Your security systems can be similarly measured and tracked – transfer this skill!

    Tracking relevant information

    Tell the story in the numbers.

    Below are a number of suggested metrics to track, and why.

    Business Goal

    Critical Success Factor

    Key Performance Indicator

    Metric to track

    Minimize overall risk exposure Reduction of overall risk due to vulnerabilities Decrease in vulnerabilities Track the number of vulnerabilities year after year.
    Appropriate allocation of time and resources Proper prioritization of vulnerability mitigation activities Decrease of critical and high vulnerabilities Track the number of high-urgency vulnerabilities.
    Consistent timely remediation of threats to the business Minimize risk when vulnerabilities are detected Remediate vulnerabilities more quickly Mean time to detect: track the average time between the identification to remediation.
    Track effectiveness of scanning tool Minimize the ratio, indicating that the tool sees everything Ratio between known assets and what the scanner tracks Scanner coverage compared to known assets in the organization.
    Having effective tools to track and address Accuracy of the scanning tool Difference or ratio between reported vulnerabilities and verified ones Number of critical or high vulnerabilities verified, between the scanning tool’s criticality rating and actual criticality.
    Reduction of exceptions to ensure minimal exposure Visibility into persistent vulnerabilities and risk mitigation measures Number of exceptions granted Number of vulnerabilities in which little or no remediation action was taken.

    4.1.1 Measure your program with metrics, KPIs, and CSFs

    60 minutes

    Input: List of metrics current being measured by the vulnerability management tool

    Output: List of relevant metrics to track, and the KPIs, CSFs, and business goals related to the metric

    Materials: Whiteboard/flip charts, Vulnerability Management SOP Template

    Participants: IT Security Manager, IT operations management, CISO

    Metrics can offer a way to view how the organization is dealing with vulnerabilities and if there is improvement.

    1. Determine the high-level vulnerability management goals for the organization.
    2. Even with a formal process in place, the organization should be considering ways it can improve.
    3. Determine metrics that can help quantify those goals and how they can be measured.
    4. Metrics should always be easy to measure. If it’s a complex process to find the information required, it means that it is not a metric that should be used.
    5. Document your list of metrics in the Vulnerability Management SOP Template.

    Download the Vulnerability Management SOP Template

    Step 4.2

    Vulnerability Management Policy

    Activities
    • 4.2.1 Update the vulnerability management program policy

    This step will walk you through the following activities:

    If you have a vulnerability management policy, this activity may help augment it. Otherwise, if you don’t have one, this would be a great starting point.

    This step involves the following participants:

    • IT Security Manager
    • CISO
    • CIO
    • Human resources representative

    Outcomes of this step

    An inaugural policy covering vulnerability management

    Measure and formalize
    Step 4.1 Step 4.2 Step 4.3 Step 4.4

    Vulnerability Management Program Policy

    Policies provide governance and enforcement of processes.
    • Policies offer formal guidance on the “rules” of a program, describing its purpose, scope, detailed program description, and consequences of non-compliance. Often they will have a employee sign-off acknowledging understanding.
    • In many organizations, policies are endorsed by senior executives, which gives the policy its “teeth” across the company. The human resources department will always have input due to the implications of the non-compliance aspect.
    • Policies are written to ensure an outcome of consistent expected behavior and are often written to protect the company from liability.
    • Policies should be easy to understand and unambiguous, reflect the current state, and be enforceable. Enforceability can come in the form of audit, technology, or any other means of determining compliance and enforcing behavior.
    Stock image of a judge's gavel.

    4.2.1 Update the vulnerability management policy

    60 minutes

    Input: Vulnerability Management SOP, HR guidance on policy creation and approval

    Output: Completed Vulnerability Management Policy

    Materials: Vulnerability Management SOP, Vulnerability Management Policy Template

    Participants: IT Security Manager, IT operations management, CISO, Human resources representative

    After having built your entire process in this project, formalize it into a vulnerability management policy. This will set the standards and expectations for vulnerability management in the organization, while the process will be around the specific actions that need to be taken around vulnerability management.

    This is separate and distinct from the Vulnerability Management SOP Template, which is a process and procedure document.
    1. Review Info-Tech’s Vulnerability Management Policy and customize it to your organization’s specifications.
    2. Use your Vulnerability Management SOP as a resource when specifying some of the details within the policy.
    Sample of Info-Tech's Vulnerability Management Policy Template

    Download the Vulnerability Management Policy Template

    Step 4.3

    Select and implement a scanning tool

    Activities
    • 4.3.1 Create an RFP for vulnerability scanning tools

    This step will walk you through the following activities:

    If you need to select a new vulnerability scanning tool, or replace your existing one, this activity will help set up a request for proposal (RFP).

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • CISO

    Outcomes of this step

    The provisions needed for you to create and deploy an RFP for a vulnerability management tool.

    Measure and formalize
    Step 4.1 Step 4.2 Step 4.3 Step 4.4

    Vulnerability management and penetration testing

    Similar in nature, yet provide different security functions.

    Vulnerability Scanning Tools

    Scanning tools focus on the network and operating systems. These tools look for items such as missing patches or open ports. They won’t detect specific application vulnerabilities.

    Exploitation Tools

    These tools will look to exploit a detected vulnerability to validate it.

    Penetration Tests

    A penetration test simulates the actions of an external or internal cyber attacker that aims to breach the information security of the organization. (Formal definition of penetration test)

    ‹————— What’s the difference again? —————›
    Vulnerability scanning tools are just one type of tool. When you add an exploitation tool to the mix, you move down the spectrum. Penetration tests will use scanning tools, exploitation tools, and people.

    What is the value of each?

    • For vulnerability scans, the person performing the scan provides the value – value comes from the organization itself.
    • For exploitation tools on their own, the value comes from the tool itself being used in a safe environment.
    • For penetration tests, the tester is providing the value. They are the value add.

    What’s the implication for me?

    Info-Tech Recommends:
    • A combination of vulnerability scanning and penetration testing. This will improve your security posture through systematic risk reduction and improve your security program through the testing of prevention, detection, and response capabilities with unique recommendations being generated.
    • Start with as much vulnerability scanning as possible to identify gaps to fix and then move onto a penetration test to do a more robust and validated assessment.
    • For penetration tests, start with a transparent box test first, then move to an opaque box. Ideally, this is done with different third parties.

    Vulnerability scanning software

    All organizations can benefit from having one.

    Scanning tools will benefit areas beyond just vulnerability management

    • Network security: It improves the accuracy and granularity of your network security technologies such as WAFs, NGFWs, IDPS, and SIEM.
    • Asset management: Vulnerability scanning can identify new or unknown assets and provide current status information on assets.
    • System management: Information from a vulnerability scan supports baselining activities and determination of high-value and high-risk assets.

    Vulnerability Detection Use Case

    Most organizations use scanners to identify and assess system vulnerabilities and prioritize efforts.

    Compliance Use Case

    Others will use scanners just for compliance, auditing, or larger GRC reasons.

    Asset Discovery Use Case

    Many organizations will use scanners to perform active host and application identification.

    Scanning Tool Market Trends

    Vulnerability scanning tools have expanded value from conventional checking for vulnerabilities to supporting configuration checking, asset discovery, inventory management, patch management, SSL certificate validation, and malware detection.

    Expect to see network and system vulnerability scanners develop larger vulnerability management functions and develop exploitation tool functionality. This will become a table stakes option enabling organizations to provide higher levels of validation of detected vulnerabilities. Some tools already possess these capabilities:

    • Core Impact is an exploitation tool with vulnerability scanning aspects.
    • Metasploit is an exploitation tool with some new vulnerability scanning aspects.
    • Nessus is mainly a vulnerability scanning tool but has some exploitation aspects.

    Device proliferation (BYOD, IoT, etc.) is increasing the need for stronger vulnerability management and scanners. This is driving the need for numerous device types and platform support and the development of baseline and configuration norms to support system management.

    Increased regulatory or compliance controls are also stipulating the need for vulnerability scanning, especially by a trusted third party.

    Organizations are outsourcing security functions or moving to cloud-based deployment options for any security technology they can. Expect to see massive growth of vulnerability scanning as a service.

    Vulnerability scanning market

    There are several technology types or functional differentiators that divide the market up.

    Vulnerability Exploitation Tools

    • These will actually test defences and better emulate real life than just scanning. These tools include packet manipulation tools (such as hping) and password cracking tools (such as John the Ripper or Cain and Abel).
    • These tools will provide much more granular information on your network, operations systems, and applications.
    • The main limitation of these tools is how to use them. If you do not have development or test environments that mimic your real production environments to run the exploit tools, these tools may not be appropriate. It may work if you can find some downtime on production systems, but only in very specific and careful instances.
    • Lower maturity security programs usually just do network and application vulnerability scanning. Higher maturity programs will also use penetration testing, application testing, and vulnerability exploitation tools.
    • Network vulnerability scanning tools should always be used. Once you identify any servers or ports running web applications, then you run a web application vulnerability scanner.
    • Exploitation tools and application testing tools are used in more specific use cases that are often related to more-demanding security programs.

    Scanning Tool Market Trends

    • These are considered baseline tools and are near commoditization.
    • Vulnerability scanning tools are not granular enough to detect application-level vulnerabilities (thus the need for application scanners and testing tools) and they don’t validate the exploitability of the vulnerability (thus the need for exploit tools).

    Web Application Scanning Tools

    These tools perform dynamic application security testing (DAST) and static application security testing (SAST).

    Application Scanning and Testing Tools

    • These perform a detailed scan against an application to detect any problematic or malicious code and try to break the application using known vulnerabilities.
    • These tools will identify if something is vulnerable to an exploit but won’t actually run the exploit.
    • These tools are evaluated based on their ability to detect application-specific issues and validate them.

    Vulnerability scanning tool features

    Evaluate vulnerability scanning tools on specific features or functions that are the best differentiators.

    Differentiator

    Description

    Deployment Options Do you want a traditional on-premises, cloud-based, or managed service?
    Vulnerability Database Coverage Scanners use a library of known vulnerabilities to test for. Evaluate based on the amount of exploits/vulnerabilities the tool can scan for.
    Scanning Method Evaluate if you want agent-based, authenticated active, unauthenticated active, passive, or some combination of those scanning methods.
    Integration What is the breadth of other security and non-security technologies the tool can integrate with?
    Remediation How detailed are the recommended remediation actions? The more granular, the better.
     

    Differentiator

    Description

    Prioritization Does the tool evaluate vulnerabilities based on commonly accepted methods or through a custom-designed prioritization methodology?
    Platform Support What is the breadth of environment, application, and device support in the tool? Consider your need for virtual support, cloud support, device support, and application-specific support. Also consider how often new scanning modules are supported (e.g. how quickly Windows 10 was supported).
    Pricing As with many security controls that have been around for a long time and are commonly used, pricing becomes a main consideration, especially when there are so many open-source options available.

    Common areas people mistake as tool differentiators:

    • Accuracy – Scanning tools are evaluated more on efficiency than effectiveness. Evaluate on the ability to detect, remediate, and manage vulnerabilities rather than real vulnerability detection and the number of false positives. To reduce false positives, you need to use exploitation tools.
    • Performance – Scanning tools have such a small footprint in an environment and the actual scanning itself is such a small impact that evaluation on performance doesn’t matter.

    For more information on vulnerability scanning tools and how they rate, review the Vulnerability Management category on SoftwareReviews.

    Vulnerability scanning deployment options

    Understand the different deployment options to identify which is best for your security program.

    Option

    Description

    Pros

    Cons

    Use Cases

    On-Premises Either an on-premises appliance or an on-premises virtualized machine that performs external and internal scanning.
    • Small resource need, so limited network impact.
    • Strong internal scanning.
    • Easier integration with other technologies.
    • Network footprint and resource usage.
    • Maintenance and support costs.
    • Most common deployment option.
    • Appropriate if you have cloud concerns or strong internal network scanning, or if you require strong integration with other systems.
    Cloud Either hosted on a public cloud infrastructure or hosted by a third party and offered “as a service.”
    • Small network footprint.
    • On-demand scanning as needed.
    • Optimal external scanning capabilities.
    • Can only do edge-related scanning unless authenticated or agent based.
    • No internal network scanning with passive or unauthenticated active scanning methods.
    • Very limited network resources.
    • Compliance obligations that dictate external vulnerability scanning.
    Managed A third party is contracted to manage and maintain your vulnerability scanner so you can dedicate resources elsewhere.
    • Expert management of environment scanning, optimizing tool usage.
    • Most scanning work time is report customization and tuning and remediation efforts; thus, managed doesn’t provide sizable resource alleviation.
    • Third party has and owns the vulnerability information.
    • Limited staff resources or expertise to maintain and manage scanner.

    Vulnerability scanning methods

    Understand the different scanning methods to identify which tool best supports your needs.

    Method

    Description

    Pros

    Cons

    Use Cases

    Agent-Based Scanning Locally installed software gives the information needed to evaluate the security posture of a device.
    • Provides information that can’t be discovered remotely such as installed applications that aren’t running at a given time.
    • Device processing, memory, and network bandwidth impact.
    • Asset without an agent is not scanned.
    • Need for continuous scanning.
    • Organization has strong asset management
    Authenticated Active Scanning Tool uses authenticated credentials to log in to a device or application to perform scanning.
    • Provides information that can’t be discovered remotely such as installed applications that aren’t running at a given time.
    • Best accuracy for vulnerability detection across a network.
    • Aggregation and centralization of authenticated credentials creates a major risk.
    • All use cases.
    Unauthenticated Active Scanning Scanning of devices without any authentication.
    • Emulates realistic scan by an attacker.
    • Provides limited scope of scanning.
    • Some compliance use cases.
    • Perform after either agent or authenticated scanning.
    Passive Scanning Scanning of network traffic.
    • Lowest resource impact.
    • Not enough information can be provided for true prioritization and remediation.
    • Augmenting scanning technique to agent or authenticated scanning.

    IP Management and IPv6

    IP management and the ability to manage IPv6 is a new area for scanning tool evaluation.

    Scanning on IPv4

    Scanning tools create databases of systems and devices with IP addresses.
    Info-Tech Recommends:

    • It is easier to do discovery by directing the scanner at a set IP address or range of IP addresses; thus, it’s useful to organize your database by IPs.
    • Do discovery by phases: Start with internet-facing systems. Your perimeter usually is well-defined by IP addresses and system owners and is most open to attack.
    • Stipulate a list of your known IP addresses through the DHCP registration and perform a scan on that.
    • Depending on your IP address space, another option is to scan your entire IP address space.

    Current Problem With IP Addresses

    IP addresses are becoming no longer manageable or even owned by organizations. They are often provided by ISPs or other third parties.

    Even if it is your range, chances are you don't do static IP ranges today.

    Info-Tech Recommends:

    • Agent-based scanning or MAC address-based scanning
    • Use your DHCP for scanning

    Scanning on IPv6

    First, you need to know if your organization is moving to IPv6. IPv6 is not strategically routed yet for most organizations.

    If you are moving to IPv6, Info-Tech recommends the following:

    • Because you cannot point a scanner at an IPv6 IP range, any scanning tool needs to have a strategy around how to handle IPv6 and properly scan based on IP ranges.
    • You need to know IPv4 to IPv6 translations.
    • Evaluate vulnerability scanning tools on whether any IPv6 features are on par with IPv4 features.

    If you are already on IPv6, Info-Tech recommends the following:

    • If you are on an IPv6 native network, it is nearly impossible to scan the network. You have to always scan your known addresses from your DHCP.

    4.3.1 Create an RFP for vulnerability scanning tools

    2 hours

    Input: List of key feature requirements for the new tool, List of intersect points with current software, Network topology and layout of servers and applications

    Output: Completed RFP document that can be distributed to vendor proponents

    Materials: Whiteboard/flip charts, Vulnerability Scanning Tool RFP Template

    Participants: IT Security Manager, IT operations managers, CISO, Procurement department representative

    Use a request for proposal (RFP) template to convey your desired scanning tool requirements to vendors and outline the proposal and procurement steps set by your organization.

    1. Determine what kind of requirements will be needed for your scanning tool RFP, based on people, process, and technology requirements.
    2. Consider items such as the desired capabilities and the scope of the scanning.
    3. Conduct interviews with relevant stakeholders to determine the exact requirements needed.
    4. Use Info-Tech’s Vulnerability Scanning Tool RFP Template. It lists many requirements but can be customized to your organization’s specific needs.

    Download the Vulnerability Scanning Tool RFP Template

    4.3.1 Create an RFP for vulnerability scanning tools (continued)

    Things to Consider:
    • Ensure there is adequate resource dedication to support and maintenance for vulnerability scanning.
    • Consider if you will benefit from an RFP. If there is a more appropriate option for your need and your organization, consider that instead.
    • If you don’t know the product you want, then perform an RFI.
    • In the RFP, you need to express your driving needs for the tool so the vendor can best understand your use case.
    • Identify who should participate in the RFP creation and evaluation. Make sure they have time available and it does not conflict with other items.
    • Determine if you want to send it to a select few or if you want to send it to a lot of vendors.
    • Determine a response date so you can know who is soliciting your business.
    • You need to have a process to handle questions from vendors.
    Info-Tech RFP Table of Contents:
    1. Statement of Work
    2. General Information
    3. Proposal Preparation Instructions
    4. Scope of Work, Specifications, and Requirements
    5. Vendor Qualifications and References
    6. Budget and Estimated Pricing
    7. Vendor Certification

    Download the Vulnerability Scanning Tool RFP Template

    Step 4.4

    Penetration testing

    Activities
    • 4.1.1 Create an RFP for penetration tests

    This step will walk you through the following activities:

    We will review penetration testing, its distinction from vulnerability management, and why you may want to engage a penetration testing service.

    We provide a request for proposal (RFP) template that we can review if this is an area of interest.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • CISO
    • CIO

    Outcomes of this step

    An understanding of penetration testing, and guidance on how to get started if there is interest to do so.

    Measure and formalize
    Step 4.1 Step 4.2 Step 4.3 Step 4.4

    Penetration testing

    Penetration tests are critical parts of any strong security program.

    Penetration testing will emulate the methods an attacker would use in the real world to circumvent your security controls and gain access to systems and data.

    Penetration testing is much more than just running a scanner or other automated tools and then generating a report. Penetration testing performs critical exploit validation to create certainty around your vulnerability.

    The primary objective of a penetration test is to identify and validate security weaknesses in an organization’s security systems.

    Reasons to Test:

    • Assess current security control effectiveness
    • Develop an action plan of items
    • Build a business case for a better security program
    • Increased security budget through vulnerability validation
    • Third-party, unbiased validation
    • Adhere to compliance or regulatory requirements
    • Raise security awareness
    • Demonstrate how an attacker can escalate privileges
    • Effective way to test incident response

    Regulatory Considerations:

    • There is a lot of regulatory wording saying that organizations can’t get a system that is managed, integrated, and supported by one vendor and then have it tested by the same vendor.
    • There is the need for separate third-party testing.
    • Penetration testing is required for PCI, cloud providers, and federal entities.

    How and where is the value being generated?

    Penetration testing is a service provided by trained and tested professionals with years of experience. The person behind the test is the most important part of the test. The person is able to emulate a real-life attacker better than any computer. It is just a vulnerability scan if you use tools or executables alone.

    “A penetration test is an audit with validation.” (Joel Shapiro, Vice President Sales, Digital Boundary Group)

    Start by considering the spectrum of penetration tests

    Network Penetration Tests

    Conventional testing of network defences.

    Testing vectors include:

    • Perimeter infrastructure
    • Wireless, WEP/WPA cracking
    • Cloud penetration testing
    • Telephony systems or VoIP
    Types of tests:
    • Denial-of-service testing
    • Out-of-band attacks
    • War dialing
    • Wireless network testing/war driving
    • Spoofing
    • Trojan attacks
    • Brute force attacks
    • Watering hole attacks
    • Honeypots
    • Cloud-penetration testing
    Application Penetration Tests

    Core business functions are now being provided through web applications, either to external customers or to internal end users.

    Types: Web apps, non-web apps, mobile apps

    Application penetration and security testing encompasses:

    • Code review – analyzing the application code for sensitive information of vulnerabilities in the code.
    • Authorization testing – testing systems responsible for user session management to see if unauthorized access can be permitted.
    • Authentication process for user testing.
    • Functionality testing – test the application functionality itself.
    • Website pen testing – active analysis of weaknesses or vulnerabilities.
    • Encryption testing – testing things like randomness or key strength.
    • User-session integrity testing.
    Human-Centric Testing
    • Penetration testing is developing a people aspect as opposed to just being technology focused.
    • End users and their susceptibility to social engineering attacks (spear phishing, phone calls, physical site testing, etc.) is now a common area to test.
    • Social engineering penetration testing is not only about identifying your human vulnerabilities, but also about proactively training your end users. As well as discovering and fixing potential vulnerabilities, social engineering penetration testing will help to raise security awareness within an organization.

    Info-Tech Insight

    Your pen test should use multiple methods. Demonstrating weakness in one area is good but easy to identify. When you blend techniques, you get better success at breaching and it becomes more life-like. Think about prevention, detection, and response testing to provide full insight into your security defenses.

    Penetration testing types

    Evaluate four variables to determine which type of penetration test is most appropriate for your organization.

    Evaluate these dimensions to determine relevant penetration testing.

    Network, Application, or Human

    Evaluate your need to perform different types of penetration testing.

    Some level of network and application testing is most likely appropriate.

    The more common decision point is to consider to what degree your organization requires human-centric penetration testing.

    External or Internal

    External: Attacking an organization’s perimeter and internet-facing systems. For these, you generally provide some level of information to the tester. The test will begin with publicly available information gathering followed by some kind of network scanning or probing against externally visible servers or devices (DNS server, email server, web server, firewall, etc.)

    Internal: Carried out within the organization’s network. This emulates an attack originating from an internal point (disgruntled employee, authorized user, etc.). The idea is to see what could happen if the perimeter is breached.

    Transparent, Semi-Transparent, or Opaque Box

    Opaque Box: The penetration tester is not provided any information. This emulates a real-life attack. Test team uses publicly available information (corporate website, DNS, USENET, etc.) to start the test. These tests are more time consuming and expensive. They often result in exploitation of the easiest vulnerability.
    Use cases: emulating a real-life attack; testing detection and response capabilities; limited network segmentation.

    Transparent Box: Tester is provided full disclosure of information. The tester will have access to everything they need: building floor plans, data flow designs, network topology, etc. This represents what a credentialed and knowledgeable insider would do.
    Use cases: full assessment of security controls; testing of attacker traversal capabilities.

    Aggressiveness of the Test

    Not Aggressive: Very slow and careful penetration testing. Usually spread out in terms of packets being sent and number of calls to individuals. It attempts to not set off any alarm bells.

    Aggressive: A full DoS attack or something similar. These would be DoS attacks that take down systems or full SQL injection attacks all at once versus small injections over time. Testing options cover anything including physical tests, network tests, social engineering, and data extraction and exfiltration. This is more costly and time consuming.

    Assessing Aggressiveness: How aggressive the test should be is based on the threats you are concerned with. Assess who you are concerned with: random individuals on the internet, state-sponsored attacks, criminals, hacktivists, etc. Who you are concerned with will determine the appropriate aggressiveness of the test.

    Penetration testing scope

    Establish the scope of your penetration test before engaging vendors.

    Determining the scope of what is being tested is the most important part of a penetration test. Organizations need to be as specific as possible so the vendor can actually respond or ask questions.

    Organizations need to define boundaries, objectives, and key success factors.

    For scope:
    • If you go too narrow, the realism of the test suffers.
    • If you go too broad, it is more costly and there’s a possible increase in false positives.
    • Balance scope vs. budget.
    Boundaries to scope before a test:
    • IP addresses
    • URLs
    • Applications
    • Who is in scope for social engineering
    • Physical access from roof to dumpsters defined
    • Scope prioritized for high-value assets
    Objectives and key success factors to scope:
    • When is the test complete? Is it at the point of validated exploitation?
    • Are you looking for as many holes as possible, or are you looking for how many ways each hole can be exploited?

    What would be out of scope?

    • Are there systems, IP addresses, or other things you want out of scope? These are things you don’t explicitly want any penetration tester to touch.
    • Are there third-party connections to your environment that you don’t want to be tested? These are instances such as cloud providers, supply chain connections, and various services.
    • Are there things that would be awkward to test? For example, determine if you include high-level people in a social engineering test. Do you conduct social engineering for the CEO? If you get their credentials, it could be an awkward moment.

    Ways to break up a penetration test:

    • Location – This is the most common way to break up a penetration test.
    • Division – Self-contained business units are often done as separate tests so you can see how each unit does.
    • IT systems – For example, you put certain security controls in a firewall and want to test its effectiveness.
    • Applications – For example, you are launching a new website or a new portal and you want to test it.

    Penetration testing appropriateness

    Determine your penetration testing appropriateness.

    Usual instances to conduct a penetration test:
    • Setting up a new physical office. Penetration testing will not only test security capabilities but also resource availability and map out network flows.
    • New infrastructure hardware implemented. All new infrastructure needs to be tested.
    • Changes or upgrades to existing infrastructure. Need for testing varies depending on the size of the change.
    • New application deployment. Need to test before being pushed to production environments.
    • Changes or upgrades to existing applications. When fundamental functional changes occur, perform testing:
      • Before upgrades or patching
      • After upgrades or patching
    • Periodic testing. It is a best practice to periodically test your security control effectiveness. Consider at least an annual test.

    Specific timing considerations: Testing should be completed during non-production times of day. Testing should be completed after a backup has been performed.

    Assess your threats to determine your appropriate test type:

    Penetration testing is about what threats you are concerned about. Understand your risk profile, risk tolerance level, and specific threats to see how relevant penetration tests are.

    • Are external attackers concerning to you? Are you distressed about how an attacker can use brute force to enter your network? If so, focus on ingress points, such as FWs, routers, and DMZ.
    • Is social engineering a concern for you (i.e. phone-based or email-based)? Then you are concerned about a credentialed hacker.
    • Is it an insider threat, a disgruntled employee, etc.? This also includes an internal system that is under command and control (C&C).

    ANALYST PERSPECTIVE: Do a test only after you take a first pass.
    If you have not done some level of vulnerability assessment on your own (performing a scan, checking third-party sources, etc.) don’t waste your money on a penetration test. Only perform a penetration test after you have done a first pass and identified and remediated all the low-hanging fruit.

    4.4.1 Create an RFP for penetration tests

    2 hours

    Input: List of criteria and scope for the penetration test, Systems and application information if white box

    Output: Completed RFP document that can be distributed to vendor proponents

    Materials: Whiteboard/flip charts, Penetration Test RFP Template

    Participants: IT Security Manager, IT operations managers, CISO, Procurement department representative

    Use an RFP template to convey your desired penetration test requirements to vendors and outline the proposal and procurement steps set by your organization.

    1. Determine what kind of requirements will be needed for your penetration test RFP based on people, process, and technology requirements.
      • Consider items such as your technology environment and the scope of the penetration tests.
    2. Conduct an interview with relevant stakeholders to determine the exact requirements needed.
    3. Use Info-Tech’s Penetration Test RFP Template, which lists many requirements but can be customized to your organization’s specific needs.

    Download the Penetration Test RFP Template

    4.4.1 Create an RFP for penetration tests (continued)

    Steps of a penetration test:
    1. Determine scope
    2. Gather targeted intelligence
    3. Review exploit attempts, such as access and escalation
    4. Test the collection of sensitive data
    5. Run reporting
    Info-Tech RFP Table of Contents:
    1. Statement of Work
    2. General Information
    3. Proposal Preparation Instructions
    4. Scope of Work, Specifications, and Requirements
    5. Vendor Qualifications and References
    6. Budget and Estimated Pricing
    7. Vendor Certification

    Download the Penetration Test RFP Template

    Penetration testing considerations – service providers

    Consider what type of penetration testing service provider is best for your organization

    Professional Service Providers

    Professional Services Firms. These firms will often provide a myriad of professional services across auditing, financial, and consulting services. If they offer security-related consulting services, they will most likely offer some level of penetration testing.

    Security Service Firms. These are dedicated security consulting or advisory firms that will offer a wide spectrum of security-related services. Penetration testing may be one aspect of larger security assessments and strategy development services.

    Dedicated Penetration Testing Firms. These are service providers that will often offer the full gamut of penetration testing services.

    Integrators

    Managed Security Service Providers. These providers will offer penetration testing. For example, Dell SecureWorks offers numerous services including penetration testing. For organizations like this, you need to be skeptical of ulterior motives. For example, expect recommendations around outsourcing from Dell SecureWorks.

    Regional or Small Integrators. These are service providers that provide security services of some kind. For example, they would help in the implementation of a firewall and offer penetration testing services as well.

    Info-Tech Recommends:

    • Always be conscientious of who is conducting the testing and what else they offer. Even if you get another party to test rather than your technology provider, they will try to obtain you as a client. Remember that for larger technology vendors, security testing is a small revenue stream for them and it’s a way to find technology clients. They may offer penetration testing for free to obtain other business.
    • Most of the penetration testers were systems administrators (for network testing) or application developers (for application testing) at some point before becoming penetration testers. Remember this when evaluating providers and evaluating remediation recommendations.
    • Evaluate what kind of open-source tools, commercial tools, and proprietary tools are being used. In general, you don’t want to rely on an open-source scanner. For open source, they will have more outdated vulnerability databases, system identification can also be limited compared to commercial, and reporting is often lacking.
    • Above all else, ensure your testers are legally capable, experienced, and abide by non-disclosure agreements.

    Penetration testing best practices – communications

    Communication With Service Provider

    • During testing there should be designated points of contact between the service provider and the client.
    • There needs to be secure channels for communication of information between the tester and the client both during the test and for any results.
    • Results should always be explained to the client by the tester, regardless of the content or audience.
    • There should be a formal debrief with the results report.
    Immediate reporting of issues
    • Before any testing commences, immediate reporting conditions need to be defined. These are instances when you would want immediate notification of something occurring.
    • Stipulate certain systems or data types that if broken into or compromised, you would want to be notified right away.
    • Example:
      • If you are conducting social engineering, require notification for all account credentials that are compromised. Once credentials are compromised, it destroys all accountability for those credentials and the actions associated with those credentials by any user.
      • Require immediate reporting of specific high-critical systems that are compromised or if access is even found.
      • Require immediate reporting when regulated data is discovered or compromised in any way.

    Communication With Internal Staff

    Do you tell your internal staff that this is happening?

    This is sometimes called a “double blind test” when you don’t let your IT team know of the test occurring.

    Pros to notifying:
    • This tests the organization’s security monitoring, incident detection, and response capabilities.
    • Letting the team know they are going to see some activity will make sure they don’t get too worried about it.
    • There may be systems you can’t jeopardize but still need to test so notification beforehand is essential (e.g. you wouldn’t allow ERP testing with notification).
    Cons:
    • It does not give you a real-life example of how you respond if something happens.
    • Potential element of disrespect to IT people.

    Penetration testing best practices – results and remediation

    What to expect from penetration test results report:

    A final results report will state all findings including what was done by the testers, what vulnerabilities or exploitations were detected, how they were compromised, the related risk, and related remediation recommendations.

    Expect four major sections:
    • Introduction. An overview of the penetration test methodology including rating methodology of vulnerabilities.
    • Executive Summary. A management-level description of the test, often including a summary of any recommendations.
    • Technical Review. An overview of each item that was looked at and touched. This area breaks down what was done, how it was done, what was found, and any related remediation recommendations. Expect graphs and visuals in this section.
    • Detailed Findings. An in-depth breakdown of all testing methods used and results. Each vulnerability will be explained regarding how it was detected, what the risk is, and what the remediation recommendation is.
    Two areas that will vary by service provider:

    Prioritization

    • Most providers will boast their unique prioritization methodology.
    • A high, medium, and low rating scale based on some combination of variables (e.g. ease of exploitation, breadth of hole, information accessed resulting in further exploitation).
    • The prioritization won’t take into account asset value or criticality.
    • Keep in mind the penetration test is not an input into ultimate vulnerability prioritization, but it can help determine your urgency.

    Remediation

    • Remediation recommendations will vary across providers.
    • Generally, fairly generic recommendations are provided (e.g. remove your old telnet and input up-to-date SSH).
    • Most of the time, it is along the lines of “we found a hole; close the hole.”

    Summary of Accomplishment

    Problem Solved

    At the conclusion of this blueprint, you will have created a full vulnerability management program that will allow you to take a risk-based approach to vulnerability remediation.

    Assessing a vulnerability’s risk will enable you to properly determine the true urgency of a vulnerability within the context of your organization; this ensures you are not just blindly following what the tool is reporting.

    The risk-based approach will allow you to prioritize your discovered vulnerabilities and take immediate action on critical and high vulnerabilities while allowing your standard remediation cycle to address the medium to low vulnerabilities.

    With your program defined and developed, you now need to configure your vulnerability scanning tool or acquire one if you don’t already have a tool in place.

    Lastly, while vulnerability management will help address your systems and applications, how do you know if you are secure from external malicious actors? Penetration testing will offer visibility, allowing you to plug those holes and attain an environment with a smaller risk surface.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    Additional Support

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Photo of Jimmy Tom.

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

    Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    Sample of the Implement Vulnerability Management storyboard.
    Review of the Implement Vulnerability Management storyboard
    Sample of the Vulnerability Mitigation SOP template.
    Build your vulnerability management SOP

    Contributors

    Contributors from 2016 version of this project:

    • Morey Haber, Vice President of Technology, BeyondTrust
    • Richard Barretto, Manager, Information Privacy and Security, Cimpress
    • Joel Shapiro, Vice President Sales, Digital Boundary Group

    Contributors from current version of this project:

    • 2 anonymous contributors from the manufacturing sector
    • 1 anonymous contributor from a US government agency
    • 2 anonymous contributors from the financial sector
    • 1 anonymous contributor from the medical technology industry
    • 2 anonymous contributors from higher education
    • 1 anonymous contributor from a Canadian government agency
    • 7 anonymous others; information gathered from advisory calls

    Bibliography

    Arya. “COVID-19 Impact: Vulnerability Management Solution Market | Strategic Industry Evolutionary Analysis Focus on Leading Key Players and Revenue Growth Analysis by Forecast To 2028 – FireMon, Digital Shadows, AlienVault.” Bulletin Line, 6 Aug. 2020. Accessed 6 Aug. 2020.

    Campagna, Rich. “The Lean, Mean Vulnerability Management Machine.” Security Boulevard, 31 Mar. 2020. Accessed 15 Aug. 2020.

    Constantin, Lucian. “What are vulnerability scanners and how do they work?” CSO Online, 10 Apr. 2020. Accessed 1 Sept. 2020.

    “CVE security vulnerabilities published in 2019.” CVE Details. Accessed 22 Sept. 2020.

    Garden, Paul, et al. “2019 Year End Report – Vulnerability QuickView.” Risk Based Security, 2020. Accessed 22 Sept. 2020.

    Keary, Eoin. “2019 Vulnerability Statistics Report.” Edgescan, Feb. 2019. Accessed 22 Sept. 2020.

    Lefkowitz, Josh. ““Risk-Based Vulnerability Management is a Must for Security & Compliance.” SecurityWeek, 1 July 2019. Accessed 1 Nov. 2020.

    Mell, Peter, Tiffany Bergeron, and David Henning. “Creating a Patch and Vulnerability Management Program.” Creating a Patch and Vulnerability Management Program. NIST, Nov. 2005. Web.

    “National Vulnerability Database.” NIST. Accessed 18 Oct. 2020.

    “OpenVAS – Open Vulnerability Assessment Scanner.” OpenVAS. Accessed 14 Sept. 2020.

    “OVAL.” OVAL. Accessed 21 Oct. 2020.

    Paganini, Pierluigi. “Exploiting and Verifying Shellshock: CVE-2014-6271.” INFOSEC, 27 Sept. 2014. Web.

    Pritha. “Top 10 Metrics for your Vulnerability Management Program.” CISO Platform, 28 Nov. 2019. Accessed 25 Oct. 2020.

    “Risk-Based Vulnerability Management: Understanding Vulnerability Risk With Threat Context And Business Impact.” Tenable. Accessed 21 Oct. 2020.

    Stone, Mark. “Shellshock In-Depth: Why This Old Vulnerability Won’t Go Away.” SecurityIntelligence, 6 Aug. 2020. Web.

    “The Role of Threat Intelligence in Vulnerability Management.” NOPSEC, 18 Sept. 2014. Accessed 18 Aug. 2020.

    “Top 15 Paid and Free Vulnerability Scanner Tools in 2020.” DNSstuff, 6 Jan. 2020. Accessed 15 Sept. 2020.

    Truta, Filip. “60% of Breaches in 2019 Involved Unpatched Vulnerabilities.” Security Boulevard, 31 Oct. 2019. Accessed 2 Nov. 2020.

    “Vulnerability Management Program.” Core Security. Accessed 15 Sept. 2020.

    “What is Risk-Based Vulnerability Management?” Balbix. Accessed 15 Sept. 2020.

    White, Monica. “The Cost Savings of Effective Vulnerability Management (Part 1).” Kenna Security, 23 April 2020. Accessed 20 Sept. 2020.

    Wilczek, Marc. “Average Cost of a Data Breach in 2020: $3.86M.” Dark Reading, 24 Aug. 2020. Accessed 5 Nov 2020.

    Prepare Your Organization to Successfully Embrace the “New Normal”

    • Buy Link or Shortcode: {j2store}422|cart{/j2store}
    • member rating overall impact: 9.3/10 Overall Impact
    • member rating average dollars saved: $61,749 Average $ Saved
    • member rating average days saved: 2 Average Days Saved
    • Parent Category Name: DR and Business Continuity
    • Parent Category Link: /business-continuity
    • The COVID-19 pandemic is creating significant challenges across every sector, but even the deepest crisis will eventually pass. However, many of the changes it has brought to how organizations function are here to stay.
    • As an IT leader, it can be challenging to envision what this future state will look like and how to position IT as a trusted partner to the business to help steer the ship as the crisis abates.

    Our Advice

    Critical Insight

    • Organizations need to cast their gaze into the “New Normal” and determine an appropriate strategy to stabilize their operations, mitigate ongoing challenges, and seize new opportunities that will be presented in a post-COVID-19 world.
    • IT needs to understand the key trends and permanent changes that will exist following the crisis and develop a proactive roadmap for rapidly adapting their technology stack, processes, and resourcing to adjust to the new normal.

    Impact and Result

    • Info-Tech recommends a three-step approach for adapting to the new normal: begin by surveying crucial changes that will occur as a result of the COVID-19 pandemic, assess their relevance to your organization’s unique situation, and create an initiatives roadmap to support the new normal.
    • This mini-blueprint will examine five key themes: changing paradigms for remote work, new product delivery models, more self-service options for customers, greater decentralization and agility for organizational decision making, and a renewed emphasis on security architecture.

    Prepare Your Organization to Successfully Embrace the “New Normal” Research & Tools

    Read the Research

    Understand the five key trends that will persist after the pandemic has passed and create a roadmap of initiatives to help your organization adapt to the "New Normal."

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Prepare Your Organization to Successfully Embrace the “New Normal” Storyboard
    [infographic]

    Establish Realistic IT Resource Management Practices

    • Buy Link or Shortcode: {j2store}435|cart{/j2store}
    • member rating overall impact: 9.5/10 Overall Impact
    • member rating average dollars saved: $36,337 Average $ Saved
    • member rating average days saved: 28 Average Days Saved
    • Parent Category Name: Portfolio Management
    • Parent Category Link: /portfolio-management
    • As CIO, you oversee a department that lacks the resource capacity to adequately meet organizational demand for new projects and services.
    • More projects are approved by the steering committee (or equivalent) than your department realistically has the capacity for, and you and your staff have little recourse to push back. If you have a PMO – and that PMO is one of the few that provides usable resource capacity projections – that information is rarely used to make strategic approval and prioritization decisions.
    • As a result, project quality and timelines suffer, and service delivery lags. Your staff are overallocated, but you lack statistical evidence because of incomplete estimates, allocations, and very little accurate data.

    Our Advice

    Critical Insight

    • IT’s capacity for new project work is largely overestimated. Much of IT’s time is lost to tasks that go unregulated and untracked (e.g. operations and support work, break-fixes and other reactive work) before project work is ever approved. When projects are approved, it is done so with little insight or concern for IT’s capacity to realistically complete that work.
    • The shift to matrix work structures has strained traditional methods of time tracking. Day-to-day demand is chaotic, and staff are pulled in multiple directions by numerous people. As fast-paced, rapidly changing, interruption-driven environments become the new normal, distractions and inefficiencies interfere with productive project work and usable capacity data.
    • The executive team approves too many projects, but it is not held to account for this malinvestment of time. Instead, it’s up to individual workers to sink or swim, as they attempt to reconcile, day after day, seemingly infinite organizational demand for new services and projects with their finite supply of working hours.

    Impact and Result

    • Instill a culture of capacity awareness. For years, the project portfolio management (PPM) industry has helped IT departments report on demand and usage, but has largely failed to make capacity part of the conversation. This research helps inject capacity awareness into project and service portfolio planning, enabling IT to get proactive about constraints before overallocation spirals, and project and service delivery suffers.
    • Build a sustainable process. Efforts to improve resource management often falter when you try to get too granular too quickly. Info-Tech’s approach starts at a high level, ensuring that capacity data is accurate and usable, and that IT’s process discipline is mature enough to maintain the data, before drilling down into greater levels of precision.
    • Establish a capacity book of record. You will ultimately need a tool to help provide ongoing resource visibility. Follow the advice in this blueprint to help with your tool selection, and ensure you meet the reporting needs of both your team and executives.

    Establish Realistic IT Resource Management Practices Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should develop a resource management strategy, review Info-Tech’s methodology, and understand the ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Take stock of organizational supply and demand

    Set the right resource management approach for your team and create a realistic estimate of your resource supply and organizational demand.

    • Balance Supply and Demand with Realistic Resource Management Practices – Phase 1: Take Stock of Organizational Supply and Demand
    • Resource Management Supply-Demand Calculator
    • Time Audit Workbook
    • Time-Tracking Survey Email Template

    2. Design a realistic resource management process

    Build a resource management process to ensure data accuracy and sustainability, and make the best tool selection to support your processes.

    • Balance Supply and Demand with Realistic Resource Management Practices – Phase 2: Design a Realistic Resource Management Process
    • Resource Management Playbook
    • PPM Solution Vendor Demo Script
    • Portfolio Manager Lite 2017

    3. Implement sustainable resource management practices

    Develop a plan to pilot your resource management processes to achieve maximum adoption, and anticipate challenges that could inhibit you from keeping supply and demand continually balanced.

    • Balance Supply and Demand with Realistic Resource Management Practices – Phase 3: Implement Sustainable Resource Management Practices
    • Process Pilot Plan Template
    • Project Portfolio Analyst / PMO Analyst
    • Resource Management Communications Template
    [infographic]

    Workshop: Establish Realistic IT Resource Management Practices

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Take Stock of Organizational Supply and Demand

    The Purpose

    Obtain a high-level view of current resource management practices.

    Identify current and target states of resource management maturity.

    Perform an in-depth time-tracking audit and gain insight into how time is spent on project versus non-project work to calculate realized capacity.

    Key Benefits Achieved

    Assess current distribution of accountabilities in resource management.

    Delve into your current problems to uncover root causes.

    Validate capacity and demand estimations with a time-tracking survey.

    Activities

    1.1 Perform a root-cause analysis of resourcing challenges facing the organization.

    1.2 Create a realistic estimate of project capacity.

    1.3 Map all sources of demand on resources at a high level.

    1.4 Validate your supply and demand assumptions by directly surveying your resources.

    Outputs

    Root-cause analysis

    Tab 2 of the Resource Management Supply-Demand Calculator, the Time Audit Workbook, and survey templates

    Tabs 3 and 4 of the Resource Management Supply-Demand Calculator

    Complete the Time Audit Workbook

    2 Design a Realistic Resource Management Process

    The Purpose

    Construct a resource management strategy that aligns with your team’s process maturity levels.

    Determine the resource management tool that will best support your processes.

    Key Benefits Achieved

    Activities

    2.1 Action the decision points in Info-Tech’s seven dimensions of resource management.

    2.2 Review resource management tool options, and depending on your selection, prepare a vendor demo script or review and set up Info-Tech’s Portfolio Manager Lite.

    2.3 Customize a workflow and process steps within the bounds of your seven dimensions and informed by your tool selection.

    Outputs

    A wireframe for a right-sized resource management strategy

    A vendor demo script or Info-Tech’s Portfolio Manager Lite.

    A customized resource management process and Resource Management Playbook.

    3 Implement Sustainable Resource Management Practices

    The Purpose

    Develop a plan to pilot your new processes to test whether you have chosen the right dimensions for maintaining resource data.

    Develop a communication plan to guide you through the implementation of the strategy and manage any resistance you may encounter.

    Key Benefits Achieved

    Identify and address improvements before officially instituting the new resource management strategy.

    Identify the other factors that affect resource productivity.

    Implement a completed resource management solution.

    Activities

    3.1 Develop a pilot plan.

    3.2 Perform a resource management start/stop/continue exercise.

    3.3 Develop plans to mitigate executive stakeholder, team, and structural factors that could inhibit your implementation.

    3.4 Finalize the playbook and customize a presentation to help explain your new processes to the organization.

    Outputs

    Process Pilot Plan Template

    A refined resource management process informed by feedback and lessons learned

    Stakeholder management plan

    Resource Management Communications Template

    Further reading

    Establish Realistic IT Resource Management Practices

    Holistically balance IT supply and demand to avoid overallocation.

    Analyst perspective

    Restore the right accountabilities for reconciling supply and demand.

    "Who gets in trouble at the organization when too many projects are approved?

    We’ve just exited a period of about 20-25 years where the answer to the above question was usually “nobody.” The officers of the corporation held nobody to account for the malinvestment of resources that comes from approving too many projects or having systemically unrealistic project due dates. Boards of directors failed to hold the officers accountable for that. And shareholders failed to hold boards of directors accountable for that.

    But this is shifting right under our feet. Increasingly, PMOs are being managed with the mentality previously reserved for those in the finance department. In many cases, the PMOs are now reporting to the CFO! This represents a very simple and basic reversion to the concept of fiduciary duty: somebody will be held to account for the consumption of all those hours, and somebody should be the approver of projects who created the excess demand." – Barry Cousins Senior Director of Research, PMO Practice Info-Tech Research Group

    Our understanding of the problem

    This Research Is Designed For:

    • IT leaders who lack actionable evidence of a resource-supply, work-demand imbalance.
    • CIOs whose departments struggle to meet service and project delivery expectations with given resources.
    • Portfolio managers, PMO directors, and project managers whose portfolio and project plans suffer due to unstable resource availability.

    This Research Will Help You:

    • Build trustworthy resource capacity data to support service and project portfolio management.
    • Develop sustainable resource management practices to help you estimate, and continually validate, your true resource capacity for services and projects.
    • Identify the demands that deplete your resource capacity without creating value for IT.

    This Research Will Also Assist:

    • Steering committee and C-suite management who want to improve IT’s delivery of projects.
    • Project sponsors that want to ensure their projects get the promised resource time by their project managers.

    This Research Will Help Them:

    • Ensure sufficient supply of time for projects to be successfully completed with high quality.
    • Communicate the new resource management practice and get stakeholder buy-in.

    Executive summary

    Situation

    • As CIO, you oversee a department that lacks the resource capacity to adequately meet organizational demand for new projects and services. As a result, project quality and timelines suffer, and service delivery lags.
    • You need a resource management strategy to help bring balance to supply and demand in order to improve IT’s ability to deliver.

    Complication

    • The shift to matrix work structures has strained traditional methods of time tracking. Day-to-day demand is chaotic; staff are pulled in multiple directions by numerous people, making usable capacity data elusive.
    • The executive team approves too many projects, but is not held to account for the overspend on time. Instead, the IT worker is made liable, expected to simply get things done under excessive demands.

    Resolution

    • Instill a culture of capacity awareness. For years, the project portfolio management (PPM) industry has helped IT departments report on demand and usage, but it has largely failed to make capacity part of the conversation. This research helps inject capacity awareness into project and service portfolio planning, enabling IT to get proactive about constraints before overallocation spirals, and project and service delivery suffers.
    • Build a sustainable process. Efforts to get better at resource management often falter when you try to get too granular too quickly. Info-Tech’s approach starts at a high level, ensuring that capacity data is accurate and usable, and that IT’s process discipline is mature enough to maintain the data, before drilling down into greater levels of precision.
    • Establish a capacity hub. You will ultimately need a tool to help provide ongoing resource visibility. Follow the advice in this blueprint to help with your tool selection and ensure the reporting needs of both your team and executives are met.

    Info-Tech Insight

    1. Take a realistic approach to resource management. New organizational realities have made traditional, rigorous resource projections impossible to maintain. Accept reality and get realistic about where IT’s time goes.
    2. Make IT’s capacity perpetually transparent. The best way to ensure projects are approved and scheduled based upon the availability of the right teams and skills is to shine a light into IT’s capacity and hold decision makers to account with usable capacity reports.

    The availability of staff time is rarely factored into IT project and service delivery commitments

    As a result, a lot gets promised and worked on, and staff are always busy, but very little actually gets done – at least not within given timelines or to expected levels of quality.

    Organizations tend to bite off more than they can chew when it comes to project and service delivery commitments involving IT resources.

    While the need for businesses to make an excess of IT commitments is understandable, the impacts of systemically overallocating IT are clearly negative:

    • Stakeholder relations suffer. Promises are made to the business that can’t be met by IT.
    • IT delivery suffers. Project timelines and quality frequently suffer, and service support regularly lags.
    • Employee engagement suffers. Anxiety and stress levels are consistently high among IT staff, while morale and engagement levels are low.

    76% of organizations say they have too many projects on the go and an unmanageable and ever-growing backlog of things to get to. (Cooper, 2014)

    Almost 70% of workers feel as though they have too much work on their plates and not enough time to do it. (Reynolds, 2016)

    Resource management can help to improve workloads and project results, but traditional approaches commonly fall short

    Traditional approaches to resource management suffer from a fundamental misconception about the availability of time in 2017.

    The concept of resource management comes from a pre-World Wide Web era, when resource and project plans could be based on a relatively stable set of assumptions.

    In the old paradigm, the availability of time was fairly predictable, as was the demand for IT services, so there was value to investing time into rigorous demand forecasts and planning.

    Resource projections could be based in a secure set of assumptions – i.e. 8 hour days, 40 hour weeks – and staff had the time to support detailed resource management processes that provided accurate usage data.

    Old Realities

    • Predictability. Change tended to be slow and deliberate, providing more stability for advanced, rigorous demand forecasts and planning.
    • Fixed hierarchy. Tasks, priorities, and decisions were communicated through a fixed chain of command.
    • Single-task focus. The old reality was more accommodating to sustained focus on one task at a time.

    96% of organizations report problems with the accuracy of information on employee timesheets. (Dimensional, 2013)

    Old reality resource forecasting inevitably falters under the weight of unpredictable demands and constant distractions

    New realities are causing demands on workers’ time to be unpredictable and unrelenting, making a sustained focus on a specific task for any length of time elusive.

    Part of the old resource management mythology is the idea that a person can do (for example) eight different one-hour tasks in eight hours of continuous work. This idea has gone from harmlessly mistaken to grossly unrealistic.

    The predictability and focus have given way to more chaotic workplace realities. Technology is ubiquitous, and the demand for IT services is constant.

    A day in IT is characterized by frequent task-switching, regular interruptions, and an influx of technology-enabled distractions.

    Every 3 minutes and 5 seconds: How often the typical office worker switches tasks, either through self-directed or other-directed interruptions. (Schulte, 2015)

    12 minutes, 40 seconds: The average amount of time in-between face-to-face interruptions in matrix organizations. (Anderson, 2015)

    23 minutes, 15 seconds: The average amount of time it takes to become on task, productive, and focused again after an interruption. (Schulte, 2015)

    759 hours: The average number of hours lost per employee annually due to distractions and interruptions. (Huth, 2015)

    The validity of traditional, rigorous resource planning has long been an illusion. New realities are making the sustained focus and stable assumptions that old reality projections relied on all but impossible to maintain.

    For resource management practices to be effective, they need to evolve to meet new realities

    New organizational realities have exacerbated traditional approaches to time tracking, making accurate and usable resource data elusive.

    The technology revolution that began in the 1990s ushered in a new paradigm in organizational structures. Matrix reporting structures, diminished supervision of knowledge workers, massive multi-tasking, and a continuous stream of information and communications from the outside world have smashed the predictability and stability of the old paradigm.

    The resource management industry has largely failed to evolve. It remains stubbornly rooted in old realities, relying on calculations and rollups that become increasingly unsustainable and irrelevant in our high-autonomy staff cultures and interruption-driven work days.

    New Realities

    • Unpredictable. Technologies and organizational strategies change before traditional IT demand forecasts and project plans can be realized.
    • Matrix management. Staff can be accountable to multiple project managers and functional managers at any given time.
    • Multi-task focus. In the new reality, workers’ attentions are scattered across multiple tasks and projects at any given time.

    87% of organizations report challenges with traditional methods of time tracking and reporting. (Dimensional, 2013)

    40% of working time is not tracked or tracked inaccurately by staff. (actiTIME, 2016)

    Poor resource management practices cost organizations dearly

    While time is money, the statistics around resource visibility and utilization suggest that the vast majority of organizations don’t spend their available time all that wisely.

    Research shows that ineffective resource management directly impacts an organization’s bottom line, contributing to such cost drains as the systemic late delivery of projects and increased project costs.

    Despite this, the majority of organizations fail to treat staff time like the precious commodity it is.

    As the results of a 2016 survey show, the top three pain points for IT and PMO leaders all revolve around a wider cultural negligence concerning staff time (Alexander, TechRepublic, 2016):

    • Overcommitted resources
    • Constant change that affects staff assignments
    • An inability to prioritize shared resources

    Top risks associated with poor resource management

    Inability to complete projects on time – 52%

    Inability to innovate fast enough – 39%

    Increased project costs – 38%

    Missed business opportunities – 34%

    Dissatisfied customers or clients – 32%

    12 times more waste – Organizations with poor resource management practices waste nearly 12 times more resource hours than high-performing organizations. (PMI, 2014)

    The concept of fiduciary duty represents the best way to bring balance to supply and demand, and improve project outcomes

    Unless someone is accountable for controlling the consumption of staff hours, too much work will get approved and committed to without evidence of sufficient resourcing.

    Who is accountable for controlling the consumption of staff hours?

    In many ways, no question is more important to the organization’s bottom line – and certainly, to the effectiveness of a resource management strategy.

    Historically, the answer would have been the executive layer of the organization. However, in the 1990s management largely abdicated its obligation to control resources and expenditures via “employee empowerment.”

    Controls on approvals became less rigid, and accountability for choosing what to do (and not do) shifted onto the shoulders of the individual worker. This creates a current paradigm where no one is accountable for the malinvestment…

    …of resources that comes from approving too many projects. Instead, it’s up to individual workers to sink-or-swim, as they attempt to reconcile, day after day, seemingly infinite organizational demand with their finite supply of working hours.

    If your organization has higher demand (i.e. approved project work) than supply (i.e. people’s time), your staff will be the final decision makers on what does and does NOT get worked on.

    Effective time leadership distinguishes top performing senior executives

    "Everything requires time… It is the one truly universal condition. All work takes place in time and uses up time. Yet most people take for granted this unique, irreplaceable and necessary resource. Nothing else, perhaps, distinguishes effective executives as much as their tender loving care of time." – Peter Drucker (quoted in Frank)

    67% of employees surveyed believe their CEOs focus too much on decisions based in short-term financial results and not enough time on decisions that create a stable, positive workplace for staff. (2016 Edelman Trust Barometer)

    Bring balance to supply and demand with realistic resource management practices

    Use Info-Tech’s approach to resource management to capture an accurate view of where your time goes and achieve sustained visibility into your capacity for new projects.

    Realistic project resource management starts by aligning demand with capacity, and then developing tactics to sustain alignment, even in the chaos of our fast-paced, rapidly changing, interruption-driven project environments.

    This blueprint will help you develop practices to promote and maintain accurate resourcing data, while developing tactics to continually inform decision makers’ assumptions about how much capacity is realistically available for project work.

    This research follows a three-phase approach to sustainable practices:

    1. Take Stock of Organizational Supply and Demand
    2. Design a Realistic Resource Management Process
    3. Implement Sustainable Resource Management Practices

    Info-Tech’s three-phase framework is structured around a practical, tactical approach to resource management. It’s not about what you put together as a one-time snapshot. It’s about what you can and will maintain every week, even during a crisis. When you stop maintaining resource management data, it’s nearly impossible to catch up and you’re usually forced to start fresh.

    Info-Tech’s approach is rooted in our seven dimensions of resource management

    Action the decision points across Info-Tech’s seven dimensions to ensure your resource management process is guided by realistic data and process goals.

    Default project vs. non-project ratio

    How much time is available for projects once non-project demands are factored in?

    Reporting frequency

    How often is the allocation data verified, reconciled, and reported for use?

    Forecast horizon

    How far into the future can you realistically predict resource supply?

    Scope of allocation

    To whom is time allocated?

    Allocation cadence

    How long is each allocation period?

    Granularity of time allocation

    What’s the smallest unit of time to allocate?

    Granularity of work assignment

    What is time allocated to?

    This blueprint will help you make the right decisions for your organization across each of these dimensions to ensure your resource management practices match your current process maturity levels.

    Once your framework is defined, we’ll equip you with a tactical plan to help keep supply and demand continually balanced

    This blueprint will help you customize a playbook to ensure your allocations are perpetually balanced week after week, month after month.

    Developing a process is one thing, sustaining it is another.

    The goal of this research isn’t just to achieve a one-time balancing of workloads and expect that this will stand the test of time.

    The true test of a resource management process is how well it facilitates the flow of accurate and usable data as workloads become chaotic, and fires and crises erupt.

    • Info-Tech’s approach will help you develop a playbook and a “rebalancing routine” that will help ensure your allocations remain perpetually current and balanced.
    • The sample routine to the right shows you an example of what this rebalancing process will look like (customizing this process is covered in Phase 3 of the blueprint).

    Sample “rebalancing” routine

    • Maintain a comprehensive list of the sources of demand (i.e. document the matrix).
    • Catalog the demand.
    • Allocate the supply.
    • Forecast the capacity to your forecast horizon.
    • Identify and prepare work packages or tasks for unsatisfied demand to ensure that supply can be utilized if it becomes free.
    • Reconcile any imbalance by repeating steps 1-5 on update frequency, say, weekly or monthly.

    Info-Tech’s method is complemented by a suite of resource management tools and templates

    Each phase of this blueprint is accompanied by supporting deliverables to help plan your resource management strategy and sustain your process implementation.

    Resource management depends on the flow of information and data from the project level up to functional managers, project managers, and beyond – CIOs, steering committees, and senior executives.

    Tools are required to help plan, organize, and facilitate this flow, and each phase of this blueprint is centered around tools and templates to help you successfully support your process implementation.

    Take Stock of Organizational Supply and Demand

    Tools and Templates:

    Design a Realistic Resource Management Process

    Tools and Templates:

    Implement Sustainable Resource Management Practices

    Tools and Templates:

    Use Info-Tech’s Portfolio Manager Lite to support your new process without a heavy upfront investment in tools

    Spreadsheets can provide a viable alternative for organizations not ready to invest in an expensive tool, or for those not getting what they need from their commercial selections.

    While homegrown solutions like spreadsheets and intranet sites lack the robust functionality of commercial offerings, they have dramatically lower complexity and cost-in-use.

    Info-Tech’s Portfolio Manager Lite is a sophisticated, scalable, and highly customizable spreadsheet-based solution that will get your new resource management process up and running, without a heavy upfront cost.

    Kinds of PPM solutions used by Info-Tech clients

    Homemade – 46%

    Commercial – 33%

    No Solution – 21%

    (Info-Tech Research Group (2016), N=433)

    The image shows 3 sheets with charts and graphs.

    Samples of Portfolio Manager Lite's output and reporting tabs

    Info-Tech’s approach to resource management is part of our larger project portfolio management framework

    This blueprint will help you master the art of resource management and set you up for greater success in other project portfolio management capabilities.

    Resource management is one capability within Info-Tech’s larger project portfolio management (PPM) framework.

    Resource visibility and capacity awareness permeates the whole of PPM, helping to ensure the right intake decisions get made, and projects are scheduled according to resource and skill availability.

    Whether you have an existing PPM strategy that you are looking to optimize or you are just starting on your PPM journey, this blueprint will help you situate your resource management processes within a larger project and portfolio framework.

    Info-Tech’ s PPM framework is based on extensive research and practical application, and complements industry standards such as those offered by PMI and ISACA.

    Project Portfolio Management
    Status & Progress Reporting
    Intake, Approval, & Prioritization Resource Management Project Management Project Closure Benefits Tracking
    Organizational Change Management
    Intake → Execution→ Closure

    Realize the value that improved resource management practices could bring to your organization

    Spend your company’s HR dollars more efficiently.

    Improved resource management and capacity awareness will allow your organization to improve resource utilization and increase project throughput.

    CIOs, PMOs, and portfolio managers can use this blueprint to improve the alignment between supply and demand. You should be able to gauge the value through the following metrics:

    Near-Term Success Metrics (6 to 12 months)

    • Increased frequency of currency (i.e. more accurate and usable resource data and reports).
    • Improved job satisfaction from project resources due to more even workloads.
    • Better ability to schedule project start dates and estimate end dates due to recourse visibility.

    Long-Term Success Metrics (12 to 24 months)

    • More projects completed on time.
    • Reclaimed capacity for project work.
    • A reduction in resource waste and increased resource utilization on productive project work.
    • Ability to track estimated vs. actual budget and work effort on projects.

    In the past 12 months, Info-Tech clients have reported an average measured value rating of $550,000 from the purchase of workshops based on this research.

    Info-Tech client masters resource management by shifting the focus to capacity forecasting

    CASE STUDY

    Industry Education

    Source Info-Tech Client

    Situation

    • There are more than 200 people in the IT organization.
    • IT is essentially a shared services environment with clients spanning multiple institutions across a wide geography.
    • The PMO identified dedicated resources for resource management.

    Complication

    • The definition of “resource management” was constantly shifting between accounting the past (i.e. time records), the present (i.e. work assignments), and the future (i.e. long term project allocations).
    • The task data set (i.e. for current work assignments) was not aligned to the historic time records or future capacity.
    • It was difficult to predict or account for the spend, which exceeded 30,000 hours per month.

    “We’re told we can’t say NO to projects. But this new tool set and approach allows us to give an informed WHEN.” – Senior PMO Director, Education

    Resolution

    • The leadership decided to forecast and communicate their resource capacity on a 3-4 month forecast horizon using Info-Tech’s Portfolio Manager 2017.
    • Unallocated resource capacity was identified within certain skill sets that had previously been assessed as fully allocated. While some of the more high-visibility staff were indeed overallocated, other more junior personnel had been systemically underutilized on projects.
    • The high demand for IT project resourcing was immediately placed in the context of a believable, credible expression of supply.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Establish Realistic IT Resource Management Practices – project overview

    1. Take Stock of Organizational Supply and Demand 2. Design a Realistic Resource Management Process 3. Implement Sustainable Resource Management Practices
    Best-Practice Toolkit

    1.1 Set a resource management course of action

    1.2 Create realistic estimates of supply and demand

    2.1 Customize the seven dimensions of resource management

    2.2 Determine the resource management tool that will best support your process

    2.3 Build process steps to ensure data accuracy and sustainability

    3.1 Pilot your resource management process to assess viability

    3.2 Plan to engage your stakeholders with your playbook

    Guided Implementations
    • Scoping call
    • Assess how accountability for resource management is currently distributed
    • Create a realistic estimate of project capacity
    • Map all sources of demand on resources at a high level
    • Set your seven dimensions of resource management
    • Jump-start spreadsheet-based resource management with Portfolio Manager Lite
    • Build on the workflow to determine how data will be collected and who will support the process
    • Define the scope of a pilot and determine logistics
    • Finalize resource management roles and responsibilities
    • Brainstorm and plan for potential resistance to change, objections, and fatigue from stakeholders
    Onsite Workshop

    Module 1:

    • Take Stock of Organizational Supply and Demand

    Module 2:

    • Design a Realistic Resource Management Process

    Module 3:

    • Implement Sustainable Resource Management Practices

    Phase 1 Outcome:

    • Resource Management Supply-Demand Calculator

    Phase 2 Outcome:

    • Resource Management Playbook

    Phase 3 Outcome:

    • Resource Management Communications Template

    Workshop overview

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Workshop Day 1 Workshop Day 2 Workshop Day 3 Workshop Day 4 Workshop Day 5
    Activities

    Introduction to PPM and resource management

    1.1 Complete and review PPM Current State Scorecard Assessment

    1.2 Perform root cause analysis of resource management challenges

    1.3 Initiate time audit survey of management and staff

    Take stock of supply and demand

    2.1 Review the outputs of the time audit survey and analyze the data

    2.2 Analyze project and non-project demands, including the sources of those demands

    2.3 Set the seven dimensions of resource management

    Design a resource management process

    3.1 Review resource management tool options

    3.2 Prepare a vendor demo script or review Portfolio Manager Lite

    3.3 Build process steps to ensure data accuracy and sustainability

    Pilot and refine the process

    4.1 Define methods for piloting the strategy (after the workshop)

    4.2 Complete the Process Pilot Plan Template

    4.3 Conduct a mock resource management meeting

    4.4 Perform a RACI exercise

    Communicate and implement the process

    5.1 Brainstorm potential implications of the new strategy and develop a plan to manage stakeholder and staff resistance to the strategy

    5.2 Customize the Resource Management Communications Template

    5.3 Finalize the playbook

    Deliverables
    1. PPM Current State Scorecard Assessment
    2. Root cause analysis
    3. Time Audit Workbook and survey templates
    1. Resource Management Supply-Demand Calculator
    1. Portfolio Manager Lite
    2. PPM Solution Vendor Demo Script
    3. Tentative Resource Management Playbook
    1. Process Pilot Plan Template
    2. RACI chart
    1. Resource Management Communications Template
    2. Finalized Resource Management Playbook

    Phase 1

    Take Stock of Organizational Resource Supply and Demand

    Phase 1 Outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Take Stock of Organizational Resource Supply and Demand

    Proposed Time to Completion (in weeks): 1-2 weeks

    Step 1.1: Analyze the current state

    Start with an analyst kick-off call:

    • Discuss the goals, aims, benefits, and challenges of resource management
    • Identify who is currently accountable for balancing resource supply and demand

    Then complete these activities…

    • Assess the current distribution of accountabilities in resource management
    • Delve into your current problems to uncover root causes
    • Make a go/no-go decision on developing a new resource management practice
    Step 1.2: Estimate your supply and demand

    Review findings with analyst:

    • Root causes of resource management
    • Your current impression about the resource supply-demand imbalance

    Then complete these activities…

    • Estimate your resource capacity for each role
    • Estimate your project/non-project demand on resources
    • Validate the findings with a time-tracking survey

    With these tools & templates:

    • Resource Management Supply-Demand Calculator
    • Time-Tracking Survey Email Template

    Phase 1 Results & Insights:

    A matrix organization creates many small, untraceable demands that are often overlooked in resource management efforts, which leads to underestimating total demand and overcommitting resources. To capture them and enhance the success of your resource management effort, focus on completeness rather than precision. Precision of data will improve over time as your process maturity grows.

    Step 1.1: Set a resource management course of action

    PHASE 1

    1.1 Set a course of action

    1.2 Estimate supply and demand

    PHASE 2

    2.1 Select resource management dimensions

    2.2 Select resource management tools

    2.3 Build process steps

    PHASE 3

    3.1 Pilot your process for viability

    3.2 Plan stakeholder engagement

    This step will walk you through the following activities:
    • Determine your resource management process capability level
    • Assess how accountability for resource management is currently distributed
    This step involves the following participants:
    • CIO / IT Director
    • PMO Director/ Portfolio Manager
    • Functional / Resource Managers
    • Project Managers
    Outcomes of this step
    • Current distribution of accountability for resource management practice
    • Root-cause analysis of resourcing challenges facing the organization
    • Commitment to implementing a right-sized resource management practice

    “Too many projects, not enough resources” is the reality of most IT environments

    A profound imbalance between demand (i.e. approved project work and service delivery commitments) and supply (i.e. people’s time) is the top challenge IT departments face today..

    In today’s organizations, the desires of business units for new products and enhancements, and the appetites of senior leadership to approve more and more projects for those products and services, far outstrip IT’s ability to realistically deliver on everything.

    The vast majority of IT departments lack the resourcing to meet project demand – especially given the fact that day-to-day operational demands frequently trump project work.

    As a result, project throughput suffers – and with it, IT’s reputation within the organization.

    Info-Tech Insight

    Where does the time go? The portfolio manager (or equivalent) should function as the accounting department for time, showing what’s available in IT’s human resources budget for projects and providing ongoing visibility into how that budget of time is being spent.

    Resource management can help to even out staff workloads and improve project and service delivery results

    As the results of a recent survey* show, the top three pain points for IT and PMO leaders all revolve around a wider cultural negligence concerning staff time:

    • Overcommitted resources
    • Constant change that affects staff assignments
    • An inability to prioritize shared resources

    A resource management strategy can help to alleviate these pain points and reconcile the imbalance between supply and demand by achieving the following outcomes:

    • Improving resource visibility
    • Reducing overallocation, and accordingly, resource stress
    • Reducing project delay
    • Improving resource efficiency and productivity

    Top risks associated with poor resource management

    Inability to complete projects on time – 52%

    Inability to innovate fast enough – 39%

    Increased project costs – 38%

    Missed business opportunities – 34%

    Dissatisfied customers or clients – 32%

    12 times more waste – Organizations with poor resource management practices waste nearly 12 times more resource hours than high-performing organizations. (PMI, 2014)

    Resource management is a core process in Info-Tech’s project portfolio management framework

    Project portfolio management (PPM) creates a stable and secure infrastructure around projects.

    PPM’s goal is to maximize the throughput of projects that provide strategic and operational value to the organization. To do this, a PPM strategy must help to:

    Info-Tech's Project Portfolio Management Process Model
    3. Status & Progress Reporting [make sure the projects are okay]
    1. Intake, Approval, & Prioritization [select the right projects] 2. Resource Management [Pick the right time and people to execute the projects Project Management

    4. Project Closure

    [make sure the projects get done]

    5. Benefits Tracking

    [make sure they were worth doing]

    Organizational Change Management
    Intake → Execution→ Closure

    If you don’t yet have a PPM strategy in place, or would like to revisit your existing PPM strategy before implementing resource management practices, see Info-Tech’s blueprint, Develop a Project Portfolio Management Strategy.

    Effective resource management is rooted in a relatively simple set of questions

    However, while the questions are rather simple, the answers become complicated by challenges unique to matrix organizations and other workplace realities in 2017.

    To support the goals of PPM more generally, resource management must (1) supply quality work-hours to approved and ongoing projects, and (2) supply reliable data with which to steer the project portfolio.

    To do this, a resource management strategy must address a relatively straightforward set of questions.

    Key Questions

    • Who assigns the resources?
    • Who feeds the data on resources?
    • How do we make sure it’s valid?
    • How do we handle contingencies when projects are late or when availability changes?

    Challenges

    • Matrix organizations require project workers to answer to many masters and balance project work with “keep the lights on” activities and other administrative work.
    • Interruptions, distractions, and divided attention create consistent challenges for workplace productivity.

    "In matrix organizations, complicated processes and tools get implemented to answer the deceptively simple question “what’s Bob going to work on over the next few months?” Inevitably, the data captured becomes the focus of scrutiny as functional and project managers complain about data inaccuracy while simultaneously remaining reluctant to invest the effort necessary to improve quality." – Kiron Bondale

    Determine your organization’s resource management capability level with a maturity assessment

    1.1.1
    10 minutes

    Input

    • Organizational strategy and culture

    Output

    • Resource management capability level

    Materials

    • N/A

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Resource Managers

    Kick-off the discussion on the resource management process by deciding which capability level most accurately describes your organization’s current state.

    Capability Level Descriptions
    Capability Level 5: Optimized Our organization has an accurate picture of project versus non-project workloads and allocates resources accordingly. We periodically reclaim lost capacity through organizational and behavioral change.
    Capability Level 4: Aligned We have an accurate picture of how much time is spent on project versus non-project work. We allocate resources to these projects accordingly. We are checking in on project progress bi-weekly.
    Capability Level 3: Pixelated We are allocating resources to projects and tracking progress monthly. We have a rough estimate of how much time is spent on project versus non-project work.
    Capability Level 2: Opaque We match resource teams to projects and check in annually, but we do not forecast future resource needs or track project versus non-project work.
    Capability Level 1: Unmanaged Our organization expects projects to be finished, but there is no process in place for allocating resources or tracking project progress.

    If resources are poorly managed, they prioritize work based on consequences rather than on meeting demand

    As a result, matrix organizations are collectively steered by each resource and its individual motives, not by managers, executives, or organizational strategy.

    In a matrix organization, demands on a resource’s time come from many directions, each demand unaware of the others. Resources are expected to prioritize their work, but they typically lack the authority to formally reject demand, so demand frequently outstrips the supply of work-hours the resource can deliver.

    When this happens, the resource has three options:

    1. Work more hours, typically without compensation.
    2. Choose tasks not to do in a way that minimizes personal consequences.
    3. Diminish work quality to meet quantity demands.

    The result is an unsustainable system for those involved:

    1. Resources cannot meet expectations, leading to frustration and disengagement.
    2. Managers cannot deliver on the projects or services they manage and struggle to retain skilled resources who are looking elsewhere for “greener pastures.”
    3. Executives cannot execute strategic plans as they lose decision-making power over their resources.

    Scope your resource management practices within a matrix organization by asking “who?”

    Resource management boils down to a seemingly simple question: how do we balance supply and demand? Balancing requires a decision maker to make choices; however, in a matrix organization, identifying this decision maker is not straightforward:

    Balance

    • Who decides how much capacity should be dedicated to project work versus administrative or operational work?
    • Who decides how to respond to unexpected changes in supply or demand?

    Supply

    • Who decides how much total capacity we have for each necessary skill set?
    • Who manages the contingency, or redundancy, of capacity?
    • Who validates the capacity supply as a whole?
    • Who decides what to report as unexpected changes in supply (and to whom)?

    Demand

    • Who generates demand on the resource that can be controlled by their manager?
    • Who generates demand on the capacity that cannot be controlled by their manager?
    • Who validates the demand on capacity as a whole?
    • Who decides what to report as unexpected changes in demand (and to whom)?

    The individual who has the authority to make choices, and who is ultimately liable for those decisions, is an accountable person. In a matrix organization, accountability is dispersed, sometimes spilling over to those without the necessary authority.

    To effectively balance supply and demand, senior management must be held accountable

    Differentiate between responsibility and accountability to manage the organization’s project portfolio effectively.

    Responsibility

    The responsible party is the individual (or group) who actually completes the task.

    Responsibility can be shared.

    VS.

    Accountability

    The accountable person is the individual who has the authority to make choices, and is ultimately answerable for the decision.

    Accountability cannot be shared.

    Resources often do not have the necessary scope of authority to make resource management choices, so they can never be truly accountable for the project portfolio. Instead, resources are accountable for making available trustworthy data, so the right people can make choices driven by organizational strategy.

    The next activity will assess how accountability for resource management is currently distributed in your organization.

    Assess the current distribution of accountability for resource management practice

    1.1.2
    15 minutes

    Input

    • Organizational strategy and culture

    Output

    • Current distribution of accountabilities for resource management

    Materials

    • Whiteboard/flip chart
    • Markers

    Participants

    • CIO
    • PMO Director/ Portfolio Manager

    Below is a list of tasks in resource management that require choices. Discuss who is currently accountable and whether they have the right authority and ability to deliver on that accountability.

    Resource management tasks that require choices Accountability
    Current Effective?
    Identify all demands on resources
    Prioritize identified project demands
    Prioritize identified operational demands
    Prioritize identified administrative demands
    Prioritize all of the above demands
    Enumerate resource supply
    Validate resource supply
    Collect and validate supply and demand data
    Defer or reject work beyond available supply
    Adjust resource supply to meet demand

    Develop coordination between project and functional managers to optimize resource management

    Because resources are invariably responsible for both project and non-project work, efforts to procure capacity for projects cannot exist in isolation.

    IT departments need many different technical skill sets at their disposal for their day-to-day operations and services, as well as for projects. A limited hiring budget for IT restricts the number of hires with any given skill, forcing IT to share resources between service and project portfolios.

    This resource sharing produces a matrix organization divided along the lines of service and projects. Functional and project managers provide respective oversight for services and projects. Resources split their available work-hours toward service and project tasks according to priority – in theory.

    However, in practice, two major challenges exist:

    1. Poor coordination between functional and project managers causes commitments beyond resource capacity, disputes about resource oversight, and animosity among management, all while resources struggle to balance unclear priorities.
    2. Resources have a “third boss,” namely uncontrolled demands from the rest of the business, which lack both visibility and accountability.

    The image shows a board balanced on a ball (labelled Resource Management), with two balls on either end of it (Capacity Supply on the left, and Demand on the right), and another board balanced on top of the right ball, with two more balls balanced on either side of it (Projects on the left and Operational, Administrative, Etc. on the right).

    Resource management processes must account for the numerous small demands generated in a matrix organization

    Avoid going bankrupt $20 at a time: small demands add up to a significant chunk of work-hours.

    Because resource managers must cover both projects and services within IT, the typical solution to allocation problems in matrix organizations is to escalate the urgency and severity of demands by involving the executive steering committee. Unfortunately, the steering committee cannot expend time and resources on all demands. Instead, they often set a minimum threshold for cases – 100-1,000 work-hours depending on the organization.

    Under this resource management practice, small demands – especially the quick-fixes and little projects from “the third boss” – continue to erode project capacity. Eventually, projects fail to get resources because pesky small demands have no restrictions on the resources they consumed.

    Realistic resource management needs to account for demand from all three bosses; however…

    Info-Tech Insight

    Excess project or service request intake channels lead to the proliferation of “off-the-grid” projects and tasks that lack visibility from the IT leadership. This can indicate that there may be too much red tape: that is, the request process is made too complex or cumbersome. Consider simplifying the request process and bring IT’s visibility into those requests.

    Interrogate your resource management problems to uncover root causes

    1.1.3
    30 minutes to 1 hour

    Input

    • Organizational strategy and culture

    Output

    • Root causes of resource management failures

    Materials

    • Whiteboard/flip chart
    • Sticky notes
    • Markers

    Participants

    • CIO
    • PMO Director/ Portfolio Manager
    • Functional Managers
    • Project Managers
    1. Pick a starting problem statement in resource management. e.g. projects can’t get resource work-hours.
    2. Ask the participants “why”? Use three generic headings – people, processes, and technology – to keep participants focused. Keep the responses solution-agnostic: do not jump to solutions. If you have a large group, divide into smaller groups and use sticky notes to encourage more participation in this brainstorming step.
    People Processes Technology
    • We don’t have enough people/skills.
    • People are tied up on projects that run late.
    • Functional and project managers appear to hoard resources.
    • Resources cannot prioritize work.
    • Resources are too busy responding to 911s from the business.
    • Resources cannot prioritize projects vs. operational tasks.
    • “Soft-closed” projects do not release resources for other work.
    • We don’t have tools that show resource availability.
    • Tools we have for showing resource availability are not being used.
    • Data is inaccurate and unreliable.
    1. Determine the root cause by iteratively asking “why?” up to five times, or until the chain of whys comes full circle. (i.e. Why A? B. Why B? C. Why C? A.) See below for an example.

    1.1.2 Example of a root-cause analysis: people

    The following is a non-exhaustive example:

    The image shows an example of a root-cause analysis. It begins on the left with the header People, and then lists a series of challenges below. Moving toward the right, there are a series of headers that read Why? at the top of the chart, and listing reasons for the challenges below each one. As you read through the chart from left to right, the reasons for challenges become increasingly specific.

    Right-size your resource management strategy with Info-Tech’s realistic resource management practice

    If precise, accurate, and complete data on resource supply and demand was consistently available, reporting on project capacity would be easy. Such data would provide managers complete control over a resource’s time, like a foreman at a construction site. However, this theoretical scenario is incompatible with today’s matrixed workplace:

    • Sources of demand can lie outside IT’s control.
    • Demand is generated chaotically, with little predictability.
    • Resources work with minimal supervision.

    Collecting and maintaining resource data is therefore nearly impossible:

    • Achieving perfect data accuracy creates unnecessary overhead.
    • Non-compliance by one project or resource makes your entire data set unusable for resource management.

    This blueprint will guide you through right-sizing your resource management efforts to achieve maximum value-to-effort ratio and sustainability.


    The image shows a graph with Quality, Value on the Y axis, and Required Effort on the X-Axis. The graph is divided into 3 categories, based on the criteria: Value-to-effort Ratio and Sustainability. The three sections are labelled at the top of the graph as: Reactive, “gut feel”-driven; Right-sized resource management; Full control, complete data. The 2nd section is bolded. The line in the graph starts low, rising through the 2nd section, and is stable at the top of the chart in the final section.

    Choose your resource management course of action

    Portfolio managers looking for a resource management solution have three mutually exclusive options:

    Option A: Do Nothing

    • Rely on expert judgment and intuition to make portfolio choices.
    • Allow the third boss to dictate the demands of your resources.

    Option B: Get Precise

    • Aim for granularity and precision of data with a solution that may demand more capacity than is realistically available by hiring, outsourcing, or over-allocating people’s time.
    • Require detailed, accurate time sheets for all project tasks.
    • For those choosing this option, proceed to Info-Tech’s Select and Implement a PPM Solution.

    Option C: Get Realistic

    • Balance capacity supply and demand using abstraction.
    • Implement right-sized resource management practices that rely on realistic, high-level capacity estimates.
    • Reduce instability in data by focusing on resource capacity, rather than granular project demands and task level details.

    This blueprint takes you through the steps necessary to accomplish Option C, using Info-Tech’s tools and templates for managing your resources.

    Step 1.2: Create realistic estimates of supply and demand

    PHASE 1

    1.1 Set a course of action

    1.2 Estimate supply and demand

    PHASE 2

    2.1 Select resource management dimensions

    2.2 Select resource management tools

    2.3 Build process steps

    PHASE 3

    3.1 Pilot your process for viability

    3.2 Plan stakeholder engagement

    This step will walk you through the following activities:
    • Create a realistic estimate of project capacity
    • Map all sources of demand on resources at a high level
    • Validate your supply and demand assumptions by directly surveying your resources
    This step involves the following participants:
    • PMO Director / Portfolio Manager
    • Project Managers (optional)
    • Functional / Resource Managers (optional)
    • Project Resources (optional)
    Outcomes of this step
    • A realistic estimate of your total and project capacity, as well as project and non-project demand on their time
    • Quantitative insight into the resourcing challenges facing the organization
    • Results from a time-tracking survey, which are used to validate the assumptions made for estimating resource supply and demand

    Create a realistic estimate of your project capacity with Info-Tech’s Resource Management Supply-Demand Calculator

    Take an iterative approach to capacity estimates: use your assumptions to create a meaningful estimate, and then validate with your staff to improve its accuracy.

    Use Info-Tech’s Resource Management Supply-Demand Calculator to create a realistic estimate of your project capacity.

    The calculator tool requires minimal upfront staff participation: you can obtain meaningful results with participation from even a single person, with insight on the distribution of your resources and their average work week or month. As the number of participants increases, the quality of analysis will improve.

    The first half of this step guides you through how to use the calculator. The second half provides tactical advice on how to gather additional data and validate your resourcing data with your staff.

    Download Info-Tech’s Resource Management Supply-Demand Calculator

    Info-Tech Insight

    What’s first, process or tools? Remember that process determines the quality of your data while data quality limits the tool’s utility. Without quality data, you cannot evaluate the success of the tool, so nail down your collection process first.

    Break down your resource capacity into high-level buckets of time for each role

    1.2.1
    30 minutes - 1 hour

    Input

    • Staff resource types
    • Average work week
    • Estimated allocations

    Output

    A realistic estimate of project capacity

    Materials

    Resource Management Supply-Demand Calculator

    Participants

    • PMO Director
    • Resource/Functional Managers (optional)

    We define four high-level buckets of resource time:

    • Absence: on average, a resource spends 14% of the year on vacation, statutory holidays, business holidays and other forms of absenteeism.
    • Administrative: time spent on meetings, recordkeeping, etc.
    • Operational: keeping the lights on; reactive work.
    • Projects: time to work on projects; typically, this bucket of time is whatever’s left from the above.

    The image shows a pie chart with four sections: Absence - 6,698 14%; Admin - 10,286 22%; Keep the Lights On - 15, 026 31%; Project Capacity 15, 831 33%.

    Instructions for working through Tab 2 of the Resource Management Supply-Demand Calculator are provided in the next two sections. Follow along to obtain your breakdown of annual resource capacity in a pie chart.

    Break down your resource capacity into high-level buckets of time for each role

    1.2.1
    Resource Management Supply-Demand Calculator, Tab 2: Capacity Supply

    Discover how many work-hours are at your disposal by first accounting for absences.

    The image shows a section of the Resource Management Supply-Demand Calculator, for calculating absences, with sample information filled in.

    1. Compile a list of each of the roles within your department.
    2. Enter the number of staff currently performing each role.
    3. Enter the number of hours in a typical work week for each role.
    4. Enter the foreseeable out-of-office time (vacation, sick time, etc.) Typically, this value is 12-16% depending on the region.

    Hours per Year represents your total resource capacity for each role, as well as the entire department. This column is automatically calculated.

    Working Time per Year represents your total resource capacity minus time employees are expected to spend out of office. This column is automatically calculated.

    Info-Tech Insight

    Example for a five-day work week:

    • 2 weeks (10 days) of statutory holidays
    • 3 weeks of vacation
    • 1.4 weeks (7 days) of sick days on average
    • 1 week (5 days) for company holidays

    Result: 7.4/52 weeks’ absence = 14.2%

    Break down your resource capacity into high-level buckets of time for each role (continued)

    1.2.1
    Resource Management Supply-Demand Calculator, Tab 2: Capacity Supply

    Determine the current distribution of your resources’ time and your confidence in whether the resources indeed supply those times.

    The image is a screen capture of the Working Time section of the calculator, with sample information filled in.

    5. Enter the percentage of working time across each role that, on an annual basis, goes toward administrative duties (non-project meetings, training, time spent checking email, etc.) and keep-the-lights-on work (e.g. support and maintenance work).

    While these percentages will vary by individual, a high-level estimate across each role will suffice for the purposes of this activity.

    6. Express how confident you are in each resource being able to deliver the calculated project work hours in percentages.

    Another interpretation for supply confidence is “supply control”: estimate your current ability to control this distribution of working time to meet the changing needs in percentages.

    Percentage of your working time that goes toward project work is calculated based upon what’s left after your non-project working time allocations have been subtracted.

    Create a realistic estimate of the demand from your project portfolio with the T-shirt sizing technique

    1.2.2
    15 minutes - 30 minutes

    Input

    • Average work-hours for a project
    • List of projects
    • PPM Current State Scorecard

    Output

    A realistic estimate of resource demand from your project portfolio

    Materials

    Resource Management Supply-Demand Calculator

    Participants

    • PMO Director
    • Project Managers (optional)

    Quickly re-express the size of your project portfolio in resource hours required.

    Estimating the resources required for a project in a project backlog can take a lot of effort. Rather than trying to create an accurate estimate for each project, a set of standard project sizes (often referred to as the “T-shirt sizing” technique) will be sufficiently accurate for estimating your project backlog’s overall demand.

    Instructions for working through Tab 3 of the tool are provided here and in the next section.

    1. For each type of project, enter the average number for work-hours.

    Project Types Average Number of Work Hours for a Project
    Small 80
    Medium 200
    Large 500
    Extra-Large 1000

    Improve your estimate of demand from your project portfolio by accounting for unproductive capacity spending

    1.2.2
    Resource Management Supply-Demand Calculator, Tab 3: Project Demand

    2. Using your list of projects, enter the number of projects for each appropriate field.

    The image shows a screen capture of the number of projects section of the Resource Management Supply-Demand Calculator, with sample information filled in.

    3. Enter your resource waste data from the PPM Current State Scorecard (see next section). Alternatively, enter your best guess on how much project capacity is spent wastefully per category.

    The image shows a screen capture of the Waste Assessment section of the Resource Management Supply-Demand Calculator, with sample information filled in, and a pie chart on the right based on the sample data.

    Info-Tech Insight

    The calculator estimates the project demand by T-shirt-sizing the work-hours required by projects to be delivered within the next 12 months and then adding the corresponding wasted capacity. This may be a pessimistic estimate, but it is more realistic because projects tend to be delivered late more than early.

    Estimate how much project capacity is wasted with Info-Tech’s PPM Current State Scorecard

    Call 1-888-670-8889 or contact your Account Manager for more information.

    This step is highly recommended but not required.

    Info-Tech’s PPM Current State Scorecard diagnostic provides a comprehensive view of your portfolio management strengths and weaknesses, including project portfolio management, project management, customer management, and resource utilization.

    Use the wisdom-of-the-crowd to estimate resource waste in:

    • Cancelled projects
    • Inefficiency
    • Suboptimal assignment of resources
    • Unassigned resources
    • Analyzing, fixing, and redeploying

    50% of PPM resource is wasted on average, effectively halving your available project capacity.

    Estimate non-project demand on your resources by role

    1.2.3
    45 minutes - 1 hour

    Input

    • Organizational chart
    • Knowledge of staff non-project demand

    Output

    Documented non-project demands and their estimated degree of fluctuation

    Materials

    Resource Management Supply-Demand Calculator

    Participants

    • PMO Director
    • Functional Managers (optional)
    Document non-project demand that could eat into your project capacity.

    When discussing project demands, non-project demands (administrative and operational) are often underestimated and downplayed – even though, in reality, they take a de facto higher priority to project work. Use Tab 4 of the tool to document these non-project demands, as well as their sources.

    The image shows a screen capture from Tab 4 of the tool, with sample information filled in.

    1. Choose a role using a drop-down list.

    2. Enter the type and the source of the demand.

    3. Enter the size and the frequency of the demand in hours.

    4. Estimate how stable the non-project demands are for each role.

    Examine and discuss your supply-demand analysis report

    1.2.4
    30 minutes - 1 hour

    Input

    Completed Resource Management Supply-Demand Calculator

    Output

    Supply-Demand Analysis Report

    Materials

    Resource Management Supply-Demand Calculator

    Participants

    • PMO Director
    • Functional Managers
    • Project Managers

    Start a data-driven discussion on resource management using the capacity supply-demand analysis report.

    Tab 5 of the calculator is a report that contains the following analysis:

    1. Overall resource capacity supply and demand gap
    2. Project capacity supply vs. demand gap
    3. Non-project capacity supply vs. demand balance
    4. Resource capacity confidence

    Each analysis is described and explained in the following four sections. Examine the report and discuss the following among the activity participants:

    1. How is your perception of the current resource capacity supply-demand balance affected by this analysis? How is it confirmed? Is it changed?
    2. Perform a root-cause analysis of problems revealed by the report. For each observation, ask “why?” repeatedly – generally, you can arrive at the root cause in four iterations.
    3. Refer back to Activity 1.1.2: current distribution of accountability for resource management. In your situation, how would you prioritize which resource management tasks to improve? Who are the involved stakeholders?

    Examine your supply-demand analysis report: overall resource capacity gap

    1.2.4
    Resource Management Supply-Demand Calculator, Tab 5: Supply-Demand Analysis

    1. Examine your resource capacity supply and demand gap.

    The top of the report on Tab 5 shows a breakdown of your annual resource supply and demand, with resource capacity shown in both total hours and percentage of the total. For the purposes of the analysis, absence is averaged. If total demand is less than available resource supply, the surplus capacity will be displayed as “Free Capacity” on the demand side.

    The Supply & Demand Analysis table displays the realistic project capacity, which is calculated by subtracting non-project supply deficit from the project capacity. This is based on the assumption that all non-project work must get done. The difference between the project demand and the realistic project capacity is your supply-demand gap, in work-hours.

    If your supply-demand gap is zero, recognize that the project demand does not take into account the project backlog: it only takes into account the projects that are expected to be delivered within the next 12 months.

    Examine your supply-demand analysis report: project capacity gap

    1.2.4
    Resource Management Supply-Demand Calculator, Tab 5: Supply-Demand Analysis

    2. Examine your project capacity supply vs. demand gap.

    The project capacity supply and demand analysis compares your available annual project capacity with the size of your project portfolio, expressed in work-hours.

    The supply side is further broken down to productive vs. wasted project capacity. The demand side is broken down to three buckets of projects: those that are active, those that sit in the backlog, and those that are expected to be added within 12 months. Percentage values are expressed in terms of total project capacity.

    A key observation here is the limitation to which reducing wasteful spending of resources can get to the project portfolio backlog. In this example, even a theoretical scenario of 100% productive project capacity will not likely result in net shrinkage of the project portfolio backlog. To achieve that, either the total project capacity must be increased, or less projects must be approved.

    Note: the work-hours necessary for delivering projects that are expected to be completed within 12 months is not shown in this visualization, as they should be represented within the other three categories of projects.

    Examine your supply-demand analysis report: non-project capacity gap

    1.2.4
    Resource Management Supply-Demand Calculator, Tab 5: Supply-Demand Analysis

    3. Drill down on the non-project capacity supply-demand balance by each role.

    The non-project capacity supply and demand analysis compares your available non-project capacity and their demands in a year, for each role, in work-hours.

    With this chart, you can:

    1. Observe which roles are “running hot,” (i.e. they have more demand than available supply).
    2. Verify your non-project/project supply ratio assumptions in Tab 2 of the tool / Activity 1.2.1.

    Tab 5 also provides similar breakdowns for administrative and keep-the-lights-on capacity supply and demand by each role.

    Examine your supply-demand analysis report: resource capacity confidence (RCC)

    1.2.4
    Resource Management Supply-Demand Calculator, Tab 5: Supply-Demand Analysis

    4. Examine your resource capacity confidence.

    In our approach, we introduce a metric called Resource Capacity Confidence (RCC). Conceptually, RCC is defined as follows:

    Resource Capacity Confidence = SC × DS × SDR

    Term Name Description
    SC Supply Control How confident are you that the supply of your resources’ project capacity will be delivered?
    DS Demand Stability How wildly does demand fluctuate? If it cannot be controlled, can it be predicted?
    SDR Supply-Demand Ratio How severely does demand outstrip supply?

    In this context, RCC can be defined as follows:

    "Given the uncertainty that our resources can supply hours according to the assumed project/non-project ratio, the fluctuations in non-project demand, and the overall deficit in project capacity, there is about 50% chance that we will be able to deliver the projects we are expected to deliver within the next 12 months."

    Case study: Non-project work is probably taking far more time than you might like

    CASE STUDY

    Industry Government

    Source Info-Tech Client

    "When our customers get a budget for a project, it’s all in capital. It never occurs to them that IT has a limited number of hours. "

    Challenge

    • A small municipal government was servicing a wide geographic area for information technology and infrastructure services.
    • There was no meaningful division of IT resources between support and project work.
    • Previous IT leadership tried a commercial PPM tool and stopped paying maintenance fees for it because of lack of adoption.
    • Projects were tracked inconsistently in multiple places.

    Solution

    • New project requests were approved with IT involvement.
    • Project approvals were entirely associated with the capital budget required and resourcing was never considered to be a constraint.
    • The broad assumption was that IT time was generally available for project work.
    • In reality, the IT personnel had almost no time for project work.

    Results

    • The organization introduced Info-Tech’s Grow Your Own PPM Solution template with minor modifications.
    • They established delivery dates for projects based on available time.
    • Time was allocated for projects based on person, project, percentage of time, and month.
    • They prioritized project allocations above reactive support work.

    Validate your resourcing assumptions with your staff by surveying their use of time

    Embrace the reality of imperfect IT labor efficiency to improve your understanding of resource time spend.

    Use Info-Tech’s time-tracking survey to validate your resourcing assumptions and get additional information to improve your understanding of resource time spent: imperfect labor efficiency and continuous partial attention.

    Causes of imperfect IT labor inefficiency
    • Most IT tasks are unique to their respective projects and contexts. A component that took 30 minutes to install last year might take two hours to install this year due to system changes that occurred since then.
    • Many IT tasks come up unexpectedly due to the need to maintain and support systems implemented on past projects. This work is unpredictable in terms of specifics (what will break where, when, or how).
    • Task switching slows people down and consumes time.
    • Problem solving and solution design often requires unstructured time to think more openly. Some of the most valuable solutions are conceived or discovered when people aren’t regimented and focused on getting things done.

    Info-Tech Insight

    Part of the old resource management mythology is the idea that a person can do (for example) eight different one-hour tasks in eight hours of continuous work. This idea has gone from harmlessly mistaken to grossly unrealistic.

    Constant interruptions lead to continuous partial attention that threatens real productivity

    There’s a difference between being busy and getting things done.

    “Working” on multiple tasks at once can often feel extremely gratifying in the short term because it distracts people from thinking about work that isn’t being done.

    The bottom line is that continuous partial attention impedes the progress of project work.

    Research on continuous partial attention
    • A study that analyzed interruptions and their effects on individuals in the workplace found that that “41% of the time an interrupted task was not resumed right away” (Mark, 2015).
    • Research has also shown that it can take people an average of 23 minutes to return to a task after being interrupted (Schulte, 2015).
    • Delays following interruptions are typically due to switching between multiple other activities before returning to the original task. In many cases, those tasks are much lower priorities – and in some cases not even work-related.

    Info-Tech Insight

    It may not be possible to minimize interruptions in the workplace, as many of these are considered to be urgent at the time. However, setting guidelines for how and when individuals can be interrupted may help to limit the amount of lost project time.

    "Like so many things, in small doses, continuous partial attention can be a very functional behavior. However, in large doses, it contributes to a stressful lifestyle, to operating in crisis management mode, and to a compromised ability to reflect, to make decisions, and to think creatively."

    – Linda Stone, Continuous Partial Attention

    Define the goals and the scope of the time-tracking survey

    1.2.5
    30 minutes

    Input

    Completed Resource Management Supply-Demand Calculator

    Output

    Survey design for the time-tracking survey

    Materials

    N/A

    Participants

    • PMO Director
    • Functional Managers
    • Project Managers

    Discuss the following with the activity participants:

    1. Define the scope of the survey
      • Respondents: Comprehensive survey of individuals vs. a representative sample using roles.
      • Granularity: decide how in-depth the questions will be and how often the survey will be delivered.
      • Data Collection: what information do you want to collect?
        • Proportion of project vs. non-project work.
        • Time spent on administrative tasks.
        • Prevalence and impact of distractions.
        • Worker satisfaction.
    2. Determine the sample time period covered by the survey
      • Info-Tech recommends 2-4 weeks. Less than 2 weeks might not be a representative sample, especially during vacation seasons.
      • More than 4 weeks will impose unreasonable time and effort for diminishing returns; data quality will begin to deteriorate as participation declines.
    3. Determine the survey method
      • Use your organization’s preferred survey distributor/online survey tool, or conduct one-on-one interviews to capture data.

    1.2.5 continued - Refine the questionnaire to improve the relevance and quality of insights produced by the survey

    Start with Info-Tech’s recommended weekly survey questions:

    1. Estimate your daily average for number of hours spent on:
      1. Total work
      2. Project work
      3. Non-project work
    2. How many times are you interrupted with “urgent” requests requiring immediate response in a given day?
    3. How many people or projects did you complete tasks for this week?
    4. Rate your overall satisfaction with work this week.
    5. Describe any special tasks, interruptions, or requests that took your time and attention away from project work this week.

    Customize these questions to suit your needs.

    Info-Tech Insight

    Maximize the number of survey responses you get by limiting the number of questions you ask. Info-Tech finds that participation drops off rapidly after five questions.

    1.2.5 continued - Communicate the survey goals and steps, and conduct the survey

    1. Communicate the purpose and goals of the survey to maximize participation and satisfaction.
      • Provide background for why the survey is taking place. Clarify that the intention is to improve working conditions and management capabilities, not to play “gotcha” or hold workers accountable.
    2. Provide a timeline so expectations are clear about when possible next steps will occur, such as
      • Sharing and analyzing results
      • Making decisions
      • Taking action
    3. Reiterate what people are required or expected to do and how much effort is required. Provide reasonable and realistic estimates of how much time and effort people should spend on audit participation.
    4. Distribute the survey; collect and analyze the data.

    Info-Tech Insight

    Make sure that employees understand the purpose of the survey. It is important that they give honest responses that reflect the struggles they are encountering with balancing project and non-project work, not simply telling management what they want to hear.

    Ensuring that employees know this survey is being used to help them, rather than scolding them for not completing work, will give you useful, insightful data on employee time.

    Use Info-Tech’s Time-Tracking Survey Email Template for facilitating your communications.

    Info-Tech Best Practice

    Provide guidance to your resources with examples on how to differentiate project work vs. non-project work, administrative vs. keep-the-lights-on work, what counts as interruptions, etc.

    Optimize your project portfolio to maintain continuous visibility into capacity

    Now that you have a realistic picture of your realized project capacity and demand amounts, it’s time to use these values to tailor and optimize your resource management practices.

    Based on desired outcomes for this phase, we have

    1. Determined the correct course of action to resolve your supply/demand imbalances.
    2. Assessed the overall project capacity of your portfolio.
    3. Cataloged sources of project and non-project demands.
    4. Performed a time audit to create an accurate and realistic picture of the time spent on different types of work.

    In the next phase, we will:

    1. Wireframe a resource management process.
    2. Choose a resource management tool.
    3. Define data collection, analysis, and reporting steps within a sustainable resource management process.

    The image is a screenshot from tab 6 of the Time Audit Workbook. The image shows two pie charts.

    The image is a screenshot from tab 6 of the Time Audit Workbook. The image shows a pie chart.

    Screenshots from tab 6 of the Time Audit Workbook.

    Info-Tech Insight

    The validity of traditional, rigorous resource planning has long been an illusion because the resource projections were typically not maintained. New realities such as faster project cycles, matrix organizations, and high-autonomy staff cultures have made the illusion impossible to maintain.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    1.1.2 Assess the current distribution of accountability for resource management practice

    Discuss who is currently accountable for various facets of resource management, and whether they have the right authority and ability to deliver on that accountability.

    1.2.1 Create realistic estimates of supply and demand using Info-Tech’s Supply-Demand Calculator

    Derive actionable, quantitative insight into the resourcing challenges facing the organization by using Info-Tech’s methodology that prioritizes completeness over precision.

    Phase 2

    Design a Realistic Resource Management Process

    Phase 2 Outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 2: Draft a Resource Management Process

    Proposed Time to Completion (in weeks): 3-6 weeks

    Step 2.1: Determine the dimensions of resource management

    Start with an analyst kick-off call:

    • Introduce the seven dimensions of resource management
    • Trade-off between granularity and utility of data

    Then complete these activities…

    • Decide on the seven dimensions
    • Examine the strategy’s cost-of-use

    With these tools & templates:

    Resource Management Playbook

    Step 2.2: Support your process with a resource management tool

    Discuss with the analyst:

    • Inventory of available PPM tools
    • Overview of Portfolio Manager Lite 2017

    Then complete these activities…

    • Populate the tool with data
    • Explore portfolio data with the workbook’s output tabs

    With these tools & templates:

    • Portfolio Manager Lite
    • PPM Solution Vendor Demo Script
    Step 2.3: Build process steps

    Discuss with the analyst:

    • Common challenges of resource management practice
    • Recommendations for a pilot initiative

    Then complete these activities…

    • Review and customize contents of the Resource Management Playbook

    With these tools & templates:

    • Resource Management Playbook

    Phase 2 Results & Insights:

    Draft the resource management practice with sustainability in mind. It is about what you can and will maintain every week, even during a crisis: it is not about what you put together as a one-time snapshot. Once you stop maintaining resource data, it's nearly impossible to catch up.

    Step 2.1: Customize the seven dimensions of resource management

    PHASE 1

    1.1 Set a course of action

    1.2 Estimate supply and demand

    PHASE 2

    2.1 Select resource management dimensions

    2.2 Select resource management tools

    2.3 Build process steps

    PHASE 3

    3.1 Pilot your process for viability

    3.2 Plan stakeholder engagement

    This step will walk you through the following activities:
    • Establish a default project vs. non-project work ratio
    • Decide the scope of allocation for your strategy
    • Set your allocation cadence
    • Limit the granularity of time allocation
    • Define the granularity of work assignment
    • Apply a forecast horizon
    • Determine the update frequency
    This step involves the following participants:
    • CIO / IT Director
    • PMO Director / Portfolio Manager
    • Functional / Resource Managers
    • Project Managers
    Outcomes of this step
    • Seven dimensions of resource management, chosen to fit the current needs and culture of the organization
    • Parameters for creating a resource management process (downstream)

    There is no one-size-fits-all resource management strategy

    Don’t get boxed into a canned solution that doesn’t make sense for your department’s maturity level and culture.

    Resource management strategies are commonly implemented “out-of-the-box,” via a commercial PPM or time-tracking tool, or an external third-party consultant in partnership with those types of tools.

    While these solutions and best practices have insights to offer – and provide admirable maturity targets – they often outstrip the near-term abilities of IT teams to successfully implement, adopt, and support them.

    Tailor an approach that makes sense for your department and organization. You don’t need complex and granular processes to get usable resourcing data; you just need to make sure that you’ve carved out a process that works in terms of providing data you can use.

    • In this step, we will walk you through Info-Tech’s seven dimensions of resource management to help wireframe your resource management process.
    • In the subsequent steps in this phase, we will develop these dimensions from a wireframe into a functioning process.

    Info-Tech Insight

    Put processes before tools. Most commercial PPM tools include a resource management function that was designed for hourly granularity. This is part of the fallacy of an old reality that was never real. Determine which goals are realistic and fit your solution to your problem.

    Wireframe a strategy that will work for your department using Info-Tech’s seven dimensions of resource management

    Action the decision points across Info-Tech’s seven dimensions to ensure your resource management process is guided by realistic data and process goals.

    In this step, we will walk you through the decision points in each dimension to determine the departmental specificities of your resource management strategy

    Default project vs. non-project ratio

    How much time is available for projects once non-project demands are factored in?

    Reporting frequency

    How often is the allocation data verified, reconciled, and reported for use?

    Forecast horizon

    How far into the future can you realistically predict resource supply?

    Scope of allocation

    To whom is time allocated?

    Allocation cadence

    How long is each allocation period?

    Granularity of time allocation

    What’s the smallest unit of time to allocate?

    Granularity of work assignment

    What is time allocated to?

    Info-Tech Best Practice

    Ensure that both the functional managers and the project managers participate in the following discussions. Without buy-in from both dimensions of the matrix organization, you will have difficulty making meaningful resource management data and process decisions.

    Establish your default project versus non-project work ratio

    2.1.1
    30 minutes

    Input

    • Completed Resource Management Supply-Demand Calculator

    Output

    • Default organizational P-NP ratio and role-specific P-NP ratios

    Materials

    • Resource Management Supply-Demand Calculator
    • Time Audit Workbook
    • Resource Management Playbook

    Participants

    • CIO
    • PMO Director
    • Project Managers
    • Resource Managers

    How much time is available for projects once non-project demands are factored in?

    The default project vs. non-project work ratio (P-NP Ratio) is a starting point for functional and project managers to budget the work-hours at their disposal as well as for resources to split their time – if not directed otherwise by their managers.

    How to set this dimension. The Resource Management Supply-Demand Calculator from step 1.2 shows the current P-NP ratio for the department, and how the percentages translate into work-hours. The Time Audit Workbook from step 1.2 shows the ratio for specific roles.

    For the work of setting this dimension, you can choose to keep the current ratio from step 1.2 as your default, or choose a new ratio based on the advice below.

    • Discuss and decide how the supply-demand gap should be reconciled from the project side vs. the functional side.
      • Use the current organizational priority as a guide, and keep in mind that the default P-NP ratio is to be adjusted over time to respond to changing needs and priorities of the organization.
      • Once the organizational default P-NP ratio is chosen, defining role-specific ratios may be helpful. A help desk employee may spend only 10% of their time on project work, while an analyst may spend 80% of their time on project work.

    Decide the scope of allocation for your strategy

    2.1.2
    15-30 minutes

    Input

    • Current practices for assigning work and allocating time
    • Distribution of RM accountability (Activity 1.1.2)

    Output

    • Resource management scope of allocation

    Materials

    • RM Playbook

    Participants

    • CIO
    • PMO Director
    • Project Managers
    • Resource Managers

    To whom is time allocated?

    Scope of allocation is the “who” of the equation. At the lowest and most detailed level, allocations are made to individual resources. At the highest and most abstract level, though, allocations can be made to a department. Other “whos” in scope of allocation can include teams, roles, or skills.

    How to set this dimension. Consider how much granularity is required for your overall project capacity visibility, and the process overhead you’re willing to commit to support this visibility. The more low-level and detailed the scope of allocation (e.g. skills or individuals) the more data maintenance required to keep it current.

    • Discuss and decide to whom time will be allocated for the purposes of resource management.
      • Recall your prior discussion from activity 1.1.2 on how accountabilities for resource management are distributed within your organization.
      • The benefit of allocating teams to projects is that it is much easier to avoid overallocation. When a team is overallocated, it is visible. Individual overallocations can go unnoticed.
      • Once you have mastered the art of keeping resource data current and accurate at a higher level (e.g. team), it can be easier move lower level and assign and track allocations in a per-role or per-person basis.

    Set your allocation cadence

    2.1.3
    15-30 minutes

    Input

    • Current practices for assigning work and allocating time
    • Scope of allocation (Activity 2.1.2)

    Output

    • Determination of temporal frames over which time will be allotted

    Materials

    • RM Playbook

    Participants

    • CIO
    • PMO Director
    • Project Managers
    • Resource Managers

    How long is each allocation period?

    How long is each individual allocation period? In what “buckets of time” do you plan to spend time – week by week, month by month, or quarter by quarter? The typical allocation cadence is monthly; however, depending on the scope of allocation and the nature of work assigned, this cadence can differ.

    How to set this dimension. Allocation cadence can depend on a number of factors. For instance, if you’re allocating time to agile teams, the cadence would most naturally be bi-weekly; if work is assigned via programs, you might allocate time by quarters.

    • Discuss and decide the appropriate allocation cadence for the purposes of resource management. You could even be an environment that currently has different cadences for different teams. If so, it will be helpful to standardize a cadence for the purposes of centralized project portfolio resource management.
      • If the cadence is too short (e.g. days or weeks), it will require a dedicated effort to maintain the data.
      • If the cadence is too long (e.g. quarters or bi-annual), your resource management strategy could fail to produce actionable insight and lack the appropriate agility in being responsive to changes in direction.
      • Ultimately, your allocation cadence may be contingent upon the limitations of your resource management solution (see step 2.2).

    Limit the granularity of time allocation

    2.1.3
    15-30 minutes

    Input

    • Requirements for granularity of data
    • Resource management scope of allocation (Activity 2.1.2)

    Output

    • Determination of lowest level of granularity for time allocation

    Materials

    • RM Playbook

    Participants

    • CIO
    • PMO Director
    • Project Managers
    • Resource Managers

    What’s the smallest unit of time that will be allocated?

    Granularity of time allocation refers to the smallest unit of time that can be allocated. You may not need to set firm limits on this, given that it could differ from PM to PM, and resource manager to resource manager. Nevertheless, it can be helpful to articulate an “as-low-as-you’ll-go” limit to help avoid getting too granular too soon in your data aspirations.

    How to set this dimension. At a high level, the granularity of allocation could be as high as a week. At its lowest level, it could be an hour. Other options include a full day (e.g. 8 hours), a half day (4 hours), or 2-hour increments.

    • Discuss and decide the appropriate granularity for all allocations in the new resource management practice.
      • As a guideline, granularity of allocation should be one order of magnitude smaller than the allocation cadence to provide enough precision for meaningfully dividing up each allocation cadence, without imposing an unreasonably rigorous expectation for resources to manage their time.
      • The purpose of codifying this dimension is to help provide a guideline for how granular allocations should be. Hourly granularity can be difficult to maintain, so (for instance) by setting a half-day granularity you can help avoid project managers and resource managers getting too granular.

    Define the granularity of work assignments

    2.1.4
    15-30 minutes

    Input

    • Requirements for granularity of work assignment
    • Resource management scope of allocation (Activity 2.1.2)

    Output

    • Determination of work assignment

    Materials

    • RM Playbook

    Participants

    • CIO
    • PMO Director
    • Project Managers
    • Resource Managers

    To what is time allocated?

    Determine a realistic granularity for your allocation. This is the “what” of the equation: what your resources are working on or the size of work for which allocations are managed.

    How to set this dimension. A high level granularity of work assignment would assign an entire program, a mid-level scope would involve allocating a project or a phase of a project, and a low level, rigorous scope would involve allocating an individual task.

    • Discuss and decide the appropriate granularity for all work assignments in the new resource management strategy.
      • The higher granularity that is assigned, the more difficult it becomes to maintain the data. However, assigning at program level might not lead to useful, practical data.
      • Begin by allocating to projects to help you mature your organization, and once you have mastered data maintenance at this level, you can move on to a more granular work assignment.
        • If you are at a maturity level of 1 or 2, Info-Tech recommends beginning by assigning by project. If you are at a maturity level 3-4, it may be time to start allocating by phase or task.

    Apply a forecast horizon

    2.1.5
    15-30 minutes

    Input

    • Current practices for work planning, capacity forecasting
    • Allocation scope, cadence, and granularity (Activities 2.1.2-4)

    Output

    • Resource management forecast horizon

    Materials

    • RM Playbook

    Participants

    • CIO
    • PMO Director
    • Project Managers
    • Resource Managers

    How far into the future can you realistically predict resource supply?

    Determine a realistic forecasting horizon for your allocation. At this point you have decided “what” “who” is working on and how frequently this will be updated. Now it is time to decide how far resource needs will be forecasted, e.g. “what will this person be working on in 3 months?”

    How to set this dimension. A high-level forecast horizon would only look forward week-to-week, with little consideration of the long-term future. A mid-level forecast would involve predicting one quarter in advance and a low-level, rigorous scope would involve forecasting one or more years in advance.

    • Discuss and decide the appropriate forecast horizon that will apply to all allocations in the new resource management practice. It’s important that your forecast horizon helps to foster accurate data. If you can’t ensure data accuracy for a set period, make your forecast horizon shorter.
      • If you are at a maturity level of 1 or 2, Info-Tech recommends forecasting one month in advance.
      • If you are already at level 3-4 on the resource management maturity model, Info-Tech recommends forecasting one quarter to one year in advance.

    See the diagram below for further explanation

    2.1.5 Forecast horizon diagram

    Between today and the forecast horizon (“forecast window”), all stakeholders in resource management commit to reasonable accuracy of data. The aim is to create a reliable data set that can be used to determine true resource capacity, as well as the available resource capacity to meet unplanned, urgent demands.

    The image shows a Forecast horizon diagram, with Time on the x-axis and Data completeness on the Y-axis. The time between today and the forecast horizon is labelled as the forecast window. there is a line which descends in small degrees until the Forecast Horizon point, where the line is labelled Reasonable level of completeness.

    The image shows a chart that lines up with the sections before and after the Forecast Horizon. In the accuracy row, Data is accurate before the forecast horizon and a rough estimate after. In the planning row, before the horizon is reliable for planning, and can inform high-level planning after the horizon. In the free capacity row, before the horizon, it can be committed to urgent demands, and after the horizon, negotiate for capacity.

    Info-Tech Insight

    Ensure data accuracy. It is important to note that forecasting a year in advance does not necessarily make your organization more mature, unless you can actually rely on these estimates and use them. It is important to only forecast as far in advance as you can accurately predict.

    Determine the update frequency

    2.1.6
    30 minutes

    Input

    • Current practices for work planning, capacity reporting
    • Current practices for project intake, prioritization, and approval
    • RM core dimensions (Activities 2.1.1)

    Output

    • Resource management update frequency

    Materials

    • RM Playbook

    Participants

    • CIO
    • PMO Director
    • Project Managers
    • Resource Managers

    How often is the allocation data verified, reconciled, and reported for use?

    How often will you reconcile and rebalance your allocations? Your update frequency will determine this. It is very much the heartbeat of resource management, dictating how often reports on allocations will be updated and published for stakeholders’ consumption.

    How to set this dimension. Determine a realistic frequency with which to update project reports. This will be how you determine who is working on what during each measurement period.

    • Discuss and decide how often the supply-demand gap should be reconciled from the project side vs. the functional side.
      • Keep in mind that the more frequent the reporting period, the more time must go into data maintenance. A monthly frequency requires maintenance at the end of the month, while weekly requires it at the end of each week.
      • Also think about how accurately you can maintain the data. Having a quarterly update frequency may require less maintenance time than monthly, but this information may not stay up to date in between these long stretches.
      • Reports generated at each update frequency should both inform resources on what to work on, what not to work on, and how to prioritize tasks if something unexpected comes up, as well as the steering committee, to help inform project approval decisions.

    Finalize the dimensions for your provisional resource management process

    2.1.7
    10 minutes

    Input

    • 7 core dimensions of resource management (Activities 2.1.1-6)

    Output

    • Provisional resource management strategy

    Materials

    • Resource Management Playbook

    Participants

    • CIO
    • PMO Director
    • Project Managers
    • Resource Managers

    Document the outputs from the preceding seven activities. These determinations will form the foundation of your resource management strategy, which we will go on to define in more detail in the subsequent steps of this phase.

    • Keep in mind, at this stage your dimensions are provisional and subject to change, pending the outcomes of steps 2.2 and 2.3.
    RM Core Dimensions Decision
    Default P-NP ratio 40%-60$ + exception by roles
    Scope of allocation Individual resource
    Allocation cadence Monthly
    Granularity of time allocation 4 hours
    Granularity of work assignment Projects
    Forecast horizon 3 months
    Reporting frequency Twice a month

    Document these dimensions in Section 1.1 of Info-Tech’s Resource Management Playbook. We will be further customizing this template in steps 2.3 and 3.1.

    Step 2.2: Determine the resource management tool that will best support your process

    PHASE 1

    1.1 Set a course of action

    1.2 Estimate supply and demand

    PHASE 2

    2.1 Select resource management dimensions

    2.2 Select resource management tools

    2.3 Build process steps

    PHASE 3

    3.1 Pilot your process for viability

    3.2 Plan stakeholder engagement

    This step will walk you through the following activities:

    • Consider the pros and cons of commercial tools vs. spreadsheets as a resource management tool
    • Review the PPM Solution Vendor Demo Script to ensure your investment in a commercial tool meets your resource management needs
    • Jump-start spreadsheet-based resource management with Portfolio Manager Lite

    This step involves the following participants:

    • PMO Director / Portfolio Manager
    • Functional / Resource Managers
    • Project Managers

    Outcomes of this step

    • Choice of tool to support the resource management process
    • Examination of the commercial tool’s ability to support the resource management process chosen
    • Set-up and initial use of Portfolio Manager Lite for a spreadsheet-based resource management solution

    Effective resource management practices require an effective resource management tool

    The discipline of resource management has largely become inextricable from the tools that help support it. Ensure that you choose the right tool for your environment.

    Resource management depends on the flow of information and data from the project level up to functional managers, project managers, and beyond.

    Tools are required to help facilitate this flow, and the project portfolio management landscape is littered with endless time-tracking and capacity management options.

    These options can each have their merits and their drawbacks. The success of implementing a resource management strategy very much hinges upon weighing these, and then choosing the right solution for your project eco-system.

    • This first part of this step will help you assess the tool landscape and make the right choice to help support your resource management practices.
    • In the second part of this step, we’ll take a deep-dive into Info-Tech’s Excel-based resource management solution. If you are implementing our solution, these sections will help you understand and set up the tool.

    Info-Tech Insight

    Establish a book of record. While it is possible to succeed using ad hoc tools and data sources, a centralized repository for capacity data works best. Your tool choice should help establish a capacity book of record to help ensure ongoing reconciliation of supply and demand at the portfolio level.

    Get to know your resource management tool options

    At a high level, those looking for a resource management solution have two broad options: a commercial project portfolio management (PPM) or time-tracking software on the one hand, and a spreadsheet-based tool, like Google Sheets or Excel, on the other.

    Obviously, if your team or department already has access to a PPM or time-tracking software, it makes sense to continue using this, as long as it will accommodate the process that was wireframed in the previous step.

    Otherwise, pursue the tool option that makes the most sense given both the strategy that you’ve wireframed and other organizational factors. See the table below and the next section for guidance.

    If you’re planning on doing resource allocation by hand, you’re not going to get very far.”

    Rachel Burger

    Commercial Solutions Spreadsheet-Based Solutions
    Description
    • These highly powerful solutions are purchased from a software/service provider.
    • These can be as simple as a list of current projects on a spreadsheet or a more advanced solution with resource capacity analysis.
    Pros
    • Extraordinary function
    • Potential for automated roll-ups
    • Collaboration functionality
    • Easy to deploy: high process maturity or organization-wide adoption not required.
    • Lower cost-in-use – in many cases, they are free.
    • Highly customizable.
    Cons
    • High process maturity required
    • High cost-in-use
    • Generally expensive to customize
    • Comprehensive, continual, and organization-wide adoption required
    • Easy to break.
    • Typically, they require a centralized deployment with a single administrator responsible for data entry.

    Option A: When pursuing commercial options, don’t bite off more functionality than your people can sustain

    While commercial options offer the most robust functionality for automation, collaboration, and reporting, they are also costly, difficult to implement, and onerous to sustain over the long run.

    It’s not uncommon for organizations to sink vast amounts of money into commercial PPM tools, year after year, and never actually get any usable resource or forecasting data from these tools.

    The reasons for this can vary, but in many cases it is because organizations mistake a tool for a PPM or a resource management strategy.

    A tool is no substitute for having a clearly defined process that staff can support. Be aware of these two factors before investing in a commercial tool:

    • Visibility cannot be automated. It is not uncommon for CIOs to believe that because they’ve invested in a tool, they have an automated portfolio that enables them to sit back and wait for the data to roll in. With many tools, the challenge is that the calculations driving the rollups have become increasingly unsustainable and irrelevant in our high-autonomy staff cultures and interruption-driven work days.
    • Information does not equal knowledge. While commercial tools have robust reporting features, the data outputs can lead to information overload – and, subsequently, disinterest – unless they are curated and filtered to suit your executive’s needs and expectations.

    47%
    Of those companies using automated software to assist in resource management, almost half report that those systems failed to accurately calculate resource forecasts.

    PM Solutions

    Info-Tech Insight

    Put process sustainability before enhanced tool functionality.

    Ensure that you have sustainable processes in place before investing in an expensive commercial tool. Your tool selection should help facilitate capability-matched processes and serve user adoption.

    Trying to establish processes around a tool with a functionality that exceeds your process maturity is a recipe for failure.

    Before jumping into a commercial tool, consider some basic parameters for your selection

    Use the table below as a starting point to help ensure you are pursuing a resource management tool that is right for your organization’s size and process maturity level.

    Tool Category Characteristics # of Users PPM Maturity Sample Vendors
    Enterprise tools
    • Higher professional services requirements for enterprise deployment
    • Larger reference customers
    1,000> High
    • MS Project Server
    • Oracle Primavera
    • Planisware
    Mid-market tools
    • Lower expectation of professional services engaged in initial deployment contract
    • Fewer globally recognizable reference clients
    • Faster deployments
    100> Intermediate-to-High
    • Workfront
    • Project Insight
    • Innotas
    Entry-level tools
    • Lower cost than mid-market and enterprise PPM tools
    • Limited configurability, reporting, and resource management functionalities
    • Compelling solutions to the organizations that want to get a fast start to a trial deployment
    <100 Low-to-Intermediate
    • 5PM
    • AceProject
    • Liquid Planner

    For a more in-depth treatment of choosing and implementing a commercial PPM tool to assist with your resource management practice, see Info-Tech’s blueprint, Select and Implement a PPM Solution.

    Use Info-Tech’s PPM Solution Vendor Demo Script to help ensure you get the functionality you need

    PPM Solution Vendor Demo Script (optional)

    To ensure your investment in a commercial tool meets your resource management needs, use Info-Tech’s PPM Solution Vendor Demo Script to structure your tool demos and interactions with vendors.

    For instance, some important scenarios to consider when looking at potential tools include:

    • How are overallocation and underallocation situations identified and reconciled in the solution?
    • How are users motivated to maintain their own timesheets (beyond simply being mandated as part of their job); how does the solution and timesheet functionality help team members do their job?
    • How will portfolio-level reports remain useful and accurate despite “zero-adoption” scenarios, in which some or all teams do not actively maintain task and timesheet data?

    Any deficiencies in answering these types of questions should alert you to the fact that a potential solution may not adequately meet the needs of your resource management strategy.

    Download Info-Tech’s PPM Solution Vendor Demo Script

    "[H]ow (are PPM solutions) performing in a matrix organization? Well, there are gaps. There will be employees who do not submit timesheets, who share their time between project and operational activities, and whose reporting relationships do not fit neatly into the PPM database structure. This creates exceptions in the PPM application, and you may just have the perfect solution to a small subset of your problems." – Vilmos Rajda

    Option B: When managing resourcing via spreadsheets, you don’t have to feel like you’re settling for the lesser option

    Spreadsheets can provide a viable alternative for organizations not ready to invest in an expensive tool or for those not getting what they need from their commercial selections.

    When it comes to resource management at a portfolio level, spreadsheets can be just as effective as commercial tools for facilitating the flow of accurate and maintainable resourcing data and for communicating resource usage and availability.

    Some of the benefits of spreadsheets over commercials tools include:

    • They are easy to set up and deploy. High process maturity or organization-wide user adoption are not required.
    • They have a low cost-in-use. In the case of Excel, the tool itself comes at no additional cost.
    • They are highly customizable. No development time/costs are required to tweak the solution to suit your needs.

    To be clear: spreadsheets have their drawbacks (for instance, they are easy to break, require a centralized data administrator, and are yours and yours alone to maintain). If your department has the budget and the process maturity to support a commercial tool, you should pursue the options covered in the previous sections.

    However, if you are looking for a viable alternative to an expensive tool, spreadsheets have the ability to support a rigorous resource management practice.

    "Because we already have enterprise licensing for an expensive commercial tool, everyone else thinks it’s logical to start there. I think we’re going to start with something quick and dirty like Excel." – EPMO Director, Law Enforcement Services

    Info-Tech Insight

    Make the choice to ensure adoption.

    When making your selection, the most important consideration across all the solution categories is data maintenance. You must be assured that you and your team can maintain the data.

    As soon as your portfolio data becomes inconsistent and unreliable, decision makers will lose trust in your resource data, and the authority of your resource management strategy will become very tenuous.

    While spreadsheets offer a viable resource management option, not all spreadsheets are created equal

    Lean on Info-Tech’s experience and expertise to get up and running quickly with a superior resource management Excel-based tool: Portfolio Manager Lite 2017.

    Spreadsheets are the most common PPM tool – and it’s not hard to understand why: they can be created with minimal cost and effort.

    But when something is easy to do, it’s important to keep in mind that it’s also easy to do badly. As James Kwak says in his article, “The Importance of Excel,” “The biggest problem is that anyone can create Excel Spreadsheets—badly.”

    • Info-Tech’s Portfolio Manager Lite 2017 offers an antidote to the deficiencies that can haunt home-grown resource management tools.
    • As an easy-to-deploy, highly evolved spreadsheet-based option, Portfolio Manager Lite enables you to mature your resource management processes, and provide effective resource visibility without the costly upfront investment.

    Download Info-Tech’s Portfolio Manager Lite 2017

    Info-Tech Insight

    Balance functionality and adoption. Clients often find it difficult to gain adoption with commercial tools. Though homegrown solutions may have less functionality, the higher adoption level can make up for this and also potentially save your organization thousands a year in licensing fees.

    Determine your resource management solution and revisit your seven dimensions of resource management

    2.2.1
    Times will vary

    Participants

    • PMO Director

    Based on input from the previous slides, determine the resource management solution option you will pursue and implement to help support your resource management strategy. Record this selection in section 1.2 of the Resource Management Playbook.

    • You may need to revisit the decisions made in step 2.1 to consider if the default values for your seven core dimensions of resource management are still sound. Keep these current and relevant as you become more familiar with your resource management solution.
    RM Core Dimensions Default Value
    Default P-NP ratio Role-specific
    Scope of allocation Individual resource
    Allocation cadence Monthly
    Granularity of allocation (not defined)
    Granularity of work assignment Project
    Forecast horizon 6 months
    Reporting frequency (not defined)

    Portfolio Manager Lite has comprehensive sample data to help you understand its functions.

    As you can see in this table, the tool itself assumes five of the seven resource management core dimensions. You will need to determine departmental values for granularity of allocation and reporting frequency. The other dimensions are determined by the tool.

    If you’re piloting Info-Tech’s Portfolio Manager Lite, review the subsequent slides in this step before proceeding to step 2.3. If you are not piloting Portfolio Manager Lite, proceed directly to step 2.3.

    Overview of Portfolio Manager Lite

    Portfolio Manager Lite has two set-up tabs, three data entry tabs, and six output-only tabs. The next 15 slides show how to use them. To use this tool, you need Excel 2013 or 2016. If you’re using Excel 2013, you must download and install Microsoft Power Query version 2.64 or later, available for download from Microsoft.

    The image shows an overview of the Portfolio Manager Lite tool. It shows the Input and Data Tabs on the left, and output tabs on the right. The middle of the graphic includes guidance to ensure that you refresh the outputs after each data entry, by using the Refresh All button

    Observe “table manners” to maintain table integrity and prevent Portfolio Manager Lite malfunctions

    Excel tables enable you to manage and analyze a group of related data. Since Portfolio Manager Lite uses tables extensively, maintaining the table’s integrity is critical. Here are some things to know for working with Excel tables.

    Do not leave empty rows at the end.

    Adjust the sizing handle to eliminate empty rows.

    Always paste values.

    Default pasting behavior can interrupt formula references and introduce unwanted external links. Always right-click and select Paste Values.

    Correctly add/remove rows within a table.

    Do not use row headings; instead, always right-click inside a table to manipulate table rows.

    Set up Portfolio Manager Lite

    2.2.1
    Portfolio Manager Lite, Tab 2a: Org Setup

    The Org Setup tab is divided into two sections, Resources and Projects. Each section contains several categories to group your resources and projects. Items listed under each category will be available via drop-down lists in the data tabs.

    These categorizations will be used later to “slice” your resource allocation data. For example, you’ll be able to visualize the resource allocations for each team, for each division, or for each role.

    The image shows a screenshot of Tab 2a, with sample information filled in.

    1. Role and Default Non-Project Ratio columns: From the Supply-Demand Calculator, copy the list of roles, and how much of each role’s time is spent on non-projects by default (see below; add the values marked with yellow arrows).

    2. Resource Type column: List the type of resource you have available.

    3. Team and Skill columns: List the teams, and skills for your resources.

    In the Resources tab, items in drop-down lists will appear in the same order as shown here. Sort them to make things easy to find.

    Do not delete tables you won’t use. Instead, leave or hide tables.

    Set up Portfolio Manager Lite (continued)

    2.2.1
    Portfolio Manager Lite, Tab 2a: Org Setup

    The projects section of the Org Setup tab contains several categories for entering project data. Items listed under each category will be available via drop-down lists in the Projects tab. These categorizations will be used later to analyze how your resources are allocated.

    The image shows the projects sections of Tab 2a.

    1. Project Type: Enter the names of project types, in which projects will be grouped. All projects must belong to a type. Examples of types may include sub-portfolios or programs.

    2. Project Category: Enter the names of project categories, in which projects will be grouped. Unlike types, category is an optional grouping.

    3. Phase: Enter the project phases. Ensure that your phases list has “In Progress” and “Complete” options. They are needed for the portfolio-wide Gantt chart (the Gantt tab).

    4. Priority and Status: Define the choices for project priorities and statuses if necessary (optional).

    5. Unused: An extra column with predefined choices is left for customization (optional).

    Set up Portfolio Manager Lite (continued)

    2.2.1
    Portfolio Manager Lite, Tab 2b: Calendar Setup

    Portfolio Manager Lite is set up for a monthly allocation cadence out of the box. Use this tab to set up the start date, the default resource potential capacity, and the months to include in your reports.

    The image shows fields in the calendar set-up section of Tab 2a, with a Start Date and Hours Assumed per day.

    1. Enter a start date for the calendar, e.g. start of your fiscal or calendar year.

    2. Enter how many hours are assumed in a working day. It is used to calculate the default maximum available hours in a month.

    The image shows the Calendar section of tab 2a, with sample information filled in.

    Maximum Available Hours, Weekdays, and Business Days are automatically generated.

    The current month is highlighted in green.

    3. Enter the number of holidays to correct the number of business days for each month.

    Year to Date Reporting and Forecast Reporting ranges are controlled by this table. Use the period above Maximum Available Hours.

    The image shows the Year-to-Date and Forecast Reporting sections.

    Info-Tech Best Practice

    Both Portfolio Manager Lite and Portfolio Manager 2017 can be customized for non-monthly resource allocation. Speak to an Info-Tech analyst to ask for more information.

    Enter resource information and their total capacity

    2.2.2
    Portfolio Manager Lite, Tab 3: Resources

    Portfolio Manager Lite is set up for allocating time to individual resources out of the box. Information on these resources is entered in the Resources tab. It has four sections, arranged horizontally.

    1. Enter basic information on your resources. Resource type, team, role, and skill will be used to help you analyze your resource data.

    The image shows a screenshot of the Resources tab with sample information filled in.

    Ensure that the resource names are unique.

    Sort or filter the table using the filter button in the header row.

    2. Their total capacity in work-hours is automatically calculated for each month, using the default numbers from the Calendar Setup tab. If necessary, overwrite the formula and enter in custom values.

    The image shows a screenshot of the total capacity in work-hours, with sample info filled in.

    Cells with less than 120 hours are highlighted in blue.

    Do not add or delete any columns, or modify this header row.

    Enter out-of-office time and non-project time for your resources

    2.2.2
    Portfolio Manager Lite, Tab 3: Resources

    3. Enter the resources’ out-of-office time for each month, as they are reported.

    The image shows the Absence (hours) section, with sample information filled in.

    Do not add or delete any columns, or modify the header row, below the dates.

    4. Resources’ percentages of time spent on non-projects are automatically calculated, based on their roles’ default P-NP ratios. If necessary, overwrite the formula and enter in custom values.

    The image shows the Non-Project Ratio section, with sample information filled in.

    Do not add or delete any columns, or modify the header row, below the dates.

    Populate your project records

    2.2.3
    Portfolio Manager Lite, Tab 4: Projects

    Portfolio Manager Lite is set up for allocating time to projects out of the box. Information on these projects is entered in the Projects tab.

    1. Enter project names and some basic information. These fields are mandatory.

    The image shows the section for filling in project names and basic information in the Projects tab. The image shows the table with sample information.

    Ensure that the project names are unique.

    Do not modify or change the headers of the first seven columns. Do not add to or delete these columns.

    2. Continue entering more information about projects. These fields are optional and can be customized.

    The image shows a section of the Projects tab, where you fill in more information.

    Headers of these columns can be changed. Extra columns can be added to the right of the Status column if desired. However, Info-Tech strongly recommends that you speak to an Info-Tech analyst before customizing.

    The Project Category, Phase, and Priority fields are entered using drop-down lists from the Org Setup tab.

    Allocate your resource project capacity to projects

    2.2.4
    Portfolio Manager Lite, Tab 5: Allocations

    Project capacity for each resource is calculated as follows, using the data from the Resources tab:

    Project capacity = (total project capacity – absence) x (100% – non-project%)

    In the Allocations tab, project capacity is allocated in percentages with 100% representing the allocation of all available project time of a resource to a project.

    This allocation-by-percentage model has some advantages and drawbacks:

    Advantages

    • Allocating all available project capacity to project is straightforward
    • Easy for project managers to coordinate with each other (e.g. “Jon’s project time will be split 50%-50% between two projects” = enter 50% allocation to each project)

    Drawbacks

    • How many hours is represented by a percentage of someone’s capacity is unclear
    • Must check whether enough work-hours are allocated for what’s needed (e.g. “Deliverable A needs 20 hours of work from Jon in November. Is 50% of his project capacity enough?”)

    The Allocations tab has a few features to help you mitigate these disadvantages.

    Info-Tech Best Practice

    For organizations with lower resource management practice maturity, start with percentages. In Portfolio Manager 2017, allocations are entered in work-hours to avoid the above drawbacks altogether, but this may require a higher practice maturity.

    Enter your resource project capacity allocations

    2.2.4
    Portfolio Manager Lite, Tab 5: Allocations

    A line item in the Allocations tab requires three pieces of information: a project, a resource, and the percentage of project capacity for each month.

    The image shows a screenshot from the Allocations tab, with sample information filled in.

    1. Choose a project. Type, Start date, and End date are automatically displayed.

    2. Choose a resource. Team is automatically displayed.

    This image is another screenshot of the Allocations tab, showing the section with dates, with sample information filled in.

    3. Enter the resource’s allocated hours for the project in percentages.

    Built-in functions in the Allocations tab display helpful information for balancing project supply and demand

    2.2.4
    Portfolio Manager Lite, Tab 5: Allocations

    The Allocations tab helps you preview the available project capacity of a resource, as well as the work-hours represented by each allocation line item, to mitigate the drawbacks of percentage allocations.

    In addition, overallocations (allocations for a given month add up to over 100%) are highlighted in red. These functions help resource managers balance the project supply and demand.

    The image shows a screenshot of the Allocations tab, with sample information filled in.

    To preview a resource’s project capacity in work-hours, choose a resource using a drop down. The resource’s available project capacity for each month is displayed to the right.

    Sort or filter the table using the filter button in the header row. Here, the Time table is sorted by Resource.

    The total work-hours for each line item is shown in the Hours column. Here, 25% of Bethel’s project capacity for 4 months adds up to only 16 work-hours for this project.

    A resource is overallocated when project capacity allocations add up to more than 100% for a given month. Overallocations are highlighted in red.

    Get the timeline of your project portfolio with the Gantt chart tab

    2.2.5
    Portfolio Manager Lite, Tab 6: Gantt

    The Gantt tab is a pivot-table-driven chart that graphically represents the start and end dates of projects and their project statuses.

    The image shows a screenshot of the Gantt tab, with sample information filled in.

    Filter entries by project type above the chart.

    The current month (9-17) is highlighted.

    You can filter and sort entries by project name, sponsor, or project manager.

    In progress (under Phase column) projects show the color of their overall status.

    Projects that are neither completed nor in progress are shown in grey.

    Completed (under Phase column) projects are displayed as black.

    Get a bird’s-eye view of your available project capacity with the Resource Load tab

    2.2.6
    Portfolio Manager Lite, Tab 7: Resource Load

    The Resource Load tab is a PivotTable showing the available project capacity for each resource.

    The image is a screenshot of the Resource Load tab, with sample information filled in.

    Change the thresholds for indicating project overallocation at the top right.

    You can filter and sort entries by resource or role.

    Values in yellow and red highlight overallocation.

    Values in green indicate resource availability.

    This table provides a bird’s-eye view of all available project capacity. Highlights for overallocated resources yield a simple heat map that indicates resourcing conflicts that need attention.

    The next two tabs contain graphical dashboards of available capacity.

    Tip: Add more resource information by dragging a column name into the Rows box in the PivotTable field view pane.

    Example: add the Team column by dragging it into the Rows box

    The image shows a screenshot demonstrating that you can add a Team column.

    Analyze your resource allocation landscape with the Capacity Slicer tab

    2.2.7
    Portfolio Manager Lite, Tab 8: Capacity Slicer

    The Capacity Slicer tab is a set of pivot charts showing the distribution of resource allocation and how they compare against the potential capacity.

    The image shows a collection of 5 graphs and charts, showing the distribution of resource allocation, and compared against potential capacity.

    At the top left of each chart, you can turn Forecast Reporting on (true) or off (false). For Year to Date reporting, replace Forecast with YTD in the Field View pane’s Filter field.

    In the Allocated Capacity, in % chart, capacity is shown as a % of total available capacity. Exceeding 100% indicates overallocation.

    In the Realized Project Capacity, in hours chart, the vertical axis is in work-hours. This gap between allocation and capacity represents available project capacity.

    The bottom plots show how allocated project capacity is distributed. If the boxes are empty, no allocation data is available.

    Use the Team slicer to drill down on resource capacity and allocation by groups of resources

    2.2.7
    Portfolio Manager Lite, Tab 8: Capacity Slicer

    A slicer filters the data shown in a PivotTable, a PivotChart, or other slicers. In this tab, the team slicer enables you to view resource capacity and allocation by each team or for multiple teams.

    The image shows a sample graph.

    The button next to the Team header enables multiple selection.

    The next button to the right clears the filter set by this slicer.

    All teams with capacity or allocation data are listed in the slicers.

    For example, if you select "App Dev":

    The image shows the same graph as previously shown, but this time with only App Dev selected in the left-hand column.

    The vertical axis scales automatically for filtered data.

    The capacity and allocation data for all application division teams is shown.

    Resources not in the App Dev team are filtered out.

    Drill down on individual-level resource allocation and demand with the Capacity Locator tab

    2.2.8
    Portfolio Manager Lite, Tab 9: Capacity Locator

    The Capacity Locator tab is a group of PivotCharts with multiple slicers to view available project capacity.

    For example: click on “Developer” under Role:

    The image shows the list of slicers available using the Capacity Locator tab.

    The image shows a series of graphs produced in the Capacity Locator tab.

    Primary skills of all developers are displayed on the left in the Primary Skill column. You can choose a skill to narrow down the list of resources from all developers to all developers with that skill.

    The selected resources are shown in the Resources column. Data on the right pertains to these resources.

    • The top left graph shows the average available project capacity for all selected resources.
    • The top right graph shows the sum of all available capacity from all selected resources.
    • In the lower left graph, pay attention to available total capacity, as selected resources may have significant non-project demands.
    • The lower right graph shows the number of assigned projects. Control the number of concurrent projects to reduce the need for multitasking and optimize your resource use.

    Where you see the filter button with an x, you can clear the filter imposed by this slicer.

    Check how your projects are resourced with the Project Viewer tab

    2.2.9
    Portfolio Manager Lite
    , Tab 10: Project Viewer

    The Project Viewer tab is a set of PivotCharts with multiple slicers to view how resources are allocated to different projects.

    The image shows a screenshot of the Project Viewer tab, with a bar graph at the top, filter selections at the bottom left, and four pie charts at the bottom right.

    Filtering by sponsor or project manager is useful for examining a group of projects by accountability (sponsor) or responsibility (project manager).

    The graphs show how project budgets are distributed across different categories and priorities of projects, and how resource allocations are distributed across different categories and priorities of projects.

    Report on your project portfolio status with the Project Updates tab

    2.2.10
    Portfolio Manager Lite
    , Tab 11: Project Updates

    The Project Updates tab is a PivotTable showing various fields from the Projects table to rapidly generate a portfolio-wide status report. You can add or remove fields from the Projects table using the PivotTable’s Field View pane.

    The image shows a screenshot of a large table, which is the Project Updates tab. A selection is open, showing how you can filter entries.

    Filter entries by phase. The screenshot shows an expansion of this drop down at the top left.

    Rearrange the columns by first clicking just below the header to select all cells in the column, and then dragging it to the desired position. Alternatively, arrange them in the Field View pane.

    Tools and other requirements needed to complete the resource management strategy

    2.2.11
    10 minutes

    • Recommended: If you are below a level 4 on Info-Tech’s resource management maturity scale, use Info-Tech’s Portfolio Manager Lite to start.
    • Use a commercial PPM tool if you already have one in use and feel that you can accurately maintain the data in this tool.
    • Use this chart to estimate the amount of time it will take to accurately maintain the data for each reporting period.
      • Determine who will be responsible for this maintenance.
      • If there is no one currently available to maintain the data, allocate time for someone or you may even need a portfolio analyst.
      • We will confirm roles and responsibilities in phase 3.
    Maturity Level Dimensions Time needed per month
    Small (1-25 employees) Medium (25-75) Large (75-100) Enterprise (100+)
    1-2 %, team, project, monthly update, 1 month forecast 2 hours 6 hours 20 hours 50 hours
    3-4 %, person, phase, weekly update, 1 quarter forecast 4 hours 12 hours 50 hours 150 hours
    5 %, person, task, continuous update, 1 year forecast 8+ hours 20+ hours 100+ hours 400+ hours

    See also: Grow Your Own PPM Solution with Info-Tech’s Portfolio Manager 2017

    Join hundreds of Info-Tech clients who are successfully growing their own PPM solution.

    If you are looking for a more robust resource management solution, or prefer to allocate staff time in hours rather than percentages, see Info-Tech’s Portfolio Manager 2017.

    Similar to Portfolio Manager Lite, Portfolio Manager 2017 is a Microsoft Excel-based PPM solution that provides project visibility, forecasting, historical insight, and portfolio analytics capabilities for your PMO without a large upfront investment for a commercial solution.

    Watch Info-Tech’s Portfolio Manager 2017 Video – Introduction and Demonstration.

    System Requirements

    To use all functions of Portfolio Manager 2017, you need Excel 2013 or Excel 2016 running on Windows, with the following add-ins:

    • Power Query (Excel 2013 only)
    • Power Pivot
    • Power View

    Power View is only available on select editions of Excel 2013 and 2016, but you can still use Portfolio Manager 2017 without Power View.

    If you are unsure, speak to your IT help desk or an Info-Tech analyst for help.

    For a new PMO, start with the new reality

    CASE STUDY

    Industry Law Enforcement

    Source Info-Tech Client

    Because we already have enterprise licensing for an expensive commercial tool, everyone else thinks it’s logical to start there. I think we’re going to start with something quick and dirty like Excel.” – EPMO Director, Law Enforcement Services

    Situation

    • This was an enterprise PMO, but with relatively low organizational maturity.
    • The IT department had relatively high project management maturity, but the enterprise was under-evolved at the portfolio level.
    • Other areas of the organization already had licensing and deployment of a top-tier commercial PPM tool.
    • There were no examples of a resource management practice.

    Complication

    • There was executive visibility on larger and more strategic projects.
    • There were no constraints on the use of resources for smaller projects.
    • The PMO was generally expected to provide project governance with their limited resources.
    • The organization lacked an understanding of the difference between project and portfolio management. Consequently, it was difficult to create resource management practices at the portfolio level due to a lack of resourcing.

    Resolution

    • The organization deferred the implementation of the commercial PPM tool.
    • They added high-level resource management using spreadsheets.
    • Executive focus was reoriented around overall resource capacity as the principle constraint for project approvals.
    • They introduced deeper levels of planning granularity over time.
    • When the planning granularity gets down to the task level, they move toward the commercial solution.

    Step 2.3: Build process steps to ensure data accuracy and sustainability

    PHASE 1

    1.1 Set a course of action

    1.2 Estimate supply and demand

    PHASE 2

    2.1 Select resource management dimensions

    2.2 Select resource management tools

    2.3 Build process steps

    PHASE 3

    3.1 Pilot your process for viability

    3.2 Plan stakeholder engagement

    This step will walk you through the following activities:
    • Draft a high-level resource management workflow
    • Build on the workflow to determine how data will be collected at each step, and who will support the process
    • Document your provisional resource management process
    This step involves the following participants:
    • PMO Director / Portfolio Manager
    • Functional / Resource Managers
    • Project Managers
    Outcomes of this step
    • A high-level resource management workflow, customized from Info-Tech’s sample workflow
    • Process for collecting resource supply data for each reporting period
    • Process for capturing the project demand within each reporting period
    • Process for identifying and documenting resource constraints and issues for each reporting period
    • Standard protocol for resolving resource issues within each reporting period
    • Process for finalizing and communicating resource allocations for the forecast window
    • A customized Resource Management Playbook, documenting the standard operating procedure for the processes

    Make sustainability the goal of your resource management practices

    A resource management process is doing more harm than good if it doesn’t facilitate the flow of accurate and usable data week after week, month after month, year after year.

    When resource management strategies fail, it can typically be tied back to the same culprit: unrealistic expectations from the outset.

    If a resource management process strives for a level of data precision that staff cannot juggle day to day, over the long run, then things will eventually fall apart as staff and decision makers alike lose faith in the data and the relevancy of the process.

    Two things can be done to help avoid this fate:

    1. Strive for accuracy over precision. If your department’s process maturity is low, and staff are ping-ponged from task to task, fire to fire, throughout any given day, then striving for precise data is ill advised. Keep your granularity of allocation more high level, and strive for data that is “maintainably” accurate rather than “unmaintainably” precise.
    2. Keep the process simple. Use the advice in this step to develop a sustainable process, one that is easy to follow with clearly defined responsibilities and accountabilities at each step.

    Info-Tech Insight

    It's not about what you put together as a one-time snapshot. It's about what you can and will maintain every week, even during a crisis. When you stop maintaining resource management data, it’s nearly impossible to catch up and you’re usually forced to start fresh.

    Maintain reliable resourcing data with an easy-to-follow, repeatable process

    Info-Tech recommends following a simple five-step process for resource management.

    1. Collect resource supply data

    • Resources
    • Resource Managers

    2. Collect project demand data

    • Resource Managers
    • Project Managers
    • PMO

    3. Identify sources of supply/demand imbalance

    • PMO

    4. Resolve conflicts and balance project and non-project allocations

    • Resource Managers
    • Project Managers
    • PMO
    • Steering Committee, CIO, other executives

    5. Approve allocations for forecast window

    • PMO
    • Steering Committee, CIO, other executives

    This is a sample workflow with sample roles and responsibilities. This step will help you customize the appropriate steps for your department.

    Info-Tech Insight

    This process aims to control the resource supply to meet the demand – project and non-project alike. Coordinate this process with other portfolio management processes, ensuring that up-to-date resource data is available for project approval, portfolio reporting, closure, etc.

    Draft your own high-level resource management workflow

    2.3.1
    60 to 90 minutes

    Participants

    • Portfolio Manager
    • Project Managers
    • Resource Managers
    • Business Analysts

    Input

    • Process data requirements

    Output

    • High-level description of your target-state process

    Materials

    • Whiteboard or recipe cards

    Conduct a table-top planning exercise to map out, at a high-level, your required and desired process steps.

    While Info-Tech recommends a simple five-step process (see previous slide), you may need to flesh out your process into additional steps, depending upon the granularity of your seven dimensions and the complexity of your resource management tool. A table-top planning exercise can be helpful to ensure the right process steps are covered.

    1. On a whiteboard or using white 4x6 recipe cards, write the unique steps of a resource management process. Use the process example at the bottom of this slide as a guide.
    2. Use a green marker or green cards to write artifacts or deliverables that result from each step.
    3. Use a red marker or red cards to address potential issues, problems, or risks that you can foresee at each step.

    For the purposes of this activity, avoid getting into too much detail by keeping to your focus on the high-level data points that will be required to keep supply and demand balanced on an ongoing basis.

    "[I]t’s important not to get too granular with your time tracking. While it might be great to get lots of insight into how your team is performing, being too detailed can eat into your team’s productive work time. A good rule of thumb to work by is if your employees’ timesheets include time spent time tracking, then you’ve gone too granular."

    Nicolas Jacobeus

    Use Info-Tech’s Resource Management Playbook to help evolve your high-level steps into a repeatable practice

    Once you’ve determined a high-level workflow, you’ll need to flesh out the organizational details for how data will be collected at each step and who will support the process.

    Use Info-Tech’s Resource Management Playbook to help determine and communicate the “who, what, when, where, why, and how” of each of your high-level process steps.

    The playbook template is intended to function as your resource management standard operating procedure. Customize Section 3 of the template to record the specific organizational details of how data will be collected at each process step, and the actions and decisions the data collection process will necessitate.

    • Activities 2.3.2-2.3.6 in this step will help you customize the process steps in Info-Tech’s five-step resource management model and record these in the template. If you developed a customized process in activity 2.3.1, you will need to add to/take away from the activity slides and customize the template accordingly.
    • Lean on the seven dimensions of resource management that you developed in step 2.1 to determine the cadence and frequency of data collection. For instance, if your update frequency is monthly, you will need to ensure you collect your supply-demand data prior to that, giving yourself enough time to analyze it and reconcile imbalances with stakeholders before refreshing your monthly reporting data.

    Download Info-Tech’s Resource Management Playbook

    How the next five activities will help you develop your playbook

    2.3 Resource Management Playbook

    Each of the slides for activities 2.3.2-2.3.6 are comprised of a task-at-a glance box as well as “important decisions to document” for each step.

    Work as a group to complete the task-at-a-glance boxes for each step. Use the “important decisions to document” notes to help brainstorm the “how” for each step. These details should be recorded below the task-at-a-glance boxes in the playbook – see point 6 in the legend below.

    Screenshot of Section 3 of the RM Playbook.

    The image shows a screenshot of Section 3 of the RM Playbook. A legend is included below.

    Screenshot Legend:

    1. Review your existing steps, tools, and templates used for this task. Alternatively, review the example provided in the RM Playbook.
    2. Designate the responsible party/parties for this process. Who carries out the task?
    3. Document the inputs and outputs for the task: artifacts, consulted and informed parties.
    4. If applicable, document the tools and templates used for the task.
    5. Designate the accountable party for this task. Only a single party can be accountable.
    6. Describe the “how” of the task below the Task-at-a-Glance table.

    Step one: determine the logistics for collecting resource supply data for each reporting period

    2.3.2
    20 minutes

    Step one in your resource management process should be ensuring a perpetually current view into your resource supply.

    Resource supply in this context should be understood as the time, per your scope of allocation (i.e. individual, team, skill, etc.) that is leftover or available once non-project demands have been taken out of the equation. In short, the goal of this process step is to determine the non-project demands for the forecast period.

    The important decisions to document for this step include:

    1. What data will be collected and from whom? For example, functional managers to update resource potential capacity and non-project resource allocations.
    2. How often will data be collected and when? For example, data will be collected third Monday of the month, three days before our monthly update frequency.
    3. How will the data be collected? For example, tool admin to send out data to update on third Monday; resource managers update the data and email back to tool admin.

    Document your process for determining resource supply in Section 3.1 of Info-Tech’s Resource Management Playbook.

    Task-at-a-glance:

    Inputs Artifacts i.e. historical usage data
    Consulted i.e. project resources
    Tools & Templates i.e. time tracking template
    Outputs Artifacts i.e. updated template
    Informed i.e. portfolio analyst
    Timing i.e. every second Monday
    Responsible i.e. functional managers
    Accountable i.e. IT directors

    Step two: map out how project demand will be captured within each reporting period

    2.3.3
    20 minutes

    Step two in your resource management process will be to determine the full extent of project demand for your forecast period.

    Project demand in this context can entail both in-flight projects as well as new project plans or new project requests that are proposing to consume capacity during the forecast period. In short, the goal of this process step is to determine all of the project demands for the forecast period.

    The important decisions to document for this step include:

    1. What data will be collected and from whom? For example, project managers to update project allocations for in-flight projects, and PMO will provide proposed allocations for new project requests.
    2. How often will data be collected and when? For example, data will be collected third Tuesday of the month, two days before our monthly update frequency.
    3. How will the data be collected? For example, tool admin to send out data to update on third Tuesday; project managers update the data and email back to tool admin.

    Document your process for determining project demand in Section 3.2 of Info-Tech’s Resource Management Playbook.

    Task-at-a-glance

    Inputs Artifacts i.e. historical usage data
    Consulted i.e. project resources
    Tools & Templates i.e. project demand template
    Outputs Artifacts i.e. updated demand table
    Informed i.e. portfolio analyst
    Timing i.e. every second Monday
    Responsible i.e. project managers
    Accountable i.e. PMO director

    Step three: record how resource constraints and issues for each reporting period will be identified and documented

    2.3.4
    20 minutes

    Step three in your resource management process will be to analyze your resource supply and project demand data to identify points of conflict.

    Once the supply-demand data has been compiled, it will need to be analyzed for points of imbalance and conflict. The goal of this process step is to analyze the raw data and to make it consumable by other stakeholders in preparation for a reconciliation or rebalancing process.

    The important decisions to document for this step include:

    1. How will the data be checked for inaccuracies? For example, tool admin to enter and QA data; reach out by the following Wednesday at noon with inconsistencies; managers to respond no later than next day by noon.
    2. What reports will employed? For example, a refreshed demand spreadsheet will be made available.
    3. What is an acceptable range for over- and under-allocations? For example, the acceptable tolerance for allocation is 15%; that is, report only those resources that are less than 85% allocated, or more than 115% allocated.

    Document your process for identifying resource constraints and issues in Section 3.3 of Info-Tech’s Resource Management Playbook.

    Task-at-a-glance

    Inputs Artifacts i.e. supply/demand data
    Consulted i.e. no one
    Tools & Templates i.e. Portfolio Manager Lite
    Outputs Artifacts i.e. list of issues
    Informed i.e. no one
    Timing i.e. every second Tuesday
    Responsible i.e. portfolio analyst
    Accountable i.e. PMO director

    Step four: establish a standard protocol for resolving resource issues within each reporting period

    2.3.5
    20 minutes

    Step four in your resource management process should be to finalize your capacity management book of record for the reporting period and prepare recommendations for resolving conflicts and issues.

    The reconciliation process will likely take place at a meeting amongst the management of the PMO and representatives from the various functional groups within the department. The goal of this step is to get the right roles and individuals to agree upon proposed reconciliations and to sign-off on resource allocations.

    The important decisions to document for this step include:

    1. What reports will be distributed and in what form? For example, refreshed spreadsheet will be available on the PMO SharePoint site.
    2. When will the reports be generated and for whom? For example, fourth Tuesday of the month, end of day – accessible for all managers.
    3. Who has input into how conflicts should be resolved? For example, conflicts will be resolved at monthly resource management meeting. All meeting participants have input, but the PMO director will have ultimate decision-making authority.

    Document your process for resolving resource constraints and issues in Section 3.4 of Info-Tech’s Resource Management Playbook.

    Inputs Artifacts i.e. meeting agenda
    Consulted i.e. meeting participants
    Tools & Templates i.e. capacity reports
    Outputs Artifacts i.e. minutes and resolutions
    Informed i.e. steering committee
    Timing i.e. every second Thursday
    Responsible i.e. PMO director
    Accountable i.e. CIO

    Step five: record how resource allocations will be finalized and communicated for the forecast window

    2.3.6
    20 minutes

    The final step in your resource management process is to clarify how resource allocations will be documented in your resource management solution and reported to the department.

    Once a plan to rebalance supply and demand for the reporting period has been agreed on, you will need to ensure that the appropriate data is updated in your resource management book of record, and that allocation decisions are communicated to the appropriate stakeholders.

    The important decisions to document for this step include:

    1. Who has ultimate authority for allocation decisions? For example, the CIO has final authority when conflicts need to be escalated and must approve all allocations for the forecast period.
    2. Who will update the book of record and when? For example, the tool admin will update the data before the end of the day following the resource management meeting.
    3. Who needs to be informed and of what? For example, resource plans will be updated in SharePoint for resources and managers to review.

    Document your process for approving and finalizing allocation in Section 3.5 of Info-Tech’s Resource Management Playbook.

    Task-at-a-glance

    Inputs Artifacts i.e. minutes and resolutions
    Consulted i.e. CIO, IT directors
    Tools & Templates i.e. Portfolio Manager Lite
    Outputs Artifacts i.e. updated availability table
    Informed i.e. steering committee
    Timing i.e. every second Friday
    Responsible i.e. portfolio analyst
    Accountable i.e. PMO director

    Finalize your provisional resource management process in the Playbook Template

    2.3 Resource Management Playbook

    Use Info-Tech’s Resource Management Playbook to solidify your processes in a formalized operating plan.

    Throughout this phase, we have been customizing sections 1, 2, and 3 of the Resource Management Playbook.

    Before we move to pilot and implement your resource management strategy in the next phase of this blueprint, ensure that sections 1-3 of your playbook have been drafted and are ready to be communicated and shared with stakeholders.

    • Avoid getting too granular in your process requirements. Keep it to high-level data requirements. Imposing too much detail in your playbook is a recipe for failure.
    • The playbook should remain provisional throughout your pilot phase. Aspects of your process will likely need to be changed or tweaked as they are met with some day-to-day realities. As with any “living document,” it can be helpful to explicitly assign responsibilities for updating the playbook over the long term to ensure it stays relevant.

    "People are spending far more time creating these elaborate [time-tracking] systems than it would have taken just to do the task. You’re constantly on your app refiguring, recalculating, re-categorizing... A better strategy would be [returning] to the core principles of good time management…Block out your calendar for the non-negotiable things. [Or] have an organized prioritized task list." – Laura Stack (quoted in Zawacki)

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    2.1 Wireframe a resource management strategy using Info-Tech’s seven dimensions of resource management

    Action the decision points across Info-Tech’s seven dimensions to ensure your resource management process is guided by realistic data and process goals.

    2.3 Draft a high-level resource management workflow and elaborate it into a repeatable practice

    Customize Info-Tech’s five-step resource management process model. Then, document how the process will operate by customizing the Resource Management Playbook.

    Phase 3

    Implement Sustainable Resource Management Practices

    Phase 3 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 3: Implement Sustainable Resource Management Practices

    Proposed Time to Completion (in weeks): 4-12 weeks

    Step 3.1: Pilot your resource management process

    Start with an analyst kick-off call:

    • Review your resource management dimensions and tools
    • Review your provisional resource management processes
    • Discuss your ideas for a pilot

    Then complete these activities…

    • Select receptive project/functional managers to work with
    • Define the scope of your pilot and determine logistics
    • Finalize resource management roles and responsibilities

    With these tools & templates:

    • Process Pilot Plan Template
    • Resource Management Playbook
    • Project Portfolio Analyst Job Description
    Step 3.2: Plan to engage your stakeholders

    Review findings with analyst:

    • Results of your pilot, team feedback, and lessons learned
    • Your stakeholder landscape

    Then complete these activities…

    • Brainstorm and plan for potential resistance to change, objections, and fatigue from stakeholders
    • Plan for next steps

    With these tools & templates:

    • Resource Management Playbook

    Phase 3 Results & Insights:

    Engagement paves the way for smoother adoption. An engagement approach (rather than simply communication) turns stakeholders into advocates who can help boost your message, sustain the change, and realize benefits without constant intervention or process command-and-control.

    Step 3.1: Pilot your resource management process to assess viability

    PHASE 1

    1.1 Set a course of action

    1.2 Estimate supply and demand

    PHASE 2

    2.1 Select resource management dimensions

    2.2 Select resource management tools

    2.3 Build process steps

    PHASE 3

    3.1 Pilot your process for viability

    3.2 Plan stakeholder engagement

    This step will walk you through the following activities:

    • Select receptive project and functional managers to work with during your pilot
    • Define the scope of your pilot and determine logistics
    • Plan to obtain feedback, document lessons learned, and create an action plan for any changes
    • Finalize resource management roles and responsibilities

    This step involves the following participants:

    • CIO
    • PMO Director / Portfolio Manager
    • Project Managers
    • Resource Managers

    Outcomes of this step

    • A pilot team
    • A process pilot plan that defines the scope, logistics, and process for retrospection
    • Roles, responsibilities, and accountabilities for resource management
    • Project Portfolio Analyst job description template

    Pilot your new processes to test feasibility and address issues before a full deployment

    Adopting the right set of practices requires a significant degree of change that necessitates buy-in from varied stakeholders throughout IT and the business.

    Rome wasn’t built in a day. Similarly, your visibility into resource usage and availability won’t happen overnight.

    Resist the urge to deploy a big-bang rollout of your research management practices. This approach is ill advised for two main reasons:

    • It will put more of a strain on the implementation team in the near term, with a larger pool of end users to train and collect data from.
    • Putting untested practices in a department-wide spotlight could lead to mass confusion in the near-term and color the new processes in a negative light, leading to a loss of stakeholder trust and engagement right out of the gate.

    Start with a pilot phase. Identify receptive project managers and functional managers to work with, and leverage their insights to help iron out the kinks in your process before unveiling your practices to IT and business users at large.

    This step will help you:

    • Plan and execute a pilot of the processes we developed in Phase 2.
    • Incorporate the lessons learned from that pilot to strengthen your playbook and ease the communication process.

    Info-Tech Insight

    Engagement paves the way for smoother adoption. An engagement approach (rather than simply communication) turns stakeholders into advocates who can help boost your message, sustain the change, and realize benefits without constant intervention or process command-and-control.

    Plan your pilot like you would any project to ensure it’s well defined and its goals are clearly articulated

    Use Info-Tech’s Process Pilot Plan Template to help define the scope of your pilot and set appropriate goals for the test run of your new processes.

    A process pilot is a limited scope of an implementation (constrained by time and resources involved) to test the viability and effectiveness of the process as it has been designed.

    • Investing time and energy into a pilot phase can help to lower implementation risk, enhance the details and steps within a process, and improve stakeholder relations prior to a full scale rollout.
    • More than a dry run, however, a pilot should be approached strategically and planned out to limit the scope of it and achieve specific outcomes.
    • Leverage a planning document to ensure your process pilot is grounded in a common set of definitions, that the pilot is delivering value and insight, and that ultimately the pilot can serve as a starting point for a full-scale process implementation.

    "The advantages to a pilot are several. First, risk is constrained. Pilots are closely monitored so if a problem does occur, it can be fixed immediately. Second, the people working in the pilot can become trainers as you roll the process out to the rest of the organization. Third, the pilot is another opportunity for skeptics to visit the pilot process and learn from those working in it. There’s nothing like seeing a new process working for people to change their minds." – Daniel Madison

    Download Info-Tech’s Process Pilot Plan Template

    Select receptive project and functional managers to work with during your pilot

    3.1.1
    20 to 60 minutes

    Input

    • Project management staff and functional managers

    Output

    • Pilot project teams

    Materials

    • Stakeholder Engagement Workbook
    • Process Pilot Plan Template

    Participants

    • Process owner (PMO director or portfolio owner)
    • CIO

    Info-Tech recommends selecting project managers and functional managers who are aware of your role and some of the supply-demand challenges to assist in the implementation process.

    1. If receptive project and functional managers are known, schedule a 15-minute meeting with them to inquire if they would be willing to be part of the pilot process.
    2. If receptive project managers are not known, use Info-Tech’s Stakeholder Engagement Workbook to conduct a formal selection process.
      1. Enter a list of potential pilot project managers in tab 3.
      2. Rate project managers in terms of influence, pilot interest, and potential deployment contribution within tab 4.
      3. Review tab 5 in the workbook. Receptive project managers will appear in the top quadrants. Ideal project managers for the pilot are located in the top right quadrant of the graph.

    Document the project and functional managers involved in your pilot in Section 3 of Info-Tech’s Process Pilot Plan Template.

    Define the scope of your pilot and determine logistics

    Input

    • Sections 1 through 4 of the Process Pilot Plan Template

    Output

    • A process pilot plan

    Materials

    • Process Pilot Plan Template

    Participants

    • Process Owner (PMO Director or Portfolio Owner)
    • CIO
    • Project and Resource Managers

    Use Info-Tech’s Process Pilot Plan Template to design the details of your pilot.

    Investing time into planning your pilot phase strategically will ensure a clear scope, better communications for those piloting the processes, and overall, better, more actionable results during the pilot phase. The Process Pilot Plan Template is broken into five sections to assist in these goals:

      • Pilot Overview and Scope
      • Success and Risk Factors
      • Stakeholders Involved and Communications Plan
      • Pilot Retrospective and Feedback Protocol
      • Lessons Learned
    • The duration of your pilot should go at least one allocation period, depending on your frequency of updates, e.g. one week or month.
    • Estimates of time commitments should be captured for each stakeholder. During the retrospective at the end of the pilot, you should capture actuals to help determine the time-cost of the process itself and measure its sustainability.
    • Once the template is completed, schedule time to share and communicate it with the pilot team and executive sponsors of the process.

    While you should invest time in this planning document, continue to lean on the Resource Management Playbook as well as a process guide throughout the pilot phase.

    Execute your pilot and prepare to make process revisions before the full rollout

    Hit play! Begin the process pilot and get familiar with the work routine and resource management solution.

    Some things to keep in mind during the pilot include:

    • Depending on the solution you’re using, you will likely need to spend one day or less to populate the tool. During the pilot, measure the time and effort required to manage the data within the tool. Compare with the original estimate from activity 2.2.2. Determine whether time and effort required are viable on an ongoing basis (i.e. can you do it every week or month) and have value.
    • Meet with the pilot team and other stakeholders regularly during the pilot – at least weekly. Allow the team (and yourself) to speak honestly and openly about what isn’t working. The pilot is your chance to make things better.
    • Keep notes about what will need to change in the RM Playbook. For major changes, you may have to tweak the process during the pilot itself. Update the process documents as needed and communicate the changes and why they’re being made. If required, update the scope of the pilot in the Process Pilot Plan Template.

    Obtain feedback from the pilot group to improve your processes before a wider rollout

    3.1.3
    30 minutes

    Input

    • What’s working and what isn’t in the process

    Output

    • Ideas to improve process

    Materials

    • Whiteboard
    • Sticky notes
    • Process Pilot Plan Template

    Participants

    • Process Owner (PMO Director or Portfolio Owner)
    • Pilot Team

    Pilot projects allow you to validate your assumptions and leverage lessons learned. During the planning of the pilot, you should have scheduled a retrospective meeting with the pilot team to formally assess strengths and weaknesses in the process you have drafted.

    • Schedule the retrospective shortly after the pilot is completed. Info-Tech recommends a stop/start/continue activity with pilot participants to obtain and capture feedback.
    • Have members of the meeting record any processes/activities on sticky notes that should:
      • Stop: because they are ineffective or not useful
      • Start: because they would be useful for the tool and have not been incorporated into current processes
      • Continue: because they are useful and positively contribute to intended process outcomes

    An example of how to structure a stop/start/continue activity on a whiteboard using sticky notes.

    The image shows three black squares, each with three brightly coloured sticky notes in it. The three squares are labelled: Stop; Start; Continue.

    See below for additional instructions

    Document lessons learned and create an action plan for any changes to the resource management processes

    3.1.4
    30 minutes

    As a group, discuss everyone’s responses and organize according to top priority (mark with a 1) and lower priority/next steps (mark with a 2). At this point, you can also remove any sticky notes that are repetitive or no longer relevant.

    Once you have organized based on priority, be sure to come to a consensus with the group regarding which actions to take. For example, if the group agrees that they should “stop holding meetings weekly,” come to a consensus regarding how often meetings will be held, i.e. monthly.

    Create an action plan for the top priority items that require changes (the stops and starts). Record in this slide or your preferred medium. Be sure to include who is responsible for the action and the date that it will be implemented.

    Priority Action Required Who is Responsible Implementation Date
    Stop: Holding meetings weekly Hold meetings monthly Jane Doe, PMO Next Meeting: November 1, 2017
    Start: Discussing backlog during meetings Ensure that backlog data is up to date for discussion on date of next meeting John Doe, Portfolio Manager November 1, 2017

    Document the outcomes of the start/stop/continue exercise and your action plan in Section 6 of Info-Tech’s Process Pilot Plan Template.

    Review actions that can be taken based on the results of your pilot

    Situation Action Next Steps
    The dimensions that we chose for our strategy have proven to be too difficult to accurately maintain. The dimensions that we chose for our strategy have proven to be too difficult to accurately maintain. Reassess the dimensions that you chose for your strategy. Make sure that you are not overcommitting yourself based on your maturity level. You can always go back and adjust for a higher level of resource management maturity once you have mastered your current level. For example, if you chose “weekly” as your update frequency and this has proven to be too much to maintain, try updating monthly for a few months. Once you have mastered this update frequency, it will be easier to adjust to a weekly update process.
    We were able to maintain the data for our pilot based on the dimensions that we chose. However, allocating projects based on realized capacity did not alleviate any of our resourcing issues and resources still seem to be working on more projects than they can handle. Determine other factors at the organization that would help to maintain the data and work toward reclaiming capacity. Continue working with the dimensions that you chose and maintain the accuracy of this data. The next step is to identify other factors that are contributing to your resource allocation problems and begin reclaiming capacity. Continue forward to the resource management roadmap section and work on changing organizational structures and worker behavior to maximize capacity for project work.
    We were able to easily and accurately maintain the data, which led to positive results and improvement in resource allocation issues. If your strategy is easily maintained, identify factors that will help your organization reclaim capacity. Continue to maintain this data, and eventually work toward maintaining it at a more precise level. For example, if you are currently using an update frequency of “monthly” and succeeding, think about moving toward a “weekly” frequency within a few months. Once you feel confident that you can maintain project and resource data, continue on to the roadmap section to discover ways to reclaim resource capacity through organizational and behavioral change.

    Finalize resource management roles and responsibilities

    3.1.5
    15 to 30 minutes

    Input

    • Tasks for resource management
    • Stakeholder involved

    Output

    • Roles, responsibilities, and accountabilities for resource management

    Materials

    • Resource Management Playbook

    Participants

    • PMO Director/ Portfolio Manager
    • Functional Managers
    • Project Managers

    Perform a RACI exercise to help standardize terminology around roles and responsibilities and to ensure that expectations are consistent across stakeholders and teams.

    • A RACI will help create a clear understanding of the tasks and expectations for each stakeholder at each process step, assigning responsibilities and accountability for resource management outcomes.

    Responsible

    Accountable

    Consulted

    Informed

    Roles CIO PMO Portfolio Analyst Project Manager Functional Manager
    Collect supply data I A R I C
    Collect demand data I A R C I
    Identify conflicts I C/A R C C
    Resolve conflicts C A/R I R R
    Approve allocations A R I R I

    Document your roles and responsibilities in Section 2 of Info-Tech’s Resource Management Playbook.

    Use Info-Tech’s Portfolio Analyst job description to help fill any staffing needs around data maintenance

    3.1 Project Portfolio Analyst/PMO Analyst Job Description

    You will need to determine responsibilities and accountabilities for portfolio management functions within your team.

    If you do not have a clearly identifiable portfolio manager at this time, you will need to clarify who will wear which hats in terms of facilitating intake and prioritization, high-level capacity awareness, and portfolio reporting.

    • Use Info-Tech’s Project Portfolio Analyst job description template to help clarify some of the required responsibilities to support your PPM strategy.
      • If you need to bring in an additional staff member to help support the strategy, you can customize the job description template to help advertise the position. Simply edit the text in grey within the template.
    • If you have other PPM tasks that you need to define responsibilities for, you can use the RASCI chart on the final tab of the PPM Strategy Development Tool.

    Download Info-Tech’s Project Portfolio Analyst Job Description Template

    Finalize the Resource Management Playbook and prepare to communicate your processes

    Once you’ve completed the pilot process and made the necessary tweaks, you should finalize your Resource Management Playbook and prepare to communicate it.

    Revisit your RM Playbook from step 2.3 and ensure it has been updated to reflect the process changes that were identified in activity 3.1.4.

    • If during the pilot process the data was too difficult or time consuming to maintain, revisit the dimensions you have chosen and select dimensions that are easier to accurately maintain. Tweak your process steps in the playbook accordingly.
    • In the long term, if you are not observing any capacity being reclaimed, revisit the roadmap that we’ll prepare in step 3.2 and address some of these inhibitors to organizational change.
    • In the next step, we will also be repurposing some of the content from the playbook, as well as from previous activities, to include them in your presentation to stakeholders, using Info-Tech’s Resource Management Communications Template.

    Download Info-Tech’s Resource Management Playbook

    Info-Tech Best Practice

    Make your process standardization comprehensive. The RM Playbook should serve as your resource management standard operating procedure. In addition to providing a walk-through of the process, an SOP also clarifies project governance by clearly defining roles and responsibilities.

    Step 3.2: Plan to engage your stakeholders with your playbook

    PHASE 1

    1.1 Set a course of action

    1.2 Estimate supply and demand

    PHASE 2

    2.1 Select resource management dimensions

    2.2 Select resource management tools

    2.3 Build process steps

    PHASE 3

    3.1 Pilot your process for viability

    3.2 Plan stakeholder engagement

    This step will walk you through the following activities:

    • Brainstorm and plan for potential resistance to change, objections, and fatigue from stakeholders
    • Plan for next steps in reclaiming project capacity
    • Plan for next steps in overcoming supply-demand reconciliation challenges

    This step involves the following participants:

    • CIO
    • PMO Director / Portfolio Manager
    • Pilot Team from Step 3.1

    Outcomes of this step

    • Plan for communicating responses and objections from stakeholders and staff
    • Plan to manage structural/enabling factors that influence success of the resource management strategy
    • Description of next steps in reclaiming project capacity and overcoming supply-demand reconciliation challenges
    • Final draft of the customized Resource Management Playbook

    Develop a resource management roadmap to communicate and reinforce the strategy

    A roadmap will help anticipate, plan, and address barriers and opportunities that influence the success of the resource management strategy.

    This step of the project will ensure the new strategy is adopted and applied with maximum success by helping you manage challenges and opportunities across three dimensions:

    1. Executive Stakeholder Factors

    For example, resistance to adopting new assumptions about ratio of project versus non-project work.

    2. Workforce/Team Factors

    For example, resistance to moving from individual- to team-based allocations.

    3. Structural Factors

    For example, ensuring priorities are stable within the chosen resource planning horizon.

    See Info-Tech’s Drive Organizational Change from the PMOfor comprehensive tools and guidance on achieving organizational buy-in for your new resource management practices.

    Info-Tech Insight

    Communicate, communicate, communicate. Staff are 34% more likely to adapt to change quickly during the implementation and adoption phases when they are provided with a timeline of impending changes specific to their department. (McLean & Company)

    Anticipate a wide range of responses toward your new processes

    While your mandate may be backed by an executive sponsor, you will need to influence stakeholders from throughout the organization in order to succeed. Indeed, as EPMO leader, success will depend upon your ability to confirm and reaffirm commitments on soft or informal grounds. Prepare an engagement strategy that anticipates a wide range of responses.

    Enthusiasts Fence-sitters Skeptics Saboteurs
    What they look like: Put all their energy into learning new skills and behaviors. Start to use new skills and behaviors at a sluggish pace. Look for alternate ways of implementing the change. Refuse to learn anything new or try new behaviors.
    How they contribute: Lead the rest of the group. Provide an undercurrent of movement from old behaviors to new. Challenge decisions and raise risk points with managers. May raise valid points about the process that should be fixed.
    How to manage them: Give them space to learn and lead others. Keep them moving forward by testing their progress. Listen to them, but don’t give in to their demands. Keep communicating with them until you convert them.
    How to leverage them: Have them lead discussions and training sessions. Use them as an example to forecast the state once the change is adopted. Test new processes by having them try to poke holes in them. If you can convert them, they will lead the Skeptics and Fence-sitters.

    Info-Tech Insight

    Hone your stakeholder engagement strategy. Most people affected by an IT-enabled change tend to be fence-sitters. Small minorities will be enthusiasts, saboteurs, and skeptics. Your communication strategy should focus on engaging the skeptics, saboteurs, and enthusiasts. Fence-sitters will follow.

    Define plans to deal with resistance to change, objections, and fatigue

    Be prepared to confront skeptics and saboteurs when communicating the change.

    1. Use the templates on the following slide to:
      1. Brainstorm possible objections from stakeholders and staff. Prioritize objections that are likely to occur.
      2. Develop responses to objections.
    2. Develop a document and plan for proactively communicating responses and objections to show people that you understand their point of view.
      1. Revise the communications messaging and plan to include proactive objection handling.
    3. Discuss the likelihood and impact of “saboteurs” who aren’t convinced or affected by change management efforts.
      1. Explore contingency plans for dealing with difficult saboteurs. These individuals can negate the progress of the rest of the team by continuing to resist the process and spreading toxic energy. If necessary, be ruthless with these individuals. Let them know that the rest of the group is moving on without them, and if they can’t or won’t adopt the new standards, then they can leave.

    Info-Tech Insight

    Communicate well and engage often. Agility and continuous improvement are good, but can degenerate into volatility if change isn’t managed properly. People will perceive change to be volatile if their expectations aren’t managed through communications and engagement planning.

    Info-Tech Best Practice

    The individuals best positioned to provide insight and influence change positively are also best positioned to create resistance.

    These people should be engaged early and often in the implementation process – not just to make them feel included or part of the change, but also because their insight could very likely identify risks, barriers, and opportunities that need to be addressed.

    Develop a plan to manage stakeholder resistance to the new resource management strategy

    3.2.1
    30 minutes

    Brainstorm potential implications and objections that executive stakeholders might raise about your new processes.

    Dimension Decision Potential Impact, Implications, and Objections Possible Responses and Actions
    i.e. Default Project Ratio 50% “This can’t be right...” “We conducted a thorough time audit to establish this ratio.”
    “We need to spend more time on project work.” “Realistic estimates will help us control new project intake, which will help us optimize time allocated to projects.”
    i.e. Frequency Monthly “This data isn’t detailed enough, we need to know what people are working on right now.” “Maintaining an update frequency of weekly would require approximately [X] extra hours of PMO effort. We can work toward weekly as we mature.”
    i.e. Scope Person “That is a lot of people to keep track of.” “Managing individuals is still the job of the project manager; we are responsible for allocating individuals to projects.”
    i.e. Granularity of Work Assignment Project “We need to know exactly what tasks are being worked on and what the progress is.” “Assigning at task level is very difficult to accurately maintain. Once we have mastered a project-level granularity we can move toward task level.”
    i.e. Forecast Horizon One month “We need to know what each resource is working on next year.” “With a monthly forecast, our estimates are dependable. If we forecast a year in advance, this estimate will not be accurate.”

    Document the outcomes of this activity on slide 26 of Info-Tech’s Resource Management Communications Template.

    Develop a plan to manage staff/team resistance to the new resource management strategy

    3.2.2
    30 minutes

    Brainstorm potential implications and objections that individual staff and members of project teams might raise about your new processes.

    Dimension Decision Potential Impact, Implications, and Objections Possible Responses and Actions
    i.e. Default Project Ratio 50% “There’s too much support work.” “We conducted a thorough time audit to establish this ratio. Realistic estimates will help us control new project intake, which will help us optimize your project time.”
    i.e. Frequency Monthly “I don’t have time to give you updates on project progress.” “This update frequency requires only [X] amount of time from you per week/month.”
    i.e. Granularity Project “I need more clarity on what I’m working on.” “Team members and project managers are in the best position to define and assign (or self-select) individual tasks.”
    i.e. Forecast Horizon One month “I need to know what my workload will be further in advance.” “You will still have a high-level understanding of what you will be working on in the future, but projects will only be officially forecasted one month in advance.”
    i.e. Allocation Cadence Monthly “We need a more frequent cadence.” “We can work toward weekly cadence as we mature.”

    Document the outcomes of this activity on slide 27 of Info-Tech’s Resource Management Communications Template.

    Develop a plan to manage structural/enabling factors that influence success of the resource management strategy

    3.2.3
    30 minutes

    Brainstorm a plan to manage other risks and challenges to implementing your processes.

    Dimension Decision Potential Impact, Implications, and Objections Possible Responses and Actions
    i.e. Default Project Ratio 50% “We have approved too many projects to allocate so little time to project work.” Nothing has changed – this was always the amount of time that would actually go toward projects. If you are worried about a backlog, stop approving projects until you have completed the current workload.
    i.e. Frequency Monthly “Status reports aren’t reliably accurate and up to date more than quarterly.” Enforce strict requirements to provide monthly status updates for 1-3 key KPIs.
    i.e. Scope Person “How can we keep track of what each individual is working on?” Establish a simple, easy reporting mechanism so that resources are reporting their own progress.
    i.e. Granularity Project “How will we know the status of a project without knowing what tasks are completed?” It is in the domain of the project manager to know what tasks have been completed and to report overall project progress.
    i.e. Forecast Horizon One Month “It will be difficult to plan for resource needs in advance.” Planning a month in advance allows you to address conflicts or issues before they are urgent.

    Document the outcomes of this activity on slide 28 of Info-Tech’s Resource Management Communications Template.

    Finalize your communications plan and prepare to present the new processes to the organization

    Use Info-Tech’s Resource Management Communications Template to record the challenges your resource management strategy is addressing and how it is addressing them.

    Highlight organizational factors that necessitated the change.

    • Stakeholders and staff understandably tend to dislike change for the sake of change. Use Info-Tech’s Resource Management Communications Template to document the pain points that your process change is addressing and explain the intended benefits for all who will be subject to the new procedures.

    Determine goals and benefits for implementation success.

    • Provide metrics by which the implementation will be deemed a success. Providing this horizon will provide some structure for stakeholders and hopefully help to encourage process discipline.

    Clearly indicate what is required of people to adopt new processes.

    • Document your Resource Management Playbook. Be sure to include specific roles and responsibilities so there is no doubt regarding who is accountable for what.

    Download Info-Tech’s Resource Management Communications Template

    "You need to be able to communicate effectively with major stakeholders – you really need their buy-in. You need to demonstrate credibility with your audience in the way you communicate and show how portfolio [management] is a structured decision-making process." – Dr. Shan Rajegopal (quoted in Akass, “What Makes a Successful Portfolio Manager”)

    Review tactics for keeping your processes on track

    Once the strategy is adopted, the next step is to be prepared to address challenges as they come up. Review the tactics in the table below for assistance.

    Challenge Resolution Next Step
    Workers are distracted because they are working on too many projects at once; their attention is split and they are unproductive. Workers are distracted because they are working on too many projects at once; their attention is split and they are unproductive. Review portfolio practices for ways to limit work in progress (WIP).
    Employees are telling project managers what they want to hear and not giving honest estimates about the way their time is spent. Ensure that employees understand the value of honest time tracking. If you’re allocating your hours to the wrong projects, it is your projects that suffer. If you are overallocated, be honest and share this with management. Display employee time-tracking reports on a public board so that everyone will see where their time is spent. If they are struggling to complete projects by their deadlines they must be able to demonstrate the other work that is taking up their time.
    Resources are struggling with projects because they do not have the necessary expertise. Perform a skills audit to determine what skills employees have and assign them to projects accordingly. If an employee with a certain skill is in high demand, consider hiring more resources who are able to complete this work.

    See below for additional challenges and tactics

    Review tactics for keeping supply and demand aligned

    Once the strategy is adopted, the next step is to use the outputs of the strategy to reclaim capacity and ensure supply and demand remain aligned. Review the tactics in the table below for assistance.

    Challenge Resolution Next Step
    There is insufficient project capacity to take on new work, but demand continues to grow. Extend project due date and manage the expectations of project sponsors with data. If possible, reclaim capacity from non-project work. Customize the playbook to address insufficient project capacity.
    There is significant fluctuation in demand, making it extremely challenging to stick to allocations. Project managers can build in additional contingencies to project plans based on resourcing data, with plans for over-delivering with surplus capacity. In addition, the CIO can leverage business relationships to curb chaotic demand. The portfolio manager should analyze the project portfolio for clues on expanding demand. Customize the playbook to address large fluctuations in demand.
    On a constant basis, there are conflicting project demands over specific skills. Re-evaluate the definition of a project to guard the value of the portfolio. Continually prioritize projects based on their business values as of today. Customize the playbook to address conflicting project demands. Feed into any near- and long-term staffing plans.

    Prepare to communicate your new resource management practices and reap their benefits

    As you roll out your resource management strategy, familiarize yourself with the capability improvements that will drive your resource management success metrics.

    1. Increased capacity awareness through the ability to more efficiently and more effectively collect and track complex, diverse, and dynamic project data across the project portfolio.
    2. Improved supply management. Increased awareness of resource capacity (current and forecasted) combined with the ability to see the results of resource allocations across the portfolio will help ensure that project resources are used as effectively as possible.
    3. Improved demand management. Increased capacity awareness, combined with reliable supply management, will help PMOs set realistic limits on the amount and kind of IT projects the organization can take on at any given time. The ability to present user-friendly reports to key decision makers will help the PMO to ensure that the projects that are approved are realistically attainable and strategically aligned.
    4. Increased portfolio success. Improvements in the three areas indicated above should result in more realistic demands on project workers/managers, better products, and better service to all stakeholders. While successfully implemented PPM solutions should produce more efficient PPM processes, ideally they should also drive improved project stakeholder satisfaction across the organization.

    The image shows a series on concentric circles, labelled (from the inside out): Capacity Awareness; Supply Management; Demand Management; Project Success.

    Info-Tech client achieves resource management success by right-sizing its data requirements and focusing on reporting

    CASE STUDY

    Industry Manufacturing

    Source Info-Tech Client

    We were concerned that the staff would not want to do timesheets. With one level of task definition, it’s not really timesheets. It’s more about reconciling our allocations.” – PMO Director, Manufacturing

    Challenge

    • In a very fast-paced environment, the PMO had developed a meaningful level of process maturity.
    • There had never been time to slow down enough to introduce a mature PPM tool set.
    • The executive leadership had started to ask for more throughput of highly visible IT projects.

    Solution

    • There had never been oversight on how much IT time went toward escalated support issues and smaller enhancement requests.
    • Staff had grown accustomed to a lack of documentation rigor surrounding the portfolio.
    • Despite a historic baseline of the ratio between strategic projects, small projects, and support, the lack of recordkeeping made it hard to validate or reconcile these ratios.

    Results

    • The organization introduced a robust commercial PPM tool.
    • They were able to restrict the granularity of data to a high level in order to limit the time required to enter and manage, and track the actuals.
    • They prepared executive leadership for their renewed focus on the allocation of resources to strategically important projects.
    • Approval of projects was right-sized based on the actual capacity and realized through improved timesheet recordkeeping.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    3.1 Define the scope of your pilot and set appropriate goals for the test-run of your new processes

    An effective pilot lowers implementation risk, enhances the details and steps within a process, and improves stakeholder relations prior to a full scale rollout.

    3.2 Develop a plan to manage stakeholder and staff resistance to the new resource management practice

    Proactively plan for communicating responses and objections to show people that you understand their point of view and win their buy-in.

    Insight breakdown

    Insight 1

    A matrix organization creates many small, untraceable demands that are often overlooked in resource management efforts, which lead to underestimating total demand and overcommitting resources. To capture them and enhance the success of your resource management effort, focus on completeness rather than precision. Precision of data will improve over time as your process maturity grows.

    Insight 2

    Draft the resource management practice with sustainability in mind. It is about what you can and will maintain every week, even during a crisis: it is not about what you put together as a one-time snapshot. Once you stop maintaining resource data, it’s nearly impossible to catch up.

    Insight 3

    Engagement paves the way for smoother adoption. An engagement approach (rather than simply communication) turns stakeholders into advocates who can help boost your message, sustain the change, and realize benefits without constant intervention or process command-and-control.

    Summary of accomplishment

    Knowledge Gained

    • Disconnect between traditional resource management paradigms and today’s reality of work environment
    • Differentiation of accuracy and precision in capacity data
    • Snapshot of resource capacity supply and demand
    • Seven dimensions of resource management strategy
    • How to create sustainability of a resource management practice

    Processes Optimized

    • Collecting resource supply data
    • Capturing the project demand
    • Identifying and documenting resource constraints and issues
    • Resolving resource issues
    • Finalizing and communicating resource allocations for the forecast window

    Deliverable Completed

    • Resource Management Supply-Demand Calculator, to create an initial estimate of resource capacity supply and demand
    • Time-tracking survey emails, to validate assumptions made for creating the initial snapshot of resource capacity supply and demand
    • Resource Management Playbook, which documents your resource management strategy dimensions, process steps, and responses to challenges
    • PPM Solution Vendor Demo Script, to structure your resource management tool demos and interactions with vendors to ensure that their solutions can fully support your resource management practices
    • Portfolio Manager Lite, a spreadsheet-based resource management solution to facilitate the flow of data
    • Process Pilot Plan, to ensure that the pilot delivers value and insight necessary for a wider rollout
    • Project Portfolio Analyst job description, to help your efforts in bringing in additional staff to provide support for the new resource management practice
    • Resource Management Communications presentation, with which to engage your stakeholders during the new process rollout

    Research contributors and experts

    Trevor Bramwell, ICT Project Manager Viridor Waste Management

    John Hansknecht, Director of Technology University of Detroit Jesuit High School & Academy

    Brian Lasby, Project Manager Toronto Catholic District School Board

    Jean Charles Parise, CIO & DSO Office of the Auditor General of Canada

    Darren Schell, Associate Executive Director of IT Services University of Lethbridge

    Related Info-Tech research

    Develop a Project Portfolio Management Strategy

    Grow Your Own PPM Solution

    Optimize Project Intake, Approval, and Prioritization

    Maintain and Organized Portfolio

    Manage a Minimum-Viable PMO

    Establish the Benefits Realization Process

    Manage an Agile Portfolio

    Tailor Project Management Processes to Fit Your Projects

    Project Portfolio Management Diagnostic Program

    The Project Portfolio Management Diagnostic Program is a low-effort, high-impact program designed to help project owners assess and improve their PPM practices. Gather and report on all aspects of your PPM environment to understand where you stand and how you can improve.

    Bibliography

    actiTIME. “How Poor Tracking of Work Time Affects Your Business.” N.p., Oct. 2016. Web.

    Akass, Amanda. “What Makes a Successful Portfolio Manager.” Pcubed, n.d. Web.

    Alexander, Moira. “5 Steps to avoid overcommitting resources on your IT projects.” TechRepublic. 18 July 2016. Web.

    Anderson, Ryan. “Some Shocking Statistics About Interruptions in Your Work Environment.” Filevine, 9 July 2015. Web.

    Bondale, Kiron. “Focus less on management and more on the resources with resource management.” Easy in Theory, Difficult in Practice. 16 July 2014. Web.

    Burger, Rachel. “10 Software Options that Will Make Your Project Resource Allocation Troubles Disappear.” Capterra Project Management Blog, 6 January 2016. Web.

    Cooper, Robert, G. “Effective Gating: Make product innovation more productive by using gates with teeth.” Stage-Gate International and Product Development Institute. March/April 2009. Web.

    Dimensional Research. “Lies, Damned Lies and Timesheet Data.” Replicon, July 2013. Web.

    Edelman Trust Barometer. “Leadership in a Divided World.” 2016. Web.

    Frank, T.A. “10 Execs with Time-Management Secrets You Should Steal.” Monday*. Issue 2: Nov-Dec 2014. Drucker Institute. Web.

    Huth, Susanna. “Employees waste 759 hours each year due to workplace distractions.” The Telegraph, 22 Jun 2015. Web.

    Jacobeus, Nicolas. “How Detailed Does Your Agency Time Tracking Need to Be?” Scale Blog, 18 Jul 2016. Web.

    Lessing, Lawrence. Free Culture. Lulu Press Inc.: 30 July 2016.

    Kwak, James. “The Importance of Excel. The Baseline Scenario, 9 Feb 2013. Web.

    Madison, Daniel. “The Five Implementation Options to Manage the Risk in a New Process.” BPMInstitute.org. n.d. Web.

    Mark, Gloria. Multitasking in the Digital Age. Morgan & Claypool Publishers. 1 April 2015

    Maron, Shim. “Accountability Vs. Responsibility In Project Management.” Workfront, 10 June 2016. Web.

    PM Solutions. “Resource Management and the PMO: Three Strategies for Addressing Your Biggest Challenge.” N.p., 2009. Web.

    Project Management Institute. “Pulse of the Profession 2014.” PMI, 2014. Web.

    Planview. “Capacity Planning Fuels Innovation Speed.” 2016. Web.

    Rajda, Vilmos. “The Case Against Project Portfolio Management.” PMtimes, 1 Dec 2010. Web.

    Reynolds, Justin. “The Sad Truth about Nap Pods at Work.” TINYpulse, 22 Aug 2016. Web.

    Schulte, Brigid. “Work interrupts can cost you 6 hours a day. An efficiency expert explains how to avoid them.” Washington Post, 1 June 2015. Web.

    Stone, Linda. "Continuous Partial Attention." Lindastone.net. N.p., n.d. Web.

    Zawacki, Kevin. “The Perils of Time Tracking.” Fast Company, 26 Jan 2015. Web.

    Service Management

    • Buy Link or Shortcode: {j2store}46|cart{/j2store}
    • Related Products: {j2store}46|crosssells{/j2store}
    • Parent Category Name: Service Planning and Architecture
    • Parent Category Link: /service-planning-and-architecture

    The challenge

    • We have good, holistic practices, but inconsistent adoption leads to chaotic service delivery and low customer satisfaction.
    • You may have designed your IT services with little structure, formalization, or standardization.
    • That makes the management of these services more difficult and also leads to low business satisfaction.

    Continue reading

    Adopt Generative AI in Solution Delivery

    • Buy Link or Shortcode: {j2store}146|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Development
    • Parent Category Link: /development
    • Delivery teams are under continuous pressure to deliver high value and quality solutions with limited capacity in complex business and technical environments. Common challenges experienced by these teams include:
      • Attracting and retaining talent
      • Maximizing the return on technology
      • Confidently shifting to digital
      • Addressing competing priorities
      • Fostering a collaborative culture
      • Creating high-throughput teams
    • Gen AI offers a unique opportunity to address many of these challenges.

    Our Advice

    Critical Insight

    • Your stakeholders' understanding of Gen AI, its value, and its application can be driven by hype and misinterpretation. This confusion can lead to unrealistic expectations and set the wrong precedent for the role Gen AI is intended to play.
    • Your SDLC is not well documented and is often executed inconsistently. An immature practice will not yield the benefits stakeholders expect.
    • The Gen AI marketplace is broad and diverse. Selecting the appropriate tools and partners is confusing and overwhelming.
    • There is a skills gap for what is needed to configure, adopt, and operate Gen AI.

    Impact and Result

    • Ground your Gen AI expectations. Set realistic and achievable goals centered on driving business value and efficiency across the entire SDLC by enabling Gen AI in key tasks and activities. Propose the SDLC as the ideal pilot for Gen AI.
    • Select the right Gen AI opportunities. Discuss how proven Gen AI capabilities can be applied to your solution delivery practice to achieve the outcomes and priorities stakeholders expect. Lessons learned sow the foundation for future Gen AI scaling.
    • Assess your Gen AI readiness in your solution delivery teams. Clarify the roles, processes, and tools needed for the implementation, use, and maintenance of Gen AI.

    Adopt Generative AI in Solution Delivery Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Adopt Generative AI in Solution Delivery Storyboard – A step-by-step guide that helps you assess whether Gen AI is right for your solution delivery practices.

    Gain an understanding of the potential opportunities that Gen AI can provide your solution delivery practices and answer the question "What should I do next?"

    • Adopt Generative AI in Solution Delivery Storyboard

    2. Gen AI Solution Delivery Readiness Assessment Tool – A tool to help you understand if your solution delivery practice is ready for Gen AI.

    Assess the readiness of your solution delivery team for Gen AI. This tool will ask several questions relating to your people, process, and technology, and recommend whether or not the team is ready to adopt Gen AI practices.

    • Gen AI Solution Delivery Readiness Assessment Tool
    [infographic]

    Further reading

    Adopt Generative AI in Solution Delivery

    Drive solution quality and team productivity with the right generative AI capabilities.

    Analyst Perspective

    Build the case for Gen AI with the right opportunities.

    Generative AI (Gen AI) presents unique opportunities to address many solution delivery challenges. Code generation can increase productivity, synthetic data generation can produce usable test data, and scanning tools can identify issues before they occur. To be successful, teams must be prepared to embrace the changes that Gen AI brings. Stakeholders must also give teams the opportunity to optimize their own processes and gauge the fit of Gen AI.

    Start small with the intent to learn. The right pilot initiative helps you learn the new technology and how it benefits your team without the headache of complex setups and lengthy training and onboarding. Look at your existing solution delivery tools to see what Gen AI capabilities are available and prioritize the use cases where Gen AI can be used out of the box.

    This is a picture of Andrew Kum-Seun

    Andrew Kum-Seun
    Research Director,
    Application Delivery and Management
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Delivery teams are under continuous pressure to deliver high-value, high-quality solutions with limited capacity in complex business and technical environments. Common challenges experienced by these teams include:

    • Attracting and retaining talent
    • Maximizing the return on technology
    • Confidently shifting to digital
    • Addressing competing priorities
    • Fostering a collaborative culture
    • Creating high-throughput teams

    Generative AI (Gen AI) offers a unique opportunity to address many of these challenges.

    Common Obstacles

    • Your stakeholders' understanding of what is Gen AI, its value and its application, can be driven by hype and misinterpretation. This confusion can lead to unrealistic expectations and set the wrong precedent for the role Gen AI is intended to play.
    • Your solution delivery process is not well documented and is often executed inconsistently. An immature practice will not yield the benefits stakeholders expect.
    • The Gen AI marketplace is very broad and diverse. Selecting the appropriate tools and partners is confusing and overwhelming.
    • There is a skills gap for what is needed to configure, adopt, and operate Gen AI.

    Info-Tech's Approach

    • Ground your Gen AI expectations. Set realistic and achievable goals centered on driving business value and efficiency across the entire solution delivery process by enabling Gen AI in key tasks and activities. Propose this process as the ideal pilot for Gen AI.
    • Select the right Gen AI opportunities. Discuss how proven Gen AI capabilities can be applied to your solution delivery practice and achieve the outcomes and priorities stakeholders expect. Lessons learned sow the foundation for future Gen AI scaling.
    • Assess your Gen AI readiness in your solution delivery teams. Clarify the roles, processes, and tools needed for the implementation, use, and maintenance of Gen AI.

    Info-Tech Insight

    Position Gen AI as a tooling opportunity to enhance the productivity and depth of your solution delivery practice. Current Gen AI tools are unable to address the various technical and human complexities that commonly occur in solution delivery. Assess the fit of Gen AI by augmenting low-risk, out-of-the-box tools in key areas of your solution delivery process and teams.

    Insight Summary

    Overarching Info-Tech Insight

    Position Gen AI is a tooling opportunity to enhance the productivity and depth of your solution delivery practice. However, current Gen AI tools are unable to address the various technical and human complexities that commonly occur in solution delivery. Assess the fit of Gen AI by augmenting low-risk, out-of-the-box tools in key areas of your solution delivery process and teams.

    Understand and optimize first, automate with Gen AI later.
    Gen AI magnifies solution delivery inefficiencies and constraints. Adopt a user-centric perspective to understand your solution delivery teams' interactions with solution delivery tools and technologies to better replicate how they complete their tasks and overcome challenges.

    Enable before buy. Buy before build.
    Your solution delivery vendors see AI as a strategic priority in their product and service offering. Look into your existing toolset and see if you already have the capabilities. Otherwise, prioritize using off-the-shelf solutions with pre-trained Gen AI capabilities and templates.

    Innovate but don't experiment.
    Do not reinvent the wheel and lower your risk of success. Stick to the proven use cases to understand the value and fit of Gen AI tools and how your teams can transform the way they work. Use your lessons learned to discover scaling opportunities.

    Blueprint benefits

    IT benefits

    Business benefits

    • Select the Gen AI tools and capabilities that meet both the solution delivery practice and team goals, such as:
    • Improved team productivity and throughput.
    • Increased solution quality and value.
    • Greater team satisfaction.
    • Motivate stakeholder buy-in for the investment in solution delivery practice improvements.
    • Validate the fit and opportunities with Gen AI for future adoption in other IT departments.
    • Increase IT satisfaction by improving the throughput and speed of solution delivery.
    • Reduce the delivery and operational costs of enterprise products and services.
    • Use a pilot to demonstrate the fit and value of Gen AI capabilities and supporting practices across business and IT units.

    What is Gen AI?

    An image showing where Gen AI sits within the artificial intelligence.  It consists of four concentric circles.  They are labeled from outer-to-inner circle in the following order: Artificial Intelligence; Machine Learning; Deep Learning; Gen AI

    Generative AI (Gen AI)
    A form of ML whereby, in response to prompts, a Gen AI platform can generate new output based on the data it has been trained on. Depending on its foundational model, a Gen AI platform will provide different modalities and use case applications.

    Machine Learning (ML)
    The AI system is instructed to search for patterns in a data set and then make predictions based on that set. In this way, the system learns to provide accurate content over time. This requires a supervised intervention if the data is inaccurate. Deep learning is self-supervised and does not require intervention.

    Artificial Intelligence (AI)
    A field of computer science that focuses on building systems to imitate human behavior. Not all AI systems have learning behavior; many systems (such as customer service chatbots) operate on preset rules.

    Info-Tech Insight

    Many vendors have jumped on Gen AI as the latest marketing buzzword. When vendors claim to offer Gen AI functionality, pin down what exactly is generative about it. The solution must be able to induce new outputs from inputted data via self-supervision – not trained to produce certain outputs based on certain inputs.

    Augment your solution delivery teams with Gen AI

    Position Gen AI as a tooling opportunity to enhance the productivity and depth of your solution delivery practice. Current Gen AI tools are unable to address the various technical and human complexities that commonly occur in solution delivery; assess the fit of Gen AI by augmenting low-risk, out-of-the-box tools in key areas of your solution delivery process and teams.

    Solution Delivery Team

    Humans

    Gen AI Bots

    Product owner and decision maker
    Is accountable for the promised delivery of value to the organization.

    Business analyst and architect
    Articulates the requirements and aligns the team to the business and technical needs.

    Integrator and builder
    Implements the required solution.

    Collaborator
    Consults and supports the delivery.

    Administrator
    Performs common administrative tasks to ensure smooth running of the delivery toolchain and end-solutions.

    Designer and content creator
    Provides design and content support for common scenarios and approaches.

    Paired developer and tester
    Acts as a foil for existing developer or tester to ensure high quality output.

    System monitor and support
    Monitors and recommends remediation steps for operational issues that occur.

    Research deliverable

    This research is accompanied by a supporting deliverable to help you accomplish your goals.

    Gen AI Solution Delivery Readiness Assessment Tool

    Assess the readiness of your solution delivery team for Gen AI. This tool will ask several questions relating to your people, process, and technology, and recommend whether the team is ready to adopt Gen AI practices.

    This is a series of three screenshots from the Gen AI Solution Delivery Readiness Assessment Tool

    Step 1.1

    Set the context

    Activities

    1.1.1 Understand the challenges of your solution delivery teams.

    1.1.2 Outline the value you expect to gain from Gen AI.

    This step involves the following participants:

    • Applications VP
    • Applications Director
    • Solution Delivery Manager
    • Solution Delivery Team

    Outcomes of this step

    • SWOT Analysis to help articulate the challenges facing your teams.
    • A Gen AI Canvas that will articulate the value you expect to gain.

    IT struggles to deliver solutions effectively

    • Lack of skills and resources
      Forty-six percent of respondents stated that it was very or somewhat difficult to attract, hire, and retain developers (GitLab, 2023; N=5,010).
    • Delayed software delivery
      Code development (37%), monitoring/observability (30%), deploying to non-production environments (30%), and testing (28%) were the top areas where software delivery teams or organizations encountered the most delays (GitLab, 2023, N=5,010).
    • Low solution quality and satisfaction
      Only 64% of applications were identified as effective by end users. Effective applications are identified as at least highly important and have high feature and usability satisfaction (Application Portfolio Assessment, August 2021 to July 2022; N=315).
    • Burnt out teams
      While workplace flexibility comes with many benefits, longer work hours jeopardize wellbeing. Sixty-two percent of organizations reported increased working hours, while 80% reported an increase in flexibility ("2022 HR Trends Report," McLean & Company, 2022; N=394) .

    Creating high-throughput teams is an organizational priority.

    CXOs ranked "optimize IT service delivery" as the second highest priority. "Achieve IT business" was ranked first.

    (CEO-CIO Alignment Diagnostics, August 2021 to July 2022; n=568)

    1.1.1 Understand the challenges of your solution delivery teams

    1-3 hours

    1. Complete a SWOT analysis of your solution delivery team to discover areas where Gen AI can be applied.
    2. Record this information in the Gen AI Solution Delivery Readiness Assessment Tool.

    Strengths

    Internal characteristics that are favorable as they relate to solution delivery

    Weaknesses

    Internal characteristics that are unfavorable or need improvement

    Opportunities

    External characteristics that you may use to your advantage

    Threats

    External characteristics that may be potential sources of failure or risk

    Record the results in the Gen AI Solution Delivery Readiness Assessment Tool

    Output

    • SWOT analysis of current state of solution delivery practice

    Participants

    • Applications VP
    • Applications Director
    • Solution Delivery Manager
    • Solution Delivery Team

    Gen AI can help solve your solution delivery challenges

    Why is software delivery an ideal pilot candidate for Gen AI?

    • Many software delivery practices are repeatable and standardized.
    • Software delivery roles that are using and implementing Gen AI are technically savvy.
    • Automation is a staple in many commonly used tools.
    • Change will likely not impact business operations.

    Improved productivity

    Gen AI jumpstarts the most laborious and mundane parts of software delivery. Delivery teams saved 22 hours (avg) per software use case when using AI in 2022, compared to last year when AI was not used ("Generative AI Speeds Up Software Development," PRNewswire, 2023).

    Fungible resources

    Teams are transferrable across different frameworks, platforms, and products. Gen AI provides the structure and guidance needed to work across a wider range of projects ("Game changer: The startling power generative AI is bringing to software development," KPMG, 2023).

    Improved solution quality

    Solution delivery artifacts (e.g. code) are automatically scanned to quickly identify bugs and defects based on recent activities and trends and validate against current system performance and capacity.

    Business empowerment

    AI enhances the application functionalities workers can build with low- and no-code platforms. In fact, "AI high performers are 1.6 times more likely than other organizations to engage non-technical employees in creating AI applications" ("The state of AI in 2022 — and a half decade in review." McKinsey, 2022, N=1,492).

    However, various fears, uncertainties, and doubts challenge Gen AI adoption

    Black Box

    Little transparency is provided on the tool's rationale behind content creation, decision making, and the use and storage of training data, creating risks for legal, security, intellectual property, and other areas.

    Role Replacement

    Some workers have job security concerns despite Gen AI being bound to their rule-based logic framework, the quality of their training data, and patterns of consistent behavior.

    Skills Gaps

    Teams need to gain expertise in AI/ML techniques, training data preparation, and continuous tooling improvements to support effective Gen AI adoption across the delivery practice and ensure reliable operations.

    Data Inaccuracy

    Significant good quality data is needed to build trust in the applicability and reliability of Gen AI recommendations and outputs. Teams must be able to combine Gen AI insights with human judgment to generate the right outcome.

    Slow Delivery of AI Solution

    Timelines are sensitive to organizational maturity, experience with Gen AI, and investments in good data management practices. 65% of organizations said it took more than three months to deploy an enterprise-ready AIOps solution (OpsRamp, 2022).

    Define the value you want Gen AI to deliver

    Well-optimized Gen AI instills stakeholder confidence in ongoing business value delivery and ensures stakeholder buy-in, provided proper expectations are set and met. However, business value is not interpreted or prioritized the same across the organization. Come to a common business value definition to drive change in the right direction by balancing the needs of the individual, team, and organization.

    Business value cannot always be represented by revenue or reduced expenses. Dissecting value by the benefit type and the value source's orientation allows you to see the many ways in which Gen AI brings value to the organization.

    Financial benefits vs. intrinsic needs

    • Financial benefits refers to the degree to which the value source can be measured through monetary metrics, such as revenue generation and cost saving.
    • Intrinsic needs refers to how a product, service, or business capability enhanced with Gen AI meets functional, user experience, and existential needs.

    Inward vs. outward orientation

    • Inward refers to value sources that are internally impacted by Gen AI and improve your employees' and teams' effectiveness in performing their responsibilities.
    • Outward refers to value sources that come from your interaction with external stakeholders and customers and were improved from using Gen AI.

    See our Build a Value Measurement Framework blueprint for more information about business value definition.

    An image of the Business Value Matrix for Gen AI

    Measure success with the right metrics

    Establishing and monitoring metrics are powerful ways to drive behavior and strategic changes in your organization. Determine the right measures that demonstrate the value of your Gen AI implementation by aligning them with your Gen AI objectives, business value drivers, and non-functional requirements.

    Select metrics with different views

    1. Solution delivery practice effectiveness
      The ability of your practice to deliver, support, and operate solutions with Gen AI
      Examples: Solution quality and throughput, delivery and operational costs, number of defects and issues, and system quality
    2. Solution quality and value
      The outcome of your solutions delivered with Gen AI tools
      Examples: Time and money saved, utilization of products and services, speed of process execution, number of errors, and compliance with standards
    3. Gen AI journey goals and milestones
      Your organization's position in your Gen AI journey
      Examples: Maturity score, scope of Gen AI adoption, comfort and
      confidence with Gen AI capabilities, and complexity of Gen AI use cases

    Leverage Info-Tech's Diagnostics

    IT Management & Governance

    • Improvement to application development quality and throughput effectiveness
    • Increased importance of application delivery and maintenance capabilities across the IT organization
    • Delegation of delivery accountability across more IT roles

    CIO Business Vision

    • Improvements to IT satisfaction and value from delivered solutions
    • Changes to the value and importance of IT core services enabled with Gen AI
    • The state of business and IT relationships
    • Capability to deliver and support Gen AI effectively

    1.1.2 Outline the value you expect to gain from Gen AI

    1-3 hours

    1. Complete the following fields to build your Gen AI canvas:
      1. Problem that Gen AI is intending to solve
      2. List of stakeholders
      3. Desired business and IT outcomes
      4. In-scope solution delivery teams, systems, and capabilities.
    2. Record this information in the Gen AI Solution Delivery Readiness Assessment Tool.

    Output

    • Gen AI Canvas

    Participants

    • Applications VP
    • Applications Director
    • Solution Delivery Manager
    • Solution Delivery Team

    Record the results in the Gen AI Solution Delivery Readiness Assessment Tool

    1.1.2 Example

    Example of an outline of the value you expect to gain from Gen AI

    Problem statements

    • Manual testing procedures hinder pace and quality of delivery.
    • Inaccurate requirement documentation leads to constant redesigning.

    Business and IT outcomes

    • Improve code quality and performance.
    • Expedite solution delivery cycle.
    • Improve collaboration between teams and reduce friction.

    List of stakeholders

    • Testing team
    • Application director
    • CIO
    • Design team
    • Project manager
    • Business analysts

    In-scope solution delivery teams, system, and capabilities

    • Web
    • Development
    • App development
    • Testing
    • Quality assurance
    • Business analysts
    • UI/UX design

    Align your objectives to the broader AI strategy

    Why is an organizational AI strategy important for Gen AI?

    • All Gen AI tactics and capabilities are designed, delivered, and managed to support a consistent interpretation of the broader AI vision and goals.
    • An organizational strategy gives clear understanding of the sprawl, criticality, and risks of Gen AI solutions and applications to other IT capabilities dependent on AI.
    • Gen AI initiatives are planned, prioritized, and coordinated alongside other software delivery practice optimizations and technology modernization initiatives.
    • Resources, skills, and capacities are strategically allocated to meet the needs of Gen AI considering other commitments in the software delivery optimization backlog and roadmap.
    • Gen AI expectations and practices uphold the persona, values, and principles of the software delivery team.

    What is an AI strategy?

    An AI strategy details the direction, activities, and tactics to deliver on the promise of your AI portfolio. It often includes:

    • AI vision and goals
    • Application, automation, and process portfolio involved or impacted by AI
    • Values and principles
    • Health of your AI portfolio
    • Risks and constraints
    • Strategic roadmap

    Step 1.2

    Evaluate opportunities for Gen AI

    Activities

    1.2.1 Align Gen AI opportunities with teams and capabilities.

    This step involves the following participants:

    • Applications VP
    • Applications Director
    • Solution Delivery Manager
    • Solution Delivery Team

    Outcomes of this step

    • Understand the Gen AI opportunities for your solution delivery practice.

    Learn how Gen AI is employed in solution delivery

    Gen AI opportunity Common Gen AI tools and vendors Teams than can benefit How can teams leverage this? Case study
    Synthetic data generation
    • Testing
    • Data Analysts
    • Privacy and Security
    • Create test datasets
    • Replace sensitive personal data

    How Unity Leverages Synthetic Data

    Code generation
    • Development
    • Testing
    • Code Templates & Boilerplate
    • Code Refactoring

    How CI&T accelerated development by 11%

    Defect forecasting and debugging
    • Project Manager & Quality Assurance
    • Development
    • Testing
    • Identify root cause
    • Static and dynamic code analysis
    • Debugging assistance

    Altran Uses Microsoft Code Defect AI Solution

    Requirements documentation and elicitation
    • Business Analysts
    • Development
    • Document functional requirements
    • Writing test cases

    Google collaborates with Replit to reduce time to bring new products to market by 30%

    UI design and prototyping
    • UI/UX Design
    • Development
    • Deployment
    • Rapid prototyping
    • Design assistance

    How Spotify is Upleveling Their Entire Design Team

    Other common AI opportunities solutions include test case generation, code translation, use case creation, document generation, and automated testing.

    Opportunity 1: Synthetic data generation

    Create artificial data that mimics the structure of real-life data.

    What are the expected benefits?

    • Availability of test data: Creation of large volumes of data compatible for testing multiple systems within the organization.
    • Improved privacy: Substituting real data with artificial leads to reduced data leaks.
    • Quicker data provisioning: Automated generation of workable datasets aligned to company policies.

    What are the notable risks and challenges?

    • Generalization and misrepresentations: Data models used in synthetic data generation may not be an accurate representation of production data because of potentially conflicting definitions, omission of dependencies, and multiple sources of truth.
    • Lack of accurate representation: It is difficult for synthetic data to fully capture real-world data nuances.
    • Legal complexities: Data to build and train the Gen AI tool does not comply with data residency and management standards and regulations.

    How should teams prepare for synthetic data generation?

    It can be used:

    • To train machine learning models when there is not enough real data, or the existing data does not meet specific needs.
    • To improve quality of test by using data that closely resembles production without the risk of leveraging sensitive and private information.

    "We can simply say that the total addressable market of synthetic data and the total addressable market of data will converge,"
    Ofir Zuk, CEO, Datagen (Forbes, 2022)

    Opportunity 2: Code generation

    Learn patterns and automatically generate code.

    What are the expected benefits?

    • Increased productivity: It allows developers to generate more code quickly.
    • Improved code consistency: Code is generated using a standardized model and lessons learnt from successful projects.
    • Rapid prototyping: Expedite development of a working prototype to be verified and validated.

    What are the notable risks and challenges?

    • Limited contextual understanding: AI may lack domain-specific knowledge or understanding of requirements.
    • Dependency: Overreliance on AI generated codes can affect developers' creativity.
    • Quality concerns: Generated code is untested and its alignment to coding and quality standards is unclear.

    How should teams prepare for code generation?

    It can be used to:

    • Build solutions without the technical expertise of traditional development.
    • Discover different solutions to address coding challenges.
    • Kickstart new development projects with prebuilt code.

    According to a survey conducted by Microsoft's GitHub, a staggering 92% of programmers were reported as using AI tools in their workflow (GitHub, 2023).

    Opportunity 3: Defect forecasting & debugging

    Predict and proactively address defects before they occur.

    What are the expected benefits?

    • Reduced maintenance cost: Find defects earlier in the delivery process, when it's cheaper to fix them.
    • Increased efficiency: Testing efforts can remain focused on critical and complex areas of solution.
    • Reduced risk: Find critical defects before the product is deployed to production.

    What are the notable risks and challenges?

    • False positives and negatives: Incorrect interpretation and scope of defect due to inadequate training of the Gen AI model.
    • Inadequate training: Training data does not reflect the complexity of the solutions code.
    • Not incorporating feedback: Gen AI models are not retrained in concert with solution changes.

    How should teams prepare for defect forecasting and debugging?

    It can be used to:

    • Perform static and dynamic code analysis to find vulnerabilities in the solution source code.
    • Forecast potential issues of a solution based on previous projects and industry trends.
    • Find root cause and suggest solutions to address found defects.

    Using AI technologies, developers can reduce the time taken to debug and test code by up to 70%, allowing them to finish projects faster and with greater accuracy (Aloa, 2023).

    Opportunity 4: Requirements documentation & elicitation

    Capturing, documenting, and analyzing function and nonfunctional requirements.

    What are the expected benefits?

    • Improve quality of requirements: Obtain different perspectives and contexts for the problem at hand and help identify ambiguities and misinterpretation of risks and stakeholder expectation.
    • Increased savings: Fewer resources are consumed in requirements elicitation activities.
    • Increased delivery confidence: Provide sufficient information for the solution delivery team to confidently estimate and commit to the delivery of the requirement.

    What are the notable risks and challenges?

    • Conflicting bias: Gen AI models may interpret the problem differently than how the stakeholders perceive it.
    • Organization-specific interpretation: Inability of the Gen AI models to accommodate unique interpretation of terminologies, standards, trends and scenarios.
    • Validation and review: Interpreting extracted insights requires human validation.

    How should teams prepare for requirements documentation & elicitation?

    It can be used to:

    • Document requirements in a clear and concise manner that is usable to the solution delivery team.
    • Analyze and test requirements against various user, business, and technical scenarios.

    91% of top businesses surveyed report having an ongoing investment in AI (NewVantage Partners, 2021).

    Opportunity 5: UI design and prototyping

    Analyze existing patterns and principles to generate design, layouts, and working solutions.

    What are the expected benefits?

    • Increased experimentation: Explore different approaches and tactics to solve a solution delivery problem.
    • Improved collaboration: Provide quick design layouts that can be reshaped based on stakeholder feedback.
    • Ensure design consistency: Enforce a UI/UX design standard for all solutions.

    What are the notable risks and challenges?

    • Misinterpretation of UX Requirements: Gen AI model incorrectly assumes a specific interpretation of user needs, behaviors, and problem.
    • Incorrect or missing requirements: Lead to extensive redesigns and iterations, adding to costs while hampering user experience.
    • Design creativity: May lack originality and specific brand aesthetics if not augmented well with human customizability and creativity.

    How should teams prepare for UI design and prototyping?

    It can be used to:

    • Visualize the solution through different views and perspectives such as process flows and use-case diagrams.
    • Create working prototypes that can be verified and validated by stakeholders and end users.

    A study by McKinsey & Company found that companies that invest in AI-driven design outperform their peers in revenue growth and customer experience metrics. They were found to achieve up to two times higher revenue growth than industry peers and up to 10% higher net promoter score (McKinsey & Company, 2018).

    Determine the importance of your opportunities by answering these questions

    Realizing the complete potential of Gen AI relies on effectively fostering its adoption and resulting changes throughout the entire solution delivery process.

    What are the challenges faced by your delivery teams that could be addressed by Gen AI?

    • Recognize the precise pain points, bottlenecks, or inefficiencies faced by delivery teams.
    • Include all stakeholders' perspectives during problem discovery and root cause analysis.

    What's holding back Gen AI adoption in the organization?

    • Apart from technical barriers, address cultural and organizational challenges and discuss how organizational change management strategies can mitigate Gen AI adoption risk.

    Are your objectives aligned with Gen AI capabilities?

    • Identify areas where processes can be modernized and streamlined with automation.
    • Evaluate the current capabilities and resources available within the organization to leverage Gen AI technologies effectively.

    How can Gen AI improve the entire solution delivery process?

    • Investigate and evaluate the improvements Gen AI can reasonably deliver, such as increased accuracy, quickened delivery cycles, improved code quality, or enhanced cross-functional collaboration.

    1.2.1 Align Gen AI opportunities to teams and capabilities

    1-3 hours

    1. Associate the Gen AI opportunities that can be linked to your system capabilities. These opportunities refer to the potential applications of generative AI techniques, such as code generation or synthetic data, to address specific challenges.
      1. Start by analyzing your system's requirements, constraints, and areas where Gen AI techniques can bring value. Identify the potential benefits of integrating Gen AI, such as increased productivity, or enhanced creativity.
      2. Next, discern potential risks or challenges, such as dependency or quality concerns, associated with the opportunity implementation.
    2. Record this information in the Gen AI Solution Delivery Readiness Assessment Tool.

    Output

    • Gen AI opportunity selection

    Participants

    • Applications VP
    • Applications Director
    • Solution Delivery Manager
    • Solution Delivery Team

    Record the results in the Gen AI Solution Delivery Readiness Assessment Tool

    Keep an eye out for red flags

    Not all Gen AI opportunities are delivered and adopted the same. Some present a bigger risk than others.

    • Establishing vague targets and success criteria
    • Defining Gen AI as substitution of human capital
    • Open-source software not widely adopted or validated
    • High level of dependency on automation
    • Unadaptable cross-functional training across organization
    • Overlooking privacy, security, legal, and ethical implications
    • Lack of Gen AI expertise and understanding of good practices

    Step 1.3

    Assess your readiness for Gen AI

    Activities

    1.3.1 Assess your readiness for Gen AI.

    This step involves the following participants:

    • Applications VP
    • Applications Director
    • Solution Delivery Manager
    • Solution Delivery Team

    Outcomes of this step

    • A completed Gen AI Readiness Assessment to confirm how prepared you are to embrace Gen AI in your solution delivery team.

    Prepare your SDLC* to leverage Gen AI

    As organizations evolve and adopt more tools and technology, their solution delivery processes become more complex. Process improvement is needed to simplify complex and undocumented software delivery activities and artifacts and prepare it for Gen AI. Gen AI scales process throughput and output quantity, but it multiplies the negative impact of problems the process already has.

    When is your process ready for Gen AI?

    • Solution value Ensures the accuracy and alignment of the committed feature and change requests to what the stakeholder truly expects and receives.
    • ThroughputDelivers new products, enhancements, and changes at a pace and frequency satisfactory to stakeholder expectations and meets delivery commitments.
    • Process governance Has clear ownership and appropriate standardization. The roles, activities, tasks, and technologies are documented and defined. At each stage of the process someone is responsible and accountable.
    • Process management Follows a set of development frameworks, good practices, and standards to ensure the solution and relevant artifacts are built, tested, and delivered consistently and repeatably.
    • Technical quality assurance – Accommodates committed non-functional requirements within the stage's outputs to ensure products meet technical excellence expectations.

    *software development lifecycle

    To learn more, visit Info-Tech's Modernize Your SDLC blueprint.

    To learn more, visit Info-Tech's Build a Winning Business Process Automation Playbook

    Assess the impacts from Gen AI changes

    Ensure that no stone is left unturned as you evaluate the fit of Gen AI and prepare your adoption and support plans.

    By shining a light on considerations that might have otherwise escaped planners and decision makers, an impact analysis is an essential component to Gen AI success. This analysis should answer the following questions on the impact to your solution delivery teams.

    1. Will the change impact how our clients/customers receive, consume, or engage with our products/services?
    2. Will there be an increase in operational costs, and a change to compensation and/or rewards?
    3. Will this change increase the workload and alter staffing levels?
    4. Will the vision or mission of the team change?
    5. Will a new or different set of skills be needed?
    6. Will the change span multiple locations/time zones?
    7. Are multiple products/services impacted by this change?
    8. Will the workflow and approvals be changed, and will there be a substantial change to scheduling and logistics?
    9. Will the tools of the team be substantially different?
    10. Will there be a change in reporting relationships?

    See our Master Organizational Change Management Practices blueprint for more information.

    Brace for impact

    A thorough analysis of change impacts will help your software delivery teams and change leaders:

    • Bypass avoidable problems.
    • Remove non-fixed barriers to success.
    • Acknowledge and minimize the impact of unavoidable barriers.
    • Identify and leverage potential benefits.
    • Measure the success of the change.

    Many key IT capabilities are required to successfully leverage Gen AI

    Portfolio Management

    An accurate and rationalized inventory of all Gen AI tools verifies they support the goals and abide to the usage policies of the broader delivery practice. This becomes critical when tooling is updated frequently and licenses and open- source community principles drastically change (e.g. after an acquisition).

    Quality Assurance

    Gen AI tools are routinely verified and validated to ensure outcomes are accurate, complete, and aligned to solution delivery quality standards. Models are retrained using lessons learned, new use cases, and updated training data.

    Security & Access Management

    Externally developed and trained Gen AI models may not include the measures, controls, and tactics you need to prevent vulnerabilities and protect against threats that are critical in your security frameworks, policies, and standards.

    Data Management & Governance

    All solution delivery data and artifacts can be transformed and consumed in various ways as they transit through solution delivery and Gen AI tools. Data integrations, structures, and definitions must be well-defined, governed, and monitored.

    OPERATIONAL SUPPORT

    Resources are available to support the ongoing operations of the Gen AI tool, including infrastructure, preparing training data, and managing integration with other tools. They are also prepared to recover backups, roll back, and execute recovery plans at a moment's notice.

    Apply Gen AI good practices in your solution delivery practice

    1. Keep the human in the loop.
      Gen AI models cannot produce high-quality content with 100% confidence. Keeping the human in the loop allows people to directly give feedback to the model to improve output quality.
    2. Strengthen prompt and query engineering.
      The value of the outcome is dependent on what is being asked. Good prompts and queries focus on creating the optimal input by selecting and phrasing the appropriate words, sentence structures, and punctuation to illustrate the focus, scope, problem, and boundaries.
    3. Thoughtfully prepare your training data.
      Externally hosted Gen AI tools may store your training data in their systems or use it to train their other models. Intellectual property and sensitive data can leak into third-party systems and AI models if it is not properly masked and sanitized.
    4. Build guardrails into your Gen AI models.
      Guardrails can limit the variability of any misleading Gen AI responses by defining the scope and bounds of the response, enforcing the policies of its use, and clarifying the context of its response.
    5. Monitor your operational costs.
      The cost breakdown will vary among the types of Gen AI solution and the vendor offerings. Cost per query, consultant fees, infrastructure hosting, and licensing costs are just a few cost factors. Open source can be an attractive cost-saving option, but you must be willing to invest in the roles to assume traditional vendor accountabilities.
    6. Check the licenses of your Gen AI tool.
      Each platform has licenses and agreements on how their solution can or cannot be used. They limit your ability to use the tool for commercial purposes or reproductions or may require you to purchase and maintain a specific license to use their solution and materials.

    See Build Your Generative AI Roadmap for more information.

    Assess your Gen AI readiness

    • Solution delivery team
      The team is educated on Gen AI, its use cases, and the tools that enable it. They have the skills and capacity to implement, create, and manage Gen AI.
    • Solution delivery process and tools
      The solution delivery process is documented, repeatable, and optimized to use Gen AI effectively. Delivery tools are configured to enable, leverage and manage Gen AI assets to improve their performance and efficiency.
    • Solution delivery artifacts
      Delivery artifacts (e.g. code, scripts, documents) that will be used to train and be leveraged by Gen AI tools are discoverable, accurate, complete, standardized, of sufficient quantity, optimized for Gen AI use, and stored in an accessible shared central repository.
    • Governance
      Defined policies, role definitions, guidelines, and processes that guide the implementation, development, operations, and management of Gen AI.
    • Vision and executive support
      Clear alignment of Gen AI direction, ambition, and objectives with broader business and IT priorities. Stakeholders support the Gen AI initiative and allocate human and financial resources for its implementation within the solution delivery team.
    • Operational support
      The capabilities to manage the Gen AI tools and ensure they support the growing needs of the solution delivery practice, such as security management, hosting infrastructure, risk and change management, and data and application integration.

    1.3.1 Assess your readiness for Gen AI

    1-3 hours

    1. Review the current state of your solution delivery teams including their capacity, skills and knowledge, delivery practices, and tools and technologies.
    2. Determine the readiness of your team to adopt Gen AI.
    3. Discuss the gaps that need to be filled to be successful with Gen AI.
    4. Record this information in the Gen AI Solution Delivery Readiness Assessment Tool.

    Record the results in the Gen AI Solution Delivery Readiness Assessment Tool

    Output

    • Gen AI Solution Delivery Readiness Assessment

    Participants

    • Applications VP
    • Applications Director
    • Solution Delivery Manager
    • Solution Delivery Team

    Recognize that Gen AI does not require a fully optimized solution delivery process

    1. Consideration; 2. Exploration; 3. Incorporation; 4. Proliferation; 5. Optimization.  Steps 3-5 are Recommended maturity levels to properly embrace Gen AI.

    To learn more, visit Info-Tech's Develop Your Value-First Business Process Automation (BPA) Strategy.

    Be prepared to take the next steps

    Deliver Gen AI to your solution delivery teams

    Modernize Your SDLC
    Efficient and effective SDLC practices are vital, as products need to readily adjust to evolving and changing business needs and technologies.

    Adopt Generative AI in Solution Delivery
    Generative AI can drive productivity and solution quality gains to your solution delivery teams. Level set expectations with the right use case to demonstrate its value potential.

    Select Your AI Vendor & Implementation Partner
    The right vendor and partner are critical for success. Build the selection criteria to shortlist the products and services that best meets the current and future needs of your teams.

    Drive Business Value With Off-the-Shelf AI
    Build a framework that will guide your teams through the selection of an off-the-shelf AI tool with a clear definition of the business case and preparations for successful adoption.

    Build Your Enterprise Application Implementation Playbook
    Your Gen AI implementation doesn't start with technology, but with an effective plan that your team supports and is aligned to broader stakeholder and sponsor priorities and goals.

    Build your Gen AI practice

    • Get Started With AI
    • AI Strategy & Generative AI Roadmap
    • AI Governance

    Related Info-Tech Research

    Build a Winning Business Process Automation Playbook
    Optimize and automate your business processes with a user-centric approach.

    Embrace Business Managed Applications
    Empower the business to implement their own applications with a trusted business-IT relationship.

    Application Portfolio Management Foundations
    Ensure your application portfolio delivers the best possible return on investment.

    Maximize the Benefits from Enterprise Applications with a Center of Excellence
    Optimize your organization's enterprise application capabilities with a refined and scalable methodology.

    Create an Architecture for AI
    Build your target state architecture from predefined best-practice building blocks.

    Deliver on Your Digital Product Vision
    Build a product vision your organization can take from strategy through execution.

    Enhance Your Solution Architecture Practices
    Ensure your software systems solution is architected to reflect stakeholders' short- and long-term needs.

    Apply Design Thinking to Build Empathy With the Business
    Use design thinking and journey mapping to make IT the business' go-to problem solver.

    Modernize Your SDLC
    Deliver quality software faster with new tools and practices.

    Drive Business Value With Off-the-Shelf AI
    A practical guide to ensure return on your off-the-shelf AI investment.

    Bibliography

    "Altran Helps Developers Write Better Code Faster with Azure AI." Microsoft, 2020.
    "Apply Design Thinking to Complex Teams, Problems, and Organizations." IBM, 2021.
    Bianca. "Unleashing the Power of AI in Code Generation: 10 Applications You Need to Know — AITechTrend." AITechTrend, 16 May 2023.
    Biggs, John. "Deep Code Cleans Your Code with the Power of AI." TechCrunch, 26 Apr 2018.
    "Chat GPT as a Tool for Business Analysis — the Brazilian BA." The Brazilian BA, 24 Jan 2023.
    Davenport, Thomas, and Randy Bean. "Big Data and AI Executive Survey 2019." New Vantage Partners, 2019.
    Davenport, Thomas, and Randy Bean. "Big Data and AI Executive Survey 2021." New Vantage Partners, 2021.
    Das, Tamal. "9 Best AI-Powered Code Completion for Productive Development." Geek flare, 5 Apr 2023.
    Gondrezick, Ilya. "Council Post: How AI Can Transform the Software Engineering Process." Forbes, 24 Apr 2020.
    "Generative AI Speeds up Software Development: Compass UOL Study." PR Newswire, 29 Mar 2023.
    "GitLab 2023 Global Develops Report Series." Gitlab, 2023.
    "Game Changer: The Startling Power Generative AI Is Bringing to Software Development." KPMG, 30 Jan 2023.
    "How AI Can Help with Requirements Analysis Tools." TechTarget, 28 July 2020.
    Indra lingam, Ashanta. "How Spotify Is Upleveling Their Entire Design Team." Framer, 2019.
    Ingle, Prathamesh. "Top Artificial Intelligence (AI) Tools That Can Generate Code to Help Programmers." Matchcoat, 1 Jan 2023.
    Kaur, Jagreet . "AI in Requirements Management | Benefits and Its Processes." Xenon Stack, 13 June 2023.
    Lange, Danny. "Game On: How Unity Is Extending the Power of Synthetic Data beyond the Gaming Industry." CIO, 17 Dec 2020.
    Lin, Ying. "10 Artificial Intelligence Statistics You Need to Know in 2020." OBERLO, 17 Mar. 2023.
    Mauran, Cecily. "Whoops, Samsung Workers Accidentally Leaked Trade Secrets via ChatGPT." Mashable, 6 Apr 2023.

    Prepare for the Upgrade to Windows 11

    • Buy Link or Shortcode: {j2store}166|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: End-User Computing Devices
    • Parent Category Link: /end-user-computing-devices
    • Windows 10 is going EOL in 2025.That is closer than you think.
    • Many of your endpoints are not eligible for the Windows 11 upgrade. You can’t afford to replace all your endpoints this year. How do you manage this Microsoft initiated catastrophe?
    • You want to stay close to the leading edge of technology and services, but how do you do that while keeping your spending in check and within budget?

    Our Advice

    Critical Insight

    Windows 11 is a step forward in security, which is one of the primary reasons for the release of the new operating system. Windows 11 comes with a list of hardware requirements that enable the use of tools and features that, when combined, will reduce malware infections.

    Impact and Result

    Windows 11 hardware requirements will result in devices that are not eligible for the upgrade. Companies will be left to spend money on replacement devices. Following the Info-Tech guidance will help clients properly budget for hardware replacements before Windows 10 is no longer supported by Microsoft. Eligible devices can be upgraded, but Info-Tech guidance can help clients properly plan the upgrade using the upgrade ring approach.

    Prepare for the Upgrade to Windows 11 Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Prepare for the Upgrade to Windows 11 Deck – A look into some of the pros and cons of Microsoft’s latest desktop operating system, along with guidance on moving forward with this inevitable upgrade.

    Discover the reason for the release of Windows 11, what you require to be eligible for the upgrade, what features were added or updated, and what features were removed. Our guidance will assist you with a planned and controlled rollout of the Windows 11 upgrade. We also provide guidance on how to approach a device refresh plan if some devices are not eligible for Windows 11. The upgrade is inevitable, but you have time, and you have options.

    • Prepare for the Upgrade to Windows 11 Storyboard

    2. What Are My Options If My Devices Cannot Upgrade to Windows 11? – Build a Windows 11 Device Replacement budget with our Hardware Asset Management Budgeting Tool.

    This tool will help you budget for a hardware asset refresh and to adjust the budget as necessary to accommodate any unexpected changes. The tool can easily be modified to assist in developing and justifying the budget for hardware assets for a Windows 11 project. Follow the instructions on each tab and feel free to play with the HAM budgeting tool to fit your needs.

    • HAM Budgeting Tool
    [infographic]

    Further reading

    Prepare for the Upgrade to Windows 11

    The upgrade is inevitable, but you have time, and you have options.

    Analyst Perspective

    Upgrading to Windows 11 is easy, and while it should be properly investigated and planned, it should absolutely be an activity you undertake.

    “You hear that Mr. Anderson? That is the sound of inevitability.” ("The Matrix Quotes" )

    The fictitious Agent Smith uttered those words to Keanu Reeves’ character, Neo, in The Matrix in 1999, and while Agent Smith was using them in a very sinister and figurative context, the words could just as easily be applied to the concept of upgrading to the Windows 11 operating system from Microsoft in 2022.

    There have been two common, recurring themes in the media since late 2019. One is the global pandemic and the other is cyber-related crime. Microsoft is not in a position to make an impact on a novel coronavirus, but it does have the global market reach to influence end-user technology and it appears that it has done just that. Windows 11 is a step forward in endpoint security and functionality. It also solidifies the foundation for future innovations in end-user operating systems and how they are delivered. Windows-as-a-Service (WAAS) is the way forward for Microsoft. Windows 10 is living on borrowed time, with a defined end of support date of October 14, 2025. Upgrading to Windows 11 is easy, and while it should be properly investigated and planned, it should absolutely be an activity you undertake.

    It is inevitable!

    P.J. Ryan

    Research Director, Infrastructure & Operations

    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • Windows 10 is going EOL in 2025. That is closer than you think.
    • Many of your endpoints are not eligible for the Windows 11 upgrade. You can’t afford to replace all your endpoints this year. How do you manage this Microsoft-initiated catastrophe?
    • You want to stay close to the leading edge of technology and services, but how do you do that while keeping your spending in check and within budget?

    Common Obstacles

    • The difference between Windows 10 and Windows 11 is not clear. Windows 11 looks like Windows 10 with some minor changes, mostly cosmetic. Many online users don’t see the need. Why upgrade? What are the benefits?
    • The cost of upgrading devices just to be eligible for Windows 11 is high.
    • Your end users don’t like change. This is not going to go over well!

    Info-Tech's Approach

    • Spend wisely. Space out your endpoint replacements and upgrades over several years. You do not have to upgrade everything right away.
    • Be patient. Windows 11 contained some bugs when it was initially released. Microsoft fixed most of the issues through monthly quality updates, but you should ensure that you are comfortable with the current level of functionality before you upgrade.
    • Use the upgrade ring approach. Test your applications with a small group first, and then stage the rollout to increasingly larger groups over time.

    Info-Tech Insight

    There is a lot of talk about Windows 11, but this is only an operating system upgrade, and it is not a major one. Understand what is new, what is added, and what is missing. Check your devices to determine how many are eligible and ineligible. Many organizations will have to spend capital on endpoint upgrades. Solid asset management practices will help.

    Insight summary

    Windows 11 is a step forward in security, which is one of the primary reasons for the release of the new operating system.

    Windows 11 comes with a list of hardware requirements that enable the use of tools and features that, when combined, will reduce malware infections.

    The hardware requirements for Windows 11 enable security features such as password-less logon, disk encryption, increased startup protection with secure boot, and virtualization-based security.

    Many organizations will have to spend capital on endpoint upgrades.

    Microsoft now insists that modern hardware is required for Windows 11 for not only security but also for improved stability. That same hardware requirement will mean that many devices that are only three or four years old (as well as older ones) may not be eligible for Windows 11.

    Windows 11 is a virtualization challenge for some providers.

    The hardware requirements for physical devices are also required for virtual devices. The TPM module appears to be the biggest challenge. Oracle VirtualBox and Citrix Hypervisor as well as AWS and Google are unable to support Windows 11 virtual devices as of the time of writing.

    Windows 10 will be supported by Microsoft until October 2025.

    That will remove some of the pressure felt due to the ineligibility of many devices and the need to refresh them. Take your time and plan it out, keeping within budget constraints. Use the upgrade ring approach for systems that are eligible for the Windows 11 upgrade.

    New look and feel, and a center screen taskbar.

    Corners are rounded, some controls look a little different, but overall Windows 11 is not a dramatic shift from Windows 10. It is easier to navigate and find features. Oh, and yes, the taskbar (and start button) is shifted to the center of the screen, but you can move them back to the left if desired.

    The education industry gets extra attention with the release of Windows 11.

    Windows 11 comes with multiple subscription-based education offerings, but it also now includes a new lightweight SE edition that is intended for the K-8 age group. Microsoft also released a Windows 11 Education SE specific laptop, at a very attractive price point. Other manufacturers also offer Windows 11 SE focused devices.

    Why Windows 11?

    Windows 10 was supposed to be the final desktop OS from Microsoft, wasn’t it?

    Maybe. It depends who you ask.

    Jerry Nixon, a Microsoft developer evangelist, gained notoriety when he uttered these words while at a Microsoft presentation as part of Microsoft Ignite in 2015: “Right now we’re releasing Windows 10, and because Windows 10 is the last version of Windows, we’re all still working on Windows 10,” (Hachman). Microsoft never officially made that statement. Interestingly enough, it never denied the comments made by Jerry Nixon either.

    Perhaps Microsoft released a new operating system as a financial grab, a way to make significant revenue?

    Nope.

    Windows 11 is a free upgrade or is included with any new computer purchase.

    Market share challenges?

    Doubtful.

    It’s true that Microsoft's market share of desktop operating systems is dropping while Apple OS X and Google Chrome OS are rising.

    In fact, Microsoft has relinquished over 13% of the market share since 2012 and Apple has almost doubled its market share. BUT:

    Microsoft is still holding 75.12% of the market while Apple is in the number 2 spot with 14.93% (gs.statcounter.com).

    The market share is worth noting for Microsoft but it hardly warrants a new operating system.

    New look and feel?

    Unlikely

    New start button and taskbar orientation, new search window, rounded corners, new visual look on some controls like the volume bar, new startup sound, new Windows logo, – all minor changes. Updates could achieve the same result.

    Security?

    Likely the main reason.

    Windows 11 comes with a list of hardware requirements that enable the use of tools and features that, when combined, will reduce malware infections.

    The hardware requirements for Windows 11 enable security features such as password-less logon, disk encryption, increased startup protection with secure boot, and virtualization-based security.

    The features are available on all Windows 11 physical devices, due to the common hardware requirements.

    Windows 11 hardware-based security

    These hardware options and features were available in Windows 10 but not enforced. With Windows 11, they are no longer optional. Below is a description and explanation of the main features.

    Feature What it is How it works
    TPM 2.0 (Trusted Platform Module) Chip TPM is a chip on the motherboard of the computer. It is used to store encryption keys, certificates, and passwords. TPM does this securely with tamper-proof prevention. It can also generate encryption keys and it includes its own unique encryption key that cannot be altered (helpdeskgeek.com). You do not need to enter your password once you setup Windows Hello, so the password is no longer easy to capture and steal. It is set up on a device per device basis, meaning if you go to a different device to sign in, your Windows Hello authentication will not follow you and you must set up your Hello pin or facial recognition again on that particular device. TPM (Trusted Platform Module) can store the credentials used by Windows Hello and encrypt them on the module.
    Windows Hello Windows Hello is an alternative to using a password for authentication. Users can use a pin, a fingerprint, or facial recognition to authenticate.
    Device Encryption Device encryption is only on when your device is off. It scrambles the data on your disk to make it unreadable unless you have the key to unscramble it. If your endpoint is stolen, the contents of the hard drive will remain encrypted and cannot be accessed by anyone unless they can properly authenticate on the device and allow the system to unscramble the encrypted data.
    UEFI Secure Boot Capable UEFI is an acronym for Unified Extensible Firmware Interface. It is an interface between the operating system and the computer firmware. Secure Boot, as part of the firmware interface, ensures that only unchangeable and approved software and drivers are loaded at startup and not any malware that may have infiltrated the system (Lumunge). UEFI, with Secure Boot, references a database containing keys and signatures of drivers and runtime code that is approved as well as forbidden. It will not let the system boot up unless the signature of the driver or run-time code that is trying to execute is approved. This UEFI Secure boot recognition process continues until control is handed over to the operating system.
    Virtualization Based Security (VBS) and Hypervisor-Protected Code Integrity (HVCI) VBS is security based on virtualization capabilities. It uses the virtualization features of the Windows operating system, specifically the Hyper-V hypervisor, to create and isolate a small chunk of memory that is isolated from the operating system. HVCI checks the integrity of code for violations. The Code Integrity check happens in the isolated virtual area of memory protected by the hypervisor, hence the acronym HVCI (Hypervisor Protected Code Integrity) (Murtaza). In the secure, isolated region of memory created by VBS with the hypervisor, Windows will run checks on the integrity of the code that runs various processes. The isolation protects the stored item from tampering by malware and similar threats. If they run incident free, they are released to the operating system and can run in the standard memory space. If issues are detected, the code will not be released, nor will it run in the standard memory space of the operating system, and damage or compromise will be prevented.

    How do all the hardware-based security features work?

    This scenario explains how a standard boot up and login should happen.

    You turn on your computer. Secure Boot authorizes the processes and UEFI hands over control to the operating system. Windows Hello works with TPM and uses a pin to authenticate the user and the operating systems gives you access to the Windows environment.

    Now imagine the same process with various compromised scenarios.

    You turn on your computer. Secure Boot does not recognize the signature presented to it by the second process in the boot sequence. You will be presented with a “Secure Boot Violation” message and an option to reboot. Your computer remains protected.

    You boot up and get past the secure boot process and UEFI passes control over to the Windows 11 operating system. Windows Hello asks for your pin, but you cannot remember the pin and incorrectly enter it three times before admitting temporary defeat. Windows Hello did not find a matching pin on the TPM and will not let you proceed. You cannot log in but in the eyes of the operating system, it has prevented an unauthorized login attempt.

    You power up your computer, log in without issue, and go about your morning routine of checking email, etc. You are not aware that malware has infiltrated your system and modified a page in system memory to run code and access the operating system kernel. VBS and HVCI check the integrity of that code and detect that it is malicious. The code remains isolated and prevented from running, protecting your system.

    TPM, Hello, UEFI with Secure Boot, VBS and HVCI all work together like a well-oiled machine.

    “Microsoft's rationale for Windows 11's strict official support requirements – including Secure Boot, a TPM 2.0 module, and virtualization support – has always been centered on security rather than raw performance.” – Andrew Cunningham, arstechnica.com

    “Windows 11 raises the bar for security by requiring hardware that can enable protections like Windows Hello, Device Encryption, virtualization-based security (VBS), hypervisor-protected code integrity (HVCI), and Secure Boot. These features in combination have been shown to reduce malware by 60% on tested devices.” – Steven J. Vaughan-Nichols, Computerworld

    Can any device upgrade to Windows 11?

    In addition to the security-related hardware requirements listed previously, which may exclude some devices from Windows 11 eligibility, Windows 11 also has a minimum requirement for other hardware components.

    Windows 7 and Windows 10 were publicized as being backward compatible and almost any hardware would be able to run those operating systems. That changed with Windows 11. Microsoft now insists that modern hardware is required for Windows 11 for not only security but also improved stability.

    Software Requirement

    You must be running Windows 10 version 2004 or greater to be eligible for a Windows 11 upgrade (“Windows 11 Requirements”).

    Complete hardware requirements for Windows 11

    • 1 GHz (or faster) compatible 64-bit processor with two or more cores
    • 4 GB RAM
    • 64 GB or more of storage space
    • Compatible with DirectX 12 or later with WDDM 2.0 driver
      • DirectX connects the hardware in your computer with Windows. It allows software to display graphics using the video card or play audio, as long as that software is DirectX compatible. Windows 11 requires version 12 (“What are DirectX 12 compatible graphics”).
      • WDDM is an acronym for Windows Display Driver Model. WDDM is the architecture for the graphics driver for Windows (“Windows Display Driver Model”).
      • Version 2.0 of WDDM is required for Windows 11.
    • 720p display greater than 9" diagonally with 8 bits per color channel
    • UEFI Secure Boot capable
    • TPM 2.0 chip
    • (“Windows 11 Requirements”)

    Windows 11 may challenge your virtual environment

    When Windows 11 was initially released, some IT administrators experienced issues when trying to install or upgrade to Windows 11 in the virtual world.

    The Challenge

    The issues appeared to be centered around the Windows 11 hardware requirements, which must be detected by the Windows 11 pre-install check before the operating system will install.

    The TPM 2.0 chip requirement was indeed a challenge and not offered as a configuration option with Citrix Hypervisor, the free VMware Workstation Player or Oracle VM VirtualBox when Windows 11 was released in October 2021, although it is on the roadmap for Oracle and Citrix Hypervisor. VMware provides alternative products to the free Workstation Player that do support a virtual TPM. Oracle and Citrix reported that the feature would be available in the future and Windows 11 would work on their platforms.

    Short-Term Solutions

    VMware and Microsoft users can add a vTPM hardware type when configuring a virtual Windows 11 machine. Microsoft Azure does offer Windows 11 as an option as a virtual desktop. Citrix Desktop-As-A-Service (DAAS) will connect to Azure, AWS, or Google Cloud and is only limited by the features of the hosting cloud service provider.

    Additional Insight

    According to Microsoft, any VM running Windows 11 must meet the following requirements (“Virtual Machine Support”):

    • It must be a generation 2 VM, and upgrading a generation 1 VM to Windows 11 (in-place) is not possible
    • 64 GB of storage or greater
    • Secure Boot capable with the virtual TPM enabled
    • 4 GB of memory or greater
    • 2 or more virtual processors
    • The CPU of the physical computer that is hosting the VM must meet the Windows 11 (“Windows Processor Requirements”)

    What’s new or updated in Windows 11?

    The following two slides highlight some of the new and updated features in Windows 11.

    Security

    The most important change with Windows 11 is what you cannot see – the security. Windows 11 adds requirements and controls to make the user and device more secure, as described in previous slides.

    Taskbar

    The most prominent change in relation to the look and feel of Windows 11 is the shifting of the taskbar (and Start button) to the center of the screen. Some users may find this more convenient but if you do not and prefer the taskbar and start button back on the left of your screen, you can change it in taskbar settings.

    Updated Apps

    Paint, Photos, Notepad, Media Player, Mail, and other standard Windows apps have been updated with a new look and in some cases minor enhancements.

    User Interface

    The first change users will notice after logging in to Windows 11 is the new user interface – the look and feel. You may not notice the additional colors added to the Windows palette, but you may have thought that the startup sound was different, and the logo also looks different. You would be correct. Other look-and-feel items that changed include the rounded corners on windows, slightly different icons, new wallpapers, and controls for volume and brightness are now a slide bar. File explorer and the settings app also have a new look.

    Microsoft Teams

    Microsoft Teams is now installed on the taskbar by default. Note that this is for a personal Microsoft account only. Teams for Work or School will have to be installed separately if you are using a work or school account.

    What’s new or updated in Windows 11?

    Snap Layouts

    Snap layouts have been enhanced and snap group functionality has been added. This will allow you to quickly snap one window to the side of the screen and open other Windows in the other side. This feature can be accessed by dragging the window you wish to snap to the left or right edge of the screen. The window should then automatically resize to occupy that half of the screen and allow you to select other Windows that are already open to occupy the remaining space on the screen. You can also hover your mouse over the maximize button in the upper right-hand corner of the window. A small screen with multiple snap layouts will appear for your selection. Multiple snapped Windows can be saved as a “Snap Group” that will open together if one of the group windows are snapped in the future.

    Widgets

    Widgets are expanding. Microsoft started the re-introduction of widgets in Windows 10, specifically focusing on the weather. Widgets now include other services such as news, sports, stock prices, and others.

    Android Apps

    Android apps can now run in Windows 11. You will have to use the Amazon store to access and install Android apps, but if it is available in the Amazon store, you can install it on Windows 11.

    Docking

    Docking has improved with Windows 11. Windows knows when you are docked and will minimize apps when you undock so they are not lost. They will appear automatically when you dock again.

    This is not intended to be an inclusive list but does cover some of the more prominent features.

    What’s missing from Windows 11?

    The following features are no longer found in Windows 11:

    • Backward compatibility
      • The introduction of the hardware requirements for Windows 11 removed the backward compatibility (from a hardware perspective) that made the transition from previous versions of Windows to their successor less of a hardware concern. If a computer could run Windows 7, then it could also run Windows 10. That does not automatically mean it can also run Windows 11.
    • Internet Explorer
      • Internet Explorer is no longer installed by default in Windows 11. Microsoft Edge is now the default browser for Windows. Other browsers can also be installed if preferred.
    • Tablet mode
      • Windows 11 does not have a "tablet" mode, but the operating system will maximize the active window and add more space between icons to make selecting them easier if the 2-in-1 hardware detects that you wish to use the device as a tablet (keyboard detached or device opened up beyond 180 degrees, etc.).
    • Semi-annual updates
      • It may take six months or more to realize that semi-annual feature updates are missing. Microsoft moved to an annual feature update schema but continued with monthly quality updates with Windows 11.
    • Specific apps
      • Several applications have been removed (but can be manually added from the Microsoft Store by the user). They include:
        • OneNote for Windows 10
        • 3D Viewer
        • Paint 3D
        • Skype
    • Cortana (by default)
      • Cortana is missing from Windows 11. It is installed but not enabled by default. Users can turn it on if desired.

    Microsoft included a complete list of features that have been removed or deprecated with Windows 11, which can be found here Windows 11 Specs and System Requirements.

    Windows 11 editions

    • Windows 11 is offered in several editions:
      • Windows 11 Home
      • Windows 11 Pro
      • Windows 11 Pro for Workstations
      • Windows 11 Enterprise Windows 11 for Education
      • Windows 11 SE for Education
    • Windows 11 hardware requirements and security features are common throughout all editions.
    • The new look and feel along with all the features mentioned previously are common to all editions as well.
    • Windows Home
      • Standard offering for home users
    • Pro versus Pro for Workstations
      • Windows 11 Pro and Pro for Workstations are both well suited for the business environment with available features such as support for Active Directory or Azure Active Directory, Windows Autopilot, OneDrive for Business, etc.
      • Windows Pro for Workstations is designed for increased demands on the hardware with the higher memory limits (2 TB vs. 6 TB) and processor count (2 CPU vs. 4 CPU).
      • Windows Pro for Workstations also features Resilient File System, Persistent Memory, and SMB Direct. Neither of these features are available in the Windows 11 Pro edition.
      • Windows 11 Pro and Pro for Workstations are both very business focused, although Pro may also be a common choice for non-business users (Home and Education).
    • Enterprise Offerings
      • Enterprise licenses are subscription based and are part of the Microsoft 365 suite of offerings.
      • Windows 11 Enterprise is Windows 11 Pro with some additional addons and functionality in areas such as device management, collaboration, and security services.
      • The level of the Microsoft 365 Enterprise subscription (E3 or E5) would dictate the additional features and functionality, such as the complete Microsoft Defender for Endpoint suite or the Microsoft phone system and Audio Conferencing, which are only available with the E5 subscription.

    Windows 11 Education Editions

    With the release of a laptop targeted specifically at the education market, Microsoft must be taking notice of the Google Chrome educational market penetration, especially with headlines like these.

    “40 Million Chromebooks in Use in Education” (Thurrott)

    “The Unprecedented Growth of the Chromebook Education Market Share” (Carklin)

    “Chromebooks Gain Market Share as Education Goes Online” (Hruska)

    “Chromebooks Gain Share of Education Market Despite Shortages” (Mandaro)

    “Chromebook sales skyrocketed in Q3 2020 with online education fueling demand” (Duke)

    • Education licenses are subscription based and are part of the Microsoft 365 suite of offerings. Educational pricing is one benefit of the Microsoft 365 Education model.
    • Windows 11 Education is Windows 11 Pro with some additional addons and functionality similar to the Enterprise offerings for Windows 11 in areas such as device management, collaboration, and security services. Windows 11 Education also adds some education specific settings such as Classroom Tools, which allow institutions to add new students and their devices to their own environment with fewer issues, and includes OneNote Class Notebook, Set Up School PCs app, and Take a Test app.
    • The level of the Microsoft 365 Education subscription (A3 or A5) would dictate the additional features and functionality, such as the complete Microsoft Defender for Endpoint suite or the Microsoft phone system and Audio Conferencing, which are only available with the A5 subscription.
    • Windows 11 SE for Education:
      • A cloud-first edition of Windows 11 specifically designed for the K-8 education market.
      • Windows 11 SE is a light version of Windows 11 that is designed to run on entry-level devices with better performance and security on that hardware.
      • Windows 11 SE requires Intune for Education and only IT admins can install applications.
    • Microsoft and others have come out with Windows SE specific devices at a low price point.
      • The Microsoft Surface Laptop SE comes pre-loaded with Windows 11 SE and can be purchased for US$249.00.
      • Dell, Asus, Acer, Lenovo, and others also offer Windows 11 SE specific devices (“Devices for Education”).

    Initial Reactions

    Below you can find some actual initial reactions to Windows 11.

    Initial reactions are mixed, as is to be expected with any new release of an operating system. The look and feel is new, but it is not a huge departure from the Windows 10 look and feel. Some new features are well received such as the snap feature.

    The shift of the taskbar (and start button) is the most popular topic of discussion online when it comes to Windows 11 reactions. Some love it and some do not. The best part about the shift of the taskbar is that you can adjust it in settings and move it back to its original location.

    The best thing about reactions is that they garner attention, and thanks in part to all the online reactions and comments, Microsoft is continually improving Windows 11 through quality updates and annual feature releases.

    “My 91-year-old Mum has found it easy!” Binns, Paul ITRG

    “It mostly looks quite nice and runs well.” Jmbpiano, Reddit user

    “It makes me feel more like a Mac user.” Chang, Ben Info-Tech

    “At its core, Windows 11 appears to be just Windows 10 with a fresh coat of paint splashed all over it.” Rouse, Rick RicksDailyTips.com

    “Love that I can snap between different page orientations.” Roberts, Jeremy Info-Tech

    “I finally feel like Microsoft is back on track again.” Jawed, Usama Neowin

    “A few of the things that seemed like issues at first have either turned out not to be or have been fixed with patches.” Jmbpiano, Reddit user

    “The new interface is genuinely intuitive, well-designed, and colorful.” House, Brett AnandTech

    “No issues. Have it out on about 50 stations.” Sandrews1313, Reddit User

    “The most striking change is to the Start menu.” Grabham, Dan pocket-lint.com

    How do I upgrade to Windows 11?

    The process is very similar to applying updates in Windows 10.

    • Windows 11 is offered as an upgrade through the standard Windows 10 update procedure. Windows Update will notify you when the Windows 11 upgrade is ready (assuming your device is eligible for Windows 11).
      • Allow the update (upgrade in this case) to proceed, reboot, and your endpoint will come back to life with Windows 11 installed and ready for you.
    • A fresh install can be delivered by downloading the required Windows 11 installation media from the Microsoft Software Download site for Windows 11.
    • Business users can control the timing and schedule of the Windows 11 rollout to corporate endpoints using Microsoft solutions such as WSUS, Configuration Manager, Intune and Endpoint Manager, or by using other endpoint management solutions.
    • WSUS and Configuration Manager will have to sync the product category for Windows 11 to manage the deployment.
    • Windows Update for Business policies will have to use the target version capability rather than using the feature update referrals alone.
    • Organizations using Intune and a Microsoft 365 E3 license will be able to use the Feature Update Deployments page to select Windows 11.
    • Other modern endpoint management solutions may also allow for a controlled deployment.

    Info-Tech Insight

    The upgrade itself may be a simple process but be prepared for the end-user reactions that will follow. Some will love it but others will despise it. It is not an optional upgrade in the long run, so everyone will have to learn to accept it.

    When can I upgrade to Windows 11?

    You can upgrade right now BUT there is no need to rush. Windows 11 was released in October 2021 but that doesn’t mean you have to upgrade everyone right away. Plan this out.

    • Build deployment rings into your Windows 11 upgrade approach: This approach, also referred to as Canary Releases or deployment rings, allows you to ensure that IT can support users if there's a major problem with the upgrade. Instead of disrupting all end users, you are only disrupting a portion of end users.
      • Deploy the initial update to your test environment.
      • After testing is successful or changes have been made, deploy Windows 11 to your pilot group of users.
      • After the pilot group gives you the thumbs up, deploy to the rest of production in phases. Phases are sometimes by office/location, sometimes by department, sometimes by persona (i.e. defer people that don't handle updates well), and usually by a combination of these factors.
      • Increase the size of each ring as you progress.
    • Always back up your data before any upgrade.

    Deployment Ring Example

    Pilot Ring - Individuals from all departments - 10 users

    Ring #1 - Dev, Finance - 20 Users

    Ring #2 - Research - 100 Users

    Ring #3 - Sales, IT, Marketing - 500 Users

    Upgrade your eligible devices and users to Windows 11

    Build Windows 11 Deployment Rings

    Instructions:

    1. Identify who will be in the pilot group. Use individuals instead of user groups.
    2. Identify how many standard rings you need. This number will be based on the total number of employees per office.
    3. Map groups to rings. Define which user groups will be in each ring.
    4. Allow some time to elapse between upgrades. Allow the first group to work with Windows 11 and identify any potential issues that may arise before upgrading the next group.
    5. Track and communicate. Record all information into a spreadsheet like the one on the right. This will aid in communication and tracking.
    Ring Department or Group Total Users Delay Time Before Next Group
    Pilot Ring Individuals from all departments 10 Three weeks
    Ring 1 Dev Finance 20 Two weeks
    Ring 2 Research 100 One week
    Ring 3 Sales, IT Marketing 500 N/A

    What are my options if my devices cannot upgrade to Windows 11?

    Don’t rush out to replace all the ineligible endpoint devices. You have some time to plan this out. Windows 10 will be available and supported by Microsoft until October 2025.

    Use asset management strategies and budget techniques in your Windows 11 upgrade approach:

    • Start with current inventory and determine which devices will not be eligible for upgrade to Windows 11.
    • Prioritize the devices for replacement, taking device age, the role of the user the device supports, and delivery times for remote users into consideration.
    • Take this opportunity to review overall device offerings and end-user compute strategy. This will help decide which devices to offer going forward while improving end-user satisfaction.
    • Determine the cost for replacement devices:
      • Compare vendor offerings using an RFP process.
    • Use the hardware asset management planning spreadsheet on the next slide to budget for the replacements over the coming months leading up to October 2025.

    Leverage Info-Tech research to improve your end-user computing strategy and hardware asset management processes:

    New to End User Computing Strategies? Start with Modernize and Transform Your End-User Computing Strategy.

    New to IT asset management? Use Info-Tech’s Implement Hardware Asset Management blueprint.

    Use Info-Tech’s HAM Budgeting Tool to plan your hardware asset budget

    Build a Windows 11 Device Replacement Budget

    The link below will open up a hardware asset management (HAM) budgeting tool. This tool can easily be modified to assist in developing and justifying the budget for hardware assets for the Windows 11 project. The tool will allow you to budget for hardware asset refresh and to adjust the budget as needed to accommodate any changes. Follow the instructions on each tab to complete the tool.

    A sample of a possible Windows 11 budgeting spreadsheet is shown on the right, but feel free to play with the HAM budgeting tool to fit your needs.

    HAM Budgeting Tool

    Windows 11 Replacement Schedule
    2022 2023 2024 2025
    Department Total to replace Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Left to allocate
    Finance 120 20 20 20 10 10 20 20 0
    HR 28 15 13 0
    IT 30 15 15 0
    Research 58 8 15 5 20 5 5 0
    Planning 80 10 15 15 10 15 15 0
    Other 160 5 30 5 15 15 30 30 30 0
    Totals 476 35 38 35 35 35 35 38 35 50 35 35 35 35 0

    Related Info-Tech Research

    Modernize and Transform Your End-User Computing Strategy

    This project helps support the workforce of the future by answering the following questions: What types of computing devices, provisioning models, and operating systems should be offered to end users? How will IT support devices? What are the policies and governance surrounding how devices are used? What actions are we taking and when? How do end-user devices support larger corporate priorities and strategies?

    Implement Hardware Asset Management

    This project will help you analyze the current state of your HAM program, define assets that will need to be managed, and build and involve the ITAM team from the beginning to help embed the change. It will also help you define standard policies, processes, and procedures for each stage of the hardware asset lifecycle, from procurement through to disposal.

    Bibliography

    aczechowski, et al. “Windows 11 Requirements.” Microsoft, 3 June 2022. Accessed 13 June 2022.

    Binns, Paul. Personal interview. 07 June 2022.

    Butler, Sydney. “What Is Trusted Platform Module (TPM) and How Does It Work?” Help Desk Geek, 5 August 2021. Accessed 18 May 2022.

    Carklin, Nicolette. “The Unprecedented Growth of the Chromebook Education Market Share.” Parallels International GmbH, 26 October 2021. Accessed 19 May 2022.

    Chang, Ben. Personal interview. 26 May 2022.

    Cunningham, Andrew. “Why Windows 11 has such strict hardware requirements, according to Microsoft.” Ars Technica, 27 August 2021. Accessed 19 May 2022.

    Dealnd-Han, et al. “Windows Processor Requirements.” Microsoft, 9 May 2022. Accessed 18 May 2022.

    “Desktop Operating Systems Market Share Worldwide.” Statcounter Globalstats, June 2021–June 2022. Accessed 17 May 2022.

    “Devices for education.” Microsoft, 2022. Accessed 13 June 2022.

    Duke, Kent. “Chromebook sales skyrocketed in Q3 2020 with online education fueling demand.” Android Police, 16 November 2020. Accessed 18 May 2022.

    Grabham, Dan. “Windows 11 first impressions: Our initial thoughts on using Microsoft's new OS.” Pocket-Lint, 24 June 2021. Accessed 3 June 2022.

    Hachman, Mark. “Why is there a Windows 11 if Windows 10 is the last Windows?” PCWorld, 18 June 2021. Accessed 17 May 2022.

    Howse, Brett. “What to Expect with Windows 11: A Day One Hands-On.” Anandtech, 16 November 2020. Accessed 3 June 2022.

    Hruska, Joel. “Chromebooks Gain Market Share as Education Goes Online.” Extremetech, 26 October 2020. Accessed 19 May 2022.

    Jawed, Usama. “I am finally excited about Windows 11 again.” Neowin, 26 February 2022. Accessed 3 June 2022.

    Jmbpiano. “Windows 11 - What are our initial thoughts and feelings?” Reddit, 22 November 2021. Accessed 3 June 2022.

    Lumunge, Erick. “UEFI and Legacy boot.” OpenGenus, n.d. Accessed 18 May 2022.

    Bibliography

    Mandaro, Laura. “Chromebooks Gain Share of Education Market Despite Shortages.” The Information, 9 September 2020. Accessed 19 May 2022.

    Murtaza, Fawad. “What Is Virtualization Based Security in Windows?” Valnet Inc, 24 October 2021. Accessed 17 May 2022.

    Roberts, Jeremy. Personal interview. 27 May 2022.

    Rouse, Rick. “My initial thoughts about Windows 11 (likes and dislikes).” RicksDailyTips.com, 5 September 2021. Accessed 3 June 2022.

    Sandrews1313. “Windows 11 - What are our initial thoughts and feelings?” Reddit, 22 November 2021. Accessed 3 June 2022.

    “The Matrix Quotes." Quotes.net, n.d. Accessed 18 May 2022.

    Thurrott, Paul.” Google: 40 Million Chromebooks in Use in Education.” Thurrott, 21 January 2020. Accessed 18 May 2022.

    Vaughan-Nichols, Steven J. “The real reason for Windows 11.” Computerworld, 6 July 2021, Accessed 19 May 2022.

    “Virtual Machine Support.” Microsoft,3 June 2022. Accessed 13 June 2022.

    “What are DirectX 12 compatible graphics and WDDM 2.x.” Wisecleaner, 20 August 2021. Accessed 19 May 2022.

    “Windows 11 Specs and System Requirements.” Microsoft, 2022. Accessed 13 June 2022.

    “Windows Display Driver Model.” MiniTool, n.d. Accessed 13 June 2022.

    Optimize Software Pricing in a Volatile Competitive Market

    • Buy Link or Shortcode: {j2store}566|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Marketing Solutions
    • Parent Category Link: /marketing-solutions

    Your challenge:

    • Rising supplier costs and inflation are eroding margins and impacting customers' budgets.
    • There is pressure from management to make a gut-feeling decision because of time, lack of skills, and process limitations.
    • You must navigate competing pricing-related priorities among product, sales, and finance teams.
    • Product price increases fail because discovery lacks understanding of costs, price/value equation, and competitive price points.
    • Customers can react negatively, and results are seen much later (more than 12 months) after the price decision.

    Our Advice

    Critical Insight

    Product leaders will price products based on a deep understanding of the buyer price/value equation and alignment with financial and competitive pricing strategies, and make ongoing adjustments based on an ability to monitor buyer, competitor, and product cost changes.

    Impact and Result

    • Success for many SaaS product managers requires a reorganization and modernization of pricing tools, techniques, and assumptions. Leaders will develop the science of tailored price changes versus across-the-board price actions and account for inflation exposure and the customers’ willingness to pay.
    • This will build skills on how to price new products or adjust pricing for existing products. The disciplines using our pricing strategy methodology will strengthen efforts to develop repeatable pricing models and processes and build credibility with senior management.

    Optimize Software Pricing in a Volatile Competitive Market Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Optimize Software Pricing in a Volatile Competitive Market Executive Brief - A deck to build your skills on how to price new products or adjust pricing for existing products.

    This Executive Brief will build your skills on how to price new products or adjust pricing for existing products.

    • Optimize Software Pricing in a Volatile Competitive Market Executive Brief

    2. Optimize Software Pricing in a Volatile Competitive Market Storyboard – A deck that provides key steps to complete the project.

    This blueprint will build your skills on how to price new products or adjust pricing for existing products with documented key steps to complete the pricing project and use the Excel workbook and customer presentation.

    • Optimize Software Pricing in a Volatile Competitive Market – Phases 1-3

    3. Optimize Software Pricing in a Volatile Competitive Market Workbook – A tool that enables product managers to simplify the organization and collection of customer and competitor information for pricing decisions.

    These five organizational workbooks for product pricing priorities, interview tracking, sample questions, and critical competitive information will enable the price team to validate price change data through researching the three pricing schemes (competitor, customer, and cost-based).

    • Optimize Software Pricing in a Volatile Competitive Market Workbook

    4. Optimize Software Pricing in a Volatile Competitive Market Presentation Template – A template that serves as a guide to communicating the Optimize Pricing Strategy team's results for a product or product line.

    This template includes the business case to justify product repricing, contract modifications, and packaging rebuild or removal for launch. This template calls for the critical summarized results from the Optimize Software Pricing in a Volatile Competitive Market blueprint and the Optimize Software Pricing in a Volatile Competitive Market Workbook to complete.

    • Optimize Software Pricing in a Volatile Competitive Market Presentation Template

    Infographic

    Further reading

    SoftwareReviews — A Division of INFO~TECH RESEARCH GROUP

    Optimize Software Pricing in a Volatile Competitive Market

    Leading SaaS product managers align pricing strategy to company financial goals and refresh the customer price/value equation to avoid leaving revenues uncaptured.

    Table of Contents

    Section Title Section Title
    1 Executive Brief 2 Key Steps
    3 Concluding Slides

    Optimize Software Pricing in a Volatile Competitive Market

    Leading SaaS product managers align pricing strategy to company financial goals and refresh the customer price/value equation to avoid leaving revenues uncaptured.

    EXECUTIVE BRIEF

    Analyst Perspective

    Optimized Pricing Strategy

    Product managers without well-documented and repeatable pricing management processes often experience pressure from “Agile” management to make gut-feel pricing decisions, resulting in poor product revenue results. When combined with a lack of customer, competitor, and internal cost understanding, these process and timing limitations drive most product managers into suboptimal software pricing decisions. And, adding insult to injury, the poor financial results from bad pricing decisions aren’t fully measured for months, which further compounds the negative effects of poor decision making.

    A successful product pricing strategy aligns finance, marketing, product management, and sales to optimize pricing using a solid understanding of the customer perception of price/value, competitive pricing, and software production costs.

    Success for many SaaS product managers requires a reorganization and modernization of pricing tools, techniques, and data. Leaders will develop the science of tailored price changes versus across-the-board price actions and account for inflation exposure and the customers’ willingness to pay.

    This blueprint will build your skills on how to price new products or adjust pricing for existing products. The discipline you build using our pricing strategy methodology will strengthen your team’s ability to develop repeatable pricing and will build credibility with senior management and colleagues in marketing and sales.

    Photo of Joanne Morin Correia, Principal Research Director, SoftwareReviews.

    Joanne Morin Correia
    Principal Research Director
    SoftwareReviews

    Executive Summary

    Organizations struggle to build repeatable pricing processes:
    • A lack of alignment and collaboration among finance, marketing, product development, and sales.
    • A lack of understanding of customers, competitors, and market pricing.
    • Inability to stay ahead of complex and shifting software pricing models.
    • Time is wasted without a deep understanding of pricing issues and opportunities, and revenue opportunities go unrealized.
    Obstacles add friction to the pricing management process:
    • Pressure from management to make quick decisions results in a gut-driven approach to pricing.
    • A lack of pricing skills and management processes limits sound decision making.
    • Price changes fail because discovery often lacks competitive intelligence and buyer value to price point understanding. Customers’ reactions are often observed much later, after the decision is made.
    • Economic disruptions, supplier price hikes, and higher employee salaries/benefits are driving costs higher.
    Use SoftwareReviews’ approach for more successful pricing:
    • Organize for a more effective pricing project including roles & responsibilities as well as an aligned pricing approach.
    • Work with CFO/finance partner to establish target price based on margins and key factors affecting costs.
    • Perform a competitive price assessment and understand the buyer price/value equation.
    • Arrive at a target price based on the above and seek buy-in and approvals.

    SoftwareReviews Insight

    Product leaders will price products based on a deep understanding of the buyer price/value equation and alignment with financial and competitive pricing strategies, and they will make ongoing adjustments based on an ability to monitor buyers, competitors, and product cost changes.

    What is an optimized price strategy?

    “Customer discovery interviews help reduce the chance of failure by testing your hypotheses. Quality customer interviews go beyond answering product development and pricing questions.” (Pricing Strategies, Growth Ramp, March 2022)

    Most product managers just research their direct competitors when launching a new SaaS product. While this is essential, competitive pricing intel is insufficient to create a long-term optimized pricing strategy. Leaders will also understand buyer TCO.

    Your customers are constantly comparing prices and weighing the total cost of ownership as they consider your competition. Why?

    Implementing a SaaS solution creates a significant time burden as buyers spend days learning new software, making sure tools communicate with each other, configuring settings, contacting support, etc. It is not just the cost of the product or service.

    Optimized Price Strategy Is…
    • An integral part of any product plan and business strategy.
    • Essential to improving and maintaining high levels of margins and customer satisfaction.
    • Focused on delivering the product price to your customer’s business value.
    • Understanding customer price-value for your software segment.
    • Monitoring your product pricing with real-time data to ensure support for competitive strategy.
    Price Strategy Is Not…
    • Increasing or decreasing price on a gut feeling.
    • Changing price for short-term gain.
    • Being wary of asking customers pricing-related questions.
    • Haphazardly focusing entirely on profit.
    • Just covering product costs.
    • Only researching direct competitors.
    • Focusing on yourself or company satisfaction but your target customers.
    • Picking the first strategy you see.

    SoftwareReviews Insight

    An optimized pricing strategy establishes the “best” price for a product or service that maximizes profits and shareholder value while considering customer business value vs. the cost to purchase and implement – the total cost of ownership (TCO).

    Challenging environment

    Product managers are currently experiencing the following:
    • Supplier costs and inflation are rising, eroding product margins and impacting customers’ budgets.
    • Pressure from management to make a gut-feeling decision because of time, lack of skills, and process limitations.
    • Navigating competing pricing-related priorities among product, sales, and finance.
    • Product price increases that fail because discovery lacks understanding of costs, price/value equation, and competitive price points.
    • Slowing customer demand due to poorly priced offerings may not be fully measured for many months following the price decision.
    Doing nothing is NOT an option!
    Offense Double Down

    Benefit: Leverage long-term financial and market assets

    Risk: Market may not value those assets in the future
    Fight Back

    Benefit: Move quickly

    Risk: Hard to execute and easy to get pricing wrong
    Defense Retrench

    Benefit: Reduce threats from new entrants through scale and marketing

    Risk: Causes managed decline and is hard to sell to leadership
    Move Away

    Benefit: Seize opportunities for new revenue sources

    Risk: Diversification is challenging to pull off
    Existing Markets and Customers New Markets and Customers

    Pricing skills are declining

    Among product managers, limited pricing skills are big obstacles that make pricing difficult and under-optimized.

    Visual of a bar chart with descending values, each bar has written on it: 'Limited - Limits in understanding of engineering, marketing, and sales expectations or few processes for pricing and/or cost', 'Inexperienced - Inexperience in pricing project skills and corporate training', 'Lagging - Financial lag indicators (marketing ROI, revenue, profitability, COGs)', 'Lacking - Lack of relevant competitive pricing/packaging information', 'Shifting - Shift to cloud subscription-based revenue models is challenging'.

    The top three weakest product management skills have remained constant over the past five years:
    • Competitive analysis
    • Pricing
    • End of life
    Pricing is the weakest skill and has been declining the most among surveyed product professionals every year. (Adapted from 280 Group, 2022)

    Key considerations for more effective pricing decisions

    Pricing teams can improve software product profitability by:
    • Optimizing software profit with four critical elements: properly pricing your product, giving complete and accurate quotations, choosing the terms of the sale, and selecting the payment method.
    • Implementing tailored price changes (versus across-the-board price actions) to help account for inflation exposure, customer willingness to pay, and product attribute changes.
    • Accelerating ongoing pricing decision-making with a dedicated cross-functional team ready to act quickly.
    • Resetting discounting and promotion, and revisiting service-level agreements.
    Software pricing leaders will regularly assess:

    Has it been over a year since prices were updated?

    Have customers told you to raise your prices?

    Do you have the right mix of customers in each pricing plan?

    Do 40% of your customers say they would be very disappointed if your product disappeared? (Adapted from Growth Ramp, 2021)

    Case Study

    Middleware Vendor

    INDUSTRY
    Technology Middleware
    SOURCE
    SoftwareReviews Custom Pricing Strategy Project
    A large middleware vendor, who is running on Microsoft Azure, known for quality development and website tools, needed to react strategically to the March 2022 Microsoft price increase.

    Key Initiative: Optimize New Pricing Strategy

    The program’s core objective was to determine if the vendor should implement a price increase and how the product should be packaged within the new pricing model.

    For this initiative, the company interviewed buyers using three key questions: What are the core capabilities to focus on building/selling? What are the optimal features and capabilities valued by customers that should be sold together? And should they be charging more for their products?

    Results
    This middleware vendor saw buyer support for a 10% price increase to their product line and restructuring of vertical contract terms. This enabled them to retain customers over multi-year subscription contracts, and the price increase enabled them to protect margins after the Microsoft price increase.

    The Optimize New Pricing Strategy included the following components:

    Components: 'Product Feature Importance & Satisfaction', 'Correlation of Features and Value Drivers', 'Fair Cost to Value Average for Category', 'Average Discounting for Category', 'Customer Value Is an Acceptable Multiple of Price'. First four: 'Component fails into the scope of optimizing price strategy to value'; last one: 'They are optimizing their price strategy decisions'.

    New product price approach

    As a collaborative team across product management, marketing, and finance, we see leaders taking a simple yet well-researched approach when setting product pricing.

    Iterating to a final price point is best done with research into how product pricing:

    • Delivers target margins.
    • Is positioned vs. key competitors.
    • Delivers customer value at a fair price/value ratio.
    To arrive at our new product price, we suggest iterating among 3 different views:

    New Target Price:

    • Buyer Price vs. Value
    • Cost - Plus
    • Vs. Key Competitors
    We analyzed:
    • Customer price/value equation interviews
    • Impacts of Supplier cost increases
    • Competitive pricing research
    • How product pricing delivers target margins

    Who should care about optimized pricing?

    Product managers and marketers who:

    • Support the mandate for optimizing pricing and revenue generation.
    • Need a more scientific way to plan and implement new pricing processes and methods to optimize revenues and profits.
    • Want a way to better apply customer and competitive insights to product pricing.
    • Are evaluating current pricing and cost control to support a refreshed pricing strategy.

    Finance, sales, and marketing professionals who are pricing stakeholders in:

    • Finding alternatives to current pricing and packaging approaches.
    • Looking for ways to optimize price within the shifting market momentum.

    How will they benefit from this research?

    • Refine the ability to effectively target pricing to specific market demands and customer segments.
    • Strengthen product team’s reputation for reliable and repeatable price-management capabilities among senior leadership.
    • Recognize and plan for new revenue opportunities or cost increases.
    • Allow for faster, more accurate intake of customer and competitive data. 
    • Improve pricing skills for professional development and business outcomes.
    • Create new product price, packaging, or market opportunities. 
    • Reduce financial costs and mistakes associated with manual efforts and uneducated guessing.
    • Price software products that better achieve financial goals optimizing revenue, margins, or market share.
    • Enhance the product development and sales processes with real competitive and customer expectations.

    Is Your Pricing Strategy Optimized?

    With the right pricing strategy, you can invest more money into your product, service, or growth. A 1% price increase will improv revenues by:

    Three bars: 'Customer acquisition, 3.32%', 'Customer retention, 6.71%', 'Price monetization, 12.7%'.

    Price monetization will almost double the revenue increases over customer acquisition and retention. (Pricing Strategies, Growth Ramp, March 2022)

    DIAGNOSE PRICE CHALLENGES

    Prices of today's cloud-based services/products are often misaligned against competition and customers' perceived value, leaving more revenues on the table.
    • Do you struggle to price new products with confidence?
    • Do you really know your SaaS product's costs?
    • Have you lost pricing power to stronger competitors?
    • Has cost focus eclipsed customer value focus?
    If so, you are likely skipping steps and missing key outputs in your pricing strategy.

    OPTIMIZE THESE STEPS

    ALIGNMENT
    1. Assign Team Responsibilities
    2. Set Timing for Project Deliverables
    3. Clarify Financial Expectations
    4. Collect Customer Contacts
    5. Determine Competitors
    6. BEFORE RESEARCH, HAVE YOU
      Documented your executive's financial expectations? If "No," return.

    RESEARCH & VALIDATE
    1. Research Competitors
    2. Interview Customers
    3. Test Pricing vs. Financials
    4. Create Pricing Presentation
    5. BEFORE PRESENTING, HAVE YOU:
      Clarified your customer and competitive positioning to validate pricing? If "No," return.

    BUY-IN
    1. Executive Pricing Presentation
    2. Post-Mortem of Presentation
    3. Document New Processes
    4. Monitor the Pricing Changes
    5. BEFORE RESEARCH, HAVE YOU:
      Documented your executive's financial expectations? If "No," return.

    DELIVER KEY OUTPUTS

    Sponsoring executive(s) signs-offs require a well-articulated pricing plan and business case for investment that includes:
    • Competitive features and pricing financial templates
    • Customer validation of price value
    • Optimized price presentation
    • Repeatable pricing processes to monitor changes

    REAP THE REWARDS

    • Product pricing is better aligned to achieve financial goals
    • Improved pricing skills or professional development
    • Stronger team reputation for reliable price management

    Key Insights

    1. Gain a competitive edge by using market and customer information to optimize product financials, refine pricing, and speed up decisions.
    2. Product leaders will best set software product price based on a deep understanding of buyer/price value equation, alignment with financial strategy, and an ongoing ability to monitor buyer, competitor, and product costs.

    SoftwareReviews’ methodology for optimizing your pricing strategy

    Steps

    1.1 Establish the Team and Responsibilities
    1.2 Educate/Align Team on Pricing Strategy
    1.2 Document Portfolio & Target Product(s) for Pricing Updates
    1.3 Clarify Product Target Margins
    1.4 Establish Customer Price/Value
    1.5 Identify Competitive Pricing
    1.6 Establish New Price and Gain Buy-In

    Outcomes

    1. Well-organized project
    2. Clarified product pricing strategy
    3. Customer value vs. price equation
    4. Competitive price points
    5. Approvals

    Insight summary

    Modernize your price planning

    Product leaders will price products based on a deep understanding of the buyer price/value equation and alignment with financial and competitive pricing strategies, and make ongoing adjustments based on an ability to monitor buyer, competitor, and product cost changes.

    Ground pricing against financials

    Meet and align with financial stakeholders.
    • Give finance a heads-up that you want to work with them.
    • Find out the CFO’s expectations for pricing and margins.
    • Ask for a dedicated finance team member.

    Align on pricing strategy

    Lead stakeholders in SaaS product pricing decisions to optimize pricing based on four drivers:
    • Customer’s price/value
    • Competitive strategy
    • Reflective of costs
    • Alignment with financial goals

    Decrease time for approval

    Drive price decisions, with the support of the CFO, to the business value of the suggested change:
    • Reference current product pricing guidelines
    • Compare to the competition and our strategy and weigh results against our customer’s price/value
    • Compare against the equation to business value for the suggested change
    Develop the skill of pricing products

    Increase product revenues and margins by enhancing modern processes and data monetization. Shift from intuitive to information-based pricing decisions.

    Look at other options for revenue

    Adjust product design, features, packaging, and contract terms while maintaining the functionality customers find valuable to their business.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:
    Key deliverable:

    New Pricing Strategy Presentation Template

    Capture key findings for your price strategy with the Optimize Your Pricing in a Volatile Competitive Market Strategy Presentation Template

    Sample of the 'Acme Corp New Product Pricing' blueprint.

    Optimize Software Pricing in a Volatile Competitive Market Executive Brief

    This executive brief will build your knowledge on how to price new products or adjust pricing for existing products.

    Sample of the 'Optimize Software Pricing in a Volatile Competitive Market' blueprint.

    Optimize Software Pricing in a Volatile Competitive Market Workbook

    This workbook will help you prioritize which products require repricing, hold customer interviews, and capture competitive insights.

    Sample of the 'Optimize Software Pricing in a Volatile Competitive Market' workbook.

    Guided Implementation

    A Guided Implementation (GI) is a series of calls with a SoftwareReviews analyst to help implement our best practices in your organization.

    A typical GI is 4 to 8 calls over the course of 2 to 4 months.

    What does a typical GI on optimizing software pricing look like?

    Alignment

    Research & Reprice

    Buy-in

    Call #1: Share the pricing team vision and outline activities for the pricing strategy process. Plan next call – 1 week.

    Call #2: Outline products that require a new pricing approach and steps with finance. Plan next call – 1 week.

    Call #3: Discuss the customer interview process. Plan next call – 1 week.

    Call #4 Outline competitive analysis. Plan next call – 1 week.

    Call #5: Review customer and competitive results for initial new pricing business case with finance for alignment. Plan next call – 3 weeks.

    Call #6: Review the initial business case against financial plans across marketing, sales, and product development. Plan next call – 1 week.

    Call #7 Review the draft executive pricing presentation. Plan next call – 1 week.

    Call #8: Discuss gaps in executive presentation. Plan next call – 3 days.

    SoftwareReviews Offers Various Levels of Support to Meet Your Needs

    Included in Advisory Membership Optional add-ons

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Desire a Guided Implementation?

    • A GI is where your SoftwareReviews engagement manager and executive advisor/counselor will work with SoftwareReviews research team members to craft with you a Custom Key Initiative Plan (CKIP).
    • A CKIP guides your team through each of the major steps, outlines responsibilities between members of your team and SoftwareReviews, describes expected outcomes, and captures actual value delivered.
    • A CKIP also provides you and your team with analyst/advisor/counselor feedback on project outputs, helps you communicate key principles and concepts to your team, and helps you stay on project timelines.
    • If Guided Implementation assistance is desired, contact your engagement manager.

    Workshop overview

    Contact your account representative for more information.
    workshops@infotech.com1-888-670-8889
    Day 1 Day 2 Day 3 Day 4 Day 5
    Align Team, Identify Customers, and Document Current Knowledge
    Validate Initial Insights and Identify Competitors and Market View
    Schedule and Hold Buyer Interviews
    Summarize Findings and Provide Actionable Guidance to Stakeholders
    Present, Go Forward, and Measure Impact and Results
    Activities

    1.1 Identify Team Members, roles, and responsibilities

    1.2 Establish timelines and project workflow

    1.3 Gather current product and future financial margin expectations

    1.4 Review the Optimize Software Executive Brief and Workbook Templates

    1.4 Build prioritized pricing candidates hypothesis

    2.1 Identify customer interviewee types by segment, region, etc.

    2.2 Hear from industry analysts their perspectives on the competitors, buyer expectations, and price trends

    2.3 Research competitors for pricing, contract type, and product attributes

    3.2 Review pricing and attributes survey and interview questionnaires

    3.2 Hold interviews and use interview guides (over four weeks)

    A gap of up to 4 weeks for scheduling of interviews.

    3.3 Hold review session after initial 3-4 interviews to make adjustments

    4.1 Review all draft price findings against the market view

    4.2 Review Draft Executive Presentation

    5.1 Review finalized pricing strategy plan with analyst for market view

    5.2 Review for comments on the final implementation plan

    Deliverables
    1. Documented steering committee and working team
    2. Current and initial new pricing targets for strategy
    3. Documented team knowledge
    1. Understanding of market and potential target interviewee types
    2. Objective competitive research
    1. Initial review – “Are we going in the right direction with surveys?”
    2. Validate or adjust the pricing surveys to what you hear in the market
    1. Complete findings and compare to the market
    2. Review and finish drafting the Optimize Software Pricing Strategy presentation
    1. Final impute on strategy
    2. Review of suggested next steps and implementation plan

    Our process

    Align team, perform research, and gain executive buy-in on updated price points

    1. Establish the team and responsibilities
    2. Educate/align team on pricing strategy
    3. Document portfolio & target product(s) for pricing updates
    4. Clarify product target margins
    5. Establish customer price/value
    6. Identify competitive pricing
    7. Establish new price and gain buy-in

    Optimize Software Pricing in a Volatile Competitive Market

    Our process will help you deliver the following outcomes:

    • Well-organized project
    • Clarified product pricing strategy
    • Customer value vs. price equation
    • Competitive price points
    • Approvals

    This project involves the following participants:

    • Product management
    • Program leadership
    • Product marketing
    • CFO or finance representative/partner
    • Others
    • Representative(s) from Sales

    1.0 Assign team responsibilities

    Input: Steering committee roles and responsibilities, Steering committee interest and role

    Output: List of new pricing strategy steering committee and workstream members, roles, and timelines, Updated Software Pricing Strategy presentation

    Materials: Optimize Software Pricing in a Volatile Competitive Market Presentation Template

    Participants: CFO, sponsoring executive, Functional leads – development, product marketing, product management, marketing, sales, customer success/support

    1-2 hours
    1. The product manager/member running this pricing/repricing program should review the entire Optimize Software Pricing in a Volatile Competitive Market blueprint and each blueprint attachment.
    2. The product manager should also refer to slide 19 of the Optimize Software Pricing in a Volatile Competitive Market blueprint and decide if help via a Guided Implementation (GI) is of value. If desired, alert your SoftwareReviews engagement manager.
    1-2 hours
    1. The product manager should meet with the chief product officer/CPO and functional leaders, and set the meeting agenda to:
      1. Nominate steering committee members.
      2. Nominate work-stream leads.
      3. Establish key pricing project milestones.
      4. Schedule both the steering committee (suggest monthly) and workstream lead meetings (suggest weekly) through the duration of the project.
      5. Ask the CPO to craft, outside this meeting, his/her version of the "Message from the chief product officer.”
      6. If a Guided Implementation is selected, inform the meeting attendees that a SoftwareReviews analyst will join the next meeting to share his/her Executive Brief on Pricing Strategy.
    2. Record all above findings in the Optimize Software Pricing in a Volatile Competitive Market Presentation Template.

    Download the Optimize Software Pricing in a Volatile Competitive Market Presentation Template

    SoftwareReviews Advisory Insight:

    Pricing steering committees are needed to steer overall product, pricing, and packaging decisions. Some companies include the CEO and CFO on this committee and designate it as a permanent body that meets monthly to give go/no-go decisions to “all things product and pricing related” across all products and business units.

    2.0 Educate the team

    1 hour

    Input: Typically, a joint recognition that pricing strategies need upgrading and have not been fully documented, Steering committee and working team members

    Output: Communication of team members involved and the makeup of the steering committee and working team, Alignment of team members on a shared vision of “why a new price strategy is critical” and what key attributes define both the need and impact on business

    Materials: Optimize Your Software Strategy Executive Brief PowerPoint presentation

    Participants: Initiative manager – individual leading the new pricing strategy, CFO/sponsoring executive, Working team – typically representatives in product marketing, product management, and sales, SoftwareReviews marketing analyst (optional)

    1. Walk the team through the Optimize Software Pricing in a Volatile Competitive Market Executive Brief PowerPoint presentation.
    2. Optional – Have the SoftwareReviews Advisory (SRA) analyst walk the team through the Optimize Software Pricing in a Volatile Competitive Market Executive Brief PowerPoint presentation as part of your session. Contact your engagement manager to schedule.
    3. Walk the team through the current version of the Optimize Software Pricing in a Volatile Competitive Market Presentation Template outlining project goals, steering committee and workstream make-up and responsibilities, project timeline and key milestones, and approach to arriving at new product pricing.
    4. Set expectations among team members of their specific roles and responsibilities for this project, review the frequency of steering committee and workstream meetings to set expectations of key milestones and deliverable due dates.

    Download the Optimize Software Pricing in a Volatile Competitive Market Executive Brief

    3.0 Document portfolio and target products for pricing update

    1-3 Hours

    Input: List of entire product portfolio

    Output: Prioritized list of product candidates that should be repriced

    Materials: Optimize Software Pricing in a Volatile Competitive Market Executive Brief presentation, Optimize Software Pricing in a Volatile Competitive Market Workbook

    Participants: Initiative manager – individual leading the new pricing strategy, CFO/sponsoring executive, Working team – typically representatives in product marketing, product management, and sales

    1. Walk the team through the current version of Optimize Software Pricing in a Volatile Competitive Market workbook, tab 2: “Product Portfolio Organizer.” Modify sample attributes to match your product line where necessary.
    2. As a group, record the product attributes for your entire portfolio.
    3. Prioritize the product price optimization candidates for repricing with the understanding that it might change after meeting with finance.

    Download the Optimize Software Pricing in a Volatile Competitive Market Workbook

    4.0 Clarify product target margins

    2-3 sessions of 1 Hour each

    Input: Finance partner/CFO knowledge of target product current and future margins, Finance partner/CFO who has information on underlying costs with details that illustrate supplier contributions

    Output: Product finance markup target percentage margins and revenues

    Materials: Finance data on the product family, Optimize Software Pricing in a Volatile Competitive Market Workbook, Optimize Software Pricing in a Volatile Competitive Market Presentation Template

    Participants: Initiative manager, Finance partner/CFO

    1. Schedule a meeting with your finance partner/CFO to validate expectations for product margins. The goal is to understand the detail of underlying costs/margins and if the impacts of supplier costs affect the product family. The information will be placed into the Optimize Software Pricing in a Volatile Competitive Market Workbook on tab 2, Product Portfolio Organizer under the “Unit Margins” heading.
    2. Arrive at a final “Cost-Plus New Price” based on underlying costs and target margins for each of the products. Record results in the Optimize Software Pricing in a Volatile Competitive Market Workbook, tab 2, under the “Cost-Plus New Price” heading.
    3. Record product target finance markup price under “Cost-Plus” in Optimize Software Pricing in a Volatile Competitive Market Presentation Template, slide 9, and details in Appendix, “Cost-Plus Analysis,” slide 11.
    4. Repeat this process for any other products to be repriced.

    Download the Optimize Software Pricing in a Volatile Competitive Market Workbook

    Download the Optimize Software Pricing in a Volatile Competitive Market Presentation Template

    5.0 Establish customer price to value

    1-4 weeks

    Input: Identify segments within which you require price-to-value information, Understand your persona insight gaps, Review Sample Interview Guide using the Optimize Software Pricing in a Volatile, Competitive Market Workbook, Tab 4. Interview Guide.

    Output: List of interviewees, Updated Interview Guide

    Materials: Optimize Software Pricing in a Volatile Competitive Market Workbook, Optimize Software Pricing in a Volatile Competitive Market Presentation Template

    Participants: Initiative manager, Customer success to help identify interviewees, Customers, prospects

    1. Identify a list of customers and prospects that best represent your target persona when interviewed. Choose interviewees who will inform key differences among key segments (geographies, company size, a mix of customers and prospects, etc.) and who are decision makers and can best inform insights on price/value and competitors.
    2. Recruit interviewees and schedule 30-minute interviews.
    3. Keep track of interviewees using the Optimize Software Pricing in a Volatile Competitive Market Workbook, tab 3: “Interviewee Tracking.”
    4. Review the Optimize Software Pricing in a Volatile Competitive Market Workbook, tab 4: “Interview Guide,” and modify/update it where appropriate.
    5. Record interviewee perspectives on the “price they are willing to pay for the value received” (price/value equation) using the Optimize Software Pricing in a Volatile Competitive Market Workbook, tab 4: “Interview Guide.”
    6. Summarize findings to result in an average “customer’s value price.” Record product target ”customer’s value price” in Optimize Software Pricing in a Volatile Competitive Market Presentation Template, slide 9 and supporting details in Appendix, “Customer Pricing Analysis,” slide 12.

    Download the Optimize Software Pricing in a Volatile Competitive Market Workbook

    Download the Optimize Software Pricing in a Volatile Competitive Market Presentation Template

    6.0 Identify competitive pricing

    1-2 weeks

    Input: Identify price candidate competitors, Your product pricing, contract type, and product attribute information to compare against, Knowledge of existing competitor information, websites, and technology research sites to guide questions

    Output: Competitive product average pricing

    Materials: Optimize Software Pricing in a Volatile Competitive Market Workbook, Optimize Software Pricing in a Volatile Competitive Market Presentation Template

    Participants: Initiative manager, Customers, prospects

    1. Identify the top 3-5 competitors’ products that you most frequently compete against with your selected product.
    2. Perform competitive intelligence research on deals won or lost that contain competitive pricing insights by speaking with your sales force.
    3. Use the interviews with key customers to also inform competitive pricing insights. Include companies which you may have lost to a competitor in your customer interviewee list.
    4. Modify and add key competitive pricing, contract, or product attributes in the Optimize Software Pricing in a Volatile Competitive Market Workbook, tab 5: “Competitive Information.”
    5. Place your product’s information into the Optimize Software Pricing in a Volatile Competitive Market Workbook, tab 5: “Competitive Information.”
    6. Research your competitors’ summarized pricing and product attribute insights into the workbook.
    7. Record research in the Summarize research on competitors to arrive at an average “Competitors Avg. Price”. Record in ”Customer’s Value Price” in Optimize Software Pricing in a Volatile Competitive Market Presentation Template, slide 9, and details in Appendix, “Competitor Pricing Analysis,” slide 13.

    Download the Optimize Software Pricing in a Volatile Competitive Market Workbook

    Download the Optimize Software Pricing in a Volatile Competitive Market Presentation Template

    7.0 Establish new price and gain buy-in

    2-3 hours

    Input: Findings from competitive, cost-plus, and customer price/value analysis

    Output: Approvals for price change

    Materials: Optimize Software Pricing in a Volatile Competitive Market Presentation Template

    Participants: Initiative manager, Steering committee, Working team – typically representatives in product marketing, product management, sales

    1. Using prior recorded findings of Customer’s Value Price, Competitors’ Avg. Price, and Finance Markup Price, arrive at a recommended “New Price” and record in Optimize Software Pricing in a Volatile Competitive Market Presentation Template, slide 9 and the Appendix for Project Analysis Details.
    2. Present findings to steering committee. Be prepared to show customer interviews and competitive analysis results to support your recommendation.
    3. Plan internal and external communications and discuss the timing of when to “go live” with new pricing. Discuss issues related to migration to a new price, how to handle currently low-priced customers, and how to migrate them over time to the new pricing.
    4. Identify if it makes sense to target a date to launch the new pricing in the future, so customers can be alerted in advance and therefore take advantage of “current pricing” to drive added revenues.
    5. Confer with IT to assess times required to implement within CPQ systems and with product marketing for time to change sales proposals, slide decks, and any other affected assets and systems.

    Download the Optimize Software Pricing in a Volatile Competitive Market Presentation Template

    Summary of Accomplishment

    Problem Solved

    With the help of this blueprint, you have deepened your and your company’s understanding of how to look at new pricing opportunities and what the market and the buyer will pay for your product. You are among the minority of product and marketing leaders that have thoroughly documented their new pricing strategy and processes – congratulations!

    The benefits of having led your team through the process are significant and include the following:

    • Allow for faster, more accurate intake of customer and competitive data 
    • Refine the ability to effectively target pricing to specific market demands and customer segments 
    • Understand the association between the value proposition of products and services
    • Reduce financial costs and mistakes associated with manual efforts & uneducated guessing
    • Recognize and plan for new revenue opportunities or cost increases
    • Create new market or product packaging opportunities
    And finally, by bringing your team along with you in this process, you have also led your team to become more customer-focused while pricing your products – a strategic shift that all organizations should pursue.

    If you would like additional support, contact us and we’ll make sure you get the professional expertise you need.

    Contact your account representative for more information.

    info@softwarereviews.com
    1-888-670-8889

    Bibliography

    “Chapter 4 Reasons for Project Failure.” Kissflow's Guide to Project Management. Kissflow, n.d. Web.

    Edie, Naomi. “Microsoft Is Raising SaaS Prices, and Other Vendors Will, Too.” CIO Dive, 8 December 2021. Web.

    Gruman, Galen, Alan S. Morrison, and Terril A. Retter. “Software Pricing Trends.” PricewaterhouseCoopers, 2018. Web.

    Hargrave, Marshall. “Example of Economic Exposure.” Investopedia, 12 April 2022. Web.

    Heaslip, Emily. “7 Smart Pricing Strategies to Attract Customers.” CO—, 17 November 2021. Web.

    Higgins, Sean. “How to Price a Product That Your Sales Team Can Sell.” HubSpot, 4 April 2022. Web.

    “Pricing Strategies.” Growth Ramp, March 2022. Web.

    “Product Management Skills Benchmark Report 2021.” 280 Group, 9 November 2021. Web.

    Quey, Jason. “Price Increase: How to Do a SaaS Pricing Change in 8 Steps.” Growth Ramp, 22 March 2021. Web.

    Steenburg, Thomas, and Jill Avery. “Marketing Analysis Toolkit: Pricing and Profitability Analysis.” Harvard Business School, 16 July 2010. Web.

    “2021 State of Competitive Intelligence.” Crayon and SCIO, n.d. Web.

    Valchev, Konstantin. “Cost of Goods Sold (COGS) for Software-as-a-Service (SaaS) Business.” OpenView Venture Partners, OV Blog, 20 April 2020. Web.

    “What Is Price Elasticity?” Market Business News, n.d. Web.

    Grow Your Own PPM Solution

    • Buy Link or Shortcode: {j2store}436|cart{/j2store}
    • member rating overall impact: 9.6/10 Overall Impact
    • member rating average dollars saved: $47,944 Average $ Saved
    • member rating average days saved: 29 Average Days Saved
    • Parent Category Name: Portfolio Management
    • Parent Category Link: /portfolio-management
    • As portfolio manager, you’re responsible for supporting the intake of new project requests, providing visibility into the portfolio of in-flight projects, and helping to facilitate the right approval and prioritization decisions.
    • You need a project portfolio management (PPM) tool that promotes the maintenance and flow of good data to help you succeed in these tasks. However, while throwing expensive technology at bad process rarely works, many organizations take this approach to solve their PPM problems.
    • Commercial PPM solutions are powerful and compelling, but they are also expensive, complex, and hard to use. When a solution is not properly adopted, the data can be unreliable and inconsistent, defeating the point of purchasing a tool in the first place.

    Our Advice

    Critical Insight

    • Your choice of PPM solution must be in tune with your organizational PPM maturity to ensure that you are prepared to sustain the tool use without having the corresponding PPM processes collapse under its own weight.
    • A spreadsheet-based homegrown PPM solution can provide key capabilities of an optimized PPM solution with a high level of sophistication and complexity without the prohibitive capital and labor costs demanded by commercial PPM solution.
    • Focus on your PPM decision makers that will consume the reports and insights by investigating their specific reporting needs.

    Impact and Result

    • Think outside the commercial box. Develop an affordable, adoptable, and effective PPM solution using widely available tools based on Info-Tech’s ready-to-deploy templates.
    • Make your solution sustainable. When it comes to portfolio management, high level is better. A tool that is accurate and maintainable will provide more value than one that strives for precise data yet is ultimately unmaintainable.
    • Report success. A PPM tool needs to foster portfolio visibility in order to engage and inform the executive layer and support effective decision making.

    Grow Your Own PPM Solution Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should grow your own PPM solution, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Right-size your PPM solution

    Scope an affordable, adoptable, and effective PPM solution with Info-Tech's Portfolio Manager 2017 workbook.

    • Grow Your Own PPM Solution – Phase 1: Right-Size Your PPM Solution
    • Portfolio Manager 2017 Cost-in-Use Estimation Tool
    • None

    2. Get to know Portfolio Manager 2017

    Learn how to use Info-Tech's Portfolio Manager 2017 workbook and create powerful reports.

    • Grow Your Own PPM Solution – Phase 2: Meet Portfolio Manager 2017
    • Portfolio Manager 2017
    • Portfolio Manager 2017 (with Actuals)
    • None
    • None
    • None

    3. Implement your homegrown PPM solution

    Plan and implement an affordable, adoptable, and effective PPM solution with Info-Tech's Portfolio Manager 2017 workbook.

    • Grow Your Own PPM Solution – Phase 3: Implement Your PPM Solution
    • Portfolio Manager 2017 Operating Manual
    • Stakeholder Engagement Workbook
    • Portfolio Manager Debut Presentation for Portfolio Owners
    • Portfolio Manager Debut Presentation for Data Suppliers

    4. Outgrow your own PPM solution

    Develop an exit strategy from your home-grown solution to a commercial PPM toolset. In this video, we show a rapid transition from the Excel dataset shown on this page to a commercial solution from Meisterplan. Christoph Hirnle of Meisterplan is interviewed starting at 9 minutes.

    • None
    [infographic]

    Workshop: Grow Your Own PPM Solution

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Scope a Homegrown PPM Solution for Your Organization

    The Purpose

    Assess the current state of project portfolio management capability at your organization. The activities in this module will inform the next modules by exploring your organization’s current strengths and weaknesses and identifying areas that require improvement.

    Set up the workbook to generate a fully functional project portfolio workbook that will give you a high-level view into your portfolio.

    Key Benefits Achieved

    A high-level review of your current project portfolio capability is used to decide whether a homegrown PPM solution is an appropriate choice

    Cost-benefit analysis is done to build a business case for supporting this choice

    Activities

    1.1 Review existing PPM strategy and processes.

    1.2 Perform a cost-benefit analysis.

    Outputs

    Confirmation of homegrown PPM solution as the right choice

    Expected benefits for the PPM solution

    2 Get to Know Portfolio Manager 2017

    The Purpose

    Define a list of requirements for your PPM solution that meets the needs of all stakeholders.

    Key Benefits Achieved

    A fully customized PPM solution in your chosen platform

    Activities

    2.1 Introduction to Info-Tech's Portfolio Manager 2017: inputs, outputs, and the data model.

    2.2 Gather requirements for enhancements and customizations.

    Outputs

    Trained project/resource managers on the homegrown solution

    A wish list of enhancements and customizations

    3 Implement Your Homegrown PPM Solution

    The Purpose

    Determine an action plan regarding next steps for implementation.

    Implement your homegrown PPM solution. The activities outlined in this step will help to promote adoption of the tool throughout your organization.

    Key Benefits Achieved

    A set of processes to integrate the new homegrown PPM solution into existing PPM activities

    Plans for piloting the new processes, process improvement, and stakeholder communication

    Activities

    3.1 Plan to integrate your new solution into your PPM processes.

    3.2 Plan to pilot the new processes.

    3.3 Manage stakeholder communications.

    Outputs

    Portfolio Manager 2017 operating manual, which documents how Portfolio Manager 2017 is used to augment the PPM processes

    Plan for a pilot run and post-pilot evaluation for a wider rollout

    Communication plan for impacted PPM stakeholders

    10 Secrets for Successful Disaster Recovery in the Cloud

    • Buy Link or Shortcode: {j2store}419|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: $12,096 Average $ Saved
    • member rating average days saved: 20 Average Days Saved
    • Parent Category Name: DR and Business Continuity
    • Parent Category Link: /business-continuity
    • The pay-per-use pricing structure of cloud services make it a cheaper DR option, but there are gotchas you need to avoid, ranging from unexpected licensing costs to potential security vulnerabilities.
    • You likely started on the path to cloud DR with consideration of cloud storage for offsite retention of backups. Systems recovery in the cloud can be a real value-add to using cloud as a backup target.
    • Your cloud-based DR environment has to be secure and compliant, but performance also has to be “good enough” to operate the business.
    • Location still matters, and selecting the DR site that optimizes latency tolerance and geo-redundancy can be difficult.

    Our Advice

    Critical Insight

    • Keep your systems dormant until disaster strikes. Prepare as much of your environment as possible without tapping into compute resources. Enjoy the low at-rest costs, and leverage the reliability of the cloud in your failover.
    • Avoid failure on the failback! Bringing up your systems in the cloud is a great temporary solution, but an expensive long-term strategy. Make sure you have a plan to get back on premises.
    • Leverage cloud DR as a start for cloud migration. Cloud DR provides a gateway for broader infrastructure lift and shift to cloud IaaS, but this should only be the first phase of a longer-term roadmap that ends in multi-service hybrid cloud.

    Impact and Result

    • Calculate the cost of your DR solution with a cloud vendor. Test your systems often to build out more accurate budgets and to define failover and failback action plans to increase confidence in your capabilities.
    • Define “good enough” performance by consulting with the business and setting correct expectations for the recovery state.
    • Dig deeper into the various flavors of cloud-based DR beyond backup and restore, including pilot light, warm standby, and multi-site recovery. Each of these has unique benefits and challenges when done in the cloud.

    10 Secrets for Successful Disaster Recovery in the Cloud Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out the 10 secrets for success in cloud-based DR deployment, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    [infographic]

    Fast Track Your GDPR Compliance Efforts

    • Buy Link or Shortcode: {j2store}372|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: $25,779 Average $ Saved
    • member rating average days saved: 30 Average Days Saved
    • Parent Category Name: Governance, Risk & Compliance
    • Parent Category Link: /governance-risk-compliance
    • Organizations often tackle compliance efforts in an ad hoc manner, resulting in an ineffective use of resources.
    • The alignment of business objectives, information security, and data privacy is new for many organizations, and it can seem overwhelming.
    • GDPR is an EU regulation that has global implications; it likely applies to your organization more than you think.

    Our Advice

    Critical Insight

    • Financial impact isn’t simply fines. A data controller fined for GDPR non-compliance may sue its data processor for damage.
    • Even day-to-day activities may be considered processing. Screen-sharing from a remote location is considered processing if the data shown onscreen contains personal data!
    • This is not simply an IT problem. Organizations that address GDPR in a siloed approach will not be as successful as organizations that take a cross-functional approach.

    Impact and Result

    • Follow a robust methodology that applies to any organization and aligns operational and situational GDPR scope. Info-Tech's framework allows organizations to tackle GDPR compliance in a right-sized, methodical approach.
    • Adhere to a core, complex GDPR requirement through the use of our documentation templates.
    • Understand how the risk of non-compliance is aligned to both your organization’s functions and data scope.
    • This blueprint will guide you through projects and steps that will result in quick wins for near-term compliance.

    Fast Track Your GDPR Compliance Efforts Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should fast track your GDPR compliance efforts, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Understand your compliance requirements

    Understand the breadth of the regulation’s requirements and document roles and responsibilities.

    • Fast Track Your GDPR Compliance Efforts – Phase 1: Understand Your Compliance Requirements
    • GDPR RACI Chart

    2. Define your GDPR scope

    Define your GDPR scope and prioritize initiatives based on risk.

    • Fast Track Your GDPR Compliance Efforts – Phase 2: Define Your GDPR Scope
    • GDPR Initiative Prioritization Tool

    3. Satisfy documentation requirements

    Understand the requirements for a record of processing and determine who will own it.

    • Fast Track Your GDPR Compliance Efforts – Phase 3: Satisfy Documentation Requirements
    • Record of Processing Template
    • Legitimate Interest Assessment Template
    • Data Protection Impact Assessment Tool
    • A Guide to Data Subject Access Requests

    4. Align your data breach requirements and security program

    Document your DPO decision and align security strategy to data privacy.

    • Fast Track Your GDPR Compliance Efforts – Phase 4: Align Your Data Breach Requirements & Security Program

    5. Prioritize your GDPR initiatives

    Prioritize any initiatives driven out of Phases 1-4 and begin developing policies that help in the documentation effort.

    • Fast Track Your GDPR Compliance Efforts – Phase 5: Prioritize Your GDPR Initiatives
    • Data Protection Policy
    [infographic]

    Workshop: Fast Track Your GDPR Compliance Efforts

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Understand Your Compliance Requirements

    The Purpose

    Kick-off the workshop; understand and define GDPR as it exists in your organizational context.

    Key Benefits Achieved

    Prioritize your business units based on GDPR risk.

    Assign roles and responsibilities.

    Activities

    1.1 Kick-off and introductions.

    1.2 High-level overview of weekly activities and outcomes.

    1.3 Identify and define GDPR initiative within your organization’s context.

    1.4 Determine what actions have been done to prepare; how have regulations been handled in the past?

    1.5 Identify key business units for GDPR committee.

    1.6 Document business units and functions that are within scope.

    1.7 Prioritize business units based on GDPR.

    1.8 Formalize stakeholder support.

    Outputs

    Prioritized business units based on GDPR risk

    GDPR Compliance RACI Chart

    2 Define Your GDPR Scope

    The Purpose

    Know the rationale behind a record of processing.

    Key Benefits Achieved

    Determine who will own the record of processing.

    Activities

    2.1 Understand the necessity for a record of processing.

    2.2 Determine for each prioritized business unit: are you a controller or processor?

    2.3 Develop a record of processing for most-critical business units.

    2.4 Perform legitimate interest assessments.

    2.5 Document an iterative process for creating a record of processing.

    Outputs

    Initial record of processing: 1-2 activities

    Initial legitimate interest assessment: 1-2 activities

    Determination of who will own the record of processing

    3 Satisfy Documentation Requirements and Align With Your Data Breach Requirements and Security Program

    The Purpose

    Review existing security controls and highlight potential requirements.

    Key Benefits Achieved

    Ensure the initiatives you’ll be working on align with existing controls and future goals.

    Activities

    3.1 Determine the appetite to align the GDPR project to data classification and data discovery.

    3.2 Discuss the benefits of data discovery and classification.

    3.3 Review existing incident response plans and highlight gaps.

    3.4 Review existing security controls and highlight potential requirements.

    3.5 Review all initiatives highlighted during days 1-3.

    Outputs

    Highlighted gaps in current incident response and security program controls

    Documented all future initiatives

    4 Prioritize GDPR Initiatives

    The Purpose

    Review project plan and initiatives and prioritize.

    Key Benefits Achieved

    Finalize outputs of the workshop, with a strong understanding of next steps.

    Activities

    4.1 Analyze the necessity for a data protection officer and document decision.

    4.2 Review project plan and initiatives.

    4.3 Prioritize all current initiatives based on regulatory compliance, cost, and ease to implement.

    4.4 Develop a data protection policy.

    4.5 Finalize key deliverables created during the workshop.

    4.6 Present the GDPR project to key stakeholders.

    4.7 Workshop executive presentation and debrief.

    Outputs

    GDPR framework and prioritized initiatives

    Data Protection Policy

    List of key tools

    Communication plans

    Workshop summary documentation

    Jump Start Your Vendor Management Initiative

    • Buy Link or Shortcode: {j2store}211|cart{/j2store}
    • member rating overall impact: 9.4/10 Overall Impact
    • member rating average dollars saved: $137,332 Average $ Saved
    • member rating average days saved: 31 Average Days Saved
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management
    • Each year, IT organizations spend more money “outsourcing” tasks, activities, applications, functions, and other items.
    • The increased spend and associated outsourcing leads to less control, and more risk for IT organizations. Managing this becomes a higher priority for IT, but many IT organizations are ill-equipped to do this proactively.

    Our Advice

    Critical Insight

    • Vendor management is not “plug and play” – each organization’s vendor management initiative (VMI) needs to fit its culture, environment, and goals. There are commonalites among vendor management initiatives, but the key is to adapt vendor management principles to fit your needs, not the other way around.
    • All vendors are not of equal importance to an organization. Internal resources are a scarce commodity and should be deployed so that they provide the best return on the organization’s investment. Classifying or segmenting your vendors allows you to focus your efforts on the most important vendors first, allowing your VMI to have the greatest impact possible.
    • Having a solid foundation is critical to the VMI’s ongoing success. Whether you will be creating a formal vendor management office or using vendor management techniques, tools, and templates “informally,” starting with the basics is essential. Make sure you understand why the VMI exists and what it hopes to achieve, what is in and out of scope for the VMI, what strengths the VMI can leverage and the obstacles it will have to address, and how it will work with other areas within your organization.

    Impact and Result

    • Build and implement a vendor management initiative tailored to your environment.
    • Create a solid foundation to sustain your vendor management initiative as it evolves and matures.
    • Leverage vendor management-specific tools and templates to manage vendors more proactively and improve communication.
    • Concentrate your vendor management resources on the right vendors.
    • Build a roadmap and project plan for your vendor management journey to ensure you reach your destination.
    • Build collaborative relationships with critical vendors.

    Jump Start Your Vendor Management Initiative Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should jump start a vendor management initiative, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Plan

    Organize your VMI and document internal processes, relationships, roles, and responsibilities. The main outcomes from this phase are organizational documents, a baseline VMI maturity level, and a desired future state for the VMI.

    • Jump Start Your Vendor Management Initiative – Phase 1: Plan
    • Jump – Phase 1 Tools and Templates Compendium

    2. Build

    Configure and create the tools and templates that will help you run the VMI. The main outcomes from this phase are a clear understanding of which vendors are important to you, the tools to manage the vendor relationships, and an implementation plan.

    • Jump Start Your Vendor Management Initiative – Phase 2: Build
    • Jump – Phase 2 Tools and Templates Compendium
    • Jump – Phase 2 Vendor Classification Tool
    • Jump – Phase 2 Vendor Risk Assessment Tool

    3. Run

    Begin operating the VMI. The main outcomes from this phase are guidance and the steps required to implement your VMI.

    • Jump Start Your Vendor Management Initiative – Phase 3: Run

    4. Review

    Identify what the VMI should stop doing, start doing, and continue doing as it improves and matures. The main outcomes from this phase are ways to advance the VMI and maintain internal alignment.

    • Jump Start Your Vendor Management Initiative – Phase 4: Review

    Infographic

    Workshop: Jump Start Your Vendor Management Initiative

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Plan

    The Purpose

    Getting Organized

    Key Benefits Achieved

    Defined Roles and Goals for the VMI

    Activities

    1.1 Mission Statement and Goals

    1.2 Scope

    1.3 Strengths and Obstacles

    1.4 Roles and Responsibilities – OIC Chart

    1.5 Process Mapping

    1.6 Vendor Inventory Tool (Overview)

    Outputs

    Completed Mission Statement and Goals

    List of Items In Scope and Out of Scope for the VMI

    List of Strengths and Obstacles for the VMI

    Completed OIC Chart

    Sample Process Map for One Process

    Begun Using Vendor Inventory Tool

    2 Plan/Build/Run

    The Purpose

    Build VMI Tools and Templates

    Key Benefits Achieved

    Configured Tools and Templates for the VMI Based on Its Roles and Goals

    Activities

    2.1 Maturity Assessment

    2.2 Structure and Job Descriptions

    2.3 Attributes of a Valuable Vendor

    2.4 Classification Model

    2.5 Risk Assessment Tool

    2.6 Scorecards and Feedback

    2.7 Business Alignment Meeting Agenda

    Outputs

    Completed Maturity Assessment.

    Sample Job Descriptions and Phrases.

    List of Attributes of a Valuable Vendor.

    Configured Classification Model.

    Configured Risk Assessment Tool.

    Configured Scorecard and Feedback Questions.

    Configured Business Alignment Meeting Agenda.

    3 Build/Run

    The Purpose

    Continue Building VMI Tools and Templates

    Key Benefits Achieved

    Configured Tools and Templates for the VMI Based on Its Roles and Goals

    Activities

    3.1 Relationship Alignment Document

    3.2 Vendor Orientation

    3.3 Policies and Procedures

    3.4 3-Year Roadmap

    3.5 90-Day Plan

    3.6 Quick Wins

    3.7 Reports

    3.8 Kickoff Meeting

    Outputs

    Relationship Alignment Document Sample and Checklist

    Vendor Orientation Checklist

    Policies and Procedures Checklist

    Completed 3-Year Roadmap

    Completed 90-Day Plan

    List of Quick Wins

    List of Reports

    4 Review

    The Purpose

    Review the Past 12 Months of VMI Operations and Improve

    Key Benefits Achieved

    Keeping the VMI Aligned With the Organization’s Goals and Ensuring the VMI Is Leveraging Leading Practices

    Activities

    4.1 Develop/Improve Vendor Relationships.

    4.2 Assess Compliance.

    4.3 Incorporate Leading Practices.

    4.4 Leverage Lessons Learned.

    4.5 Maintain Internal Alignment.

    4.6 Update Governances.

    Outputs

    Further reading

    Jump Start Your Vendor Management Initiative

    Create and implement a vendor management framework to begin obtaining measurable results in 90 days.

    EXECUTIVE BRIEF

    Analyst Perspective

    What is vendor management?

    When you read the phrase “vendor management,” what comes to mind? This isn’t a rhetorical question. Take your time … I’ll wait.

    Unfortunately, those words conjure up a lot of different meanings, and much of that depends on whom you ask. Those who work in the vendor management field will provide a variety of answers. To complicate matters, those who are vendor management “outsiders” will have a totally different view of what vendor management is. Why is this important? Because we need a common definition to communicate more effectively, even if the definition is broad.

    Let’s start creating a working definition that is not circular. Vendor management is not simply managing vendors. That expression basically reorders the words and does nothing to advance our cause; it only adds to the existing confusion surrounding the concept.

    Vendor management is best thought of as a spectrum or continuum with many points rather than a specific discipline like accounting or finance. There are many functions and activities that fall under the umbrella term of vendor management: some of them will be part of your vendor management initiative (VMI), some will not, and some will exist in your organization but be outside the VMI. This is the unique part of vendor management – the part that makes it fun, but also the part that leads to the confusion. For example, accounts payable sits within the accounting department almost exclusively, but contract management can sit within or outside the VMI. The beauty of vendor management is its flexibility; your VMI can be created to meet your specific needs and goals while leveraging common vendor management principles.

    Every conversation around vendor management needs to begin with “What do you mean by that?” Only then can we home in on the scope and nature of what people are discussing. “Managing vendors” is too narrow because it often ignores many of the reasons organizations create VMIs in the first place: to reduce costs, to improve performance, to improve processes, to improve relationships, to improve communication, and to manage risk better.

    Vendor management is a strategic initiative that takes the big picture into account … navigating the cradle to grave lifecycle to get the most out of your interactions and relationships with your vendors. It is flexible and customizable; it is not plug and play or overly prescriptive. Tools, principles, templates, and concepts are adapted rather than adopted as is. Ultimately, you define what vendor management is for your organization.

    We look forward to helping you on your vendor management journey no matter what it looks like. But first, let’s have a conversation about how you want to define vendor management in your environment.

    This is a picture of Phil Bode, Principal  Research Director, Vendor Management at Info-Tech Research Group.

    Phil Bode
    Principal Research Director, Vendor Management
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Each year, IT organizations “outsource” tasks, activities, functions, and other items. During 2021:

    • Spend on as-a-service providers increased 38% over 2020.*
    • Spend on managed service providers increased 16% over 2020.*
    • IT service providers increased their merger and acquisition numbers by 47% over 2020.*

    *Source: Information Services Group, Inc., 2022.

    This leads to more spend, less control, and more risk for IT organizations. Managing this becomes a higher priority for IT, but many IT organizations are ill-equipped to do this proactively.

    Common Obstacles

    As new contracts are negotiated and existing contracts are renegotiated or renewed, there is a perception that the contracts will yield certain results, output, performance, solutions, or outcomes. The hope is that these will provide a measurable expected value to IT and the organization. Oftentimes, much of the expected value is never realized. Many organizations don’t have a VMI to help:

    • Ensure at least the expected value is achieved.
    • Improve on the expected value through performance management.
    • Significantly increase the expected value through a proactive VMI.

    Info-Tech’s Approach

    Vendor management is a proactive, cross-functional lifecycle. It can be broken down into four phases:

    • Plan
    • Build
    • Run
    • Review

    The Info-Tech process addresses all four phases and provides a step-by-step approach to configure and operate your VMI. The content in this blueprint helps you quickly establish your VMI and set a solid foundation for its growth and maturity.

    Info-Tech Insight

    Vendor management is not a one-size-fits-all initiative. It must be configured:

    • For your environment, culture, and goals.
    • To leverage the strengths of your organization and personnel.
    • To focus your energy and resources on your critical vendors.

    Executive Summary

    Your Challenge

    Spend on managed service providers and as-a-service providers continues to increase. In addition, IT services vendors continue to be active in the mergers and acquisitions arena. This increases the need for a VMI to help with the changing IT vendor landscape. In 2021, there was increases of:

    38%

    Spend on As-a-Service Providers

    16%

    Spend on Managed Services Providers

    47%

    IT Services Merger & Acquisition Growth (Transactions)

    Source: Information Services Group, Inc., 2022.

    Executive Summary

    Common Obstacles

    When organizations execute, renew, or renegotiate a contract, there is an “expected value” associated with that contract. Without a robust VMI, most of the expected value will never be realized. With a robust VMI, the realized value significantly exceeds the expected value during the contract term.

    A contract’s realized value with and without a vendor management initiative

    Two bars are depicted, showing that vendor collaboration and vendor performance management exceed expected value with a VMI, but without VMI, 75% of a contract's expected value can disappear within 18 months.

    Source: Based on findings from Geller & Company, 2003.

    Executive Summary

    Info-Tech’s Approach

    A sound, cyclical approach to vendor management will help you create a VMI that meets your needs and stays in alignment with your organization as they both change (i.e. mature and grow).

    This is an image of Info-Tech's approach to VMI.  It includes the following four steps: 01 - Plan; 02 - Build; 03 - Run; 04 - Review

    Info-Tech’s Methodology for Creating and Operating Your VMI

    Phase 1: Plan Phase 2: Build Phase 3: Run Phase 4: Review

    Phase Steps

    1.1 Mission Statement and Goals
    1.2 Scope
    1.3 Strengths and Obstacles
    1.4 Roles and Responsibilities
    1.5 Process Mapping
    1.6 Charter
    1.7 Vendor Inventory
    1.8 Maturity Assessment
    1.9 Structure

    2.1 Classification Model
    2.2 Risk Assessment Tool
    2.3 Scorecards and Feedback
    2.4 Business Alignment Meeting Agenda
    2.5 Relationship Alignment Document
    2.6 Vendor Orientation
    2.7 Job Descriptions
    2.8 Policies and Procedures
    2.9 3-Year Roadmap
    2.10 90-Day Plan
    2.11 Quick Wins
    2.12 Reports

    3.1 Classify Vendors
    3.2 Conduct Internal “Kickoff” Meeting
    3.3 Conduct Vendor Orientation
    3.4 Compile Scorecards
    3.5 Conduct Business Alignment Meetings
    3.6 Work the 90-Day Plan
    3.7 Manage the 3-Year Roadmap
    3.8 Measure and Monitor Risk
    3.9 Issue Reports
    3.10 Develop/Improve Vendor Relationships
    3.11 Contribute to Other Processes

    4.1 Assess Compliance
    4.2 Incorporate Leading Practices
    4.3 Leverage Lessons Learned
    4.4 Maintain Internal Alignment
    4.5 Update Governances

    Phase Outcomes

    This phase helps you organize your VMI and document internal processes, relationships, roles, and responsibilities. The main outcomes from this phase are organizational documents, a baseline VMI maturity level, and a desired future state for the VMI. This phase helps you configure and create the tools and templates that will help you run the VMI. The main outcomes from this phase are a clear understanding of which vendors are important to you, the tools to manage the vendor relationships, and an implementation plan. This phase helps you begin operating the VMI. The main outcomes from this phase are guidance and the steps required to implement your VMI. This phase helps the VMI identify what it should stop doing, start doing, and continue doing as it improves and matures. The main outcomes from this phase are ways to advance the VMI and maintain internal alignment.

    Insight Summary

    Insight 1

    Vendor management is not “plug and play” – each organization’s vendor management initiative (VMI) needs to fit its culture, environment, and goals. While there are commonalities and leading practices associated with vendor management, your initiative won’t look exactly like another organization’s. The key is to adapt vendor management principles to fit your needs.

    Insight 2

    All vendors are not of equal importance to your organization. Internal resources are a scarce commodity and should be deployed so that they provide the best return on the organization’s investment. Classifying or segmenting your vendors allows you to focus your efforts on the most important vendors first, allowing your VMI to have the greatest impact possible.

    Insight 3

    Having a solid foundation is critical to the VMI’s ongoing success. Whether you will be creating a formal vendor management office or using vendor management techniques, tools, and templates “informally,” starting with the basics is essential. Make sure you understand why the VMI exists and what it hopes to achieve, what is in and out of scope for the VMI, what strengths the VMI can leverage and the obstacles it will have to address, and how it will work with other areas within your organization.

    Blueprint Deliverables

    The four phases of creating and running a vendor management initiative are supported with configurable tools, templates, and checklists to help you stay aligned internally and achieve your goals.

    VMI Tools and Templates

    This image contains two screenshots of Info-Tech's VMI Tools and Templates

    Build a solid foundation for your VMI and configure tools and templates to help you manage your vendor relationships.

    Key Deliverables:

    1. Jump – Phase 1 Tools and Templates Compendium
    2. Jump – Phase 2 Tools and Templates Compendium
    3. Jump – Phase 2 Vendor Classification Tool
    4. Jump – Phase 2 Vendor Risk Assessment Tool

    A suite of tools and templates to help you create and implement your vendor management initiative.

    Blueprint benefits

    IT Benefits

    • Identify and manage risk proactively.
    • Reduce costs and maximize value.
    • Increase visibility with your critical vendors.
    • Improve vendor performance.
    • Create a collaborative environment with key vendors.
    • Segment vendors to allocate resources more effectively and more efficiently.

    Business Benefits

    • Improve vendor accountability.
    • Increase collaboration between departments.
    • Improve working relationships with your vendors.
    • Create a feedback loop to address vendor or customer issues before they get out of hand or are more costly to resolve.
    • Increase access to meaningful data and information regarding important vendors.

    Establish Baseline Metrics

    Baseline metrics will be improved through:

    Using the Maturity Assessment and 90-Day Plan tools, track how well you are able to achieve your goals and objectives:

    • Did you meet the targeted maturity level for each maturity category as determined by the point system?
    • Did you finish each activity in the 90-Day Plan completely and on time?
    1-Year Maturity Roadmap(by Category) Target Maturity (Total Points) Actual Maturity (Total Points)
    Contracts 12 12
    Risk 8 7
    Vendor Selection 9 9
    Vendor Relationships 21 21
    VMI Operations 24 16
    90-Day Plan (by Activity) Activity Completed
    Finalize mission and goals; gain executive approval Yes
    Finalize OIC chart; gain buy-in from other departments Yes
    Classify top 40 vendors by spend Yes
    Create initial scorecard Yes
    Develop the business alignment meeting agenda Yes
    Conduct two business alignment meetings No
    Update job descriptions Yes
    Map two VMI processes No

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1 Phases 2 & 3 Phase 4

    Call #1: Mission statement and goals, scope, and strengths and obstacles.

    Call #5: Classification model.

    Call #9: Policies and procedures and reports.

    Call #12: Assess compliance, incorporate leading practices, leverage lessons learned, maintain internal alignment, and update governances.

    Call #2: Roles and responsibilities and process mapping.

    Call #6: Risk assessment.

    Call #10: 3-year roadmap.

    Call #3: Charter and vendor inventory.

    Call #7: Scorecards and feedback and business alignment meetings.

    Call #11: 90-day plan and quick wins.

    Call #4: Maturity assessment and VMI structure.

    Call #8: Relationship alignment document, vendor orientation, and job descriptions.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Day 1 Day 2 Day 3 Day 4
    Plan Plan/Build/Run Build/Run Review

    Activities

    1.1 Mission Statement and Goals
    1.2 Scope
    1.3 Strengths and Obstacles
    1.4 Roles and Responsibilities
    1.5 Process Mapping
    1.6 Charter
    1.7 Vendor Inventory
    1.8 Maturity Assessment
    1.9 Structure

    2.1 Classification Model
    2.2 Risk Assessment Tool
    2.3 Scorecards and Feedback
    2.4 Business Alignment Meeting Agenda
    2.5 Relationship Alignment Document
    2.6 Vendor Orientation
    2.7 Job Descriptions
    2.8 Policies and Procedures
    2.9 3-Year Roadmap
    2.10 90-Day Plan
    2.11 Quick Wins
    2.12 Reports

    3.1 Classify Vendors
    3.2 Conduct Internal “Kickoff” Meeting
    3.3 Conduct Vendor Orientation
    3.4 Compile Scorecards
    3.5 Conduct Business Alignment Meetings
    3.6 Work the 90-Day Plan
    3.7 Manage the 3-Year Roadmap
    3.8 Measure and Monitor Risk
    3.9 Issue Reports
    3.10 Develop/Improve Vendor Relationships
    3.11 Contribute to Other Processes

    4.1 Assess Compliance
    4.2 Incorporate Leading Practices
    4.3 Leverage Lessons Learned
    4.4 Maintain Internal Alignment
    4.5 Update Governances

    Deliverables

    1. Completed Mission Statement and Goals
    2. List of Items In Scope and Out of Scope for the VMI
    3. List of Strengths and Obstacles for the VMI
    4. Completed OIC Chart
    5. Sample Process Map for One Process
    6. Vendor Inventory tab
    1. Completed Maturity Assessment
    2. Sample Job Descriptions and Phrases
    3. List of Attributes of a Valuable Vendor
    4. Configured Classification Model
    5. Configured Risk Assessment Tool
    6. Configured Scorecard and Feedback Questions
    7. Configured Business Alignment Meeting Agenda
    1. Relationship Alignment Document Sample and Checklist
    2. Vendor Orientation Checklist
    3. Policies and Procedures Checklist
    4. Completed 3-Year Roadmap
    5. Completed 90-Day Plan
    6. List of Quick Wins
    7. List of Reports

    Phase 1: Plan

    Get Organized

    1.1 Mission Statement and Goals
    1.2 Scope
    1.3 Strengths and Obstacles
    1.4 Roles and Responsibilities
    1.5 Process Mapping
    1.6 Charter
    1.7 Vendor Inventory
    1.8 Maturity Assessment
    1.9 Structure

    Phase 1 Phase 2 Phase 3 Phase 4
    1.1 Mission Statement and Goals
    1.2 Scope
    1.3 Strengths and Obstacles
    1.4 Roles and Responsibilities
    1.5 Process Mapping
    1.6 Charter
    1.7 Vendor Inventory
    1.8 Maturity Assessment
    1.9 Structure

    2.1 Classification Model
    2.2 Risk Assessment Tool
    2.3 Scorecards and Feedback
    2.4 Business Alignment Meeting Agenda
    2.5 Relationship Alignment Document
    2.6 Vendor Orientation
    2.7 Job Descriptions
    2.8 Policies and Procedures
    2.9 3-Year Roadmap
    2.10 90-Day Plan
    2.11 Quick Wins
    2.12 Reports

    3.1 Classify Vendors
    3.2 Conduct Internal “Kickoff” Meeting
    3.3 Conduct Vendor Orientation
    3.4 Compile Scorecards
    3.5 Conduct Business Alignment Meetings
    3.6 Work the 90-Day Plan
    3.7 Manage the 3-Year Roadmap
    3.8 Measure and Monitor Risk
    3.9 Issue Reports
    3.10 Develop/Improve Vendor Relationships
    3.11 Contribute to Other Processes

    4.1 Assess Compliance
    4.2 Incorporate Leading Practices
    4.3 Leverage Lessons Learned
    4.4 Maintain Internal Alignment
    4.5 Update Governances

    This phase will walk you through the following activities:

    Organize your VMI and document internal processes, relationships, roles, and responsibilities. The main outcomes from this phase are organizational documents, a baseline VMI maturity level, and a desired future state for the VMI.

    This phase involves the following participants:

    • VMI team
    • Applicable stakeholders and executives
    • Procurement/Sourcing
    • IT
    • Others as needed

    Jump Start Your Vendor Management Initiative

    Phase 1: Plan

    Get organized.

    Phase 1: Plan focuses on getting organized. Foundational elements (mission statement, goals, scope, strengths and obstacles, roles and responsibilities, and process mapping) will help you define your VMI. These and the other elements of this Phase will follow you throughout the process of standing up your VMI and running it.

    Spending time up front to ensure that everyone is on the same page will help avoid headaches down the road. The tendency is to skimp (or even skip) on these steps to get to “the good stuff.” To a certain extent, the process provided here is like building a house. You wouldn’t start building your dream home without having a solid blueprint. The same is true with vendor management. Leveraging vendor management tools and techniques without the proper foundation may provide some benefit in the short term, but in the long term it will ultimately be a house of cards waiting to collapse.

    Step 1.1: Mission statement and goals

    Identify why the VMI exists and what it will achieve.

    Whether you are starting your vendor management journey or are already down the path, it is important to know why the vendor management initiative exists and what it hopes to achieve. The easiest way to document this is with a written declaration in the form of a mission statement and goals. Although this is the easiest way to proceed, it is far from easy.

    The mission statement should identify at a high level the nature of the services provided by the VMI, who it will serve, and some of the expected outcomes or achievements. The mission statement should be no longer than one or two sentences.

    The complement to the mission statement is the list of goals for the VMI. Your goals should not be a reassertion of your mission statement in bullet format. At this stage it may not be possible to make them SMART (Specific, Measurable, Achievable/Attainable, Relevant, Time-Bound/Time-Based), but consider making them as SMART as possible. Without some of the SMART parameters attached, your goals are more like dreams and wishes. At a minimum, you should be able to determine the level of success achieved for each of the VMI goals.

    Although the VMI’s mission statement will stay static over time (other than for significant changes to the VMI or organization as a whole), the goals should be re-evaluated periodically using a SMART filter and adjusted as needed.

    1.1.1: Mission statement and goals

    20-40 minutes

    1. Meet with the participants and use a brainstorming activity to list on a whiteboard or flip chart the reasons why the VMI will exist.
    2. Review external mission statements for inspiration.
    3. Review internal mission statements from other areas to ensure consistency.
    4. Draft and document your mission statement in the Phase 1 Tools and Templates Compendium, Tab 1.1 Mission Statement and Goals.
    5. Continue brainstorming and identify the high-level goals for the VMI.
    6. Review the list of goals and make them as SMART (Specific, Measurable, Achievable/Attainable, Relevant, Time-Bound/Time-Based) as possible.
    7. Document your goals in the Phase 1 Tools and Templates Compendium, Tab 1.1 Mission Statement and Goals.
    8. Obtain sign-off on the mission statement and goals from stakeholders and executives as required.

    Input

    • Brainstorming results
    • Mission statements from other internal and external sources

    Output

    • Completed mission statement and goals

    Materials

    • Whiteboard/Flip Charts
    • Jump – Phase 1 Tools and Templates Compendium, Tab 1.1 Mission Statement and Goals

    Participants

    • VMI team
    • Applicable stakeholders and executives (as needed)

    Step 1.2: Scope

    Determine what is in scope and out of scope for the VMI

    Regardless of where your VMI resides or how it operates, it will be working with other areas within your organization. Some of the activities performed by the VMI will be new and not currently handled by other groups or individuals internally; at the same time, some of the activities performed by the VMI may be currently handled by other groups or individuals internally. In addition, executives, stakeholders, and other internal personnel may have expectations or make assumptions about the VMI. As a result, there can be a lot of confusion about what the VMI does and doesn’t do, and the answers cannot always be found in the VMI’s mission statement and goals.

    One component of helping others understand the VMI landscape is formalizing the VMI scope. The scope will define boundaries for the VMI. The intent is not to fence itself off and keep others out but provide guidance on where the VMI’s territory begins and ends. Ultimately, this will help clarify the VMI’s roles and responsibilities, improve workflow, and reduce errant assumptions.

    When drafting your VMI scoping document, make sure you look at both sides of the equation (similar to what you would do when following best practices for a statement of work): Identify what is in scope and what is out of scope. Be specific when describing the individual components of the VMI scope, and make sure executives and stakeholders are on board with the final version.

    1.2.1: Scope

    20-40 minutes

    1. Meet with the participants and use a brainstorming activity to list on a whiteboard or flip chart the activities and functions in scope and out of scope for the VMI.
      1. Be specific to avoid ambiguity and improve clarity.
      2. Go back and forth between in scope and out of scope as needed; it is not necessary to list all of the in-scope items and then turn your attention to the out-of-scope items.
    2. Review the lists to make sure there is enough specificity. An item may be in scope or out of scope but not both.
    3. Use the Phase 1 Tools and Templates Compendium, Tab 1.2 Scope, to document the results.
    4. Obtain sign-off on the scope from stakeholders and executives as required.

    Input

    • Brainstorming
    • Mission statement and goals

    Output

    • Completed list of items in and out of scope for the VMI

    Materials

    • Whiteboard/Flip Charts
    • Jump – Phase 1 Tools and Templates Compendium, Tab 1.2 Scope

    Participants

    • VMI team
    • Applicable stakeholders and executives (as needed)

    Step 1.3: Strengths and obstacles

    Pinpoint the VMI’s strengths and obstacles.

    A SWOT analysis (strengths, weaknesses, opportunities, and threats) is a valuable tool, but it is overkill for your VMI at this point. However, using a modified and simplified form of this tool (strengths and obstacles) will yield significant results and benefit the VMI as it grows and matures.

    Your output will be two lists: the strengths associated with the VMI and the obstacles facing the VMI. For example, strengths could include items such as smart people working within the VMI and executive support. Obstacles could include items such as limited headcount and training required for VMI staff.

    The goals are 1) to harness the strengths to help the VMI be successful and 2) to understand the impact of the obstacles and plan accordingly. The output can also be used to enlighten executives and stakeholders about the challenges associated with their directives or requests (e.g. human bandwidth may not be sufficient to accomplish some of the vendor management activities and there is a moratorium on hiring until the next budget year).

    For each strength identified, determine how you will or can leverage it when things are going well or when the VMI is in a bind. For each obstacle, list the potential impact on the VMI (e.g. scope, growth rate, and number of vendors that can actively be part of the VMI).

    As you do your brainstorming, be as specific as possible and validate your lists with stakeholders and executives as needed.

    1.3.1: Strengths and obstacles

    20-40 minutes

    1. Meet with the participants and use a brainstorming activity to list on a whiteboard or flip chart the VMI’s strengths and obstacles.
      1. Be specific to avoid ambiguity and improve clarity.
      2. Go back and forth between strengths and obstacles as needed; it is not necessary to list all of the strengths and then turn your attention to the obstacles.
      3. It is possible for an item to be a strength and an obstacle; when this happens, add details to distinguish the situations.
    2. Review the lists to make sure there is enough specificity.
    3. Determine how you will leverage each strength and how you will manage each obstacle.
    4. Use the Phase 1 Tools and Templates Compendium, Tab 1.3 Strengths and Obstacles, to document the results.
    5. Obtain sign-off on the strengths and obstacles from stakeholders and executives as required.

    Download the Info-Tech Jump – Phase 1 Tools and Templates Compendium

    Input

    • Brainstorming
    • Mission statement and goals
    • Scope

    Output

    • Completed list of items impacting the VMI’s ability to be successful: strengths the VMI can leverage and obstacles the VMI must manage

    Materials

    • Whiteboard/Flip Charts
    • Jump – Phase 1 Tools and Templates Compendium, Tab 1.3 Strengths and Obstacles

    Participants

    • VMI team
    • Applicable stakeholders and executives (as needed)

    Step 1.4: Roles and responsibilities

    Obtain consensus on who is responsible for what.

    One crucial success factor for VMIs is gaining and maintaining internal alignment. There are many moving parts to an organization, and a VMI must be clear on the various roles and responsibilities related to the relevant processes. Some of this information can be found in the VMI’s scope, referenced in Step 1.2, but additional information is required to avoid stepping on each other’s toes since many of the processes require internal departments to work together. (For example, obtaining requirements for a request for proposal takes more than one person or one department to complete this process.) While it is not necessary to get too granular, it is imperative that you have a clear understanding of how the VMI activities will fit within the larger vendor management lifecycle (which is comprised of many sub processes) and who will be doing what.

    As we have learned through our workshops and guided implementations, a traditional RACI* or RASCI* chart does not work well for this purpose. These charts are not intuitive, and they lack the specificity required to be effective. For vendor management purposes, a higher-level view and a slightly different approach provide much better results.

    This step will lead your through the creation of an OIC* chart to determine vendor management lifecycle roles and responsibilities. Afterward, you’ll be able to say, “Oh, I see clearly who is involved in each part of the process and what their role is.”

    *RACI – Responsible, Accountable, Consulted, Informed
    *RASCI – Responsible, Accountable, Support, Consulted, Informed
    *OIC – Owner, Informed, Contributor

    This is an image of a table which shows an example of which role would be responsible for which step

    Step 1.4: Roles and responsibilities (cont.)

    Obtain consensus on who is responsible for what.

    To start, define the vendor management lifecycle steps or process applicable to your VMI. Next, determine who participates in the vendor management lifecycle. There is no need to get too granular – think along the lines of departments, subdepartments, divisions, agencies, or however you categorize internal operational units. Avoid naming individuals other than by title; this typically happens when a person oversees a large group (e.g. the CIO [chief information officer] or the CPO [chief procurement officer]). Be thorough, but the chart can get out of hand quickly. For each role and step of the lifecycle, ask whether the entry is necessary – does it add value to the clarity of understanding the responsibilities associated with the vendor management lifecycle? Consider two examples, one for roles and one for lifecycle steps: 1) Is IT sufficient or do you need IT Operations and IT Development? 2) Is “negotiate contract documents” sufficient or do you need “negotiate the contract” and “negotiate the renewal”? The answer will always depend on your culture and environment, but be wary of creating a spreadsheet that requires an 85-inch monitor to view it in its entirety.

    After defining the roles (departments, divisions, agencies) and the vendor management lifecycle steps or process, assign one of three letters to each box in your chart:

    • O – Owner – who owns the process; they may also contribute to it.
    • I – Informed – who is informed about the progress or results of the process.
    • C – Contributor – who contributes or works on the process; it can be tangible or intangible contributions.

    This activity can be started by the VMI or done as a group with representatives from each of the named roles. If the VMI starts the activity, the resulting chart should be validated by the each of the named roles.

    1.4.1: Roles and responsibilities

    1-6 hours

    1. Meet with the participants and configure the OIC Chart in the Jump – Phase 1 Tools and Templates Compendium, Tab 1.4 OIC Chart.
      1. Review the steps or activities across the top of the chart and modify as needed.
      2. Review the roles listed along the left side of the chart and modify as needed.
    2. For each activity or step across the top of the chart, assign each role a letter – O for owner of that activity or step; I for informed; or C for contributor. Use only one letter per cell.
    3. Work your way across the chart. Every cell should have an entry or be left blank if it is not applicable.
    4. Review the results and validate that every activity or step has an O assigned to it; there must be an owner for every activity or step.
    5. Obtain sign-off on the OIC chart from stakeholders and executives as required.

    Download the Info-Tech Jump – Phase 1 Tools and Templates Compendium

    Input

    • A list of activities or steps to complete a project, starting with requirements gathering and ending with ongoing risk management
    • A list of internal areas (departments, divisions, agencies, etc.) and stakeholders that contribute to completing a project

    Output

    • Completed OCI chart indicating roles and responsibilities for the VMI and other internal areas

    Materials

    • Jump – Phase 1 Tools and Templates Compendium, Tab 1.4 OIC Chart

    Participants

    • VMI team
    • Procurement/Sourcing
    • IT
    • Representatives from other areas as needed
    • Applicable stakeholders and executives as needed

    Step 1.5: Process mapping

    Diagram the workflow.

    Although policies and procedures are important, their nature can make it difficult to grasp how things work at a high level (or even at the detail level). To help bridge the gap, map the applicable processes (determined by how deep and wide you want to go) involving the VMI. To start, look at the OIC chart from Step 1.4. You can expand the breadth and depth of your mapping to include the VMI scope, the 3-year roadmap (see Step 2.9), and the processes driven by the day-to-day work within the VMI.

    Various mapping tools can be used. Three common approaches that can be mixed and matched are:

    • Traditional flowcharts.
    • Swimlane diagrams.
    • Work breakdown structures.
    This is an example of a Workflow Process Map

    Step 1.5: Process mapping (cont.)

    Diagram the workflow.

    Your goal is not to create an in-depth diagram for every step of the vendor management lifecycle. However, for steps owned by the VMI, the process map should include sufficient details for the owner and the contributors (see Step 1.4) to understand what is required of them to support that step in the lifecycle.

    For VMI processes that don’t interact with other departments, follow the same pattern as outlined above for steps owned by the VMI.

    Whatever methodology you use to create your process map, make sure it includes enough details so that readers and users can identify the following elements:

    • Input:
      • What are the inputs?
      • Where do the inputs originate or come from?
    • Process:
      • Who is involved/required for this step?
      • What happens to the inputs in this step?
      • What additional materials, tools, or resources are used or required during this step?
    • Output:
      • What are the outputs?
      • Where do the outputs go next?

    1.5.1: Process Mapping

    1-8 hours (or more)

    1. Meet with the participants and determine which processes you want to map.
      1. For processes owned by the VMI, map the entire process.
      2. For processes contributed to by the VMI, map the entire process at a high level and map the VMI portion of the process in greater detail.
    2. Select the right charts/diagrams for your output.
      1. Flowchart
      2. Swimlane diagram
      3. Modified SIPOC (Supplier, Input, Process, Output, Customer)
      4. WBS (work breakdown structure)
    3. Begin mapping the processes either in a tool or using sticky notes. You want to be able to move the steps and associated information easily; most people don’t map the entire process accurately or with sufficient detail the first time through. An iterative approach works best.
    4. Obtain signoff on the process maps from stakeholders and executives as required. A copy of the final output can be kept in the Jump – Phase 1 Tools and Templates Compendium, Tab 1.5 Process Mapping, if desired.

    Download the Info-Tech Jump – Phase 1 Tools and Templates Compendium

    Input

    • Existing processes (formal, informal, documented, and undocumented)
    • OIC chart

    Output

    • Process maps for processes contributed to or owned by the VMI

    Materials

    • Sticky Notes
    • Flowchart/process mapping software or something similar
    • (Optional) Jump – Phase 1 Tools and Templates Compendium, Tab 1.5 Process Mapping

    Participants

    • VMI team
    • Procurement/Sourcing
    • IT
    • Representatives from other areas as needed
    • Applicable stakeholders and executives (as needed)

    Step 1.6: Charter

    Document how the VMI will operate.

    As you continue getting organized by working through steps 1.1-1.5, you may want to document your progress in a charter and add some elements. Basically, a charter is a written document laying out how the VMI will operate within the organization. It clearly states the VMI’s mission, goals, scope, roles and responsibilities, and vendor governance model. In addition, it can include a list of team members and sponsors.

    Whether you create a VMI charter will largely depend on:

    • Your organization’s culture.
    • Your organization’s formality.
    • The perceived value of creating a charter.

    If you decide to create a VMI charter, this is a good place in the process to create an initial draft. As you continue working through the blueprint and your VMI matures, update the VMI charter as needed.

    VMI Charter:

    • Purpose
    • Sponsors
    • Roles
    • Responsibilities
    • Governance

    1.6.1: Charter

    1-4 hours

    1. Meet with the participants and review the template in Jump – Phase 1 Tools and Templates Compendium, Tab 1.6 Charter.
    2. Determine whether the participants will use this template or add materials to your standard charter template.
    3. Complete as much of the charter as possible, knowing that some information may not be available until later.
    4. Return to the charter as needed until it is completed.
    5. Obtain sign-off on the charter from stakeholders and executives as required.

    Download the Info-Tech Jump – Phase 1 Tools and Templates Compendium

    Input

    • Mission statement and goals
    • Scope
    • Strengths and obstacles
    • OIC chart
    • List of stakeholders and executives and their VMI roles and responsibilities

    Output

    • Completed VMI charter

    Materials

    • Jump – Phase 1 Tools and Templates Compendium, Tab 1.6 Charter
    • Your organization’s standard charter document

    Participants

    • VMI team
    • Applicable stakeholders and executives (as needed)

    Step 1.7: Vendor inventory

    Compile a list of vendors and relevant vendor information.

    As you prepare your VMI for being operational, it’s critical to identify all of your current vendors providing IT products or services to the organization. This can be tricky and may depend on how you view things internally. For example, you may have traditional IT vendors that are managed by IT, and you may have IT vendors that are managed by other internal departments (shadow IT or out-in-the-open IT). If it wasn’t determined with the help of stakeholders and executives before now, make sure you establish the purview of the VMI at this point. What types of vendors are included and excluded from the VMI?

    You may find that a vendor can be included and excluded based on the product or service they provide. A vendor may provide a service that is managed by IT and a service that is managed/controlled by another department. In this instance, a good working relationship and clearly defined roles and responsibilities between the VMI and the other department will be required. But, it all starts with compiling a list of vendors and validating the VMI’s purview (and any limitations) for the vendors with stakeholders and executives.

    Step 1.7: Vendor inventory (cont.)

    Compile a list of vendors and relevant vendor information.

    At a minimum, the VMI should be able to quickly retrieve key information about each of “its” vendors:

    • Vendor Name
    • Classification (see Steps 2.1 and 3.1)
    • Categories of Service
    • Names of Products and Services Provided
    • Brief Descriptions of Products and Services Provided
    • Annualized Vendor Spend
    • Vendor Contacts
    • Internal Vendor Relationship Owner

    Not all of this information will be available at this point, but you can begin designing or configuring your tool to meet your needs. As your VMI enters Phase 3: Run and continues to mature, you will return to this tool and update the information. For example, the vendor classification category won’t be known until Phase 3, and it can change over time.

    1.7.1: Vendor inventory

    1-10 hours

    Meet with the participants and review the Jump – Phase 1 Tools and Templates Compendium, Tab 1.7 Vendor Inventory. Determine whether the VMI wants to collect and/or monitor additional information and make any necessary modifications to the tool.

    Enter the “Annual IT Vendor Spend” amount in the appropriate cell toward the top of the spreadsheet. This is for IT spend for vendor-related activities within the VMI’s scope; include shadow IT spend and “non-shadow” IT spend if those vendors will be included in the VMI’s scope.

    Populate the data fields for your top 50 vendors by annual spend; you may need multiple entries for the same vendor depending on the nature of the products and services they provide.

    Ignore the “Classification” column for now; you will return to this later when classification information is available.

    Ignore the “Percentage of IT Budget” column as well; it uses a formula to calculate this information.

    Input

    • Data from various internal and external sources such as accounts payable, contracts, and vendor websites

    Output

    • List of vendors with critical information required to manage relationships with key vendors

    Materials

    • Jump – Phase 1 Tools and Templates Compendium, Tab 1.7 Vendor Inventory

    Participants

    • VMI team (directly)
    • Other internal and external personnel (indirectly)

    Download the Info-Tech Jump – Phase 1 Tools and Templates Compendium

    Step 1.8: Maturity assessment

    Establish a VMI maturity baseline and set an ideal future state.

    Knowing where you are and where you want to go are essential elements for any journey in the physical world, and the same holds true for your VMI journey. Start by assessing your current-state VMI maturity. This will provide you with a baseline to measure progress against. Next, using the same criteria, determine the level of VMI maturity you would like to achieve one year in the future. This will be your future-state VMI maturity. Lastly, identify the gaps and plot your course.

    The maturity assessment provides three main benefits:

    1. Focus – you’ll know what is important to you moving forward.
    2. 3-Year Roadmap (discussed more fully in Step 2.9) – you’ll have additional input for your short-term and long-term roadmap (1, 2, and 3 years out).
    3. Quantifiable Improvement – you’ll be able to measure your progress and make midcourse corrections when necessary.

    Step 1.8: Maturity assessment (cont.)

    Establish a VMI maturity baseline and set an ideal future state.

    The Info-Tech VMI Maturity Assessment tool evaluates your maturity across several criteria across multiple categories. Once completed, the assessment will specify:

    • A current-state score by category and overall.
    • A target-state score by category and overall.
    • A quantifiable gap for each criterion.
    • A priority assignment for each criterion.
    • A level of effort required by criterion to get from the current state to the target state.
    • A target due date by criterion for achieving the target state.
    • A rank order for each criterion (note: limit your ranking to your top 7 or 9).

    Many organizations will be tempted to mature too quickly. Resource constraints and other items from Step 1.3 (Strengths and Obstacles) will impact how quickly you can mature. Being aggressive is fine, but it must be tempered with a dose of reality. Otherwise, morale, perception, and results can suffer.

    1.8.1: Maturity assessment

    45-90 minutes

    1. Meet with the participants and use Jump – Phase 1 Tools and Templates Compendium, Tab 1.8 Maturity Assessment Input, to complete the first part of this activity. Provide the required information indicated below.
      1. Review each statement in column B and enter a value in the “Current” column using the drop-down menus based on how much you disagree or agree (0-4) with the statement. This establishes a baseline maturity.
      2. Repeat this process for the “Future” column using a target date of one year from now to achieve this level. This is your desired maturity.
      3. Enter information regarding priority, level of effort, and target due date in the applicable columns using the drop-down menus. (Priority levels are critical, high, medium, low, and maintain; Levels of Effort are high, medium, and low; Target Due Dates are broken into timelines: 1-3 months, 4-6 months, 7-9 months, and 10-12 months.)
    2. Review the information on Jump – Phase 1 Tools and Templates Compendium, Tab 1.8 Maturity Assessment Output; use the Distribution Tables to help you rank your top priorities. Enter a unique number into the Priority (Rank) column. Limit your ranking to the top 7 to 9 activities to provide focus.

    Input

    • Knowledge of current VMI practices and desired future states

    Output

    • VMI maturity baseline
    • Desired VMI target maturity state (in one year)
    • Prioritized areas to improve and due dates
    • Graphs and tables to identify maturity deltas and track progress

    Materials

    • Jump – Phase 1 Tools and Templates Compendium, Tab 1.8 Maturity Assessment Input
    • Jump – Phase 1 Tools and Templates Compendium, Tab 1.8 Maturity Assessment Output

    Participants

    • VMI team
    • Applicable stakeholders and executives (as needed)

    Step 1.9: Structure

    Determine the VMI’s organizational and reporting structure.

    There are two parts to the VMI structure:

    1. Organization Structure. Who owns the VMI – where does it fit on the organization chart?
    2. Reporting Structure. What is the reporting structure within the VMI – what are the job functions, titles, and solid and dotted lines of accountability?

    VMI Organization Structure

    The decision regarding who owns the VMI can follow one of two paths:

    1. The decision has already been made by the board of directors, executives, senior leadership, or stakeholders; OR
    2. The decision has not been made, and options will be reviewed and evaluated before it is implemented.

    Many organizations overlook the importance of this decision. The VMI’s position on the organization chart can aid or hinder its success. Whether the decision has already been made or not, this is the perfect time to evaluate the decision or options based on the following question: Why is the VMI being created and how will it operate? Review the documents you created during Steps 1.1-1.8 and other factors to answer this question.

    Step 1.9: Structure (cont.)

    Determine the VMI’s organizational and reporting structure.

    Based on your work product from Steps 1.1-1.8 and other factors, select where the VMI will be best located from the following areas/offices or their equivalent:

    • Chief Compliance Officer (CCO)
    • Chief Information Officer (CIO)
    • Chief Financial Officer (CFO)
    • Chief Procurement Officer (CPO)
    • Chief Operating Officer (COO)
    • Other area

    Without the proper support and placement in the organization chart, the VMI can fail. It is important for the VMI to find a suitable home with a direct connection to one of the sponsors identified above and for the VMI lead to have significant stature (aka title) within the organization. For example, if the VMI lead is a “manager” level who is four reporting layers away from the chief officer/sponsor, the VMI will have an image issue within and outside of the sponsor’s organization (as well as within the vendor community). While this is not to say that the VMI lead should be a vice president* or senior director, our experience and research indicate that the VMI and the VMI lead will be taken more seriously when the VMI lead is at least a director level reporting directly to a CXO.

    *For purposes of the example above, the reporting structure hierarchy used is manager, senior manager, director, senior director, vice president, CXO.

    Step 1.9: Structure (cont.)

    Determine the VMI’s organizational and reporting structure.

    VMI Reporting Structure

    As previously mentioned, the VMI reporting structure describes and identifies the job functions, titles, and lines of accountability. Whether you have a formal vendor management office or you are leveraging the principles of vendor management informally, your VMI reporting structure design will involve some solid lines and some dotted lines. In this instance, the dotted lines represent part-time participation or people/areas that will assist the VMI in some capacity. For example, if the VMI sits within IT, a dotted line to Procurement will show that a good working relationship is required for both parties to succeed; or a dotted line to Christina in Legal will indicate that Christina will be helping the VMI with legal issues.

    There is no one-size-fits-all reporting structure for VMIs, and your approach must leverage the materials from Steps 1.1-1.8, your culture, and your needs. By way of example, your VMI may include some or all of the following functions:

    • Contract Management
    • Relationship Management
    • Financial Management
    • Asset Management
    • Performance Management
    • Sourcing/Procurement
    • Risk Management

    Step 1.9: Structure (cont.)

    Determine the VMI’s organizational and reporting structure.

    Once you’ve identified the functional groups, you can assign titles, responsibilities, and reporting relationships. A good diagram goes a long way to helping others understand your organization. Traditional organization charts work well with VMIs, but a target diagram allows for rapid absorption of the dotted-line relationships. Review the two examples below and determine an approach that works best for you.

    An organizational Chart is depicted.  At the top of the chart is: Office of the CIO.  Below that is: VMI: Legal; Accounting & Finance; Corporate Procurement; below that are the following: Vendor Risk Management; Vendor Reporting and Analysis; Asset Management; Performance Management; Contract Management; IT Procurement Three concentric circles are depicted.  In the inner circle is the term: VMI.  In the middle circle are the terms: Reporting & Analysis; Asset Mgmt; Contract Mgmt; Performance Mgmt; It Proc; Vendor Risk.  In the outer circle are the following terms: Compliance; Finance; HR; Accounting; Procurement; Business Units; Legal; IT

    1.9.1: Structure

    15-60 minutes

    1. Meet with the participants and review decisions that have been made or options that are available regarding the VMI’s placement in the organization chart.
      1. Common options include the Chief Information Officer (CIO), Chief Financial Officer (CFO), or Chief Procurement Officer (CPO).
      2. Less common but viable options include the Chief Compliance Officer (CCO), Chief Operating Officer (COO), or another area.
    2. Brainstorm and determine the job functions and titles
    3. Define the reporting structure within the VMI.
    4. Identify the “dotted line” relationships between the VMI and other internal areas.
    5. Using flowchart, org. chart, or other similar software, reduce your results to a graphic representation that indicates where the VMI resides, its reporting structure, and its dotted-line relationships.
    6. Obtain sign-off on the structure from stakeholders and executives as required. A copy of the final output can be kept in the Jump – Phase 1 Tools and Templates Compendium, Tab 1.9 Structure, if desired.

    Input

    • Mission statement and goals
    • Scope
    • Maturity assessment results (current and target state)
    • Existing org. charts
    • Brainstorming

    Output

    • Completed org. chart with job titles and reporting structure

    Materials

    • Whiteboard/flip chart
    • Sticky notes
    • Flowchart/org. chart software or something similar
    • (Optional) Jump – Phase 1 Tools and Templates Compendium, Tab 1.9 Structure

    Participants

    • VMI team
    • VMI sponsor
    • Stakeholders and executives

    Phase 2: Build

    Create and Configure Tools, Templates, and Processes

    Phase 1Phase 2Phase 3Phase 4
    1.1 Mission Statement and Goals


    1.2 Scope

    1.3 Strengths and Obstacles

    1.4 Roles and Responsibilities

    1.5 Process Mapping

    1.6 Charter

    1.7 Vendor Inventory

    1.8 Maturity Assessment

    1.9 Structure

    2.1 Classification Model
    2.2 Risk Assessment Tool
    2.3 Scorecards and Feedback
    2.4 Business Alignment Meeting Agenda
    2.5 Relationship Alignment Document
    2.6 Vendor Orientation
    2.7 Job Descriptions
    2.8 Policies and Procedures
    2.9 3-Year Roadmap
    2.10 90-Day Plan
    2.11 Quick Wins
    2.12 Reports

    3.1 Classify Vendors
    3.2 Conduct Internal “Kickoff” Meeting
    3.3 Conduct Vendor Orientation
    3.4 Compile Scorecards
    3.5 Conduct Business Alignment Meetings
    3.6 Work the 90-Day Plan
    3.7 Manage the 3-Year Roadmap
    3.8 Measure and Monitor Risk
    3.9 Issue Reports
    3.10 Develop/Improve Vendor Relationships
    3.11 Contribute to Other Processes

    4.1 Assess Compliance
    4.2 Incorporate Leading Practices
    4.3 Leverage Lessons Learned
    4.4 Maintain Internal Alignment
    4.5 Update Governances

    This phase will walk you through the following activities:

    Configure and create the tools and templates that will help you run the VMI. The main outcomes from this phase are a clear understanding of which vendors are important to you, the tools to manage the vendor relationships, and an implementation plan.

    This phase involves the following participants:

    • VMI team
    • Applicable stakeholders and executives
    • Human Resources
    • Legal
    • Others as needed

    Jump Start Your Vendor Management Initiative

    Phase 2: Build

    Create and configure tools, templates, and processes.

    Phase 2: Build focuses on creating and configuring the tools and templates that will help you run your VMI. Vendor management is not a plug-and-play environment, and unless noted otherwise, the tools and templates included with this blueprint require your input and thought. The tools and templates must work in concert with your culture, values, and goals. That will require teamwork, insights, contemplation, and deliberation.

    During this Phase, you’ll leverage the various templates and tools included with this blueprint and adapt them for your specific needs and use. In some instances, you’ll be starting with mostly a blank slate; while in others, only a small modification may be required to make it fit your circumstances. However, it is possible that a document or spreadsheet may need heavy customization to fit your situation. As you create your VMI, use the included materials for inspiration and guidance purposes rather than as absolute dictates.

    Step 2.1: Classification model

    Configure the COST Vendor Classification Tool.

    One of the functions of a VMI is to allocate the appropriate level of vendor management resources to each vendor since not all vendors are of equal importance to your organization. While some people may be able intuitively to sort their vendors into vendor management categories, a more objective, consistent, and reliable model works best. Info-Tech’s COST model helps you assign your vendors to the appropriate vendor management category so that you can focus your vendor management resources where they will do the most good.

    COST is an acronym for Commodity, Operational, Strategic, and Tactical. Your vendors will occupy one of these vendor management categories, and each category helps you determine the nature of the resources allocated to that vendor, the characteristics of the relationship desired by the VMI, and the governance level used.

    The easiest way to think of the COST model is as a 2x2 matrix or graph. The model should be configured for your environment so that the criteria used for determining a vendor’s classification align with what is important to you and your organization. However, at this point in your VMI’s maturation, a simple approach works best. The Classification Model included with this blueprint requires minimal configuration to get you started and that is discussed on the activity slide associated with this Step 2.1.


    Speed
    Operational Strategic
    Commodity Tactical
    →→→
    Criticality and Risk to the Organization

    Step 2.1: Classification model (cont.)

    Configure the COST Vendor Classification Tool.

    Common Characteristics by Vendor Management Category

    Operational Strategic
    • Low to moderate risk and criticality; moderate to high spend and switching costs
    • Product or service used by more than one area
    • Price is a key negotiation point
    • Product or service is valued by the organization
    • Quality or the perception of quality is a differentiator (i.e. brand awareness)
    • Moderate to high risk and criticality; moderate to high spend and switching costs
    • Few competitors and differentiated products and services
    • Product or service significantly advances the organization’s vision, mission, and success
    • Well-established in their core industry
    Commodity Tactical
    • Low risk and criticality; low spend and switching costs
    • Product or service is readily available from many sources
    • Market has many competitors and options
    • Relationship is transactional
    • Price is the main differentiator
    • Moderate to high risk and criticality; low to moderate spend and switching costs
    • Vendor offerings align with or support one or more strategic objectives
    • Often IT vendors “outside” of IT (i.e. controlled and paid for by other areas)
    • Often niche or new vendors

    Source: Compiled in part from Stephen Guth, “Vendor Relationship Management Getting What You Paid for (And More)”

    2.1.1: Classification Model

    15-30 minutes

    1. Meet with the participants to configure the spend ranges in Jump – Phase 2 Vendor Classification Tool, Tab 1. Configuration, for your environment.
    2. Sort the data from Jump – Phase 1 Tools and Templates Compendium, Tab 1.7 Vendor Inventory, by spend; if you used multiple line items for a vendor in the Vendor Inventory tab, you will have to aggregate the spend data for this activity.
    3. Update cells F14-J14 in the Classification Model based on your actual data.
      1. Cell F14 – set the boundary at a point between the spend for your 10th and 11th ranked vendors. For example, if the 10th vendor by spend is $1,009,850 and the 11th vendor by spend is $980,763, the range for F14 would be $1,000,00+.
      2. Cell G14 – set the bottom of the range at a point between the spend for your 30th and 31st ranked vendors; the top of the range will be $1 less than the bottom of the range specified in F14.
      3. Cell H14 – set the bottom of the range slightly below the spend for your 50th ranked vendor; the top of the range will be $1 less than the bottom of the range specified in G14.
      4. Cells I14 and J14 – divide the remaining range in half and split it between the two cells; for J14 the range will be $0 to $1 less than the bottom range in I14.
    4. Ignore the other variables at this time.

    Download the Info-Tech Jump – Phase 2 Vendor Risk Assessment Tool

    Input

    • Jump – Phase 1 Tools and Templates Compendium, Tab 1.7 Vendor Inventory

    Output

    • Configured Vendor Classification Tool

    Materials

    • Jump – Phase 2 Vendor Classification Tool, Tab 1. Configuration

    Participants

    • VMI team

    Step 2.2: Risk assessment tool

    Identify risks to measure, monitor, and report on.

    One of the typical drivers of a VMI is risk management. Organizations want to get a better handle on the various risks their vendors pose. Vendor risks originate from many areas: financial, performance, security, legal, and many others. However, security risk is the high-profile risk and the one organizations often focus on almost exclusively, which leaves the organization vulnerable in other areas.

    Risk management is a program, not a project – there is no completion date. A proactive approach works best and requires continual monitoring, identification, and assessment. Reacting to risks after they occur can be costly and can have other detrimental effects on the organization. Any risk that adversely affects IT will adversely affect the entire organization.

    While the VMI won’t necessarily be quantifying or calculating the risk directly, it generally is the aggregator of risk information across the risk categories, which it then includes in its reporting function. (See Steps 2.12 and 3.8.)

    At a minimum, your risk management strategy should involve:

    • Identifying the risks you want to measure and monitor.
    • Identifying your risk appetite (the amount of risk you are willing to live with).
    • Measuring, monitoring, and reporting on the applicable risks.
    • Developing and deploying a risk management plan to minimize potential risk impact.

    Vendor risk is a fact of life, but you do have options for how you handle it. Be proactive and thoughtful in your approach, and focus your resources on what is important.

    2.2.1: Risk assessment tool

    30-90 minutes

    1. Meet with the participants to configure the risk indicators in Jump – Phase 2 Vendor Risk Assessment Tool, Tab 1. Set Parameters, for your environment.
    2. Review the risk categories and determine which ones you will be measuring and monitoring.
    3. Review the risk indicators under each risk category and determine whether the indicator is acceptable as written, is acceptable with modifications, should be replaced, or should be deleted.
    4. Make the necessary changes to the risk indicators; these changes will cascade to each of the vendor tabs. Limit the number of risk indicators to no more than seven per risk category.
    5. Gain input and approval as needed from sponsors, stakeholders, and executives as required.

    Download the Info-Tech Jump – Phase 2 Vendor Risk Assessment Tool

    Input

    • Scope
    • OIC Chart
    • Process Maps
    • Brainstorming

    Output

    • Configured Vendor Classification Tool

    Materials

    • Jump – Phase 2 Vendor Classification Tool, Tab 1. Configuration

    Participants

    • VMI team

    Step 2.3: Scorecards and feedback

    Design a two-way feedback loop with your vendors.

    A vendor management scorecard is a great tool for measuring, monitoring, and improving relationship alignment. In addition, it is perfect for improving communication between you and the vendor.

    Conceptually, a scorecard is similar to a report card you received when you were in school. At the end of a learning cycle, you received feedback on how well you did in each of your classes. For vendor management, the scorecard is also used to provide periodic feedback, but there are some different nuances and some additional benefits and objectives when compared to a report card.

    Although scorecards can be used in a variety of ways, the main focus here will be on vendor management scorecards – contract management, project management, and other types of scorecards will not be included in the materials covered in this Step 2.3 or in Step 3.4.

    Category 1 Score
    Vendor Objective A 4
    Objective B 3
    Objective C 5
    Objective D 4 !

    Step 2.3: Scorecards and feedback (cont.)

    Design a two-way feedback loop with your vendors.

    Anatomy

    The Info-Tech Scorecard includes five areas:

    • Measurement Categories. Measurement categories help organize the scorecard. Limit the number of measurement categories to three to five; this allows the parties to stay focused on what’s important. Too many measurement categories make it difficult for the vendor to understand the expectations.
    • Criteria. The criteria describe what is being measured. Create criteria with sufficient detail to allow the reviewers to fully understand what is being measured and to evaluate it. Criteria can be objective or subjective. Use three to five criteria per measurement category.
    • Measurement Category Weights. Not all of your measurement categories may be of equal importance to you; this area allows you to give greater weight to a measurement category when compiling the overall score.
    • Rating. Reviewers will be asked to assign a score to each criteria using a 1 to 5 scale.
    • Comments. A good scorecard will include a place for reviewers to provide additional information regarding the rating or other items that are relevant to the scorecard.

    An overall score is calculated based on the rating for each criteria and the measurement category weights.

    Step 2.3: Scorecards and feedback (cont.)

    Design a two-way feedback loop with your vendors.

    Goals and Objectives

    Scorecards can be used for a variety of reasons. Some of the common ones are listed below:

    • Improve vendor performance.
    • Convey expectations to the vendor.
    • Identify and recognize top vendors.
    • Increase alignment between the parties.
    • Improve communication with the vendor.
    • Compare vendors across the same criteria.
    • Measure items not included in contract metrics.
    • Identify vendors for “strategic alliance” consideration.
    • Help the organization achieve specific goals and objectives.
    • Identify and resolve issues before they impact performance or the relationship.

    Identifying your scorecard drivers first will help you craft a suitable scorecard.

    Step 2.3: Scorecards and feedback (cont.)

    Design a two-way feedback loop with your vendors.

    Info-Tech recommends starting with simple scorecards to allow you and the vendors to acclimate to the new process and information. As you build your scorecards, keep in mind that internal personnel will be scoring the vendors and the vendors will be reviewing the scorecard. Make your scorecard easy for your personnel to fill out and composed of meaningful content to drive the vendor in the right direction. You can always make the scorecard more complex in the future.

    Our recommendation of five categories is provided below. Choose three to five categories to help you accomplish your scorecard goals and objectives:

    1. Timeliness – responses, resolutions, fixes, submissions, completions, milestones, deliverables, invoices, etc.
    2. Cost – total cost of ownership, value, price stability, price increases/decreases, pricing models, etc.
    3. Quality – accuracy, completeness, mean time to failure, bugs, number of failures, etc.
    4. Personnel – skilled, experienced, knowledgeable, certified, friendly, trustworthy, flexible, accommodating, etc.
    5. Risk – adequate contractual protections, security breaches, lawsuits, finances, audit findings, etc.

    Some criteria may be applicable in more than one category. The categories above should cover at least 80% of the items that are important to your organization. The general criteria listed for each category is not an exhaustive list, but most things break down into time, money, quality, people, and risk issues.

    Step 2.3: Scorecards and feedback (cont.)

    Design a two-way feedback loop with your vendors.

    Additional Considerations

    • Even a good rating system can be confusing. Make sure you provide some examples or a way for reviewers to discern the differences between 1, 2, 3, 4, and 5. Don’t assume your “Rating Key” will be intuitive.
    • When assigning weights, don’t go lower than 10% for any measurement category. If the weight is too low, it won’t be relevant enough to have an impact on the total score. If it doesn’t “move the needle,” don’t include it.
    • Final sign-off on the scorecard template should occur outside of the VMI. The heavy lifting can be done by the VMI to create it, but the scorecard is for the benefit of the organization overall and those impacted by the vendors specifically. You may end up playing arbiter or referee, but the scorecard is not the exclusive property of the VMI. Try to reach consensus on your final template whenever possible.
    • You should notice improved ratings and total scores over time for your vendors. One explanation for this is the Pygmalion Effect: “The Pygmalion [E]ffect describes situations where someone’s high expectations improves our behavior and therefore our performance in a given area. It suggests that we do better when more is expected of us.”* Convey your expectations and let the vendors’ competitive juices take over.
    • While you’re creating your scorecard and materials to explain the process to internal personnel, identify those pieces that will help you explain it to your vendors as part of your vendor orientation (see steps 2.6 and 3.4). Leveraging pre-existing materials is a great shortcut.

    *Source: The Decision Lab, 2020

    Step 2.3: Scorecards and feedback (cont.)

    Design a two-way feedback loop with your vendors.

    Vendor Feedback

    After you’ve built your scorecard, turn your attention to the second half of the equation – feedback from the vendor. A communication loop cannot be successful without the dialogue flowing both ways. While this can happen with just a scorecard, a mechanism specifically geared toward the vendor providing you with feedback improves communication, alignment, and satisfaction.

    You may be tempted to create a formal scorecard for the vendor to use. Our recommendation is to avoid that temptation until later in your maturity or development of the VMI. You’ll be implementing a lot of new processes, deploying new tools and templates, and getting people to work together in new ways. Work on those things first.

    For now, implement an informal process for obtaining information from the vendor. Start by identifying information that you will find useful, information that will allow you to improve overall, to reduce waste or time, to improve processes, to identify gaps in skills. Incorporate these items into your business alignment meetings (see Steps 2.4 and 3.5). Create three to five good questions to ask the vendor and include these in the business alignment meeting agenda. The goal is to get meaningful feedback, and that starts with asking good questions.

    Keep it simple at first. When the time is right, you can build a more formal feedback form or scorecard. Don’t be in a rush though. So long as the informal method works, keep using it.

    2.3.1: Scorecards and feedback

    30-60 minutes

    1. Meet with the participants and brainstorm ideas for your scorecard measurement categories:
      1. What makes a vendor valuable to your organization?
      2. What differentiates a “good” vendor from a “bad” vendor?
      3. What items would you like to measure and provide feedback to the vendor to improve performance, the relationship, risk, and other areas?
    2. Select three, but no more than five, of the following measure categories: timeliness, cost, quality, personnel, and risk.
    3. Within each measurement category, list two or three criteria that you want to measure and track for your vendors; choose items that are as universal as possible rather than being applicable to one vendor or one vendor type.
    4. Assign a weight to each measurement category, ensuring that the total weight is 100% for all measurement categories.
    5. Document your results as you go in Jump – Phase 2 Tools and Templates Compendium, Tab 2.3 Scorecard.

    Download the Info-Tech Jump – Phase 2 Tools and Templates Compendium

    Input

    • Brainstorming

    Output

    • Configured scorecard template

    Materials

    • Jump – Phase 2 Tools and Templates Compendium, Tab 2.3 Scorecard

    Participants

    • VMI team
    • Applicable stakeholders and executives (as needed)

    2.3.2: Scorecards and feedback

    15-30 minutes

    1. Meet with the participants and brainstorm ideas for feedback to seek from your vendors during your business alignment meetings. During the brainstorming, identify questions to ask the vendor about your organization that will:
      1. Help you improve the relationship.
      2. Help you improve your processes or performance.
      3. Help you improve ongoing communication.
      4. Help you evaluate your personnel.
    2. Identify the top five questions you want to include in your business alignment meeting agenda. (Note: you may need to refine the actual questions from the brainstorming activity before they are ready to include in your business alignment meeting agenda.)
    3. Document both your brainstorming activity and your final results in Jump – Phase 2 Tools and Templates Compendium, Tab 2.3 Feedback. The brainstorming questions can be used in the future as your VMI matures and your feedback transforms from informal to formal. The final results will be used in Steps 2.4 and 3.5.

    Download the Info-Tech Jump – Phase 2 Tools and Templates Compendium

    Input

    • Brainstorming

    Output

    • Feedback questions to include with the business alignment meeting agenda

    Materials

    • Jump – Phase 2 Tools and Templates Compendium, Tab 2.3 Feedback

    Participants

    • VMI team
    • Applicable stakeholders and executives (as needed)

    Step 2.4: Business alignment meeting agenda

    Craft an agenda that meets the needs of the VMI.

    A business alignment meeting (BAM) is a great, multi-faceted tool to ensure the customer and the vendor stay focused on what is important to the customer at a high level. BAMs are not traditional “operational” meetings where the parties get into the details of the contracts, deal with installation problems, address project management issues, or discuss specific cost overruns. The main focus of the BAM is the scorecard (see Step 2.3), but other topics are discussed and other purposes are served. For example, you can use the BAM to develop the relationship with the vendor’s leadership team so that if escalation is ever needed, your organization is more than just a name on a spreadsheet or customer list; you can learn about innovations the vendor is working on (without the meeting turning into a sales call); you can address high-level performance trends and request corrective action as needed; you can clarify your expectations; you can educate the vendor about your industry, culture, and organization; and you can learn more about the vendor.

    As you build your BAM agenda, someone in your organization may say, “Oh, that’s just a quarterly business review (QBR) or top-to-top meeting.” However, in most instances, an existing QBR or top-to-top meeting is not the same as a BAM. Using the term QBR or top-to-top meeting instead of BAM can lead to confusion internally. The VMI may say to the business unit, Procurement, or another department, “We’re going to start running some QBRs for our strategic vendors.” The typical response is, “There’s no need to do that. We already run QBRs/top-to-top meetings with our important vendors.” This may be accompanied by an invitation to join their meeting, where you may be an afterthought, have no influence, and get five minutes at the end to talk about your agenda items. Keep your BAM separate so that it meets your needs.

    Step 2.4: Business alignment meeting agenda (cont.)

    Craft an agenda that meets the needs of the VMI.

    As previously noted, using the term BAM more accurately depicts the nature of the VMI meeting and prevents confusion internally with other meetings already occurring. In addition, hosting the BAM yourself rather than piggybacking onto another meeting ensures that the VMI’s needs are met. The VMI will set and control the BAM agenda and determine the invite list for internal personnel and vendor personnel. As you may have figured out by now, having the right customer and vendor personnel attend will be essential.

    BAMs are conducted at the vendor level … not the contract level. As a result, the frequency of the BAMs will depend on the vendor’s classification category (see Steps 2.1 and 3.1). General frequency guidelines are provided below, but they can be modified to meet your goals:

    • Commodity Vendors – Not applicable
    • Operational Vendors – Biannually or annually
    • Strategic Vendors – Quarterly
    • Tactical Vendors – Quarterly or biannually

    BAMs can help you achieve some additional benefits not previously mentioned:

    • Foster a collaborative relationship with the vendor.
    • Avoid erroneous assumptions by the parties.
    • Capture and provide a record of the relationship (and other items) over time.

    Step 2.4: Business alignment meeting agenda (cont.)

    Craft an agenda that meets the needs of the VMI.

    As with any meeting, building the proper agenda will be one of the keys to an effective and efficient meeting. A high-level BAM agenda with sample topics is set out below:

    BAM Agenda

    • Opening Remarks
      • Welcome and introductions
      • Review of previous minutes
    • Active Discussion
      • Review of open issues
      • Scorecard and feedback
      • Current status of projects to ensure situational awareness by the vendor
      • Roadmap/strategy/future projects
      • Accomplishments
    • Closing Remarks
      • Reinforce positives (good behavior, results, and performance, value added, and expectations exceeded)
      • Recap
    • Adjourn

    2.4.1: Business alignment meeting agenda

    20-45 minutes

    1. Meet with the participants and review the sample agenda in Jump – Phase 2 Tools and Templates Compendium, Tab 2.4 BAM Agenda.
    2. Using the sample agenda as inspiration and brainstorming activities as needed, create a BAM agenda tailored to your needs.
      1. Select the items from the sample agenda applicable to your situation.
      2. Add any items required based on your brainstorming.
      3. Add the feedback questions identified during Activity 2.3.2 and documented in Jump – Phase 2 Tools and Templates Compendium, Tab 2.3 Feedback.
    3. Gain input and approval from sponsors, stakeholders, and executives as required or appropriate.
    4. Document the final BAM agenda in Jump – Phase 2 Tools and Templates Compendium, Tab 2.4 BAM Agenda.

    Download the Info-Tech Jump – Phase 2 Tools and Templates Compendium

    Input

    • Brainstorming
    • Jump – Phase 2 Tools and Templates Compendium, Tab 2.3 Feedback

    Output

    • Configured BAM agenda

    Materials

    • Jump – Phase 2 Tools and Templates Compendium, Tab 2.4 BAM Agenda

    Participants

    • VMI team
    • Applicable stakeholders and executives (as needed)

    Step 2.5: Relationship alignment document

    Draft a document to convey important VMI information to your vendors.

    Throughout this blueprint, alignment is mentioned directly (e.g. business alignment meetings [Steps 2.4 and 3.5]) or indirectly implied. Ensuring you and your vendors are on the same page, have clear and transparent communication, and understand each other’s expectations is critical to fostering strong relationships. One component of gaining and maintaining alignment with your vendors is the relationship alignment document (RAD). Depending upon the scope of your VMI and what your organization already has in place, your RAD will fill in the gaps on various topics.

    Early in the VMI’s maturation, the easiest approach is to develop a short document (i.e. 1 page) or a pamphlet (i.e. the classic trifold) describing the rules of engagement when doing business with your organization. The RAD can convey expectations, policies, guidelines, and other items. The scope of the document will depend on 1) what you believe is important for the vendors to understand, and 2) any other similar information already provided to the vendors.

    The first step to drafting a RAD is to identify what information vendors need to know to stay on your good side. For example, you may want vendors to know about your gift policy (e.g. employees may not accept gifts from vendors above a nominal value such as a pen or mousepad). Next, compare your list of what vendors need to know and determine if the content is covered in other vendor-facing documents such as a vendor code of conduct or your website’s vendor portal. Lastly, create your RAD to bridge the gap between what you want and what is already in place. In some instances, you may want to include items from other documents to reemphasize them with the vendor community.

    Info-Tech Insight

    The RAD can be used with all vendors regardless of classification category. It can be sent directly to the vendors or given to them during vendor orientation (see Step 3.3)

    2.5.1: Relationship alignment document

    1-4 hours

    1. Meet with the participants and review the RAD sample and checklist in Jump – Phase 2 Tools and Templates Compendium, Tab 2.5 Relationship Alignment Doc.
    2. Determine:
      1. Whether you will create one RAD for all vendors or one RAD for strategic vendors and another RAD for tactical and operational vendors; whether you will create a RAD for commodity vendors.
      2. The concepts you want to include in your RAD(s).
      3. The format for your RAD(s) – traditional, pamphlet, or other.
      4. Whether signoff or acknowledgement will be required by the vendors.
    3. Draft your RAD(s) and work with other internal areas such as Marketing to create a consistent brand for the RADS and Legal to ensure consistent use and preservation of trademarks or other intellectual property rights and other legal issues.
    4. Review other vendor-facing documents (e.g. supplier code of conduct, onsite safety and security protocols) for consistencies between them and the RAD(s).
    5. Obtain signoff on the RAD(s) from stakeholders, sponsors, executives, Legal, Marketing, and others as needed.

    Download the Info-Tech Jump – Phase 2 Tools and Templates Compendium

    Input

    • Brainstorming
    • Vendor-facing documents, policies, and procedures

    Output

    • Completed relationship alignment document(s)

    Materials

    • Jump – Phase 2 Tools and Templates Compendium, Tab 2.5 Relationship Alignment Doc

    Participants

    • VMI team
    • Marketing, as needed
    • Legal, as needed

    Step 2.6: Vendor orientation

    Create a VMI awareness process to build bridges with your vendors.

    Vendor Orientation: 01 - Orientation; 02 - Reorientation; 03 - Debrief

    Your organization is unique. It may have many similarities with other organizations, but your culture, risk tolerance, mission, vision, and goals, finances, employees, and “customers” (those that depend on you) make it different. The same is true of your VMI. It may have similar principles, objectives, and processes to other organizations’ VMIs, but yours is still unique. As a result, your vendors may not fully understand your organization and what vendor management means to you.

    Vendor orientation is another means to helping you gain and maintain alignment with your important vendors, educate them on what is important to you, and provide closure when/if the relationship with the vendor ends. Vendor orientation is comprised of three components, each with a different function:

    • Orientation
    • Reorientation
    • Debrief

    Vendor orientation focuses on the vendor management pieces of the puzzle (e.g. the scorecard process) rather than the operational pieces (e.g. setting up a new vendor in the system to ensure invoices are processed smoothly).

    Step 2.6: Vendor orientation (cont.)

    Create a VMI awareness process to build bridges with your vendors.

    Vendor Orientation: 01 - Orientation

    Orientation

    Orientation is conceptually similar to new hire orientation for employees at your organization. Generally conducted as a meeting, orientation provides your vendors with the information they need to be successful when working with your organization. Sadly, this is often overlooked by customers; it can take months or years for vendors to figure it out by themselves. By controlling the narrative and condensing the timeline, vendor relationships and performance improve more rapidly.

    A partial list of topics for orientation is set out below:

    • Your organization’s structure
    • Your organization’s culture
    • Your relationship expectations
    • Your governances (VMI and other)
    • Their vendor classification designation (commodity, operational, strategic, or tactical)
    • The scorecard process
    • Business alignment meetings
    • Relationship alignment documents

    In short, this is the first step toward building (or continuing to build) a robust, collaborative, mutually beneficial relationship with your important vendors.

    Step 2.6: Vendor orientation (cont.)

    Create a VMI awareness process to build bridges with your vendors.

    Vendor Orientation: 02 - Reorientation

    Reorientation

    Reorientation is either identical or similar to orientation, depending upon the circumstances. Reorientation occurs for a number of reasons, and each reason will impact the nature and detail of the reorientation content. Reorientation occurs whenever:

    • There is a significant change in the vendor’s products or services.
    • The vendor has been through a merger, acquisition, or divestiture.
    • A significant contract renewal/renegotiation has recently occurred.
    • Sufficient time has passed from orientation; commonly 2 to 3 years.
    • The vendor has been placed in a “performance improvement plan” or “relationship improvement plan” protocol.
    • Significant turnover has occurred within your organization (executives, key stakeholders, and/or VMI personnel).
    • Substantial turnover has occurred at the vendor at the executive or account management level.
    • The vendor has changed vendor classification categories after the most current classification.

    As the name implies, the goal is to refamiliarize the vendor with your current VMI situation, governances, protocols, and expectations. The drivers for reorientation will help you determine its scope, scale, and frequency.

    Step 2.6: Vendor orientation (cont.)

    Create a VMI awareness process to build bridges with your vendors.

    Vendor Orientation: 03 - Debrief

    Debrief

    To continue the analogy from orientation, debrief is similar to an exit interview for an employee when their employment is terminated. In this case, debrief occurs when the vendor is no longer an active vendor with your organization – all contracts have terminated or expired, and no new business with the vendor is anticipated within the next three months.

    Similar to orientation and reorientation, debrief activities will be based on the vendor’s classification category within the COST model. Strategic vendors don’t go away very often; usually, they transition to operational or tactical vendors first. However, if a strategic vendor is no longer providing products or services to you, dig a little deeper into their experiences and allocate extra time for the debrief meeting.

    The debrief should provide you with feedback on the vendor’s experience with your organization and their participation in your VMI. In addition, it can provide closure for both parties since the relationship is ending. Be careful that the debrief does not turn into a finger-pointing meeting or therapy session for the vendor. It should be professional and productive; if it is going off the rails, terminate the meeting before more damage can occur.

    End the debrief on a high note if possible. Thank the vendor, highlight its key contributions, and single out any personnel who went above and beyond. You never know when you will be doing business with this vendor again – don’t burn bridges!

    Step 2.6: Vendor orientation (cont.)

    Create a VMI awareness process to build bridges with your vendors.

    • As you create your vendor orientation materials, focus on the message you want to convey.
    • For orientation and reorientation:
      • What is important to you that vendors need to know?
      • What will help the vendors understand more about your organization … your VMI?
      • What and how are you different from other organizations overall … in your “industry”?
      • What will help them understand your expectations?
      • What will help them be more successful?
      • What will help you build the relationship?
    • For debrief:
      • What information or feedback do you want to obtain?
      • What information or feedback to you want to give?
    • The level of detail you provide strategic vendors during orientation and reorientation may be different from the information you provide tactical and operational vendors. Commodity vendors are not typically involved in the vendor orientation process. The orientation meetings can be conducted on a one-to-one basis for strategic vendors and a one-to-many basis for operational and tactical vendors; reorientation and debrief are best conducted on a one-to-one basis. Lastly, face-to-face or video meetings work best for vendor orientation; voice-only meetings, recorded videos, or distributing only written materials seldom hit their mark or achieve the desired results.

    2.6.1: Vendor orientation

    1 to several hours

    1. Meet with the participants and review the Phase Tools and Templates Compendium, Tab 2.6 Vendor Orientation.
      1. Use the orientation checklist to identify the materials you want to create for your orientation meetings.
      2. Use the reorientation checklist to identify the materials you want to create for your reorientation meetings.
    2. The selections can be made by classification category (i.e. different items can apply to strategic, operational, and tactical vendors).
    3. Create the materials and seek input and/or approval from sponsors, stakeholders, and executives as needed.
    4. Use the debrief section of the tool to create an agenda, list the questions you want to ask vendors, and list information you want to provide to vendors. The agenda, questions, and information can be segregated by classification category.

    Download the Info-Tech Jump – Phase 2 Tools and Templates Compendium

    Input

    • Brainstorming

    Output

    • Agendas and materials for orientation, reorientation, and debrief

    Materials

    • Phase Tools and Templates Compendium, Tab 2.6 Vendor Orientation

    Participants

    • VMI team

    Step 2.7: Job descriptions

    Ensure new and existing job descriptions are up to date.

    Based on your work product from Steps 1.1-1.9, it’s time to start drafting new or modifying existing job descriptions applicable to the VMI team members. Some of the VMI personnel may be dedicated full-time to the VMI, while others may be supporting the VMI on a part-time basis. At a minimum, create or modify your job descriptions based on the categories set out below. Remember to get the internal experts involved so that you stay true to your environment and culture.

    01 Title

    This should align overall with what the person will be doing and what the person will be responsible for. Your hands may be tied with respect to titles, but try to make them intuitively descriptive if possible.

    02 Duties

    This is the main portion of the job description. List the duties, responsibilities, tasks, activities, and results expected. Again, there may be some limitations imposed by your organization, but be as thorough as possible.

    03 Qualifications

    This tends to be a gray area for many organizations, with the qualifications, certifications, and experience desired expressed in “ranges” so that good candidates are not eliminated from consideration unnecessarily.

    2.7.1: Job descriptions

    1 to several hours

    1. Meet with the participants and review the VMI structure from Step 1.9.
      1. List the positions that require new job descriptions.
      2. List the positions that require updated job descriptions.
    2. Review the other Phase 1 work product and list the responsibilities, tasks, and functions that need to be incorporated into the new and updated job descriptions.
    3. Review the sample VMI job descriptions and sample VMI job description language in Jump – Phase 2 Tools and Templates Compendium, Tab 2.7 Job Descriptions, and identify language and concepts you want to include in the new and revised job descriptions.
    4. Using your template, draft the new job descriptions and modify the existing job descriptions to synchronize with the VMI structure. Work with other internal areas such as Human Resources to ensure cultural fit and compliance.
    5. Obtain input and signoff on the job descriptions from stakeholders, sponsors, executives, Human Resources, and others as needed.
    6. Document your final job descriptions in Jump – Phase 2 Tools and Templates Compendium, Tab 2.7 Job Descriptions.

    Download the Info-Tech Jump – Phase 2 Tools and Templates Compendium

    Input

    • Brainstorming
    • Existing job descriptions
    • Work product from Phase 1

    Output

    • Job descriptions for new positions
    • Updated job descriptions for existing positions

    Materials

    • Jump – Phase 2 Tools and Templates Compendium, Tab 2.7 Job Descriptions

    Participants

    • VMI team
    • Human Resources (as needed)
    • Applicable stakeholders and executives (as needed)

    Step 2.8: Policies and procedures

    Prepare policies and procedures for VMI functions.

    Policies and procedures are often thought of as boring documents that are 1) tedious to create, 2) seldom read after creation, and 3) only used to punish people when they do something “wrong.” However, when done well, these documents:

    • Communicate expectations.
    • Capture institutional knowledge.
    • Provide guidance for decision making.
    • Help workers avoid errors and minimize risk.
    • Ensure regulatory and organizational compliance.
    • List the steps required to achieve consistent results.

    Definitions of Policies and Procedures

    Policies and procedures are essential, but they are often confused with each other. A policy is a rule, guideline, or framework for making decisions. For example, in the vendor management space, you may want a policy indicating your organization’s view on gifts from vendors. A procedure is a set of instructions for completing a task or activity. For example, staying in the vendor management space, you may want a procedure to outline the process for classifying vendors.

    Step 2.8: Policies and procedures (cont.)

    Prepare policies and procedures for VMI functions.

    Start With Your Policy/Procedure Template or Create One for Consistency

    When creating policies and procedures, follow your template. If you don’t have one (or want to see if anything is missing from your template) the following list of potential components for your governance documents is provided.* Not every concept is required. Use your judgment and err on the side of caution when drafting; balance readability and helpfulness against over documenting and over complicating.

    • Descriptive Title
    • Policy Number
    • Brief Overview
    • Purpose
    • Scope
    • The Policy or Procedure
    • Definitions
    • Revision Date
    • History
    • Related Documents
    • Keywords

    Step 2.8: Policies and procedures (cont.)

    Prepare policies and procedures for VMI functions.

    Although they are not ever going to be compared to page-turning novels, policies and procedures can be improved by following a few basic principles. By following the guidelines set out below, your VMI policies and procedures will contribute to the effectiveness of your initiative.*

    • Use short sentences.
    • Organize topics logically.
    • Use white space liberally.
    • Use mandatory language.
    • Use gender-neutral terms.
    • Write with an active voice.
    • Avoid jargon when possible.
    • Use a consistent “voice” and tone.
    • Use pictures or diagrams when they will help.
    • Write in the same tense throughout the document.
    • Use icons and colors to designate specific elements.
    • Make sure links to other policies and procedures work.
    • Define all acronyms and jargon (when it must be used).
    • Avoid a numbering scheme with more than three levels.

    *Adapted in part from smartsheet.com

    Info-Tech Insight

    Drafting policies and procedures is an iterative process that requires feedback from the organization’s leadership team.

    2.8.1: Policies and procedures

    Several hours

    1. Meet with the participants and review the sample policies and procedures topics in Jump – Phase 2 Tools and Templates Compendium, Tab 2.8 Policies and Procedures.
    2. Determine:
      1. The concepts you want to include in your policies and procedures; brainstorm for any additional concepts you want to include.
      2. The format/template for your policies and procedures.
    3. Draft your policies and procedures based on the sample topics and your brainstorming activity. Work with other internal areas such as Legal and Human Resources to ensure cultural and environmental fit within your organization.
    4. Obtain input and signoff on the policies and procedures from stakeholders, sponsors, executives, Legal, Human Resources, and others as needed.
    5. Document your final policies and procedures in Jump – Phase 2 Tools and Templates Compendium, Tab 2.8 Policies and Procedures.
    6. Publish your policies and procedures and conduct training sessions or awareness sessions as needed.

    Download the Info-Tech Jump – Phase 2 Tools and Templates Compendium

    Input

    • Existing policies and procedures (if any)
    • Existing policies and procedures template (if any)
    • Scope
    • OIC chart
    • Process maps
    • Brainstorming

    Output

    • VMI policies and procedures

    Materials

    • Jump – Phase 2 Tools and Templates Compendium, Tab 2.8 Policies and Procedures

    Participants

    • VMI team
    • Legal and Human Resources (as needed)
    • Applicable stakeholders and executives (as needed)

    Step 2.9: 3-year roadmap

    Plot your path at a high level.

    The VMI exists in many planes concurrently: 1) it operates both tactically and strategically, and 2) it focuses on different timelines or horizons (e.g. the past, the present, and the future). Creating a 3-year roadmap facilitates the VMI’s ability to function effectively across these multiple landscapes.

    The VMI roadmap will be influenced by many factors. The work product from Phase 1: Plan, input from executives, stakeholders, and internal clients, and the direction of the organization as a whole are great sources of information as you begin to build your roadmap.

    To start, identify what you would like to accomplish in Year 1. This is arguably the easiest year to complete: budgets are set (or you have a good idea what the budget will look like), personnel decisions have been made, resources have been allocated, and other issues impacting the VMI are known with a higher degree of certainty than any other year. This does not mean things won’t change during the first year of the VMI, but expectations are usually lower and the short event horizon makes things more predictable during the Year-1 ramp-up period.

    Years 2 and 3 are more tenuous, but the process is the same: identify what you would like to accomplish or roll out in each year. Typically, the VMI maintains the Year 1 plan into subsequent years and adds to the scope or maturity. For example, you may start Year 1 with BAMs and scorecards for three of your strategic vendors; during Year 2, you may increase that to five vendors; and during Year 3, you may increase that to nine vendors. Or, you may not conduct any market research during Year 1, waiting to add it to your roadmap in Year 2 or 3 as you mature.

    Breaking things down by year helps you identify what is important and the timing associated with your priorities. A conservative approach is recommended. It is easy to overcommit, but the results can be disastrous and painful.

    2.9.1: 3-year roadmap

    45-90 minutes

    1. Meet with the participants and decide how to coordinate Year 1 of your 3-year roadmap with your existing fiscal year or reporting year. Year 1 may be shorter or longer than a calendar year.
    2. Review the VMI activities listed in Jump – Phase 2 Tools and Templates Compendium, Tab 2.9 3-Year Roadmap. Use brainstorming and your prior work product from Phase 1 and Phase 2 to identify additional items for the roadmap and add them at the bottom of the spreadsheet.
    3. Starting with the first activity, determine when that activity will begin and put an X in the corresponding column; if the activity is not applicable, leave it blank or insert N/A.
    4. Go back to the top of the list and add information as needed.
      1. For any Year-1 or Year-2 activities, add an X in the corresponding columns if the activity will be expanded/continued in subsequent periods (e.g. if a Year 2 activity will continue in Year 3, put an X in Year 3 as well).
      2. Use the comments column to provide clarifying remarks or additional insights related to your plans or “X’s.” For example, “Scorecards begin in Year 1 with three vendors and will roll out to five vendors in Year 2 and nine vendors in Year 3.”
    5. Obtain signoff from stakeholders, sponsors, and executives as needed.

    Download the Info-Tech Jump – Phase 2 Tools and Templates Compendium

    Input

    • Phase 1 work product
    • Steps 2.1-2.8 work product
    • Brainstorming

    Output

    • High level 3-year roadmap for the VMI

    Materials

    • Jump – Phase 2 Tools and Templates Compendium, Tab 2.9 3-Year Roadmap

    Participants

    • VMI team
    • Applicable stakeholders and executives (as needed)

    Step 2.10: 90-day plan

    Pave your short-term path with a series of detailed quarterly plans.

    Now that you have prepared a 3-year roadmap, it’s time to take the most significant elements from the first year and create action plans for each three-month period. Your first 90-day plan may be longer or shorter if you want to sync to your fiscal or calendar quarters. Aligning with your fiscal year can make it easier for tracking and reporting purposes; however, the more critical item is to make sure you have a rolling series of four 90-day plans to keep you focused on the important activities and tasks throughout the year.

    The 90-day plan is a simple project plan that will help you measure, monitor, and report your progress. Use the Info-Tech tool to help you track:

    • Activities
    • Tasks comprising each activity
    • Who will be performing the tasks
    • An estimate of the time required per person per task
    • An estimate of the total time to achieve the activity
    • A due date for the activity
    • A priority of the activity

    The first 90-day plan will have the greatest level of detail and should be as thorough as possible; the remaining three 90-day plans will each have less detail for now. As you approach the middle of the first 90-day plan, start adding details to the next 90-day plan; toward the end of the first quarter add a high-level 90-day plan to the end of the chain. Continue repeating this cycle each quarter and consult the 3-year roadmap and the leadership team as necessary.

    90 Days

    2.10.1: 90-day plan

    45-90 minutes

    1. Meet with the participants and decide how to coordinate the first 90-day plan with your existing fiscal year or reporting cycles. Your first plan may be shorter or longer than 90 days.
    2. Looking at the Year 1 section of the 3-year roadmap, identify the activities that will be started during the next 90 days.
    3. Using the Jump – Phase 2 Tools and Templates Compendium, Tab 2.10 90-Day Plan, enter the following information into the spreadsheet for each activity to be accomplished during the next 90 days:
      1. Activity description
      2. Tasks required to complete the activity (be specific and descriptive)
      3. The people who will be performing each task
      4. The estimated number of hours required to complete each task
      5. The start date and due date for each task or the activity
    4. Validate the tasks are a complete list for each activity and the people performing the tasks have adequate time to complete the tasks by the due date(s).
    5. Assign a priority to each activity.

    Download the Info-Tech Jump – Phase 2 Tools and Templates Compendium

    Input

    • 3-year roadmap
    • Phase 1 work product
    • Steps 2.1-2.9 work product
    • Brainstorming

    Output

    • Detailed plan for the VMI for the next quarter or 90 days

    Materials

    • Jump – Phase 2 Tools and Templates Compendium, Tab 2.10 90-Day Plan

    Participants

    • VMI team
    • Applicable stakeholders and executives (as needed)

    Step 2.11: Quick wins

    Identify potential short-term successes to gain momentum and show value immediately.

    As the final step in the timeline trilogy, you are ready to identify some quick wins for the VMI. Using the first 90-day plan and a brainstorming activity, create a list of things you can do in 15 to 30 days that add value to your initiative and build momentum.

    As you evaluate your list of potential candidates, look for things that:

    • Are achievable within the stated timeline.
    • Don’t require a lot of effort.
    • Involve stopping a certain process, activity, or task; this is sometimes known as a “stop doing stupid stuff” approach.
    • Will reduce or eliminate inefficiencies; this is sometimes known as the war on waste.
    • Have a moderate to high impact or bolster the VMI’s reputation.

    As you look for quick wins, you may find that everything you identify does not meet the criteria. That’s ok … don’t force the issue. Return your focus to the 90-day plan and 3-year roadmap, and update those documents if the brainstorming activity associated with this Step 2.11 identified anything new.

    2.11.1: Quick wins

    15-30 minutes

    1. Meet with the participants and review the 3-year roadmap and 90-day plan. Determine if any item on either document can be completed:
      1. Quickly (30 days or less)
      2. With minimal effort
      3. To provide or show moderate to high levels of value or provide the VMI with momentum
    2. Brainstorm to identify any other items that meet the criteria in step 1 above.
    3. Compile a comprehensive list of these items and select up to five to pursue.
    4. Document the list in the Jump – Phase 2 Tools and Templates Compendium, Tab 2.11 Quick Wins.
    5. Manage the quick wins list and share the results with the VMI team and applicable stakeholders and executives.

    Download the Info-Tech Jump – Phase 2 Tools and Templates Compendium

    Input

    • 3-year roadmap
    • 90-day plan
    • Brainstorming

    Output

    • A list of activities that require low levels of effort to achieve moderate to high levels of value in a short period

    Materials

    • Jump – Phase 2 Tools and Templates Compendium, Tab 2.11 Quick Wins

    Participants

    • VMI team

    Step 2.12: Reports

    Construct your reports to resonate with your audience.

    Issuing reports is a critical piece of the VMI since the VMI is a conduit of information for the organization. It may be aggregating risk data from internal areas, conducting vendor research, compiling performance data, reviewing market intelligence, or obtaining relevant statistics, feedback, comments, facts, and figures from other sources. Holding onto this information minimizes the impact a VMI can have on the organization; however, the VMI’s internal clients, stakeholders, and executives can drown in raw data and ignore it completely if it is not transformed into meaningful, easily-digested information.

    Before building a report, think about your intended audience:

    • What information are they looking for … what will help them understand the big picture?
    • What level of detail is appropriate, keeping in mind the audience may not be like-minded?
    • What items are universal to all of the readers and what items are of interest to one or two readers?
    • How easy or hard will it be to collect the data … who will be providing it, how time consuming will it be?
    • How accurate, valid, and timely will the data be?
    • How frequently will each report need to be issued?

    Step 2.12: Reports (cont.)

    Construct your reports to resonate with your audience.

    Use the following guidelines to create reports that will resonate with your audience:

    • Value information over data, but sometimes data does have a place in your report.
    • Use pictures, graphics, and other representations more than words, but words are often necessary in small, concise doses.
    • Segregate your report by user; for example, general information up top, CIO information below that on the right, CFO information to the left of CIO information, etc.
    • Send a draft report to the internal audience and seek feedback, keeping in mind you won’t be able to cater to or please everyone.

    Step 2.12: Reports (cont.)

    Construct your reports to resonate with your audience.

    The report’s formatting and content display can make or break your reports.*

    • Make the report look inviting and easy to read. Use:
      • Short paragraphs and bullet points.
      • A simple layout and uncluttered, wide margins.
      • Minimal boldface, underline, or italics to attract the readers’ attention.
      • High contrast between text and background.
    • Charts, graphs, and infographics should be intuitive and tell the story on their own.
    • Make it easy to peruse the report for topics of interest.
      • Maintain consistent design features.
      • Use impactful, meaningful headings and subheadings.
      • Include callouts to draw attention to important high-level information.
    • Demonstrate the impact of the accomplishments or success stories when appropriate.
    • Finish with a simple concise summary when appropriate. Consider adding:
      • Key points for the reader to takeaway.
      • Action items or requests.
      • Plans for next reporting period.

    *Sources: Adapted and compiled in part from: designeclectic.com, ahrq.gov, and 60secondmarketer.com.

    2.12.1: Reports

    15-45 minutes

    1. Meet with the participants and review the applicable work product from Phases 1 and 2; identify qualitative and quantitative items the VMI measures, monitors, tracks, or aggregates.
    2. Determine which items will be reported and to whom (by category):
      1. Internally to personnel within the VMI
      2. Internally to personnel outside the VMI
      3. Externally to vendors
    3. Within each category above, determine your intended audiences/recipients. For example, you may have a different list of recipients for a risk report than you do a scorecard summary report. This will help you identify the number of reports required.
    4. Create a draft structure for each report based on the audience and the information being conveyed. Determine the frequency of each report and person responsible for creating for each report.
    5. Document your final choices in Jump – Phase 2 Tools and Templates Compendium, Tab 2.12 Reports.

    Download the Info-Tech Jump – Phase 2 Tools and Templates Compendium

    Input

    • Brainstorming
    • Phase 1 work product
    • Steps 2.1-2.11 work product

    Output

    • A list of reports used by the VMI
    • For each report:
    • The conceptual content
    • A list of who will receive or have access
    • A creation/distribution frequency

    Materials

    • Jump – Phase 2 Tools and Templates Compendium, Tab 2.12 Reports

    Participants

    • VMI team
    • Applicable stakeholders and executives (as needed)

    Phase 3: Run

    Implement Your Processes and Leverage Your Tools and Templates

    Phase 1 Phase 2 Phase 3 Phase 4
    1.1 Mission Statement and Goals
    1.2 Scope
    1.3 Strengths and Obstacles
    1.4 Roles and Responsibilities
    1.5 Process Mapping
    1.6 Charter
    1.7 Vendor Inventory
    1.8 Maturity Assessment
    1.9 Structure

    2.1 Classification Model
    2.2 Risk Assessment Tool
    2.3 Scorecards and Feedback
    2.4 Business Alignment Meeting Agenda
    2.5 Relationship Alignment Document
    2.6 Vendor Orientation
    2.7 Job Descriptions
    2.8 Policies and Procedures
    2.9 3-Year Roadmap
    2.10 90-Day Plan
    2.11 Quick Wins
    2.12 Reports

    3.1 Classify Vendors
    3.2 Conduct Internal “Kickoff” Meeting
    3.3 Conduct Vendor Orientation
    3.4 Compile Scorecards
    3.5 Conduct Business Alignment Meetings
    3.6 Work the 90-Day Plan
    3.7 Manage the 3-Year Roadmap
    3.8 Measure and Monitor Risk
    3.9 Issue Reports
    3.10 Develop/Improve Vendor Relationships
    3.11 Contribute to Other Processes

    4.1 Assess Compliance
    4.2 Incorporate Leading Practices
    4.3 Leverage Lessons Learned
    4.4 Maintain Internal Alignment
    4.5 Update Governances

    This phase will walk you through the following activities:

    Begin operating the VMI. The main outcomes from this phase are guidance and the steps required to implement your VMI.

    This phase involves the following participants:

    • VMI team
    • Applicable stakeholders and executives
    • Others as needed

    Jump Start Your Vendor Management Initiative

    Phase 3: Run

    Implement your processes and leverage your tools and templates.

    All of the hard work invested in Phase 1: Plan and Phase 2: Build begins to pay off in Phase 3: Run. It’s time to stand up your VMI and ensure that the proper level of resources is devoted to your vendors and the VMI itself. There’s more hard work ahead, but the foundational elements are in place. This doesn’t mean there won’t be adjustments and modifications along the way, but you are ready to use the tools and templates in the real world; you are ready to begin reaping the fruits of your labor.

    Phase 3: Run guides you through the process of collecting data, monitoring trends, issuing reports, and conducting effective meetings to:

    • Manage risk better.
    • Improve vendor performance.
    • Improve vendor relationships.
    • Identify areas where the parties can improve.
    • Improve communication between the parties.
    • Increase the value proposition with your vendors.

    Step 3.1: Classify vendors

    Begin classifying your top 25 vendors by spend.

    Step 3.1 sets the table for many of the subsequent steps in Phase 3: Run. The results of your classification process will determine: which vendors go through the scorecarding process (Step 3.4); which vendors participate in BAMs (Step 3.5); the nature and content of the vendor orientation activities (Step 3.3); which vendors will be part of the risk measurement and monitoring process (Step 3.8); which vendors will be included in the reports issued by the VMI (Step 3.9); and which vendors you will devote relationship-building resources to (Step 3.10).

    As you begin classifying your vendors, Info-Tech recommends using an iterative approach initially to validate the results from the classification model you configured in Step 2.1.

    1. Using the information from the Vendor Inventory tab (Step 1.7), identify your top 25 vendors by spend.
    2. Run your top 10 vendors by spend through the classification model and review the results.
      1. If the results are what you expected and do not contain any significant surprises, go to next page.
      2. If the results are not what you expected or contain significant surprises, look at the configuration page of the tool (Tab 1) and adjust the weights or the spend categories slightly. Be cautious in your evaluation of the results before modifying the configuration page – some legitimate results are unexpected or surprising based on bias. If you modify the weighting, review the new results and repeat your evaluation. If you modify the spend categories, review the answers on the vendor tabs to ensure that the answers are still accurate; review the new results and repeat your evaluation.

    Step 3.1: Classify vendors (cont.)

    Review your results and adjust the classification tool as needed.

    1. Run your top 11 through 25 vendors by spend through the classification model and review the results. Identify any unexpected results or surprises. Determine if further configuration makes sense and repeat the process outlined in 2.b, previous page, as necessary. If no further modifications are required, continue to 4, below.
    2. Share the preliminary results with the leadership team, executives, and stakeholders to obtain their approval or adjustments to the results.
      1. They may have questions and want to understand the process before approving the results.
      2. They may request that you move a vendor from one quadrant to another based on your organization’s roadmap, the vendor’s roadmap, or other information not available to you.
    3. Identify the vendors that will be part of the VMI at this stage – how many and which ones. Based on this number and the VMI’s scope (Step 1.2), make sure you have the resources necessary to accommodate the number of vendors participating in the VMI. Proceed cautiously and gradually increase the number of vendors participating in the VMI.

    Step 3.1: Classify vendors (cont.)

    Finalize the results and update VMI tools and templates.

    1. Update the Vendor Inventory tab (Step 1.7) to indicate the current classification status for the top 25 vendors by spend. Once your vendors have been classified, you can sort the Vendor Inventory tab by classification status to see all the vendors in that category at once.
    2. Review your 3-year roadmap (Step 2.9) and 90-day plans (Step 2.10) to determine if any modifications are needed to the activities and timelines.

    Additional classification considerations:

    • You should only have a few vendors that fit in the strategic category. As a rough guideline, no more than 5% to 10% of your IT vendors should end up in the strategic category. If you have a large number of vendors, even 5% may be too many. The classification model is an objective start to the classification process, but common sense must prevail over the “math” at the end of the day.
    • At this point, there is no need to go beyond the top 25 by spend. Most VMIs starting out can’t handle more than three to five strategic vendors initially. Allow the VMI to run a pilot program with a small sample size, work out any bugs, make adjustments, and then ramp up the VMI’s rollout in waves. Vendors can be added quarterly, biannually, or annually, depending upon the desired goals and available resources.

    Step 3.1: Classify vendors (cont.)

    Align your vendor strategy to your classification results.

    As your VMI matures, additional vendors will be part of the VMI. Review the table below and incorporate the applicable strategies into your deployment of vendor management principles over time. Stay true to your mission, goals, and scope, and remember that not all of your vendors are of equal importance.

    Operational Strategic
    • Focus on spend containment
    • Concentrate on lowering total cost of ownership
    • Invest moderately in cultivating the relationship
    • Conduct BAMs biannually or annually
    • Compile scorecards quarterly or biannually
    • Identify areas for performance and cost improvement
    • Focus on value, collaboration, and alignment
    • Review market intelligence for the vendor’s industry
    • Invest significantly in cultivating the relationship
    • Initiate executive-to-executive relationships
    • Conduct BAMs quarterly
    • Compile scorecards quarterly
    • Understand how the vendors view your organization

    Commodity

    Tactical

    • Investigate vendor rationalization and consolidation
    • Negotiate for the best-possible price
    • Leverage competition during negotiations
    • Streamline the purchasing and payment process
    • Allocate minimal VMI resources
    • Assign the lowest priority for vendor management metrics
    • Conduct risk assessments biannually or annually
    • Cultivate a collaborative relationship based on future growth plans or potential with the vendor
    • Conduct BAMs quarterly or biannually
    • Compile scorecards quarterly
    • Identify areas of performance improvement
    • Leverage innovation and creative problem solving

    Step 3.1: Classify vendors (cont.)

    Be careful when using the word “partner” with your strategic and other vendors.

    For decades, vendors have used the term “partner” to refer to the relationship they have with their clients and customers. In many regards, this is often an emotional ploy used by the vendors to get the upper hand. To fully understand the terms “partner” and “partnership” let’s evaluate them through two more-objective, less-cynical lenses.

    If you were to talk to your in-house or outside legal counsel, you may be told that partners share in profits and losses, and they have a fiduciary obligation to each other. Unless there is a joint venture between the parties, you are unlikely to have a partnership with a vendor from this perspective.

    What about a “business” partnership … one that doesn’t involve sharing profits and losses? What would that look like? Here are some indicators of a business partnership (or preferably a strategic alliance):

    • Trust and transparent communication exist.
    • You have input into the vendor’s roadmap for products and services.
    • The vendor is aligned with your desired outcomes and helps you achieve success.
    • You and the vendor are accountable for actions and inactions, with both parties being at risk.
    • There is parity in the peer-to-peer relationships between the organizations (e.g. C-Level to C-Level).
    • The vendor provides transparency in pricing models and proactively suggests ways for you to reduce costs.
    • You and the vendor work together to make each party better, providing constructive feedback on a regular basis.
    • The vendor provides innovative suggestions for you to improve your processes, performance, the bottom line, etc.
    • Negotiations are not one-sided; they are meaningful and productive, resulting in an equitable distribution of money and risk.

    Step 3.1: Classify vendors (cont.)

    Understand the implications and how to leverage the words “partner” and “partnership.”

    By now you might be thinking, “What’s all the fuss? Why does it matter?” At Info-Tech, we’ve seen firsthand how referring to the vendor as a partner can have the following impact:

    • Confidences are disclosed unnecessarily.
    • Negotiation opportunities and leverage are lost.
    • Vendors no longer have to earn the customer’s business.
    • Vendor accountability is missing due to shared responsibilities.
    • Competent skilled vendor resources are assigned to other accounts.
    • Value erodes over time since contracts are renewed without being competitively sourced.
    • One-sided relationships are established, and false assurances are provided at the highest levels within the customer organization.

    Proceed with caution when using partner or partnership with your vendors. Understand how your organization benefits from using these terms and mitigate the negatives outlined above by raising awareness internally to ensure people understand the psychology behind the terms. Finally, use the term to your advantage when warranted by referring to the vendor as a partner when you want or need something that the vendor is reluctant to provide. Bottom line: Be strategic in how you refer to vendors and know the risks.

    Step 3.2: Conduct internal “kickoff” meeting

    Raise awareness about the VMI and its mission, vision, and goals.

    To be effective, your VMI needs executive support, a clear vision, appropriate governances and tools, personnel with the right skills, and other items discussed in this blueprint. However, the VMI doesn’t exist in a vacuum … it can’t sit back and be reactive. As part of being proactive, the VMI must be aware of its brand and “market” its services. An effective way to market the VMI is to conduct an internal kickoff meeting. There are at least a couple of ways to do this:

    • Host a meeting for stakeholders, executives, and others who will be contributing to the VMI processes (but are not part of the VMI). The meeting can be part of a townhall or standalone meeting; it can be done live or via a recorded video.
    • Attend appropriate staff meetings and make your presentation.

    With either approach above or one of your choosing, keep in mind the following objectives for your kickoff meeting:

    • Make sure you provide a way for those in attendance to ask questions at that time and later. You want to create and foster a communication loop with the people who will be impacted by the VMI or participating with it.
    • Raise awareness of your existence and personnel. Tell the VMI’s story by sharing your mission statement, goals, and scope; this will help dispel (or confirm) rumors about the VMI that often lead to confusion and faulty assumptions.
    • As you share the VMI’s vision, connect the story to how the VMI will impact the organization and individuals and to how they can help. The VMI tends to be the least autonomous area within an organization; it needs the assistance of others to be successful. Convey an atmosphere of collaboration and appreciation for their help.

    Host a kickoff meeting annually to kickoff the new year. Remind people of your story, announce successes from the past year, and indicate what the future year holds. Keep it brief, make it personal for the audience, and help them connect the names of VMI personnel to faces.

    Step 3.3: Conduct vendor orientation

    Introduce your VMI to your top vendors.

    Based on the results from your vendor classification (Step 3.1) and your VMI deployment timeline, identify the vendors who will participate in the initial orientation meetings. Treat the orientation as a formal, required meeting for the vendors to attend. Determine the attendee list for your organization and the vendors, and send out invites. Ideally, you will want the account manager, a sales director or vice president, the “delivery” director or vice president, and an executive from the vendor in the meeting. From the customer side, you may need more than one or two people from the VMI to entice the vendor’s leadership team to attend; you may need attendance from your own leadership team to add weight or credibility to the meeting (unfortunately).

    Before going into the meeting, make sure everyone on your side knows their roles and responsibilities, and review the agenda. Control the agenda or the meeting is likely to get out of hand and turn into a sales call.

    Conduct orientation meetings even if the participating vendors have been doing business with you for several years. Don’t assume they know all about your organization and your VMI (even if their other clients have a VMI).

    Run two or three orientation meetings and then review the “results.” What needs to be modified? What lessons have you learned? Make any necessary adjustments and continue rolling out the orientation meetings.

    Early in the VMI’s deployment, reorientation and debrief may not be in play. As time passes, it is important to remember them! Use them when warranted to help with vendor alignment.

    Step 3.4: Compile scorecards

    Begin scoring your top vendors.

    The scorecard process typically is owned and operated by the VMI, but the actual rating of the criteria within the measurement categories is conducted by those with day-to-day interactions with the vendors, those using or impacted by the services and products provided by the vendors, and those with the skills to research other information on the scorecard (e.g. risk). Chances are one person will not be able to complete an entire scorecard by themselves. As a result, the scorecard process is a team sport comprising sub-teams where necessary.

    The VMI will compile the scores, calculate the final results, and aggregate all of the comments into one scorecard. There are two common ways to approach this task:

    1. Send out the scorecard template to those who will be scoring the vendor and ask them to return it when completed, providing them with a due date a few days before you actually need it; you’ll need time to compile, calculate, and aggregate.
    2. Invite those who will be scoring the vendor to a meeting and let the contributors use that time to score the vendors; make VMI team members available to answer questions and facilitate the process.

    Step 3.4: Compile scorecards (cont.)

    Gather input from stakeholders and others impacted by the vendors.

    Since multiple people will be involved in the scorecarding process or have information to contribute, the VMI will have to work with the reviewers to ensure that the right mix of data is provided. For example:

    • If you are tracking lawsuits filed by or against the vendor, one person from Legal may be able to provide that, but they may not be able to evaluate any other criteria on the scorecard.
    • If you are tracking salesperson competencies, multiple people from multiple areas may have valuable insights.
    • If you are tracking deliverable timeliness, several project managers may want to contribute across several projects.

    Where one person is contributing exclusively to limited criteria, make it easy for the person to identify the criteria they are to evaluate. When multiple people from the same functional area will provide insights, they can contribute individually (and the VMI will average their responses) or they can respond collectively after reaching consensus among themselves.

    After the VMI has compiled, calculated, and aggregated, share the results with executives, impacted stakeholders, and others who will be attending the BAM for that vendor. Depending upon the comments provided by internal personnel, you may need to create a sanitized version of the scorecard for the vendor.

    Make sure your process timeline has a buffer built in. You’ll be sending the final scorecard to the vendor three to five days before the BAM, and you’ll need some time to assemble the results. The scorecarding process can be perceived as a low-priority activity for people outside of the VMI, and other “priorities” will arise for them. Without a timeline buffer, the VMI may find itself behind schedule and unprepared due to things beyond its control.

    Step 3.5: Conduct business alignment meetings

    Determine which vendors will participate and how long the meetings will last.

    At their core, BAMs aren’t that different from any other meeting. The basics of running a meeting still apply, but there are a few nuances that apply to BAMs Set out below are leading practices for conducing your BAMs; adapt them to meet your needs and suit your environment.

    Who

    Initially, BAMs are conducted with the strategic vendors in your pilot program. Over time, you’ll add vendors until all of your strategic vendors are meeting with you quarterly. After that, roll out the BAMs to those tactical and operational vendors located close to the strategic quadrant in the classification model (Steps 2.1 and 3.1) and as VMI resources allow. It may take several years before you are holding regular BAMs with all of your strategic, tactical, and operational vendors.

    Duration

    Keep the length of your meetings reasonable. The first few with a vendor may need to be 60 to 90 minutes long. After that, you should be able to trim them to 45 to 60 minutes. The BAM does not have to fill the entire time. When you are done, you are done.

    Step 3.5: Conduct business alignment meetings (cont.)

    Identify who will be invited and send out invitations.

    Invitations

    Set up a recurring meeting whenever possible. Changes will be inevitable, but keeping the timeline regular works to your advantage. Also, the vendors included in your initial BAMs won’t change for twelve months. For the first BAM with a vendor, provide adequate notice; four weeks is sufficient in most instances, but calendars will fill up quickly for the main attendees from the vendor. Treat the meeting as significant and make sure your invitation reflects this. A simple meeting request will often be rejected, treated as optional, or ignored completely by the vendor’s leadership team (and maybe yours as well!).

    Invitees

    Internal invitees should include those with a vested interest in the vendor’s performance and the relationship. In addition, other functional areas may be invited based on need or interest. Be careful the attendee list doesn’t get too big. Based on this, internal BAM attendees often include representatives from IT, Sourcing/Procurement, and the applicable business units. At times, Finance and Legal are included.

    From the vendor’s side, strive to have decision makers and key leaders attend. The salesperson/account manager is often included for continuity, but a director or vice president of sales will have more insights and influence. The project manager is not needed at this meeting due to the nature of the meeting and its agenda; however, a director or vice president from the “product or service delivery” area is a good choice. Bottom line: get as high into the vendor’s organization as possible whenever possible; look at the types of contracts you have with that vendor to provide guidance on the type of people to invite.

    Step 3.5: Conduct business alignment meetings (cont.)

    Prepare for the meetings and maintain control.

    Preparation

    Send the scorecard and agenda to the vendor five days prior to the BAM. The vendor should provide you with any information you require for the meeting five days prior as well.

    Decide who will run the meeting. Some customers like to lead and others let the vendor present. How you craft the agenda and your preferences will dictate who runs the show.

    Make sure the vendor knows what materials it should bring to the meeting or have access to. This will relate to the agenda and any specific requests listed under the discussion points. You don’t want the vendor to be caught off guard and unable to discuss a matter of importance to you.

    Running the BAM

    Regardless of which party leads, make sure you manage the agenda to stay on topic. This is your meeting – not the vendor’s, not IT’s, not Procurement’s or Sourcing’s. Don’t let anyone hijack it.

    Make sure someone is taking notes. If you are running this virtually, consider recording the meeting. Check with your legal department first for any concerns, notices, or prohibitions that may impact your recording the session.

    As a reminder, this is not a sales call, and this is not a social activity. Innovation discussions are allowed and encouraged, but that can quickly devolve into a sales presentation. People can be friendly toward one another, but the relationship building should not overwhelm the other purposes.

    Step 3.5: Conduct business alignment meetings (cont.)

    Follow these additional guidelines to maximize your meetings.

    More Leading Practices

    • Remind everyone that the conversation may include items covered by various confidentiality provisions or agreements.
    • Publish the meeting minutes on a timely basis (within 48 hours).
    • Focus on the bigger picture by looking at trends over time; get into the details only when warranted.
    • Meet internally immediately beforehand to prepare – don’t go in cold; review the agenda and the roles and responsibilities for the attendees.
    • Physical meetings are better than virtual meetings, but travel constraints, budgets, and pandemics may not allow for physical meetings.

    Final Thoughts

    • When performance or the relationship is suffering, be constructive in your feedback and conversations rather than trying to assign blame; lead with the carrot rather than the stick.
    • Look for collaborative solutions whenever possible and avoid referencing the contract if possible. Communicate your willingness to help resolve outstanding issues.
    • Use inclusive language and avoid language that puts the vendor on the defensive.
    • Make sure that your meetings are not focused exclusively on the negative, but don’t paint a rosy picture where one doesn’t exist.
    • A vendor that is doing well should be commended. This is an important part of relationship building.

    Step 3.6: Work the 90-day plan

    Monitor your progress and share your results.

    Having a 90-day plan is a good start, but assuming the tasks on the plan will be accomplished magically or without any oversight can lead to failure. While it won’t take a lot of time to work the plan, following a few basic guidelines will help ensure the 90-day plan gets results and wasn’t created in vain.

    90-Day Plan: Activity 1; Activity 2; Activity 3; Activity 4; Activity 5
    1. Measure and track your progress against the initial/current 90-day plan at least weekly; with a short timeline, any delay can have a huge impact.
    2. If adjustments are needed to any elements of the plan, understand the cause and the impact of those adjustments before making them.
    3. Make adjustments ONLY when warranted. The temptation will be to push activities and tasks further out on the timeline (or to the next 90-day plan!) when there is any sort of “hiccup” along the way, especially when personnel outside the VMI are involved. Hold true to the timeline whenever possible; once you start slipping, it often becomes a habit.
    4. Report on progress every week and hold people accountable for their assignments and contributions.
    5. Take the 90-day plan seriously and treat it as you would any significant project – this is part of the VMI’s branding and image.

    Step 3.7: Manage the 3-year roadmap

    Keep an eye on the future since it will feed the present.

    The 3-year roadmap is a great planning tool, but it is not 100% reliable. There are inherent flaws and challenges. Essentially, the roadmap is a set of three “crystal balls” attempting to tell you what the future holds. The vision for Year 1 may be fairly clear, but for each subsequent year, the crystal ball becomes foggier. In addition, the timeline is constantly changing; before you know it, tomorrow becomes today and Year 2 becomes Year 1.

    To help navigate through the roadmap and maximize its potential, follow these principles:

    • Manage each year of the roadmap differently.
      • Review the Year 1 map each quarter to update your 90-day plans (See steps 2.10 and 3.6).
      • Review the Year 2 map every six months to determine if any changes are necessary. As you cycle through this, your vantage point of Year 2 will be 6 months or 12 months away from the beginning of Year 2, and time moves quickly.
      • Review the Year 3 map annually, and determine what needs to be added, changed, or deleted. Each time you review Year 3, it will be a “new” Year 3 that needs to be built.
    • Analyze the impact on the proposed modifications from two perspectives: 1) What is the impact if a requested modification is made? 2) What is the impact if a requested modification is not made?
    • Validate all modifications with leadership and stakeholders before updating the 3-year roadmap to ensure internal alignment.

    Step 3.8: Measure and monitor risk

    Understand and manage risk levels.

    Using the configured Vendor Risk Assessment Tool (Step 2.2), confirm which risks you will be measuring and monitoring and identify the vendors that will be part of the initial risk management process. Generally, organizations start measuring and monitoring risk in two to five risk categories for two or three strategic vendors. Over time, additional risk categories and/or vendors can be added in waves. Resist the temptation to add risk categories or vendors into the mix too quickly. Expanding requires resources inside and outside of the VMI.

    The VMI will rely heavily on other areas to provide input or the risk data, and the VMI needs to establish good working relationships with those areas. For example, if legal risk is something being measured and monitored, the VMI will need data from Legal on the number and nature of any lawsuits filed by or against the applicable vendors; the VMI will need data from Legal, Contract Management, or Procurement/Sourcing on the number and nature of any agreed upon deviations from your organization’s preferred contract terms that increase legal risk.

    With respect to risk, the VMI’s main role is threefold: 1) take the data obtained from others (or in some instances the VMI may have the data) and turn it into useful information, 2) monitor the risk categories over time and periodically issue reports, and 3) work with other areas to manage the risk.

    Step 3.9: Issue reports

    Inform internal personnel and vendors about trends, issues, progress, and results.

    Issuing the reports created in Step 2.12 is one of the main ways the VMI 1) will communicate with internal and external personnel and 2) track trends and information over time. Even with input from the potential reviewers of the reports, you’ll still want to seek their feedback and input periodically. It may take a few iterations until the reports are hitting their mark. You may find that a metric is no longer required, that a metric is missing completely or it is missing a component, or a formatting change would improve the report’s readability. Once a report has been “finalized,” try not to change it until you are engaged in Phase 4: Review activities. It can be unsettling for the reviewers when reports change constantly.

    Whenever possible, find ways to automate the reports. While issuing reports is critical, the function should not consume more time than necessary. Automation can remove some of the manual and repetitive tasks.

    Internal reports may need to be kept confidential. An automated dashboard or reporting tool can help lock down who has access to the information. At a minimum, the internal reports should contain a “Confidential” stamp, header, watermark, or other indicator that the materials are sensitive and should not be disclosed outside of your organization without approval.

    Reports for vendors may not need to be sent as often as reports are generated or prepared for internal personnel. Establish a cadence by classification model category and stick to it. Letting each vendor choose the frequency will make it more difficult for you to manage. The vendors can choose to ignore the report if they so choose.

    This is an image of an example of a bar graph showing ROI and Benchmark for Categories 1-6

    Step 3.10: Develop/improve vendor relationships

    Drive better performance through better relationships.

    One of the key components of a VMI is relationship management. Good relationships with your vendors provide many benefits for both parties, but they don’t happen by accident. Do not assume the relationship will be good or is good merely because your organization is buying products and services from a vendor.

    In many respects, the VMI should mirror a vendor’s sales organization by establishing relationships at multiple levels within the vendor organizations – not just with the salesperson or account manager. Building and maintaining relationships is hard work, but the return on investment makes it worthwhile.

    Business relationships are comprised of many components, not all of which have to be present to have a great relationship. However, there are some essential components. Whether you are trying to develop, improve, or maintain a relationship with a vendor, make sure you are conscious of the following:*

    • Focus your energies on strategic vendors first and then tactical and operational vendors.
    • Be transparent and honest in your communications.
    • Continue building trust by being responsive and honoring commitments (timely).
    • Create a collaborative environment and build upon common ground.
    • Thank the vendor when appropriate.
    • Resolve disputes early, avoid the “blame game,” and be objective when there are disagreements.

    Step 3.11: Contribute to other processes

    Continue assisting others and managing roles and responsibilities outside of the VMI.

    The VMI has processes that it owns and processes that it contributes to. Based on the VMI scope (Step 1.2), the OIC chart (Step 1.4), and the process mapping activities (Step 1.5), ensure that the VMI is honoring its contribution commitments. This is often easier said than done though. A number of factors can make it difficult to achieve the balance required to handle VMI processes and contribute to other processes associated with the VMI’s mission and vision. Understanding the issues is half the battle. If you see signs of these common “vampires,” take action quickly to address the situation.

    • The VMI’s first focus is often internal, and the tendency is to operate in a bubble. Classifying vendors, running BAMs, coordinating the risk process, and other inward-facing processes can consume all of the VMI’s energy. As a result, there is little time, effort, or let’s be honest, desire to participate in other processes outside of the VMI.
    • It is easy for VMI personnel to get dragged into processes and situations that are outside of its scope. This often happens when personnel join the VMI from other internal areas or departments and have good relationships with their former teammates. The relationships make it hard to say “No” when out-of-scope assistance is being requested.
    • The VMI may have “part-time” personnel who have responsibilities across internal departments, divisions, agencies, or teams. When the going gets tough and time is at a premium, people gravitate toward the easiest or most comfortable work. That work may not be VMI work.

    Phase 4: Review

    Keep Your VMI Up to Date and Running Smoothly

    Phase 1Phase 2Phase 3Phase 4
    1.1 Mission Statement and Goals


    1.2 Scope

    1.3 Strengths and Obstacles

    1.4 Roles and Responsibilities

    1.5 Process Mapping

    1.6 Charter

    1.7 Vendor Inventory

    1.8 Maturity Assessment

    1.9 Structure

    2.1 Classification Model
    2.2 Risk Assessment Tool
    2.3 Scorecards and Feedback
    2.4 Business Alignment Meeting Agenda
    2.5 Relationship Alignment Document
    2.6 Vendor Orientation
    2.7 Job Descriptions
    2.8 Policies and Procedures
    2.9 3-Year Roadmap
    2.10 90-Day Plan
    2.11 Quick Wins
    2.12 Reports

    3.1 Classify Vendors
    3.2 Conduct Internal “Kickoff” Meeting
    3.3 Conduct Vendor Orientation
    3.4 Compile Scorecards
    3.5 Conduct Business Alignment Meetings
    3.6 Work the 90-Day Plan
    3.7 Manage the 3-Year Roadmap
    3.8 Measure and Monitor Risk
    3.9 Issue Reports
    3.10 Develop/Improve Vendor Relationships
    3.11 Contribute to Other Processes

    4.1 Assess Compliance
    4.2 Incorporate Leading Practices
    4.3 Leverage Lessons Learned
    4.4 Maintain Internal Alignment
    4.5 Update Governances

    This phase will walk you through the following activities:

    Identify what the VMI should stop doing, start doing, and continue doing as it improves and matures. The main outcomes from this phase are ways to advance the VMI and maintain internal alignment.

    This phase involves the following participants:

    • VMI team
    • Applicable stakeholders and executives
    • Others as needed

    Jump Start Your Vendor Management Initiative

    Phase 4: Review

    Keep your VMI up to date and running smoothly.

    As the old adage says, “The only thing constant in life is change.” This is particularly true for your VMI. It will continue to mature; people inside and outside of the VMI will change; resources will expand or contract from year to year; your vendor base will change. As a result, your VMI needs the equivalent of a physical every year. In place of bloodwork, x-rays, and the other paces your physician may put you through, you’ll assess compliance with your policies and procedures, incorporate leading practices, leverage lessons learned, maintain internal alignment, and update governances.

    Be thorough in your actions during this Phase to get the most out of it. It requires more than the equivalent of gauging a person’s health by taking their temperature, measuring their blood pressure, and determining their body mass index. Keeping your VMI up to date and running smoothly takes hard work.

    Some of the items presented in this Phase require an annual review; others may require quarterly review or timely review (i.e. when things are top of mind and current). For example, collecting lessons learned should happen on a timely basis rather than annually, and classifying your vendors should occur annually rather than every time a new vendor enters the fold.

    Ultimately, the goal is to improve over time and stay aligned with other areas internally. This won’t happen by accident. Being proactive in the review of your VMI further reinforces the nature of the VMI itself – proactive vendor management, NOT reactive!

    Step 4.1: Assess compliance

    Determine what is functionally going well and not going well.

    Whether you have a robust set of vendor management-related policies and procedures or they are the bare minimum, gathering data each quarter and conducting an assessment each year will provide valuable feedback. The scope of your assessment should focus on two concepts: 1) are the policies and procedures being followed and 2) are the policies and procedures accurate and relevant. This approach requires parallel thinking, but it will help you understand the complete picture and minimize the amount of time required.

    Use the steps listed below (or modify them for your culture) to conduct your assessment:

    • Determine the type of assessment – formal or informal.
    • Determine the scale of the assessment – which policies and procedures will be reviewed and how many people will be interviewed.
    • Determine the compliance levels, and seek feedback on the policies and procedures – what is going well and what can be improved?
    • Review the compliance deviations.
    • Conduct a root cause analysis for the deviations.
    • Create a list of improvements and gain approval.
    • Create a plan for minimizing noncompliance in the future.
      • Improve/increase education and awareness.
      • Clarify/modify policies and procedures.
      • Add resources, tools, and people (as necessary and as allowed).

    Step 4.2: Incorporate leading practices

    Identify and evaluate what external VMIs are doing.

    The VMI’s world is constantly shifting and evolving. Some changes will take place slowly, while others will occur quickly. Think about how quickly the cloud environment has changed over the past five years versus the 15 years before that; or think about issues that have popped up and instantly altered the landscape (we’re looking at you COVID-19 and ransomware). As a result, the VMI needs to keep pace, and one of the best ways to do that is to incorporate leading practices.

    At a high level, a leading practice is a way of doing something that is better at producing a particular outcome or result or performing a task or activity than other ways of proceeding. The leading practice can be based on methodologies, tools, processes, procedures, and other items. Leading practices change periodically due to innovation, new ways of thinking, research, and other factors. Consequently, a leading practice is to identify and evaluate leading practices each year.

    Step 4.2: Incorporate leading practices (cont.)

    Update your VMI based on your research.

    • A simple approach for incorporating leading practices into your regular review process is set out below:
    • Research:
      • What other VMIs in your industry are doing.
      • What other VMIs outside your industry are doing.
      • Vendor management in general.
    • Based on your results, list specific leading practices others are doing that would improve your VMI (be specific – e.g. other VMIs are incorporating risk into their classification process).
    • Evaluate your list to determine which of these potential changes fit or could be modified to fit your culture and environment.
    • Recommend the proposed changes to leadership (with a short business case or explanation/justification, as needed) and gain approval.

    Remember: Leading practices or best practices may not be what is best for you. In some instances, you will have to modify them to fit your culture and environment; in other instances, you will elect not to implement them at all (in any form).

    Step 4.3: Leverage lessons learned

    Tap into the collective wisdom and experience of your team members.

    There are many ways to keep your VMI running smoothly, and creating a lessons learned library is a great complement to the other ways covered in this Phase 4: Review. By tapping into the collective wisdom of the team and creating a safe feedback loop, the VMI gains the following benefits:

    • Documented institutional wisdom and knowledge normally found only in the team members’ brains.
    • The ability for one team member to gain insights and avoid mistakes without having to duplicate the events leading to the insights or mistakes.
    • Improved methodologies, tools, processes, procedures, skills, and relationships.

    Many of the processes raised in this Phase can be performed annually, but a lessons learned library works best when the information is “deposited” in a timely manner. How you choose to set up your lessons learned process will depend on the tools you select and your culture. You may want to have regular “input” meetings to share the lessons as they are being deposited, or you may require team members to deposit lessons learned on a regular basis (within a week after they happen, monthly, or quarterly). Waiting too long can lead to vague or lost memories and specifics – timeliness of the deposits is a crucial element.

    Step 4.3: Leverage lessons learned (cont.)

    Create a library to share valuable information across the team.

    Lessons learned are not confined to identifying mistakes or dissecting bad outcomes. You want to reinforce good outcomes as well. When an opportunity for a lessons-learned deposit arises, identify the following basic elements:

    • A brief description of the situation and outcome.
    • What went well (if anything) and why did it go well?
    • What didn't go well (if anything) and why didn't it go well?
    • What would/could you do differently next time?
    • A synopsis of the lesson(s) learned.

    Info-Tech Insights

    The lessons learned library needs to be maintained. Irrelevant material needs to be culled periodically, and older or duplicate material may need to be archived.

    The lessons learned process should be blameless. The goal is to share insightful information … not to reward or punish people based on outcomes or results.

    Step 4.4: Maintain internal alignment

    Review the plans of other internal areas to stay in sync.

    Maintaining internal alignment is essential for the ongoing success of the VMI. Over time, it is easy to lose sight of the fact that the VMI does not operate in a vacuum; it is an integral component of a larger organization whose parts must work well together to function optimally. Focusing annually on the VMI’s alignment within the enterprise helps reduce any breakdowns that could derail the organization.

    To ensure internal alignment:

    • Review the key components of the applicable materials from Phase 1: Plan and Phase 2: Build with the appropriate members of the leadership team (e.g. executives, sponsors, and stakeholders). Not every item from those Phases and Steps needs to be reviewed, but err on the side of caution for the first set of alignment discussions, and be prepared to review each item. You can gauge the audience’s interest on each topic and move quickly when necessary or dive deeper when needed. Identify potential changes required to maintain alignment.
    • Review the strategic plans (e.g. 1-, 3-, and 5- year plans) for various portions of the organization if you have access to them or gather insights if you don’t have access.
      • If the VMI is under the IT umbrella, review the strategic plans for IT and its departments.
      • Review the strategic plans for the areas the VMI works with (e.g. Procurement, Business Units).
      • The organization itself.
    • Create and vet a list of modifications to the VMI and obtain approval.
    • Develop a plan for making the necessary changes.

    Step 4.5: Update governances

    Revise your protocols and return to the beginning of cyclical processes.

    You’re at the final Step and ready to update governances. This is comprised of two sequential paths.

    • First, use the information from Steps 4.1-4.4 to make any required modifications to the items in Phase 1: Plan, Phase 2: Build, and Phase 3: Run. For example, you may need to update your policies and procedures (Step 2.8) based on your findings in Step 4.1; or you may need to update the VMI’s scope (Step 1.2) to ensure internal alignment issues identified in Step 4.4. are accounted for.
    • Second, return to Phase 3: Run to perform the activities below; they tend to be performed annually, but use your discretion and perform them on an as-needed basis:
      • Reclassify vendors.
      • Complete a new maturity assessment.
      • Run reorientation sessions for vendors.
      • Conduct a kickoff meeting to update internal personnel.

    Other activities and tasks (e.g. scorecards and BAMs) may be impacted by the modifications made above, but the nature of their performance follows a shorter cadence. As a result, they are not specifically called out here in this Step 4.5 since they are performed on an ongoing basis. However, don’t overlook them as part of your update.

    Summary of Accomplishment

    Problem Solved

    Vendor management is a broad, often overwhelming, comprehensive spectrum that encompasses many disciplines. By now, you should have a great idea of what vendor management can or will look like in your organization. Focus on the basics first: Why does the VMI exist and what does it hope to achieve? What is its scope? What are the strengths you can leverage, and what obstacles must you manage? How will the VMI work with others? From there, the spectrum of vendor management will begin to clarify and narrow.

    Leverage the tools and templates from this blueprint and adapt them to your needs. They will help you concentrate your energies in the right areas and on the right vendors to maximize the return on your organization’s investment in the VMI of time, money, personnel, and other resources. You may have to lead by example internally and with your vendors at first, but they will eventually join you on your path if you stay true to your course.

    At the heart of a good VMI is the relationship component. Don’t overlook its value in helping you achieve your vendor management goals. The VMI does not operate in a vacuum, and relationships (internal and external) will be critical.

    Lastly, seek continual improvement from the VMI and from your vendors. Both parties should be held accountable, and both parties should work together to get better. Be proactive in your efforts, and you, the VMI, and the organization will be rewarded.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop

    Contact your account representative for more information

    workshops@infotech.com

    1-888-670-8889

    Related Info-Tech Research

    Prepare for Negotiations More Effectively

    Don't leave negotiation preparations and outcomes to chance. Learn how to prepare for negotiations more effectively and improve your results.

    Understand Common IT Contract Provisions to Negotiate More Effectively

    Info-Tech’s guidance and insights will help you navigate the complex process of contract review and identify the key details necessary to maximize the protections for your organization.

    Capture and Market the ROI of Your VMO

    Calculating the impact or value of a vendor management office (VMO) can be difficult without the right framework and tools. Let Info-Tech’s tools and templates help you account for the contributions made by your VMO.

    Bibliography

    “Best Practices for Writing Corporate Policies and Procedures.” PowerDMS, 29 Dec. 2020. Accessed 11 January 2022.

    Duncan. “Top 10 Tips for Creating Compelling Reports.” Design Eclectic, 11 October 2019. Accessed 29 March 2022.

    Eby, Kate. “Master Writing Policies, Procedures, Processes, and Work Instructions.” 1 June 2018, updated 19 July 2021. Accessed 11 January 2022.

    “Enterprise Risk Management.” Protiviti, n.d. Accessed 16 Feb. 2017.

    Geller & Company. “World-Class Procurement — Increasing Profitability and Quality.” Spend Matters, 2003. Accessed 4 March 2019.

    Guth, Stephen. “Vendor Relationship Management Getting What You Paid for (And More).” Citizens, 26 Feb. 2015. Web.

    Guth, Stephen. The Vendor Management Office: Unleashing the Power of Strategic Sourcing. Lulu.com, 2007. Print.

    “ISG Index 4Q 2021.” Information Services Group, Inc., 2022. Web.

    “Six Tips for Making a Quality Report Appealing and Easy To Skim.” AHRQ, Oct. 2019. Accessed 29 March 2022.

    Tucker, Davis. “Marketing Reporting: Tips to Create Compelling Reports.” 60 Second Marketer, 28 March 2020. Accessed 29 March 2022.

    “Why Do We Perform Better When Someone Has High Expectations of Us?” The Decision Lab, 9 Sept. 2020. Accessed 31 January 2022.

    Develop and Implement a Security Incident Management Program

    • Buy Link or Shortcode: {j2store}316|cart{/j2store}
    • member rating overall impact: 9.2/10 Overall Impact
    • member rating average dollars saved: $105,346 Average $ Saved
    • member rating average days saved: 39 Average Days Saved
    • Parent Category Name: Threat Intelligence & Incident Response
    • Parent Category Link: /threat-intelligence-incident-response
    • Tracked incidents are often classified into ready-made responses that are not necessarily applicable to the organization. With so many classifications, tracking becomes inefficient and indigestible, allowing major incidents to fall through the cracks.
    • Outcomes of incident response tactics are not formally tracked or communicated, resulting in a lack of comprehensive understanding of trends and patterns regarding incidents, leading to being re-victimized by the same vector.
    • Having a formal incident response document to meet compliance requirements is not useful if no one is adhering to it.

    Our Advice

    Critical Insight

    • You will experience incidents. Don’t rely on ready-made responses. They’re too broad and easy to ignore. Save your organization response time and confusion by developing your own specific incident use cases.
    • Analyze, track, and review results of incident response regularly. Without a comprehensive understanding of incident trends and patterns, you can be re-victimized by the same attack vector.
    • Establish communication processes and channels well in advance of a crisis. Don’t wait until a state of panic. Collaborate and exchange information with other organizations to stay ahead of incoming threats.

    Impact and Result

    • Effective and efficient management of incidents involves a formal process of preparation, detection, analysis, containment, eradication, recovery, and post-incident activities.
    • This blueprint will walk through the steps of developing a scalable and systematic incident response program relevant to your organization.

    Develop and Implement a Security Incident Management Program Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should develop and implement a security incident management program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Prepare

    Equip your organization for incident response with formal documentation of policies and processes.

    • Develop and Implement a Security Incident Management Program – Phase 1: Prepare
    • Security Incident Management Maturity Checklist ‒ Preliminary
    • Information Security Requirements Gathering Tool
    • Incident Response Maturity Assessment Tool
    • Security Incident Management Charter Template
    • Security Incident Management Policy Template
    • Security Incident Management RACI Tool

    2. Operate

    Act with efficiency and effectiveness as new incidents are handled.

    • Develop and Implement a Security Incident Management Program – Phase 2: Operate
    • Security Incident Management Plan
    • Security Incident Runbook Prioritization Tool
    • Security Incident Management Runbook: Credential Compromise
    • Security Incident Management Workflow: Credential Compromise (Visio)
    • Security Incident Management Workflow: Credential Compromise (PDF)
    • Security Incident Management Runbook: Distributed Denial of Service
    • Security Incident Management Workflow: Distributed Denial of Service (Visio)
    • Security Incident Management Workflow: Distributed Denial of Service (PDF)
    • Security Incident Management Runbook: Malware
    • Security Incident Management Workflow: Malware (Visio)
    • Security Incident Management Workflow: Malware (PDF)
    • Security Incident Management Runbook: Malicious Email
    • Security Incident Management Workflow: Malicious Email (Visio)
    • Security Incident Management Workflow: Malicious Email (PDF)
    • Security Incident Management Runbook: Ransomware
    • Security Incident Management Workflow: Ransomware (Visio)
    • Security Incident Management Workflow: Ransomware (PDF)
    • Security Incident Management Runbook: Data Breach
    • Security Incident Management Workflow: Data Breach (Visio)
    • Security Incident Management Workflow: Data Breach (PDF)
    • Data Breach Reporting Requirements Summary
    • Security Incident Management Runbook: Third-Party Incident
    • Security Incident Management Workflow: Third-Party Incident (Visio)
    • Security Incident Management Workflow: Third-Party Incident (PDF)
    • Security Incident Management Runbook: Blank Template

    3. Maintain and optimize

    Manage and improve the incident management process by tracking metrics, testing capabilities, and leveraging best practices.

    • Develop and Implement a Security Incident Management Program – Phase 3: Maintain and Optimize
    • Security Incident Metrics Tool
    • Post-Incident Review Questions Tracking Tool
    • Root-Cause Analysis Template
    • Security Incident Report Template
    [infographic]

    Workshop: Develop and Implement a Security Incident Management Program

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Prepare Your Incident Response Program

    The Purpose

    Understand the purpose of incident response.

    Formalize the program.

    Identify key players and escalation points.

    Key Benefits Achieved

    Common understanding of the importance of incident response.

    Various business units becoming aware of their roles in the incident management program.

    Formalized documentation.

    Activities

    1.1 Assess the current process, obligations, scope, and boundaries of the incident management program.

    1.2 Identify key players for the response team and for escalation points.

    1.3 Formalize documentation.

    1.4 Prioritize incidents requiring preparation.

    Outputs

    Understanding of the incident landscape

    An identified incident response team

    A security incident management charter

    A security incident management policy

    A list of top-priority incidents

    A general security incident management plan

    A security incident response RACI chart

    2 Develop Incident-Specific Runbooks

    The Purpose

    Document the clear response procedures for top-priority incidents.

    Key Benefits Achieved

    As incidents occur, clear response procedures are documented for efficient and effective recovery.

    Activities

    2.1 For each top-priority incident, document the workflow from detection through analysis, containment, eradication, recovery, and post-incident analysis.

    Outputs

    Up to five incident-specific runbooks

    3 Maintain and Optimize the Program

    The Purpose

    Ensure the response procedures are realistic and effective.

    Identify key metrics to measure the success of the program.

    Key Benefits Achieved

    Real-time run-through of security incidents to ensure roles and responsibilities are known.

    Understanding of how to measure the success of the program.

    Activities

    3.1 Limited scope tabletop exercise.

    3.2 Discuss key metrics.

    Outputs

    Completed tabletop exercise

    Key success metrics identified

    Further reading

    Develop and Implement a Security Incident Management Program

    Create a scalable incident response program without breaking the bank.

    ANALYST PERSPECTIVE

    Security incidents are going to happen whether you’re prepared or not. Ransomware and data breaches are just a few top-of-mind threats that all organizations deal with. Taking time upfront to formalize response plans can save you significantly more time and effort down the road. When an incident strikes, don’t waste time deciding how to remediate. Rather, proactively identify your response team, optimize your response procedures, and track metrics so you can be prepared to jump to action.

    Céline Gravelines,
    Senior Research Analyst
    Security, Risk & Compliance Info-Tech Research Group

    Picture of Céline Gravelines

    Céline Gravelines,
    Senior Research Analyst
    Security, Risk & Compliance Info-Tech Research Group

    Our understanding of the problem

    This Research is Designed For

    • A CISO who is dealing with the following:
      • Inefficient use of time and money when retroactively responding to incidents, negatively affecting business revenue and workflow.
      • Resistance from management to adequately develop a formal incident response plan.
      • Lack of closure of incidents, resulting in being re-victimized by the same vector.

    This Research Will Help You

    • Develop a consistent, scalable, and usable incident response program that is not resource intensive.
    • Track and communicate incident response in a formal manner.
    • Reduce the overall impact of incidents over time.
    • Learn from past incidents to improve future response processes.

    This Research Will Also Assist

    • Business stakeholders who are responsible for the following:
    • Improving workflow and managing operations in the event of security incidents to reduce any adverse business impacts.
    • Ensuring that incident response compliance requirements are being adhered to.

    This Research Will Help Them

    • Efficiently allocate resources to improve incident response in terms of incident frequency, response time, and cost.
    • Effectively communicate expectations and responsibilities to users.

    Executive Summary

    Situation

    • Security incidents are inevitable, but how they’re dealt with can make or break an organization. Poor incident response negatively affects business practices, including workflow, revenue generation, and public image.
    • The incident response of most organizations is ad hoc at best. A formal management plan is rarely developed or adhered to, resulting in ineffective firefighting responses and inefficient allocation of resources.

    Complication

    • Tracked incidents are often classified into ready-made responses that are not necessarily applicable to the organization. With so many classifications, tracking becomes inefficient and indigestible, allowing major incidents to fall through the cracks.
    • Outcomes of incident response tactics are not formally tracked or communicated, resulting in a lack of comprehensive understanding of trends and patterns regarding incidents, leading to being revictimized by the same vector.
    • Having a formal incident response document to meet compliance requirements is not useful if no one is adhering to it.

    Resolution

    • Effective and efficient management of incidents involves a formal process of preparation, detection, analysis, containment, eradication, recovery, and post-incident activities.
    • This blueprint will walk through the steps of developing a scalable and systematic incident response program relevant to your organization.

    Info-Tech Insight

    • You will experience incidents. Don’t rely on ready-made responses. They’re too broad and easy to ignore. Save your organization response time and confusion by developing your own specific incident use cases.
    • Analyze, track, and review results of incident response regularly. Without a comprehensive understanding of incident trends and patterns, you can be re-victimized by the same attack vector.
    • Establish communication processes and channels well in advance of a crisis. Don’t wait until a state of panic. Collaborate and exchange information with other organizations to stay ahead of incoming threats.

    Data breaches are resulting in major costs across industries

    Per capita cost by industry classification of benchmarked companies (measured in USD)

    This is a bar graph showing the per capita cost by industry classification of benchmarked companies(measured in USD). the companies are, in decreasing order of cost: Health; Financial; Services; Pharmaceutical; Technology; Energy; Education; Industrial; Entertainment; Consumer; Media; Transportation; Hospitality; Retail; Research; Public

    Average data breach costs per compromised record hit an all-time high of $148 (in 2018).
    (Source: IBM, “2018 Cost of Data Breach Study)”

    % of systems impacted by a data breach
    1%
    No Impact
    19%
    1-10% impacted
    41%
    11-30% impacted
    24%
    31-50% impacted
    15%
    > 50% impacted
    % of customers lost from a data breach
    61% Lost
    < 20%
    21% Lost 20-40% 8% Lost
    40-60%
    6% Lost
    60-80%
    4% Lost
    80-100%
    % of customers lost from a data breach
    58% Lost
    <20%
    25% Lost
    20-40%
    9% Lost
    40-60%
    5% Lost
    60-80%
    4% Lost
    80-100%

    Source: Cisco, “Cisco 2017 Annual Cybersecurity Report”

    Defining what is security incident management

    IT Incident

    Any event not a part of the standard operation of a service which causes, or may cause, the interruption to, or a reduction in, the quality of that service.

    Security Event:

    A security event is anything that happens that could potentially have information security implications.

    • A spam email is a security event because it may contain links to malware.
    • Organizations may be hit with thousands or perhaps millions of identifiable security events each day.
    • These are typically handled by automated tools or are simply logged.

    Security Incident:

    A security incident is a security event that results in damage such as lost data.

    • Incidents can also include events that don't involve damage but are viable risks.
    • For example, an employee clicking on a link in a spam email that made it through filters may be viewed as an incident.

    It’s not a matter of if you have a security incident, but when

    The increasing complexity and prevalence of threats have finally caught the attention of corporate leaders. Prepare for the inevitable with an incident response program.

    1. A formalized incident response program reduced the average cost of a data breach (per capita) from $148 to $134, while third-party involvement increased costs by $13.40.
    2. US organizations lost an average of $7.91 million per data breach as a result of increased customer attrition and diminished goodwill. Canada and the UK follow suit at $1.57 and $1.39 million, respectively.
    3. 73% of breaches are perpetrated by outsiders, 50% are the work of criminal groups, and 28% involve internal actors.
    4. 55% of companies have to manage fallout, such as reputational damage after a data breach.
    5. The average cost of a data breach increases by $1 million if left undetected for > 100 days.

    (Sources: IBM, “2018 Cost of Data Breach Study”; Verizon, “2017 Data Breach Investigations Report”; Cisco, “Cisco 2018 Annual Cybersecurity Report”)

    Threat Actor Examples

    The proliferation of hacking techniques and commoditization of hacking tools has enabled more people to become threat actors. Examples include:
    • Organized Crime Groups
    • Lone Cyber Criminals
    • Competitors
    • Nation States
    • Hacktivists
    • Terrorists
    • Former Employees
    • Domestic Intelligence Services
    • Current Employees (malicious and accidental)

    Benefits of an incident management program

    Effective incident management will help you do the following:

    Improve efficacy
    Develop structured processes to increase process consistency across the incident response team and the program as a whole. Expose operational weak points and transition teams from firefighting to innovating.

    Improve threat detection, prevention, analysis, and response
    Enhance your pressure posture through a structured and intelligence-driven incident handling and remediation framework.

    Improve visibility and information sharing
    Promote both internal and external information sharing to enable good decision making.

    Create and clarify accountability and responsibility
    Establish a clear level of accountability throughout the incident response program, and ensure role responsibility for all tasks and processes involved in service delivery.

    Control security costs
    Effective incident management operations will provide visibility into your remediation processes, enabling cost savings from misdiagnosed issues and incident reduction.

    Identify opportunities for continuous improvement
    Increase visibility into current performance levels and accurately identify opportunities for continuous improvement with a holistic measurement program.

    Impact

    Short term:
    • Streamlined security incident management program.
    • Formalized and structured response process.
    • Comprehensive list of operational gaps and initiatives.
    • Detailed response runbooks that predefine necessary operational protocol.
    • Compliance and audit adherence.
    Long term:
    • Reduced incident costs and remediation time.
    • Increased operational collaboration between prevention, detection, analysis, and response efforts.
    • Enhanced security pressure posture.
    • Improved communication with executives about relevant security risks to the business.
    • Preserved reputation and brand equity.

    Incident management is essential for organizations of any size

    Your incidents may differ, but a standard response ensures practical security.

    Certain regulations and laws require incident response to be a mandatory process in organizations.

    Compliance Standard Examples Description
    Federal Information Security Modernization Act (FISMA)
    • Organizations must have “procedures for detecting, reporting, and responding to security incidents” (2002).
    • They must also “inform operators of agency information systems about current and potential information security threats and vulnerabilities.”
    Federal Information Processing Standards (FIPS)
    • “Organizations must: (i) establish an operational incident handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.”
    Payment Card Industry Data Security Standard (PCI DSS v3)
    • 12.5.3: “Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.”
    Health Insurance Portability and Accountability Act (HIPAA)
    • 164.308: Response and Reporting – “Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.”

    Security incident management is applicable to all verticals

    Examples:
    • Finance
    • Insurance
    • Healthcare
    • Public administration
    • Education services
    • Professional services
    • Scientific and technical services

    Maintain a holistic security operations program

    Legacy security operations centers (SOCs) fail to address gaps between data sources, network controls, and human capital. There is limited visibility and collaboration between departments, resulting in siloed decisions that do not support the best interests of the organization.

    Security operations is part of what Info-Tech calls a threat collaboration environment, where members must actively collaborate to address cyberthreats affecting the organization’s brand, business operation, and technology infrastructure on a daily basis.

    Prevent: Defense in depth is the best approach to protect against unknown and unpredictable attacks. Diligent patching and vulnerability management, endpoint protection, and strong human-centric security (amongst other tactics) are essential. Detect: There are two types of companies – those who have been breached and know it, and those who have been breached and don’t know it. Ensure that monitoring, logging, and event detection tools are in place and appropriate to your organizational needs.
    Analyze: Raw data without interpretation cannot improve security and is a waste of time, money, and effort. Establish a tiered operational process that not only enriches data but also provides visibility into your threat landscape. Respond: Organizations can’t rely on an ad hoc response anymore – don’t wait until a state of panic. Formalize your response processes in a detailed incident runbook to reduce incident remediation time and effort.

    Info-Tech’s incident response blueprint is one of four security operations initiatives

    Design and Implement a Vulnerability Management Program Vulnerability Management
    Vulnerability management revolves around the identification, prioritization, and remediation of vulnerabilities. Vulnerability management teams hunt to identify which vulnerabilities need patching and remediating.
    • Vulnerability Tracking Tool
    • Vulnerability Scanning Tool RFP Template
    • Penetration Test RFP Template
    • Vulnerability Mitigation Process Template
    Integrate Threat Intelligence Into Your Security Operations Vulnerability Management
    Vulnerability management revolves around the identification, prioritization, and remediation of vulnerabilities. Vulnerability management teams hunt to identify which vulnerabilities need patching and remediating.
    • Threat Intelligence Maturity Assessment Tool
    • Threat Intelligence RACI Tool
    • Threat Intelligence Management Plan Template
    • Threat Intelligence Policy Template
    • Threat Intelligence Alert Template
    • Threat Intelligence Alert and Briefing Cadence Schedule Template
    Develop Foundational Security Operations Processes Operations
    Security operations include the real-time monitoring and analysis of events based on the correlation of internal and external data sources. This also includes incident escalation based on impact. These analysts are constantly tuning and tweaking rules and reporting thresholds to further help identify which indicators are most impactful during the analysis phase of operations.
    • Security Operations Maturity Assessment Tool
    • Security Operations Event Prioritization Tool
    • Security Operations Efficiency Calculator
    • Security Operations Policy
    • In-House vs. Outsourcing Decision-Making Tool
    • Seccrimewareurity Operations RACI Tool
    • Security Operations TCO & ROI Comparison Calculator
    Develop and Implement a Security Incident Management Program Incident Response (IR)
    Effective and efficient management of incidents involves a formal process of analysis, containment, eradication, recovery, and post-incident activities. Incident response teams coordinate root cause and incident gathering while facilitating post-incident lessons learned. Incident response can provide valuable threat data that ties specific indicators to threat actors or campaigns.
    Security Incident Management Policy
    • Security Incident Management Plan
    • Incident Response Maturity Assessment Tool
    • Security Incident Runbook Prioritization Tool
    • Security Incident Management RACI Tool
    • Various Incident Management Runbooks

    Understand how incident response ties into related processes

    Info-Tech Resources:
    Business Continuity Plan Develop a Business Continuity Plan
    Disaster Recovery Plan Create a Right-Sized Disaster Recovery Plan
    Security Incident Management Develop and Implement a Security Incident Management Program
    Incident Management Incident and Problem Management
    Service Desk Standardize the Service Desk

    Develop and Implement a Security Incident Management Program – project overview

    1. Prepare 2. Operate 3. Maintain and Optimize
    Best-Practice Toolkit 1.1 Establish the Drivers, Challenges, and Benefits.

    1.2 Examine the Security Incident Landscape and Trends.

    1.3 Understand Your Security Obligations, Scope, and Boundaries.

    1.4 Gauge Your Current Process to Identify Gaps.

    1.5 Formalize the Security Incident Management Charter.

    1.6 Identify Key Players and Develop a Call Escalation Tree.

    1.7 Develop a Security Incident Management Policy.

    2.1 Understand the Incident Response Framework.

    2.2 Understand the Purpose of Runbooks.

    2.3 Prioritize the Development of Incident-Specific Runbooks.

    2.4 Develop Top-Priority Runbooks.

    2.5 Fill Out the Root-Cause Analysis Template.

    2.6 Customize the Post-Incident Review Questions Tracking Tool to Standardize Useful Questions for Lessons-Learned Meetings.

    2.7 Complete the Security Incident Report Template.

    3.1 Conduct Tabletop Exercises.

    3.2 Initialize a Security Incident Management Metrics Program.

    3.3 Leverage Best Practices for Continuous Improvement.

    Guided Implementations Understand the incident response process, and define your security obligations, scope, and boundaries.

    Formalize the incident management charter, RACI, and incident management policy.
    Use the framework to develop a general incident management plan.

    Prioritize and develop top-priority runbooks.
    Develop and facilitate tabletop exercises.

    Create an incident management metrics program, and assess the success of the incident management program.
    Onsite Workshop Module 1:
    Prepare for Incident Response
    Module 2:
    Handle Incidents
    Module 3:
    Review and Communicate Security Incidents
    Phase 1 Outcome:
  • Formalized stakeholder support
  • Security Incident Management Policy
  • Security Incident Management Charter
  • Call Escalation Tree
  • Phase 2 Outcome:
    • A generalized incident management plan
    • A prioritized list of incidents
    • Detailed runbooks for top-priority incidents
    Phase 3 Outcome:
    • A formalized tracking system for benchmarking security incident metrics.
    • Recommendations for optimizing your security incident management processes.

    Workshop overview

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Workshop Day 1 Workshop Day 2 Workshop Day 3 Workshop Day 4 Workshop Day 5
    Activities
    • Kick off and introductions.
    • High-level overview of weekly activities and outcomes.
    • Understand the benefits of security incident response management.
    • Formalize stakeholder support.
    • Assess your current process, obligations, and scope.
    • Develop RACI chart.
    • Define impact and scope.
    • Identify key players for the threat escalation protocol.
    • Develop a security incident response policy.
    • Develop a general security incident response plan.
    • Prioritize incident-specific runbook development.
    • Understand the incident response process.
    • Develop general and incident-specific call escalation trees.
    • Develop specific runbooks for your top-priority incidents (e.g. ransomware).
      • Detect the incident.
      • Analyze the incident.
      • Contain the incident.
      • Eradicate the root cause.
      • Recover from the incident.
      • Conduct post-incident analysis and communication.
    • Develop specific runbooks for your next top-priority incidents:
      • Detect the incident.
      • Analyze the incident.
      • Contain the incident.
      • Eradicate the root cause.
      • Recover from the incident.
      • Conduct post-incident analysis and communication.
    • Determine key metrics to track and report.
    • Develop post-incident activity documentation.
    • Understand best practices for both internal and external communication.
    • Finalize key deliverables created during the workshop.
    • Present the security incident response program to key stakeholders.
    • Workshop executive presentation and debrief.
    • Finalize main deliverables.
    • Schedule subsequent Analyst Calls.
    • Schedule feedback call.
    Deliverables
    • Security Incident Management Maturity Checklist ‒ Preliminary
    • Security Incident Management RACI Tool
    • Security Incident Management Policy
    • General incident management plan
    • Security Incident Management Runbook
    • Development prioritization
    • Prioritized list of runbooks
    • Understanding of incident handling process
    • Incident-specific runbooks for two incidents (including threat escalation criteria and Visio workflow)
    • Discussion points for review with response team
    • Incident-specific runbooks for two incidents (including threat escalation criteria and Visio workflow)
    • Discussion points for review with response team
    • Security Incident Metrics Tool
    • Post-Incident Review Questions Tracking Tool
    • Post-Incident Report Analysis Template
    • Root Cause Analysis Template
    • Post-Incident Review Questions Tracking Tool
    • Communication plans
    • Workshop summary documentation
  • All final deliverables
  • Measured value for Guided Implementations

    Engaging in GIs doesn’t just offer valuable project advice – it also results in significant cost savings.

    GI Purpose Measured Value
    Section 1: Prepare

    Understand the need for an incident response program.
    Develop your incident response policy and plan.
    Develop classifications around incidents.
    Establish your program implementation roadmap.

    Time, value, and resources saved using our classification guidance and templates: 2 FTEs*2 days*$80,000/year = $1,280
    Time, value, and resources saved using our classification guidance and templates:
    2 FTEs*5 days*$80,000/year = $3,200

    Section 2: Operate

    Prioritize runbooks and develop the processes to create your own incident response program:

  • Detect
  • Analyze
  • Contain
  • Eradicate
  • Recover
  • Post-Incident Activity
  • Time, value, and resources saved using our guidance:
    4 FTEs*10 days*$80,000/year = $12,800 (if done internally)

    Time, value, and resources saved using our guidance:
    1 consultant*15 days*$2,000/day = $30,000 (if done by third party)
    Section 3: Maintain and Optimize Develop methods of proper reporting and create templates for communicating incident response to key parties. Time, value, and resources saved using our guidance, templates, and tabletop exercises:
    2 FTEs*3 days*$80,000/year = $1,920
    Total Costs To just get an incident response program off the ground. $49,200

    Insurance company put incident response aside; executives were unhappy

    Organization implemented ITIL, but formal program design became less of a priority and turned more ad hoc.

    Situation

    • Ad hoc processes created management dissatisfaction around the organization’s ineffective responses to data breaches.
    • Because of the lack of formal process, an entirely new security team needed to be developed, costing people their positions.

    Challenges

    • Lack of criteria to categorize and classify security incidents.
    • Need to overhaul the long-standing but ineffective program means attempting to change mindsets, which can be time consuming.
    • Help desk is not very knowledgeable on security.
    • New incident response program needs to be in alignment with data classification policy and business continuity.
    • Lack of integration with MSSP’s ticketing system.

    Next steps:

    • Need to get stakeholder buy-in for a new program.
    • Begin to establish classification/reporting procedures.

    Follow this case study to Phase 1

    Phase 1

    Prepare

    Develop and Implement a Security Incident Management Program

    Phase 1: Prepare

    PHASE 1 PHASE 2 PHASE 3
    Prepare Operate Optimize

    This phase walks you through the following activities:

    1.1 Establish the drivers, challenges, and benefits.
    1.2 Examine the security incident landscape and trends.
    1.3 Understand your security obligations, scope, and boundaries.
    1.4 Gauge your current process to identify gaps.
    1.5 Formalize a security incident management charter.
    1.6 Identify key players and develop a call escalation tree.
    1.7 Develop a security incident management policy.

    This phase involves the following participants:

    • CISO
    • Security team
    • IT staff
    • Business leaders

    Outcomes of this phase

    • Formalized stakeholder support.
    • Security incident management policy.
    • Security incident management charter.
    • Call escalation tree.

    Phase 1 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Prepare for Incident Response
    Proposed Time to Completion: 3 Weeks
    Step 1.1-1.3 Understand Incident Response Step 1.4-1.7 Begin Developing Your Program
    Start with an analyst kick-off call:
  • Discuss your current incident management status.
  • Review findings with analyst:
  • Review documents.
  • Then complete these activities…
    • Establish your security obligations, scope, and boundaries.
    • Identify the drivers, challenges, and benefits of formalized incident response.
    • Review any existing documentation.
    Then complete these activities…
    • Discuss further incident response requirements.
    • Identify key players for escalation and notifications.
    • Develop the policy.
    • Develop the plan.

    With these tools & templates:
    Security Incident Management Maturity Checklist ‒ Preliminary Information Security Requirements Gathering Tool

    With these tools & templates:
    Security Incident Management Policy
    Security Incident Management Plan
    Phase 1 Results & Insights:

    Ready-made incident response solutions often contain too much coverage: too many irrelevant cases that are not applicable to the organization are accounted for, making it difficult to sift through all the incidents to find the ones you care about. Develop specific incident use cases that correspond with relevant incidents to quickly identify the response process and eliminate ambiguity when handled by different individuals.

    Ice breaker: What is a security incident for your organization?

    1.1 Whiteboard Exercise – 60 minutes

    How do you classify various incident types between service desk, IT/infrastructure, and security?

    • Populate sticky notes with various incidents and assign them to the appropriate team.
      • Who owns the remediation? When are other groups involved? What is the triage/escalation process?
      • What other groups need to be notified (e.g. cyber insurance, Legal, HR, PR)?
      • Are there dependencies among incidents?
      • What are we covering in the scope of this project?

    Formalize Your Digital Business Strategy

    • Buy Link or Shortcode: {j2store}101|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation

    Your organization already has a digital strategy, but there is a lack of understanding of what digital means across the enterprise. Digital investments have been made in the past but failed to yield or demonstrate business value. Given the pace of change, the current digital strategy is outdated, and new digital opportunities need to be identified to inform the technology innovation roadmap.

    Our Advice

    Critical Insight

    Turn your digital strategy into a compelling change story that will create a unified vision of how you want to transform your business.

    Impact and Result

    • Identify new digitally enabled growth opportunities.
    • Understand which digital ideas yield the biggest return and the value they generate for the organization.
    • Understand the impact of opportunities on your business capabilities.
    • Map a customer journey to identify opportunities to transform stakeholder experiences.

    Formalize Your Digital Business Strategy Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Formalize Your Digital Business Strategy – a document that walks you through a series of activities to help brainstorm and ideate on possible new digital opportunities as an input into building your business case for a new IT innovation roadmap.

    Knowing which digital opportunities create the greatest business value requires a structured approach to ideate, prioritize, and understand the value they create for the business to help inform the creation of your business case for investment approval.

    • Formalize Your Digital Strategy Storyboard

    Infographic

    Further reading

    Formalize Your Digital Business Strategy

    Stay relevant in an evolving digital economy

    Executive Summary

    Your Challenge

    Common Obstacles

    Solution

    • Since 2020, the environment has been volatile, leading many CIOs to rethink their priorities and strategies.
    • The organization already has a digital strategy, but there is a lack of understanding of what digital means across the enterprise.
    • Digital investments have been made but fail to demonstrate the business value.
    • The current digital strategy was developed in isolation and failed to garner consensus on a common understanding of the digital vision from across the business.
    • CIOs struggle to understand what existing capabilities need to transform or what new digital capabilities are needed to support the digital ambitions.
    • The existing Digital Strategy is synonymous with the IT Strategy.
    • Identify new digitally enabled growth opportunities.
    • Understand which digital ideas yield the biggest return and the value they generate for the organization.
    • Understand the impact of opportunities on your business capabilities.
    • Map the customer journey to identify opportunities to transform the stakeholder experience.

    Info-Tech Insight

    Turn your existing digital strategy into a compelling change story that will create a unified vision of how you want to transform your business.

    Info-Tech’s Digital Transformation Journey

    Your journey: An IT roadmap for your Digital Business Strategy

    The image contains a screenshot of Info-Tech's Digital Transformation Journey.

    By now, you understand your current business context and capabilities

    The image contains a screenshot of the IT roadmap for your Digital Business Strategy.

    By this point you have leveraged industry roundtables to better understand the art of the possible, exploring global trends, shifts in market forces, customer needs, emerging technologies, and economic forecasts to establish your business objectives and innovation goals.

    Now you need to formalize digital business strategy.

    Phase 1: Industry Trends Report

    The image contains a screenshot of phase 1 industry trends report.

    Phase 2: Digital Maturity Assessment

    The image contains a screenshot of phase 2 digital maturity assessment.

    Phase 3: Zero-In on Business Objectives

    The image contains a screenshot of phase 3 Zero-in on business objectives.

    Business and innovation goals are established through stakeholder interviews and a heatmap of your current capabilities for transformation.

    Since 2020, market dynamics have forced organizations to reassess their strategies

    The unprecedented pace of global disruptions has become both a curse and a silver lining for many CIOs. The ability to maximize the value of digital will be vital to remain relevant in the new digital economy.

    The image contains a screenshot of an image that demonstrates how market dynamics force organizations to reassess their strategies.

    Formalize your digital strategy to address industry trends and market dynamics

    The goal of this phase is to ensure the scope of the current digital strategy reflects the right opportunities to allocate capital to resources, assets, and capabilities to drive strategic growth and operational efficiency.

    There are three key activities outlined in this deck that that can be undertaken by industry members to help evolve their current digital business strategy.

    1. Identify New Digitally Enabled Growth Opportunities
      • Host an ideation session to identify new leapfrog ideas
      • Discuss assumptions, value drivers, and risks
      • Translate ideas into opportunities and consolidate
    2. Evaluate New Digital Opportunities and Business Capabilities
      • Build an opportunity profile
      • Identify business capabilities for transformation
    3. Transform Stakeholder Journeys
      • Understand the impact of opportunities on value-chains
      • Identify stakeholder personas
      • Build a stakeholder journey map
      • Compile your new list of digital opportunities
    The image contains a screenshot of Formalize your digital business strategy.

    Info-Tech’s approach

    1. Identify New Digital Opportunities
      • Conduct an ideation session
      • Identify leapfrog ideas from trends
      • Evaluate each leapfrog idea to define opportunity
    2. Evaluate Opportunities and Business Capabilities
      • Build Opportunity Profile
      • Understand the impact of opportunities on business capabilities
    3. Transform Stakeholder Journeys
      • Analyze value chains
      • Map your Stakeholder Journey
      • Breakdown opportunities into initiatives

    Overview of Key Activities

    Formalize your digital business strategy

    Methodology

    Members Engaged

    • CIO
    • Business Executives

    Info-Tech

    • Industry Analyst
    • Executive Advisor

    Phase 1: New Digital Opportunities

    Phase 2: Evaluate Opportunities and Business Capabilities

    Phase 3: Transform Stakeholder Journeys

    Content Leveraged

    • Digital Business Strategy blueprint
    • Client’s Business Architecture
    1. Hold an ideation session with business executives.
      • Review relevant reports on industry trends, market shifts, and emerging technologies.
      • Establish guiding principles for digital transformation.
      • Leverage a trend-analysis approach to determine the most impactful and relevant trends.
      • From tends, elicit leapfrog ideas for growth opportunities.
      • For each idea, engage in discussion on assumptions, value drivers, benefits, and risks.
    1. Create opportunity profiles.
      • Evaluate each opportunity to determine if it is important to turn into initiatives
    2. Evaluate the impact of opportunities on your business capabilities.
      • Leverage a value-chain analysis to assess the impact of the opportunity across value chains in order to understand the impact across your business capabilities.
    1. Map stakeholder journey:
      • Identify stakeholder personas
      • Identify one journey scenario
      • Map stakeholder journey
      • Consolidate opportunities
    2. Breakdown opportunities into actional initiatives
      • Brainstorm priority initiatives against opportunities.

    Deliverable:

    Client’s Digital Business Strategy

    Phase 1: Deliverable

    1. Compiled list of leapfrog ideas for new growth opportunities

    Phase 2: Deliverables

    1. Opportunity Profile
    2. Business Capability Impact

    Phase 3: Deliverables

    1. Opportunity Profile
    2. Business Capability Impact

    Glossary of Terms

    LEAPFROG IDEAS

    The concept was originally developed in the area of industrial organizations and economic growth. Leapfrogging is the notion that organizations can identify opportunities to skip one or several stages ahead of their competitors.

    DIGITAL OPPORTUNITIES

    Opening of new possibilities to transform or change your business model and create operational efficiencies and customer experiences through the adoption of digital platforms, solutions, and capabilities.

    INITIATIVES

    Breakdown of opportunities into actionable initiatives that creates value for organizations through new or changes to business models, operational efficiencies, and customer experiences.

    1. LEAPFROG IDEAS:
      • Precision medicine
    2. DIGITAL OPPORTUNITY:
      • Machine Learning to sniff out pre-cancer cells
    3. INITIATIVES:
      1. Define genomic analytics capabilities and recruit
      2. Data quality and cleansing review
      3. Implement Machine Learning SW

    Identify Digitally Enabled Opportunities

    Host an ideation session to turn trends into growth opportunities with new leapfrog ideas.

    Phase 1Phase 2Phase 3

    Identify New Digitally Enabled Opportunities

    Evaluate Opportunities and Business Capabilities

    Transform Stakeholder Journeys

    Phase 1

    Host an Ideation Session to Identify New Digital Opportunities

    1.1

    IDENTIFY AND ASSEMBLE YOUR KEY STAKEHOLDERS

    Build support and eliminate blind spots

    It is important to make sure the right stakeholders participate in this working group. Designing a digital strategy will require debate, insights, and business decisions from a broad perspective across the enterprise. The focus is on the value to be generated from digital.

    Consider:

    • Who are the decision makers and key influencers?
    • Who will impact the business?
    • Who has a vested interest in the success or failure of the practice? Who has the skills and competencies necessary to help you be successful?

    Avoid:

    • Don’t focus on the organizational structure and hierarchy. Often stakeholder groups don’t fit the traditional structure.
    • Don’t ignore subject matter experts on either the business or IT side. You will need to consider both.
    1.2

    ESTABLISH GUIDING PRINCIPLES

    Define the guardrails to focus your ideas

    All ideas are great until you need one that works. Establish guiding principles that will help you establish the perimeters for turning big ideas into opportunities.

    Consider:

    • Focus on the breadth and alignment to support business objectives
    • This should help narrow conceptual ideas into actionable initiatives

    Avoid:

    • Don’t recreate the corporate guiding principles
    • Focus on what will help define strategic growth opportunities and operational efficiencies
    1.3

    LEVERAGE STRATEGIC FORESIGHT TO IDENTIFY LEAPFROG IDEAS

    Create space to elicit “big ideas”

    Leverage industry roundtables and trend reports imagining how digital solutions can help drive strategic growth and operational efficiency. Brainstorm new opportunities and discuss their viability to create value and better experiences for your stakeholders.

    Consider:

    • Accelerate this exercise by leveraging stakeholder insights from:
      • Your corporate strategy and financial plan
      • Outputs from stakeholder interviews
      • Market research

    Avoid:

    • Don’t simply go with the existing documented strategic objectives for the business. Ensure they are up to date and interview the decision makers to validate their perspectives if needed.

    Host an Ideation Session

    Identify digitally enabled opportunities

    Industry Roundtables and Trend Reports

    Industry Trends Report

    The image contains a screenshot of phase 1 industry trends report.

    Business Documents

    The image contains a screenshot of Business Documents.

    Digital Maturity Assessment

    The image contains a screenshot of phase 2 digital maturity assessment.

    Activity: 2-4 hours

    Members Engaged

    • CIO
    • Business Executives

    Info-Tech

    • Industry Analyst
    • Executive Advisor

    Hold a visioning session with key business executives (e.g., CIO, CEO, CFO, CCO, and COO) and others as needed. Here is a proposed agenda of activities for the ideation session:

    1. Leverage current trend reports and relevant emerging trend reports, market analysis, and customer research to envision future possibilities.
    2. Establish guiding principles for defining your digital strategy and scope.
    3. Leverage insights from trend reports and market analysis to generate leapfrog ideas that can be turned into opportunities.
    4. For each leapfrog idea, engage in a discussion on assumptions, value drivers, benefits, and risks.

    Content Leveraged

    • Digital Trends Report
    • Industry roundtables and trend reports
    • Digital Maturity Assessment
    • Digital Business Strategy v1.0

    Deliverable:

    1. Guiding principles
    2. Strategic growth opportunities

    1.1 Executive Stakeholder Engagement

    Assemble Executive Stakeholders

    Set yourself up for success with these three steps.

    CIOs tasked with designing digital strategies must add value to the business. Given the goal of digital is to transform the business, CIOs will need to ensure they have both the mandate and support from the business executives.

    Designing the digital strategy is more than just writing up a document. It is an integrated set of business decisions to create a competitive advantage and financial returns. Establishing a forum for debates, decisions, and dialogue will increase the likelihood of success and support during execution.

    1. Confirm your role

    2. Identify Stakeholders

    3. Diverse Perspective

    The digital strategy aims to transform the business. Given the scope, validate your role and mandate to lead this work. Identify a business executive to co-sponsor.

    Identify key decision-makers and influencers who can help make rapid decisions as well as garner support across the enterprise.

    Don’t be afraid to include contrarians or naysayers. They will help reduce any blind spots but can also become the greatest allies through participation.

    1.2 Guiding Principles

    Set the Guiding Principles

    Guiding principles help define the parameters of your digital strategy. They act as priori decisions that establish the guardrails to limit the scope of opportunities from the perspective of people, assets, capabilities, and budgets that are aligned with the business objectives. Consider these components when brainstorming guiding principles:

    Consider these three components when brainstorming

    Breadth

    Digital strategy should span people, culture, organizational structure, governance, capabilities, assets, and technology. The guiding principle should cover a 3600 view across the entire organization.

    Planning Horizon

    Timing should anchor stakeholders to look to the long-term with an eye on the foreseeable future i.e., business value realization in one, two, and three years.

    Depth

    Needs to encompass more than the enterprise view of lofty opportunities but establish boundaries to help define actionable initiatives (i.e., individual projects).

    1.2 Guiding Principles

    Examples of Guiding Principles

    IT Principle NameIT Principle Statement
    1.Enterprise value focusWe aim to provide maximum long-term benefits to the enterprise as a whole while optimizing total costs of ownership and risks.
    2.Fit for purposeWe maintain capability levels and create solutions that are fit for purpose without over engineering them.
    3.SimplicityWe choose the simplest solutions and aim to reduce operational complexity of the enterprise.
    4.Reuse > buy > buildWe maximize reuse of existing assets. If we can’t reuse, we procure externally. As a last resort, we build custom solutions.
    5.Managed dataWe handle data creation and modification and use it enterprise-wide in compliance with our data governance policy.
    6.Controlled technical diversityWe control the variety of what technology platforms we use.
    7.Managed securityWe manage security enterprise-wide in compliance with our security governance policy.
    8.Compliance to laws and regulationsWe operate in compliance with all applicable laws and regulations.
    9.InnovationWe seek innovative ways to use technology for business advantage.
    10.Customer centricityWe deliver best experiences to our customers with our services and products.
    11.Digital by default We always put digital solutions at the core of our plans for all viable solutions across the organization.
    12.Customer-centricity by designWe design new products and services with the goal to drive greater engagement and experiences with our customers.

    1.3 Trend-Analysis

    Leverage strategic foresight to identify growth opportunities

    What is Strategic Foresight?

    In times of increasing uncertainty, rapid change, market volatility, and complexity, the development of strategies can be difficult. Strategic foresight offers a solution.
    Strategic foresight refers to an approach that uses a range of methodologies, such as scanning the horizon for emerging changes and signals, analyzing megatrends, and developing multiple scenarios to identify opportunities (source: OECD, 2022). However, it cannot predict the future and is distinct from:

    • Forecasting tools
    • Strategic planning
    • Scenario planning (only)
    • Predictive analyses of the future

    Why is Strategic Foresight useful?

    • Reduce uncertainties about the future
    • Better anticipate changes
    • Future-proof to stress test proposed strategies
    • Explore innovation to reveal new products, services, and approaches

    Explore Info-Tech’s Strategic Foresight Process Tool

    “When situations lack analogies to the past, it’s hard to envision the future.”

    - J. Peter Scoblic, HBR, 2020

    1.3 Trend-Analysis

    Leverage industry roundtables and trend reports to understand the art of the possible

    Uncover important business and industry trends that can inform possibilities for technology innovation.

    Explore trends in areas such as:

    • Machine Learning
    • Citizen Dev 2.0
    • Venture Architecture
    • Autonomous Organizations
    • Self-Sovereign Cloud
    • Digital Sustainability

    Market research is critical in identifying factors external to your organization and identifying technology innovation that will provide a competitive edge. It’s important to evaluate the impact each trend or opportunity will have in your organization and market.

    Visit Info-Tech’s Trends & Priorities Research Center

    Visit Info-Tech’s Industry Coverage Research to get started.

    The image contains screenshots from Info-Tech blueprints.

    Images are from Info-Tech’s Rethinking Higher Education Report and 2023 Tech Trends Report

    1.3 Trend-Analysis

    Scan the Horizon

    Understand how the environment is evolving in your industry

    Scan the horizon to detect early signs of future changes or threats.

    Horizon scanning involves scanning, analyzing, and communicating changes in an organization’s environment to prepare for potential threats and opportunities. Much of what we know about the future is based around the interactions and trajectory of macro trends, trends, and drivers. These form the foundations for future intelligence.

    Macro Trends

    A macro trend captures a large-scale transformative trend on a global scale that could impact your addressable market

    Industry Trend

    An industry trend captures specific use cases of the macro trend in relation to your market and industry. Consider this in terms of shifts in your market dynamics i.e., competitors, size, transaction, international trade, supply/demand, etc.

    Driver(s)

    A driver is an underlying force causing the trend to occur. There can be multiple causal forces, or drivers, that influence a trend, and multiple trends can be influenced by the same causal force.

    Identify signals of change in the present and their potential future impacts.

    1.3 Trend-Analysis

    Identify macro trends

    Macro trends capture a global shift that can change the market and the industry. Here are examples of macro-trends to consider when scanning the horizon for your own organization:

    Talent Availability

    Customer Expectations

    Emerging Technologies

    Regulatory System

    Supply Chain Continuity

    Decentralized workforce

    Hybrid workforce

    Diverse workforce

    Skills gap

    Digital workforce

    Multigenerational workforce

    Personalization

    Digital experience

    Data ownership

    Transparency

    Accessibility

    On-demand

    Mobility

    AI & robotics

    Virtual world

    Ubiquitous connectivity

    Genomics (nano, bio, smart….)

    Big data

    Market control

    Economic shifts

    Digital regulation

    Consumer protection

    Global green

    Resource scarcity

    Sustainability

    Supply chain digitization

    Circular supply chains

    Agility

    Outsource

    1.3 Trend-Analysis

    Determine impact and relevance of trends

    Understand which trends create opportunities or risks for your organization.

    Key Concepts:

    Once an organization has uncovered a set of trends that are of potential importance, a judgment must be made on which of the trends should be prioritized to understand their impact on your market and ultimately, the implications for your business or organization. Consider the following criteria to help you prioritize your trends.

    Impact to Industry: The degree of impact the trend will have on your industry and market to create possibilities or risks for your business. Will this trend create opportunities for the business? Or does it pose a risk that we need to mitigate?

    Relevance to Organization. The relevance of the trend to your organization. Does the trend align with the mission, vision, and business objectives of your organization?

    Activity: 2-4hours

    In order to determine which trends will have an impact on your industry and are relevant to your organization, you need to use a gating approach to short-list those that may create opportunities to capitalize on while you need to manage the ones that pose risk.

    Impact

    What does this trend mean for my industry and market?

    • Degree – how broad or narrow is the impact
    • Likelihood – the reality of disrupting an industry or market
    • Timing – when do we expect disruption?

    Relevance

    What opportunity or risk does it pose to my business/organization?

    • Significance – depth and breadth across the enterprise
    • Duration – how long is the anticipated impact?

    1.3 Trend-Analysis

    Prioritize Trends for Exploration

    The image contains a screenshot of a table to demonstrate the trends.The image contains a graph that demonstrates the trends from the table on a graph to show how to prioritze them based on relevance and impact.

    Info-Tech Insight

    While the scorecard may produce a ranking based on weighted metrics, you need to leverage the group discussion to help contextualize and challenge assumptions when validating the priority. The room for debate is important to truly understand whether a trend is a fad or a fact that needs to be addressed.

    1.3 Trend-Analysis

    Discuss the driver(s) behind the trend

    Determining the root cause(s) of a trend is an important precursor to understanding the how, why, and to what extent a trend will impact your industry and market.

    Trend analysis can be a valuable approach to reduce uncertainties about the future and an opportunity to understand the underlying drivers (forces) that may be contributing to a shift in pattern. Understanding the drivers is important to help determine implication on your organization and potential opportunities.

    The image contains a screenshot of a driver diagram.

    1.3 Trend-Analysis

    Examples of driver(s)

    INDUSTRY

    Healthcare Exemplar

    Macro Trends

    (Transformative change)

    Industry Trend

    (A pattern of change…)

    Drivers

    (“Why”….)

    Accessibility

    Increase in wait times

    Aging population leading to global workforce shortage

    New models of care e.g., diversify scope of practice

    Address capacity issues

    Understanding the drivers is not about predicting the future. Don’t get stuck in “analysis paralysis.” The key objective is to determine what opportunities and risks the trend and its underlying driver pose to your business. This will help elicit leapfrog opportunities that can be funneled into actionable initiatives.

    Other examples…

    Dimensions

    Macro-Trends

    Industry Trend

    Driver

    Social

    Demographic shift

    Global shortage of healthcare workers

    Workforce age

    Customer expectations

    Patients as partners

    Customer demographics

    Technology

    AI and robotics

    Early detection of cancer

    Patient outcomes

    Ubiquitous connectivity

    Virtual health

    Capacity

    Economic

    Recession

    Cost-savings

    Sustainability

    Consumer spending

    Value-for-money

    Prioritization

    Environment

    Climate change

    Shift in manufacturers

    ESG compliant vendors

    Pandemic

    Supply chain disruption

    Local production

    Political

    Regulatory

    Consolidation of professional colleges

    Operational efficiency

    De-regulation

    New models of care

    New service (business) model

    1.3 Trend-Analysis

    Case Study

    Industry

    Healthcare

    Artificial Intelligence (AI) in Precision Medicine (Genomics)

    Precision Medicine has become very popular over the recent years fueled by research but also political and patient demands to focus more on better outcomes vs. profits. A cancer care center in Canada wanted to look at what was driving this popularity but more importantly, what this potentially meant to their current service delivery model and operations and what opportunities and risks they needed to address in the foreseeable future. They determined the following drivers:

    • Improve patient outcomes
    • Earlier detection of cancer
    • Better patient experience
    • Ability to compute vast amounts of data to reduce manual effort and errors
    • Accelerate from research to clinical trials to delivery

    The image contains a screenshot of AI in Genomics.

    1.3 Trend-Analysis

    INDUSTRY

    Healthcare Exemplar

    Category

    Macro-Trends

    Industry Trends

    (Use-Case)

    Drivers

    Impact to Industry

    Impact to Business

    Talent Availability

    Diverse workforce

    Aboriginal health

    Systemic inequities

    Brand and legal

    Policies in place

    Hybrid workforce

    Virtual care

    COVID-19 and infectious disease

    New models of care

    New digital talent

    Customer Expectation

    Personalization

    On-demand care

    Patient experience

    Patients as consumers

    New operating model

    Digital experience

    Patient portals

    Democratization of data

    Privacy and security

    Capacity

    Emerging Technologies

    Internet of Things (IoT)

    Smart glucometers

    Greater mobility

    System redesign

    Shift from hospital to home care

    Quantum computing

    Genomic sequencing

    Accelerate analysis

    Improve quality of data analysis

    Faster to clinical trial and delivery

    Regulatory System

    Consumer protection

    Protect access to sensitive patient data

    HIPPA legislation

    Restrict access to health record

    Electronic health records

    Global green

    Green certification for redev. projects

    Political optics

    Higher costs

    Contract management

    Supply Chain

    Supply chain disruptions

    Surgical strategic sourcing

    Preference cards

    Quality

    Organizational change management

    New pharma entrants

    Telco’s move into healthcare

    Demand/supply

    Funding model

    Resource competition

    Sample Output From Trend Analysis

    1.3 Elicit New Opportunities

    Leapfrog into the future

    Turn trends into growth opportunities.

    To thrive in the digital age, organizations must innovate big, leverage internal creativity, and prepare for flexibility.

    In this digital era, organizations are often playing catch up to a rapidly evolving technological landscape and following a strict linear approach to innovation. However, this linear catch-up approach does not help companies get ahead of competitors. Instead, organizations must identify avenues to skip one or several stages of technological development to leapfrog ahead of their competitors.

    “The best way to predict the future is to invent it.”

    – Alan Kay

    Leapfrogging takes place when an organization introduces disruptive innovation into the market and sidesteps competitors, who are unable to mobilize to respond to the opportunities.

    1.3 Elicit New Opportunities

    Funnel trends into leapfrog ideas

    Go from trend insights into ideas for opportunities

    Brainstorm ways to generate leapfrog ideas from trend insights.

    Dealing with trends is one of the most important tasks for innovation. It provides the basis of developing the future orientation of the organization. However, being aware of a trend is one thing, to develop strategies for response is another.

    To identify the impact the trend has on the organization, consider the four areas of growth for the organization:

    1. New Customers: Leverage the trend to target new customers for existing products or services.
    2. New Business Models: Adjust the business model to capture a change in how the organization delivers value.
    3. New Markets: Enter or create new markets by applying existing products or services to different problems.
    4. New Product or Service Offerings: Introduce new products or services to the existing market.

    1.3 Elicit New Opportunities

    INDUSTRY: Healthcare

    SOURCE: Memorial Sloan Kettering Cancer Center

    Case Study

    Machine Learning Sensor to Sniff Out Cancer

    Challenge

    Solution

    Results

    Timely access to diagnostic services is a key indicator of a cancer patient’s prognosis i.e., outcome. Early detection of cancer means the difference between life and death for cancer patients.

    Typically, cancer biomarkers need to be present to detect cancer. Often the presence of these biomarkers is late in the disease state when the cancer cells have likely spread, resulting in suspicions of cancer only when the patient does not feel well or suspects something is wrong.

    Researchers in partnership with IBM Watson at Memorial Sloan Kettering Cancer Center (MSK) have created a tool that can sniff for and identify cancer in a blood sample using machine learning.

    Originally, MSK worked with IBM Watson to identify machine learning as an emerging technology that could drive early cancer detection without the use of cancer biomarkers. But they needed to find specific use cases. After a series of concept prototypes, they were able to use machine learning to detect patterns in blood cells vs. cancer biomarkers to detect cancer disease.

    Machine learning was an emerging trend that researchers at MSK felt held great promise. They needed to turn the trend into tangible opportunities by identifying some key use cases that could be prototyped.

    Computational tools in oncology have the ability to greatly reduce clinician labor, improve the consistency of variant classification, and help accelerate the analytics of vast amounts of clinical data that would be prone to errors and delays when done manually.

    From trends to leapfrog ideas

    Additional Examples in the Appendix

    Example of leapfrog ideas that can generate opportunities for consideration

    Trend

    New Customer

    New Market

    New Business or Operating Model

    New Service Offering

    What trend(s) pose a significant impact on your business?

    New stakeholder segment

    Enter or create new markets

    Adjust the business or operating model to capture change in how the business creates and delivers value

    Introduce new digital products, services and experiences

    Virtualize Registration

    Empower patients as consumers of healthcare partners

    Direct B2C to close gap between providers and patients by removing middle administrative overhead.

    24/7 On-Demand Patient Portal

    Leverage AI to develop chatbots and on-demand

    Phase 1: Deliverable

    Phase 1 Deliverable

    Example of output from phase 1 ideation session

    Business Objectives

    New Customers

    (Customer Experience)

    New Markets

    (Health Outcomes)

    New Business or

    Operating Models

    (Operational Excellence)

    New Service Offering

    (Value for Money)

    Description:

    Focus on improving experiences for patients and providers

    Improve quality and standards of care to continually drive better health outcomes

    Deliver care better, faster, and more efficiently

    Reduce cost per capital of delivery care and increase value for services

    Trends:

    • Global workforce shortage due to ageing demographics
    • Clinicians are burnt-out and unable to practice at the top of their profession
    • On-demand care/mobile/wearables
    • Virtual care
    • Faster access to quality service
    • Help navigating complex medical ecosystem from primary to acute to community
    • Standardize care across regions
    • New models of care to expand capacity
    • Improve medication errors
    • Opportunities to use genomics to design personalized medicine
    • Automate tasks
    • Leverage AI and robotics more effectively
    • Regulatory colleges consolidation mandate
    • Use data and analytics to forecast capacity and health outcomes
    • Upskill vs. virtualize workforce
    • Payment reform i.e., move to value-based care vs. fee-for-service
    • Consolidation of back-office functions like HR, supply chain, IT, etc. to reduce cost i.e., shared services model

    Digital Opportunities:

    1. Virtual health command center
    2. Self-scheduling patient portal
    3. Patient way-finder
    4. Smart glucometer for diabetes
    1. Machine learning for early detection of cancer
    2. Visualization tools for capacity planning and forecasting
    3. Contact tracing apps for public health
    1. Build advanced analytics capabilities with new skills and business intelligence tools
    2. Pharmacy robotics
    3. Automate registration
    1. Automate provider billing solution
    2. Payment gateways – supplier portal in the cloud

    Phase 2

    Evaluate Opportunities and Business Capabilities

    Build a better understanding of the opportunities and their impact on your business.

    Phase 1Phase 2Phase 3

    Identify New Digitally Enabled Opportunities

    Evaluate Opportunities and Business Capabilities

    Transform Stakeholder Journeys

    Phase 2

    Evaluate Opportunities and Business Capabilities

    2.1

    CREATE OPPORTUNITY PROFILES

    Evaluate each opportunity

    Some opportunities will have an immediate and significant impact on your business. Some may have a significant impact but on a longer time scale or some may be unlikely to have a significant impact at all. Understanding these trends is an important context for your digital business strategy.

    Consider:

    • Does this opportunity conform with your guiding principles?
    • Can this opportunity feasibly deliver the anticipated benefits?
    • Is this opportunity desired by your stakeholders?

    Avoid:

    • Overly vague language. Opportunities need to be specific enough to evaluate what impact they will have.
    • Simply following what competitors are doing. Be ambitious and tailor your digital strategy to your organizational values, goals, and priorities.
    2.2

    UNDERSTAND THE IMPACT OF OPPORTUNITIES ON BUSINESS CAPABILITIES

    Understand the impact across your value chains

    Each opportunity has the potential to impact multiple areas of your business. Prioritize where to start acting on new opportunities based on your business objectives and capabilities. You need to assess their impacts across value chains. Does the opportunity impact existing value chain(s) or create a new value chain?

    Consider:

    • How well does this opportunity align with your digital vision, mission, and goals?
    • What will be the overall impact of this opportunity?
    • How urgently must you act?

    Avoid:

    • Guessing. Validate assumptions and use clear, unbiased information to make decisions. Info-Tech has extensive resources to assist in evaluating trends, opportunities, and solutions.
    • Making everything a high priority. Most organizations can only prioritize one to two initiatives at a time.

    2.1 Build an opportunity profile

    Evaluate each opportunity

    Discussion Framework:

    In your discussion, evaluate each opportunity to assess assumptions, value drivers, and benefits.

    Ideas matter, but not all ideas are created equal. Now that you have elicited opportunities, discuss the assumptions, risks, and benefits associated with each new digital opportunity.

    Design Thinking

    Leverage the guiding principles as the guardrails to limit the scope of your new digital opportunities. You may want to consider taking a design-thinking approach to innovation by discussing the merits of each opportunity based on:

    • DesirabilityDesirability: People want it. Does the solution enable the organization to meet the expectations of stakeholders?
    • Feasibility
    • Feasibility: Able to Execute. Do we have the capabilities to deliver e.g., the right skills, partners, technology, and leadership?

    • Viability
    • Viability: Delivers Value. Will this idea meet business goals e.g., cost, revenue, and benefits?

    Source: Adapted from IDEO

    Transform the Business

    Must Prioritize

    Should Plan

    Drive Digital Experiences

    Build Digital Capabilities

    High Value/Low Complexity

    • stakeholders want it
    • easy to implement
    • capabilities exist to deliver
    • creates significant value
    • strategic growth = competitive advantage

    High Value/High Complexity

    • customers want it
    • not easy to implement without carefully planning
    • need to invest in developing capabilities
    • Competitive differentiator

    Low Value/Low Complexity

    • stakeholders don’t want it
    • easy to implement but takes resources away from priority
    • some capabilities exist
    • creates marginal value
    • minimal growth

    Low Value/High Complexity

    • stakeholders don’t want it
    • difficult to implement
    • need to invest in developing capabilities
    • no real strategic growth

    Could Have

    Don’t Need

    Transform Operations

    IMPACT

    COMPLEXITY

    Source: Adapted from MoSCoW prioritization model

    Exemplar: Opportunity Profile

    Example:

    An example of a template to capture the output of discussion.

    Automate the Registration Process Around Admission, Discharge, and Transfer (ADT)

    Description of Opportunity:

    ADT is a critical function of registration that triggers patient identification to support services and billing. Currently, ADT is a heavily manual process with a high degree of errors as a result of human intervention. There is an opportunity to leverage intelligent automation by using RPA and AI.

    Alignment With Business Objectives

    Improve patient outcome

    Drive operational efficiency and effectiveness

    Better experiences for patients

    Business Architecture

    This opportunity may impact the following business capabilities:

    • Referral evaluation
    • Admission, discharge, and transfer management
    • Scheduling management
    • Patient registry management
    • Provider registry management
    • Patient billing
    • Provider billing
    • Finance management
    • EHR/EMR integration management
    • Enterprise data warehouse for reporting
    • Provincial/state quality reporting

    Benefits & Outcomes

    • Reduce errors by manual registration
    • Improve turnaround time for registration
    • Create a consistent customer experience
    • Improve capacity
    • Virtualize low-value work

    Key Risks & Assumptions

    • Need to add skills & knowledge to maintain systems
    • Perception of job loss or change by unions
    • assume documentation of standard work for automation vs. non-standard

    Opportunity Owner

    VP, Health Information Management (HIM)

    Incremental Value

    Reduce errors in patient identity

    • Next Steps
    • Investigate use cases for RPA and AI in registration
    • Build business case for funding

    2.2 Business capabilities impact

    Understand the impact on your business capabilities

    Each opportunity has the potential to impact multiple areas of your business. Prioritize where to start acting on new opportunities based on your business objectives and capabilities.

    You will need:

    Industry Reference Architecture.Industry Reference Architecture

    Activity: 1-2 hours

    1. Using your industry reference architecture, highlight the business capabilities that may be impacted by the opportunity. Use a value chain analysis approach to help with this exercise.
    2. Referring to your Prioritized Opportunities for Transformation, prioritize areas to transform. Priority should be given to low maturity areas that are highly or urgently relevant to your overall strategic goals.
    +
    Prioritized Opportunities for Transformation.Prioritized Opportunities for TransformationPrioritized Business Capability Map.

    2.2 Business capabilities impact

    Start with a value chain analysis

    This will help identify the impact on your business capabilities.

    As we identify and prioritize the opportunities available to us, we need to assess impacts on value chains. Does the opportunity directly impact an existing value chain? Or does it open us to the creation of a new value chain?

    The image contains a screenshot of the value chain analysis.

    The value chain perspective allows an organization to identify how to best minimize or enhance impacts and generate value.

    As we move from opportunity to impact, it is important to break down opportunities into the relevant pieces so we can see a holistic picture of the sources of differentiation.

    Exemplar: Prioritized Business Capability Map

    The image contains a screenshot of the exemplar prioritized business capability map.

    In this example, intelligent automation for referral and admission would create opportunity to virtualize repeatable tasks.

    Phase 3

    ETransform Stakeholder Journeys

    Understand the impact of opportunities across the value chain and possibilities of new or better stakeholder experiences.

    Phase 1Phase 2Phase 3

    Identify New Digitally Enabled Opportunities

    Evaluate Opportunities and Business Capabilities

    Transform Stakeholder Journeys

    Phase 3

    Identify opportunities to transform stakeholder experiences

    3.1 IDENTIFY STAKEHOLDER PERSONA

    Understand WHO gains value from the value chain

    To define a stakeholder scenario, you need to understand whom we are mapping for. Developing stakeholder personas is a great way to understand their needs through a lens of empathy.

    Consider:

    • Keep your stakeholder persona groupings to the core clusters typical of your industry.
    • See it from their perspective not the business’s.

    Avoid:

    • Don’t create a multitude of personas based on discrete nuances.
    3.2 BUILD A STAKEHOLDER JOURNEY

    Identify opportunities to transform the stakeholder experience

    A stakeholder or customer journey helps teams visualize the impact of a given opportunity through a value chain. This exercise uncovers the specific initiatives and features that should be considered in the evolution of the digital strategy.

    Consider:

    • Which stakeholders may be most affected by this opportunity?
    • How might stakeholders feel about a given solution as they move through the journey? What pain points can be solved?

    Avoid:

    • Simply listing steps in a process. Put yourself in the shoes of whoever’s journey you are mapping. What do they care about?
    • Choosing a stakeholder with limited involvement in the process.
    3.3 BREAKDOWN OPPORTUNITIES INTO INITIATIVES ALIGNED TO BUSINESS OBJECTIVES

    Unlock key initiatives to deliver value

    Opportunities need to be broken down into actionable initiatives that can be turned into business cases with clear goals, benefits realization, scope, work plans, and investment ask.

    Consider:

    • Multiple initiatives can be grouped into one opportunity that is similar or in phases.
    • Ensure the initiatives support and enable the business goals.

    Avoid:

    • Creating a laundry list of initiatives.
    • Initiatives that don’t align with business goals.

    Map Stakeholder Journey

    Conduct a journey mapping exercise to further refine and identify value streams to transform.

    Stakeholder Journey Mapping

    Digital Business Strategy Blueprint

    Activity: 4-6 hours

    Our analysts can guide and support you, where needed.

    1. First download the Define Your Digital Business Strategy blueprint to review the Stakeholder Journey Mapping exercise.
    2. Identify a stakeholder persona and a one-journey scenario.
    3. Map a stakeholder journey using a single persona across one-journey scenarios to identify pain points and opportunities to improve experiences and generate value.
    4. Consolidate a list of opportunities for business case prioritization.

    Key Concepts:

    Value Stream: a set of activities to create and capture value for and from the end consumer.

    Value Chain: a string of end-to-end processes that creates value for the consumer.

    Journey Scenario: a specific use case across a value chain (s).

    Members Engaged

    • CIO
    • Business Executives

    Info-Tech

    • Industry Analyst
    • Executive Advisor

    Stakeholder Persona.Stakeholder Persona

    1-Journey Use Case.1-Journey Use Case

    Map Stakeholder Journey 
Map Stakeholder Journey

    Content Leveraged

    • Stakeholder Persona
    • Journey Use Case
    • Map Stakeholder Journey

    Deliverable:

    1. Guiding principles
    2. Strategic growth opportunities

    Download the Define Your Digital Business Strategy blueprint for Customer Journey Mapping Activities

    3.1 Persona identification

    Identify a stakeholder persona and journey scenario

    From value chain to journey scenario.

    Stakeholder personas and scenarios help us build empathy towards our customers. It helps put us into the shoes of a stakeholder and relate to their experience to solve problems or understand how they experience the steps or processes required to accomplish a goal. A user persona is a valuable basis for stakeholder journey mapping.

    A stakeholder persona is a fictitious profile to represent a customer or a user segment. Creating this persona helps us understand who your customers really are and why they are using your service or product.

    A stakeholder scenario describes the situation the journey map addresses. Scenarios can be real (for existing products and services) or anticipated.

    Learn more about applying design thinking methodologies

    3.1 Persona identification

    Identify a stakeholder persona

    Who are you transforming for?

    To define a stakeholder scenario, we need to understand who we are mapping for. In each value chain, we identified a stakeholder who gains value from that value chain. We now need to develop a stakeholder persona: a representation of the end user to gain a strong understanding of who they are, what they need, and their pains and gains.

    One of the best ways to flesh out your stakeholder persona is to engage with the stakeholders directly or to gather the input of those who may engage with them within the organization.

    For example, if we want to define a journey map for a student, we might want to gather the input of students or teaching faculty that have firsthand encounters with different student types and are able to define a common student type.

    Info-Tech Insight

    Run a survey to understand your end users and develop a stronger picture of who they are and what they are seeking to gain from your organization.

    3.1 Persona identification

    Identify stakeholder scenarios to map

    For your digital strategy, leverage the existing and opportunity value chains identified in phases 1 and 2 for journey mapping.

    Identify two existing value chains to be transformed.

    In section 1, we identified existing value chains to be transformed. For example, your stakeholder persona is a registration clerk who is part of the Health Information Management team responsible for registering and adjudicating patient identity.

    The image contains a screenshot example of two existing value chains to be transformed.

    Identify one new value chain.

    In section 2, we identified a new value chain. However, for a new opportunity, the scenario is more complex as it may capture many different areas of a value chain. Subsequently, a journey map for a new opportunity may require mapping all parts of the value chain.

    The image contains a screenshot of one value chain.

    3.1 Persona identification

    Example Stakeholder Persona

    Stakeholder demographics

    Name: Anne

    Age: 35

    Occupation: HIM Clerk

    Location: Unity Hospital System

    Pains

    What are their frustrations, fears, and anxieties?

    • Volume of patients to schedule
    • Too many applications to access
    • Data quality is an error
    • Extensive manual entry of data prone to errors
    • Disruptions with calls from patients, doctors, and FOI requests

    What do they need to do?

    What do they want to get done? How will they know they are successful?

    • Automate some non-valuable tasks that can also reduce human errors. Allow patients to self-schedule online or answer FAQs via a chatbox. Would love to have a virtual triage to alleviate volume of calls and redirects.

    Gains

    What are their wants, needs, hopes, and dreams?

    • Reduce errors in data entry for patient identity (reduce manual look-ups).
    • Have standard requests go through a chatbot.
    • Have physicians automate billing through front-end speech recognition software.

    3.1 Persona identification

    Define a journey statement for mapping

    Now that we understand who we are mapping for, we need to define a journey statement to capture the stakeholder journey.

    Leverage the following format to define the journey statement.

    “As a [stakeholder], I need to [prioritized value chain task], so that I can [desired result or overall goal].”

    The image contains a screenshot of a journey statement for mapping.

    3.2 Stakeholder Journey-Map

    Leverage customer journey mapping to capture value chains to be transformed

    Conduct a journey mapping exercise to identify opportunities for innovation or automation.

    A journey-based approach helps an organization understand how a stakeholder moves through a process and interacts with the organization in the form of touch points, channels, and supporting characters. By identifying pain points in the journey and the activity types, we can identify opportunities for innovation and automation along the journey.

    The image contains a screenshot of an example of journey mapping.

    Embrace design-thinking methodologies to elevate the stakeholder journey and build a competitive advantage for your organization.

    3.2 Stakeholder Journey-Map

    Key Concepts

    0. Name: Annie Smith

    Age: 35

    Occupation: HIM Registration Clerk for Unity Hospital System

    Key Concepts.0.Stakeholder Persona

    A fictitious profile of a representative stakeholder group that shares a common yet discrete set of characteristics that embodies how they think, feel, and act.

    1. Journey (Value Chain)

    Describes the end-to-end steps or processes that a customer takes across the value chain that groups a set of activities, interactions, touch-points, and experiences.

    2. Persona’s Goals

    Exemplifies what the persona is thinking and wanting across each specific step of their journey.

    3. Nature of Activity (see detailed definition in this section)

    This section captures two key components: 1) the description of the action or interaction between the personas to achieve their goals, and 2) the classification of the activity to determine the feasibility for automation. The type is based on four main characteristics: 1) routine cognitive, 2) non-routine cognitive , 3) routine manual, and 4) non-routine manual.

    4. Type of Touch-Point

    The channel by which a persona interacts or touches products, services, the organization, or information.

    5. Key Moments & Pain Points

    Captures the emotional experience and value of the persona across each step and interaction.

    6. Metrics

    This section captures the KPIs used to measure the experience, process or activity today. Future KPIs will need to be developed to measure the opportunities.

    7. Opportunities refer to both the possible initiatives to address the persona’s pain points, and the ability to enable business goals.

    3.2 Stakeholder Journey-Map

    Opportunities for Automation: Nature of Activity

    Example
    We identified opportunities for automation

    Categorize the activity type to identify opportunities for automation. While there is no perfect framework for automation, this 4x4 matrix provides a general guide to identifying automation opportunities for consideration.

    Automation example list.Automation Quadrant Analysis

    Info-Tech Insight

    Automation is more than a 1:1 relationship between the defined task or job and automation. When considering automation, look for opportunities to: 1) streamline across multiple processes, 2) utilize artificial intelligence to augment or virtualize manual tasks, and 3) create more structured data to allow for improved data quality over the long-term.

    3.2 Stakeholder Journey-Map

    Example of stakeholder journey output: Healthcare

    Stakeholder: HIM Clerks

    Journey: Follow-up visit of 80-year-old diabetes patient at diabetic clinic outpatient

    Journey

    (Value Chain)

    AppointmentRegistrationIdentity ReconciliationEligibility VerificationTreatment Consult

    Persona’s Goals

    • Confirm appointment
    • Verify referral through provider registry
    • Request medical insurance or care card
    • Enroll patient into CIS
    • Patient registry validation
    • Secondary identification request
    • Verify eligibility through the patient registry
    • Schedule follow referrals & appointments
    • Coding for billing

    Nature of Activity

    Priority

    Priority

    Investigate – ROI

    Investigate – ROI

    Defer

    Type of Touchpoint

    • Telephone (land/mobile)
    • Email
    • CIS Application
    • Verbal
    • Patient registry system
    • Telephone
    • Patient and provider registry
    • CIS
    • Email, call, verbal
    • Physician billing
    • Hospital ERP
    • CIS
    • Paper appointments

    Pain Points & Gains

    • Volume of calls
    • Manual scheduling
    • Too many applications
    • Data entry errors
    • Limited languages
    • Too many applications
    • Data entry errors
    • Too many applications
    • Limited languages
    • Ask patients to repeat info
    • Data entry errors
    • Too many applications
    • Limited languages
    • Ask patients to repeat info
    • Patient identity not linked to physician billing
    • Manual coding entry

    Metrics

    Time to appointment

    Time to enrollment

    Patient mis-match

    Provider mis-match

    Percentage of errors in billing codes

    Opportunities

    • Patient scheduling portal (24/7)
    • Use of AI and chatbots
    • Automate patient matching index digitalization and integration
    • Automate provider matching index digitalization and integration
    • Natural language processing using front-end speech recognition software for billing

    Break opportunities into a series of initiatives aligned to business objectives

    Opportunity 1

    Virtual Registration

    »

    Business Goals

    Initiatives

    Health Outcomes

    Stakeholder Experience

    New Models of Care

    Operational Efficiency

    • Enterprise master patient index integration with patient registry
    • Intelligent automation for outpatient department
    • Customer service chat box for triage FOI1
    • Front-end speech recognition for billing (FESR)

    Opportunity 2

    Machine Learning Pre-Cancer Diagnosis

    »

    Business Goals

    Initiatives

    Health Outcomes

    Stakeholder Experience

    New Models of Care

    Operational Efficiency

    • Enterprise Datawarehouse architecture (build data lake)
    • Build genomics analytics capabilities e.g., recruitment, data-quality review
    • Implementation of machine learning software
    • Supply chain integration with ERP for medical and research supplies
    FOI = Freedom of Information

    Info-Tech Insight

    Evaluate if an opportunity will require a series of discrete activities to execute and/or if they can be a stand-alone initiative.

    Now you are ready to select and prioritize digital initiatives for business case development

    After completing all three phases of activities in this blueprint, you will have compiled a list of new and planned digital initiatives for prioritization and business case development in the next phase.

    Consolidated List of Digital Initiatives.

    Example: Consolidated List of Digital Initiatives

    The next step will focus on prioritizing and building a business case for your top digital initiatives.

    IT Roadmap for your Digital Business Strategy.

    Appendix: Additional Examples

    From trend to leapfrog ideas

    Every idea is a good one, unless you need one that works.

    Additional Examples
    Examples of leapfrog ideas that can generate opportunities for consideration

    Example 1 Finance

    Trend

    New Customer

    New Market

    New Business or Operating Model

    New Service Offering

    What trend(s) pose a significant impact on your business?

    New customer segments

    Enter or create new markets

    Adjust the business or operating model to capture change in how the business creates and delivers value

    Introduce new digital products, services, and experiences

    Open banking

    Account integrators (AISPs)

    Payment integrators
    (PISPs)

    Data monetization

    Social payments

    Example 2: Retail

    Trend

    New Customer

    New Market

    New Business or Operating Model

    New Service Offering

    What trend(s) pose a significant impact on your business?

    New customer segments

    Enter or create new markets

    Adjust the business or operating model to capture change in how the business creates and delivers value

    Introduce new digital products, services, and experiences

    Virtual cashier

    (RFID Enablement)

    Big-box retailers

    Brick & mortar stores

    Automated stores driving new customer experiences

    Digital cart

    From trend to leapfrog ideas

    Every idea is a good one, unless you need one that works.

    Additional Exemplars in Appendix

    Examples of leapfrog ideas that can generate opportunities for consideration

    Example 3:

    Manufacturing

    Trend

    New Customer

    New Market

    New Business or

    Operating Model

    New Service Offering

    What trend(s) pose a significant impact on your business?

    New customer segments

    Enter or create new markets

    Adjust the business or operating model to capture change in how the business creates and delivers value

    Introduce new digital products, services, and experiences

    IT/OT convergence

    Value-added resellers

    New geographies

    Train quality-control algorithms and sell as a service to other manufacturers

    Quality control as a service

    Case Study: International Airport

    Persona Journey Map: International/Domestic Departure

    Persona: Super Traveler

    Name: Annie Smith

    Age: 35

    Occupation: Engineer, Global Consultant

    Journey Activity Name: Inspired to Travel

    Persona’s Goals

    What Am I Thinking?

    • I am planning on traveling to Copenhagen, Denmark for work.
    • It’s my first time and I need to gather information about the destination, accommodation, costs, departure information, bag weight, etc..

    Nature of Activity

    What Am I Doing?

    • Logging onto airline website
    • Confirming departure gates

    Type of Touchpoint

    • Airport rewards program
    • Airport Website
    • Online hotel eCommerce
    • Social media
    • Transportation services on mobile

    Key moments & pain points

    How Am I Feeling?

    • Frustrated because the airport website is difficult to navigate to get information
    • Annoyed because there is no FAQ online and I have to call; there’s a long wait to speak to someone.
    • Stress & uncertainty (cancellation, logistics, insurance, etc..)

    Metrics

    • Travel dates
    • Trip price & budget

    Opportunities

    • Tailored communication based on search history
    • Specific messaging (e.g., alerts for COVID-19, changes in events, etc.)
    • Interactive VR experience that guides customers through the airport as a navigator

    Related Info-Tech Research

    Tech Trends and Priorities Research Center

    • Access Info-Tech’s Tech Trends reports and research center to learn about current industry trends, shifts in markets, and disruptions that are impacting your industry and sector. This is a great starting place to gain insights into how the ecosystem is changing your business and the impact of these changes on IT.

    Digital Business Strategy

    • Leverage Info-Tech’s Digital Business Strategy to identify opportunities to transform the customer experience.

    Industry Reference Architecture

    • Access Info-Tech’s Industry coverage to accelerate your understanding of your business capabilities and opportunities for automation.

    Contact Your Account Manager

    Research Contributors and Experts

    Joanne Lee

    Joanne Lee

    Principal, Research Director, CIO Strategy

    Info-Tech Research Group

    Kim Osborne-Rodgriguez

    Kim Osborne-Rodgriguez

    Research Director, CIO Strategy

    Info-Tech Research Group

    Joanne is an executive with over 25 years of in digital technology and management consulting across both public and private entities from solution delivery to organizational redesign across Canada and globally.

    Prior to joining Info-Tech Research Group, Joanne was a management consultant within KPMG’s CIO management consulting services and the Western Canada Digital Health Practice lead. She has held several executive roles in the industry with the most recent position as Chief Program Officer for a large $450M EHR implementation. Her expertise spans cloud strategy, organizational design, data and analytics, governance, process redesign, transformation, and PPM. She is passionate about connecting people, concepts, and capital.

    Joanne holds a Master’s in Business and Health Policy from the University of Toronto and a Bachelor of Science (Nursing) from the University of British Columbia.

    Kim is a professional engineer and Registered Communications Distribution Designer (RCDD) with over a decade of experience in management and engineering consulting spanning healthcare, higher education, and commercial sectors. She has worked on some of the largest hospital construction projects in Canada, from early visioning and IT strategy through to design, specifications, and construction administration. She brings a practical and evidence-based approach to digital transformation, with a track record of supporting successful implementations.

    Kim holds a Bachelor’s degree in Mechatronics Engineering from University of Waterloo.

    Research Contributors and Experts

    Jack Hakimian

    Jack Hakimian

    Vice President, Research

    Info-Tech Research Group

    Charl Lombard.

    Charl Lombard

    President, Digital Transformation Consulting

    Info-Tech Research Group

    Jack has more than 25 years of technology and management consulting experience. He has served multi-billion dollar organizations in multiple industries including Financial Services and Telecommunications. Jack also served a number of large public sector institutions.

    Prior to joining the Info-Tech Research Group, he worked for leading consulting players such as Accenture, Deloitte, EY, and IBM.

    Jack led digital business strategy engagements as well as corporate strategy and M&A advisory services for clients across North America, Europe, the Middle East, and Africa. He is a seasoned technology consultant who has developed IT strategies and technology roadmaps, led large business transformations, established data governance programs, and managed the deployment of mission-critical CRM and ERP applications.

    He is a frequent speaker and panelist at technology and innovation conferences and events and holds a Master’s degree in Computer Engineering as well as an MBA from the ESCP-EAP European School of Management.

    Charl has more than 20 years of professional services experience, “majoring” in digital transformation and strategic topics. He has led multiple successful Digital Transformation programs across a range of industries like Information technology, hospitality, Advanced Industries, High Tech, Entertainment, Travel and Transport, Insurance & Financial Services, Metals & Mining, Electric Power, Renewable Energy, Telecoms, Manufacturing) across different geographics (i.e., North America, EU, Africa) in both private and public sectors.

    Prior to joining Info-Tech Research Group, Charl was the Vice President of Global Product Management and Strategy (Saber Hospitality Solution), Associate President, McKinsey Transformation Practice, e-Business Practice for PwC, and tech start-up founder and investor.

    Charl is a frequent speaker at innovation and digital transformation conferences and holds an MBA from the University of Cape Town Graduate School of Business, and a bachelor’s degree from the University of Pretoria, South Africa.

    Research Contributors and Experts

    Mike Tweedie

    Mike Tweedie

    Practice Lead, CIO Strategy

    Info-Tech Research Group

    Michael Alemany

    Michael Alemany

    Vice President, Digital Transformation Consulting

    Info-Tech Research Group

    Mike Tweedie brings over 25 years of experience as a technology executive. He’s led several large transformation projects across core infrastructure, application, and IT services as the head of Technology at ADP Canada. He was also the Head of Engineering and Service Offerings for a large French IT services firm, focused on cloud adoption and complex ERP deployment and management.

    Mike holds a Bachelor’s degree in Architecture from Ryerson University.

    Michael is a leader in Info-Tech’s digital transformation consulting practice. He brings over 10 years of experience working with companies across a range of industries. His work experience includes ~4.5 years at McKinsey & Company where he led large-scale transformations for fortune 500 companies. Prior to joining Info-Tech, he worked for Sabre Corp., an SaaS platform provider for the travel and hospitality sector, leading Product Strategy & Operations. Michael holds an MBA from the Tuck School of Business at Dartmouth and a B.S in Business Strategy from Brigham Young University.

    Research Contributors and Experts

    Duane Cooney

    Duane Cooney

    Executive Counselor, Healthcare

    Info-Tech Research Group

    Denis Goulet

    Denis Goulet

    Senior Workshop Director

    Info-Tech Research Group

    Duane brings over 30 years of experiences a healthcare IT leader with a passion for the transformation of people, processes, and technology. He has led large-scale health technology transformation and operations across the enterprise. Before joining Info-Tech, Duane served as the Deputy CIO, Senior Information Technology Director, and Enterprise Architect for both public not-for-profit and private sectors. He has a Bachelors in Computer Science and is a graduate of EDS Operations. He holds certifications in EHR, LEAN/Agile, ITIL, and PMP.

    Denis is an IAF Certified Professional Facilitator who has helped organizations and technology executives develop IT strategies for small to large global enterprises. He firmly believes in a collaborative value-driven approach. Prior to joining Info-Tech Research Group, Denis held several industry positions as CIO, Chief Administrative Office (City Manager), General Manager, and Vice President of Engineering. Denis holds an MBA from Queen’s University and a Diploma in Technology Engineering and Executive Municipal Management.

    Jay Cappis.

    Jay Cappis

    Executive Advisor, Real-Estate

    Info-Tech Research Group

    Christine Brick.

    Christine Brick

    Executive Advisor, Financial Services
    Info-Tech Research Group

    Jay brings over 30 years of experience in management and technology across small and medium enterprises to large global enterprises including Exxon and Xerox. His cross-industry experience includes professional services, commercial real estate, oil and gas, digital start-ups, insurance, and aerospace. Jay has led business process improvements and change management and has expertise in software development lifecycle management and DevOps practices.

    Christine brings over 20 years in IT transformation across DevOps, infrastructure, operations, supply chain, IT Strategy, modernization, cost optimization, data management, and operational risk. She brings expertise in business transformation, mergers and acquisitions, vendor selection, and contract management.

    Bibliography

    Bhatia, AD. “Transforming through disruptions: A conversation with Dan Antonelli. Transformation Insights.” McKinsey & Company. January 31, 2022. Web
    Bertoletti, Antonella and Peter Eeles. “Use an IT Maturity Model.” IBM Garage Methodology. Web. accessed May 30, 2022.
    Catlin, Tanguy, Jay Scanlan, and Paul Willmott. “Raising your Digital Quotient.” McKinsey Quarterly. June 1, 2015. Article
    Custers, Heidi. “Digital Blueprint. Reference Architecture. Deloitte Digital.Accessed May 15, 2022.
    Coundouris, Anthony. “Reviewed: The Top 5 Digital Transformation Frameworks in 2020.” Run-frictionless Blog. Accessed May 15, 2022. Web.
    Daub, Matthias and Anna Wiesinger. “Acquiring the Capabilities you need to go digital.” Business Technology Office – McKinsey and Company. March 2015. Web.
    De La Boutetiere, Alberto Montagner and Angelika Reich. “Unlocking success in digital transformations.” McKinsey and Company. October 2018. Web.
    “Design Thinking Defined.” IDEO.com. November 21, 2022. Web.
    Dorner, Karle and David Edelman. “What ‘Digital’ really means.” McKinsey Digital. July 2015. Web
    “Everything Changed. Or Did it? Harvey Nash KPMG CIO Survey 2020.” KPMG, 2020
    Kane, Gerald C., Doug Palmer, Ahn Nguyen Phillips, David Kiron, Natasha Buckley. “Aligning the organization for its digital future.” Findings from the 2016 Digital Business Global Executive Study and Research Project. MIT Sloan Management Review. July 26, 2016. Web
    LaBerge, Laura, et al. “How COVID-19 has pushed companies over the technology tipping point—and transformed business forever.” McKinsey, 5 Oct. 2020. Accessed 14 June 2021
    Mindtools Content Team. “Cause and Effect Analysis.” Mindtools.com. November 21, 2022. Web.
    “Strategic Foresight.” OECD.org. November 21, 2022, Web
    Sall, Sherman, Dan Lichtenfeld. “The Digital ME Method. Turning digital opportunities into customer engagement and business growth.” Sygnific. 2017. Web.
    Scoblic, J. Peter. “Learning from the Future. How to make robust strategy in times of deep uncertainty.” Harvard Business Review, August 2020.
    Silva, Bernardo and Schoenwaelder, Tom. ‘Why Good Strategies fail. Addressing the three critical strategic tensions.” Deloitte Monitor Group. 2019.

    Craft a Customer-Driven Market Strategy With Unbiased Data

    • Buy Link or Shortcode: {j2store}611|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Selection & Implementation
    • Parent Category Link: /selection-and-implementation
    • Market strategies are informed by gut feel and endless brainstorming instead of market data to take their product from concept to customer.
    • Hiring independent market research firms results in a lack of unbiased third-party data. Research firms tell vendors what they want to hear instead of offering an agnostic view of software trends.
    • Dissatisfied customers don’t tell you directly why they are leaving, so there is no feedback loop back into product improvements.
    • Often a market strategy is built after a product is developed to force the product’s fit in the market. The product marketing team has no say in the product vision or future improvements.

    Our Advice

    Critical Insight

    • Adopt the 5 P’s to building a winning market strategy: Proposition, Product, Pricing, Placement, and Promotion.
    • You can’t be everything to everyone. Testing your proposition in the market to see what sticks is a risky move. Promise future value using past successes by gaining a deeper understanding of which customers and submarkets truly align to your product.
    • Customers have learned to avoid shiny new objects but still expect rapid feature releases. Differentiating features require a closer look at the underpinning vendor capabilities. Having intentional feature releases requires a feedback loop into the product roadmap and increases influence by the product marketing team.
    • Price transparency and sensitivity should drive what you offer to customers. Negotiating solely on price is a race to the bottom.

    Impact and Result

    • Leverage this report to gain insights on the software selection process and what top vendors do best.
    • Gain a bird’s-eye view on customer purchasing behavior using over 40,000 data points on satisfaction and importance collected directly from the source.
    • Build a winning market strategy influenced by real customer data that drives vendor success.

    Craft a Customer-Driven Market Strategy With Unbiased Data Research & Tools

    Read the storyboard

    Read our storyboard to find out why you should leverage SoftwareReviews data to craft your market strategy, review Info-Tech’s methodology, and understand unbiased customer data on software purchasing triggers.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Craft a Customer-Driven Market Strategy With Unbiased Data Storyboard
    [infographic]

    Data security consultancy

    Data security consultancy

    Based on experience
    Implementable advice
    human-based and people-oriented

    Data security consultancy makes up one of Tymans Group’s areas of expertise as a corporate consultancy firm. We are happy to offer our insights and solutions regarding data security and risk to businesses, both through online and offline channels. Read on and discover how our consultancy company can help you set up practical data security management solutions within your firm.

    How our data security consultancy services can help your company

    Data security management should be an important aspect of your business. As a data security consultancy firm, Tymans Group is happy to assist your small or medium-sized enterprise with setting up clear protocols to keep your data safe. As such, we can advise on various aspects comprising data security management. This ranges from choosing a fit-for-purpose data architecture to introducing IT incident management guidelines. Moreover, we can perform an external IT audit to discover which aspects of your company’s data security are vulnerable and which could be improved upon.

    Security and risk management

    Our security and risk services

    Security strategy

    Security Strategy

    Embed security thinking through aligning your security strategy to business goals and values

    Read more

    Disaster Recovery Planning

    Disaster Recovery Planning

    Create a disaster recovey plan that is right for your company

    Read more

    Risk Management

    Risk Management

    Build your right-sized IT Risk Management Program

    Read more

    Check out all our services

    Discover our practical data security management solutions

    Data security is just one aspect with which our consultancy firm can assist your company. Tymans Group offers its extensive expertise in various corporate management domains, such as quality management and risk management. Our solutions all stem from our vast expertise and have proven their effectiveness. Moreover, when you choose to employ our consultancy firm for your data security management, you benefit from a holistic, people-oriented approach.

    Set up an appointment with our experts

    Do you wish to learn more about our data security management solutions and services for your company? We are happy to analyze any issues you may be facing and offer you a practical solution if you contact us for an appointment. You can book a one-hour online talk or elect for an on-site appointment with our experts. Contact us to set up your appointment now.

    Register to read more …

    Improve your core processes

    Improve your core processes


    We have over 45 fully detailed
    and interconnected process guides
    for you to improve your operations

    Managing and improving your processes is key to attaining commercial success

    Our practical guides help you to improve your operations

    We have hundreds of practical guides, grouped in many processes in our model. You may not need all of them. I suggest you browse within the belo top-level categories below and choose where to focus your attention. And with Tymans Group's help, you can go one process area at a time.

    If you want help deciding, please use the contact options below or click here.

    Check out our guides

    Our research and guides are priced from €299,00

    • Gert Taeymans Guidance

      Tymans Group Guidance & Consulting

      Tymans Group guidance and (online) consulting using both established and forward-looking research and field experience in our management domains.

      Contact

    • Tymans Group
      & Info-Tech
      Combo

      Get both inputs, all of the Info-tech research (with cashback rebate), and Tymans Group's guidance.

      Contact

    • Info-Tech Research

      Info-Tech offers a vast knowledge body, workshops, and guided implementations. You can buy Info-Tech memberships here at Tymans Group with cashback, reducing your actual outlay.

      Contact

    Register to read more …

    Develop a Use Case for Smart Contracts

    • Buy Link or Shortcode: {j2store}92|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation
    • Organizations today continue to use traditional and often archaic methods of manual processing with physical paper documents.
    • These error-prone methods introduce cumbersome administrative work, causing businesses to struggle with payments and contract disputes.
    • The increasing scale and complexity of business processes has led to many third parties, middlemen, and paper hand-offs.
    • Companies remain bogged down by expensive and inefficient processes while losing sight of their ultimate stakeholder: the customer. A failure to focus on the customer is a failure to do business.

    Our Advice

    Critical Insight

    • Simplify, automate, secure. Smart contracts enable businesses to simplify, automate, and secure traditionally complex transactions.
    • Focus on the customer. Smart contracts provide a frictionless experience for customers by removing unnecessary middlemen and increasing the speed of transactions.
    • New business models. Smart contracts enable the redesign of your organization and business-to-business relationships and transactions.

    Impact and Result

    • Simplify and optimize your business processes by using Info-Tech’s methodology to select processes with inefficient transactions, unnecessary middlemen, and excessive manual paperwork.
    • Use Info-Tech’s template to generate a smart contract use case customized for your business.
    • Customize Info-Tech’s stakeholder presentation template to articulate the goals and benefits of the project and get buy-in from business executives.

    Develop a Use Case for Smart Contracts Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should leverage smart contracts in your business, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Develop a Use Case for Smart Contracts – Phases 1-2

    1. Understand smart contracts

    Understand the fundamental concepts of smart contract technology and get buy-in from stakeholders.

    • Develop a Use Case for Smart Contracts – Phase 1: Understand Smart Contracts
    • Smart Contracts Executive Buy-in Presentation Template

    2. Develop a smart contract use case

    Select a business process, create a smart contract logic diagram, and complete a smart contract use-case deliverable.

    • Develop a Use Case for Smart Contracts – Phase 2: Develop the Smart Contract Use Case
    • Smart Contracts Use-Case Template

    [infographic]

    Workshop: Develop a Use Case for Smart Contracts

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Understand Smart Contracts

    The Purpose

    Review blockchain basics.

    Understand the fundamental concepts of smart contracts.

    Develop smart contract use-case executive buy-in presentation.

    Key Benefits Achieved

    Understanding of blockchain basics.

    Understanding the fundamentals of smart contracts.

    Development of an executive buy-in presentation.

    Activities

    1.1 Review blockchain basics.

    1.2 Understand smart contract fundamentals.

    1.3 Identify business challenges and smart contract benefits.

    1.4 Create executive buy-in presentation.

    Outputs

    Executive buy-in presentation

    2 Smart Contract Logic Diagram

    The Purpose

    Brainstorm and select a business process to develop a smart contract use case around.

    Generate a smart contract logic diagram.

    Key Benefits Achieved

    Selected a business process.

    Developed a smart contract logic diagram for the selected business process.

    Activities

    2.1 Brainstorm candidate business processes.

    2.2 Select a business process.

    2.3 Identify phases, actors, events, and transactions.

    2.4 Create the smart contract logic diagram.

    Outputs

    Smart contract logic diagram

    3 Smart Contract Use Case

    The Purpose

    Develop smart contract use-case diagrams for each business process phase.

    Complete a smart contract use-case deliverable.

    Key Benefits Achieved

    Smart contract use-case diagrams.

    Smart contract use-case deliverable.

    Activities

    3.1 Build smart contract use-case diagrams for each phase of the business process.

    3.2 Create a smart contract use-case summary diagram.

    3.3 Complete smart contract use-case deliverable.

    Outputs

    Smart contract use case

    4 Next Steps and Action Plan

    The Purpose

    Review workshop week and lessons learned.

    Develop an action plan to follow through with next steps for the project.

    Key Benefits Achieved

    Reviewed workshop week with common understanding of lessons learned.

    Completed an action plan for the project.

    Activities

    4.1 Review workshop deliverables.

    4.2 Create action plan.

    Outputs

    Smart contract action plan

     

    Take Control of Cloud Costs on AWS

    • Buy Link or Shortcode: {j2store}425|cart{/j2store}
    • member rating overall impact: 9.3/10 Overall Impact
    • member rating average dollars saved: $62,500 Average $ Saved
    • member rating average days saved: 26 Average Days Saved
    • Parent Category Name: Cloud Strategy
    • Parent Category Link: /cloud-strategy
    • Traditional IT budgeting and procurement processes don't work for public cloud services.
    • The self-service nature of the cloud means that often the people provisioning cloud resources aren't accountable for the cost of those resources.
    • Without centralized control or oversight, organizations can quickly end up with massive AWS bills that exceed their IT salary cost.

    Our Advice

    Critical Insight

    • Most engineers care more about speed of feature delivery and reliability of the system than they do about cost.
    • Often there are no consequences for over architecting or overspending on AWS.
    • Many organizations lack sufficient visibility into their AWS spend, making it impossible to establish accountability and controls.

    Impact and Result

    • Define roles and responsibilities.
    • Establish visibility.
    • Develop processes, procedures, and policies.

    Take Control of Cloud Costs on AWS Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should take control of cloud costs, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build cost accountability framework

    Assess your current state, define your cost allocation model, and define roles and responsibilities.

    • Cloud Cost Management Worksheet
    • Cloud Cost Management Capability Assessment
    • Cloud Cost Management Policy
    • Cloud Cost Glossary of Terms

    2. Establish visibility

    Define dashboards and reports, and document account structure and tagging requirements.

    • Service Cost Cheat Sheet

    3. Define processes and procedures

    Establish governance for tagging and cost control, define processes for right-sizing, and define processes for purchasing commitment discounts.

    • Right-Sizing Workflow (Visio)
    • Right-Sizing Workflow (PDF)
    • Commitment Purchasing Workflow (Visio)
    • Commitment Purchasing Workflow (PDF)

    4. Build implementation plan

    Document process interactions, establish program KPIs, and build implementation roadmap and communication plan.

    • Cloud Cost Management Task List

    Infographic

    Workshop: Take Control of Cloud Costs on AWS

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Build Cost Accountability Framework

    The Purpose

    Establish clear lines of accountability and document roles and responsibilities to effectively manage cloud costs.

    Key Benefits Achieved

    Chargeback/showback model to provide clear accountability for costs.

    Understanding of key areas to focus on to improve cloud cost management capabilities.

    Activities

    1.1 Assess current state

    1.2 Determine cloud cost model

    1.3 Define roles and responsibilities

    Outputs

    Cloud cost management capability assessment

    Cloud cost model

    Roles and responsibilities

    2 Establish Visibility

    The Purpose

    Establish visibility into cloud costs and drivers of those costs.

    Key Benefits Achieved

    Better understanding of what is driving costs and how to keep them in check.

    Activities

    2.1 Develop architectural patterns

    2.2 Define dashboards and reports

    2.3 Define account structure

    2.4 Document tagging requirements

    Outputs

    Architectural patterns; service cost cheat sheet

    Dashboards and reports

    Account structure

    Tagging scheme

    3 Define Processes and Procedures

    The Purpose

    Develop processes, procedures, and policies to control cloud costs.

    Key Benefits Achieved

    Improved capability of reducing costs.

    Documented processes and procedures for continuous improvement.

    Activities

    3.1 Establish governance for tagging

    3.2 Establish governance for costs

    3.3 Define right-sizing process

    3.4 Define purchasing process

    3.5 Define notification and alerts

    Outputs

    Tagging policy

    Cost control policy

    Right-sizing process

    Commitment purchasing process

    Notifications and Alerts

    4 Build Implementation Plan

    The Purpose

    Document next steps to implement and improve cloud cost management program.

    Key Benefits Achieved

    Concrete roadmap to stand up and/or improve the cloud cost management program.

    Activities

    4.1 Document process interaction changes

    4.2 Define cloud cost program KPIs

    4.3 Build implementation roadmap

    4.4 Build communication plan

    Outputs

    Changes to process interactions

    Cloud cost program KPIs

    Implementation roadmap

    Communication plan

    Increase Grant Application Success

    • Buy Link or Shortcode: {j2store}314|cart{/j2store}
    • member rating overall impact: 9.5/10 Overall Impact
    • member rating average dollars saved: $7,799 Average $ Saved
    • member rating average days saved: 10 Average Days Saved
    • Parent Category Name: Cost & Budget Management
    • Parent Category Link: /cost-and-budget-management
    • Writing grants has not been prioritized by the organization.
    • Your organization is unable to start, finish, and/or continue priority projects or initiatives as it does not have sufficient funds.
    • Grants are applied to in an ad hoc manner by employees who do not have sufficient time and resources to dedicate to the process.

    Our Advice

    Critical Insight

    There are three critical components to the grant application process:

    • Being strategic about the grant opportunities your organization chooses to pursue.
    • Dedicating sufficient time and resources to writing a competitive grant application.
    • Ensuring your organization will be able to adhere to the grant parameters if awarded the funding.

    Impact and Result

    • By leveraging Info-Tech’s methodology, your organization will strategically select, write, and submit competitive grant applications, securing additional funding sources to support the organization and the communities you serve.
    • This research can enhance the grant writing capabilities of the organization and ensure that every grant chosen aligns with your organizational priorities.
    • This blueprint will drive consensus on which grant applications should be prioritized by the organization, ensuring resourcing, feasibility, and significance are considered.

    Increase Grant Application Success Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should enhance your organization's grant application lifecycle and how you can increase the number of grants your organization is awarded. Review Info-Tech’s methodology and understand the four ways Info-Tech can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Identify Opportunities

    Identify grant funding opportunities that align with your organization's priorities. Ensure the programs, services, projects, and initiatives that align with these priorities can be financially supported by grant funding.

    • Increase Grant Application Success – Phase 1: Identify Opportunities
    • Grant Identification and Prioritization Tool for Organizations

    2. Grant Prioritization

    Prioritize applying for the grant opportunities that your organization identified. Be sure to consider the feasibility of implementing the project or initiative if your organization is awarded the grant.

    • Increase Grant Application Success – Phase 2: Grant Prioritization

    3. Write the Grant Application

    Write a competitive grant application that has been strategically developed and actively critiqued by various internal and external reviewers.

    • Increase Grant Application Success – Phase 3: Write the Grant Application
    • Grant Writing Checklist

    4. Submit the Grant Application

    Submit an exemplary grant application that meets the guidelines and expectations of the granting agency prior to the due date.

    • Increase Grant Application Success – Phase 4: Submit the Grant Application
    • Grant Follow-up Email Template

    Infographic

    Workshop: Increase Grant Application Success

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Determine Your Organization's Priorities

    The Purpose

    Determine the key priorities of your organization and identify grant funding opportunities that align with those priorities.

    Key Benefits Achieved

    Prevents duplicate grant applications from being submitted

    Ensures the grant and the organization's priorities are aligned

    Increases the success rate of grant applications

    Activities

    1.1 Discuss grant funding opportunities and their importance to the organization.

    1.2 Identify organizational priorities.

    Outputs

    An understanding of why grants are important to your organization

    A list of priorities being pursued by your organization

    2 Prioritize Grant Funding Opportunities

    The Purpose

    Identify potential grant funding opportunities that align with the projects/initiatives the organization would like to pursue. Prioritize these funding opportunities and identify which should take precedent based on resourcing, importance, likelihood of success, and feasibility.

    Key Benefits Achieved

    Generate a list of potential funding opportunities that can be revisited when resources allow

    Obtain consensus from your working group on which grants should be pursued based on how they have been prioritized

    Activities

    2.1 Develop a list of potential grant funding opportunities.

    2.2 Define the resource capacity your organization has to support the granting writing process.

    2.3 Discuss and prioritize grant opportunities

    Outputs

    A list of potential grant funding opportunities

    Realistic expectations of your organization's capacity to undertake the grant writing lifecycle

    Notes and priorities from your discussion on grant opportunities

    3 Sketch a Grant Application

    The Purpose

    Take the grant that was given top priority in the last section and sketch out a draft of what that application will look like. Think critically about the sketch and determine if there are opportunities to further clarify and demonstrate the goals of the grant application.

    Key Benefits Achieved

    A sketch ready to be developed into a grant application

    A critique of the sketch to ensure that the application will be well understood by the reviewers of your submission

    Activities

    3.1 Sketch the grant application.

    3.2 Perform a SWOT analysis of the grant sketch.

    Outputs

    A sketched version of the grant application ready to be drafted

    A SWOT analysis that critically examines the sketch and offers opportunities to enhance the application

    4 Prepare to Submit the Grant Application

    The Purpose

    Have the grant application actively critiqued by various internal and external individuals. This will increase the grant application's quality and generate understanding of the application submission and post-submission process.

    Key Benefits Achieved

    A list of individuals (internal and external) that can potentially review the application prior to submission

    Preparation for the submission process

    An understanding of why the opportunity to learn how to improve future grant applications is so important

    Activities

    4.1 Identify potential individuals who will review the draft of your grant application.

    4.2 Discuss next steps around the grant submission.

    4.3 Review grant writing best practices.

    Outputs

    A list of potential individuals who can be asked to review and critique the grant application

    An understanding of what the next steps in the process will be

    Knowledge of grant writing best practices

    Build an ITSM Tool Implementation Plan

    • Buy Link or Shortcode: {j2store}486|cart{/j2store}
    • member rating overall impact: 7.5/10 Overall Impact
    • member rating average dollars saved: $9,246 Average $ Saved
    • member rating average days saved: 7 Average Days Saved
    • Parent Category Name: Service Desk
    • Parent Category Link: /service-desk
    • Selecting the Wrong Resources: You need ITSM technology and process experts, because this is not just a technology project, but also a process improvement opportunity.
    • Over-Reliance on the Vendor to Optimize Your Tool: Yes, the vendor will typically install and set up the tool, but they will not fix your processes for you.
    • Not Preparing for Data Migration: Data migration is complex. You need to determine what data to migrate, if any, and how that data will be mapped to the new environment.
    • Insufficient IT and End-User Training: A link to the ITSM tool manual is not enough. Staff and users need training on how your processes will be executed in the new tool.

    Our Advice

    Critical Insight

    • Start with the assumption you don’t need to migrate old data.
    • ITSM tools are designed to support ITIL best practices.
    • Implement your new tool in stages to manage scope.

    Impact and Result

    • Ability to plan and scope the project to avoid or reduce last-minute chaos.
    • Opportunity to review and optimize processes as part of the ITSM tool implementation project.
    • Improved project management, and therefore, better cost and effort estimates, by identifying required tasks upfront.

    Build an ITSM Tool Implementation Plan Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build an ITSM Tool Implementation Plan Deck – An implementation guide that walks you through the steps to ensure the tool delivers business value.

    There may be hundreds of parameters to define and decisions to make, so identifying the full list of tasks early is critical for the success of the implementation project.

    • Build an ITSM Tool Implementation Plan – Phases 1-3

    2. ITSM Tool Project Charter Template – A charter to document your project scope, milestones, stakeholders, risks etc. to kick-off and manage your project.

    This project charter document summarizes the Project Overview (Description, background, drivers, and objectives), Governance and Management (Project stakeholders/roles, budget, and dependencies), and Risk, Assumptions, and Constraints (Known and potential risks and mitigation strategy).

    • ITSM Tool Implementation Project Charter Template

    3. ITSM Tool Implementation Checklist – A tool to help identify the most common decisions you will need to make and prepare for your implementation project.

    The checklists in this tool identify the most common decisions and preparation you will need to make to support the implementation for the ITSM modules that we recommend are set up first: incident management and service requests; change management; and asset management. Use these checklists as a model to follow for any additional ITSM modules you plan to implement, and refer to Info-Tech's blueprints for each service management topic for additional guidance.

    • ITSM Tool Implementation Checklist

    4. ITSM Tool Deployment Plan Template – A tool to help prioritize and prepare for tool rollout plan.

    This deployment plan documents the strategy and decisions made for making the transition to the new ITSM tool, and the details to execute the cutover to a live environment, including how, when, where.

    • ITSM Tool Deployment Plan Template

    5. ITSM Tool Training Schedule – Use the tool to create your new tool training roadmap.

    This template is a guide for creating a training and communication plan as part of the implementation project for your ITSM tool. Use the template to document and plan the communications and training needs prior to deployment of the new tool.

    • ITSM Tool Training Schedule

    Infographic

    Further reading

    Build an ITSM Tool Implementation Plan

    Plan ahead with a step-by-step approach to ensure the tool delivers business value.

    EXECUTIVE BRIEF

    Analyst perspective

    Take control of the wheel or you might end up in a ditch.

    The image contains a picture of Frank Trovato.

    An ITSM tool implementation is a complex project with direct impact on IT’s ability to support the business. With that level of risk, you need to take control early on.

    Yes, your vendor will support or execute the technical implementation, but they depend on you to tell them how to configure ITSM parameters and workflows that affect user interface, the ability to manage incidents, and governance over assets and IT changes.

    If you leave the configuration completely to the vendor, at best you might get the same setup as in your old tool (and not realize the benefits that leadership is expecting). At worst you end up with default values that don’t fit your process needs, i.e., confusion and not realizing expected benefits.

    A successful implementation requires early planning from a wide range of resources including ITSM tool experts (supported by the vendor), process experts, and a project manager to methodically step through the hundreds of parameters you will need to define before implementation.

    Frank Trovato
    Research Director, Infrastructure and Operations
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Common Obstacles

    Info-Tech’s Approach

    Leadership has invested significantly in a new ITSM tool and expects to see the benefits they were promised by the vendor and the procurement team.

    The ITSM project team needs to balance leadership expectations with the direct impact this project will have on IT staff and end users.

    Implementing an ITSM tool is a large project that is often highly complex in part because it requires input from a wide range of stakeholders: IT staff, end users, senior management, and vendors.

    A new ITSM tool will change how IT staff work and how users are serviced, and change is always difficult.

    Finally, implementing the new tool requires a migration from an existing tool without a pause in IT service availability. Incidents don’t take a week off while you execute the final product rollout.

    There may be hundreds of parameters to define and decisions to make, so identifying the full list of tasks early is critical to:

    • Identify the necessary stakeholders to provide input into implementation decisions.
    • Properly define scope and timelines.
    • Take advantage of the opportunity to review and improve processes as part of defining what will need to be configured in the new ITSM tool.

    Info-Tech Insight

    As with any large project, a key step is tackling it one bite at a time – but also understanding the size of the whole meal. This is where organizations often fail with ITSM implementations: not understanding upfront the volume of work required for a successful implementation.

    Your Challenge

    Organizations implementing a new ITSM tool often face these pitfalls:

    • Selecting the Wrong Resources: You need ITSM technology and process experts, because this is not just a technology project but also a process improvement opportunity. You will need to configure ITSM parameters and workflows in the new tool – which directly affects processes. Take advantage of that opportunity to fix pain points. For example, if your existing ticket categories are not effective, implement a better categorization scheme rather than just configure the same old, ineffective scheme.
    • Over-Reliance on the Vendor to Optimize Your Tool: Yes, the vendor will typically install and set up the tool but they will not fix your processes for you. On installation day, if you are not prepared with the categories, ticket templates, and so on that you wish to configure, your vendor will just go with the default or migrate your old parameters from your old ITSM tool.
    • Not Preparing for Data Migration: Data migration is complex. You need to determine what data to migrate, if any, and how that data will be mapped to the new environment. That takes planning and must be defined well before the vendor is ready to implement your tool.
    • Insufficient IT and End-User Training: A link to the ITSM tool manual is not enough. Staff and users need training on how your processes will be executed in the new tool.

    A survey of implementation challenges for ServiceNow’s customers

    26% Resistance to change

    43% Lacked a clear roadmap

    38% Planning for resources

    Source: Acorio, 2019

    Info-Tech’s approach

    Divide the implementation project into controllable phases for an effective implementation.

    Plan

    Define the scope of your project, identify and get buy-in from your stakeholders, and establish a timeframe for the implementation.

    Design & Build

    Identify existing process challenges and design workflows and ticket management to improve processes. Make decisions on data migrations and integrations for your new tool.

    Deploy & Train

    Create a rollout plan and communicate changes and improvements to users. Plan for the new tool deployment and monitor your solution.

    STOP: Use this blueprint after you have selected an ITSM solution

    Leverage our SoftwareReviews service and related blueprints to assist with ITSM tool selection, and then use this blueprint to plan the implementation.

    1. Evaluate solutions

    2. Select and purchase

    3. Implement (use this blueprint)

    Use our SoftwareReviews resources to evaluate solutions and vendors based on criteria such as features and customer service. Below are links to our ITSM software reviews:

    Use the following resources to help you make the case for funding and execute the purchase process:

    Your ITSM vendor or systems integrator will lead the technical implementation (e.g. software install and integration).

    As a result, your implementation plan needs to focus on preparing the information needed for implementation (e.g. ticket categories, workflow requirements) and organizational change management.

    This blueprint provides a methodology, checklist, and supporting templates to prepare for the implementation.

    Info-Tech’s methodology to build an ITSM Tool Implementation Plan

    1. Identify Scope, Stakeholders, and Preliminary Timeline

    2. Prepare to Implement Incident Management and Service Request Modules

    3. Create a Deployment Plan (Communication, Training, Rollout)

    Phase Steps

    1.1 Document define scope

    1.2 Define roles and responsibilities

    1.3 Identify preliminary timeline

    2.1 Review your existing solution and challenges

    2.2 Plan ticket management and workflow implementation

    2.3 Plan data migration, knowledgebase setup, and integrations

    2.4 Plan the module rollout

    3.1 Create a communication plan (for IT, users, and business leaders)

    3.2 Create a training plan

    3.3 Plan how you will deploy, monitor, and maintain the solution

    Phase Outcomes

    • RACI chart outlining high-level accountability and responsibilities for the project
    • Documenting timeline and team for the implementation project
    • ITSM tool implementation checklist
    • Strategy and identified opportunities to implement incident and service request modules
    • Documented communications and targeted training plan
    • Completed rollout plan and prepared to monitor your success metrics

    Insight summary

    Start with the assumption you don’t need to migrate old data

    ITSM tools are designed to support ITIL best practices

    Implement your new tool in stages to manage scope

    We all love data. We love being able to run reports showing trends, measuring changes over time, and highlighting pain points – but is your data from five years ago relevant to those assessments? Can you get by with just migrating open tickets and perhaps just the last year of critical tickets?

    Be ruthless in deciding what really needs to be in your active system to support incident matching, troubleshooting, or ongoing reporting.

    If you can’t make a strong case, don’t waste your time on old data. Remember, you can still save an exported copy or report of your old data if the need arises to search historical records.

    For organizations lacking process maturity, the tool’s default settings will often provide a good starting point. For example, a good ITSM tool will typically already be configured to follow best practices such as:

    • Separating incidents from service requests
    • Assigning resolution codes to solved tickets
    • Enabling routing based on categories

    Within those defaults, you will still need to decide your specific parameters – e.g. what your categories and resolution codes should be – so don’t blindly follow default settings but use them as a starting point.

    Start with the incident management and service requests modules. Those are typically the core of IT service management operations, so that should help realize benefits from the new tool sooner. In addition, incident management and service requests processes will support other ITSM processes such as asset management and problem management.

    Once those modules are implemented successfully (from a technology and process perspective), then start to implement your next core module (e.g. asset or change management), and continue to build from there.

    Blueprint deliverables

    This blueprint includes tools and templates to help you accomplish your goals:

    ITSM Tool Implementation Checklist

    Identify the most common decisions you will need to make and prepare for your implementation project.

    ITSM Tool Project Charter Template

    Review and edit the template to suit your project requirements

    The image contains a screenshot of the ITSM Tool Project Charter Template.
    The image contains screenshots of the ITSM Tool Implementation Checklist.

    ITSM Tool Deployment Plan Template

    Prioritize and prepare tool rollout plan

    The image contains a screenshot of the ITSM Tool Deployment Plan Template.

    ITSM Tool Training Schedule

    Use the checklist to create your new tool training roadmap

    The image contains a screenshot of the ITSM Tool Training Schedule.

    Blueprint benefits

    Benefits for IT

    Benefits for the business

    • Checklists and templates to support a smoother transition to the new ITSM tool.
    • Opportunity to review and optimize processes as part of the ITSM tool implementation project. A new tool with the same old processes will not achieve expected benefits.
    • Ability to plan and scope the project to avoid or reduce last-minute chaos.
    • Better planning means better results – specifically, ensuring that the implementation takes into account targeted business benefits.
    • Improved project management, and therefore better cost and effort estimates, by identifying required tasks upfront. This also provides the opportunity to re-scope or adjust timelines based on estimated effort.
    • Higher end-user satisfaction by executing a well-organized ITSM tool implementation.

    Measured value from using this blueprint

    Use this guide as an example to calculate your total cost savings from the ITSM tool implementation project.

    Phase 1

    Identify Scope, Stakeholders, and Preliminary Timeline

    Time, value, and resources saved by using Info-Tech’s methodology to define scope and plan your project

    E.g. 2 FTEs * 6 days * $80,000/year = $4,000/-

    Phase 2

    Prepare to Implement Incident Management and Service Request Modules

    Time, value, and resources saved by using Info-Tech’s methodology to build your solution strategy and determine configurations

    E.g. 2 FTEs * 8 days * $80,000/year = $5,400/-

    Phase 3

    Create a Deployment Plan (Communication, Training, Rollout)

    Time, value, and resources saved by using Info-Tech’s methodology to establish an effective communications roadmap and deploy tool

    E.g. 2 FTEs * 6 days * $80,000/year = $4,000/-

    Total Savings

    Total Savings

    Phase 1 + Phase 2 + Phase 3 = $13,400

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit Guided Implementation Workshop Consulting
    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.” “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.” “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    Phase 1 Phase 2 Phase 3

    Call #1: Define scope, roles, responsibilities and timeline.

    Call #2: Review your existing solution and challenges.

    Call #3: Plan ticket management and workflow implementation.

    Call #4: Plan data migration, knowledgebase setup, and integrations.

    Call #5: Plan the module rollout.

    Call #6: Create a communication plan.

    Call #7: Create a training plan.

    Call #8: Plan how you will deploy, monitor, and maintain the solution.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization. A typical GI is between 6 to 8 calls over the course of 3 to 6 months.

    Phase 1

    Identify Stakeholders, Scope, and Preliminary Timeline

    Phase 1 Phase 2 Phase 3

    Identify Stakeholders, Scope, and Preliminary Timeline

    Prepare to Implement Incident Management and Service Request Modules

    Create a Deployment Plan (Communication, Training, Rollout)

    This phase will walk you through the following steps:

    1. Define scope
    2. Define roles and responsibilities
    3. Identify preliminary timeline

    Step 1.1

    Define scope

    Activities

    1.1.1

    Use the Project Charter Template to capture project parameters

    1.1.2

    Leverage the Implementation Checklist to guide your preparation

    1.1.3

    Review goals that drove the ITSM tool purchase

    1.1.4

    Interview ITSM staff to identify current tool challenges and support organizational change management

    1.1.5

    Identify the modules and features you will plan to implement

    1.1.6

    Determine if data migration is required

    This step will walk you through the following activities:

    • Define the scope of the implementation project
    • Establish the future processes and functionalities the tool will support

    This step involves the following participants:

    • CIO
    • IT Director/Manager
    • Service Manager
    • Project Manager and the project team

    Outcomes of this step

    • Specifying the implementation project
    • Identifying the business units that are needed to support the project
    • Defining the ongoing and future service management processes the tool will support

    1.1.1 Use the Project Charter Template to capture scope, stakeholders, and timeline as outlined in Phase 1

    Follow the instructions in Phase 1 (step 1.1, 1.2, and 1.3) to gather information needed to create a project charter to define project parameters.

    Specific subsections are listed below and described in more detail in the remainder of this phase.

    1. Project Overview: Includes deliverables, scope, milestones, and success metrics.
    2. Governance and Management: Includes roles, responsibilities, and resource requirements.
    3. Project Risks, Assumptions, and Constraints: Includes risks and mitigation strategies as well as any assumptions and constraints.
    4. Project Sign-Off: Includes IT and executive sign-off (if required).

    The image contains a screenshot of the Project Charter Template.

    Download the ITSM Tool Implementation Project Charter Template

    1.1.2 Leverage the Implementation Checklist to guide your preparation

    The checklist tabs align to each phase of this blueprint.

    • Phase 1 (Tab 1) – Identify Stakeholders, Scope, and Preliminary Timeline
    • Phase 2 (Tab 2) – Prepare to Implement Incident Management and Service Request Modules
    • Phase 3 (Tabs 3+4) – Prepare to Implement Additional ITSM Modules (e.g. Change Management)
    • Phase 4 (deployment section in each tab) – Create a Deployment Plan (Communication, Training, Rollout)

    The image contains screenshots from the Implementation Checklist.

    Download the ITSM Tool Implementation Checklist

    1.1.3 Review goals that drove the ITSM tool purchase

    Identify the triggers for the selection and implementation of your new ITSM tool.

    Whether this is your first ITSM tool or a replacement for your old tool, the project was likely triggered by pain points that must be addressed by the new tool to improve your service desk. Having a clear understanding of these pain points throughout the implementation of your new tool will help to prevent them from reoccurring.

    Common ITSM pain points include:

    1. Poor communication with end users on ticket status.
    2. Lack of SLA automation to escalate issues to the appropriate channels.
    3. Poor self-service options for end users to perform simple requests on their own.
    4. Undeveloped knowledgebase for users to find answers to common issues.
    5. Lack of reporting or mistrust in reporting data.
    6. Lack of automation, including ticket templates.
    7. Overcomplicated ticket categories resulting in categories being misused.
    8. Overconfiguration prevents future upgrades.
    9. Lack of integration with other tools.

    If you haven't already selected an ITSM tool, leverage the IT Service Management Selection Guide to select the right tool.

    Download the IT Service Management Selection Guide

    1.1.4 Plan to interview staff to support organizational change management

    Identify challenges with the existing tool and processes as well as potential objections to the new tool.

    Incorporate this feedback in the implementation to drive buy-in and a successful rollout.

    Implementing a new ITSM tool will force changes in how IT staff do their work:

    • At a minimum, it means learning a new interface.
    • It could also mean leveraging features that improve IT operations but could change the process or tasks for the staff.
    • Their input on the current tool and process challenges can be critical for the project.
    • Solving at least some of their challenges can help bring them onboard to use this tool properly and follow associated process changes.

    Info-Tech Insight

    Keep management in the loop through every stage of the implementation process. They are the ones who are paying for the software, so they need to be informed throughout implementation and feel that their needs and feedback are being heard to prevent pushback further into the implementation.

    1.1.5 Identify the modules and features you will plan to implement

    Consider these factors when deciding what modules and features you want to implement:

    • Specific ITSM modules based on the recommended order and any unique business requirements
    • Key features that drove the tool purchase and address key issues
    • High-level process changes needed to address challenges and realize expected benefits from the new ITSM tool (e.g. if a key goal was automated ticket routing based on categories, then the project needs to include developing a good categorization scheme)

    Recommended order for implementation:

    1. Incident Management and Service Request
    2. This is the core of service management and typically has the highest impact on the organization. Include knowledgebase development as part of this implementation.

    3. Change Management
    4. A foundational component of service management, it allows organizations to minimize disruptions to IT services when making changes to services and critical systems.

    5. Asset Management
    6. A foundational component of service management, it allows organizations to track their assets’ locations, how they are used, and when changes are made to them.

    1.1.6 Determine if data migration is required

    If you are switching from a previous ITSM tool, carefully weigh the pros and cons as well as the necessity of migrating historical transactional data before deciding to import it into the new tool.

    Importing your old transactional data will allow you to track metrics over time, which can be valuable for data analysis and reporting purposes.

    However, ask yourself what the true value of your data is before you import it.

    You will not get value out of migrating the old data if:

    • You have incomplete or inaccurate data (a high percentage of incidents did not have tickets created in the old system).
    • The categorization of your old tickets was not useful or was used inconsistently.
    • You plan on changing the ticket categorization in the new system.

    “Don’t debate whether you can import your old data until you’ve made sure that you should.”

    – Barry Cousins, Practice Lead at Info-Tech Research Group

    Info-Tech Insight

    If you decide to migrate your data, keep in mind that it can be a complex process and proper time should be budgeted for planning, structuring the data, and importing and testing it.

    Step 1.2

    Define roles and responsibilities

    Activities

    1.2.1

    Key internal roles and responsibilities

    1.2.2

    Key external roles and responsibilities

    This step involves the following participants:

    • CIO
    • IT Director/Manager
    • Service Manager
    • Project Manager and the project team

    Outcomes of this step

    • Decision on whether to hire professional services for the implementation
    • Clearly defined roles and responsibilities for the project

    1.2.1 Identify key internal roles and responsibilities

    Review the tasks outlined in the Implementation Checklist to help you identify appropriate roles and specific staff that will be needed to execute this project.

    Project Role

    Description

    RACI

    Assigned To

    Executive Sponsor

    Liaison with the executive team (the CIO would be a good candidate for this role).

    Accountable for project completion.

    Approves resource allocation and funding.

    A, C

    Name(s)

    Project Manager

    Manages the project schedule, tasks, and budget.

    May act as a liaison between executives and the project-level team.

    R

    Name(s)

    Product Owner

    Liaison with the vendor.

    SME for the new tool.

    Provides input to tool configuration decisions.

    Manages the tool post-implementation.

    R

    Name(s)

    Process Owners

    Define current processes.

    Provide input to identifying current-state process challenges to address and potential changes as part of the new tool implementation.

    R

    Name(s)

    Service Desk Manager

    Provides input to tool configuration decisions.

    Manages and trains service desk agents to use new tool and processes.

    R

    Name(s)

    ITSM Tool Core Users (e.g. Service Desk Technicians)

    Provide input to identifying current-state process challenges to address.

    Provide input to tool configuration decisions.

    C

    Name(s)

    RACI = Responsible, Accountable, Consulted, and Informed

    Assign individuals to roles through each step of the implementation project in the governance and management chart in the Project Charter Template.

    Download the Project Charter Template

    1.2.2 Key external roles and responsibilities

    Determine whether you will engage professional services for the implementation.

    There are three main ways to implement your ITSM tool

    Implemented in-house by own staff

    Implemented using a combination of your own staff and your ITSM tool vendor

    Implemented by professional services and your ITSM tool vendor

    DIY Implementation

    Adopting a DIY implementation approach can save money but could draw out your implementation timeline and increase the likelihood of errors. Carefully consider your integration environment to determine your resourcing capabilities and maturity.

    Vendor Implementation

    In most cases, your vendor will support or execute the technical implementation based on your requirements. Use this blueprint to help you define those requirements.

    Professional Services

    Opting for professional services may result in a shorter implementation period and fewer errors but may also deny your IT staff the opportunity to develop the skills necessary to maintain and configure the solution in the future.

    Clarify the role of the professional services vendor before acquiring their services to make sure your expectations are aligned. For example, are you hiring the vendor for tool installation, tool configuration, or tool customization or for training your end users?

    Step 1.3

    Identify preliminary timeline

    Activities

    1.3.1

    Identify preliminary internal target dates

    1.3.2

    Identify target dates for vendor involvement

    This step involves the following participants:

    • CIO
    • IT Director/Manager
    • Service Manager
    • Project Manager and the project team

    Outcomes of this step

    • Specifying the target dates for the implementation project

    1.3.1 Identify preliminary internal target dates

    Identify high-level start and end dates based on the following:

    • Existing process maturity
    • Process changes required (to address process issues or to realize targeted benefits from the new tool)
    • Data migration requirements (if any)
    • Information to prepare for the implementation (review the Checklist Tool)
    • Vendor availability to support implementation
    • Executive mandates that have established specific milestone dates

    Create an initial project schedule:

    • Review the remaining phases of this blueprint for more details on the implementation planning steps.
    • Review and update the Checklist Tool to suit your implementation goals and requirements.
    • Assign task owners and target dates in the Checklist Tool.

    Note: This is a preliminary schedule. Monitor progress as well as requirement changes, and adjust the scope or schedule as needed.

    Update the columns in the Checklist Tool to plan and keep track of your implementation project.

    1.3.2 Identify target dates for vendor involvement

    Plan when you'll be ready for the vendor and identify the key points for when the vendor will come in.

    Are dates already scheduled for tool installation/configuration/customization?

    If yes:

    • Clarify vendor expectations for those target dates (i.e. what do you have to have prepared in advance?).
    • Determine options to adjust dates if needed.

    If no:

    • Defer scheduling until you have reviewed and updated the Implementation Checklist. The checklist will help you determine your readiness for vendor involvement.

    Consider if the vendor will implement the ITSM tool in one go or if they will help setup the tool in stages. Keep in mind that ITSM implementation projects typically take anywhere from 9 weeks to 16 months and plan accordingly depending on the maturity of your processes and the modules and features you plan to implement.

    Use your internal target dates to estimate when you'll be ready for the vendor to set up the tool and implement the setting that you've defined.

    Phase 2

    Prepare to Implement Incident Management and Service Request Modules

    Phase 1Phase 2Phase 3

    Identify Stakeholders, Scope, and Preliminary Timeline

    Prepare to Implement Incident Management and Service Request Modules

    Create a Deployment Plan (Communication, Training, Rollout)

    This phase will walk you through the following steps:

    • Review your existing solution and challenges
    • Plan ticket management and workflow implementation
    • Plan data migration, knowledgebase setup, and integrations
    • Plan the module rollout

    Additional Info-Tech Research

    The Implementation Checklist Tool summarizes what you need to prepare for the implementation. If you need more assistance with developing the underlying ITSM processes, use the tools, templates, and guidance in these blueprints.

    Standardize the Service Desk

    Build core elements of service desk operations, including incident management and service request workflows, ticket categorization schemes, and ticket prioritization rules.

    Optimize the Service Desk With a Shift-Left Strategy

    Implement tools such as an improved knowledgebase and self-service portal to enable lower tier support staff and end users to resolve incidents or fulfill service requests.

    Incident and Problem Management

    Develop a critical incident management workflow and create standard operating procedures for problem management.

    Step 2.1

    Review your existing solution and challenges

    Activities

    2.1.1

    Configure, don’t customize, your solution to minimize risk

    2.1.2

    Review your existing process and solution challenges for opportunities for improvement

    This step involves the following participants:

    1. Service Manager and Service Desk Team
    2. Project Manager and Core Project Team
    3. Subject Matter Experts and Tool Administrator, if applicable

    2.1.1 Configure your tool, don’t customize it

    Your tool may require at least some basic configurations to align with your processes, but in most cases customization of the tool is not recommended.

    Configuration

    Customization

    • Creating settings and recording reference data in the tool within the normal functionality of the tool.
    • Does not require changes to source code.

    Documentation of configurations is key.

    Failure to document configurations and the reasons for specific configurations will lead to:

    • Difficulty diagnosing incidents and problems.
    • Difficulty reconstructing the tool in the case of disaster recovery.
    • One administrator having all of the knowledge of configurations and taking it with them if they leave the organization.
    • Configurations that become useless in the future are maintained and lead to unnecessary work if documentation is not regularly reviewed.
    • Extending the functionality of the tool beyond what it was originally intended to do.
    • Requires manual changes to source code.

    Carefully consider whether a customization is necessary.

    • Over-customization of your ITSM tool code may lock you into your current version of the software by preventing future patches and upgrades, leaving you with outdated software.
    • Over-customization becomes particularly risky when your ITSM solution is integrated with other tools, as a loss in functionality of your ITSM tool resulting from over-customization may cause disruptions across the business.
    • If your selected ITSM solution doesn’t do something you think you need it to do, carefully evaluate whether you really need that customization and if the trade-off of potentially limiting future innovation is worth it.

    Case Study

    Consider the consequences of over-customizing your solution.

    INDUSTRY: Education

    SOURCE: IT Director

    Situation

    Challenge

    Resolution

    A few years ago, the service management office at the university decided to switch ITSM tools, from Computer Associates to ServiceNow.

    They wanted the new tool to behave similarly to what they had previously, so they made a lot of customized code changes to ServiceNow during implementation.

    As a result of the customizations, much of the functionality of the tool was restricted, and the upgrades were not compatible with the solution.

    The external consultants who performed the customizations and backend work did not document their changes, leaving the service management team without an understanding of why they did what they did.

    The service management team is working with ServiceNow to slowly unravel the custom code to try to get the solution back to having out-of-the-box functionality, with the ability to be upgraded.

    It has been challenging to do this work without disrupting the functionality of the tool.

    Over-customization led to the organization paying for features they couldn’t use and spending more time and resources down the road to try to reverse the changes.

    2.1.2 Review your existing process to identify opportunities for improvement

    Documenting your existing processes is an effective method for also reviewing those processes and identifying inefficiencies. Take advantage of this project to fix your process issues.

    1. Document your existing workflows for incident management and service requests.
    2. Review your workflows to identify opportunities to optimize through process refinement (e.g. clarifying escalation guidelines) or by leveraging features in your new ITSM tool (e.g. improved workflow automation).
    3. Similarly, review the challenges identified through stakeholder interviews: is there an opportunity address those challenges through process changes or leveraging your new ITSM tool?
    4. Address those challenge and issues as you execute the tasks outlined in the Implementation Checklist Tool. For example, if inconsistent ticket routing was identified as a challenge due to a vague categorization scheme, that’s a driver to review and update your scheme rather than just carry forward your existing scheme.

    Regardless of your existing ITSM maturity, this is an opportunity to review and optimize existing processes. Even the most-mature organizations can typically find an area to improve.

    Case Study

    Reviewing and defining processes before the implementation can be a project in itself.

    INDUSTRY: Defense

    SOURCE: Anonymous

    Situation

    Challenge

    Resolution

    The organization was switching to a new ITSM tool. To prepare for the implementation, they gathered stakeholders, held steering committee meetings, and broke down key processes, teams, and owners before even meeting with the larger group.

    They used a software tool called InDesign to visibly map service requests and incidents and determine who owned each process and where the handoffs were.

    The service catalog also needed to be built out as they were performing certain services that didn’t relate to anything in the catalog.

    The goal for the implementation was to have it completed within a year, but it ended up going over, taking 15 to 16 months to complete.

    Most of the time was spent identifying processes upfront before configuring the tool. There were difficulties defining processes as well as agreeing on who owned a process or service.

    There were also difficulties agreeing upon who the valid stakeholders were for processes, as groups were siloed.

    The major obstacles to implementation were therefore people and process, not the product.

    New processes were introduced, and boundaries were placed around processes that were being done in the past that weren’t necessary.

    Once the groups were able to agree upon process owners, the tool configuration and implementation itself did not pose any major difficulties.

    After the implementation, the tool was continually improved and sharpened to adapt to processes.

    Step 2.2

    Plan ticket management and workflow implementation

    Activities

    2.2.1

    Define ticket classification values

    2.2.2

    Define ticket templates for common incident types and service requests

    2.2.3

    Plan your ticket intake channels

    2.2.4

    Design a self-service portal

    2.2.5

    Plan your knowledgebase implementation in the new tool

    2.2.6

    Design your ticket status notification processes and templates

    2.2.7

    Identify required user accounts, access levels, and skills/ service groups

    2.2.8

    Review and update your workflows and escalation rules

    2.2.9

    Identify desired reporting and relevant metrics to track

    This step involves the following participants:

    1. Service Manager and Service Desk Team
    2. Project Manager and Core Project Team
    3. Subject Matter Experts and Tool Administrator, if applicable

    Outcomes of this step

    Tool is designed and configured to support service desk processes and organization needs.

    Checklist overview

    The ITSM Tool Implementation Checklist will help you estimate resources required to support demand, based on your ticket volume.

    TAB 2

    TAB 3

    TAB 4

    Incident and Service Modules Checklist

    Change Management Modules

    Asset Management Modules

    The image contains a screenshot of the ITSM Tool Implementation Checklist, tab 2. The image contains a screenshot of the ITSM Tool Implementation Checklist, tab 3. The image contains a screenshot of the ITSM Tool Implementation Checklist, tab 4.

    How to follow this section:

    The following slides contain a table that explains why each task in the module matters and what needs to be considered. Complete the checklist modules referring to this section.

    2.2.1 Define ticket classification values

    Ticket classification improves reporting, workflow automation, and problem identification.

    Review your existing ticket classification values to identify what to carry forward, drop, or change. For example, if your categorization scheme has become too complex, this is your opportunity to fix it; don’t perpetuate ineffective classification in the new tool.

    Task

    Why this matters

    Ticket Types (e.g. incident, service request, change)

    In particular, separating incidents from service requests supports appropriate ticket prioritization and resourcing; for example, an incident typically should be prioritized, and service requests can be scheduled.

    Categories (e.g. network, servers)

    An effective categorization scheme can help identify ticket assignment and escalation (e.g. network tickets would be escalated to the network team), and potentially automate ticket routing.

    Resolution Codes

    Indicates how the ticket was resolved (e.g. configuration change). Supports another layer of trends reporting and data to support problem identification.

    Status Values

    Shows what status the ticket is currently in (e.g. if the ticket has been opened or assigned to an agent, if it is in progress or has been resolved).

    2.2.2 Define ticket templates for common incident types and service requests

    Ticket templates are the backbone of automation. A common complaint is that tickets take too much time. However, a little planning can reduce the time it takes to create a ticket to less than a minute.

    Task

    Why this matters

    Identify common recurring tickets that would be good candidates for using ticket templates (e.g. common service requests and incidents).

    Some common recurring tickets such as password reset, new laptop, and login requests would be great candidates to create ticket templates for. Building a deck of standard rules to follow for common tickets saves time and reduces the number of tickets generated.

    Design ticket templates and workflows for common tickets (e.g. fields to auto-populate as well as routing and secondary tickets for onboarding requests).

    Differentiating between recurring ticket types and building pre-defined templates not just saves time but can also have major impact on how service is delivered as this will also help separate tickets. Creating these templates beforehand will also let you communicate effectively with the users at a time when all hands need to be on deck.

    2.2.3 Plan your ticket intake channels

    Consider possible ticket intake channels and evaluate their relevance to your organization.

    Task

    Why this matters

    Decide on ticket intake channels (e.g. phone, email, portal, walk-ups).

    Each standard intake channel serves its own purposes and can be extremely valuable under different circumstances. For example, walk-ins may be inefficient but necessary for critical incidents.

    If using email, identify/create the email account and appropriate permissions.

    Email works well if it automatically creates a ticket in your ticketing system, but users often don’t provide enough information in unstructured emails. Use required fields and ticket templates to ensure the ticket is properly categorized.

    If using phone, identify/create the phone number and appropriate integrations.

    Maintain the phone for users from other locations and for critical incidents but encourage users who call in to submit a ticket through the portal.

    If using a portal, determine if you will leverage the tool's portal or an existing portal.

    The web portal is the most efficient intake method, but ensure it is user friendly before promoting it.

    If using chat, determine whether you will use the tool's chat or an existing chat mechanism and whether integrations are needed.

    Another way to improve support experience for your customers is through live chat. This gives your customers an easy way to reach you at the exact moment they have questions or issues they can't fix.

    2.2.4 Design a self-service portal

    Map your processes to the tool by defining your ticket input, categories, escalations, and workflows.

    Don’t forget about the client-facing side of the solution. It is important to build a self-serve portal that has an easy-to-use interface where the user can easily find the category for the help they’re looking for. It is also necessary to educate the users on where to find the portal or how to access it.

    Task

    Why this matters

    Identify components to include (e.g. service request, incident, knowledgebase).

    Identify the categories you want the users to be able to access in the portal. Finding the right balance of components to include is very important to make it easy for your users to find all the relevant information they are looking for. This could mean fewer tickets.

    Plan the input form for service requests and incidents (e.g. mandatory fields, optional fields, drop-down lists).

    Having relevant and specific fields helps to narrow down your user’s issues and provides more information on how to allocate these tasks among the service desk resources and reduce time to further investigate the issues.

    If service catalog will be attached to the ITSM tool, define routing and workflows; if there is no existing service catalog, start a separate project to define it (e.g. services, SLAs).

    A centrally defined guide enables a uniform quality in service and clarifies the responsible tier for the ticket. Identify services that will be included in the catalog, and if the information is attached to the ITSM tool, plan for how will the routing and workflows be structured.

    Plan design requirements (e.g. company branding).

    Ensure that the portal is aligned with the company’s theme and access format. Work with the vendor to customize the branding on the tool, design requirements, images.

    2.2.5 Plan your knowledgebase (KB) implementation in the new tool

    Evaluate how onerous KB migration will be for you. Is this an opportunity to improve how the KB is organized?

    Task

    Why this matters

    Define knowledgebase categories and structure.

    Establishing knowledgebase structures or having them separated into categories makes it easy for your clients to find them (e.g. do they align with ticket categories?).

    Identify existing knowledgebase articles to add to the new tool.

    Review existing knowledgebase articles at a high level (e.g. Do you carry forward all existing articles? Take an opportunity to retire old articles?).

    Define knowledgebase article templates.

    Having standardized templates makes it an easy read and will increase its usage (e.g. all knowledgebase articles for recurring incidents will follow the same template).

    Build knowledgebase article creation, usage, and revision workflows.

    Decide how new knowledgebase articles will be built and added to the tool, how it will be accessed and used, and also any steps necessary to update the articles.

    Plan a knowledgebase feedback system.

    For example, include a comments section, like buttons, and who will get notified about feedback.

    2.2.6 Design your ticket status notification processes and templates

    Task

    Why this matters

    Identify triggers for status notifications. Balance the need for keeping users informed versus notifications being treated as spam.

    Identify when and where the users are informed to make sure you are not under or over communicating with them. Status notifications and alerts are a great way to set or reset expectations to your users on the delivery or resolution on their tickets. For example, auto-response for a new ticket, or status updates to users when the ticket is assigned, solved, and closed.

    If using email notifications, design email templates for each type of notification.

    Creating notification templates is a great way to provide standardized service to your clients and it saves time when a ticket is raised. For example, email templates for new ticket, ticket updated, or ticket closed.

    Plan how you will enable users to validate the ticket or resolve request without causing the ticket to reopen.

    For example, in the ticket solved template, provide a link to close the ticket, and ask the user to reply only if they wish to re-open the ticket (i.e. if it's not resolved). May require consulting with the ITSM tool vendor.

    Decide if customer satisfaction surveys will be sent to end users after their ticket has been closed.

    Discuss if this data would be useful to you if captured to improve/modify your service.

    If customer satisfaction surveys will be used, design the survey.

    Discuss what data would be useful to you if captured and create survey questionnaires to capture that data from your clients. For example, how many questions, types of questions, whether sent for every ticket or randomly.

    2.2.7 Identify required user accounts, access levels, and skills/service groups

    Task

    Why this matters

    Define Tier 1, 2, and 3 roles and their associated access levels.

    Having pre-established roles for different tiers and teams is a great way to boost accountability and also helps identify training requirements for each tier. For example, knowledgebase training for tier 1 & 2, reporting/analytics for IT manager.

    Identify skill groups or support teams.

    Establishing accountability for all the support practices in the service desk is important for the tickets to be effectively distributed among the functional individuals and teams. Identifying the responsibilities of groups help execute shift-left strategy.

    Identify required email permissions for each role.

    For example, define which roles get permissions to include status updates or other ticket information in their emails or to support automated notifications and other integrations with email.

    Determine how you will import users into the new tool.

    Identify the best way to migrate your users to the new tool whether it be by importing from Active Directory or the old ITSM tool, etc.

    2.2.8 Review and update your workflows and escalation rules

    Task

    Why this matters

    Document your future-state incident and service request workflows that will incorporate the above planning as well as improvements supported by the new tool.

    Document your workflows and review it to make sure it’s accurate and also to help you with communicating process expectations to all the stakeholders.

    Review the future-state workflows.

    This helps you validate that the planned changes meet your goals and identify any additional required changes.

    Update ticket classification values, templates, and ticket intake as needed based on the future-state workflows.

    Documenting your process might uncover additional requirements for classification, templates, etc. Ensure that the classification templates and related parameters align with the workflows.

    Identify opportunities to further automate workflows by leveraging the new tool.

    The process of reviewing the workflows often helps identify manual processes, labor intensive processes, very repetitive processes, etc. These can be opportunities to further automate your processes.

    2.2.9 Identify desired reporting and relevant metrics to track

    Documentation of key metrics of service desk performance and end-user satisfaction that you wish to improve through the new solution is key to evaluate the success of your implementation.

    Task

    Why this matters

    Define the metrics you will track in the new ITSM tool.

    It is critical to ensure that your tool will be able to track necessary metrics on KPIs from the start and that this data is accurate and reliable so that reporting will be relevant and meaningful to the business. Whether you use your own tool for tracking metrics or an external tool, ensure that you can get the internal data you need from the ITSM tool. This may include measures of Productivity (e.g. time to respond, time to resolve), Service (e.g. incident backlog, customer satisfaction), and Proactiveness (e.g. number of knowledgebase articles per week).

    Determine what reports you want to generate from data collected through the tool.

    It’s not enough to simply set up metrics, you have to actually use the information. Reports should be analyzed regularly and used to manage costs and productivity, improve services, and identify issues. Ensure that your service desk team contributes to the usefulness of reporting by following processes such as creating tickets for every incident and request, categorizing it properly, and closing it after it’s resolved with the proper resolution code.

    Identify the information and metrics to include in the ITSM tool's dashboards.

    A dashboard helps drive accountability across the team through greater visibility. Decide what will be reported on the dashboard. For example, average time to resolution, number of open tickets with subtotals for each priority, problem ticket aging.

    Step 2.3

    Plan data migration and integrations

    Activities

    2.3.1

    Create a data migration and archiving plan

    2.3.2

    Identify and plan required integrations

    This step involves the following participants:

    1. Service Manager and Service Desk Team
    2. Project Manager and Core Project Team
    3. Subject Matter Experts and Tool Administrator, if applicable

    Outcomes of this step

    • Decisions made around data migration, integrations, automation, and reporting.
    • ITSM Tool Implementation Checklist

    2.3.1 Create a data migration and archiving plan

    Task

    Why this matters

    Document your future-state incident and service request workflows that will incorporate the above planning as well as improvements supported by the new tool.

    Document your workflows and review them to make sure they’re accurate and also to help you with communicating process expectations to all the stakeholders.

    Review the future-state workflows.

    This helps you validate that the planned changes meet your goals and identify any additional required changes.

    Update ticket classification values, templates, and ticket intake as needed based on the future-state workflows.

    Documenting your process might uncover additional requirements for classification, templates, etc. Ensure that the classification templates and related parameters align with the workflows.

    Identify opportunities to further automate workflows leveraging the new tool.

    The process of reviewing the workflows often helps identify manual processes, labor-intensive processes, very repetitive processes, etc. These can be opportunities to further automate your processes.

    2.3.2 Identify and plan required integrations

    Consider and plan for any necessary integrations with other systems.

    A major component of the implementation that should be carefully considered throughout is if and how to integrate your ITSM tool with other applications in the environment.

    Task

    Why this matters

    Identify the systems you need to integrate with your ITSM tool (e.g. asset discovery tools, reporting systems).

    Regardless of whether your solution will be configured and installed on-premises or as a SaaS, you need to consider the underlying technology to determine how you will integrate it with other tools where necessary.

    Businesses may need to integrate their ITSM tool with other systems including asset management, network monitoring, and reporting systems to make the organization more efficient.

    Determine how data will flow between systems.

    Carefully evaluate the purpose of each integration. Clients often want their ITSM tool to be integrated with all of the available data in another application when they only need a subset of that data to be integrated.

    Consider not only which systems you need to integrate with your ITSM tool but also who the owners of those systems are and which way the data needs to flow.

    Plan the development, configuration, and testing of integrations.

    As with other aspects of the implementation, configure and test the integrations before going live with the tool.

    Step 2.4

    Plan the module rollout

    Activities

    2.4.1

    Repeat the methodology for additional ITSM modules, using the Checklists as a guide

    2.4.2

    Leverage these blueprints to help you implement change and asset management modules

    This step involves the following participants:

    1. Service Manager and Service Desk Team
    2. Project Manager and Core Project Team
    3. Subject Matter Experts and Tool Administrator, if applicable

    Outcomes of this step

    Identify and plan for additional modules and features to be implemented

    2.4.1 Repeat the methodology for additional ITSM modules, using the Checklists as a guide

    The preparation completed in Phase 1 and 2 to this point provide a foundation for additional ITSM modules.

    This blueprint starts with the incident management and service request modules as those are typically implemented first since they are the most impactful to day-to-day IT service management.

    In addition, the methodology outlined in Phase 1 and 2 to this point provides a model to follow for additional ITSM modules:

    • If you did not already account for additional modules in Phase 1, then repeat the steps in Phase 1 to define scope, stakeholders, and timeline.
    • The Implementation Checklist Tool provides tabs for Change Management and Asset Management to outline the specific details for those topic areas, but they follow the same high-level steps as Phase 2 (e.g. review existing processes, design relevant workflows).
    • If you are planning to implement other modules (e.g. Problem Management), create additional tabs in the Implementation Checklist Tool as needed, using the existing tabs as a base.
    The image contains screenshots of the ITSM checklists.

    2.4.2 Leverage these blueprints to help you implement change and asset management modules

    The Implementation Checklist Tool summarizes what you need to prepare for the implementation. If you need more assistance with developing the underlying ITSM processes, use the tools, templates, and guidance in the blueprints below.

    Optimize IT Change Management

    Define change management workflows, key roles, and supporting elements such as request-for-change forms based on best practices.

    Implement Hardware Asset Management

    Create an SOP and associated process workflows to streamline and standardize hardware asset management.

    Implement Software Asset Management

    Build on a strong hardware asset management program to also properly track and manage software assets. This includes managing software licensing, finding opportunities to reduce costs, and improving your software audit readiness.

    Phase 3

    Create a Deployment Plan (Communication, Training, Rollout)

    Phase 1Phase 2Phase 3

    Identify Stakeholders, Scope, and Preliminary Timeline

    Prepare to Implement Incident Management and Service Request Modules

    Create a Deployment Plan (Communication, Training, Rollout)

    This phase will walk you through the following steps:

    1. Create a communication plan (for IT, users, and business leaders)
    2. Create a training plan
    3. Plan how you will deploy, monitor, and maintain the solution

    ITSM Tool Training Schedule

    ITSM Tool Deployment Plan Template

    Use the template to document and plan the communications and training needs prior to deployment of the new tool.

    The image contains a screenshot of the ITSM Tool Training Schedule.

    Use the deployment plan template to document the strategy and decisions made for making the transition to the new ITSM tool.

    The image contains a screenshot of the ITSM Tool Deployment Plan Template.

    Download the ITSM Tool Training Schedule

    Download the ITSM Tool Deployment Plan Template

    Step 3.1

    Create a communication plan (for IT, users, and business leaders)

    Activities

    3.1.1

    Ensure there is strong communication from management throughout the implementation and deployment

    3.1.2

    Base your communications timeline on a classic change curve to accommodate natural resistance

    3.1.3

    Communicate new processes with business leaders and end users to improve positive customer feedback

    This step involves the following participants:

    1. CIO/IT Director
    2. IT Manager
    3. Service Manager

    Outcomes of this step

    Plan for communicating the change with business executives, service desk agents, and end users.

    3.1.1 Ensure there is strong communication from management throughout the implementation and deployment

    A common contributing factor for unsuccessful implementation is a lack of communication around training, transitioning, and deploying the new tool.

    Common Pitfall:

    Organizational communication and change management should have been ongoing and tightly monitored throughout the project. However, cut-over is a time in which critical communication regarding deployment and proper user training can be derailed when last-minute preparations take priority. Not only will general user frustration increase, but unintended process workarounds will emerge, eroding system effectiveness.

    Mitigating Actions:

    Deliver training for end users that will be engaged in testing. For all other users, deliver training prior to go-live to avoid the risk of training too early (where materials may not be ready or users are likely to forget what was learned). If possible, host quick refresher training a week or two prior to go-live.

    Aim to communicate the upcoming go-live. The purpose of communication here is to reiterate expectations, complexities, and ramifications on business going forward. Alleviate performance anxiety by clearly stating that temporary drops in productivity are to be expected and that there will be appropriate assistance throughout the transition period.

    Transition: Have the project/program manager remain on the project team for some time after deployment to oversee and assure smooth transition for the organization.

    Complete training: Have a clear plan for training those users that were missed in the first round of training as well as a plan for ongoing training for those that require refresher training, for new joiners to your organization, and for any training requirements that result from subsequent upgrades.

    3.1.2 Base your communications timeline on a classic change curve

    It’s important to communicate the change ahead of the implementation, but also to reinforce that communication after implementation to recover from any resistance that occurs through the implementation itself.

    Stages in a typical change curve:

    1. Change is announced. Some people are skeptical and resistant, but others are enthusiastic. Most people are fence sitters; if they trust senior leadership, they will give the benefit of the doubt and expect change to be good.
    2. Positive sentiment declines as implementation approaches. Training and other disruptions take people’s time and energy away from their work. Project setbacks and delays take credibility away from project leaders and seem to validate the efforts of saboteurs and skeptics.
    3. Overall sentiment begins to improve as people adjust and see real progress made. Ideally, early successes or quick wins neutralize saboteurs and convert skeptics. At the very least, people will begin to accept and adapt to new realities.
    4. If the project is successful and communication is reinforced after implementation, sentiment will peak and level out over time as people move on to other projects.

    The image contains a diagram of a change curve.

    1. Honeymoon of “Uninformed Optimism”: Tentative support and enthusiasm for change before people have really felt or understood what it involves.
    2. Backlash of “Informed Pessimism” (leading to “Valley of Despair”): People realize they’ve overestimated the benefits (or how soon they’ll be achieved) and underestimated the difficulty of change.
    3. Valley of Despair and beginning of “Hopeful Realism”: Sentiment bottoms out and people begin to accept the difficulty (or inevitability) of change.
    4. Bounce of “Informed Optimism”: More optimism and support when people begin to see bright spots and early successes.
    5. Contentment of “Completion”: Change has been successfully adopted and benefits are being realized.

    3.1.3 Communicate new processes

    1. Communicate with business unit leaders and users:
    • Focus on the benefits for end users to encourage buy-in for the change.
    • Include preliminary instructions with a date for training sessions.
  • Train users:
    • Teach users how to contact the service desk and submit a ticket.
    • Set expectations for IT’s response.
    • Record all your training sessions so it can used for recursive training.
  • Enforce:
    • IT must point users toward the new process, but ad hoc requests should still be expected at first. Deal with these politely but encourage all employees to use the new service desk ticketing process, if applicable.
  • Measure success:
    • Continue to adjust communications if processes aren’t being followed to ensure SLAs can be met and improved.

    “Communicate with your end users in phase 1 to let them know what will be changing, get feedback and buy-in, and inform them that training will be happening, then ensure you train them once the tool is installed. A lot of times we’ll get our tool set up but people don’t know how to use it."

    – Director of ITSM Tools

    Info-Tech Insight

    If there is a new process for ticket input, consider using a reward system for users who submit a ticket through the proper channel ;(e.g. email or self-serve portal) instead of their old method (e.g. phone). However, if a significant cultural change is required, don’t expect it to happen right away.

    Step 3.2

    Create a training plan

    Activities

    3.2.1

    Target training session(s) to the specific needs of your service desk, service groups, IT managers

    3.3.1

    Provide training (tool/portal and process changes)

    3.4.1

    Choose an appropriate training delivery method that will focus on both process and tool

    This step involves the following participants:

    • IT Director
    • Project Manager
    • Service Desk Manager

    Outcomes of this step

    • Training modules for different users of the tool.
    • Assignment of training modules to users and schedule for completion.

    3.2.1 Target training session(s) to the specific needs of your service desk and IT staff

    Create targeted role-based training programs for your service desk analysts; they care about the portion of the solution they are responsible for, not the functionality that is irrelevant to their job.

    Create and execute a role-based training program by conducting training sessions for targeted groups of users, training them on the functions they require to perform their jobs.

    Use a table like this one to help identify which roles should be trained on which tasks within the ITSM tool.

    The image contains a table as an example of identifying which roles should be trained within the ITSM tool.

    The need for targeted training:

    • IT personnel may challenge the need for training. They may feel they don’t require training on the use of tools or that they don’t have time to dedicate to training when there is so much work to be done.
    • Providing targeted training focused on only the functions of the solution that each tier is responsible for can help to overcome that resistance.
    • Targeted training may include basic training for level 1 technicians and more advanced in-depth training for administrators, power users, or level 2/3 technicians.

    Info-Tech Insight:

    Properly trained users promote adoption and improve results. Always keep training materials updated and available. New employees, new software integration, and internal promotions create opportunities for training employees to align the ITSM tool with their roles and responsibilities.

    3.2.2 Provide training

    Training must take place before deployment to ensure that both your service desk agents and end users will use the tool in the way it was intended and improve end-user satisfaction.

    • Implementing a new ITSM tool will likely bring with it at least some degree of organizational and cultural change. It’s important to manage that change through proper training. Your training needs will vary depending on the maturity of the organization and the amount of cultural and process change being implemented.
    • If this is your first ITSM solution with many new changes for staff to take on board, it will be important to dedicate training time not only before deployment but also several months after the initial installation, to allow staff to gain more experience with the new tool and processes and formulate questions they may not think to ask during implementation.
    • A training plan should take into account not only training needs for the implementation project but also any ongoing training requirements that may be required. This may include:
      • Training for new personnel.
      • Training on any changes to the tool.
      • Training on any new processes the tool will support.
    • Better agent training will lead to better performance and improved end-user satisfaction.

    The image contains a screenshot of a graph to demonstrate training hours and first contact resolution.

    The blue graph line charts new-agent training hours against first contact resolution and the orange graph line charts the trendline for the dataset.

    Source: MetricNet, 2012

    3.2.3 Choose an appropriate training delivery method

    Training should include use cases that focus on not only how the tool’s interface works but also how the tool should be used to support process activities.

    1. Training through use cases highlights how the tool will support the user in role-based tasks.
    2. If new processes are being introduced along with the tool, training should cover both in an integrated way.
    3. Team leadership and management commitment ensures that all agents take their training seriously and are prepared for all use cases by the deployment date.

    Trainer-led sessions:

    Self-taught sessions:

    • May take the form of onsite or video training.
    • Vendor may train administrators or managers, who will later train remaining staff.
    • Allows for interaction with the trainer and greater opportunity to ask questions.
    • Difficult for large organizations with many users to be trained.
    • Delivered via computer-based training applications, typically through a web browser.
    • May include voice training sessions combined with exercises and quizzes.
    • More feasible for large, distributed organizations with less flexible schedules.

    Info-Tech Insight:

    Ensure that the training demonstrates not only how the tool should be used, but also the benefits it will provide your staff in terms of improved efficiency and productivity. Users who can clearly see the benefits the tool will provide for their daily work will accept the tool more readily and promote it across the organization.

    Step 3.3

    Plan how you will deploy, monitor, and maintain the solution

    Activities

    3.3.1

    Plan the transition from your old tool to ensure continual functionality

    3.3.2

    Choose a cut-over approach that works for you

    3.3.3

    Deploy the solution and any new processes simultaneously to ease the transition

    3.3.4

    Have a post-deployment support plan in place

    3.3.5

    Monitor success metrics defined in Phase 1

    This step involves the following participants:

    • IT Director
    • Project Manager
    • Service Desk Manager

    Outcomes of this step

    Deployment plan, including a plan for cut-over from the old tool (if applicable), release of the new tool, and post-deployment support and maintenance of the tool.

    3.3.1 Plan the transition from your old tool to ensure continual functionality

    If you will have a transitional period during which the current tool will be used alongside the new tool, develop a clear plan for the transition to ensure continued service for your end users.

    • If there will be an interim period during which only some aspects of the new ITSM tool are functional, you will need to determine how the new system and old systems will work together for that period of time. This may require creating interfaces as well as providing user documentation and/or SOPs on how the business processes will operate during the interim period.
    • Cut-over is the period during which the changeover to the new system occurs. Cut-over activities need to be tightly choreographed for a successful deployment. If improperly planned, chaos may erupt when unforeseen issues are encountered during deployment, the deployment may be jeopardized, and the organization may encounter costly interruptions to its daily operations.
    • Many organizations may leave any open tickets in the old tool until they are closed, which requires that tool run alongside the new tool for a transitional period. In this case, it is necessary to create guidelines around how long the open tickets will remain in the old system and ensure there is clear communication around these processes.

    Be prepared for the transition:

    1. Create a robust cut-over plan that includes when the old tool will be decommissioned, what activities are necessary during the cut-over, and what the contingency plan is in case of unforeseen issues.
    2. Plan for and perform mock cut-overs to establish the timeline and dependencies for all steps that need to be performed to successfully complete the changeover. Do this to avoid any surprises or delays during the true cut-over period.
    3. Establish cut-over logistics: Create a schedule for resources to work in shifts to avoid burn-out during cut-over, which can lead to lapses in judgment and easily avoidable mistakes. Allocate dedicated workspaces for cut-over activities, e.g. “war rooms” for the triage of issues.

    3.3.2 Choose a cut-over approach that works for you

    Approaches and insights from three case studies

    Case Study #1

    Case Study #2

    Case Study #3

    On day one we started recording all new incidents in the new tool, and everything that was open in the old tool remained open for about one month. At that point we transferred over some open incidents but closed old incidents with the view that if anyone really wanted something done that hadn’t been yet, they could re-submit a ticket.

    – Brett Andrews,

    Managing Director at BAPTISM Consultancy

    It made sense for us to start fresh with the new system. We left all of the old tickets in the old system and started the new system with ticket #1. We only had about a dozen open tickets in the old system so we left them there and ran the two tools side by side until those were closed.

    – CIO, Publishing

    It depends on the client and the size of their service desk as well as the complexity of their data and whether they need their old data for reporting. If there are only a dozen open tickets, they can manually move those over easily, and decide whether they want to migrate their historical data for reporting purposes.

    – Scott Walling,

    Co-Founder at Monitor 24-7 Inc.

    3.3.3 Deploy the solution and any new processes simultaneously to ease the transition

    Follow a deployment plan for introducing new processes alongside the new tool to ensure changes to both process and technology are adopted simultaneously.

    If you’re introducing new processes alongside the new tool, it’s important to maintain the link between process and tool. Typically, the processes and tool should be deployed simultaneously unless there is a strong reason not to do so.

    Deployment can be done as a big-bang or phased approach. The decision to employ a phased deployment depends on the number and size of business units the tool will support, as well as the organization’s geography and infrastructure (deployment locations).

    Before deployment, conduct readiness assessments to understand whether:

    The people are ready to accept the new system (have received the proper training and communications and understand how their jobs will change when the switch is flipped).

    The technology is ready (test results are favorable, workarounds and a plan for closure have been identified for any open defects, and the system is performing as expected).

    The data is ready (data for final conversion has been cleansed, and all conversions have been rehearsed).

    The post-deployment support model is ready (infrastructure and technical support is in place, sites are ready, knowledge transfer has been conducted with the support organization, and end users understand procedures for escalation of issues).

    3.3.4 Have a post-deployment support plan in place

    Ensure that strong internal support for the project and tool will continue after deployment.

    The stabilization period after a new software deployment can last between three and nine months, during which there may be continued training needs and fine-tuning of processes. Internal support from project leaders within your organization will be critical to recover from any dip in operational efficiency and deliver the benefits of the tool.

    Consider the following to prepare better for your support plan:

    What are the roles and responsibilities for ongoing tool administration support?

    What level of support will exist to assist service desk staff after deployment?

    How much time will project team resources devote to tackling upcoming issues and assisting with ongoing support?

    Who will be responsible for ongoing training needs and documentation?

    If your organization is spread across multiple locations, what level of support/assistance will be available at each site?

    How will new code releases or system upgrades be managed and communicated?

    Info-Tech Insight:

    Deployment is only the first step in the system lifecycle. Full benefit realization from the tool requires ongoing investment and learning to be sustained. Unless processes and training are updated on an ongoing basis, benefits gained will start to decrease over time. If your service desk efficiency stagnates at the level it was at prior to implementation, the tool has failed to serve its objective.

    Establish ongoing tool maintenance, improvement structures, and processes

    People, processes, and organizations change over time, and your ITSM tool will need to change to meet expectations.

    Develop and execute a plan for the maintenance of the solution and its infrastructure components.

    Include periodic reviews against business needs and operational requirements (e.g. patches, upgrades, and risk and security requirements).

    For maintenance updates, use the change management process and assess how an activity will impact solution design, functionality, and business processes.

    For major changes that result in significant change in current designs, functionality, and/or business processes, follow the development process used for new systems.

    Ensure that maintenance activities are periodically analyzed for abnormal trends indicating underlying quality or performance problems, cost/benefit of major upgrade, or replacement in lieu of maintenance.

    Assign responsibility for ongoing maintenance. Hold regular meetings for the following activities:

    1. Inspect data and reports.
    2. Assess whether you’re meeting SLAs.
    3. Predict any upcoming changes that may impact ticket volume (e.g. a new operating system or security patch).
    4. Create new ticket templates for recurring or upcoming issues.
    5. Create new knowledgebase articles.
    6. Determine whether ticket categories are being used correctly.
    7. Ask team if there are any problems with the tool.

    3.3.5 Monitor success metrics defined in Project Charter

    Revisit your goals for the solution and assess if they are being met by evaluating current metrics. If your goals have not yet been met, re-evaluate how to ensure the tool will deliver value.

    Sample High-Level Goals:

    1. Improved service desk efficiency
    2. Improved end-user satisfaction
    3. Improved self-service options for end users
    4. Improved data and reporting capabilities

    Sample Metric Descriptions

    Baseline Metric

    Goal

    Current Metric

    Increased ticket input through email versus phone

    50% of tickets submitted through phone

    10% of tickets submit through phone

    Reduced ticket volume (through improved self-serve capabilities)

    1,500 tickets per month

    1,200 tickets per month

    Improved first call resolution (through increased efficiency and automation)

    50% FCR

    60% FCR

    Improved ability to meet SLAs (through automated escalations and prioritization)

    5 minutes to log a ticket

    1 minute to log a ticket

    Improved time to produce reports

    3 business days

    1 business day

    Improved end-user satisfaction

    60% satisfied with services

    75% satisfied

    Related Info-Tech Research

    Optimize IT Change Management

    Define change management workflows, key roles, and supporting elements such as request-for-change forms based on best practices.

    Standardize the Service Desk

    Build core elements of service desk operations, including incident management and service request workflows, ticket categorization schemes, and ticket prioritization rules.

    Optimize the Service Desk With a Shift-Left Strategy

    Implement tools such as an improved knowledgebase and self-service portal to enable lower tier support staff and end users to resolve incidents or fulfill service requests.

    Incident and Problem Management

    Develop a critical incident management workflow and create standard operating procedures for problem management.

    IT Service Management Selection Guide

    Identify the best-of-breed solution to make the most of your investment and engage the right stakeholders to define success.

    Analyze Your Service Desk Ticket Data

    Develop a framework to track metrics, clean data, and put your data to use for pre-defined timelines.

    Bibliography

    Adiga, Siddanth. “10 Reasons Why ITSM Implementations Fail.” Could Strategy, 6 May 2015. Web.

    Hastie, Shane, and Stéphane Wojewoda. “Standish Group 2015 Chaos Report.” InfoQ, 4 October 2015. Web.

    “How to Manage Change in the Implementation of an ITSM Software.” C2, 20 April 2015. Web.

    Lockwood, Meghan. “First Look: Annual ServiceNow Insight and Vision Executive Summary [eBook].” Acorio, 31 October 2019. Web.

    Mainville, David. “7 Steps to a Successful ITSM Tool Implementation.” Navvia, 2012. Web.

    Rae, Barclay. “Preparing for ITSM Tool Implementation.” Joe the IT Guy, 24 June 2015. Web.

    Rae, Barclay. “Successful ITSM Tool Implementation.” BrightTALK, 9 May 2013. Webcast.

    Rumburg, Jeffrey. “Metric of the Month: Agent Training Hours.” MetricNet, 2012. Web.

    Make Prudent Decisions When Increasing Your Salesforce Footprint

    • Buy Link or Shortcode: {j2store}134|cart{/j2store}
    • member rating overall impact: 8.9/10 Overall Impact
    • member rating average dollars saved: $55,224 Average $ Saved
    • member rating average days saved: 4 Average Days Saved
    • Parent Category Name: Licensing
    • Parent Category Link: /licensing
    • Too often, organizations fail to achieve economy of scale. They neglect to negotiate price holds, do not negotiate deeper discounts as volume increases, or do not realize there are already existing contracts within the organization.
    • Understand what to negotiate. Organizations do not know what can and cannot be negotiated, which means value gets left on the table.
    • Integrations with other applications must be addressed from the outset. Many users buy the platform only to realize later on that the functionality they wanted does not exist and may be an extra expense with customization.

    Our Advice

    Critical Insight

    • Buying power dissipates when you sign the contract. Get the right product for the right number of users for the right term and get it right the first time.
    • Getting the best price does not assure a great total cost of ownership or ROI. There are many components as part of the purchasing process that if unaccounted for can lead to dramatic and unbudgeted spend.
    • Avoid buyer’s remorse through due diligence before signing the deal. If you need to customize the software or extend it with a third-party add-in, identify your costs and timelines upfront. Plan for successful adoption.

    Impact and Result

    • Centralize purchasing instead of enabling small deals to maximize discount levels by creating a process to derive a cost-effective methodology when subscribing to Sales Cloud, Service Cloud, and Force.com.
    • Educate your organization on Salesforce’s licensing methods and contract types, enabling informed purchasing decisions. Critical components of every agreement that need to be negotiated are a renewal escalation cap, term protection, and license metrics to document what comes with each. Re-bundling protection is also critical in case a product is no longer desired.
    • Proactively addressing integrations and business requirements will enable project success and enable the regular upgrades the come with a multi-tenant cloud services SaaS solution.

    Make Prudent Decisions When Increasing Your Salesforce Footprint Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you need to understand and document your Salesforce licensing strategy, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Establish software requirements

    Begin your journey by understanding whether Salesforce is the right CRM. Also proactively approach Salesforce licensing by understanding which information to gather and assessing the current state and gaps.

    • Make Prudent Decisions When Increasing Your Salesforce Footprint – Phase 1: Establish Software Requirements
    • Salesforce Licensing Purchase Reference Guide
    • RASCI Chart

    2. Evaluate licensing options

    Review current products and licensing models to determine which licensing models will most appropriately fit the organization's environment.

    • Make Prudent Decisions When Increasing Your Salesforce Footprint – Phase 2: Evaluate Licensing Options
    • Salesforce TCO Calculator
    • Salesforce Discount Calculator

    3. Evaluate agreement options

    Review Salesforce’s contract types and assess which best fits the organization’s licensing needs.

    • Make Prudent Decisions When Increasing Your Salesforce Footprint – Phase 3: Evaluate Agreement Options
    • Salesforce Terms and Conditions Evaluation Tool

    4. Purchase and manage licenses

    Conduct negotiations, purchase licensing, finalize a licensing management strategy, and enhance your CRM with a Salesforce partner.

    • Make Prudent Decisions When Increasing Your Salesforce Footprint – Phase 4: Purchase and Manage Licenses
    • Controlled Vendor Communications Letter
    • Vendor Communication Management Plan
    [infographic]

    Workshop: Make Prudent Decisions When Increasing Your Salesforce Footprint

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Establish Software Requirements

    The Purpose

    Assess current state and align goals; review business feedback.

    Interview key stakeholders to define business objectives and drivers.

    Key Benefits Achieved

    Have a baseline for whether Salesforce is the right solution.

    Understand Salesforce as a solution.

    Examine all CRM options.

    Activities

    1.1 Perform requirements gathering to review Salesforce as a potential solution.

    1.2 Gather your documentation before buying or renewing.

    1.3 Confirm or create your Salesforce licensing team.

    1.4 Meet with stakeholders to discuss the licensing options and budget allocation.

    Outputs

    Copy of your Salesforce Master Subscription Agreement

    RASCI Chart

    Salesforce Licensing Purchase Reference Guide

    2 Evaluate Licensing Options

    The Purpose

    Review product editions and licensing options.

    Review add-ons and licensing rules.

    Key Benefits Achieved

    Understand how licensing works.

    Discuss licensing rules and their application to your current environment.

    Determine the product and license mix that is best for your requirements.

    Activities

    2.1 Determine the editions, licenses, and add-ons for your Salesforce CRM solution.

    2.2 Calculate total cost of ownership.

    2.3 Use the Salesforce Discount Calculator to ensure you are getting the discount you deserve.

    2.4 Meet with stakeholders to discuss the licensing options and budget allocation.

    Outputs

    Salesforce CRM Solution

    Salesforce TCO Calculator

    Salesforce Discount Calculator

    Salesforce Licensing Purchase Reference Guide

    3 Evaluate Agreement Options

    The Purpose

    Review terms and conditions of Salesforce contracts.

    Review vendors.

    Key Benefits Achieved

    Determine if MSA or term agreement is best.

    Learn what specific terms to negotiate.

    Activities

    3.1 Perform a T&Cs review and identify key “deal breakers.”

    3.2 Decide on an agreement that nets the maximum benefit.

    Outputs

    Salesforce T&Cs Evaluation Tool

    Salesforce Licensing Purchase Reference Guide

    4 Purchase and Manage Licenses

    The Purpose

    Finalize the contract.

    Discuss negotiation points.

    Discuss license management and future roadmap.

    Discuss Salesforce partner and implementation strategy.

    Key Benefits Achieved

    Discuss negotiation strategies.

    Learn about licensing management best practices.

    Review Salesforce partner options.

    Create an implementation plan.

    Activities

    4.1 Know the what, when, and who to negotiate.

    4.2 Control the flow of communication.

    4.3 Assign the right people to manage the environment.

    4.4 Discuss Salesforce partner options.

    4.5 Discuss implementation strategy.

    4.6 Meet with stakeholders to discuss licensing options and budget allocation.

    Outputs

    Salesforce Negotiation Strategy

    Vendor Communication Management Plan

    RASCI Chart

    Info-Tech’s Core CRM Project Plan

    Salesforce Licensing Purchase Reference Guide

    Choose Your Mobile Platform and Tools

    • Buy Link or Shortcode: {j2store}281|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Mobile Development
    • Parent Category Link: /mobile-development
    • Organizations see the value of mobile applications in improving productivity and reach of day-to-day business and IT operations. This motivates leaders to begin the planning of their first application.
    • However, organizations often lack the critical foundational knowledge and skills to deliver and maintain high quality and valuable applications that meet business and user priorities and technical requirements.
    • Mobile technologies and trends are continually evolving and maturing. It is hard to predict which trends will make a significant impact and to prepare current mobile investments to harness their value of these trends.

    Our Advice

    Critical Insight

    • Mobile applications can stress the stability, reliability, and overall quality of your enterprise systems and services. They will also increase your security risks because of the exposure of your enterprise technology assets to unsecured networks and devices.
    • High costs of entry may restrict what built-in features your users can have in their mobile experience. Workarounds may not be sufficient to offset the costs of certain built-in feature needs.
    • Many operating models do not enable or encourage the collaboration required to fully understand user needs and behaviors and evaluate mobile opportunities and underlying operational systems from multiple perspectives.

    Impact and Result

    • Establish the right expectations. Understand your mobile users by learning their needs, challenges, and behaviors. Discuss the current state of your systems and your high priority non-functional requirements to determine what to expect from your mobile applications.
    • Choose the right mobile platform approach and shortlist your mobile delivery solutions. Obtain a thorough view of the business and technical complexities of your mobile opportunities, including current mobile delivery capabilities and system compatibilities.
    • Create your mobile roadmap. Describe the gradual rollout of your mobile technologies through minimal valuable products (MVPs).

    Choose Your Mobile Platform and Tools Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Choose Your Mobile Platform and Tools Storyboard

    This blueprint helps you develop an approach to understand the mobile experience your stakeholders want your users to have and select the appropriate platform and delivery tools to meet these expectations.

    • Choose Your Mobile Platform and Tools Storyboard

    2. Mobile Application Delivery Communication Template – Clearly communicate the goal and approach of your mobile application implementation in a language your audience understands.

    This template narrates a story to describe the need and expectations of your low- and no-code initiative to get buy-in from stakeholders and interested parties.

    • Mobile Application Delivery Communication Template

    Infographic

    Workshop: Choose Your Mobile Platform and Tools

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Choose Your Platform and Delivery Solution

    The Purpose

    Choose the right mobile platform.

    Shortlist your mobile delivery solution and desired features and services.

    Key Benefits Achieved

    A chosen mobile platform that meets user and enterprise needs.

    Candidate mobile delivery solutions that meet your delivery needs and capacity of your teams.

    Activities

    1.1 Select your platform approach.

    1.2 Shortlist your mobile delivery solution.

    1.3 Build your feature and service lists.

    Outputs

    Desired mobile platform approach.

    Shortlisted mobile delivery solutions.

    Desired list of vendor features and services.

    2 Create Your Roadmap

    The Purpose

    Design the mobile application minimal viable product (MVP).

    Create your mobile roadmap.

    Key Benefits Achieved

    An achievable and valuable mobile application that is scalable for future growth.

    Clear intent of business outcome delivery and completing mobile delivery activities.

    Activities

    2.1 Define your MVP release.

    2.2 Build your roadmap.

    Outputs

    MVP design.

    Mobile delivery roadmap.

    3 Set the Mobile Context

    The Purpose

    Understand your user’s environment needs, behaviors, and challenges.

    Define stakeholder expectations and ensure alignment with the holistic business strategy.

    Identify your mobile application opportunities.

    Key Benefits Achieved

    Thorough understanding of your mobile user and opportunities where mobile applications can help.

    Level set stakeholder expectations and establish targeted objectives.

    Prioritized list of mobile opportunities.

    Activities

    3.1 Generate user personas with empathy maps.

    3.2 Build your mobile application canvas.

    3.3 Build your mobile backlog.

    Outputs

    User personas.

    Mobile objectives and metrics.

    Mobile opportunity backlog.

    4 Identify Your Technical Needs

    The Purpose

    Define the mobile experience you want to deliver and the features to enable it.

    Understand the state of your current system to support mobile.

    Identify your definition of mobile application quality.

    List the concerns with mobile delivery.

    Key Benefits Achieved

    Clear understanding of the desired mobile experience.

    Potential issues and risks with enabling mobile on top of existing systems.

    Grounded understanding of mobile application quality.

    Holistic readiness assessment to proceed with mobile delivery.

    Activities

    4.1 Discuss your mobile needs.

    4.2 Conduct a technical assessment.

    4.3 Define mobile application quality.

    4.4 Verify your decision to deliver mobile applications.

    Outputs

    List of mobile features to enable the desired mobile experience.

    System current assessment.

    Mobile application quality definition.

    Verification to proceed with mobile delivery.

    Further reading

    Choose Your Mobile Platform and Tools

    Maximize the value of your mobile investments by prioritizing technology decisions on user experience, business priorities, and system quality.

    EXECUTIVE BRIEF

    Analyst Perspective

    Mobile is the way of working.

    Workers require access to enterprise products, data, and services anywhere at anytime on any device. Give them the device-specific features, offline access, desktop-like interfaces, and automation capabilities they need to be productive.

    To be successful, you need to instill a collaborative business-IT partnership. Only through this partnership will you be able to select the right mobile platform and tools to balance desired outcomes with enterprise security, performance, integration, quality, and other delivery capacity concerns.

    This is a picture of Andrew Kum-Seun Senior Research Analyst, Application Delivery and Application Management Info-Tech Research Group

    Andrew Kum-Seun
    Senior Research Analyst,
    Application Delivery and Application Management
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • Organizations see the value of mobile applications in improving productivity and reach of day-to-day business and IT operations. This motivates leaders to begin the planning of their first application.
    • However, organizations often lack the critical foundational knowledge and skills to deliver and maintain high quality and valuable applications that meet business and user priorities and technical requirements.
    • Mobile technologies and trends are continually evolving and maturing. It is hard to predict which trends will make a significant impact and to prepare current mobile investments to harness the value of these trends.

    Common Obstacles

    • Mobile applications can stress the stability, reliability and overall quality of your enterprise systems and services. They will also increase your security risks because of the exposure of your enterprise technology assets to unsecured networks and devices.
    • High costs of entry may restrict what native features your users can have in their mobile experience. Workarounds may not be sufficient to offset the costs of certain native feature needs.
    • Many operating models do not enable or encourage the collaboration required to fully understand user needs and behaviors and evaluate mobile opportunities and underlying operational systems from multiple perspectives.

    Info-Tech's Approach

    • Establish the right expectations. Understand your mobile users by learning their needs, challenges, and behaviors. Discuss the current state of your systems and your high priority non-functional requirements to determine what to expect from your mobile applications.
    • Choose the right mobile platform approach and shortlist your mobile delivery solutions. Obtain a thorough view of the business and technical complexities of your mobile opportunities, including current mobile delivery capabilities and system compatibilities.
    • Create your mobile roadmap. Describe the gradual rollout of your mobile technologies through minimal valuable products (MVPs).

    Insight Summary

    Overarching Info-Tech Insight

    Treat your mobile applications as digital products. Digital products are continuously modernized to ensure they are fit-for-purpose, secured, accessible, and immersive. A successful mobile experience involves more than just the software and supporting system. It involves good training and onboarding, efficient delivery turnaround, and a clear and rational vision and strategy.

    Phase 1: Set the Mobile Context

    • Build applications your users need and desire – Design the right mobile application that enables your users to address their frustrations and productivity challenges.
    • Maximize return on your technology investments – Build your mobile applications with existing web APIs, infrastructure, and services as much as possible.
    • Prioritize mobile security, performance and integration requirements – Understand the unique security, performance, and integration influences has on your desired mobile user experience. Find the right balance of functional and non-functional requirements through business and IT collaboration.

    Phase 2: Define Your Mobile Approach

    • Start with a mobile web platform - Minimize disruptions to your existing delivery process and technical stack by building against common web standards. Select a hybrid platform or cross-platform if you need device hardware access or have complicated non-functional requirements.
    • Focus your mobile solution decision on vendor support and functional complexity – Verify that your solution is not only compatible with the architecture, data, and policies of existing business systems, but satisfies IT's concerns with access to restricted technology and data, and with IT's ability to manage and operate your applications.
    • Anticipate changes, defects & failures in your roadmap - Quickly shift your mobile roadmaps according to user feedback, delivery challenges, value, and stability.

    Mobile is how the business works today

    Mobile adoption continues to grow in part due to the need to be a mobile workforce, and the shift in customer behaviors. This reality pushed the industry to transform business processes and technologies to better support the mobile way of working.

    Mobile Builds Interests
    61%
    Mobile devices drove 61% of visits to U.S. websites
    Source: Perficient, 2021

    Mobile Maintains Engagement
    54%
    Mobile devices generated 54.4% of global website traffic in Q4 2021.
    Source: Statista, 2022

    Mobile Drives Productivity
    82%
    According to 82% of IT executives, smartphones are highly important to employee productivity
    Source: Samsung and Oxford Economics, 2022

    Mobile applications enable and drive your digital business strategy

    Organizations know the criticality of mobile applications in meeting key business and digital transformation goals, and they are making significant investments. Over half (58%) of organizations say their main strategy for driving application adoption is enabling mobile access to critical enterprise systems (Enterprise CIO, 2016). The strategic positioning and planning of mobile applications are key for success.

    Mobile Can Motivate, Support and Drive Progress in Key Activities Underpinning Digital Transformation Goals

    Goal: Enhance Customer Experience

    • A shift from paper to digital communications
    • Seamless, omni-channel client experiences across devices
    • Create Digital interactive documents with sections that customers can customize to better understand their communications

    Goal: Increase Workflow Throughput & Efficiency

    • Digitized processes and use of data to improve process efficiency
    • Modern IT platforms
    • Automation through robotic process automation (RPA) where possible
    • Use of AI and machine learning for intelligent automation

    Source: Broadridge, 2022

    To learn more, visit Info-Tech's Define Your Digital Business Strategy blueprint.

    Well developed mobile applications bring unique opportunities to drive more value

    Role

    Opportunities With Mobile Applications

    Expected Value

    Stationary Worker

    Design flowcharts and diagrams, while abandoning paper and desktop applications in favor of easy-to-use, drawing tablet applications.

    Multitask by checking the application to verify information given by a vendor during their presentation or pitch.

    • Reduce materials cost to complete administrative responsibilities.
    • Digitally and automatically store and archive frequently used documents.

    Roaming Worker
    (Engineer)

    Replace physical copies of service and repair manuals with digital copies, and access them with mobile applications.

    Scan or input product bar code to determine whether a replacement part is available or needs to be ordered.

    • Readily access and update corporate data anywhere at anytime.
    • Expand employee responsibilities with minimal skills impact.

    Roaming Worker
    (Nurse)

    Log patient information according to HIPAA standards and complete diagnostics live to propose medication for a patient.

    Receive messages from senior staff about patients and scheduling while on-call.

    • Quickly and accurately complete tasks and update patient data at site.
    • Be readily accessible to address urgent issues.

    Info-Tech Insight

    If you build it, they may not come. Design and build the applications your user wants and needs, and ensure users are properly onboarded and trained. Learn how your applications are leveraged, capture feedback from the user and system dashboards, and plan for enhancements, fixes, and modernizations.

    Workers expect IT to deliver against their high mobile expectations

    Workers want sophisticated mobile applications like what they see their peers and competitors use.

    Why is IT considering building their own applications?

    • Complex and Unique Workflows: Canned templates and shells are viewed as incompatible to the workflows required to complete worker responsibilities outside the office, with the same level of access to corporate data as on premise.
    • Supporting Bring Your Own Device (BYOD): Developing your own mobile applications around your security protocols and standards can help mitigate the risks with personal devices that are already in your workforce.
    • Long-Term Architecture Misalignment: Outsourcing mobile development risks the mobile application misaligned with your quality standards or incompatible with other enterprise and third-party systems.

    Continuously meeting aggressive user expectations will not be easy

    Value Quickly Wears Off
    39.9% of users uninstall an application because it is not in use.
    40%
    Source: n=2,000, CleverTap, 2021

    Low Tolerance to Waiting
    Keeping a user waiting for 3 seconds is enough to dissatisfy 43% of users.
    43%
    Source: AppSamurai, 2018

    Quick Fixes Are Paramount
    44% of defects are found by users
    44%
    Source: Perfecto Mobile, 2014

    Mobile emphasizes the importance of good security, performance, and integration

    Today's mobile workers are looking for new ways to get more work done quickly. They want access to enterprise solutions and data directly on their mobile devices, which can reside on multiple legacy systems and in the cloud and third-party infrastructure. This presents significant performance, integration, and security risks.

    Cloud Solutions: Can I use my existing APIs?. Solutions in Corporate Networks: Do my legacy systems have the capacity to support mobile?; How do I integrate solutions and data from multiple sources into a single view?; Third Party Solutions: Will I have a significant performance bottleneck?; Single View on Mobile Devices: How is corporate data stored on the device?; What new technology dependencies must I account for in my architecture and operational support capabilities?

    Accept change as the norm

    IT is challenged with keeping up with disruptive technologies, such as mobile, which are arriving and changing faster and faster.

    What is the issue? Mobile priorities, concepts, and technologies do not remain static. For example, current Google's Pixels benefit from at least three versions of Android updates and at least three years of monthly security patches after their release (NextPit, 2022). Keeping up to date with anything mobile is difficult if you do not have the right delivery and product management practices in place.

    What is the impact on IT? Those who fail to prepare for changing requirements and technologies will quickly run into maintainability, extensibility, and flexibility issues. Mobile applications will quickly become stale and misaligned with the maturity of other enterprise infrastructure and applications.

    Continuously look at the trends, vendor roadmaps, and your user's feedback to envision where your mobile applications should be. Learning from your past attempts gives you insights on the opportunities and impacts changes will have on your people, process, and technology.

    How do I address this issue? A well-defined mobile vision and roadmap ensures your initiatives are aligned with your holistic business and technology strategies, the right problem is being solved, and resources are available to deliver high priority changes.

    To learn more, visit Info-Tech's Deliver on Your Digital Product Vision blueprint.

    Address the difficulties in managing enterprise mobile technologies

    Adaptability During Development

    Teams must be ready to alter their mobile approach when new insights and issues arise during and after the delivery of your mobile application and its updates.

    High Cybersecurity Standards

    Cybersecurity should be a top priority given the high security exposure of mobiles and the sensitive data mobile applications need to operate. Role-based access, back-up systems, advanced scanning, and protection software and encryption should all be implemented.

    Integration with Other Systems

    Your application will likely be integrated with other systems to expand service offerings and optimize performance and user experience. Your enterprise integration strategy ensures all systems connect against a common pattern with compatible technologies.

    Finding the Right Mobile Developers

    Enterprise mobile delivery requires a broad skillset to build valuable applications against extensive non-functional requirements in complex and integration environments. The right resources are even harder to find when native applications are preferred over web-based ones.

    Source: Radoslaw Szeja, Netguru, 2022.

    Build and manage the right experience by treating mobile as digital products

    Digital products are continuously modernized to ensure they are fit-for-purpose, secured, insightful, accessible, and interoperable. A good experience involves more than just technology.

    First, deliver the experience end users want and expect by designing the application against digital application principles.

    Business Value

    Continuous modernization

    • Fit for purpose
    • User-centric
    • Adaptable
    • Accessible
    • Private and secured
    • Informative and insightful
    • Seamless application connection
    • Relationship and network building

    To learn more, visit Info-Tech's Modernize Your Applications blueprint.

    Then, deliver a long-lasting experience by supporting your applications with key governance and management capabilities.

    • Product Strategy and Roadmap
    • External Relationships
    • User Adoption and Organizational Change Management
    • Funding
    • Knowledge Management
    • Stakeholder Management
    • Product Governance
    • Maintenance & Enhancement
    • User Support
    • Managing and Governing Data
    • Requirements Analysis and Design
    • Research & Development

    To learn more, visit Info-Tech's Make the Case for Product Delivery blueprint.

    Choose Your Mobile Platform and Tools

    Maximize the value of your mobile investments by prioritizing technology decisions on user experience, business priorities, and system quality.

    WORKFLOW

    1. Capture Your User Personas and Journey workflow: Trigger: Step 1; Step 2; Step 3; Step 4; Outcome
    2. Select Your Platform Nine datapoints are arranged on a graph where the x axis s labeled: User Centric Needs; and the Y axis is labeled: Enterprise-centric needs. The datapoints are, in order from left to right, top to bottom: Hybrid; Cross- Platform; Native; Web; Hybrid or Cross- Platform; Cros-s Platform; Web; Web; Hybrid or Cross- Platform.
    3. Shortlist Your Solutions A quadrant analysis is depicted. the top data is labeled Complex Mobile Features; the right side is labeled Organization-Managed Stack; the bottom is labeled Simple Mobile Features; and the left side is labeled Vendor-Managed Stack. The quadrants are labeled the following, in order from left to right, top to bottom. Vendor- Hosted Mobile Platform; Custom Native Development Solutions; Commercial-Off-the-Shelf Solutions; Custom Web Development Solutions. In the middle of the graph are the following, in order from top to bottom: Cross-Platform Development Solutions; Hybrid Development Solutions

    Strategic Perspective
    Business and Product Strategies

    1. End-User Perspective

    End User Needs

    • Productivity
    • Innovation
    • Transformation

    Native User Experience

    • Anytime, Anywhere
    • Visually Pleasing & Fulfilling
    • Personalized & Insightful
    • Hands-Off & Automated
    • Integrated Ecosystem

    2. Platform Perspective

    Technical Requirements

    Security

    Performance

    Integration

    Mobile Platform

    3. Solution Perspective

    Vendor Support

    Services

    Stack Mgmt.

    Quality & Risk

    Mobile Delivery Solutions

    Make user experience (UX) the standard

    User experience (UX) focuses on a user's emotions, beliefs, and physical and psychological responses that occur before, during, or after interacting with a service or product.

    For a mobile application to be meaningful, the functions, aesthetics and content must be:

    • Usable
      • Users can intuitively navigate through your mobile application and complete their desired tasks.
    • Desirable
      • The application elements are used to evoke positive emotions and appreciation.
    • Accessible
      • Users can easily use your mobile application, including those with disabilities.
    • Valuable
      • Users find the content useful, and it fulfills a need.

    Enable a greater experience with UX-driven thinking

    Designing for a high-quality experience requires more than just focusing on the UI. It also requires the merging of multiple business, technical, and social disciplines in order to create an immersive, practical, and receptive application. The image on the right explains the disciplines involved in UX. This is critical for ensuring users have a strong desire to use the mobile application, it is adequately supported technically, and it supports business objectives.

    To learn more, visit Info-Tech's Implement and Mature Your User Experience Design Practice blueprint.

    A Venn diagram is depicted, demonstrating the inputs that lead to an interactive design, with interactive elements, usability, and accessibility. This work by Mark Roden is licensed under a Creative Commons Attribution 3.0 Unported License.

    Source: Marky Roden, Xomino, 2018

    Define the mobile experience your end users want

    • Anytime, Anywhere
      • The user can access, update and analyze data and corporate products and services whenever they want, in all networks, and on any device.
    • Hands-Off and Automated
      • The application can perform various workflows and tasks without the user's involvement and notify the user when specific triggers are hit.
    • Personalized and Insightful
      • Content presentation and subject are tailored for the user based on specific inputs from the user, device hardware, or predicted actions.
    • Integrated Ecosystem
      • The application supports a seamless experience across various third-party and enterprise applications and services the user needs.
    • Visually Pleasing and Fulfilling
      • The UI is intuitive and aesthetically gratifying, with little security and performance trade-offs to use the full breadth of its functions and services.

    Each mobile platform has its own take on the mobile native experience. The choice ultimately depends on whether the costs and effort are worth the anticipated value.

    Mobile value is dependent on the platform you choose

    What is a platform?

    "A platform is a set of software and a surrounding ecosystem of resources that helps you to grow your business. A platform enables growth through connection: its value comes not only from its own features, but from its ability to connect external tools, teams, data, and processes." (Source: Emilie Nøss Wangen, 2021) In the mobile context, applications in a platform execute and communicate through a loosely-coupled API architecture, whether the supporting system is managed and supported by your organization or by third-party providers.

    Web

    Mobile web applications are deployed and executed within the mobile web browser. They are often developed with a combination of web and scripting languages, such as HTML, CSS, and JavaScript. Web often takes two forms on mobile:

    • Progressive Web Applications (PWA)
    • Mobile Web Sites

    Hybrid

    Hybrid applications are developed with web technologies but are deployed as native applications. The code is wrapped using a framework so that it runs locally within a native container. It uses the device's browser runtime engine to support more sophisticated designs and features than to the web approach.

    Cross-Platform

    Cross-platform applications are developed within a distinct programming or scripting environment that uses its own scripting language (often like web languages) and APIs. The solution compiles the code into device-specific builds for native deployment.

    Native

    Native applications are developed and deployed to specific devices and OSs using platform-specific software development kits (SDKs) provided by the operating system vendors. The programming language and framework are dictated by the targeted device, such as Java for Android.

    Start mobile development on a mobile web platform

    Start with what you have: begin with a mobile web platform to minimize impacts to your existing delivery skill sets and technical stack while addressing business needs. Resort to a hybrid first. Then consider a cross-platform application if you require device access or need to meet specific non-functional requirements.

    Why choose a mobile web platform?

    Pros

    The latest versions of the most popular web languages (HTML5, CSS3, JavaScript) abstract away from the granular, physical components of the application, simplifying the development process. HTML5 offer some mobile features (e.g. geolocation, accelerometer) that can meet your desired experience without the need for native development skills. Native look-and-feel, high performance, and full device access are just a few tradeoffs of going with web languages.

    Cons

    Native mobile platforms depend on device-specific code which follows specific frameworks and leverages unique programming libraries, such as Objective C for iOS and Java for Android. Each language requires a high level of expertise in the coding structure and hardware of specific devices. This requires resources with specific skillsets and different tools to support development and testing.

    Other Notable Benefits with Web Languages

    • Modern browsers in most mobile devices can execute and render many mobile features developed in web languages, allowing for greater portability and sophistication of code across multiple devices. However, this flexibility comes at the cost of performance since the browser's runtime engine will not perform as well as a native engine.
    • Web languages are well known by developers, minimizing skills and resourcing impacts. Consequently, changes can be quickly accommodated and updated uniformly across all end users.

    Select your mobile platform

    Drive your mobile platform selection against user-centric needs (e.g. device access, aesthetics) and enterprise-centric needs (e.g. security, system performance).

    When does a platform makes sense to use?

    Web

    • Desire to maximize current web technologies investments (people, process, and technologies).
    • Use cases do not require significant computational resources on the device or are tightly constrained by non-functional requirements.
    • Limited budget to acquire mobile development resources.
    • Access to device hardware is not a high priority.

    Hybrid / Cross-Platform

    • The need to quickly spin up native-like applications for multiple platforms and devices.
    • Desire to leverage existing web development skills, but also a need for device access and meeting specific non-functional requirements.
    • Vendor support is needed for the entire mobile delivery process.

    Native

    • Developers are experts in the target programming language and with the device's hardware.
    • Strong need for high performance, security, and device-specific access and customizations.
    • Application use cases require significant computing resources.

    Nine datapoints are arranged on a graph where the x axis s labeled: User Centric Needs; and the Y axis is labeled: Enterprise-centric needs. The datapoints are, in order from left to right, top to bottom: Hybrid; Cross- Platform; Native; Web; Hybrid or Cross- Platform; Cros-s Platform; Web; Web; Hybrid or Cross- Platform.

    Understand the common attributes of a mobile delivery solution

    • Source Code Management – Built-in or having the ability to integrate with code management solutions for branching, merging, and versioning. Debugging and coding assistance capabilities may be available.
    • Single Code Base – Capable of programming in a standard coding and scripting language for deployment into several platforms and devices. This code base is aligned to a common industry framework (e.g. AngularJS, Java) or a vendor-defined one.
    • Out-of-the-Box Connectors & Plug-ins – Pre-built APIs enhance the solution's capabilities with third-party tools and systems to deliver and manage high quality and valuable mobile applications.
    • Emulators – Ability to virtualize an application's execution on a target platform and device.
    • Support for Native Features – Supports plug-ins and APIs for access to device-specific features.

    What are mobile delivery solutions?

    A mobile delivery solution provides the tools, resources, and support to enable or build your mobile application. It can provide pre-built applications, vendor supported components to allow some configurations, or resources for full stack customizations. Solutions can be barebone software development kits (SDKs), or comprehensive suites offering features to support the entire software delivery lifecycle, such as:

    • Mobile application management
    • Testing and publishing to app stores
    • Content management
    • Cloud hosting
    • Application performance management

    Info-Tech Insight

    Mobile enablement and development capabilities are already embedded in many common productivity tools and enterprise applications, such as Microsoft PowerApps and ERP modules. They can serve as a starting point in the initial rollout of new management and governance practices without the need to acquire new tools.

    Select your mobile delivery solutions

    1. Set the scope of your framework.
    • The initial context of this framework is based on the mobile functions needed to support your desired mobile experience and on the current state of your enterprise and 3rd party systems.
  • Define the decision factors for your solution selection.
    • Review the decision factors that will influence the selection of your mobile delivery solution for each mobile opportunity:
    • Stack Management – Who will be hosting and supporting your mobile application stack?
    • Workflows Complexity & Native Experience – How complex is your desired mobile experience and how will native device features be leveraged?
  • Select your solution type.
    • Mobile delivery solutions are broadly defined in the following groups:
    • Commercial-Off-The-Shelf (COTS) – Pre-built mobile applications requiring little to no configurations or implementation effort.
    • Vendor Hosted Mobile Platform – Back-end and mid-tier infrastructure and operational support are managed by a vendor.
    • Cross-Platform Development – Frameworks that transform a single code base into platform-specific builds.
    • Hybrid Development – Tools that wrap a single code base into a locally deployable build.
    • Custom Web Development – Environment enabling full stack development for mobile web applications.
    • Custom Native Development – Environment enabling full stack development for mobile native applications.
  • A quadrant analysis is depicted. the top data is labeled Complex Mobile Features; the right side is labeled Organization-Managed Stack; the bottom is labeled Simple Mobile Features; and the left side is labeled Vendor-Managed Stack. The quadrants are labeled the following, in order from left to right, top to bottom. Vendor- Hosted Mobile Platform; Custom Native Development Solutions; Commercial-Off-the-Shelf Solutions; Custom Web Development Solutions. In the middle of the graph are the following, in order from top to bottom: Cross-Platform Development Solutions; Hybrid Development Solutions

    Optimize your software delivery process

    Mobile brings new delivery and management challenges that are often difficult for organizations that are tied to legacy systems, hindered by rigid and slow delivery lifecycles, and are unable to adopt leading-edge technologies. Many of these challenges stem from the fact that mobile is a significant shift from desktop development:

    • Mobile devices and operating systems are heavily fragmented, especially in the Android space.
    • Test coverage is significantly expanded to include physical environments and multiple network connections.
    • Mobile devices do not have the same performance capabilities and memory storage as their desktop counterparts.
    • The user interface must be strategically designed to accommodate the limited screen size.
    • Mobile applications are highly susceptible to security breaches.
    • Mobile users often expect quick turnaround time on fixes and enhancements due to continuously changing technology, business priorities, and user needs.

    To learn more, visit Info-Tech's Modernize Your SDLC blueprint.

    How should the process change?

    • Cross-functional collaboration – Bringing business and IT together at the most opportune times to clarify user needs and business priorities, and set realistic expectations given technology and capacity constraints. The appropriate tactics and techniques are used to improve decision making and delivery effectiveness according to the type of work.
    • Iterative delivery – Frequent delivery of progressive changes minimizes the risk of low-quality features by containing and simplifying scope, and enables responsive turnarounds of fixes, enhancements, and priority changes.
    • Feedback loops –Mobile application owners constantly review, update and refine their backlog of mobile features and changes to reflect user feedback and system performance metrics. Delivery teams proactively prepare the application for future scaling based on lessons and feedback learned from earlier releases.

    Achieve mobile success with MVPs

    By delivering mobile capabilities in small iterations, teams recognize value sooner and reduce accumulated risk. Both benefits are realized as the iteration enters validation testing and release.

    This image depicts a graph of the learn-build-measure cycle over time, adapted from Managing the Development of Large Software Systems, Dr. Winston W. Royce, 1970

    An MVP focuses on a small set of functions, involves minimal possible effort to deliver a working and valuable solution, and is designed to satisfy a specific user group. Its purpose is to:

    • Maximize learning.
    • Evaluate the value and acceptance of mobile applications.
    • Inform the building of a mobile delivery practice.

    The build-measure-learn loop suggests mobile delivery teams should perpetually take an idea and develop, test, and validate it with the mobile development solution, then expand on the MVP using the lessons learned and evolving ideas. In this sense the MVP is just the first iteration in the loop.

    Gauge the value with the right metrics

    Metrics are a powerful way to drive behavior change in your organization. But metrics are highly prone to creating unexpected outcomes so they must be used with great care. Use metrics judiciously to avoid gaming or ambivalent behavior, productivity loss, and unintended consequences.

    To learn more, visit Info-Tech's Select and Use SDLC Metrics Effectively blueprint.

    What should I measure?

    1. Mobile Application Engagement, Retention and User Satisfaction
      1. The activeness of users on the applications, the number of returning users, and the happiness of the users.
      2. Example: Number of tasks completed, number of active and returning users, session length and intervals, user satisfaction
    2. Value Driven from Mobile Applications
      1. The business value that the user directly or indirectly receives with the mobile application.
      2. Example: Mobile application revenue, business operational costs, worker productivity, business reputation and image
    3. Delivery Throughput and Quality
      1. The health and quality of your mobile applications throughout their lifespan and the speed to deliver working applications that meet stakeholder expectations.
      2. Example: Frequency of release, lead time, request turnaround, escaped defects, test coverage.

    Use Info-Tech's diagnostic to evaluate the reception of your mobile applications

    Info-Tech's Application Portfolio Assessment (APA) Diagnostic is a canned end-user satisfaction survey used to evaluate your application portfolio health to support data-driven decisions.

    This image contains a screenshot from Info-Tech's Application Portfolio Assessment (APA) Diagnostic

    USE THE PROGRAM DIAGNOSTIC TO:

    • Assess the importance and satisfaction of enterprise applications.
    • Solicit feedback from your end users on applications being used.
    • Understand the strengths and weaknesses of your current applications.
    • Perform a high-level application rationalization initiative.

    INTEGRATE DIAGNOSTIC RESULTS TO:

    • Target which applications to analyze in greater detail.
    • Expand on the initial application rationalization results with a more comprehensive and business-value-focused criteria.

    Grow your mobile delivery practice

    Level 1: Mobile Delivery Foundations

    You understand the opportunities and impacts mobile has on your business operations and its disruptive nature on your enterprise systems. Your software delivery lifecycle was optimized to incorporate the specific practices and requirements needed for mobile. A mobile platform was selected based on stakeholder needs that are weighed against current skillsets, high priority non-functional requirements, the available capacity and scalability of your stack, and alignment to your current delivery process.

    Level 2: Scaled Mobile Delivery

    New features and mobile use cases are regularly emerging in the industry. Ensuring your mobile platform and delivery process can easily scale to incorporate constantly changing mobile features and technologies is key. This can help minimize the impact these changes will have on your mobile stack and the resulting experience.

    Achieving this state requires three competencies: mobile security, performance optimization, and integration practices.

    Level 3: Leading-Edge Mobile Delivery

    Many of today's mobile trends involve, in one form or another, hardware components on the mobile device (e.g., NFC receivers, GPS, cameras). You understand the scope of native features available on your end user's mobile device and the required steps and capabilities to enable and leverage them.

    Hit a home run with your stakeholders

    Use a data-driven approach to select the right tooling vendor for your needs – fast.

    Awareness Education & Discovery Evaluation Selection

    Negotiation & Configuration

    1.1 Proactively Lead Technology Optimization & Prioritization 2.1 Understand Marketplace Capabilities & Trends 3.1 Gather & Prioritize Requirements & Establish Key Success Metrics 4.1 Create a Weighted Selection Decision Model 5.1 Initiate Price Negotiation with Top Two Venders
    1.2 Scope & Define the Selection Process for Each Selection Request Action 2.2 Discover Alternate Solutions & Conduct Market Education 3.2 Conduct a Data Driven Comparison of Vendor Features & Capabilities 4.2 Conduct Investigative Interviews Focused on Mission Critical Priorities with Top 2-4 Vendors 5.2 Negotiate Contract Terms & Product Configuration

    1.3 Conduct an Accelerated Business Needs Assessment

    2.3 Evaluate Enterprise Architecture & Application Portfolio Narrow the Field to Four Top Contenders 4.3 Validate Key Issues with Deep Technical Assessments, Trial Configuration & Reference Checks 5.3 Finalize Budget Approval & Project
    1.4 Align Stakeholder Calendars to Reduce Elapsed Time & Asynchronous Evaluation 2.4 Validate the Business Case 5.4 Invest in Training & Onboarding Assistance

    Investing time improving your software selection methodology has big returns.

    Info-Tech Insight

    Not all software selection projects are created equal – some are very small, some span the entire enterprise. To ensure that IT is using the right framework, understand the cost and complexity profile of the application you're looking to select. Info-Tech's Rapid Application Selection Framework approach is best for commodity and mid-tier enterprise applications; selecting complex applications is better handled by the methodology in Info-Tech's Implement a Proactive and Consistent Vendor Selection Process.

    Pitch your mobile delivery approach with Info-Tech's template

    Communicate the justification of your approach to mobile applications with Info-Tech's Mobile Application Delivery Communication Template:

    • Level set your mobile application goals and objectives by weighing end user expectations with technical requirements.
    • Define the high priority opportunities for mobile applications.
    • Educate decision makers of the limitations and challenges of delivering specific mobile experiences with the various mobile platform options.
    • Describe your framework to select the right mobile platform and delivery tools.
    • Lay out your mobile delivery roadmap and initiatives.

    INFO-TECH DELIVERABLE

    This is a screenshot from Info-Tech's Mobile Application Delivery Communication Template

    Info-Tech's methodology for mobile platform and delivery solution selection

    1. Set the Mobile Context

    2. Define Your Mobile Approach

    Phase Steps

    Step 1.1 Build Your Mobile Backlog

    Step 1.2 Identify Your Technical Needs

    Step 1.3 Define Your Non-Functional Requirements

    Step 2.1 Choose Your Platform Approach

    Step 2.2 Shortlist Your Mobile Delivery Solution

    Step 2.3 Create a Roadmap for Mobile Delivery

    Phase Outcomes

    • User personas
    • Mobile objectives and metrics
    • Mobile opportunity backlog
    • List of mobile features to enable the desired mobile experience
    • System current assessment
    • Mobile application quality definition
    • Readiness for mobile delivery
    • Desired mobile platform approach
    • Shortlisted mobile delivery solutions
    • Desired list of vendor features and services
    • MVP design
    • Mobile delivery roadmap

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1 Phase 2

    Call #1: Understand the case and motivators for mobile applications.

    Call #2: Discuss the end user and desired mobile experience.

    Call #5: Discuss the desired mobile platform.

    Call #8: Discuss your mobile MVP.

    Call #3: Review technical complexities and non-functional requirements.

    Call #6: Shortlist mobile delivery solutions and desired features.

    Call #9: Review your mobile delivery roadmap.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is 6 to 9 calls over the course of 2 to 3 months.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Module 1 Module 2 Module 3 Module 4 Post-Workshop
    Activities Set the Mobile Context Identify Your Technical Needs Choose Your Platform & Delivery Solution Create Your Roadmap Next Steps andWrap-Up (offsite)

    1.1 Generate user personas with empathy maps

    1.2 Build your mobile application canvas

    1.3 Build your mobile backlog

    2.1 Discuss your mobile needs

    2.2 Conduct a technical assessment

    2.3 Define mobile application quality

    2.4 Verify your decision to deliver mobile applications

    3.1 Select your platform approach

    3.2 Shortlist your mobile delivery solution

    3.3 Build your feature and service lists

    4.1 Define your MVP release

    4.2 Build your roadmap

    5.1 Complete in-progress deliverables from previous four days.

    5.2 Set up review time for workshop deliverables and to discuss next steps.

    Deliverables

    • User personas
    • Mobile objectives and metrics
    • Mobile opportunity backlog
    • List of mobile features to enable the desired mobile experience
    • System current assessment
    • Mobile application quality definition
    • Verification to proceed with mobile delivery
    • Desired mobile platform approach
    • Shortlisted mobile delivery solutions
    • Desired list of vendor features and services
    • MVP design
    • Mobile delivery roadmap
    • Completed workshop output deliverable
    • Next steps

    Phase 1

    Set the Mobile Context

    Choose Your Mobile Platform and Tools

    This phase will walk you through the following steps:

    • Step 1.1 – Build Your Mobile Backlog
    • Step 1.2 – Identify Your Technical Needs
    • Step 1.3 – Define Your Non-Functional Requirements

    This phase involves the following participants:

    • Applications Manager
    • Product and Platform Owners
    • Software Delivery Teams
    • Business and IT Leaders

    Step 1.1

    Build Your Mobile Backlog

    Activities

    1.1.1 Generate user personas with empathy maps

    1.1.2 Build your mobile application canvas

    1.1.3 Build your mobile backlog

    Set the Mobile Context

    This step involves the following participants:

    • Applications Manager
    • Product and Platform Owners
    • Software Delivery Teams
    • Business and IT Leaders

    Outcomes of this step

    • User personas
    • Mobile objectives and metrics
    • Mobile opportunity backlog

    Users expect your organization to support their mobile way of working

    Today, users expect sophisticated and personalized features, immersive interactions, and cross-platform capabilities from their mobile applications and be able to access information and services anytime, anywhere and on any device. These demands are pushing organizations to become more user-driven, placing greater importance on user experience (UX) with enterprise-grade technologies.

    How has technologies evolved to easily enable mobile capabilities?

    • Desktop-Like Features
      • Native-like features, such as geolocation and local caching, are supported through web language or third-party plugins and extensions.
    • Extendable & Scalable
      • Plug-and-play architecture is designed to allow software delivery teams to explore new use cases and mobile capabilities with out-of-the-box connectors and/or customizable REST APIs.
    • Low Barrier to Entry
      • Low- and no-code development tools, full-stack solutions, and plug-and-play architectures allow non-technical users to easily build and implement applications without direct IT involvement.
    • Templates & Shells
      • Vendors provide UI templates and application shells that contain pre-built native features and multiple aesthetic layouts in a publishing-friendly and configurable way.
    • Personalized Content
      • Content can be uniquely tailored to a user's preference or be automatically generated based on the user's profile or activity history.
    • Hands-Off Operations
      • Many mobile solutions operate in a as-a-service model where the underlying and integrated technologies are managed by the vendor and abstracted away.

    Make user experience (UX) the standard

    User experience (UX) focuses on a user's emotions, beliefs, and physical and psychological responses that occur before, during, or after interacting with a service or product.

    For a mobile application to be a meaningful experience, the functions, aesthetics and content must be:

    • Usable
      • Users can intuitively navigate through your mobile application and complete their desired tasks.
    • Desirable
      • The application elements are used to evoke positive emotions and appreciation.
    • Accessible
      • Users can easily use your mobile application, including those with disabilities.
    • Valuable
      • Users find the content useful, and it fulfills a need.

    Enable a greater experience with UX-driven thinking

    Designing for a high-quality experience requires more than just focusing on the UI. It also requires the merging of multiple business, technical, and social disciplines in order to create an immersive, practical, and receptive application. The image on the right explains the disciplines involved in UX. This is critical for ensuring users have a strong desire to use the mobile application, it is adequately supported technically, and it supports business objectives.

    To learn more, visit Info-Tech's Implement and Mature Your User Experience Design Practice blueprint.

    A Venn diagram is depicted, demonstrating the inputs that lead to an interactive design, with interactive elements, usability, and accessibility. This work by Mark Roden is licensed under a Creative Commons Attribution 3.0 Unported License.

    Source: Marky Roden, Xomino, 2018

    UX-driven mobile apps bring together a compelling UI with valuable functionality

    Info-Tech Insight

    Organizations often over-rotate on the UI. Receptive and satisfying applications require more than just pretty pictures, bold colors, and flashy animations. UX-driven mobile applications require the seamless merging of enticing design elements and valuable functions that are specifically tailored to the behaviors of the users. Take a deep look at how each design element and function is used and perceived by the user, and how your application can sufficiently support user needs.

    UI-Function Balance to Achieve Highly Satisfying Mobile Applications

    An application's UI and function both contribute to UX, but they do so in different ways.

    • The UI generates the visual, audio, and vocal cues to draw the attention of users to key areas of the application while stimulating the user's emotions.
    • Functions give users the means to satisfy their needs effortlessly.

    Finding the right balance of UI and function is dependent on the organization's understanding of user emotions, needs, and tendencies. However, these factors are often left out of an application's design. Having the right UX competencies is key in assuring user behaviors are appropriately accommodated early in the delivery process.

    To learn more, visit Info-Tech's Modernize Your Corporate Website to Drive Business Value blueprint.

    Focus your efforts on all items that drive high user experience and satisfaction

    UX-driven mobile applications involve all interaction points and system components working together to create an immersive experience while being actively supported by delivery and operations teams. Many organizations commonly focus on visual and content design to improve the experience, but this is only a small fraction of the total UX design. Look beyond the surface to effectively enhance your application's overall UX.

    Typical Focus of Mobile UX

    Aesthetics
    What Are the Colors & Fonts?

    Relevance & Modern
    Will Users Receive Up to Date Content and Trending Features?

    UI Design
    Where Are the Interaction Points?

    Content Layout
    How Is Content Organized?

    Critical Areas of Mobile UX That Are Often Ignored

    Web Infrastructure
    How Will Your Application Be Operationally Supported?

    Human Behavior
    What Do the Users Feel About Your Application?

    Coding Language
    What Is the Best Language to Use?

    Cross-Platform Compatibility
    How Does It Work in a Browser Versus Each Mobile Platform?

    Application Quality
    How are Functional and Non-Functional Needs Balanced?

    Adoption & Retention
    How Do I Promote Adoption and Maintain User Engagement?

    Application Support
    How Will My Requests and Issues Be Handled?

    Use personas to envision who will be using your mobile application

    What Are Personas?

    Personas are detailed descriptions of the targeted audience of your mobile application. It represents a type of user in a particular scenario. Effective personas:

    • Express and focus on the major needs and expectations of the most important user groups.
    • Give a clear picture of the typical user's behavior.
    • Aid in uncovering critical features and functionalities.
    • Describe real people with backgrounds, goals, and values.

    Why Are Personas Important to UX?

    They are important because they help:

    • Focus the development of mobile application features on the immediate needs of the intended audience.
    • Detail the level of customization needed to ensure content is valuable to and resonates with the user.
    • Describe how users may behave when certain audio and visual stimulus are triggered from the mobile application.
    • Outline the special design considerations required to meet user accessibility needs.

    Key Elements of a Persona:

    • Professional and Technical Skills and Experiences (e.g., knowledge of mobile applications, area of expertise)
    • Persona Group (e.g., executives)
    • Technological Environment of User (e.g., devices, browsers, network connection)
    • Demographics (e.g., nationality, age, language spoken)
    • Typical Behaviors and Tendencies (e.g., goes to different website when cannot find information in 20 seconds)
    • Purpose of Using the Mobile Application (e.g., search for information, submit registration form)

    Create empathy maps to gain a deeper understanding of stakeholder personas

    Empathy mapping draws out the characteristics, motivations, and mannerisms of a potential end user.

    This image contains an image of an empathy map from XPLANE, 2017. it includes the following list: 1. Who are we empathizing with; 2. What do they need to DO; 3. What do they SEE; 4. What do they SAY?; 5. What do they DO; 6. What do they HEAR; 7. What do they THINK and FEEL.

    Source: XPLANE, 2017

    Empathy mapping focuses on identifying the problems, ambitions, and frustrations they are looking to resolve and describes their motivations for wanting to resolve them. This analysis helps your teams:

    • Better understand the reason behind the struggles, frustrations and motivators through a user's perspective.
    • Verify the accuracy of assertions made about the user.
    • Pinpoint the specific problem the mobile application will be designed to solve and the constraints to its successful adoption and on-going use.
    • Read more about empathy mapping and download the empathy map PDF template here.

    To learn more, visit Info-Tech's Use Experience Design to Drive Empathy with the Business blueprint.

    1.1.1 Generate user personas with empathy maps

    1-3 hours

    1. Download the Empathy Map Canvas and draw the map on a whiteboard or project it on the screen.
    2. Choose an end user to be the focus of your empathy map. Using sticky notes, fill out the sections of the empathy map in the following order:
      1. Start by filling out the goals section. State who the subject of the empathy map will be and what activity or task you would like them to do.
        1. Focus on activities and tasks that may benefit from mobile.
      2. Next, complete the outer sections in clockwise order (see, say, do, hear). The purpose of this is to think in terms of what the subject of your empathy map is observing, sensing, and experiencing.
        1. Indicate the mobile devices and OS users will likely use and the environments they will likely be in (e.g., places with poor connections)
        2. Discuss accessibility needs and how user prefer to consume content.
      3. Last, complete the inner circle of the empathy map (pains and gains). Since you spent the last step of the exercise thinking about the external influences on your stakeholder, you can think about how those stimuli affect their emotions.
    3. Document your end user persona into Info-Tech's Mobile Application Delivery Communication Template.

    Input

    Output
    • List of potential mobile application users
    • User personas
    Materials Participants
    • Whiteboard/Flip Charts
    • Mobile Application Delivery Communication Template
    • Applications Manager
    • Product and Platform Owners
    • Software Delivery Teams
    • Business and IT Leaders

    1.1.1 cont'd

    This image contains an image of an empathy map from XPLANE, 2017. it includes the following list: 1. Who are we empathizing with; 2. What do they need to DO; 3. What do they SEE; 4. What do they SAY?; 5. What do they DO; 6. What do they HEAR; 7. What do they THINK and FEEL.

    Download the Empathy Map Canvas

    Many business priorities are driving mobile

    Mobile Applications

    • Product Roadmap
      • Upcoming enterprise technology releases and updates offer mobile capabilities to expand its access to a broader userbase.
    • Cost Optimization
      • Maximizing business value in processes and technologies through disciplined and strategic cost and spending reduction practices with mobile applications.
    • Competitive Differentiation
      • Developing and optimizing your organization's distinct products and services quickly with mobile applications.
    • Digital Transformation
      • Transitioning processes, data and systems to a digital environment to broaden access to enterprise data and services anywhere at anytime.
    • Operational Efficiency
      • Improving software delivery and business process throughput by increasing worker productivity with mobile applications.
    • Other Business Priorities
      • New corporate products and services, business model changes, application rationalization and other priorities may require modernization, innovation and a mobile way of working.

    Focus on the mobile business and end user problem, not the solution

    People are naturally solution-focused. The onus isn't on them to express their needs in the form of a problem statement!

    When refining your mobile problem statement, attempt to answer the following four questions:

    • Who is impacted?
    • What is the (user or organizational) challenge that needs to be addressed?
    • Where does it happen?
    • Why does it matter?

    There are many ways of writing problem statements, a clear approach follows the format:

    • "Our (who) has the problem that (what) when (where). Our solution should (why)."
    • Example: "Our system analysts has the problem that new tickets take too long to update when working on user requests. Our approach should enable the analyst to focus on working with customers and not on administration."

    Adapted from: "Design Problem Statements – What and How to Frame Them"

    How to write a vision statement

    It's ok to dream a little!

    When thinking about a vision statement, think about:

    • Who is it for?
    • What does the customer need?
    • What can we do for them?
    • And why is this special?

    There are different statement templates available to help form your vision statements. Some include:

    1. For [our target customer], who [customer's need], the [product] is a [product category or description] that [unique benefits and selling points]. Unlike [competitors or current methods], our product [main differentiators]. (Crossing the Chasm)
    2. "We believe (in) a [noun: world, time, state, etc.] where [persona] can [verb: do, make, offer, etc.], for/by/with [benefit/goal].
    3. To [verb: empower, unlock, enable, create, etc.] [persona] to [benefit, goal, future state].
    4. Our vision is to [verb: build, design, provide], the [goal, future state], to [verb: help, enable, make it easier to...] [persona]."

    (Numbers 2-4 from: How to define a product vision)

    Info-Tech Best Practice

    A vision shouldn't be so far out that it doesn't feel real and so short term that it gets bogged down in minutiae and implementation details. Finding that right balance will take some trial and error and will be different depending on your organization.

    Ensure mobile supports ongoing value delivery and stakeholder expectations

    Success hinges on your team's ability to deliver business value. Well-developed mobile applications instill stakeholder confidence in ongoing business value delivery and stakeholder buy-in, provided proper expectations are set and met.

    Business value defines the success criteria of an organization, and it is interpreted from four perspectives:

    • Profit Generation – The revenue generated from a business capability with mobile applications.
    • Cost Reduction – The cost reduction when performing business capabilities with mobile applications.
    • Service Enablement – The productivity and efficiency gains of internal business operations with mobile applications.
    • Customer and Market Reach – Metrics measuring the improved reach and insights of the business in existing or new markets.

    See our Build a Value Measurement Framework blueprint for more information about business value definition.

    This image contains a quadrant analysis with the following labels: Left - Improved Capabilities; Top - Outward; Right - Financial Benefit; Bottom - Inward. the quadrants are labeled the following, in order from left to right, top to bottom. Customer and Market Reach; Profit Generation; Service Enhancement; Cost Reduction

    Set realistic mobile goals

    Mobile applications enables the exploration of new and different ways to improve worker productivity and deliver business value. However, the realities of mobile applications may limit your ability to meet some of your objectives:

    • On the day of installation, the average retention rate for public-facing applications was 25.3%. By day 30, the retention rate drops to 5.7%. (Source: Statista, 2020)
    • 63% of 3,335 most popular Android mobile applications on the Google Play Store contained open-source components with known security vulnerabilities and other pervasive security concerns including exposing sensitive data (Source: Synopsys, 2021)
    • 62% of users would delete the application because of performance issues, such as crashes, freezes and other errors (Source: Intersog, 2021).

    These realities are not guaranteed to occur or impede your ability to deliver valuable mobile applications, but they can lead to unachievable expectations. Ensure your stakeholders are not oversold on advertised benefits and hold you accountable for unrealistic objectives. Recognize that the organization must also change how it works and operates to see the full benefit and adoption of mobile applications and overcome the known and unknown challenges and hurdles that often come with mobile delivery.

    Benchmarks present enticing opportunities, but should be used to set reasonable expectations

    66%
    Improve Market Reach
    66% of the global population uses a mobile device
    Source: DataReportal, 2021

    20%
    Connected Workers are More Productive
    Nearly 20 percent of mobile professionals estimate they miss more than three hours of working time a week not being able to get connected to the internet
    Source: iPass, 2017

    80%
    Increase Brand Recognition
    80% of smartphone users are more likely to purchase from companies whose mobile sites of apps help them easily find answers to their questions
    Source: Google, 2018

    Gauge the value with the right metrics

    Metrics are a powerful way to drive behavior change in your organization. But metrics are highly prone to creating unexpected outcomes so they must be used with great care. Use metrics judiciously to avoid gaming or ambivalent behavior, productivity loss, and unintended consequences.

    To learn more, visit Info-Tech's Select and Use SDLC Metrics Effectively blueprint.

    What should I measure?

    1. Mobile Application Engagement, Retention and User Satisfaction
      • The activeness of users on the applications, the number of returning users, and the happiness of the users.
      • Example: Number of tasks completed, number of active and returning users, session length and intervals, user satisfaction
    2. Value Driven from Mobile Applications
      • The business value that the user directly or indirectly receives with the mobile application.
      • Example: Mobile application revenue, business operational costs, worker productivity, business reputation and image
    3. Delivery Throughput and Quality
      • The health and quality of your mobile applications throughout their lifespan and the speed to deliver working applications that meet stakeholder expectations.
      • Example: Frequency of release, lead time, request turnaround, escaped defects, test coverage.

    Use Info-Tech's diagnostic to evaluate the reception of your mobile applications

    Info-Tech's Application Portfolio Assessment (APA) Diagnostic is a canned end user satisfaction survey used to evaluate your application portfolio health to support data-driven decisions.

    This image contains a screenshot from Info-Tech's Application Portfolio Assessment (APA) Diagnostic

    USE THE PROGRAM DIAGNOSTIC TO:

    • Assess the importance and satisfaction of enterprise applications.
    • Solicit feedback from your end users on applications being used.
    • Understand the strengths and weaknesses of your current applications.
    • Perform a high-level application rationalization initiative.

    INTEGRATE DIAGNOSTIC RESULTS TO:

    • Target which applications to analyze in greater detail.
    • Expand on the initial application rationalization results with a more comprehensive and business-value-focused criteria.

    Use a canvas to define key elements of your mobile initiative

    Mobile Application Initiative Name

    Owner:
    Parent Initiative:
    Updated:

    NAME
    LINK
    October 05, 2022

    Problem Statement

    Vision

    The problem or need mobile applications are addressing

    Vision, unique value proposition, elevator pitch, or positioning statement

    Business Goals & Metrics

    Capabilities, Processes & Application Systems

    List of business objectives or goals for the mobile application initiative.

    List of business capabilities, processes and application systems related to this initiative.

    Personas/Customers/Users

    Stakeholders

    List of groups who consume the mobile application

    List of key resources, stakeholders, and teams needed to support the process, systems and services

    To learn more, visit Info-Tech's Deliver on Your Digital Product Vision blueprint.

    1.1.2 Build your mobile application canvas

    1-3 hours

    1. Complete the following fields to build your mobile application canvas:
      • Mobile application initiative name
      • Mobile application owner
      • Parent initiative name
      • Problem that mobile applications are intending to solve and your vision. See the outcome from the previous exercise.
      • Mobile application business goals and metrics.
      • Capabilities, processes and application systems involved
      • Primary customers/users (For additional help with your product personas, download and complete to Deliver on Your Digital Product Vision.)
    2. Stakeholders
    3. Document your findings and discussions into Info-Tech's Mobile Application Delivery Communication Template.

    Download the Mobile Application Delivery Communication Template

    Input

    Output
    • User personas
    • Business strategy
    • Problem and vision statements
    • Mobile objectives and metrics
    • Mobile application canvas
    MaterialsParticipants
    • Whiteboard/Flip Charts
    • Mobile Application Delivery Communication Template
    • Applications Manager
    • Product and Platform Owners
    • Software Delivery Teams
    • Business and IT Leaders

    1.1.2 cont'd

    Mobile Application Initiative Name

    Owner:
    Parent Initiative:
    Updated:

    NAME
    LINK
    October 05, 2022

    Problem Statement

    Vision

    [Problem Statement]

    [Vision]

    Business Goals & Metrics

    Capabilities, Processes & Application Systems

    [Business Goal 1, Metric]
    [Business Goal 2, Metric]
    [Business Goal 3, Metric]

    [Business Capability]
    [Business Process]
    [Application System]

    Personas/Customers/Users

    Stakeholders

    [User 1]
    [User 2]
    [User 3]

    [Stakeholder 1]
    [Stakeholder 2]
    [Stakeholder 3]

    Create your mobile backlog

    Your backlog gives you a holistic understanding of the demand for mobile applications across your organization.

    Opportunities
    Trends
    MVP

    External Sources

    Internal Sources

    • Market Trends Analysis
    • Competitive Analysis
    • Regulations & Industry Standards
    • Customer & Reputation Analysis
    • Application Rationalization
    • Capability & Value Stream Analysis
    • Business Requests & Incidents
    • Discovery & Mining Capabilities

    A mobile application minimum viable product (MVP) focuses on a small set of functions, involves minimal possible effort to deliver a working and valuable solution, and is designed to satisfy a specific user group. Its purpose is to maximize learning, evaluate value and acceptance, and inform the development of a full-fledged mobile delivery practice.

    Find your mobile opportunities

    Modern mobile technologies enable users to access, analyze and change data anywhere with native device features, which opens the door to enhanced processes and new value sources.

    Examples of Mobile Opportunities:

    • Mobile Payment
      • Cost alternative to credit card transaction fees.
      • Loyalty systems are updated upon payment without need of a physical card.
      • Quicker completion of transactions.
    • Inventory Management
      • Update inventory database when shipments arrive or deliveries are made.
      • Inform retailers and consumers of current stock on website.
      • Alert staff of expired or outdated products.
    • Quick and Small Data Transfer
      • Embed tags into posters to transfer URIs, which sends users to sites containing product or location information.
      • Replace entry tags, fobs, or smart cards at doors.
      • Exchange contact details.
    • Location Sensitive Information
      • Proactively send promotions and other information (e.g. coupons, event details) to users within a defined area.
      • Inform employees of nearby prospective clients.
    • Supply Chain Management
      • Track the movement and location of goods and delivery trucks.
      • Direct drivers to the most optimal route.
      • Location-sensitive billing apps such as train and bus ticket purchases.
    • Education and Learning
      • Educate users about real-world objects and places with augmented books and by pushing relevant learning materials.
      • Visualize theories and other text with dynamic 3D objects.
    • Augmented Reality (AR)
      • Provide information about the user's surroundings and the objects in the environment through the mobile device.
      • Interactive and immersive experiences with the inclusion of virtual reality.
    • Architecture and Planning
      • Visualize historic buildings or the layout of structural projects and development plans.
      • Develop a digital tour with location-based audio initiated with location-based services or a camera.
    • Navigation
      • Provide directions to users to navigate and provide contextual travelling instructions.
      • Push traffic notifications and route changes to travelling users.
    • Tracking User Movement
      • Predict the future location of users based on historic information and traffic modelling.
      • Proactively push information to users before they reach their destination.

    1.1.3 Build your mobile backlog

    1-3 hours

    1. As a group, discuss the use and value mobile already has within your organization for each persona.
      1. What are some of the apps being used?
      2. What enterprise systems and applications are already exposed to the web and accessible by mobile devices?
      3. How critical is mobile to business operations, marketing campaigns, etc.?
    2. Discuss how mobile can bring additional business value to other areas of your organization for each persona.
      1. Can mobile enhance your customer reach? Do your customers care that your services are offered through mobile?
      2. Are employees asking for better access to enterprise systems in order to improve their productivity?
    3. Write your mobile opportunities in the following form: As a [end user persona], I want to [process or capability to enable with mobile applications], so that [organizational benefit]. Prioritize each opportunity against feasibility, desirability, and viability.
    4. Document your findings and discussions into Info-Tech's Mobile Application Delivery Communication Template.

    Input

    Output
    • Problem and vision statements
    • Mobile objectives and metrics
    • Mobile application canvas
    • Mobile opportunities backlog
    MaterialsParticipants
    • Whiteboard/Flip Charts
    • Mobile Application Delivery Communication Template
    • Applications Manager
    • Product and Platform Owners
    • Software Delivery Teams
    • Business and IT Leaders

    Manage your mobile backlog

    Your backlog stores and organizes your mobile opportunities at various stages of readiness. It must be continuously refined to address new requests, maintenance and changing priorities.

    3 – IDEAS
    Composed of raw, vague, and potentially large ideas that have yet to go through any formal valuation.

    2 – QUALIFIED
    Researched and qualified opportunities awaiting refinement.

    1 READY
    Discrete, refined opportunities that are ready to be placed in your team's delivery plans.

    Adapted from Essential Scrum

    A well-formed backlog can be thought of as a DEEP backlog

    • Detailed Appropriately: opportunities are broken down and refined as necessary
    • Emergent: The backlog grows and evolves over time as opportunities are added and removed.
    • Estimated: The effort an opportunity requires is estimated at each tier.
    • Prioritized: The opportunity's value and priority are determined at each tier.

    (Source Perforce, 2018)

    See our Deliver on Your Digital Product Vision for more information on backlog practices.

    Step 1.2

    Identify Your Technical Needs

    Activities

    1.2.1 Discuss your mobile needs

    1.2.2 Conduct a technical assessment

    Set the Mobile Context

    This step involves the following participants:

    • Applications Manager
    • Product and Platform Owners
    • Software Delivery Teams
    • Business and IT Leaders

    Outcomes of this step

    • List of mobile features to enable the desired mobile experience
    • System current assessment

    Describe your desired mobile experiences with journey maps

    A journey map tells the story of the user's experience with an existing or prospective product or service, starting with a trigger, through the process of engagement, to create an outcome. Journey maps can focus on a particular part of the user's or the entire experience with your organization's products or services. All types of maps capture key interactions and motivations of the user in chronological order.

    Why are journey maps an important for mobile application delivery?

    Everyone has their own preferred method for completing their tasks on mobile devices – often, what differentiates one persona from another has to do with how users privately behave. Understand that the activities performed outside of IT's purview develop context for your persona's pain points and position IT to meet their needs with the appropriate solution.

    To learn more, visit Info-Tech's Use Experience Design to Drive Empathy with the Business blueprint.

    Two charts are depicted, the first shows the path from Trigger, through steps 1-4, to the outcome, and the Activities and Touchpoints for each. The second chart shows the Expectation analysis, showing which steps are must-haves, nice-to-haves, and hidden-needs.

    Pinpoint specific mobile needs in your journey map

    Realize that mobile applications may not precisely fit with your personas workflow or align to their expectations due to device and system limitations and restrictions. Flag the mobile opportunities that require significant modifications to underlying systems.

    Consider these workflow scenarios that can influence your persona's desire for mobile:

    Workflow Scenarios Ask Yourself The Key Questions Technology Constraints or Restrictions to Consider Examples of Mobile Opportunities

    Data View – Data is queried, prepared and presented to make informed decisions, but it cannot be edited.

    Where is the data located and can it be easily gathered and prepared?

    Is the data sensitive and can it be locally stored?

    What is the level of detail in my view?

    Multi-factor authentication required.

    Highly sensitive data requires encryption in transit and at rest.

    Minor calculations and preparation needed before data view.

    Generate a status report.

    View social media channels.

    View contact information.

    Data Collection – Data is inputted directly into the application and updates back-end system or integrated 3rd party services.

    Do I need special permission to add, delete and overwrite data?

    How much data can I edit?

    Is the data automatically gathered?

    Bandwidth restrictions.

    Multi-factor authentication required.

    Native device access required (e.g., camera).

    Multiple types and formats of gathered data.

    Manual and automatic data gathering

    Book appointments with clients.

    Update inventory.

    Tracking movement of company assets.

    Data Analysis & Modification – Data is evaluated, manipulated and transformed through the application, back-end system or 3rd party service.

    How complex are my calculations?

    Can computations be offloaded?

    What resources are needed to complete the analysis?

    Memory and processing limitations on device.

    Inability to configure device and enterprise hardware to support system resource demand.

    Scope and precision of analysis and modifications.

    Evaluate and propose trends.

    Gauge user sentiment.

    Propose next steps and directions.

    Define the mobile experience your end users want

    Anytime, Anywhere
    The user can access, update and analyze data, and corporate products and services whenever they want, in all networks, and on any device.

    Hands-Off & Automated
    The application can perform various workflows and tasks without the user's involvement and notify the user when specific triggers are hit.

    Personalized & Insightful
    Content presentation and subject are tailored for the user based on specific inputs from the user, device hardware or predicted actions.

    Integrated Ecosystem
    The application supports a seamless experience across various 3rd party and enterprise applications and services the user needs.

    Visually Pleasing & Fulfilling
    The UI is intuitive and aesthetically gratifying with little security and performance trade-offs to use the full breadth of its functions and services.

    Each mobile platform has its own take on the mobile native experience. The choice ultimately depends on whether the costs and effort are worth the anticipated value.

    1.2.1 Discover your mobile needs

    1-3 hours

    1. Define the workflow of a high priority opportunity in your mobile backlog. This workflow can be pertaining to an existing mobile application or a workflow that can benefit with a mobile application.
      1. Indicate the trigger that will initiate the opportunity and the desired outcome.
      2. Break down the persona's desired outcome into small pieces of value that are realized in each workflow step.
    2. Identify activities and touchpoints the persona will need to complete to finish each step in the workflow. Indicate the technology used to complete the activity or to facilitate the touchpoint.
    3. Indicate which activities and touchpoints can be satisfied, complimented or enhanced with mobile.

    Input

    Output
    • User personas
    • Mobile application canvas
    • Desired mobile experience
    • List of mobile features
    • Journey map
    MaterialsParticipants
    • Whiteboard/Flip Charts
    • Mobile Application Delivery Communication Template
    • Applications Manager
    • Product and Platform Owners
    • Software Delivery Teams
    • Business and IT Leaders

    1.2.1 cont'd

    Workflow

    Trigger

    Conduct initial analysis

    Get planning help

    Complete and submit RFP

    Design and implement solution

    Implement changes

    Activities, Channels, and Touchpoints

    Need is recognized in CIO council meeting

    See if we have a sufficient solution internally

    Seek planning help (various channels)

    *Meet with IT shared services business analyst

    Select the appropriate vendor

    Follow action plan

    Compliance rqmt triggered by new law

    See if we have a sufficient solution internally

    *Hold in-person initial meeting with IT shared services

    *Review and approve rqmts (email)

    Seek miscellaneous support

    Implement project and manage change

    Research potential solutions in the marketplace

    Excess budget identified for utilization

    Pick a "favorite" solution

    *Negotiate and sign statement of work (email)

    Prime organization for the change

    Create action plan

    If solution is unsatisfactory, plan remediation

    Current Technology

    • Email
    • Video conferencing
    • Phone
    • Meeting transcripts and recordings
    • ERP
    • IT asset management
    • Internet browser for research
    • Virtual environment to demonstrate solutions
    • Email
    • Vendor assessment and procurement solution
    • Email
    • Video conferencing
    • Phone
    • Meeting transcripts and recordings
    • PDF documents and reader
    • Digital signature
    • Email
    • Video conferencing
    • Phone
    • Meeting transcripts and recordings
    • PDF documents and reader
    • Digital signature
    • Email
    • Video conferencing
    • Phone
    • Vendor assessment and procurement solution
    • Project management solution
    • Team collaboration solution
    • Email
    • Video conferencing
    • Phone
    • Project management solution
    • Team collaboration solution
    • Vendor's solution

    Legend:

    Bold – Touchpoint

    * – Activities or Touchpoints That Can Benefit with Mobile

    1.2.1 cont'd

    1-3 hours

    1. Analyze persona expectations. Identify the persona's must-haves, then nice-to-haves, and then hidden needs to effectively complete the workflow.
      1. Must-haves. The necessary outcomes, qualities, and features of the workflow step.
      2. Nice-to-haves. Desired outcomes, qualities, or features that your persona is able to articulate or express.
      3. Hidden needs. Outcomes, qualities, or features that your persona is not aware they have a desire for; benefits that they are pleasantly surprised to receive. These will usually be unknown for your first-iteration journey map.
    2. Indicate which persona expectations can be satisfied with mobile. Discuss what would the desired mobile experience be.
    3. Discuss feedback and experiences your team has heard from the personas they engage with regularly.
    4. Document your findings and discussions into Info-Tech's Mobile Application Delivery Communication Template.

    Download the Mobile Application Delivery Communication Template

    1.2.1 cont'd

    Example

    This image contains an example workflow for determining mobile needs.

    1.2.1 cont'd

    Template:

    Workflow

    TriggerStep 1Step 2Step 3Step 4

    Desired Outcome

    Journey Map

    Activities & Touch-points

    <>

    <>

    <>

    <>

    <>

    <>

    Must-Haves

    <>

    <>

    <>

    <>

    <>

    <>

    Nice-to-Haves

    <>

    <>

    <>

    <>

    <>

    <>

    Hidden Needs

    <>

    <>

    <>

    <>

    <>

    <>

    Emotional Journey

    <>

    <>

    <>

    <>

    <>

    <>

    If you need more than four steps in the workflow, duplicate this slide.

    Understand how mobile fits with your current system

    Evaluate the risks and impacts of your desired mobile features by looking at your enterprise system architecture from top to bottom. Is your mobile vision and needs compatible with your existing business capabilities and technologies?

    An architecture is usually represented by one or more architecture views that together provide a coherent description of the application system, including demonstrating the full impact mobile will have. A single, comprehensive model is often too complex to be understood and communicated in its most detailed form, and a model too high level hides the underlying complexity of an application's structure and deployment (The Open Group, TOGAF 8.1.1 - Developing Architecture Views). Obtain a complete understanding of your architecture by assessing it through multiple levels of views to reveal different sets of concerns:

    Application Architecture Views

    1. Use Case View
    • How does your business operate, and how will users interact with your mobile applications?
  • . Process View
    • What is the user workflow impacted by mobile, and how will it change?
  • Component View
    • How are my existing applications structured? What are its various components? How will mobile expand the costs of the existing technical debt?
  • Data View
    • What is the relationship of the data and information consumed, analyzed, and transmitted? Will mobile jeopardize the quality and reliability of the data?
  • Deployment View
    • In what environment are your mobile application components deployed? How will the existing systems operate with your mobile applications?
  • System View
    • How does your mobile application communicate with other internal and external systems? How will dependencies change with mobile?
  • See our Enhance Your Solution Architecture for more information.

    Ask key questions in your current system assessment

    • How do the various components of your system communicate with each other (e.g., web APIs, middleware, and point to point)?
    • What information is exchanged during the conversation?
    • How does the data flow from one component to the next? Is the data read-only or can application and users edit and modify it?
    • What are the access points to your mid- and back-tier systems (e.g., user access through web interface, corporate networks and third-party application access through APIs)?
    • Who has access to your enterprise systems?
    • Which components are managed and operated by third-party providers? What is your level of control?
    • What are the security protocols currently enforced in your system?
    • How often are your databases updated? Is it real-time or periodic extract, transfer, and load (ETL)?
    • What are the business rules?
    • Is your mobile stack dependent on other systems?
    • Is a mobile middleware, web server, or API gateway needed to help facilitate the integration between devices and your back-end support?

    1.2.2 Conduct a technical assessment

    1-3 hours

    1. Evaluate your current systems that will support the journey map of your mobile opportunities based on two categories: system quality and system management. Use the tables on the following slides and modify the questions if needed.
    2. Discuss if the current state of your system will impede your ability to succeed with mobile. Use this discussion to verify the decision to continue with mobile applications in your current state.
    3. Document your findings and discussions into Info-Tech's Mobile Application Delivery Communication Template.

    Download the Mobile Application Delivery Communication Template

    Input

    Output
    • Journey map
    • Understanding of current system
    • Assessment of current system
    MaterialsParticipants
    • Whiteboard/Flip Charts
    • Mobile Application Delivery Communication Template
    • Applications Manager
    • Product and Platform Owners
    • Software Delivery Teams
    • Business and IT Leaders

    1.2.2 cont'd

    Current State System Quality Assessment

    Factors Definitions Survey Responses
    Fit-for-Purpose System functionalities, services and integrations are designed and implemented for the purpose of satisfying the end users' needs and technology compatibilities. 1 (Very Poor) – 2 – 3 (Fair) – 4 – 5 (Excellent)
    Response Rate The system completes computation and processing requests within acceptable timeframes. 1 (Very Poor) – 2 – 3 (Fair) – 4 – 5 (Excellent)
    Data Quality The system delivers consumable, accurate, and trustworthy data. 1 (Very Poor) – 2 – 3 (Fair) – 4 – 5 (Excellent)
    Usability The system provides functionalities, services and integrations that are rewarding, engaging, intuitive, and emotionally satisfying. 1 (Very Poor) – 2 – 3 (Fair) – 4 – 5 (Excellent)
    Reliability The system is resilient or quickly recovers from issues and defects. 1 (Very Poor) – 2 – 3 (Fair) – 4 – 5 (Excellent)
    Accessible The system is available on demand and on the end user's preferred interface and device. 1 (Very Poor) – 2 – 3 (Fair) – 4 – 5 (Excellent)
    Secured End-user activity and data is protected from unauthorized access. 1 (Very Poor) – 2 – 3 (Fair) – 4 – 5 (Excellent)
    Adaptable The system can be quickly tailored to meet changing end-user and technology needs with reusable and customizable components. 1 (Very Poor) – 2 – 3 (Fair) – 4 – 5 (Excellent)

    1.2.2 cont'd

    Current State System Management Assessment

    Factors Definitions Survey Responses
    Documentation The system is documented, accurate, and shared in the organization. 1 (Very Poor) – 2 – 3 (Fair) – 4 – 5 (Excellent)
    Measurement The system is continuously measured against clearly defined metrics tied to business value. 1 (Very Poor) – 2 – 3 (Fair) – 4 – 5 (Excellent)
    Compliance The system is compliant with regulations and industry standards. 1 (Very Poor) – 2 – 3 (Fair) – 4 – 5 (Excellent)
    Continuous Improvement The system is routinely rationalized and enhanced. 1 (Very Poor) – 2 – 3 (Fair) – 4 – 5 (Excellent)
    Architecture There is a shared overview of how the process supports business value delivery and its dependencies with technologies and other processes. 1 (Very Poor) – 2 – 3 (Fair) – 4 – 5 (Excellent)
    Ownership & Accountability The process has a clearly defined owner who is accountable for its risks and roadmap. 1 (Very Poor) – 2 – 3 (Fair) – 4 – 5 (Excellent)
    Support Resources are available to address adoption and execution challenges. 1 (Very Poor) – 2 – 3 (Fair) – 4 – 5 (Excellent)
    Organizational Change Management Communication, onboarding, and other change management capabilities are available to facilitate technology and related role and process changes. 1 (Very Poor) – 2 – 3 (Fair) – 4 – 5 (Excellent)

    Step 1.3

    Define Your Non-Functional Requirements

    Activities

    1.3.1 Define mobile application quality

    1.3.2 Verify your decision to deliver mobile applications

    Set the Mobile Context

    This step involves the following participants:

    • Applications Manager
    • Product and Platform Owners
    • Software Delivery Teams

    Outcomes of this step

    • Mobile application quality definition
    • Readiness for mobile delivery

    Build a strong foundation of mobile application quality

    Functionality and aesthetics often take front seats in mobile application delivery. Applications are then frequently modified and changed, not because they are functionally deficient or visually displeasing, but because they are difficult to maintain or scale, too slow, vulnerable or compromised. Implementing clear quality principles (i.e., non-functional requirements) and strong quality assurance practices throughout delivery are critical to minimize the potential work of future maintenance and to avoid, mitigate and manage IT risks.

    What is Mobile Application Quality?

    • Quality requirements (i.e., non-functional requirements) are properties of a system or product that dictate how it should behave at runtime and how it should be designed, implemented, and maintained.
    • These requirements should be involved in decision making around architecture, UI and functional design changes.
    • Functionality should not dictate the level of security, availability, or performance of a product, thereby risking system quality. Functionality and quality are viewed orthogonally, and trade-offs are discussed when one impacts the other.
    • Quality attributes should never be achieved in isolation as one attribute can have a negative or positive impact on another (e.g. security and availability).

    Why is Mobile Quality Assurance Critical?

    • Quality assurance (QA) is a necessity for the validation and verification of mobile delivery, whether you are delivering applications in an Agile or Waterfall fashion. Effective QA practices implemented across the software development lifecycle (SDLC) are vital, as all layers of the mobile stack need to readily able to adjust to suddenly evolving and changing business and user needs and technologies without risking system stability and breaking business standards and expectations.
    • However, investments in QA optimizations are often afterthoughts. QA is commonly viewed as a lower priority compared to other delivery capabilities (e.g., design and coding) and is typically the first item cut when delivery is under pressure.

    See our Build a Software Quality Assurance Program for more information.

    Mobile emphasizes the importance of good security, performance and integration

    Today's mobile workforce is looking for new ways to get more work done quickly. They want access to enterprise solutions and data directly on their mobile device, which can reside on multiple legacy systems and in the cloud and third-party infrastructure. This presents significant performance, integration, and security risks.

    Cloud Solutions: Can I use my existing APIs?. Solutions in Corporate Networks: Do my legacy systems have the capacity to support mobile?; How do I integrate solutions and data from multiple sources into a single view?; Third Party Solutions: Will I have a significant performance bottleneck?; Single View on Mobile Devices: How is corporate data stored on the device?; What new technology dependencies must I account for in my architecture and operational support capabilities?

    Mobile risks opening and widening existing security gaps

    New mobile technologies and the continued expansion of the enterprise environment increase the number of entry points attackers to your corporate data and networks. The ever-growing volume, velocity, and variety of new threats puts significant pressure on mobile delivery teams who are responsible for implementing mobile security measures and maintaining alignment to your security policies and those of app stores.

    Mobile attacks can come from various vectors:

    Attack Surface: Mobile Device

    Attack Surface: Network

    Attack Surface: Data Center

    Browser:
    Phishing
    Buffer Overflow
    Data Caching

    System:
    No Passcode
    Jailbroken and Rooted OS
    No/Weak Encryption
    OS Data Caching

    Phone:
    SMSishing
    Radio Frequency Attacks

    Apps:
    Configuration Manipulation
    Runtime Injection
    Improper SSL Validation

    • Packet Sniffing
    • Session Hijacking
    • Man-in-the-Middle (circumvent password verification systems)
    • Fake SSL Certificate
    • Rogue Access Points

    Web Server:
    Cross-Site Scripting (XSS)
    Brute Force Attacks
    Server Misconfigurations

    Database:
    SQL Injection
    Data Dumping

    Understand the top web security risks and vulnerabilities seen in the industry

    Recognize mobile applications are exposed to the same risks and vulnerabilities as web applications. Learn of OWASP's top 10 web security risks.

    • Broken Access Control
      • Failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user's limits.
    • Cryptographic Failures
      • Improper and incorrect protection of data in transit and at rest, especially proprietary and confidential data and those that fall under privacy laws.
    • Injection
      • Execution of malicious code and injection of hostile or unfiltered data on the mobile device via the mobile application.
    • Insecure Design
      • Missing or ineffective security controls in the application design. An insecure design cannot be fixed by a perfect implementation,. Needed security controls were never created to defend against specific attacks.
    • Security Misconfiguration
      • The security settings in the application are not securely set or configured, including poor security hardening and inadequate system upgrading practices.
    • Vulnerable and Outdated Components
      • System components are vulnerable because they are unsupported, out of date, untested or not hardened against current security concerns.
    • Identification and Authentication Failures
      • Improper or poor protection against authentication-related attacks, particularly to the user's identity, authentication and session management.
    • Software and Data Integrity Failures
      • Failures related to code and infrastructure that does not protect against integrity violations, such as an application relying upon plugins, libraries, or modules from untrusted sources, repositories, and content delivery networks
    • Security Logging and Monitoring Failures
      • Insufficient logging, detection, monitoring, and active response that hinders the ability to detect, escalate, and respond to active breaches.
    • Server-Side Request Forgery (SSRF)
      • SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL.

    Good mobile application performance drives satisfaction and value delivery

    Underperforming mobile applications can cause your users to be unproductive. Your mobile applications should always aim to satisfy the productivity requirements of your end users.

    Users quickly notice applications that are slow and difficult to use. Providing a seamless experience for the user is now heavily dependent on how well your application performs. Optimizing your mobile application's processing efficiency can help your users perform their jobs properly in various environment conditions.

    Productive Users Need
    Performant Mobile Applications

    Persona

    Mobile Application Use Case

    Optimized Mobile Application

    Stationary Worker

    • Design flowcharts and diagrams, while abandoning paper and desktop apps in favor of easy-to-use, drawing tablet applications.
    • Multitask by checking the application to verify information given by a vendor during their presentation or pitch.
    • Flowcharts and diagrams are updated in real time for team members to view and edit
    • Compare vendors under assessment with a quick look-up app feature

    Roaming Worker (Engineer)

    • Replace physical copies of service and repair manuals physically stored with digital copies and access them with mobile applications.
    • Scan or input product bar code to determine whether a replacement part is available or needs to be ordered.
    • Worker is capable of interacting with other features of the mobile web app while product bar code is being verified

    Enhance the performance of the entire mobile stack

    Due to frequently changing mobile hardware, users' high performance expectations and mobile network constraints, mobile delivery teams must focus on the entire mobile stack for optimizing performance.

    Fine tune your enterprise mobile applications using optimization techniques to improve performance across the full mobile stack.

    This image contains a bar graph ranking the importance of the following datapoints: Minimize render blocking resources; Configure the mobile application viewport; Determine the right image file format ; Determine above-the-fold content; Minimize browser reflow; Adopt UI techniques to improve perceived latency; Resource minification; Data compression; Asynchronous programming; Resource HTTP caching; Minimize network roundtrips for first time to render.

    Info-Tech Insight

    Some user performance expectations can be managed with clever UI design (e.g., spinning pinwheels to indicate loading in progress and directing user focus to quick loading content) and operational choices (e.g. graceful degradation and progressive enhancements).

    Create an API-centric integration strategy

    Mobile delivery teams are tasked to keep up with the changing needs of end users and accommodate the evolution of trending mobile features. Ensuring scalable APIs is critical in quickly releasing changes and ensuring availability of corporate services and resources.

    As your portfolio of mobile applications grows, and device platforms and browsers diversify, it will become increasingly complex to provide all the data and service capabilities your mobile apps need to operate. It is important that your APIs are available, reliable, reusable, and secure for multiple uses and platforms.

    Take an API-centric approach to retain control of your mobile development and ensure reliability.

    APIs are the underlying layer of your mobile applications, enabling remote access of company data and services to end users. Focusing design and development efforts on the maintainability, reliability and scalability of your APIs enables your delivery teams to:

    • Reuse tried-and-tested APIs to deliver, test and harden applications and systems quicker by standardizing on the use and structure of REST APIs.
    • Ensure a consistent experience and performance across different applications using the same API.
    • Uniformly apply security and access control to remain compliant to security protocols, industry standards and regulations.
    • Provide reliable integration points when leveraging third-party APIs and services.

    See our Build Effective Enterprise Integration on the Back of Business Process for more information.

    Guide your integration strategy with principles

    Craft your principles around good API management and integration practices

    Expose Enterprise Data And Functionality in API-Friendly Formats
    Convert complex on-premises application services into developer-friendly RESTful APIs

    Protect Information Assets Exposed Via APIs to Prevent Misuse
    Ensure that enterprise systems are protected against message-level attack and hijack

    Authorize Secure, Seamless Access for Valid Identities
    Deploy strong access control, identity federation and social login functionality

    Optimize System Performance and Manage the API Lifecycle
    Maintain the availability of backend systems for APIs, applications and end users

    Engage, Onboard, Educate and Manage Developers
    Give developers the resources they need to create applications that deliver real value

    Source: 5 Pillars of API Management, Broadcom, 2021

    Clarify your definition of mobile quality

    Quality does not mean the same thing to everyone

    Do not expect a universal definition of mobile quality. Each department, person and industry standard will have a different interpretation of quality, and they will perform certain activities and enforce policies that meet those interpretations. Misunderstanding of what is defined as a high quality mobile application within business and IT teams can lead to further confusion behind governance, testing priorities and compliance.

    Each interpretation of quality can lead to endless testing, guardrails and constraints, or lack thereof. Be clear on the priority of each interpretation and the degree of effort needed to ensure they are met.

    For example:

    Mobile Application Owner
    What does an accessible mobile application mean?

    Persona: Customer
    I can access it on mobile phones, tablets and the web browser

    Persona: Developer
    I have access to each layer of the mobile stack including the code & data

    Persona: Operations
    The mobile application is accessible 24/7 with 95% uptime

    Example: A School Board's Quality Definition

    Quality Attribute Definitions
    Usability The product is an intuitive solution. Usability is the ease with which the user accomplishes a desired task in the application system and the degree of user support the system provides. Limited training and documentation are required.
    Performance Usability and performance are closely related. A solution that is slow is not usable. The application system is able to meet timing requirements, which is dependent on stable infrastructure to support it regardless of where the application is hosted. Baseline performance metrics are defined and changes must result in improvements. Performance is validated against peak loads.
    Availability The application system is present, accessible, and ready to carry out its tasks when needed. The application is accessible from multiple devices and platforms, is available 24x7x365, and teams communicate planned downtimes and unplanned outages. IT must serve teachers international student's parents, and other users who access the application outside normal business hours. The application should never be down when it should be up. Teams must not put undue burden on end users accessing the systems. Reasonable access requirements are published.
    Security Applications handle both private and personal data, and must be able to segregate data based on permissions to protect privacy. The application system is able to protect data and information from unauthorized access. Users want it to be secure but seamless. Vendors need to understand and implement the District School Board's security requirements into their products. Teams ensure access is authorized, maintain data integrity, and enforce privacy.
    Reusability Reusability is the capability for components and subsystems to be suitable for use in other applications and in other scenarios. This attribute minimizes the duplication of components and implementation time. Teams ensure a modular design that is flexible and usable in other applications.
    Interoperability The degree to which two or more systems can usefully exchange meaningful information via interfaces in a particular context.

    Scalability

    There are two kinds of scalability:

    • Horizontal scalability (scaling out): Adding more resources to logical units, such as adding another server to a cluster of servers.
    • Vertical scalability (scaling up): Adding more resources to a physical unit, such as adding more memory to a single computer.

    Ease of maintenance and enhancements are critical. Additional care is given to custom code because of the inherent difficulty to make it scale and update.

    Modifiability The capability to manage the risks and costs of change, considering what can be changed, the likelihood of change, and when and who makes the change. Teams minimize the barriers to change, and get business buy in to keep systems current and valuable.
    Testability The ease with which software are made to demonstrate its faults through (typically execution-based) testing. It cannot be assumed that the vendor has already tested the system against District School Board's requirements. Testability applies to all applications, operating systems, and databases.
    Supportability The ability of the system to provide information helpful for identifying and resolving issues when it fails to work correctly. Supportability applies to all applications and systems within the District School Board's portfolio, whether that be custom developed applications or vendor provided solutions. Resource investments are made to better support the system.
    Cost Efficiency The application system is executed and maintained in such a way that each area of cost is reduced to what is critically needed. Cost efficiency is critical (e.g. printers cost per page, TCO, software what does downtime cost us), and everyone must understand the financial impact of their decisions.
    Self-Service End users are empowered to make configurations, troubleshoot and make changes to their application without the involvement of IT. The appropriate controls are in place to manage the access to unauthorized access to corporate systems.
    Modifiability The capability to manage the risks and costs of change, considering what can be changed, the likelihood of change, and when and who makes the change. Teams minimize the barriers to change, and get business buy in to keep systems current and valuable.
    Testability The ease with which software are made to demonstrate its faults through (typically execution-based) testing. It cannot be assumed that the vendor has already tested the system against District School Board's requirements. Testability applies to all applications, operating systems, and databases.
    Supportability The ability of the system to provide information helpful for identifying and resolving issues when it fails to work correctly. Supportability applies to all applications and systems within the District School Board's portfolio, whether that be custom developed applications or vendor provided solutions. Resource investments are made to better support the system.

    1.3.1 Define mobile application quality

    1-3 hours

    1. List 5 quality attributes that your organization sees as important for a successful mobile application.
    2. List the core personas that will support mobile delivery and that will consume the mobile application. Start with development, operations and support, and end user.
    3. Describe each quality attributes from the perspective of each persona by asking, "What does quality mean to you?".
    4. Review each description from each persona to come to an acceptable definition.
    5. Document your findings and discussions into Info-Tech's Mobile Application Delivery Communication Template.

    Download the Mobile Application Delivery Communication Template

    Input

    Output
    • User personas
    • Mobile application canvas
    • Journey map
    • Mobile application quality definition
    MaterialsParticipants
    • Whiteboard/Flip Charts
    • Mobile Application Delivery Communication Template
    • Applications Manager
    • Product and Platform Owners
    • Software Delivery Teams
    • Business and IT Leaders

    1.3.1 cont'd

    Example: Info-Tech Guided Implementation with a Legal and Professional Services Organization

    Quality AttributeDeveloperOperations & Support TeamEnd Users

    Usability

    • Architecture and frameworks are aligned with industry best practices
    • Regular feedback through analytics and user feedback
    • Faster development and less technical debt
    • Pride in the product
    • Satisfaction that the product is serving its purpose and is actually being used by the user
    • Increased update of product use and feedback for future lifecycle
    • Standardization and positive perception of IT processes
    • Simpler to train users to adopt products and changes
    • Trust in system and ability to promote the product in a positive light
    • Trusted list of applications
    • Intuitive (easy to use, no training required)
    • Encourage collaboration and sharing ideas between end users and delivery teams
    • The information presented is correct and accurate
    • Users understand where the data came from and the algorithms behind it
    • Users learn features quickly and retain their knowledge longer, which directly correlates to decreased training costs and time
    • High uptake in use of the product
    • Seamless experience, use less energy to work with product

    Security

    • Secure by design approach
    • Testing across all layers of the application stack
    • Security analysis of our source code
    • Good approach to security requirement definition, secure access to databases, using latest libraries and using semantics in code
    • Standardized & clear practices for development
    • Making data access granular (not all or none)
    • Secure mission critical procedures which will reduce operational cost, improve compliance and mitigate risks
    • Auditable artifacts on security implementation
    • Good data classification, managed secure access, system backups and privacy protocols
    • Confidence of protection of user data
    • Encryption of sensitive data
    Availability
    • Good access to the code
    • Good access to the data
    • Good access to APIs and other integration technologies
    • Automatic alerts when something goes wrong
    • Self-repairing/recovering
    • SLAs and uptimes
    • Code documentation
    • Proactive support from the infrastructure team
    • System availability dashboard
    • Access on any end user device, including mobile and desktop
    • 24/7 uptime
    • Rapid response to reported defects or bugs
    • Business continuity

    1.3.2 Verify your decision to deliver mobile applications

    1-3 hours

    1. Review the various end user, business and technical expectations for mobile its achievability given the current state of your system and non-functional requirements.
    2. Complete the list of questions on the following slide as an indication for your readiness for mobile delivery.

    Input

    Output
    • Mobile application canvas
    • Assessment to proceed with mobile
    MaterialsParticipants
    • Whiteboard/Flip Charts
    • Applications Manager
    • Product and Platform Owners
    • Software Delivery Teams
    • Business and IT Leaders

    1.3.2 cont'd

    Skill Sets
    Software delivery teams have skills in creating mobile applications that stakeholders are expecting in value and quality. 1 (Strongly Disagree) – 2 – 3 (Neutral) – 4 – 5 (Strongly Agree)
    Architects look for ways to reuse existing technical asset and design for future growth and maturity in mobile. 1 (Strongly Disagree) – 2 – 3 (Neutral) – 4 – 5 (Strongly Agree)
    Resources can be committed to implement and manage a mobile platform. 1 (Strongly Disagree) – 2 – 3 (Neutral) – 4 – 5 (Strongly Agree)
    Software delivery teams and resources are adaptable and flexible to requirements and system changes. 1 (Strongly Disagree) – 2 – 3 (Neutral) – 4 – 5 (Strongly Agree)
    Delivery Process
    My software delivery process can accommodate last minute and sudden changes in mobile delivery tasks. 1 (Strongly Disagree) – 2 – 3 (Neutral) – 4 – 5 (Strongly Agree)
    Business and IT requirements for the mobile are clarified through collaboration between business and IT representatives. 1 (Strongly Disagree) – 2 – 3 (Neutral) – 4 – 5 (Strongly Agree)
    Mobile will help us fill the gaps and standardize our software delivery process process. 1 (Strongly Disagree) – 2 – 3 (Neutral) – 4 – 5 (Strongly Agree)
    My testing practices can be adapted to verify and validate the mobile functional and non-functional requirements. 1 (Strongly Disagree) – 2 – 3 (Neutral) – 4 – 5 (Strongly Agree)
    Technical Stack
    My mid-tier and back-end support has the capacity to accommodate additional traffic from mobile. 1 (Strongly Disagree) – 2 – 3 (Neutral) – 4 – 5 (Strongly Agree)
    I have access to my web infrastructure and integration technologies, and I am capable of making configurations. 1 (Strongly Disagree) – 2 – 3 (Neutral) – 4 – 5 (Strongly Agree)
    My security approaches and capabilities can be enhanced address specific mobile application risks and vulnerabilities. 1 (Strongly Disagree) – 2 – 3 (Neutral) – 4 – 5 (Strongly Agree)
    I have a sound and robust integration strategy involving web APIs that gives me the flexibility to support mobile applications. 1 (Strongly Disagree) – 2 – 3 (Neutral) – 4 – 5 (Strongly Agree)

    Phase 2

    Define Your Mobile Approach

    Choose Your Mobile Platform and Tools

    This phase will walk you through the following activities:

    • Step 2.1 – Choose Your Platform Approach
    • Step 2.2 – Shortlist Your Mobile Delivery Solution
    • Step 2.3 – Create a Roadmap for Mobile Delivery

    This phase involves the following participants:

    • Applications Manager
    • Product and Platform Owners
    • Software Delivery Teams
    • Business and IT Leaders

    Step 2.1

    Choose Your Platform Approach

    Activities

    2.1.1 Select your platform approach

    Define Your Mobile Approach

    This step involves the following participants:

    • Applications Manager
    • Product and Platform Owners
    • Software Delivery Teams
    • Business and IT Leaders

    Outcomes of this step

    • Desired mobile platform approach

    Mobile value is dependent on the platform you choose

    What is a platform?

    "A platform is a set of software and a surrounding ecosystem of resources that helps you to grow your business. A platform enables growth through connection: its value comes not only from its own features, but from its ability to connect external tools, teams, data, and processes." (Source: Emilie Nøss Wangen, 2021) In the mobile context, applications in a platform execute and communicate through a loosely coupled API architecture whether the supporting system is managed and supported by your organization or by 3rd party providers.

    Web

    The mobile web often takes on one of the following two approaches:

    • Responsive websites – Content, UI and other website elements automatically adjusts itself according to the device, creating a seamless experience regardless of the device.
    • Progressive web applications (PWAs) – PWAs uses the browser's APIs and features to offer native-like experiences.

    Mobile web applications are often developed with a combination of HTML, CSS, and JavaScript languages.

    Hybrid

    Hybrid applications are developed with web technologies but are deployed as native applications. The code is wrapped using a framework so that it runs locally within a native container, and it uses the device's browser runtime engine to support more sophisticated designs and features compared to the web approach. Hybrid mobile solutions allows teams to code once and deploy to multiple platforms.

    Some notable examples:

    • Gmail
    • Instagram

    Cross-Platform

    Cross-platform applications are developed within a distinct programming or scripting environment that uses its own scripting language (often like web languages) and APIs. Then the solution will compile the code into device-specific builds for native deployment.

    Some notable examples:

    • Facebook
    • Skype
    • Slack

    Native

    Native applications are developed and deployed to specific devices and OSs using platform-specific software development kits (SDKs) provided by the operating system vendors. The programming language and framework are dictated by the targeted device, such as Java for Android.

    With this platform, developers have direct access to local device features allowing customized operations. This enables the use of local resources, such as memory and runtime engines, which will achieve a higher performance than hybrid and cross-platform applications.

    Each platform offers unique pros and cons depending on your mobile needs

    WebHybridCross-PlatformNative

    Pros

    Cons

    Pros

    Cons

    Pros

    Cons

    Pros

    Cons

    • Modern browsers support the popular of web languages (HTML, CSS, and JavaScript).
    • Ubiquitous across multiple form factors and devices.
    • Mobile can be easily integrated into traditional web development processes and technical stacks.
    • Installations are not required, and updates are immediate.
    • Sensitive data can be wiped from memory after app is closed.
    • Limited access to local device hardware and software.
    • Local caching is available for limited offline capabilities, but the scope of tasks that can be completed in this scenario is restricted.
    • The browser's runtime engine is limited in computing power.
    • Not all browsers fully support the latest versions of HTML, CSS, or JavaScript.
    • Web languages can be used to develop a complete application.
    • Code can be reused for multiple platforms, including web.
    • Access to commonly-used native features that are not available through the web platform.
    • Quick delivery and maintenance updates compared to native and cross-platform platforms.
    • Consistent internet access is needed due to its reliance heavily reliance on web technologies to operate.
    • Limited ability to support complex workflows and features.
    • Sluggish performance compared to cross-platform and native applications.
    • Certain features may not operate the same across all platforms given the code once, deploy everywhere approach.
    • More cost-effective to develop than using native development approaches to gain similar features. Platform-specific developers are not needed.
    • Common codebase to develop applications on different applications.
    • Enables more complex application functionalities and technical customizations compared to hybrid applications.
    • Code is not portable across cross-platform delivery solutions.
    • The framework is tied to the vendor solution which presents the risk of vendor lock-in.
    • Deployment is dependent on an app store and the delivery solution may not guarantee the application's acceptance into the application store.
    • Significant training and onboarding may be needed using the cross-platform framework.
    • Tight integration with the device's hardware enables high performance and greater use of hardware features.
    • Computationally-intensive and complex tasks can be completed on the device.
    • Available offline access.
    • Apps are available through easy-to-access app stores.
    • Requires additional investments, such as app stores, app-specific support, versioning, and platform-specific extensions.
    • Developers skilled in a device-specific language are difficult to acquire and costly to train.
    • Testing is required every time a new device or OS is introduced.
    • Higher development and maintenance costs are tradeoffs for native device features.

    Start mobile development on a mobile web platform

    Start with what you have: begin with a mobile web platform to minimize impacts to your existing delivery skill sets and technical stack while addressing business needs. Resort to a hybrid first and then consider a cross-platform application if you require device access or the need to meet specific non-functional requirements.

    Why choose a mobile web platform?

    Pros

    The latest versions of the most popular web languages (HTML5, CSS3, JavaScript) abstract away from the granular, physical components of the application, simplifying the development process. HTML5 offer some mobile features (e.g., geolocation, accelerometer) that can meet your desired experience without the need for native development skills. Native look-and-feel, high performance, and full device access are just a few tradeoffs of going with web languages.

    Cons

    Native mobile platforms depend on device-specific code which follows specific frameworks and leverages unique programming libraries, such as Objective C for iOS and Java for Android. Each language requires a high level of expertise in the coding structure and hardware of specific devices requiring resources with specific skillsets and different tools to support development and testing.

    Other Notable Benefits with Web Languages

    • Modern browsers in most mobile devices are capable of executing and rendering many mobile features developed in web languages, allowing for greater portability and sophistication of code across multiple devices. However, this flexibility comes at the cost of performance since the browser's runtime engine will not perform as well as a native engine.
    • Web languages are well known by developers, minimizing skills and resourcing impacts. Consequently, changes can be quickly accommodated and updated uniformly across all end users.

    Do you need a native platform?

    Consider web workarounds if you choose a web platform but require some native experiences.

    The web platform does not give you direct access or sophisticated customizations to local device hardware and services, underlying code and integrations. You may run into the situation where you need some native experiences, but the value of these features may not offset the costs to undertake a native, hybrid or cross-platform application. When developing hybrid and cross-platform applications with a mobile delivery solution, only the APIs of the commonly used device features are available. Note that some vendors may not offer a particular native feature across all devices, inhibiting your ability to achieve feature parity or exploiting device features only available in certain devices. Workarounds are then needed.

    Consider the following workarounds to address the required native experiences on the web platform:

    Native Function Description Web Workaround Impact
    Camera Takes pictures or records videos through the device's camera. Create an upload form in the web with HTML5. Break in workflow leading to poor user experience (UX).
    Geolocation Detects the geographical location of the device. Available through HTML5. Not Applicable.
    Calendar Stores the user's calendar in local memory. Integrate with calendaring system or manually upload contacts. Costly integration initiative. Poor user experience.
    Contacts Stores contact information in local memory. Integrate app with contact system or manually upload contacts. Costly integration initiative. Poor user experience.
    Near Field Communication (NFC) Communication between devices by touching them together or bringing them into proximity. Manual transfer of data. A lot of time is consumed transferring simple information.
    Native Computation Computational power and resources needed to complete tasks on the device. Resource-intensive requests are completed by back-end systems and results sent back to user. Slower application performance given network constraints.

    Info-Tech Insight

    In many cases, workarounds are available when evaluating the gaps between web and native applications. For example, not having application-level access to the camera does not negate the user option to upload a picture taken by the camera through a web form. Tradeoffs like this will come down to assessing the importance of each platform gap for your organization and whether a workaround is good enough as a native-like experience.

    Architect and configure your entire mobile stack with a plan

    • Assess your existing technology stack that will support your mobile platform. Determine if it has the capacity to handle mobile traffic and the necessary integration between devices and enterprise and 3rd party systems are robust and reliable. Reach out to your IT teams and vendors if you are missing key mobile components, such as:
    • The acquisition and provisioning of physical or virtual mobile web servers and middleware from existing vendors.
    • Cloud services [e.g., Mobile Back-end as a Service (mBaaS)] that assists in the mobilization of back-end data sources with API SDKs, orchestration of data from multiple sources, transformation of legacy APIs to mobile formats, and satisfaction of other security, integration and performance needs.
    • Configure the services of your web server or middleware to facilitate the translation, transformation, and transfer of data between your mobile front-end and back-end. If your plan involves scripts, maintenance and other ongoing costs will likely increase.
    • Leverage the APIs or adapters provided by your vendors or device manufacturers to integrate your mobile front-end and back-end support to your web server or middleware. If you are reusing a web server, the back-end integration should already be in place. Remember, APIs implement business rules to maintain the integrity of data exchange within your mobile stack.
    • See Appendix A for examples of reference architectures of mobile platforms.

    See our Enhance Your Solution Architecture for more information.

    Do Not Forget Your Security and Performance Requirements

    Security: New threats from mobile put organizations into a difficult situation beyond simply responding to them in a timely matter. Be careful not to take the benefits of security out of the mobile context. You need to make security a first-order citizen during the scoping, design, and optimization of your systems supporting mobile. It must also be balanced with other functional and non-functional requirements with the right roles taking accountability for these decisions.

    See our Strengthen the SSDLC for Enterprise Mobile Applications for more information.

    Performance: Within a distributed mobile environment, performance has a risk of diminishing due to limited device capacity, network hopping, lack of server scalability, API bottlenecks, and other device, network and infrastructure issues. Mobile web APIs suffer from the same pain points as traditional web browsing and unplanned API call management in an application will lead to slow performance.

    See our Develop Enterprise Mobile Applications With Realistic and Relevant Performance for more information.

    Enterprise platform selection requires a shift in perspective

    Your mobile platform selection must consider both user and enterprise (i.e., non-functional) needs. Use a two-step process for your analysis:

    Begin Platform Selection with a User-Centric Approach

    Organizations appealing to end users place emphasis on the user experience: the look and appeal of the user interface, and the satisfaction, ease of use, and value of its functionalities. In this approach, IT concerns and needs are not high priorities, but many functions are completed locally or isolated from mission critical corporate networks and sensitive data. Some needs include:

    • Performance: quick execution of tasks and calculations made on the device or offloaded to web servers or the cloud.
    • User Interface: cross-platform compatibility and feature-rich design and functionality. The right native experience is critical to the user adoption and satisfaction.
    • Device Access: use of local device hardware and software to complete app use cases, such as camera, calendar, and contact lists.

    Refine Platform Selection with an Enterprise-Centric Approach

    From the enterprise perspective, emphasis is on security, system performance, integration, reuse and other non-functional requirements as the primary motivations in the selection of a mobile platform. User experience is still a contributing factor because of the mobile application's need to drive value but its priority is not exclusive. Some drivers include:

    • Openness: agreed-upon industry standards and technologies that can be applied to serve enterprise needs which support business processes.
    • Integration: increase the reuse of legacy investments and existing applications and services with integration capabilities.
    • Flexibility: support for multiple data types from applications such as JSON format for mobile.
    • Capacity: maximize the utilization of your software delivery resources beyond the initial iteration of the mobile application.

    Info-Tech Insight

    Selecting a mobile platform should not solely be made on business requirements. Key technical stakeholders should be at the table in this discussion to provide insight on the implementation and ongoing costs and benefits of each platform. Both business and technical requirements should be considered when deciding on a final platform.

    Select your mobile platform

    Drive your mobile platform selection against user-centric needs (e.g. device access, aesthetics) and enterprise-centric needs (e.g. security, system performance).

    When does a platform makes sense to use?

    Web

    • Desire to maximize current web technologies investments (people, process, and technologies).
    • Use cases do not require significant computational resources on the device or are tightly constrained by non-functional requirements.
    • Limited budget to acquire mobile development resources.
    • Access to device hardware is not a high priority.

    Hybrid / Cross-Platform

    • The need to quickly spin up native-like applications for multiple platforms and devices.
    • Desire to leverage existing web development skills, but also a need for device access and meeting specific non-functional requirements.
    • Vendor support is needed for the entire mobile delivery process.

    Native

    • Developers are experts in the target programming language and with the device's hardware.
    • Strong need for high performance, security and device-specific access and customizations.
    • Application use cases requiring significant computing resources.

    Nine datapoints are arranged on a graph where the x axis s labeled: User Centric Needs; and the Y axis is labeled: Enterprise-centric needs. The datapoints are, in order from left to right, top to bottom: Hybrid; Cross- Platform; Native; Web; Hybrid or Cross- Platform; Cros-s Platform; Web; Web; Hybrid or Cross- Platform.

    2.1.1 Select your platform approach

    1-3 hours

    1. Review your mobile objectives, end user needs and non-functional requirements.
    2. Determine which mobile platform is appropriate for each mobile opportunity or use case by answering the following questions on the following slides against two factors: user-centric and enterprise-centric needs.
    3. Calculate an average score for user-centric and one for enterprise-centric. Then, map them on the matrix to indicate possible platform options. Consider all options around the plotted point.
    4. Further discuss which platforms should be the preferred choice.
    5. Document your findings and discussions into Info-Tech's Mobile Application Delivery Communication Template.

    Download the Mobile Application Delivery Communication Template

    Input

    Output
    • Desired mobile experience
    • List of desired mobile features
    • Current state assessments
    • Mobile platform approach
    MaterialsParticipants
    • Whiteboard/Flip Charts
    • Mobile Application Delivery Communication Template
    • Applications Manager
    • Product and Platform Owners
    • Software Delivery Teams
    • Business and IT Leaders

    2.1.1 cont'd

    User-Centric Needs: Functional Requirements

    Factors Definitions Survey Responses
    Device Hardware Access The scope of access to native device hardware features. Basic features include those that are available through current web languages (e.g., geolocation) whereas comprehensive features are those that are device-specific. 1 (Basic) – 2 – 3 (Moderate) – 4 – 5 (Comprehensive)
    Customized Execution of Device Hardware The degree of changes to the execution of local device hardware to satisfy functional needs. 1 (Use as Is) – 2 – 3 (Configure) – 4 – 5 (Customize)
    Device Software Access The scope of access to software on the user's device, such as calendars and contact. 1 (Basic) – 2 – 3 (Moderate) – 4 – 5 (Comprehensive)
    Customized Execution of Device Software The degree of changes to the execution of local device software to satisfy functional needs. 1 (Use as Is) – 2 – 3 (Configure) – 4 – 5 (Customize)
    Use Case Complexity Workflow tasks and decisions are simple and straightforward. Complex computation is not needed to acquire the desired outcome. 1 (Strongly Agree) – 2 – 3 (Neutral) – 4 – 5 (Strongly Disagree)
    Computational Resources The resources needed on the device to complete desired functional needs. 1 (Low) – 2 – 3 (Moderate) – 4 – 5 (High)
    Use Case Ambiguity The mobile use case and technical requirements are well understood and documented. Changes to the mobile application is likely. 1 (Strongly Disagree) – 2 – 3 (Neutral) – 4 – 5 (Strongly Agree)
    Mobile Application Access Enterprise systems and data are accessible to the broader organization through the mobile application. This factor does not necessarily mean that anyone can access it untracked. You may still need to identify yourself or log in, etc. 1 (Strongly Disagree) – 2 – 3 (Neutral) – 4 – 5 (Strongly Agree)
    Scope of Adoption & Impact The extent to which the mobile application is leveraged in the organization. 1 (Enterprise) – 2 – 3 (Department) – 4 – 5 (Team)
    Installable The need to locally install the mobile application. 1 (Low) – 2 – 3 (Moderate) – 4 – 5 (High)
    Targeted Devices & Platforms Mobile applications are developed for a defined set of mobile platform versions and types and device. 1 (Strongly Disagree) – 2 – 3 (Neutral) – 4 – 5 (Strongly Agree)
    Output Audience The mobile application transforms an input into a valuable output for high-priority internal or external stakeholders. 1 (Strongly Disagree) – 2 – 3 (Neutral) – 4 – 5 (Strongly Agree)

    2.1.1 cont'd

    User-Centric Needs: Native User Experience Factors

    Factors Definitions Survey Responses
    Immersive Experience The need to bridge physical world with the virtual and digital environment, such as geofencing and NFC. 1 (Internally Delivered) – 2 – 3 (3rd Party Supported) – 4 – 5 (Business Implemented)
    Timeliness of Content and Updates The speed of which the mobile application (and supporting system) responds with requested information, data and updates from enterprise systems and 3rd party services. 1 (Reasonable Delayed Response) – 2 – 3 (Partially Outsourced) – 4 – 5 (Fully Outsourced)
    Application Performance The speed of which the mobile application completes tasks is critical to its success. 1 (Strongly Disagree) – 2 – 3 (Neutral) – 4 – 5 (Strongly Agree)
    Network Accessibility The needed ability to access and use the mobile application in various network conditions. 1 (Only Available When Online) – 2 – 3 (Partially Available When Online) – 4 – 5 (Available Online)
    Integrated Ecosystem The approach to integrate the mobile application with enterprise or 3rd party systems and services. 1 (Out-of-the-Box Connectors) – 2 – 3 (Configurable Connectors) – 4 – 5 (Customized Connectors)
    Desire to Have a Native Look-and-Feel The aesthetics and UI features (e.g., heavy animations) that are only available through native and cross-platform applications. 1 (Low) – 2 – 3 (Moderate) – 4 – 5 (High)
    User Tolerance to Change The degree of willingness and ableness for a user to change their way of working to maximize the value of the mobile application. 1 (Low) – 2 – 3 (Moderate) – 4 – 5 (High)
    Mission Criticality The business could not execute its main strategy if the mobile application was removed. 1 (Strongly Disagree) – 2 – 3 (Neutral) – 4 – 5 (Strongly Agree)
    Business Value The mobile application directly adds business value to the organization. 1 (Strongly Disagree) – 2 – 3 (Neutral) – 4 – 5 (Strongly Agree)
    Industry Differentiation The mobile application provides a distinctive competitive advantage or is unique to your organization. 1 (Strongly Disagree) – 2 – 3 (Neutral) – 4 – 5 (Strongly Agree)

    2.1.1 cont'd

    Enterprise-Centric Needs: Non-Functional Requirements

    Factors Definitions Survey Responses
    Legacy Compatibility The need to integrate and operate with legacy systems. 1 (Low) – 2 – 3 (Moderate) – 4 – 5 (High)
    Code Portability The need to enable the "code once and deploy everywhere" approach. 1 (High) – 2 – 3 (Moderate) – 4 – 5 (Low)
    Vendor & Technology Lock-In The tolerance to lock into a vendor mobile delivery solution or technology framework. 1 (Low) – 2 – 3 (Moderate) – 4 – 5 (High)
    Data Sensitivity The data used by the mobile application does not fall into the category of sensitive data – meaning nothing financial, medical, or personal identity (GDPR and worldwide equivalents). The disclosure, modification, or destruction of this data would cause limited harm to the organization. 1 (Strongly Disagree) – 2 – 3 (Neutral) – 4 – 5 (Strongly Agree)
    Data Policies Policies of the mobile application's data are mandated by internal departmental standards (e.g. naming standards, backup standards, data type consistency). Policies only mandated in this way usually have limited use in a production capacity. 1 (Strongly Disagree) – 2 – 3 (Neutral) – 4 – 5 (Strongly Agree)
    Security Risks Mobile applications are connected to private data sources and its intended use will be significant if underlying data is breached. 1 (Strongly Disagree) – 2 – 3 (Neutral) – 4 – 5 (Strongly Agree)
    Business Continuity & System Integrity Risks The mobile application in question does not have much significance relative to the running of mission critical processes in the organization. 1 (Strongly Disagree) – 2 – 3 (Neutral) – 4 – 5 (Strongly Agree)
    System Openness Openness of enterprise systems to enable mobile applications from the user interface to the business logic and backend integrations and database. 1 (High) – 2 – 3 (Moderate) – 4 – 5 (Low)
    Mobile Device Management The organization's policy for the use of mobile devices to access and leverage enterprise data and services. 1 (Bring-Your-Own-Device) – 2 – 3 (Hybrid) – 4 – 5 (Corporate Devices)

    2.1.1 cont'd

    Enterprise-Centric Needs: Delivery Capacity

    Factors Definitions Survey Responses
    Ease of Mobile Delivery The desire to have out-of-the-box and packaged tools to expedite mobile application delivery using web technologies. 1 (Low) – 2 – 3 (Moderate) – 4 – 5 (High)
    Solution Competency The capability for internal staff to and learn how to implement and administer mobile delivery tools and deliver valuable, high-quality applications. 1 (Low) – 2 – 3 (Moderate) – 4 – 5 (High)
    Ease of Deployment The desire to have the mobile applications delivered by the team or person without specialized resources from outside the team. 1 (Low) – 2 – 3 (Moderate) – 4 – 5 (High)
    Delivery Approach The capability to successfully deliver mobile applications given budgetary and costing, resourcing, and supporting services constraints. 1 (Low) – 2 – 3 (Moderate) – 4 – 5 (High)
    Maintenance & Operational Support The capability of the resources to responsibly maintain and operate mobile applications, including defect fixes and the addition and extension of modules to base implementations of the digital product. 1 (Low) – 2 – 3 (Moderate) – 4 – 5 (High)
    Domain Knowledge Support The availability and accessibility of subject and domain experts to guide facilitate mobile application implementation and adoption. 1 (Low) – 2 – 3 (Moderate) – 4 – 5 (High)
    Delivery Urgency The desire to have the mobile application delivered quickly. 1 (High) – 2 – 3 (Moderate) – 4 – 5 (Low)
    Reusable Components The desire to reuse UI elements and application components. 1 (High) – 2 – 3 (Moderate) – 4 – 5 (Low)

    2.1.1 cont'd

    Example:

    Score Factors (Average) Mobile Opportunity 1: Inventory Management Mobile Opportunity 2: Remote Support
    User-Centric Needs 4.25 3
    Functional Requirements 4.5 2.25
    Native User Experience Factors 4 1.75
    Enterprise-Centric Needs 4 2
    Non-Functional Requirements 3.75 3.25
    Delivery Capacity 4.25 2.75
    Possible Mobile Platform Cross-Platform Native PWA Hybrid

    Nine datapoints are arranged on a graph where the x axis s labeled: User Centric Needs; and the Y axis is labeled: Enterprise-centric needs. The datapoints are, in order from left to right, top to bottom: Hybrid; Cross- Platform; Native; Web; Hybrid or Cross- Platform; Cros-s Platform; Web; Web; Hybrid or Cross- Platform. Two yellow circles are overlaid, one containing the phrase: Remote Support - over the box containing Progressive Web Applications (PWA) or Hybrid; and a yellow circle containing the phrase Inventory MGMT, partly covering the box containing Native; and the box containing Cross-Platform.

    Build a scalable and manageable platform

    Long-term mobile success depends on the efficiency and reliability of the underlying operational platform. This platform must support the computational and performance demands in a changing business environment, whether it is composed of off-the-self or custom-developed solutions, or a single vendor or best-of-breed.

    • Application
      • The UI design and content language is standardized and consistently applied
      • All mobile configurations and components are automatically versioned
      • Controlled administration and tooling access, automation capabilities, and update delivery
      • Holistic portfolio management
    • Data
      • Automated data management to preserve data quality (e.g. removal of duplications)
      • Defined single source of truth
      • Adherence to data governance, and privacy and security policies
      • Good content management practices, governance and architecture
    • Infrastructure
      • Containers and sandboxes are available for development and testing
      • Self-healing and self-service environments
      • Automatic system scaling and load balancing
      • Comply to budgetary and licensing constraints
    • Integration
      • Backend database and system updates are efficient
      • Loosely coupled architecture to minimize system regressions and delivery effort
      • Application, system and data monitoring

    Step 2.2

    Shortlist Your Mobile Delivery Solution

    Activities

    2.2.1 Shortlist your mobile delivery solution

    2.2.2 Build your feature and service lists

    Define Your Mobile Approach

    This step involves the following participants:

    • Applications Manager
    • Product and Platform Owners
    • Software Delivery Teams
    • Business and IT Leaders

    Outcomes of this step

    • Shortlisted mobile delivery solutions
    • Desired list of vendor features and services

    Ask yourself: should I build or buy?

    Build Buy

    Multi-Source Best-of-Breed

    Vendor Add-Ons & Integrations

    Integrate various technologies that provide subset(s) of the features needed for supporting the business functions.

    Enhance an existing vendor's offerings by using their system add-ons either as upgrades, new add-ons or integrations.

    Pros

    • Flexibility in choice of tools.
    • In some cases, cost may be lower.
    • Easier to enhance with in-house teams.

    Cons

    • Introduces tool sprawl.
    • Requires resources to understand tools and how they integrate.
    • Some of the tools necessary may not be compatible with each other.

    Pros

    • Reduces tool sprawl.
    • Supports consistent tool stack.
    • Vendor support can make enhancement easier.
    • Total cost of ownership may be lower.

    Cons

    • Vendor Lock-In.
    • The processes to enhance may require tweaking to fit tool capability.

    Multi-Source Custom

    Single Source

    Integrate systems built in-house with technologies developed by external organizations.

    Buy an application/system from one vendor only.

    Pros

    • Flexibility in choice of tools.
    • In some cases, cost may be lower.
    • Easier to enhance with in-house teams.

    Cons

    • May introduce tool sprawl.
    • Requires resources to have strong technical skills
    • Some of the tools necessary may
    • not be compatible with each other.

    Pros

    • Reduces tool sprawl.
    • Supports consistent tool stack.
    • Vendor support can make enhancement easier.
    • Total cost of ownership may be lower.

    Cons

    • Vendor Lock-In.
    • The processes to enhance may require tweaking to fit tool capability.

    Weigh the pros and cons of mobile enablement versus development

    Mobile Enablement

    Mobile Development

    Description Mobile interfaces that heavily rely on enterprise or 3rd party systems to operate. Mobile does not expand the functionality of the system but complements it with enhanced access, input and consumption capabilities. Mobile applications that are custom built or configured in a way that can operate as a standalone entity, whether they are locally deployed to a user's device or virtually hosted.
    Mobile Platform Mobile web, locally installed mobile application provided by vendor Mobile web, hybrid, cross-platform, native
    Typical Audience Internal staff, trusted users Internal and external users, general public
    Examples of Tooling Flavors Enterprise applications, point solutions, robotic & process automation Mobile enterprise application platform, web development, low and no code development, software development kits (SDKs)
    Technical Skills Required Little to no mobile delivery experience and skillsets are needed, but teams must be familiar with the supporting system to understand how a mobile interface can improve the value of the system. Have good UX-driven and quality-first practices in the mobile context. In-depth coding, networking, system and UX design, data management and security skills are needed for complex designs, functions, and architectures.
    Architecture & Integration Architecture is standardized by the vendor or enterprise with UI elements that are often minimally configurable. Extensions and integrations must be done through the system rather than the mobile interface. Much of application stack and integration approach can be customized to meet the specific functional and non-functional needs. It should still leverage web and design standards and investments currently used.
    Functional Scope Functionality is limited to the what the underlying system allows the interface to do. This often is constrained to commodity web application features (e.g., reporting) or tied to minor configurations to the vendor-provided point solution Functionality is only constrained by the platform and the targeted mobile devices whether it is performance, integration, access or security related. Teams should consider feature and content parity across all products within the organization portfolio.
    Delivery Pipeline End-to-end delivery and automated pipeline is provided by the vendor to ensure parity across all interfaces. Many vendors provide cloud-based services for hosting. Otherwise, it is directly tied to the SDLC of the supporting system. End-to-end delivery and automated pipeline is directly tied to enterprise SDLC practices or through the vendor. Some vendors provide cloud-based services for hosting. Updates are manually or automatically (through a vendor) published to app stores and can be automatically pushed to corporate users through mobile application management capabilities.
    Standards & Guardrails Quality standards and technology governance are managed by the vendor or IT with limited capabilities to tailor them to be mobile specific. Quality standards and technology governance are managed by the mobile delivery teams. The degree of customizations to these standards and guardrails is dependent on the chosen platform and delivery team competencies.

    Understand the common attributes of a mobile delivery solution

    • Source Code Management – Built-in or having the ability to integrate with code management solutions for branching, merging, and versioning. Debugging and coding assistance capabilities may be available.
    • Single Code Base – Capable of programming in a standard coding and scripting language for deployment into several platforms and devices. This code base is aligned to a common industry framework (e.g., AngularJS, Java) or a vendor-defined one.
    • Out-of-the-Box Connectors & Plug-ins – Pre-built APIs enhance the solution's capabilities with 3rd party tools and systems to deliver and manage high quality and valuable mobile applications.
    • Emulators – Ability to virtualize an application's execution on a target platform and device.
    • Support for Native Features – Supports plug-ins and APIs for access to device-specific features.

    What are mobile delivery solutions?

    A mobile delivery solution gives you the tools, resources and support to enable or build your mobile application. They can provide pre-built applications, vendor supported components to allow some configurations, or resources for full stack customizations. Some solutions can be barebone software development kits (SDKs) or comprehensive suites offering features to support the entire software delivery lifecycle, such as:

    • Mobile application management
    • Testing and publishing to app stores
    • Content management
    • Cloud hosting
    • Application performance management

    Info-Tech Insight

    Mobile enablement and development capabilities are already embedded in many common productivity tools and enterprise applications, such as Microsoft PowerApps and ERP modules. They can serve as a starting point in the initial rollout of new management and governance practices without the need of acquiring new tools.

    Select your mobile delivery solutions

    1. Set the scope of your framework.
    • The initial context of this framework is based on the mobile functions needed to support your desired mobile experience and on the current state of your enterprise and 3rd party systems.
  • Define the decision factors for your solution selection.
    • Review the decision factors that will influence the selection of your mobile delivery solution for each mobile opportunity:
    • Stack Management – Who will be hosting and supporting your mobile application stack?
    • Workflows Complexity & Native Experience – How complex is your desired mobile experience and how will native device features be leveraged?
  • Select your solution type.
    • Mobile delivery solutions are broadly defined in the following groups:
    • Commercial-Off-The-Shelf (COTS) – Pre-built mobile applications requiring little to no configurations or implementation effort.
    • Vendor Hosted Mobile Platform – Back-end and mid-tier infrastructure and operational support are managed by a vendor.
    • Cross-Platform Development – Frameworks that transform a single code base into platform-specific builds.
    • Hybrid Development – Tools that wrap a single code base into a locally deployable build.
    • Custom Web Development – Environment enabling full stack development for mobile web applications.
    • Custom Native Development – Environment enabling full stack development for mobile native applications.
  • A quadrant analysis is depicted. the top data is labeled Complex Mobile Features; the right side is labeled Organization-Managed Stack; the bottom is labeled Simple Mobile Features; and the left side is labeled Vendor-Managed Stack. The quadrants are labeled the following, in order from left to right, top to bottom. Vendor- Hosted Mobile Platform; Custom Native Development Solutions; Commercial-Off-the-Shelf Solutions; Custom Web Development Solutions. In the middle of the graph are the following, in order from top to bottom: Cross-Platform Development Solutions; Hybrid Development Solutions

    Explore the various solution options

    Vendor Hosted Mobile Platform

    • Cloud Services (Mobile Backend-as-a-Service) (Amazon Amplify, Kinvey, Back4App, Google Firebase, Apache Usergrid)
    • Low Code Mobile Platforms (Outsystems, Mendix, Zoho Creator, IBM Mobile Foundation, Pega Mobile, HCL Volt MX, Appery)
    • Mobile Development via Enterprise Application (SalesForce Heroku, Oracle Application Accelerator MAX, SAP Mobile Development Kit, NetSuite Mobile)
    • Mobile Development via Business Process Automation (PowerApps, Appian, Nintex, Quickbase)

    Cross-Platform Development SDKs

    React Native, NativeScript, Xamarin Forms, .NET MAUI, Flutter, Kotlin Multiplatform Mobile, jQuery Mobile, Telerik, Temenos Quantum

    Custom Native Development Solutions

    • Native Development Languages and Environments (Swift, Java, Objective-C, Kotlin, Xcode, NetBeans, Android Studio, AppCode, Microsoft Visual Studio, Eclipse, DriodScript, Compose, Atom)
    • Mobile Application Utilities (Unity, MonoGame, Blender, 3ds Max Design, Maya, Unreal Engine, Amazon Lumberyard, Oculus)

    Commercial-Off-the-Shelf Solutions

    • No Code Mobile Platforms (Swiftic, Betty Blocks, BuildFire, Appy Pie, Plant an App, Microsoft Power Apps, AppSheet, Wix, Quixy)
    • Mobile Application Point Solutions and Enablement via Enterprise Applications

    Hybrid Development SDKs

    Cordova Project, Sencha Touch, Electron, Ionic, Capacitor, Monaca, Voltbuilder

    Custom Web Development Solutions

    Web Development Frameworks (React, Angular, Vue, Express, Django, Rails, Spring, Ember, Backbone, Bulma, Bootstrap, Tailwind CSS, Blade)

    Get the most out of your solutions by understanding their core components

    While most of the heavy lifting is handled by the vendor or framework, understanding how the mobile application is built and operates can identify where further fine-tuning is needed to increase its value and quality.

    Platform Runtime

    Automatic provisioning, configurations, and tuning of organizational and 3rd party infrastructure for high availability, performance, security and stability. This can include cloud management and non-production environments.

    Extensions

    • Mobile delivery solutions can be extended to allow:
    • Custom development of back-end code
    • Customizable integrations and hooks where needed
    • Integrations with CI/CD pipelines and administrative services
    • Integrations with existing databases and authentication services

    Platform Services

    The various services needed to support mobile delivery and enable continuous delivery, such as:

    • Configuration & Change Management – Verifies, validates, and monitors builds, deployments and changes across all components.
    • Code Generator – Transforms UI and data models into native application components that are ready to be deployed.
    • Deployment Services – Deploys application components consistently across all target environments and app stores.
    • Application Services – Manages the mobile application at runtime, including executing scheduled tasks and instrumentation.

    Application Architecture

    Fundamentally, mobile application architecture is no different than any other application architecture so much of your design standards still applies. The trick is tuning it to best meet your mobile functional and non-functional needs.

    This image contains an example of mobile application architecture.

    Source: "HCL Volt MX", HCL.

    Build your shortlist decision criteria

    The decision on which type of mobile delivery solution to use is dependent on several key questions?

    Who is the Mobile Delivery Team?

    • Is it a worker, business or IT?
    • What skills and knowledge does this person have?
    • Who is supporting mobile delivery and management?
    • Are other skills and tools needed to support, extend or mature mobile delivery adoption?

    What are the Use Cases?

    • What is the value and priority of the use cases?
    • What native features do we need?
    • Who is the audience of the output and who is impacted?
    • What systems, data and services do I need access?
    • Is it best to build it or buy it?
    • What are the quality standards?
    • How strategic is the use case?

    How Complex is the System?

    • Is the mobile application a standalone or integrated with enterprise systems?
    • What is the system's state and architecture?
    • What 3rd party services do we need integrated?
    • Are integrations out-of-the-box or custom?
    • Is the data standardized and who can edit its definition?
    • Is the system monolithic or loosely coupled?

    How Much Can We Tolerate?

    • Risks: What are the business and technical risks involved?
    • Costs: How much can we invest in implementation, training and operations?
    • Change: What organizational changes am I expecting to make? Will these changes be accepted and adopted?

    2.2.1 Shortlist your mobile delivery solution

    1-3 hours

    1. Determine which mobile delivery solutions is appropriate for each mobile opportunity or use case by answering the following questions on the following slides against two factors: complexity of mobile workflows and native features and management of the mobile stack.
      1. Take the average of the enterprise-centric and user-centric scores from step 2.1 for your complexity of mobile workflows and native features scores.
    2. Calculate an average score for the management of the mobile stack. Then, map them on the matrix to indicate possible solution options alongside your user-centric scores. Consider all options around the plotted point.
    3. Further discuss which solution should be the preferred choice and compare those options with your selected platform approach.
    4. Document your findings and discussions into Info-Tech's Mobile Application Delivery Communication Template.

    Download the Mobile Application Delivery Communication Template

    Input

    Output
    • Current state assessment
    • Mobile platform approach
    • Shortlist of mobile delivery solution
    MaterialsParticipants
    • Whiteboard/Flip Charts
    • Mobile Application Delivery Communication Template
    • Applications Manager
    • Product and Platform Owners
    • Software Delivery Teams
    • Business and IT Leaders

    2.2.1 cont'd

    Stack Management

    Factors Definitions Survey Responses
    Cost of Delayed Delivery The expected cost if a vendor solution or update is delayed. 1 (Low) – 2 – 3 (Moderate) – 4 – 5 (High)
    Vendor Negotiation Organization's ability to negotiate favorable terms from vendors. 1 (High) – 2 – 3 (Moderate) – 4 – 5 (Low)
    Controllable Delivery Timeline Organization's desire to control when solutions and updates are delivered. 1 (Low) – 2 – 3 (Moderate) – 4 – 5 (High)
    Solution Hosting The desired approach to host the mobile application. 1 (Fully Outsourced) – 2 – 3 (Partially Outsourced) – 4 – 5 (Internally Hosted)
    Vendor Lock-In The tolerance to be locked into a specific technology stack or vendor ecosystem. 1 (Low) – 2 – 3 (Moderate) – 4 – 5 (High)
    Operational Cost Target The primary target of the mobile application's operational budget. 1 (External Resources) – 2 – 3 (Hybrid) – 4 – 5 (Internal Resources)
    Platform Management The desired approach to manage the mobile delivery solution, platform or underlying technology. 1 (Decentralized) – 2 – 3 (Federated) – 4 – 5 (Centralized)
    Skill & Competency of Mobile Delivery Team The ability of the team to create and manage valuable and high-quality mobile applications. 1 (Low) – 2 – 3 (Moderate) – 4 – 5 (High)
    Current Investment in Enterprise Technologies The need to maximize the ROI of current enterprise technologies or integrate with legacy technologies. 1 (High) – 2 – 3 (Moderate) – 4 – 5 (Low)
    Ease of Extensibility Need to have out-of-the-box connectors and plug-ins to extend the mobile delivery solution beyond its base implementation. 1 (High) – 2 – 3 (Moderate) – 4 – 5 (Low)
    Holistic Application Strategy Organizational priorities on the types of applications the portfolio should be comprised. 1 (Buy) – 2 – 3 (Hybrid) – 4 – 5 (Build)
    Control of Delivery Pipeline The desire to control the software delivery pipeline from design to development, testing, publishing and support. 1 (Low) – 2 – 3 (Moderate) – 4 – 5 (High)
    Specific Quality Requirements Software and mobile delivery is constrained to your unique quality standards (e.g., security, performance, availability) 1 (Low) – 2 – 3 (Moderate) – 4 – 5 (High)

    2.2.1 cont'd

    Example:

    Score Factors (Average) Mobile Opportunity 1: Inventory Management Mobile Opportunity 2: Remote Support
    User-Centric & Enterprise Centric Needs (From Step 2.1) 4.125 2.5
    Stack Management 2 2.5
    Desired Mobile Delivery Solution Vendor-Hosted Mobile Platform

    Commercial-Off-the-Shelf Solution

    Hybrid Development Solution

    A quadrant analysis is depicted. the top data is labeled Complex Mobile Features; the right side is labeled Organization-Managed Stack; the bottom is labeled Simple Mobile Features; and the left side is labeled Vendor-Managed Stack. The quadrants are labeled the following, in order from left to right, top to bottom. Vendor- Hosted Mobile Platform; Custom Native Development Solutions; Commercial-Off-the-Shelf Solutions; Custom Web Development Solutions. In the middle of the graph are the following, in order from top to bottom: Cross-Platform Development Solutions; Hybrid Development Solutions.

    Consider the following in your solution selection and implementation

    • Vendor lock in – Each solution has its own approach, frameworks, and data schemas to convert designs and logic into an executable build that is stable in the targeted environment. Consequently, moving application artifacts (e.g., code and designs) from one solution or environment to another may not be easily accomplished without significant modifications or the use of application modernization or migration services.
    • Conflicting priorities and viewpoints of good delivery practices – Mobile delivery solutions are very particular on how they generate applications from designs and configurations. The solution's approach may not accommodate your interpretation of high-quality code (e.g., scalability, maintainability, extensibility, security). Technical experts should be reviewing and refactoring the generated code.
    • Incompatibility with enterprise applications and systems – The true benefit of mobile delivery solutions is their ability to connect your mobile application to enterprise and 3rd party technologies and services. This capability often requires enterprise technologies and services to be architected in a way that is compatible with your delivery solution while ensuring data, security protocols and other standards and policies are consistently enforced.
    • Integration with current application development and management tools – Mobile delivery solutions should be extensions from your existing application development and management tools that provides the versioning, testing, monitoring, and deployment capabilities to sustain a valuable application portfolio. Without this integration, IT will be unable to:
      • Root cause issues found on IT dashboards or reported to help desk.
      • Rollback defective applications to a previous stable state.
      • Obtain a complete application portfolio inventory.
      • Execute comprehensive testing for high-risk applications.
      • Trace artifacts throughout the development lifecycle.
      • Generate reports of the status of releases.

    Enhance your SDLC to support mobile delivery

    What is the SDLC?

    The software development lifecycle (SDLC) is a process that ensures valuable software products are efficiently delivered to customers. It contains a repeatable set of activities needed to intake and analyze requirements to design, build, test, deploy, and maintain software products.

    How will mobile delivery influence my SDLC?

    • Cross-functional collaboration – Bringing business and IT together at the most opportune times to clarify user needs and business priorities, and set realistic expectations given technology and capacity constraints. The appropriate tactics and techniques are used to improve decision making and delivery effectiveness according to the type of work.
    • Iterative delivery – Frequent delivery of progressive changes minimizes the risk of low-quality features by containing and simplifying scope, and enables responsive turnarounds of fixes, enhancements, and priority changes.
    • Feedback loops –Mobile application owners constantly review, update and refine their backlog of mobile features and changes to reflect user feedback and system performance metrics. Delivery teams proactively prepare the application for future scaling based on lessons and feedback learned from earlier releases.

    To learn more, visit Info-Tech's Modernize Your SDLC blueprint.

    Example: Low- & No-Code Mobile Delivery Pipeline

    Low Code

    Data Modeling & Configuration

    No Code

    Visual Interface with Complex Data Models

    Data Modeling & Configuration

    Visual Interfaces with Simple Data Models

    GUI Designer with Customizable Components & Entities

    UI Definition & Design

    GUI Designer with Canned Templates

    Visual Workflow and Custom Scripting

    Business Logic Rules and Workflow Specification

    Visual Workflow and Natural Language Scripting

    Out-of-the-Box Plugins & Custom Integrations

    Integration of External Services (via 3rd Party APIs)

    Out-of-the-Box Plugins

    Automated and Manual Build & Packaging

    Build & Package

    Automated Build & Packaging

    Automated & Manual Testing

    Test

    Automated Testing

    One-Click Push or IT Push to App Store

    Publish to App Store

    One-Click Push to App Store

    Use Info-Tech's research to address your delivery gaps

    Mobile success requires more than a set of good tools.

    Overcome the Common Challenges Faced with Building Mobile Applications

    Common Challenges with Digital Applications

    Suggested Solutions

    • Time & Resource Constraints
    • Buy-In From Internal Stakeholders
    • Rapidly Changing Requirements
    • Legacy Systems
    • Low-Priority for Internal Tools
    • Insufficient Data Access

    Source: DronaHQ, 2021

    Learn the differentiators of mobile delivery solutions

    • Native Program Languages – Supports languages other than web (Java, Ruby, C/C++/C#, Objective-C).
    • IDE Integration – Available plug-ins for popular development suites and editors.
    • Debugging Tools – Finding and eliminating bugs (breakpoints, single stepping, variable inspection, etc.).
    • Application Packaging via IDE – Digitally sign applications through the IDE for it to be packaged and published in app stores.
    • Automated Testing Tools – Native or integration with automated functional and unit testing tools.
    • Low- and No- Code Designer – Tools for designing graphical user interfaces and features and managing data with drag-and-drop functionalities.
    • Publishing and Deployment Capabilities – Automated deployment to mobile device management (MDM) systems, mobile application management (MAM) systems, mobile application stores, and web servers.
    • Third-Party and Open-Source Integration – Integration with proprietary and open-source third-party modules, development tools, and systems.
    • Developer Marketplace – Out-of-the-box plug-ins, templates, and integration are available through a marketplace.
    • Mobile Application Support Capabilities – Ability to gather, manage, and address application issues and defects.
    • API Gateway, Monitoring, and Management – Services that enable the creation, publishing, maintenance, monitoring, and securing of APIs through a common interface.
    • Mobile Analytics and Monitoring – View the adoption, usage, and performance of deployed mobile applications through graphical dashboards.
    • Mobile Content Management – Publish and manage mobile content through a centralized system.
    • Mobile Application Security – Supports the securing of application access and usage, data encryption, and testing of security controls.

    Define your mobile delivery vendor selection criteria

    Focus on the key vendor attributes and capabilities that enable mobile delivery scaling and growth in your organization

    Considerations in Mobile Delivery Vendor Selection
    Platform Features & Capabilities Price to Implement & Operate Platform
    Types of Mobile Applications That Can Be Developed Ease of IT Administration & Management
    User Community & Marketplace Size Security, Privacy & Access Control Capabilities
    SME in Industry Verticals & Business Functions Vendor Product Roadmap & Corporate Strategy
    Pre-Built Designs, Templates & Application Shells Scope of Device- and OS-Specific Compatibilities
    Regulatory & Industry Compliance Integration & Technology Partners
    Importing Artifacts From and Exporting to Other Solutions Platform Architecture & Underlying Technology
    End-to-End Support for the Entire Mobile SDLC Relevance to Current Mobile Trends & Practices

    Build your features list

    Incorporate different perspectives when defining the list of mandatory and desired features of your target solution.

    Appendix B contains a list of features for low- and no-code solutions that can be used as a starting point.

    Visit Info-Tech's Implement a Proactive and Consistent Vendor Selection Process blueprint.

    Mobile Developer

    • Visual, drag-and-drop models to define data models, business logic, and user interfaces.
    • One-click deployment.
    • Self-healing capabilities.
    • Vendor-managed infrastructure.
    • Active community and marketplace.
    • Pre-built templates and libraries.
    • Optical character recognition and natural language processing.
    • Knowledgebase and document management.
    • Business value, operational costs, and other KPI monitoring.
    • Business workflow automation.

    Mobile IT Professional

    • Audit and change logs.
    • Theme and template builder.
    • Template management.
    • Role-based access.
    • Regulatory compliance.
    • Consistent design and user experience across applications.
    • Application and system performance monitoring.
    • Versioning and code management.
    • Automatic application and system refactoring and recovery.
    • Exception and error handling.
    • Scalability (e.g. load balancing) and infrastructure management.
    • Real-time debugging.
    • Testing capabilities.
    • Security management.
    • Application integration management.

    2.2.2 Build your feature and service lists

    1-3 hours

    Review the key outcomes in the previous exercises to help inform the features and vendor support you require to support your mobile delivery needs:

    End user personas and desired mobile experience

    Objectives and expectations

    Desired mobile features and platform

    Mobile delivery solutions

    Brainstorm a list of features and functionalities you require from your ideal solution vendors. Prioritize these features and functionalities. See our Implement a Proactive and Consistent Vendor Selection Process blueprint for more information on vendor procurement.

    Document your findings and discussions into Info-Tech's Mobile Application Delivery Communication Template.

    Download the Mobile Application Delivery Communication Template

    Input

    Output
    • Shortlist of mobile solutions
    • Quality definitions
    • Mobile objectives and metrics
    • List of desired features and services of mobile delivery solution vendors
    MaterialsParticipants
    • Whiteboard/Flip Charts
    • Mobile Application Delivery Communication Template
    • Applications Manager
    • Product and Platform Owners
    • Software Delivery Teams
    • Business and IT Leaders

    Hit a home run with your stakeholders

    Use a data-driven approach to select the right tooling vendor for your needs – fast.

    AwarenessEducation & DiscoveryEvaluationSelection

    Negotiation & Configuration

    1.1 Proactively Lead Technology Optimization & Prioritization2.1 Understand Marketplace Capabilities & Trends3.1 Gather & Prioritize Requirements & Establish Key Success Metrics4.1 Create a Weighted Selection Decision Model5.1 Initiate Price Negotiation with Top Two Venders
    1.2 Scope & Define the Selection Process for Each Selection Request Action2.2 Discover Alternate Solutions & Conduct Market Education3.2 Conduct a Data Driven Comparison of Vendor Features & Capabilities4.2 Conduct Investigative Interviews Focused on Mission Critical Priorities with Top 2-4 Vendors5.2 Negotiate Contract Terms & Product Configuration

    1.3 Conduct an Accelerated Business Needs Assessment

    2.3 Evaluate Enterprise Architecture & Application PortfolioNarrow the Field to Four Top Contenders4.3 Validate Key Issues with Deep Technical Assessments, Trial Configuration & Reference Checks5.3 Finalize Budget Approval & Project
    1.4 Align Stakeholder Calendars to Reduce Elapsed Time & Asynchronous Evaluation2.4 Validate the Business Case5.4 Invest in Training & Onboarding Assistance

    Investing time improving your software selection methodology has big returns.

    Info-Tech Insight

    Not all software selection projects are created equal – some are very small, some span the entire enterprise. To ensure that IT is using the right framework, understand the cost and complexity profile of the application you're looking to select. Info-Tech's Rapid Application Selection Framework approach is best for commodity and mid-tier enterprise applications; selecting complex applications is better handled by the methodology in Info-Tech's Implement a Proactive and Consistent Vendor Selection Process.

    Step 2.3

    Create a Roadmap for Mobile Delivery

    Activities

    2.3.1 Define your MVP release

    2.3.2 Build your roadmap

    Define Your Mobile Approach

    This step involves the following participants:

    • Applications Manager
    • Product and Platform Owners
    • Software Delivery Teams
    • Business and IT Leaders

    Outcomes of this step

    • MVP design
    • Mobile delivery roadmap

    Achieve mobile success with MVPs

    By delivering mobile capabilities in small iterations, teams recognize value sooner and reduce accumulated risk. Both benefits are realized as the iteration enters validation testing and release.

    This image depicts a graph of the learn-build-measure cycle over time, adapted from Managing the Development of Large Software Systems, Dr. Winston W. Royce, 1970

    An MVP focuses on a small set of functions, involves minimal possible effort to deliver a working and valuable solution, and is designed to satisfy a specific user group. Its purpose is to:

    • Maximize learning.
    • Evaluate the value and acceptance of mobile applications.
    • Inform the building of a mobile delivery practice.

    The build-measure-learn loop suggests mobile delivery teams should perpetually take an idea and develop, test, and validate it with the mobile development solution, then expand on the MVP using the lessons learned and evolving ideas. In this sense the MVP is just the first iteration in the loop.

    Leverage a canvas to detail your MVP

    Use the release canvas to organize and align the organization around your MVP!

    This is an example of a release canvas which can be used to detail your MVP.

    2.3.1 Define your MVP release

    1-3 hours

    1. Create a list of high priority use cases slated for mobile application delivery. Brainstorm the various supporting activities required to implement your use cases including the shortlisting of mobile delivery tools.
    2. Prioritize these use cases based on business priority (from your canvas). Size the effort of these use cases through collaboration.
    3. Define your MVPs using a release canvas as shown on the following slide.
    4. Document your findings and discussions into Info-Tech's Mobile Application Delivery Communication Template.

    Input

    Output
    • High priority mobile opportunities
    • Mobile platform approach
    • Shortlist of mobile solutions
    • List of potential MVPs
    MaterialsParticipants
    • Whiteboard/Flip Charts
    • Mobile Application Delivery Communication Template
    • Applications Manager
    • Product and Platform Owners
    • Software Delivery Teams
    • Business and IT Leaders

    2.3.1 cont'd

    MVP Name

    Owner:
    Parent Initiative:
    Updated:

    NAME
    LINK
    October 05, 2022

    MVP Theme/Goals

    [Theme / Goal]

    Use Cases

    Value

    Costs

    [Use Case 1]
    [Use Case 2]
    [Use Case 3]

    [Business Value 1]
    [Business Value 2]
    [Business Value 3]

    [Cost Item 1]
    [Cost Item 2]
    [Cost Item 3]

    Impacted Personas

    Impacted Workflows

    Stakeholders

    [Persona 1]
    [Persona 2]
    [Persona 3]

    [Workflow 1]
    [Workflow 2]
    [Workflow 3]

    [Stakeholder 1]
    [Stakeholder 2]
    [Stakeholder 3]

    Build your mobile roadmap

    It's more than a set of colorful boxes. It's the map to align everyone to where you are going

    Your mobile roadmap

    • Lays out a strategy for your mobile application, platform and practice implementation and scaling.
    • Is a statement of intent for your mobile adoption.
    • Communicates direction for the implementation and use of mobile delivery tools, mobile applications and supporting technologies.
    • Directly connects to the organization's goals

    However, it is not:

    • Representative of a hard commitment.
    • A simple combination of your current product roadmaps

    Roadmap your MVPs against your milestones and release dates

    This is an image of an example of a roadmap for your MVPS, with milestones across Jan 2022, Feb 2022, Mar 2022, Apr 2022. under milestones, are the following points: Points in the timeline when an established set of artifacts is complete (feature-based), or to check status at a particular point in time (time-based); Typically assigned a date and used to show progress; Plays an important role when sequencing different types of artifacts. Under Release Dates are the following points: Releases mark the actual delivery of a set of artifacts packaged together in a new version of processes and applications or new mobile application and delivery capabilities. ; Release dates, firm or not, allow stakeholders to anticipate when this is coming.

    To learn more, visit Info-Tech's Deliver on Your Digital Product Vision blueprint.

    Understand what is communicated in your roadmap

    WHY is the work being done?

    Explains the overarching goal of work being done to a specific audience.

    WHO is doing the work?

    Categorizes the different groups delivering the work on the product.

    WHAT is the work being done?

    Explains the artifacts, or items of work, that will be delivered.

    WHEN is the work being done?

    Explains when the work will be delivered within your timeline.

    To learn more, visit Info-Tech's Deliver on Your Digital Product Vision blueprint.

    Pay attention to organizational changes

    Be prepared to answer:

    "How will mobile change the way I do my job?"

    • Plan how workers will incorporate mobile applications into their way of working and maximize the features it offers.
    • Address the human concerns regarding the transition to a digital world involving modern and mobile technologies and automation.
    • Accept changes, challenges and failures with open arms and instill tactics to quickly address them.
    • Build and strengthen business-IT trust, empowerment, and collaborative culture by adopting the right practices throughout the mobile delivery process.
    • Ensure continuous management and leadership support for business empowerment, operational changes, and shifts in role definitions to best support mobile delivery.
    • Establish a committee to manage the growth, adoption, and delivery of mobile as part of a grandeur digital application portfolio and address conflicts among business units and IT.

    Anticipate and prepare for changes and issues

    Verify and validate the flexibility and adaptability of your mobile applications, strategy and roadmap against various scenarios

    • Scenarios
      • Application Stores Rejecting the Application
      • Security Incidents & Risks
      • Low User Adoption, Retention & Satisfaction
      • Incompatibility with User's Device & Other Systems
      • Device & OS Patches & Updates
      • Changes in Industry Standards & Regulations

    Use the "Now, Next, Later" roadmap

    Use this when deadlines and delivery dates are not strict. This is best suited for brainstorming a product plan when dependency mapping is not required.

    Now

    What are you going to do now?

    Next

    What are you going to do very soon?

    Later

    What are you going to do in the future?

    This is a roadmap showing various points in the following categories: Now; Next; Later

    Adapted From: "Tips for Agile product roadmaps & product roadmap examples," Scrum.org, 2017

    2.3.2 Build your roadmap

    1-3 hours

    1. Identify the business outcomes your mobile application delivery and MVP is expected to deliver.
    2. Build your strategic roadmap by grouping each business outcome by how soon you need to deliver it:
      1. Now: Let's achieve this ASAP.
      2. Next: Sometime very soon, let's achieve these things.
      3. Later: Much further off in the distance, let's consider these things.
    3. Identify what the critical steps are for the organization to embrace mobile application delivery and deliver your MVP.
    4. Build your tactical roadmap by grouping each critical step by how soon you need to address it:
      1. Now: Let's do this ASAP.
      2. Next: Sometime very soon, let's do these things.
      3. Later: Much further off in the distance, let's consider these things.
    5. Document your findings and discussions into Info-Tech's Mobile Application Delivery Communication Template.

    Input

    Output
    • List of potential MVPs
    • Mobile roadmap
    MaterialsParticipants
    • Whiteboard/Flip Charts
    • Mobile Application Delivery Communication Template
    • Applications Manager
    • Product and Platform Owners
    • Software Delivery Teams
    • Business and IT Leaders

    2.3.2 cont'd

    Example: Tactical Roadmap

    Milestone 1

    • Modify the business processes of the MVP to best leverage mobile technologies. Streamline the business processes by removing the steps that do not directly support value delivery.
    • Develop UI templates using the material design framework and the organization's design standards. Ensure it is supported on mobile devices through the mobile browser and satisfy accessibility design standards.
    • Verify and validate current security controls against latest security risks using the W3C as a starting point. Install the latest security patches to maintain compliance.
    • Acquire the Ionic SDK and upskill delivery teams.

    Milestone 2

    • Update the current web framework and third-party libraries with the latest version and align web infrastructure to latest W3C guidelines.
    • Verify and validate functionality and stability of APIs with third-party applications. Begin transition to REST APIs where possible.
    • Make minor changes to the existing data architecture to better support the data volume, velocity, variety, and veracity the system will process and deliver.
    • Update the master data management with latest changes. Keep changes to a minimum.
    • Develop and deliver the first iteration of the MVP with Ionic.

    Milestone 3

    • Standardize the initial mobile delivery practice.
    • Continuously monitor the system and proactively address business continuity, system stability and performance, and security risks.
    • Deliver a hands-on and facilitated training session to end users.
    • Develop intuitive user manuals that are easily accessible on SharePoint.
    • Consult end users for their views and perspectives of suggested business model and technology changes.
    • Regularly survey end users and the media to gauge industry sentiment toward the organization.

    Pitch your roadmap initiatives

    There are multiple audiences for your pitch, and each audience requires a different level of detail when addressed. Depending on the outcomes expected from each audience, a suitable approach must be chosen. The format and information presented will vary significantly from group to group.

    Audience

    Key Contents

    Outcome

    Outcome

    • Costs or benefits estimates

    Sign off on cost and benefit projections

    Executives and decision makers

    • Business value and financial benefits
    • Notable business risks and impacts
    • Business rationale and strategic roadmap

    Revisions, edits, and approval

    IT teams

    • Notable technical and IT risks
    • IT rationale and tactical roadmap
    • Proposed resourcing and skills capacity

    Clarity of vision and direction and readiness for delivery

    Business workers

    • Business rationale
    • Proposed business operations changes
    • Application roadmap

    Verification on proposed changes and feedback

    Continuously measure the benefits and value realized in your mobile applications

    Success hinges on your team's ability to deliver business value. Well-developed mobile applications instill stakeholder confidence in ongoing business value delivery and stakeholder buy-in, provided proper expectations are set and met.

    Business value defines the success criteria of an organization, and it is interpreted from four perspectives:

    • Profit Generation – The revenue generated from a business capability with mobile applications.
    • Cost Reduction – The cost reduction when performing business capabilities with mobile applications.
    • Service Enablement – The productivity and efficiency gains of internal business operations with mobile applications.
    • Customer and Market Reach – Metrics measuring the improved reach and insights of the business in existing or new markets.

    See our Build a Value Measurement Framework blueprint for more information about business value definition.

    Business Value Matrix

    This image contains a quadrant analysis with the following labels: Left - Improved Capabilities; Top - Outward; Right - Financial Benefit; Bottom - Inward. the quadrants are labeled the following, in order from left to right, top to bottom. Customer and Market Reach; Profit Generation; Service Enhancement; Cost Reduction

    Grow your mobile delivery practice

    We are Here
    Level 1: Mobile Delivery Foundations Level 2: Scaled Mobile Delivery Level 3: Leading-Edge Mobile Delivery

    You understand the opportunities and impacts mobile has on your business operations and its disruptive nature on your enterprise systems. Your software delivery lifecycle was optimized to incorporate the specific practices and requirements needed for mobile. A mobile platform was selected based on stakeholder needs that are weighed against current skillsets, high priority non-functional requirements, the available capacity and scalability of your stack, and alignment to your current delivery process.

    New features and mobile use cases are regularly emerging in the industry. Ensuring your mobile platform and delivery process can easily scale to incorporate constantly changing mobile features and technologies is key. This can help minimize the impact these changes will have on your mobile stack and the resulting experience.

    Achieving this state requires three competencies: mobile security, performance optimization, and integration practices.

    Many of today's mobile trends involve, in one form or another, hardware components on the mobile device (e.g., NFC receivers, GPS, cameras). You understand the scope of native features available on your end user's mobile device and the required steps and capabilities to enable and leverage them.

    Grow your mobile delivery practice (cont'd)

    Ask yourself the following questions:
    Level 1: Mobile Delivery Foundations Level 2: Scaled Mobile Delivery Level 3: Leading-Edge Mobile Delivery

    Checkpoint questions shown at the end of step 1.2 of this blueprint

    You should be at this point upon the successful delivery of your first mobile application.

    Security

    • Your mobile stack (application, data, and infrastructure) is updated to incorporate the security risks mobile apps will have on your systems and business operations.
    • Leading edge encryption, authentication management (e.g., multi-factor), and access control systems are used to bolster existing mobile security infrastructure.
    • Network traffic to and from mobile application is monitored and analyzed.

    Performance Optimization

    • Performance enhancements are made with the entire mobile stack in mind.
    • Mobile performance is monitored and assessed with both proactive (data flow) and retroactive (instrumentation) approaches.
    • Development and testing practices and technologies accommodate the performance differences between mobile and desktop applications.

    API Development

    • Existing web APIs are compatible with mobile applications, or a gateway / middleware is used to facilitate communication with backend and third-party services.
    • APIs are secured to prevent unauthorized access and misuse.
    • Web APIs are documented and standardized for reuse in multiple mobile applications.
    • Implementing APIs of native features in native and/or cross-platform and/or hybrid platforms is well understood.
    • All leading-edge mobile features are mapped to and support business requirements and objectives.
    • The new mobile use cases are well understood and account for the various scenarios/environments a user may encounter with the leading-edge mobile features.
    • The relevant non-mobile devices, readers, sensors, and other dependent systems are shortlisted and acquired to enable and support your new mobile capabilities.
    • Delivery teams are prepared to accommodate the various security, performance, and integration risks associated with implementing leading-edge mobile features. Practices and mechanisms are established to minimize the impact to business operations.
    • Metrics are used to measure the success of your leading-edge mobile features implementation by comparing its performance and acceptance against past projects.
    • Business stakeholders and development teams are up to date with the latest mobile technologies and delivery techniques.

    Summary of Accomplishment

    Choose Your Mobile Platform and Tools

    • User personas
    • Mobile objectives and metrics
    • Mobile opportunity backlog
    • List of mobile features to enable the desired mobile experience
    • System current assessment
    • Mobile application quality definition
    • Readiness for mobile delivery
    • Desired mobile platform approach
    • Shortlisted mobile delivery solutions
    • Desired list of vendor features and services
    • MVP design
    • Mobile delivery roadmap

    If you would like additional support, have our analysts guide you through other phases as part of Info-Tech workshop.

    Contact your account representative for more information

    workshops@infotech.com

    1-888-670-8889

    Research Contributors and Experts

    This is a picture of Chaim Yudkowsky, Chief Information Officer for The American Israel Public Affairs Committee

    Chaim Yudkowsky
    Chief Information Officer
    The American Israel Public Affairs Committee

    Chaim Yudkowsky is currently Chief information Officer for American Israel Public Affairs Committee (AIPAC), the DC headquartered not-for-profit focused on lobbying for a strong US-Israel relationship. In that role, Chaim is responsible for all traditional IT functions including oversight of IT strategy, vendor relationships, and cybersecurity program. In addition, Chaim also has primary responsibility for all physical security technology and strategy for US offices and event technology for the many AIPAC events.

    Bibliography

    "5 Pillars of API Management". Broadcom, 2021. Web.

    Bourne, James. "Apperian research shows more firms pushing larger numbers of enterprise apps". Enterprise CIO, 17 Feb 2016. Web.

    Ceci, L. "Mobile app user retention rate worldwide 2020, by vertical". Statista, 6 Apr 2022. Web.

    Clement, J. "Share of global mobile website traffic 2015-2021". Statista, 18 Feb 2022. Web

    DeVos, Jordan. "Design Problem Statements – What They Are and How to Frame Them." Toptal, n.d. Web.

    Enge, Eric. "Mobile vs. Desktop Usage in 2020". Perficient, 23 March 2021. Web.

    Engels, Antoine. "How many Android updates does Samsung, Xiaomi or OnePlus offer?" NextPit, Mar 2022. Web.

    "Fast-tracking digital transformation through next-gen technologies". Broadridge, 2022. Web.

    Gayatri. "The Pulse of Digital Transformation 2021 – Survey Results." DronaHQ, 2021. Web.

    Gray, Dave. "Updated Empathy Map Canvas." The XPLANE Collection, 15 July 2017. Web.

    "HCL Volt MX". HCL, n.d. Web.

    "iPass Mobile Professional Report 2017". iPass, 2017. Web.

    Karlsson, Johan. "Backlog Grooming: Must-Know Tips for High-Value Products." Perforce, 2019. Web.

    Karnes, KC. "Why Users Uninstall Apps: 28% of People Feel Spammed [Survey]". CleverTap, 27 July 2021. Web.

    Kemp, Simon. "Digital 2021: Global Overview Report". DataReportal, 27 Jan 2021. Web.

    Kleinberg, Sara. "Consumers are always shopping and eager for your help". Google, Aug 2018. Web.

    MaLavolta, Ivano. "Anatomy of an HTML 5 mobile web app". University of L'Aquila, 16 Apr 2012. Web.

    "Maximizing Mobile Value: To BYOD or not to BYOD?" Samsung and Oxford Economics, 2022. Web.

    "Mobile App Performance Metrics For Crash-Free Apps." AppSamurai, 27 June 2018. Web.

    "Mobile Application Development Statistics: 5 Facts". Intersog, 23 Nov 2021. Web.

    Moore, Geoffrey A. "Crossing the Chasm, 3rd Edition: Marketing and Selling Disruptive Products to Mainstream Customers." Harper Business, 3rd edition, 2014. Book.

    "OWASP Top Ten". OWASP, 2021. Web.

    "Personas". Usability.gov, n.d. Web.

    Roden, Marky. "PSC Tech Talk: UX Design – Not just making things pretty". Xomino, 18 Mar 2018. Web.

    Royce, Dr. Winston W. "Managing the Development of Large Software Systems." USC Student Computing Facility, 1970. Web.

    Rubin, Kenneth S. Essential Scrum: A Practical Guide to the Most Popular Agile Process. Pearson Education, 2012. Book.

    Sahay, Apurvanand et al. "Supporting the understanding and comparison of low-code development platforms." Universit`a degli Studi dell'Aquila, 2020. Web.

    Schuurman, Robbin. "Tips for Agile product roadmaps & product roadmap examples." Scrum.org, 2017. Web.

    Strunk, Christian. "How to define a product vision (with examples)." Christian Strunk. n.d. Web.

    Szeja, Radoslaw. "14 Biggest Challenges in Mobile App Development in 2022". Netguru, 4 Jan 2022. Web.

    "Synopsys Research Reveals Significant Security Concerns in Popular Mobile Apps Amid Pandemic". Synopsys, 25 Mar 2021. Web.

    "TOGAF 8.1.1 Online, Part IV: Resource Base, Developing Architecture Views." The Open Group, n.d. Web.

    Wangen, Emilie Nøss. "What Is a Software Platform & How Is It Different From a Product?" HubSpot, 2021. Web.

    "Mobile App Retention Rate: What's a Good Retention Rate?" Localytics, July 2021. Web.

    "Why Mobile Apps Fail: Failure to Launch". Perfecto Mobile, 26 Jan 2014. Web.

    Appendix A

    Sample Reference Frameworks

    Reference Framework: Web Platform

    Most of the operations of the applications on a web platform are executed in the mid-tier or back-end servers. End users interact with the platform through the presentation layer, developed with web languages, in the browser.

    This is an image of the Reference Framework: Web Platform

    Reference Framework: Mobile Web Application

    Many mobile web applications are composed of JavaScript (the muscle of the app), HTML5 (the backbone of the app), and CSS (the aesthetics of the app). The user will make a request to the web server which will interact with the application to provide a response. Since each device has unique attributes, consider a device detection service to help adjust content for each type of device.

    this is an image of the Reference Framework: Mobile Web Application

    Source: MaLavolta, Ivono, 2012.

    Web Platform: Anatomy of a Web Server

    Web Server Services

    • Mediation Services: Perform transformation of data/messages.
    • Boundary Services: Provide interface protocol and data/message conversion capabilities.
    • Event Distribution: Provides for the enterprise-wide adoption of content and topic-based publish/subscribe event distribution.
    • Transport Services: Facilitate data transmission across the middleware/server.
    • Service Directory: Manages multiple service identifiers and locations.

    This image shows the relationships of the various web server services listed above

    Reference Framework: Hybrid Platform

    Unlike the mobile web platform, most of an application's operations on the hybrid platform is on the device within a native container. The container leverages the device browser's runtime engine and is based on the framework of the mobile delivery solution.

    This is an image of the Reference Framework: Hybrid Platform

    Reference Framework: Native Platform

    Applications on a native platform are installed locally on the device giving it access to native device hardware and software. The programming language depends on the operating system's or device's SDK.

    This is an image of the Reference Framework: Native Platform

    Appendix B

    List of Low- and No- Code Software Delivery Solution Features

    Supplementary List of Features

    Graphical user interface

    • Drag-and-drop designer - This feature enhances the user experience by permitting to drag all the items involved in making an app including actions, responses, connections, etc.
    • Point and click approach - This is similar to the drag-and-drop feature except it involves pointing on the item and clicking on the interface rather than dragging and dropping the item.
    • Pre-built forms/reports - This is off-the-shelf and most common reusable editable forms or reports that a user can use when developing an application.
    • Pre-built dashboards - This is off-the-shelf and most common dashboards that a user can use when developing an application.
    • Forms - This feature helps in creating a better user interface and user experience when developing applications. A form includes dashboards, custom forms, surveys, checklists, etc. which could be useful to enhance the usability of the application being developed.
    • Progress tracking - This features helps collaborators to combine their work and track the development progress of the application.
    • Advanced Reporting - This features enables the user to obtain a graphical reporting of the application usage. The graphical reporting includes graphs, tables, charts, etc.
    • Built-in workflows - This feature helps to concentrate the most common reusable workflows when creating applications.
    • Configurable workflows - Besides built-in workflows, the user should be able to customize workflows according to their needs.

    Interoperability support

    • Interoperability with external services - This feature is one of the most important features to incorporate different services and platforms including that of Microsoft, Google, etc. It also includes the interoperability possibilities among different low-code platforms.
    • Connection with data sources - This features connects the application with data sources such as Microsoft Excel, Access and other relational databases such as Microsoft SQL, Azure and other non-relational databases such as MongoDB.

    Security Support

    • Application security - This feature enables the security mechanism of an application which involves confidentiality, integrity and availability of an application, if and when required.
    • Platform security - The security and roles management is a key part in developing an application so that the confidentiality, integrity and authentication (CIA) can be ensured at the platform level.

    Collaborative development support

    • Off-line collaboration - Different developers can collaborate on the specification of the same application. They work off-line locally and then they commit to a remote server their changes, which need to be properly merged.
    • On-line collaboration - Different developers collaborate concurrently on the specification of the same application. Conflicts are managed at run-time.

    Reusability support

    • Built-in workflows - This feature helps to concentrate the most common reusable workflows in creating an application.
    • Pre-built forms/reports - This is off-the-shelf and most common reusable editable forms or reports that a user might want to employ when developing an application.
    • Pre-built dashboards - This is off-the-shelf and most common dashboards that a user might want to employ when developing an application.

    Scalability

    • Scalability on number of users - This features enables the application to scale-up with respect to the number of active users that are using that application at the same time.
    • Scalability on data traffic - This features enables the application to scale-up with respect to the volume of data traffic that are allowed by that application in a particular time.
    • Scalability on data storage - This features enables the application to scale-up with respect to the data storage capacity of that application.

    Business logic specification mechanisms

    • Business rules engine - This feature helps in executing one or more business rules that help in managing data according to user's requirements.
    • Graphical workflow editor - This feature helps to specify one or more business rules in a graphical manner.
    • AI enabled business logic - This is an important feature which uses Artificial Intelligence in learning the behavior of an attributes and replicate those behaviors according to learning mechanisms.

    Application build mechanisms

    • Code generation - According to this feature, the source code of the modeled application is generated and subsequently deployed before its execution.
    • Models at run-time - The model of the specified application is interpreted and used at run-time during the execution of the modeled application without performing any code generation phase.

    Deployment support

    • Deployment on cloud - This features enables an application to be deployed online in a cloud infrastructure when the application is ready to deployed and used.
    • Deployment on local infrastructures - This features enables an application to be deployed locally on the user organization's infrastructure when the application is ready to be deployed and used.

    Kinds of supported applications

    • Event monitoring - This kind of applications involves the process of collecting data, analyzing the event that can be caused by the data, and signaling any events occurring on the data to the user.
    • Process automation - This kind of applications focuses on automating complex processes, such as workflows, which can take place with minimal human intervention.
    • Approval process control - This kind of applications consists of processes of creating and managing work approvals depending on the authorization of the user. For example, payment tasks should be managed by the approval of authorized personnel only.
    • Escalation management - This kind of applications are in the domain of customer service and focuses on the management of user viewpoints that filter out aspects that are not under the user competences.
    • Inventory management - This kind of applications is for monitoring the inflow and outflow of goods and manages the right amount of goods to be stored.
    • Quality management - This kind of applications is for managing the quality of software projects, e.g., by focusing on planning, assurance, control and improvements of quality factors.
    • Workflow management - This kind of applications is defined as sequences of tasks to be performed and monitored during their execution, e.g., to check the performance and correctness of the overall workflow.

    Source: Sahay, Apurvanand et al., 2020

    Create a Right-Sized Enterprise Architecture Governance Framework

    • Buy Link or Shortcode: {j2store}582|cart{/j2store}
    • member rating overall impact: 9.0/10 Overall Impact
    • member rating average dollars saved: $10,000 Average $ Saved
    • member rating average days saved: 5 Average Days Saved
    • Parent Category Name: Strategy & Operating Model
    • Parent Category Link: /strategy-and-operating-model
    • EA governance is perceived as an unnecessary layer of bureaucracy because business benefits are poorly communicated.
    • The organization doesn’t have a formalized EA practice.
    • Where an EA practice exists, employees are unsure of EA’s roles and responsibilities.

    Our Advice

    Critical Insight

    • Enterprise architecture is not a technical function – it should be business-value driven and forward looking, positioning organizational assets in favor of long-term strategy rather than short-term tactics.

    Impact and Result

    • Value-focused. Focus EA governance on helping the organization achieve business benefits. Promote EA’s contribution in realizing business value.
    • Right-sized. Re-use existing process checkpoints rather than creating new ones. Clearly define EA governance inclusion criteria for projects.
    • Defined and measured process. Define metrics to measure EA’s performance and integrate EA governance with other governance processes such as project governance. Also clearly define the EA governing bodies’ composition, domain, inputs, and outputs.
    • Strike the right balance. Adopt architecture principles that strikes the right balance between business and technology.

    Create a Right-Sized Enterprise Architecture Governance Framework Research & Tools

    Start here – read the Executive Brief

    Read our Executive Brief to find out how implementing a successful enterprise architecture governance framework can benefit your organization.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Current State of EA Governance

    Identify the organization’s standing in terms of the enterprise architecture practice, and know the gaps and what the EA practice needs to fulfill to create a good governance framework.

    • Create a Right-Sized Enterprise Architecture Governance Framework – Phase 1: Current State of EA Governance
    • EA Capability – Risk and Complexity Assessment Tool
    • EA Governance Assessment Tool

    2. EA Fundamentals

    Understand the EA fundamentals and then refresh them to better align the EA practice with the organization and create business benefit.

    • Create a Right-Sized Enterprise Architecture Governance Framework – Phase 2: EA Fundamentals
    • EA Vision and Mission Template
    • EA Goals and Measures Template
    • EA Principles Template

    3. Engagement Model

    Analyze the IT operating model and identify EA’s role at each stage; refine it to promote effective EA engagement upfront in the early stages of the IT operating model.

    • Create a Right-Sized Enterprise Architecture Governance Framework – Phase 3: Engagement Model
    • EA Engagement Model Template

    4. EA Governing Bodies

    Set up EA governing bodies to provide guidance and foster a collaborative environment by identifying the correct number of EA governing bodies, defining the game plan to initialize the governing bodies, and creating an architecture review process.

    • Create a Right-Sized Enterprise Architecture Governance Framework – Phase 4: EA Governing Bodies
    • Architecture Board Charter Template
    • Architecture Review Process Template

    5. EA Policy

    Create an EA policy to provide a set of guidelines designed to direct and constrain the architecture actions of the organization in the pursuit of its goals in order to improve architecture compliance and drive business value.

    • Create a Right-Sized Enterprise Architecture Governance Framework – Phase 5: EA Policy
    • EA Policy Template
    • EA Assessment Checklist Template
    • EA Compliance Waiver Process Template
    • EA Compliance Waiver Form Template

    6. Architectural Standards

    Define architecture standards to facilitate information exchange, improve collaboration, and provide stability. Develop a process to update the architectural standards to ensure relevancy and promote process transparency.

    • Create a Right-Sized Enterprise Architecture Governance Framework – Phase 6: Architectural Standards
    • Architecture Standards Update Process Template

    7. Communication Plan

    Craft a plan to engage the relevant stakeholders, ascertain the benefits of the initiative, and identify the various communication methods in order to maximize the chances of success.

    • Create a Right-Sized Enterprise Architecture Governance Framework – Phase 7: Communication Plan
    • EA Governance Communication Plan Template
    • EA Governance Framework Template
    [infographic]

    Workshop: Create a Right-Sized Enterprise Architecture Governance Framework

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Current State of EA governance (Pre-workshop)

    The Purpose

    Conduct stakeholder interviews to understand current state of EA practice and prioritize gaps for EA governance based on organizational complexity.

    Key Benefits Achieved

    Prioritized list of actions to arrive at the target state based on the complexity of the organization

    Activities

    1.1 Determine organizational complexity.

    1.2 Conduct an assessment of the EA governance components.

    1.3 Identify and prioritize gaps.

    1.4 Conduct senior management interviews.

    Outputs

    Organizational complexity score

    EA governance current state and prioritized list of EA governance component gaps

    Stakeholder perception of the EA practice

    2 EA Fundamentals and Engagement Model

    The Purpose

    Refine EA fundamentals to align the EA practice with the organization and identify EA touchpoints to provide guidance for projects.

    Key Benefits Achieved

    Alignment of EA goals and objectives with the goals and objectives of the organization

    Early involvement of EA in the IT operating model

    Activities

    2.1 Review the output of the organizational complexity and EA assessment tools.

    2.2 Craft the EA vision and mission.

    2.3 Develop the EA principles.

    2.4 Identify the EA goals.

    2.5 Identify EA engagement touchpoints within the IT operating model.

    Outputs

    EA vision and mission statement

    EA principles

    EA goals and measures

    Identified EA engagement touchpoints and EA level of involvement

    3 EA Governing Bodies

    The Purpose

    Set up EA governing bodies to provide guidance and foster a collaborative environment by identifying the correct number of EA governing bodies, defining the game plan to initialize the governing bodies and creating an architecture review process.

    Key Benefits Achieved

    Business benefits are maximized and solution design is within the options set forth by the architectural reference models while no additional layers of bureaucracy are introduced

    Activities

    3.1 Identify the number of governing bodies.

    3.2 Define the game plan to initialize the governing bodies.

    3.3 Define the architecture review process.

    Outputs

    Architecture board structure and coverage

    Identified architecture review template

    4 EA Policy

    The Purpose

    Create an EA policy to provide a set of guidelines designed to direct and constrain the architecture actions of the organization in the pursuit of its goals in order to improve architecture compliance and drive business value.

    Key Benefits Achieved

    Improved architecture compliance, which ties investments to business value and provides guidance to architecture practitioners

    Activities

    4.1 Define the scope.

    4.2 Identify the target audience.

    4.3 Determine the inclusion and exclusion criteria.

    4.4 Craft an assessment checklist.

    Outputs

    Defined scope

    Inclusion and exclusion criteria for project review

    Architecture assessment checklist

    5 Architectural Standards and Communication Plan

    The Purpose

    Define architecture standards to facilitate information exchange, improve collaboration, and provide stability.

    Craft a communication plan to implement the new EA governance framework in order to maximize the chances of success.

    Key Benefits Achieved

    Consistent development of architecture, increased information exchange between stakeholders

    Improved process transparency

    Improved stakeholder engagement

    Activities

    5.1 Identify and standardize EA work products.

    5.2 Classifying the architectural standards.

    5.3 Identifying the custodian of standards.

    5.4 Update the standards.

    5.5 List the changes identified in the EA governance initiative

    5.6 Create a communication plan.

    Outputs

    Identified set of EA work products to standardize

    Architecture information taxonomy

    Identified set of custodian of standards

    Standard update process

    List of EA governance initiatives

    Communication plan for EA governance initiatives

    Further reading

    Create a Right-Sized Enterprise Architecture Governance Framework

    Focus on process standardization, repeatability, and sustainability.

    ANALYST PERSPECTIVE

    "Enterprise architecture is not a technology concept, rather it is the foundation on which businesses orient themselves to create and capture value in the marketplace. Designing architecture is not a simple task and creating organizations for the future requires forward thinking and rigorous planning.

    Architecture processes that are supposed to help facilitate discussions and drive option analysis are often seen as an unnecessary overhead. The negative perception is due to enterprise architecture groups being overly prescriptive rather than providing a set of options that guide and constrain solutions at the same time.

    EA groups should do away with the direct and control mindset and change to a collaborate and mentor mindset. As part of the architecture governance, EA teams should provide an option set that constrains design choices, and also be open to changes to standards or best practices. "

    Gopi Bheemavarapu, Sr. Manager, CIO Advisory Info-Tech Research Group

    Our understanding of the problem

    This Research Is Designed For:

    • CIO
    • IT Leaders
    • Business Leaders
    • Head of Enterprise Architecture
    • Enterprise Architects
    • Domain Architects
    • Solution Architects

    This Research Will Help You:

    • Understand the importance of enterprise architecture (EA) governance and how to apply it to guide architectural decisions.
    • Enhance your understanding of the organization’s current EA governance and identify areas for improvement.
    • Optimize your EA engagement model to maximize value creation.
    • Learn how to set up the optimal number of governance bodies in order to avoid bureaucratizing the organization.

    This Research Will Also Assist:

    • Business Relationship Managers
    • Business Analysts
    • IT Managers
    • Project Managers
    • IT Analysts
    • Quality Assurance Leads
    • Software Developers

    This Research Will Help Them:

    • Give an overview of enterprise architecture governance
    • Clarity on the role of enterprise architecture team

    Executive summary

    Situation

    • Deployed solutions do not meet business objectives resulting in expensive and extensive rework.
    • Each department acts independently without any regular EA touchpoints.
    • Organizations practice project-level architecture as opposed to enterprise architecture.

    Complication

    • EA governance is perceived as an unnecessary layer of bureaucracy because business benefits are poorly communicated.
    • The organization doesn’t have a formalized EA practice.
    • Where an EA practice exists, employees are unsure of EA’s roles and responsibilities.

    Resolution

    • Value-focused. Focus EA governance on helping the organization achieve business benefits. Promote EA’s contribution in realizing business value.
    • Right-sized. Re-use existing process checkpoints, rather than creating new ones. Clearly define EA governance inclusion criteria for projects.
    • Defined and measured process. Define metrics to measure EA’s performance and integrate EA governance with other governance processes such as project governance. Also clearly define the EA governing bodies’ composition, domain, inputs, and outputs.
    • Strike the right balance. Adopt architecture principles that strikes the right balance between business and technology imperatives.

    Info-Tech Insight

    Enterprise architecture is critical to ensuring that an organization has the solid IT foundation it needs to efficiently enable the achievement of its current and future strategic goals rather than focusing on short-term tactical gains.

    What is enterprise architecture governance?

    An architecture governance process is the set of activities an organization executes to ensure that decisions are made and accountability is enforced during the execution of its architecture strategy. (Hopkins, “The Essential EA Toolkit.”)

    EA governance includes the following:

    • Implement a system of controls over the creation and monitoring of all architectural components.
    • Ensure effective introduction, implementation, and evolution of architectures within the organization.
    • Implement a system to ensure compliance with internal and external standards and regulatory obligations.
    • Develop practices that ensure accountability to a clearly identified stakeholder community, both inside and outside the organization.

    (TOGAF)

    IT governance sets direction through prioritization and decision making, and monitors overall IT performance.

    The image shows a circle set within a larger circle. The inner circle is connected to the bottom of the larger circle. The inner circle is labelled EA Governance and the larger circle is labelled IT Governance.

    EA governance ensures that optimal architectural design choices are being made that focus on long-term value creation.

    Harness the benefits of an optimized EA governance

    Core benefits of EA governance are seen through:

    Value creation

    Effective EA governance ensures alignment between organizational investments and corporate strategic goals and objectives.

    Cost reduction

    Architecture standards provide guidance to identify opportunities for reuse and eliminate redundancies in an organization.

    Risk optimization

    Architecture review processes and assessment checklists ensure that solutions are within the acceptable risk levels of the organization.

    EA governance is difficult to structure appropriately, but having an effective structure will allow you to:

    • Achieve business strategy through faster time-to-market innovations and capabilities.
    • Reduced transaction costs with more consistent business processes and information across business units.
    • Lower IT costs due to better traceability, faster design, and lower risk.
    • Link IT investments to organizational strategies and objectives
    • Integrate and institutionalizes IT best practices.
    • Enable the organization to take full advantage of its information, infrastructure, and hardware and software assets.
    • Support regulatory as well as best practice requirements such as auditability, security, responsibility, and accountability.

    Organizations that have implemented EA governance realize greater benefits from their EA programs

    Modern day CIOs of high-performing organizations use EA as a strategic planning discipline to improve business-IT alignment, enable innovation, and link business and IT strategies to execution.

    Recent Info-Tech research found that organizations that establish EA governance realize greater benefits from their EA initiatives.

    The image shows a bar graph, with Impact from EA on the Y-axis, and different initiatives listed on the X-axis. Each initiative has two bars connected to it, with a blue bar representing answers of No and the grey bar representing answers of Yes.

    (Info-Tech Research Group, N=89)

    Measure EA governance implementation effectiveness

    Define key operational measures for internal use by IT and EA practitioners. Also, define business value measures that communicate and demonstrate the value of EA as an “enabler” of business outcomes to senior executives.

    EA performance measures (lead, operational) EA value measures (lag)
    Application of EA management process EA’s contribution to IT performance EA’s contribution to business value

    Enterprise Architecture Management

    • Number of months since the last review of target state EA blueprints.

    IT Investment Portfolio Management

    • Percentage of projects that were identified and proposed by EA.

    Solution Development

    • Number of projects that passed EA reviews.
    • Number of building blocks reused.

    Operations Management

    • Reduction in the number of applications with overlapping functionality.

    Business Value

    • Lower non-discretionary IT spend.
    • Decreased time to production.
    • Higher satisfaction of IT-enabled services.

    An insurance provider adopts a value-focused, right-sized EA governance program

    CASE STUDY

    Industry Insurance

    Source Info-Tech

    Situation

    The insurance sector has been undergoing major changes, and as a reaction, businesses within the sector have been embracing technology to provide innovative solutions.

    The head of EA in a major insurance provider (henceforth to be referred to as “INSPRO01”) was given the mandate to ensure that solutions are architected right the first time to maximize reuse and reduce technology debt. The EA group was at a critical point – to demonstrate business value or become irrelevant.

    Complication

    The project management office had been accountable for solution architecture and had placed emphasis on short-term project cost savings at the expense of long term durability.

    There was a lack of awareness of the Enterprise Architecture group within INSPRO01, and people misunderstood the roles and responsibilities of the EA team.

    Result

    Info-Tech helped define the responsibilities of the EA team and clarify the differences between the role of a Solution Architect vs. Enterprise Architect.

    The EA team was able to make the case for change in the project management practices to ensure architectures are reviewed and approved prior to implementation.

    As a result, INSPRO01 saw substantial increases in reuse opportunities and thereby derived more value from its technology investments.

    Success factors for EA governance

    The success of any EA governance initiative revolves around adopting best practices, setting up repeatable processes, and establishing appropriate controls.

    1. Develop best practices for managing architecture policies, procedures, roles, skills, and organizational structures.
    2. Establish organizational responsibilities and structures to support the architecture governance processes.
    3. Management of criteria for the control of the architecture governance processes, dispensations, compliance assessments, and SLAs.

    Info-Tech’s approach to EA governance

    Our best-practice approach is grounded in TOGAF and enhanced by the insights and guidance from our analysts, industry experts, and our clients.

    Value-focused. Focus EA governance on helping the organization achieve business benefits. Promote EA’s contribution in realizing business value.

    Right-sized. Insert EA governance into existing process checkpoints rather than creating new ones. Clearly define EA governance inclusion criteria for projects.

    Measured. Define metrics to measure EA’s performance, and integrate EA governance with other governance processes such as project governance. Also clearly define the EA governing bodies’ composition, domain, inputs, and outputs.

    Balanced. Adopt architecture principles that strikes the right balance between business and technology.

    Info-Tech’s EA governance framework

    Info-Tech’s architectural governance framework provides a value-focused, right-sized approach with a strong emphasis on process standardization, repeatability, and sustainability.

    1. Current state of EA governance
    2. EA fundamentals
    3. Engagement model
    4. EA governing bodies
    5. EA policy
    6. Architectural standards
    7. Communication Plan

    Use Info-Tech’s templates to complete this project

    1. Current state of EA governance
      • EA Capability - Risk and Complexity Assessment Tool
      • EA Governance Assessment Tool
    2. EA fundamentals
      • EA Vision and Mission Template
      • EA Goals and Measures Template
      • EA Principles Template
    3. Engagement model
      • EA Engagement Model Template
    4. EA governing bodies
      • Architecture Board Charter Template
      • Architecture Review Process Template
    5. EA policy
      • EA Policy Template
      • Architecture Assessment Checklist Template
      • Compliance Waiver Process Template
      • Compliance Waiver Form Template
    6. Architectural standards
      • Architecture Standards Update Process Template
    7. Communication Plan
      • EA Governance Communication Plan Template
      • EA Governance Framework Template

    As you move through the project, capture your progress with a summary in the EA Governance Framework Template.

    Download the EA Governance Framework Template document for use throughout this project.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    EA governance framework – phase-by-phase outline (1/2)

    Current state of EA governance EA Fundamentals Engagement Model EA Governing Bodies
    Best-Practice Toolkit

    1.1 Determine organizational complexity

    1.2 Conduct an assessment of the EA governance components

    1.3 Identify and prioritize gaps

    2.1 Craft the EA vision and mission

    2.2 Develop the EA principles

    2.3 Identify the EA goals

    3.1 Build the case for EA engagement

    3.2 Identify engagement touchpoints within the IT operating model

    4.1 Identify the number of governing bodies

    4.2 Define the game plan to initialize the governing bodies

    4.3 Define the architecture review process

    Guided Implementations
    • Determine organizational complexity
    • Assess current state of EA governance
    • Develop the EA fundamentals
    • Review the EA fundamentals
    • Review the current IT operating model
    • Determine the target engagement model
    • Identify architecture boards and develop charters
    • Develop an architecture review process

    Phase 1 Results:

    • EA Capability - risk and complexity assessment
    • EA governance assessment

    Phase 2 Results:

    • EA vision and mission
    • EA goals and measures
    • EA principles

    Phase 3 Results:

    • EA engagement model

    Phase 4 Results:

    • Architecture board charter
    • Architecture review process

    EA governance framework – phase-by-phase outline (2/2)

    EA Policy Architectural Standards Communication Plan
    Best-Practice Toolkit

    5.1 Define the scope of EA policy

    5.2 Identify the target audience

    5.3 Determine the inclusion and exclusion criteria

    5.4 Craft an assessment checklist

    6.1 Identify and standardize EA work products

    6.2 Classify the architectural standards

    6.3 Identify the custodian of standards

    6.4 Update the standards

    7.1 List the changes identified in the EA governance initiative

    7.2 Identify stakeholders

    7.3 Create a communication plan

    Guided Implementations
    • EA policy, assessment checklists, and decision types
    • Compliance waivers
    • Understand architectural standards
    • EA repository and updating the standards
    • Create a communication plan
    • Review the communication plan

    Phase 5 Results:

    • EA policy
    • Architecture assessment checklist
    • Compliance waiver process
    • Compliance waiver form

    Phase 6 Results:

    • Architecture standards update process

    Phase 7 Results:

    • Communication plan
    • EA governance framework

    Workshop overview

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Pre-workshopWorkshop Day 1Workshop Day 2Workshop Day 3Workshop Day 4
    ActivitiesCurrent state of EA governance EA fundamentals and engagement model EA governing bodies EA policy Architectural standards and

    communication plan

    1.1 Determine organizational complexity

    1.2 Conduct an assessment of the EA governance components

    1.3 Identify and prioritize gaps

    1.4 Senior management interviews

    1. Review the output of the organizational complexity and EA assessment tools
    2. Craft the EA vision and mission
    3. Develop the EA principles.
    4. Identify the EA goals
    5. Identify EA engagement touchpoints within the IT operating model
    1. Identify the number of governing bodies
    2. Define the game plan to initialize the governing bodies
    3. Define the architecture review process
    1. Define the scope
    2. Identify the target audience
    3. Determine the inclusion and exclusion criteria
    4. Craft an assessment checklist
    1. Identify and standardize EA work products
    2. Classifying the architectural standards
    3. Identifying the custodian of standards
    4. Updating the standards
    5. List the changes identified in the EA governance initiative
    6. Identify stakeholders
    7. Create a communication plan
    Deliverables
    1. EA Capability - risk and complexity assessment tool
    2. EA governance assessment tool
    1. EA vision and mission template
    2. EA goals and measures template
    3. EA principles template
    4. EA engagement model template
    1. Architecture board charter template
    2. Architecture review process template
    1. EA policy template
    2. Architecture assessment checklist template
    3. Compliance waiver process template
    4. Compliance waiver form template
    1. Architecture standards update process template
    2. Communication plan template

    Phase 1

    Current State of EA Governance

    Create a Right-Sized Enterprise Architecture Governance Framework

    Current State of EA Governance

    1. Current State of EA Governance
    2. EA Fundamentals
    3. Engagement Model
    4. EA Governing Bodies
    5. EA Policy
    6. Architectural Standards
    7. Communication Plan

    This phase will walk you through the following activities:

    • Determine organizational complexity
    • Conduct an assessment of the EA governance components
    • Identify and prioritize gaps

    This step involves the following participants:

    • CIO
    • IT Leaders
    • Business Leaders
    • Head of Enterprise Architecture
    • Enterprise Architects
    • Domain Architects
    • Solution Architects

    Outcomes of this step

    • Prioritized list of gaps

    Info-Tech Insight

    Correlation is not causation – an apparent problem might be a symptom rather than a cause. Assess the organization’s current EA governance to discover the root cause and go beyond the symptoms.

    Phase 1 guided implementation outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Current State of EA Governance

    Proposed Time to Completion: 2 weeks

    Step 1.1: Determine organizational complexity

    Start with an analyst kick-off call:

    • Discuss how to use Info-Tech’s EA Capability – Risk and Complexity Assessment Tool.
    • Discuss how to complete the inputs on the EA Governance Assessment Tool.

    Then complete these activities…

    • Conduct an assessment of your organization to determine its complexity.
    • Assess the state of EA governance within your organization.

    With these tools & templates:

    • EA Capability – Risk and Complexity Assessment Tool
    • EA Governance Assessment Tool

    Step 1.2: Assess current state of EA governance

    Start with an analyst kick-off call:

    • Review the output of the EA governance assessment and gather feedback on your goals for the EA practice.

    Then complete these activities…

    • Discuss whether you are ready to proceed with the project.
    • Review the list of tasks and plan your next steps.

    With these tools & templates:

    • EA Governance Assessment Tool

    Right-size EA governance based on organizational complexity

    Determining organizational complexity is not rocket science. Use Info-Tech’s tool to quantify the complexity and use it, along with common sense, to determine the appropriate level of architecture governance.

    Info-Tech’s methodology uses six factors to determine the complexity of the organization:

    1. The size of the organization, which can often be denoted by the revenue, headcount, number of applications in use, and geographical diversity.
    2. The solution alignment factor helps indicate the degree to which various projects map to the organization’s strategy.
    3. The size and complexity of the IT infrastructure and networks.
    4. The portfolio of applications maintained by the IT organization.
    5. Key changes within the organization such as M&A, regulatory changes, or a change in business or technology leadership.
    6. Other negative influences that can adversely affect the organization.

    Determine your organization’s level of complexity

    1.1 2 hours

    Input

    • Group consensus on the current state of EA competencies.

    Output

    • A list of gaps that need to be addressed for EA governance competencies.

    Materials

    • Info-Tech’s EA assessment tool, a computer, and/or a whiteboard and marker.

    Participants

    • EA team, business line leads, IT department leads.

    The image shows a screenshot of the Table of Contents with the EA Capability section highlighted.

    Step 1 - Facilitate

    Download the EA Capability – Risk and Complexity Assessment Tool to facilitate a session on determining your organization’s complexity.

    Download EA Organizational - Risk and Complexity Assessment Tool

    Step 2 - Summarize

    Summarize the results in the EA governance framework document.

    Update the EA Governance Framework Template

    Understand the components of effective EA governance

    EA governance is multi-faceted and it facilitates effective use of resources to meet organizational strategic objectives through well-defined structural elements.

    EA Governance

    • Fundamentals
    • Engagement Model
    • Policy
    • Governing Bodies
    • Architectural Standards

    Components of architecture governance

    1. EA vision, mission, goals, metrics, and principles that provide a direction for the EA practice.
    2. An engagement model showing where and in what fashion EA is engaged in the IT operating model.
    3. An architecture policy formulated and enforced by the architectural governing bodies to guide and constrain architectural choices in pursuit of strategic goals.
    4. Governing bodies to assess projects for compliance and provide feedback.
    5. Architectural standards that codify the EA work products to ensure consistent development of architecture.

    Next Step: Based on the organization’s complexity, conduct a current state assessment of EA governance using Info-Tech’s EA Governance Assessment Tool.

    Assess the components of EA governance in your organization

    1.2 2 hrs

    Input

    • Group consensus on the current state of EA competencies.

    Output

    • A list of gaps that need to be addressed for EA governance competencies.

    Materials

    • Info-Tech’s EA assessment tool, a computer, and/or a whiteboard and marker.

    Participants

    • EA team, business line leads, IT department leads.

    The image shows a screenshot of the Table of Contents with the EA Governance section highlighted.

    Step 1 - Facilitate

    Download the “EA Governance Assessment Tool” to facilitate a session on identifying the best practices to be applied in your organization.

    Download Info-Tech’s EA Governance Assessment Tool

    Step 2 - Summarize

    Summarize the identified best practices in the EA governance framework document.

    Update the EA Governance Framework Template


    Conduct a current state assessment to identify limitations of the existing EA governance framework

    CASE STUDY

    Industry Insurance

    Source Info-Tech

    Situation

    INSPRO01 was planning a major transformation initiative. The organization determined that EA is a strategic function.

    The CIO had pledged support to the EA group and had given them a mandate to deliver long-term strategic architecture.

    The business leaders did not trust the EA team and believed that lack of business skills in the group put the business transformation at risk.

    Complication

    The EA group had been traditionally seen as a technology organization that helps with software design.

    The EA team lacked understanding of the business and hence there had been no common language between business and technology.

    Result

    Info-Tech helped the EA team create a set of 10 architectural principles that are business-value driven rather than technical statements.

    The team socialized the principles with the business and technology stakeholders and got their approvals.

    By applying the business focused architectural principles, the EA team was able to connect with the business leaders and gain their support.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    Key Activities

    • Determine organizational complexity.
    • Conduct an assessment of the EA governance components.
    • Identify and prioritize gaps.

    Outcomes

    • Organizational complexity assessment
    • EA governance capability assessment
    • A prioritized list of capability gaps

    Phase 2

    EA Fundamentals

    Create a Right-Sized Enterprise Architecture Governance Framework

    EA Fundamentals

    1. Current State of EA Governance
    2. EA Fundamentals
    3. Engagement Model
    4. EA Governing Bodies
    5. EA Policy
    6. Architectural Standards
    7. Communication Plan

    This phase will walk you through the following activities:

    • Craft the EA vision and mission
    • Develop the EA principles.
    • Identify the EA goals

    This step involves the following participants:

    • CIO
    • IT Leaders
    • Business Leaders
    • Head of Enterprise Architecture
    • Enterprise Architects
    • Domain Architects
    • Solution Architects

    Outcomes of this step

    • Refined set of EA fundamentals to support the building of EA governance

    Info-Tech Insight

    A house divided against itself cannot stand – ensure that the EA fundamentals are aligned with the organization’s goals and objectives.

    Phase 2 guided implementation outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 2: EA Fundamentals

    Proposed Time to Completion: 3 weeks

    Step 2.1: Develop the EA fundamentals

    Review findings with analyst:

    • Discuss the importance of the EA fundamentals – vision, mission, goals, measures, and principles.
    • Understand how to align the EA vision, mission, goals, and measures to your organization’s vision, mission, goals, measures, and principles.

    Then complete these activities…

    • Develop the EA vision statements.
    • Craft the EA mission statements.
    • Define EA goals and measures.
    • Adopt EA principles.

    With these tools & templates:

    • EA Vision and Mission Template
    • EA Principles Template
    • EA Goals and Measures Template

    Step 2.2: Review the EA fundamentals

    Review findings with analyst:

    • Review the EA fundamentals in conjunction with the results of the EA governance assessment tool and gather feedback.

    Then complete these activities…

    • Refine the EA vision, mission, goals, measures, and principles.
    • Review the list of tasks and plan your next steps.

    With these tools & templates:

    • EA Vision and Mission Template
    • EA Principles Template
    • EA Goals and Measures Template

    Fundamentals of an EA organization

    Vision, mission, goals and measures, and principles form the foundation of the EA function.

    Factors to consider when developing the vision and mission statements

    The vision and mission statements provide strategic direction to the EA team. These statements should be created based on the business and technology drivers in the organization.

    Business Drivers

    • Business drivers are factors that determine, or cause, an increase in value or major improvement of a business.
    • Examples of business drivers include:
      • Increased revenue
      • Customer retention
      • Salesforce effectiveness
      • Innovation

    Technology Drivers

    • Technology drivers are factors that are vital for the continued success and growth of a business using effective technologies.
    • Examples of technology drivers include:
      • Enterprise integration
      • Information security
      • Portability
      • Interoperability

    "The very essence of leadership is [that] you have a vision. It's got to be a vision you articulate clearly and forcefully on every occasion. You can't blow an uncertain trumpet." – Theodore Hesburgh

    Develop vision, mission, goals, measures, and principles to define the EA capability direction and purpose

    EA capability vision statement

    Articulates the desired future state of EA capability expressed in the present tense.

    • What will be the role of EA capability?
    • How will EA capability be perceived?

    Example: To be recognized by both the business and IT as a trusted partner that drives [Company Name]’s effectiveness, efficiency, and agility.

    EA capability mission statement

    Articulates the fundamental purpose of the EA capability.

    • Why does EA capability exist?
    • What does EA capability do to realize its vision?
    • Who are the key customers of the EA capability?

    Example: Define target enterprise architecture for [Company Name], identify solution opportunities, inform IT investment management, and direct solution development, acquisition, and operation compliance.

    EA capability goals and measures

    EA capability goals define specific desired outcomes of an EA management process execution. EA capability measures define how to validate the achievement of the EA capability goals.

    Example:

    Goal: Improve reuse of IT assets at [Company Name].

    Measures:

    • The number of building blocks available for reuse.
    • Percent of projects that utilized existing building blocks.
    • Estimated efficiency gain (= effort to create a building block * reuse count).

    EA principles

    EA principles are shared, long-lasting beliefs that guide the use of IT in constructing, transforming, and operating the enterprise by informing and restricting target-state enterprise architecture design, solution development, and procurement decisions.

    Example:

    • EA principle name: Reuse.
    • Statement: Maximize reuse of existing assets.
    • Rationale: Reuse prevents duplication of development and support efforts, increasing efficiency, and agility.
    • Implications: Define architecture and solution building blocks and ensure their consistent application.

    EA principles guide decision making

    Policies can be seen as “the letter of the law,” whereas EA principles summarize “the spirit of the law.”

    The image shows a graphic with EA Principles listed at the top, with an arrow pointing down to Decisions on the use of IT. At the bottom are domain-specific policies, with two arrows pointing upwards: the arrow on the left is labelled direct, and the arrow on the right is labelled control. The arrow points up to the label Decisions on the use of IT. On the left, there is an arrow pointing both up and down. At the top it is labelled The spirit of the law, and at the bottom, The letter of the law. On the right, there is another arrow pointing both up and down, labelled How should decisions be made at the top and labelled Who has the accountability and authority to make decisions? at the bottom.

    Define EA capability goals and related measures that resonate with EA capability stakeholders

    EA capability goals, i.e. specific desired outcomes of an EA management process execution. Use COBIT 5, APO03 process goals, and metrics as a starting point.

    The image shows a chart titled Manage Enterprise Architecture.

    Define relevant business value measures to collect indirect evidence of EA’s contribution to business benefits

    Define key operational measures for internal use by IT and EA practitioners. Also, define business value measures that communicate and demonstrate the value of EA as an enabler of business outcomes to senior executives.

    EA performance measures (lead, operational) EA value measures (lag)
    Application of EA management process EA’s contribution to IT performance EA’s contribution to business value

    Enterprise Architecture Management

    • Number of months since the last review of target state EA blueprints.

    IT Investment Portfolio Management

    • Percentage of projects that were identified and proposed by EA.

    Solution Development

    • Number of projects that passed EA reviews.
    • Number of building blocks reused.

    Operations Management

    • Reduction in the number of applications with overlapping functionality.

    Business Value

    • Lower non-discretionary IT spend.
    • Decreased time to production.
    • Higher satisfaction of IT-enabled services.

    Refine the organization’s EA fundamentals

    2.1 2 hrs

    Input

    • Group consensus on the current state of EA competencies.

    Output

    • A list of gaps that need to be addressed for EA governance competencies.

    Materials

    • Info-Tech’s EA assessment tool, a computer, and/or a whiteboard and marker.

    Participants

    • EA team, business line leads, IT department leads.

    The image shows the Table of Contents with four sections highlighted, beginning with EA Vision Statement and ending with EA Goals and Measures.

    Step 1 - Facilitate

    Download the three templates and hold a working session to facilitate a session on creating EA fundamentals.

    Download the EA Vision and Mission Template, the EA Principles Template, and the EA Goals and Measures Template

    Step 2 - Summarize

    Document the final vision, mission, principles, goals, and measures within the EA Governance Framework.

    Update the EA Governance Framework Template


    Ensure that the EA fundamentals are aligned to the organizational needs

    CASE STUDY

    Industry Insurance

    Source Info-Tech

    Situation

    The EA group at INSPRO01 was being pulled in multiple directions with requests ranging from architecture review to solution design to code reviews.

    Project level architecture was being practiced with no clarity on the end goal. This led to EA being viewed as just another IT function without any added benefits.

    Info-Tech recommended that the EA team ensure that the fundamentals (vision, mission, principles, goals, and measures) reflect what the team aspired to achieve before fixing any of the process concerns.

    Complication

    The EA team was mostly comprised of technical people and hence the best practices outlined were not driven by business value.

    The team had no documented vision and mission statements in place. In addition, the existing goals and measures were not tied to the business strategic objectives.

    The team had architectural principles documented, but there were too many and they were very technical in nature.

    Result

    With Info-Tech’s guidance, the team developed a vision and mission statement to succinctly communicate the purpose of the EA function.

    The team also reduced and simplified the EA principles to make sure they were value driven and communicated in business terms.

    Finally, the team proposed goals and measures to track the performance of the EA team.

    With the fundamentals in place, the team was able to show the value of EA and gain organization-wide acceptance.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    Key Activities

    • Craft the EA vision and mission.
    • Develop the EA principles.
    • Identify the EA goals.

    Outcomes

    • Refined set of EA fundamentals to support the building of EA governance.

    Phase 3

    Engagement Model

    Create a Right-Sized Enterprise Architecture Governance Framework

    Engagement Model

    1. Current state of EA governance
    2. EA fundamentals
    3. Engagement model
    4. EA governing bodies
    5. EA policy
    6. Architectural standards
    7. Communication Plan

    This step will walk you through the following activities:

    • Build the case for EA engagement
    • Engagement touchpoints within the IT operating model

    This step involves the following participants:

    • CIO
    • IT Leaders
    • Business Leaders
    • Head of Enterprise Architecture
    • Enterprise Architects
    • Domain Architects
    • Solution Architects

    Outcomes of this step

    • Summary of the assessment of the current EA engagement model
    • Target EA engagement model

    Info-Tech Insight

    Perform due diligence prior to decision making. Use the EA Engagement Model to promote conversations between stage gate meetings as opposed to having the conversation during the stage gate meetings.

    Phase 3 guided implementation outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 3: EA engagement model

    Proposed Time to Completion: 2 weeks

    Step 3.1 Review the current IT operating model

    Start with an analyst kick-off call:

    • Review Info-Tech’s IT operating model.
    • Understand how to document your organization’s IT operating model.
    • Document EA’s current role and responsibility at each stage of the IT operating model.

    Then complete these activities…

    • Document your organization’s IT operating model.

    With these tools & templates:

    • EA Engagement Model Template

    Step 3.2: Determine the target engagement model

    Review findings with analyst:

    • Review your organization’s current state IT operating model.
    • Review your EA’s role and responsibility at each stage of the IT operating model.
    • Document the role and responsibility of EA in the future state.

    Then complete these activities…

    • Document EA’s future role within each stage of your organization’s IT operating model.

    With these tools & templates:

    • EA Engagement Model Template.

    The three pillars of EA Engagement

    Effective EA engagement revolves around three basic principles – generating business benefits, creating adaptable models, and being able to replicate the process across the organization.

    Business Value Driven

    Focus on generating business value from organizational investments.

    Repeatable

    Process should be standardized, transparent, and repeatable so that it can be consistently applied across the organization.

    Flexible

    Accommodate the varying needs of projects of different sizes.

    Where these pillars meet: Advocates long-term strategic vs. short-term tactical solutions.

    EA interaction points within the IT operating model

    EA’s engagement in each stage within the plan, build, and run phases should be clearly defined and communicated.

    Plan Strategy Development Business Planning Conceptualization Portfolio Management
    Build Requirements Solution Design Application Development/ Procurement Quality Assurance
    Run Deploy Operate

    Document the organization’s current IT operating model

    3.1 2-3 hr

    Input

    • IT project lifecycle

    Output

    • Organization’s current IT operating model.

    Materials

    • A computer, and/or a whiteboard and marker.

    Participants

    • EA team, IT department leads, business leaders.

    Instructions:

    Hold a working session with the participants to document the current IT operating model. Facilitate the activity using the following steps:

    1. Map out the IT operating model.

    1. Find a project that was just deployed within the organization and backtrack every step of the way to the strategy development that resulted in the conception of the project.
    2. Interview the personnel involved with each step of the process to get a sense of whether or not projects usually move to deployment going through these steps.
    3. Review Info-Tech’s best-practice IT operating model presented in the EA Engagement Model Template, and add or remove any steps to the existing organization’s IT operating model as necessary. Document the finalized steps of the IT operating model.

    2. Determine EA’s current role in the operating model.

    1. Interview EA personnel through each step of the process and ask them their role. This is to get a sense of the type of input that EA is having into each step of the process.
    2. Using the EA Engagement Model Template, document the current role of EA in each step of the organization’s IT operation as you complete the interviews.

    Download the EA Engagement Model Template to document the organization’s current IT operating model.

    Define RACI in every stage of the IT operating model (e.g. EA role in strategy development phase of the IT operating model is presented below)

    Strategy Development

    Also known as strategic planning, strategy development is fundamental to creating and running a business. It involves the creation of a longer-term game plan or vision that sets specific goals and objectives for a business.

    R Those in charge of performing the task. These are the people actively involved in the completion of the required work. Business VPs, EA, IT directors R
    A The one ultimately answerable for the correct and thorough completion of the deliverable or task, and the one who delegates the work to those responsible. CEO A
    C Those whose opinions are sought before a decision is made, and with whom there is two-way communication. PMO, Line managers, etc. C
    I Those who are kept up to date on progress, and with whom there is one-way communication. Development managers, etc. I

    Next Step: Similarly define the RACI for each stage of the IT operating model; refer to the activity slide for prompts.

    Best practices on the role of EA within the IT operating model

    Plan

    Strategy Development

    C

    Business Planning

    C

    Conceptualization

    A

    Portfolio Management

    C

    Build

    Requirements

    C

    Solution Design

    R

    Application Development/ Procurement

    R

    Quality Assurance

    I

    Run

    Deploy

    I

    Operate

    I

    Next Step: Define the role of EA in each stage of the IT operating model; refer to the activity slide for prompts.

    Define EA’s target role in each step of the IT operating model

    3.2 2 hrs

    Input

    • Organization’s IT operating model.

    Output

    • Organization’s EA engagement model.

    Materials

    • A computer, and/or a whiteboard and marker.

    Participants

    • EA team, CIO, business leaders, IT department leaders.

    The image shows the Table of Contents for the EA Engagement Model Template with the EA Engagement Summary section highlighted.

    Step 1 - Facilitate

    Download the EA Engagement Model Template and hold a working session to define EA’s target role in each step of the IT operating model.

    Download the EA Engagement Model Template

    Step 2 - Summarize

    Document the target state role of EA within the EA Governance Framework document.

    Update the EA Governance Framework Template


    Design an EA engagement model to formalize EA’s role within the IT operating model

    CASE STUDY

    Industry Insurance

    Source Info-Tech

    Situation

    INSPRO01 had a high IT cost structure with looming technology debt due to a preference for short-term tactical gains over long-term solutions.

    The business satisfaction with IT was at an all-time low due to expensive solutions that did not meet business needs.

    INSPRO01’s technology landscape was in disarray with many overlapping systems and interoperability issues.

    Complication

    No single team within the organization had an end-to-end perspective all the way from strategy to project execution. A lot of information was being lost in handoffs between different teams.

    This led to inconsistent design/solution patterns being applied. Investment decisions had not been grounded in reality and this often led to cost overruns.

    Result

    Info-Tech helped INSPRO01 identify opportunities for EA team engagement at different stages of the IT operating model. EA’s role within each stage was clearly defined and documented.

    With Info-Tech’s help, the EA team successfully made the case for engagement upfront during strategy development rather than during project execution.

    The increased transparency enabled the EA team to ensure that investments were aligned to organizational strategic goals and objectives.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    Key Activities

    • Build the case for EA engagement.
    • Identify engagement touchpoints within the IT operating model.

    Outcomes

    • Summary of the assessment of the current EA engagement model
    • Target EA engagement model

    Phase 4

    EA Governing Bodies

    Create a Right-Sized Enterprise Architecture Governance Framework

    EA Governing Bodies

    1. Current state of EA governance
    2. EA fundamentals
    3. Engagement model
    4. EA governing bodies
    5. EA policy
    6. Architectural standards
    7. Communication Plan

    This phase will walk you through the following activities:

    • Identify the number of governing bodies
    • Define the game plan to initialize the governing bodies
    • Define the architecture review process

    This step involves the following participants:

    • CIO
    • IT Leaders
    • Business Leaders
    • Head of Enterprise Architecture
    • Enterprise Architects
    • Domain Architects
    • Solution Architects

    Outcomes of this step

    • Charter definition for each EA governance board

    Info-Tech Insight

    Use architecture governance like a scalpel rather than a hatchet. Implement governing bodies to provide guidance rather than act as a police force.

    Phase 4 guided implementation

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 4: Create or identify EA governing bodies

    Proposed Time to Completion: 2 weeks

    Step 4.1: Identify architecture boards and develop charters

    Start with an analyst kick-off call:

    • Understand the factors influencing the number of governing bodies required for an organization.
    • Understand the components of a governing body charter.

    Then complete these activities…

    • Identify how many governing bodies are needed.
    • Define EA governing body composition, meeting frequency, and domain of coverage.
    • Define the inputs and outputs of each EA governing body.
    • Identify mandatory inclusion criteria.

    With these tools & templates:

    • Architecture Board Charter Template

    Step 4.2: Develop an architecture review process

    Follow-up with an analyst call:

    • Review the number of boards identified for your organization and gather feedback.
    • Review the charters developed for each governing body and gather feedback.
    • Understand the various factors that impact the architecture review process.
    • Review Info-Tech’s best-practice architecture review process.

    Then complete these activities…

    • Refine the charters for governing bodies.
    • Develop the architecture review process for your organization.

    With these tools & templates:

    • Architecture Review Process Template

    Factors that determine the number of architectural boards required

    The primary purpose of architecture boards is to ensure that business benefits are maximized and solution design is within the options set forth by the architectural reference models without introducing additional layers of bureaucracy.

    The optimal number of architecture boards required in an organization is a function of the following factors:

    • EA organization model
      • Distributed
      • Federated
      • Centralized
    • Architecture domains Maturity of architecture domains
    • Project throughput

    Commonly observed architecture boards:

    • Architecture Review Board
    • Technical Architecture Committee
    • Data Architecture Review Board
    • Infrastructure Architecture Review Board
    • Security Architecture Review Board

    Info-Tech Insight

    Before building out a new governance board, start small by repurposing existing forums by adding architecture as an agenda item. As the items for review increase consider introducing dedicated governing bodies.

    EA organization model drives the architecture governance structure

    EA teams can be organized in three ways – distributed, federated, and centralized. Each model has its own strengths and weaknesses. EA governance must be structured in a way such that the strengths are harvested and the weaknesses are mitigated.

    Distributed Federated Centralized
    EA org. structure
    • No overarching EA team exists and segment architects report to line of business (LOB) executives.
    • A centralized EA team exists with segment architects reporting to LOB executives and dotted-line to head of (centralized) EA.
    • A centralized EA capability exists with enterprise architects reporting to the head of EA.
    Implications
    • Produces a fragmented and disjointed collection of architectures.
    • Economies of scale are not realized.
    • High cross-silo integration effort.
    • LOB-specific approach to EA.
    • Requires dual reporting relationships.
    • Additional effort is required to coordinate centralized EA policies and blueprints with segment EA policies and blueprints.
    • Accountabilities may be unclear.
    • Can be less responsive to individual LOB needs, because the centralized EA capability must analyze needs of multiple LOBs and various trade-off options to avoid specialized, one-off solutions.
    • May impede innovation.
    Architectural boards
    • Cross LOB working groups to create architecture standards, patterns, and common services.
    • Local boards to support responsiveness to LOB-specific needs.
    • Cross LOB working groups to create architecture standards, patterns and common services.
    • Cross-enterprise boards to ensure adherence to enterprise standards and reduce integration costs.
    • Local boards to support responsiveness to LOB specific needs.
    • Enterprise working groups to create architecture standards, patterns, and all services.
    • Central board to ensure adherence to enterprise standards.

    Architecture domains influences the number of architecture boards required

    • An architecture review board (ARB) provides direction for domain-specific boards and acts as an escalation point. The ARB must have the right mix of both business and technology stakeholders.
    • Domain-specific boards provide a platform to have focused discussions on items specific to that domain.
    • Based on project throughput and the maturity of each domain, organizations would have to pick the optimal number of boards.
    • Architecture working groups provide a platform for cross-domain conversations to establish organization wide standards.
    Level 1 Architecture Review Board IT and Business Leaders
    Level 2 Business Architecture Board Data Architecture Board Application Architecture Board Infrastructure Architecture Board Security Architecture Board IT and Business Managers
    Level 3 Architecture Working Groups Architects

    Create a game plan for the architecture boards

    • Start with a single board for each level – an architecture review board (ARB), a technical architecture committee (TAC), and architecture working groups.
    • As the organization matures and the number of requests to the TAC increase, consider creating domain-specific boards – such as business architecture, data architecture, application architecture, etc. – to handle architecture decisions pertaining to that domain.

    Start with this:

    Level 1 Architecture Review Board
    Level 2 Technical Architecture Committee
    Level 3 Architecture Working Groups

    Change to this:

    Architecture Review Board IT and Business Leaders
    Business Architecture Board Data Architecture Board Application Architecture Board Infrastructure Architecture Board Security Architecture Board IT and Business Managers
    Architecture Working Groups Architects

    Architecture boards have different objectives and activities

    The boards at each level should be set up with the correct agenda – ensure that the boards’ composition and activities reflect their objective. Use the entry criteria to communicate the agenda for their meetings.

    Architecture Review Board Technical Architecture Committee
    Objective
    • Evaluates business strategy, needs, and priorities, sets direction and acts as a decision making authority of the EA capability.
    • Directs the development of target state architecture.
    • Monitors performance and compliance of the architectural standards.
    • Monitor project solution architecture compliance to standards, regulations, EA principles, and target state EA blueprints.
    • Review EA compliance waiver requests, make recommendations, and escalate to the architecture review board (ARB).
    Composition
    • Business Leadership
    • IT Leadership
    • Head of Enterprise Architecture
    • Business Managers
    • IT Managers
    • Architects
    Activities
    • Review compliance of conceptual solution to standards.
    • Discuss the enterprise implications of the proposed solution.
    • Select and approve vendors.
    • Review detailed solution design.
    • Discuss the risks of the proposed solution.
    • Discuss the cost of the proposed solution.
    • Review and recommend vendors.
    Entry Criteria
    • Changes to IT Enterprise Technology Policy.
    • Changes to the technology management plan.
    • Approve changes to enterprise technology inventory/portfolio.
    • Ongoing operational cost impacts.
    • Detailed estimates for the solution are ready for review.
    • There are significant changes to protocols or technologies responsible for solution.
    • When the project is deviating from baselined architectures.

    Identify the number of governing bodies

    4.1 2 hrs

    Input

    • EA Vision and Mission
    • EA Engagement Model

    Output

    • A list of EA governing bodies.

    Materials

    • A computer, and/or a whiteboard and marker.

    Participants

    • EA team, CIO, business line leads, IT department leads.

    Instructions:

    Hold a working session with the participants to identify the number of governing bodies. Facilitate the activity using the following steps:

    1. Examine the EA organization models mentioned previously. Assess how your organization is structured, and identify whether your organization has a federated, distributed or centralized EA organization model.
    2. Reference the “Game plan for the architecture boards” slide. Assess the architecture domains, and define how many there are in the organization.
    3. Architecture domains:
      1. If no defined architecture domains exist, model the number of governing bodies in the organization based on the “Start with this” scenario in the “Game plan for the architecture boards” slide.
      2. If defined architecture domains do exist, model the number of governing bodies based on the “Change to this” scenario in the “Game plan for the architecture boards” slide.
    4. Name each governing body you have defined in the previous step. Download Info-Tech’s Architecture Board Charter Template for each domain you have named. Input the names into the title of each downloaded template.

    Download the Architecture Board Charter Template to document this activity.

    Defining the governing body charter

    The charter represents the agreement between the governing body and its stakeholders about the value proposition and obligations to the organization.

    1. Purpose: The reason for the existence of the governing body and its goals and objectives.
    2. Composition: The members who make up the committee and their roles and responsibilities in it.
    3. Frequency of meetings: The frequency at which the committee gathers to discuss items and make decisions.
    4. Entry/Exit Criteria: The criteria by which the committee selects items for review and items for which decisions can be taken.
    5. Inputs: Materials that are provided as inputs for review and decision making by the committee.
    6. Outputs: Materials that are provided by the committee after an item has been reviewed and the decision made.
    7. Activities: Actions undertaken by the committee to arrive at its decision.

    Define EA’s target role in each step of the IT operating model

    4.2 3 hrs

    Input

    • A list of all identified EA governing bodies.

    Output

    • Charters for each EA governing bodies.

    Materials

    • A computer, and/or a whiteboard and marker.

    Participants

    • EA team, business line leads, IT department leads.

    The image shows the Table of Contents for the EA Governance Framework document, with the Architecture Board Charters highlighted.

    Step 1 Facilitate

    Hold a working session with the stakeholders to define the charter for each of the identified architecture boards.

    Download Architecture Board Charter Template

    Step 2 Summarize

    • Summarize the objectives of each board and reference the charter document within the EA Governance Framework.
    • Upload the final charter document to the team’s common repository.

    Update the EA Governance Framework document


    Considerations when creating an architecture review process

    • Ensure that architecture review happens at major milestones within the organization’s IT Operating Model such as the plan, build, and run phases.
    • In order to provide continuous engagement, make the EA group accountable for solution architecture in the plan phase. In the build phase, the EA group will be consulted while the solution architect will be responsible for the project solution architecture.

    Plan

    • Strategy Development
    • Business Planning
    • A - Conceptualization
    • Portfolio Management

    Build

    • Requirements
    • R - Solution Design
    • Application Development/ Procurement
    • Quality Assurance

    Run

    • Deploy
    • Operate

    Best-practice project architecture review process

    The best-practice model presented facilitates the creation of sound solution architecture through continuous engagement with the EA team and well-defined governance checkpoints.

    The image shows a graphic of the best-practice model. At the left, four categories are listed: Committees; EA; Project Team; LOB. At the top, three categories are listed: Plan; Build; Run. Within the area between these categories is a flow chart demonstrating the best-practice model and specific checkpoints throughout.

    Develop the architecture review process

    4.3 2 hours

    Input

    • A list of all EA governing bodies.
    • Info-Tech’s best practice architecture review process.

    Output

    • The new architecture review process.

    Materials

    • A computer, and/or a whiteboard and marker.

    Participants

    • EA team, business line leads, IT department leads.

    Hold a working session with the participants to develop the architecture review process. Facilitate the activity using the following steps:

    1. Reference Info-Tech’s best-practice architecture review process embedded within the “Architecture Review Process Template” to gain an understanding of an ideal architecture review process.
    2. Identify the stages within the plan, build, and run phases where solution architecture reviews should occur, and identify the governing bodies involved in these reviews.
    3. As you go through these stages, record your findings in the Architecture Review Process Template.
    4. Connect the various activities leading to and from the architecture creation points to outline the review process.

    Download the Architecture Review Process Template for additional guidance regarding developing an architecture review process.

    Develop the architecture review process

    4.3 2 hrs

    Input

    • A list of all identified EA governing bodies.

    Output

    • Charters for each EA governing bodies.

    Materials

    • A computer, and/or a whiteboard and marker.

    Participants

    • EA team, business line leads, IT department leads.

    The image shows a screenshot of the Table of Contents, with the Architecture Review Process highlighted.

    Step 1 - Facilitate

    Download Architecture Review Process Template and facilitate a session to customize the best-practice model presented in the template.

    Download the Architecture Review Process Template

    Step 2 - Summarize

    Summarize the process changes and document the process flow in the EA Governance Framework document.

    Update the EA Governance Framework Template

    Right-size EA governing bodies to reduce the perception of red tape

    Case Study

    Industry Insurance

    Source Info-Tech

    Situation

    At INSPRO01, architecture governance boards were a bottleneck. The boards fielded all project requests, ranging from simple screen label changes to complex initiatives spanning multiple applications.

    These boards were designed as forums for technology discussions without any business stakeholder involvement.

    Complication

    INSPRO01’s management never gave buy-in to the architecture governance boards since their value was uncertain.

    Additionally, architectural reviews were perceived as an item to be checked off rather than a forum for getting feedback.

    Architectural exceptions were not being followed through due to the lack of a dispensation process.

    Result

    Info-Tech has helped the team define adaptable inclusion/exclusion criteria (based on project complexity) for each of the architectural governing boards.

    The EA team was able to make the case for business participation in the architecture forums to better align business and technology investment.

    An architecture dispensation process was created and operationalized. As a result architecture reviews became more transparent with well-defined next steps.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    Key Activities

    • Identify the number of governing bodies.
    • Define the game plan to initialize the governing bodies.
    • Define the architecture review process.

    Outcomes

    • Charter definition for each EA governance board

    Phase 5

    EA Policy

    Create a Right-Sized Enterprise Architecture Governance Framework

    EA Policy

    1. Current state of EA governance
    2. EA fundamentals
    3. Engagement model
    4. EA governing bodies
    5. EA policy
    6. Architectural standards
    7. Communication Plan

    This phase will walk you through the following activities:

    • Define the EA policy scope
    • Identify the target audience
    • Determine the inclusion and exclusion criteria
    • Create an assessment checklist

    This step involves the following participants:

    • CIO
    • IT Leaders
    • Business Leaders
    • Head of Enterprise Architecture
    • Enterprise Architects
    • Domain Architects
    • Solution Architects

    Outcomes of this step

    • The completed EA policy
    • Project assessment checklist
    • Defined assessment outcomes
    • Completed compliance waiver process

    Info-Tech Insight

    Use the EA policy to promote EA’s commitment to deliver value to business stakeholders through process transparency, stakeholder engagement, and compliance.

    Phase 5 guided implementation

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 5: EA Policy

    Proposed Time to Completion: 3 weeks

    Step 5.1–5.3: EA Policy, Assessment Checklists, and Decision Types

    Start with an analyst kick-off call:

    • Discuss the three pillars of EA policy and its purpose.
    • Review the components of an effective EA policy.
    • Understand how to develop architecture assessment checklists.
    • Understand the assessment decision types.

    Then complete these activities…

    • Define purpose, scope, and audience of the EA policy.
    • Create a project assessment checklist.
    • Define the organization’s assessment decision type.

    With these tools & templates:

    • EA Policy Template
    • EA Assessment Checklist Template

    Step 5.4: Compliance Waivers

    Review findings with analyst:

    • Review your draft EA policy and gather feedback.
    • Review your project assessment checklists and the assessment decision types.
    • Discuss the best-practice architecture compliance waiver process and how to tailor it to your organizational needs.

    Then complete these activities…

    • Refine the EA policy based on feedback gathered.
    • Create the compliance waiver process.

    With these tools & templates:

    • EA Compliance Waiver Process Template
    • EA Compliance Waiver Form Template

    Three pillars of architecture policy

    Architecture policy is a set of guidelines, formulated and enforced by the governing bodies of an organization, to guide and constrain architectural choices in pursuit of strategic goals.

    Architecture compliance – promotes compliance to organizational standards through well-defined assessment checklists across architectural domains.

    Business value – ensures that investments are tied to business value by enforcing traceability to business capabilities.

    Architectural guidance – provides guidance to architecture practitioners on the application of the business and technology standards.

    Components of EA policy

    An enterprise architecture policy is an actionable document that can be applied to projects of varying complexity across the organization.

    1. Purpose and Scope: This EA policy document clearly defines the scope and the objectives of architecture reviews within an organization.
    2. Target Audience: The intended audience of the policy such as employees and partners.
    3. Architecture Assessment Checklist: A wide range of typical questions that may be used in conducting Architecture Compliance reviews, relating to various aspects of the architecture.
    4. Assessment Outcomes: The outcome of the architecture review process that determines the conformance of a project solution to the enterprise architecture standards.
    5. Compliance Waiver: Used when a solution or segment architecture is perceived to be non-compliant with the enterprise architecture.

    Draft the purpose and scope of the EA policy

    5.1 2.5 hrs

    Input

    • A consensus on the purpose, scope, and audience for the EA policy.

    Output

    • Documented version of the purpose, scope, and audience for the EA policy.

    Materials

    • A computer, and/or a whiteboard and marker.

    Participants

    • EA team, CIO, business line leads, IT department leads.

    The image shows a screenshot of the Table of Contents with the EA Policy section highlighted.

    Step 1 - Facilitate

    Download the EA Policy Template and hold a working session to draft the EA policy.

    Download the EA Policy Template

    Step 2 - Summarize

    • Summarize purpose, scope, and intended audience of the policy in the EA Governance Framework document.
    • Update the EA policy document with the purpose, scope and intended audience.

    Update the EA Governance Framework Template

    Architecture assessment checklist

    Architecture assessment checklist is a list of future-looking criteria that a project will be assessed against. It provides a set of standards against which projects can be assessed in order to render a decision on whether or not the project can be greenlighted.

    Architecture checklists should be created for each EA domain since each domain provides guidance on specific aspects of the project.

    Sample Checklist Questions

    Business Architecture:

    • Is the project aligned to organizational strategic goals and objectives?
    • What are the business capabilities that the project supports? Is it creating new capabilities or supporting an existing one?

    Data Architecture:

    • What processes are in place to support data referential integrity and/or normalization?
    • What is the physical data model definition (derived from logical data models) used to design the database?

    Application Architecture:

    • Can this application be placed on an application server independent of all other applications? If not, explain the dependencies.
    • Can additional parallel application servers be easily added? If so, what is the load balancing mechanism?

    Infrastructure Architecture:

    • Does the solution provide high-availability and fault-tolerance that can recover from events within a datacenter?

    Security Architecture:

    • Have you ensured that the corporate security policies and guidelines to which you are designing are the latest versions?

    Create architectural assessment checklists

    5.2 2 hrs

    Input

    • Reference architecture models.

    Output

    • Architecture assessment checklist.

    Materials

    • A computer, and/or a whiteboard and marker.

    Participants

    • EA team, business line leads, IT department leads.

    The image shows a screenshot of the Table of Contents with the EA Assessment Checklist section highlighted.

    Step 1 - Facilitate

    Download the EA Assessment Checklist Template and hold a working session to create the architectural assessment checklists.

    Download the EA Assessment Checklist Template

    Step 2 - Summarize

    • Summarize the major points of the checklists in the EA Governance Framework document.
    • Update the EA policy document with the detailed architecture assessment checklists.

    Update the EA Governance Framework Template

    Architecture assessment decision types

    • As a part of the proposed solution review, the governing bodies produce a decision indicating the compliance of the solution architecture with the enterprise standards.
    • Go, No Go, or Conditional are a sample set of decision outcomes available to the governing bodies.
    • On a conditional approval, the project team must file for a compliance waiver.

    Approved

    • The solution demonstrates substantial compliance with standards.
    • Negligible risk to the organization or minimal risks with sound plans of how to mitigate them.
    • Architectural approval to proceed with delivery type of work.

    Conditional Approval

    • The significant aspects of the solution have been addressed in a satisfactory manner.
    • Yet, there are some aspects of the solution that are not compliant with standards.
    • The architectural approval is conditional upon presenting the missing evidence within a minimal period of time determined.
    • The risk level may be acceptable to the organization from an overall IT governance perspective.

    Not Approved

    • The solution is not compliant with the standards.
    • Scheduled for a follow-up review.
    • Not recommended to proceed until the solution is more compliant with the standards.

    Best-practice architecture compliance waiver process

    Waivers are not permanent. Waiver terms must be documented for each waiver specifying:

    • Time period after which the architecture in question will be compliant with the enterprise architecture.
    • The modifications necessary to the enterprise architecture to accommodate the solution.

    The image shows a flow chart, split into 4 sections: Enterprise Architect; Solution Architect; TAC; ARB. To the right of these section labels, there is a flow chart that documents the waiver process.

    Create compliance waiver process

    5.4 3-4 hrs

    Input

    • A consensus on the compliance waiver process.

    Output

    • Documented compliance waiver process and form.

    Materials

    • A computer, and/or a whiteboard and marker.

    Participants

    • EA team, business line leads, IT department leads.

    The image shows the Table of Contents with the Compliance Waiver Form section highlighted.

    Step 1 - Facilitate

    Download the EA compliance waiver template and hold a working session to customize the best-practice process to your organization’s needs.

    Download the EA Compliance Waiver Process Template

    Step 2 - Summarize

    • Summarize the objectives and high-level process in the EA Governance Framework document.
    • Update the EA policy document with the compliance waiver process.
    • Upload the final policy document to the team’s common repository.

    Update the EA Governance Framework Template

    Creates an enterprise architecture policy to drive adoption

    Case Study

    Industry Insurance

    Source Info-Tech

    Situation

    EA program adoption across INSPRO01 was at its lowest point due to a lack of transparency into the activities performed by the EA group.

    Often, projects ignored EA entirely as it was viewed as a nebulous and non-value-added activity that produced no measurable results.

    Complication

    There was very little documented information about the architecture assessment process and the standards against which project solution architectures were evaluated.

    Additionally, there were no well-defined outcomes for the assessment.

    Project groups were left speculating about the next steps and with little guidance on what to do after completing an assessment.

    Result

    Info-Tech helped the EA team create an EA policy containing architecture significance criteria, assessment checklists, and reference to the architecture review process.

    Additionally, the team also identified guidelines and detailed next steps for projects based on the outcome of the architecture assessment.

    These actions brought clarity to EA processes and fostered better engagement with the EA group.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    Key Activities

    • Define the scope.
    • Identify the target audience.
    • Determine the inclusion and exclusion criteria.
    • Create an assessment checklist.

    Outcomes

    • The completed EA policy
    • Project assessment checklist
    • Defined assessment outcomes
    • Completed compliance waiver process

    Phase 6

    Architectural Standards

    Create a Right-Sized Enterprise Architecture Governance Framework

    Architectural Standards

    1. Current state of EA governance
    2. EA fundamentals
    3. Engagement model
    4. EA governing bodies
    5. EA policy
    6. Architectural standards
    7. Communication Plan

    This phase will walk you through the following activities:

    • Identify and standardize EA work products
    • Classify the architectural standards
    • Identify the custodian of standards
    • Update the standards

    This step involves the following participants:

    • Head of Enterprise Architecture
    • Enterprise Architects
    • Domain Architects
    • Solution Architects

    Outcomes of this step

    • A standardized set of EA work products
    • A way to categorize and store EA work products
    • A defined method of updating standards

    Info-Tech Insight

    The architecture standard is the currency that facilitates information exchange between stakeholders. The primary purpose is to minimize transaction costs by providing a balance between stability and relevancy.

    Phase 6 guided implementation

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 6: Architectural standards

    Proposed Time to Completion: 4 weeks

    Step 6.1: Understand Architectural Standards

    Start with an analyst kick-off call:

    • Discuss architectural standards.
    • Know how to identify and define EA work products.
    • Understand the standard content of work products.

    Then complete these activities…

    • Identify and standardize EA work products.

    Step 6.2–6.3: EA Repository and Updating the Standards

    Review with analyst:

    • Review the standardized EA work products.
    • Discuss the principles of EA repository.
    • Discuss the Info-Tech best-practice model for updating architecture standards and how to tailor them to your organizational context.

    Then complete these activities…

    • Build a folder structure for storing EA work products.
    • Use the Info-Tech best-practice architecture standards update process to develop your organization’s process for updating architecture standards.

    With these tools & templates:

    • Architecture Standards Update Process Template

    Recommended list of EA work products to standardize

    • EA work products listed below are typically produced as a part of the architecture lifecycle.
    • To ensure consistent development of architecture, the work products need to be standardized.
    • Consider standardizing both the naming conventions and the content of the work products.
    1. EA vision: A document containing the vision that provides the high-level aspiration of the capabilities and business value that EA will deliver.
    2. Statement of EA Work: The Statement of Architecture Work defines the scope and approach that will be used to complete an architecture project.
    3. Reference architectures: A reference architecture is a set of best-practice taxonomy that describes components and the conceptual structure of the model, as well as graphics, which provide a visual representation of the taxonomy to aid understanding. Reference architectures are created for each of the architecture domains.
    4. Solution proposal: The proposed project solution based on the EA guidelines and standards.
    5. Compliance assessment request: The document that contains the project solution architecture assessment details.
    6. Architecture change request: The request that initiates a change to architecture standards when existing standards can no longer meet the needs of the enterprise.
    7. Transition architecture: A transition architecture shows the enterprise at incremental states that reflect periods of transition that sit between the baseline and target architectures.
    8. Architectural roadmap: A roadmap that lists individual increments of change and lays them out on a timeline to show progression from the baseline architecture to the target architecture.
    9. EA compliance waiver request: A compliance waiver request that must be made when a solution or segment architecture is perceived to be non-compliant with the enterprise architecture.

    Standardize the content of each work product

    1. Purpose - The reason for the existence of the work product.
    2. Owner - The owner of this EA work product.
    3. Target Audience - The intended audience of the work product such as employees and partners.
    4. Naming Pattern - The pattern for the name of the work product as well as its file name.
    5. Table of Contents - The various sections of the work product.
    6. Review & Sign-Off Authority - The stakeholders who will review the work product and approve it.
    7. Repository Folder Location - The location where the work product will be stored.

    Identify and standardize work products

    6.1 3 hrs

    Input

    • List of various documents being produced by projects currently.

    Output

    • Standardized list of work products.

    Materials

    • A computer, and/or a whiteboard and marker.

    Participants

    • A computer, and/or a whiteboard and marker.

    Instructions:

    Hold a working session with the participants to identify and standardize work products. Facilitate the activity using the steps below.

    1. Identifying EA work products:
      1. Start by reviewing the list of all architecture-related documents presently produced in the organization. Any such deliverable with the following characteristics can be standardized:
        1. If it can be broken out and made into a standalone document.
        2. If it can be made into a fill-in form completed by others.
        3. If it is repetitive and requires iterative changes.
      2. Create a list of work products that your organization would like to standardize based on the characteristics above.
    2. The content and format of standardized EA work products:
      1. For each work product your organization wishes to standardize, look at its purpose and brainstorm the content needed to fulfill that purpose.
      2. After identifying the elements that need to be included in the work product to fulfill its purpose, order them logically for presentation purposes.
      3. In each section of the work product that need to be completed, include instructions on how to complete the section.
      4. Review the seven elements presented in the previous slide and include them in the work products.

    EA repository - information taxonomy

    As the EA function begins to grow and accumulates EA work products, having a well-designed folder structure helps you find the necessary information efficiently.

    Architecture meta-model

    Describes the organizationally tailored architecture framework.

    Architecture capability

    Defines the parameters, structures, and processes that support the enterprise architecture group.

    Architecture landscape

    An architectural presentation of assets in use by the enterprise at particular points in time.

    Standards information base

    Captures the standards with which new architectures and deployed services must comply.

    Reference library

    Provides guidelines, templates, patterns, and other forms of reference material to accelerate the creation of new architectures for the enterprise.

    Governance log

    Provides a record of governance activity across the enterprise.

    Create repository folder structure

    6.2 5-6 hrs

    Input

    • List of standardized work products.

    Output

    • EA work products mapped to a repository folder.

    Materials

    • A computer, and/or a whiteboard and marker.

    Participants

    • EA team, IT department leads.

    Instructions:

    Hold a working session with the participants to create a repository structure. Facilitate the activity using the steps below:

    1. Start with the taxonomy on the previous slide, and sort the existing work products into these six categories.
    2. Assess that the work products are sorted in a mutually exclusive and collectively exhaustive fashion. This means that a certain work product that appears in one category should not appear in another category. As well, make sure these six categories capture all the existing work products.
    3. Based on the categorization of the work products, build a folder structure that follows these categories, which will allow for the work products to be accessed quickly and easily.

    Create a process to update EA work products

    • Architectural standards are not set in stone and should be reviewed and updated periodically.
    • The Architecture Review Board is the custodian for standards.
    • Any change to the standards need to be assessed thoroughly and must be communicated to all the impacted stakeholders.

    Architectural standards update process

    Identify

    • Identify changes to the standards

    Assess

    • Review and assess the impacts of the change

    Document

    • Document the change and update the standard

    Approve

    • Distribute the updated standards to key stakeholders for approval

    Communicate

    • Communicate the approved changes to impacted stakeholders

    Create a process to continually update standards

    6.3 1.5 hrs

    Input

    • The list of work products and its owners.

    Output

    • A documented work product update process.

    Materials

    • A computer, and/or a whiteboard and marker.

    Participants

    • EA team, business line leads, IT department leads.

    The image shows the screenshot of the Table of Contents with the Standards Update Process highlighted.

    Step 1 - Facilitate

    Download the standards update process template and hold a working session to customize the best practice process to your organization’s needs.

    Download the Architecture Standards Update Process Template

    Step 2 - Summarize

    Summarize the objectives and the process flow in the EA governance framework document.

    Update the EA Governance Framework Template

    Create architectural standards to minimize transaction costs

    Case Study

    Industry Insurance

    Source Info-Tech

    Situation

    INSPRO01 didn’t maintain any centralized standards and each project had its own solution/design work products based on the preference of the architect on the project. This led to multiple standards across the organization.

    Lack of consistency in architectural deliverables made the information hand-offs expensive.

    Complication

    INSPRO01 didn’t maintain the architectural documents in a central repository and the information was scattered across multiple project folders.

    This caused key stakeholders to make decisions based on incomplete information and resulted in constant revisions as new information became available.

    Result

    Info-Tech recommended that the EA team identify and standardize the various EA work products so that information was collected in a consistent manner across the organization.

    The team also recommended an information taxonomy to store the architectural deliverables and other collateral.

    This resulted in increased consistency and standardization leading to efficiency gains.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    Key Activities

    • Identify and standardize EA work products.
    • Classify the architectural standards.
    • Identify the custodian of standards.
    • Update the standards.

    Outcomes

    • A standardized set of EA work products
    • A way to categorize and store EA work products
    • A defined method of updating standards

    Phase 7

    Communication Plan

    Create a Right-Sized Enterprise Architecture Governance Framework

    Communication Plan

    1. Current state of EA governance
    2. EA fundamentals
    3. Engagement model
    4. EA governing bodies
    5. EA policy
    6. Architectural standards
    7. Communication Plan

    This phase will walk you through the following activities:

    • List the changes identified in the EA governance initiative
    • Identify stakeholders
    • Create a communication plan

    This step involves the following participants:

    • Head of Enterprise Architecture
    • Enterprise Architects
    • Domain Architects
    • Solution Architects

    Outcomes of this step

    • Communication Plan
    • EA Governance Framework

    Info-Tech Insight

    By failing to prepare, you are preparing to fail – maximize the likelihood of success for EA governance by engaging the relevant stakeholders and communicating the changes.

    Phase 7 guided implementation

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 6: Operationalize the EA governance framework

    Proposed Time to Completion: 1 week

    Step 7.1: Create a Communication Plan

    Start with an analyst kick-off call:

    • Discuss how to communicate changes to stakeholders.
    • Discuss the purposes and benefits of the EA governance framework.

    Then complete these activities…

    • Identify the stakeholders affected by the EA governance transformations.
    • List the benefits of the proposed EA governance initiative.
    • Create a plan to communicate the changes to impacted stakeholders.

    With these tools & templates:

    • EA Governance Communication Plan Template
    • EA Governance Framework Template

    Step 7.2: Review the Communication Plan

    Start with an analyst kick-off call:

    • Review the communication plan and gather feedback on the proposed stakeholders.
    • Confer about the various methods of communicating change in an organization.
    • Discuss the uses of the EA Governance Framework.

    Then complete these activities…

    • Refine your communication plan and use it to engage with stakeholders to better serve customers.
    • Create the EA Governance Framework to accompany the communication plan in engaging stakeholders to better understand the value of EA.

    With these tools & templates:

    • EA Governance Communication Plan Template
    • EA Governance Framework Template

    Communicate changes to stakeholders

    The changes made to the EA governance components need to be reviewed, approved, and communicated to all of the impacted stakeholders.

    Deliverables to be reviewed:

    • Fundamentals
      • Vision and Mission
      • Goals and Measures
      • Principles
    • Architecture review process
    • Assessment checklists
    • Policy Governing body charters
    • Architectural standards

    Deliverable Review Process:

    Step 1: Hold a meeting with stakeholders to review, refine, and agree on the changes.

    Step 2: Obtain an official approval from the stakeholders.

    Step 3: Communicate the changes to the impacted stakeholders.

    Communicate the changes by creating an EA governance framework and communication plan

    7.1 3 hrs

    Input

    • EA governance deliverables.

    Output

    • EA Governance Framework
    • Communication Plan.

    Materials

    • A computer, and/or a whiteboard and marker.

    Participants

    • EA team, CIO, business line leads, IT department leads.

    Instructions:

    Hold a working session with the participants to create the EA governance framework as well as the communication plan. Facilitate the activity using the steps below:

    1. EA Governance Framework:
      1. The EA Governance Framework is a document that will help reference and cite all the materials created from this blueprint. Follow the instructions on the framework to complete.
    2. Communication Plan:
      1. Identify the stakeholders based on the EA governance deliverables.
      2. For each stakeholder identified, complete the “Communication Matrix” section in the EA Governance Communication Plan Template. Fill out the section based on the instructions in the template.
      3. As the stakeholders are identified based on the “Communication Matrix,” use the EA Governance Framework document to communicate the changes.

    Download the EA Governance Communication Plan Template and EA Governance Framework Template for additional instructions and to document your activities in this phase.

    Maximize the likelihood of success by communicating changes

    Case Study

    Industry Insurance

    Source Info-Tech

    Situation

    The EA group followed Info-Tech’s methodology to assess the current state and has identified areas for improvement.

    Best practices were adopted to fill the gaps identified.

    The team planned to communicate the changes to the technology leadership team and get approvals.

    As the EA team tried to roll out changes, they encountered resistance from various IT teams.

    Complication

    The team was not sure of how to communicate the changes to the business stakeholders.

    Result

    Info-Tech has helped the team conduct a thorough stakeholder analysis to identify all the stakeholders who would be impacted by the changes to the architecture governance framework.

    A comprehensive communication plan was developed that leveraged traditional email blasts, town hall meetings, and non-traditional methods such as team blogs.

    The team executed the communication plan and was able to manage the change effectively.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    Key Activities

    • List the changes identified in the EA governance initiative.
    • Identify stakeholders.
    • Create a communication plan.
    • Compile the materials created in the blueprint to better communicate the value of EA governance.

    Outcomes

    • Communication plan
    • EA governance framework

    Bibliography

    Government of British Columbia. “Architecture and Standards Review Board.” Government of British Columbia. 2015. Web. Jan 2016. < http://www.cio.gov.bc.ca/cio/standards/asrb.page >

    Hopkins, Brian. “The Essential EA Toolkit Part 3 – An Architecture Governance Process.” Cio.com. Oct 2010. Web. April 2016. < http://www.cio.com/article/2372450/enterprise-architecture/the-essential-ea-toolkit-part-3---an-architecture-governance-process.html >

    Kantor, Bill. “How to Design a Successful RACI Project Plan.” CIO.com. May 2012. Web. Jan 2016. < http://www.cio.com/article/2395825/project-management/how-to-design-a-successful-raci-project-plan.html >

    Sapient. “MIT Enterprise Architecture Guide.” Sapient. Sep 2004. Web. Jan 2016. < http://web.mit.edu/itag/eag/FullEnterpriseArchitectureGuide0.1.pdf >

    TOGAF. “Chapter 41: Architecture Repository.” The Open Group. 2011. Web. Jan 2016. < http://pubs.opengroup.org/architecture/togaf9-doc/arch/chap41.html >

    TOGAF. “Chapter 48: Architecture Compliance.” The Open Group. 2011. Web. Jan 2016. < http://pubs.opengroup.org/architecture/togaf9-doc/arch/chap48.html >

    TOGAF. “Version 9.1.” The Open Group. 2011. Web. Jan 2016. http://pubs.opengroup.org/architecture/togaf9-doc/arch/

    United States Secret Service. “Enterprise Architecture Review Board.” United States Secret Service. Web. Jan 2016. < http://www.archives.gov/records-mgmt/toolkit/pdf/ID191.pdf >

    Virginia Information Technologies Agency. “Enterprise Architecture Policy.” Commonwealth of Virginia. Jul 2006. Web. Jan 2016. < https://www.vita.virginia.gov/uploadedfiles/vita_main_public/library/eapolicy200-00.pdf >

    Research contributors and experts

    Alan Mitchell, Senior Manager, Global Cities Centre of Excellence, KPMG

    Alan Mitchell has held numerous consulting positions before his role in Global Cities Centre of Excellence for KPMG. As a Consultant, he has had over 10 years of experience working with enterprise architecture related engagements. Further, he worked extensively with the public sector and prides himself on his knowledge of governance and how governance can generate value for an organization.

    Ian Gilmour, Associate Partner, EA advisory services, KPMG

    Ian Gilmour is the global lead for KPMG’s enterprise architecture method and Chief Architect for the KPMG Enterprise Reference Architecture for Health and Human Services. He has over 20 years of business design experience using enterprise architecture techniques. The key service areas that Ian focuses on are business architecture, IT-enabled business transformation, application portfolio rationalization, and the development of an enterprise architecture capability within client organizations.

    Djamel Djemaoun Hamidson, Senior Enterprise Architect, CBC/Radio-Canada

    Djamel Djemaoun is the Senior Enterprise Architect for CBC/Radio-Canada. He has over 15 years of Enterprise Architecture experience. Djamel’s areas of special include service-oriented architecture, enterprise architecture integration, business process management, business analytics, data modeling and analysis, and security and risk management.

    Sterling Bjorndahl, Director of Operations, eHealth Saskatchewan

    Sterling Bjorndahl is now the Action CIO for the Sun Country Regional Health Authority, and also assisting eHealth Saskatchewan grow its customer relationship management program. Sterling’s areas of expertise include IT strategy, enterprise architecture, ITIL, and business process management. He serves as the Chair on the Board of Directors for Gardiner Park Child Care.

    Huw Morgan, IT Research Executive, Enterprise Architect

    Huw Morgan has 10+ years experience as a Vice President or Chief Technology Officer in Canadian internet companies. As well, he possesses 20+ years experience in general IT management. Huw’s areas of expertise include enterprise architecture, integration, e-commerce, and business intelligence.

    Serge Parisien, Manager, Enterprise Architecture at Canada Mortgage Housing Corporation

    Serge Parisien is a seasoned IT leader with over 25 years of experience in the field of information technology governance and systems development in both the private and public sectors. His areas of expertise include enterprise architecture, strategy, and project management.

    Alex Coleman, Chief Information Officer at Saskatchewan Workers’ Compensation Board

    Alex Coleman is a strategic, innovative, and results-driven business leader with a proven track record of 20+ years’ experience planning, developing, and implementing global business and technology solutions across multiple industries in the private, public, and not-for-profit sectors. Alex’s expertise includes program management, integration, and project management.

    L.C. (Skip) Lumley , Student of Enterprise and Business Architecture

    Skip Lumley was formerly a Senior Principle at KPMG Canada. He is now post-career and spends his time helping move enterprise business architecture practices forward. His areas of expertise include enterprise architecture program implementation and public sector enterprise architecture business development.

    Additional contributors

    • Tim Gangwish, Enterprise Architect at Elavon
    • Darryl Garmon, Senior Vice President at Elavon
    • Steve Ranaghan, EMEIA business engagement at Fujitsu

    Business Process Controls and Internal Audit

    • Buy Link or Shortcode: {j2store}37|cart{/j2store}
    • Related Products: {j2store}37|crosssells{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Security and Risk
    • Parent Category Link: security-and-risk
    Establish an Effective System of Internal IT Controls to Mitigate Risks.

    Define and Deploy an Enterprise PMO

    • Buy Link or Shortcode: {j2store}189|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: $471,249 Average $ Saved
    • member rating average days saved: 53 Average Days Saved
    • Parent Category Name: Project Management Office
    • Parent Category Link: /project-management-office
    • As an enterprise PMO leader, you need to evolve your PMO framework beyond an IT-centric model of project portfolio management (PPM) to optimize communication and coordination on enterprise-wide initiatives.
    • While senior leaders are demanding greater uniformity in strategic project execution, individual departments currently operate—to the detriment of the organization—as sovereign silos.
    • You know that the answer is a more strategically aligned enterprise PMO framework, but you’re unsure of how to start building the case for one, especially when the majority of upper management view PMOs as support entities rather than strategic partners.

    Our Advice

    Critical Insight

    • An EPMO can’t simply be imposed on an organization. If it is not backed by an executive sponsor, then there needs to be an identifiable business value in implementing one, and you need to communicate this value to stakeholders throughout the enterprise.
    • EPMOs add value not by enforcing project or program governance, but by helping organizations achieve strategic goals and manage change.
    • EPMOs enable organizations to succeed on enterprise-wide initiatives by connecting the individual parts to the whole. They should serve as the coordinating mechanism that ensures the flow of information and resources across departments and programs.

    Impact and Result

    • Find the right balance between a command and control approach that dictates governance standards versus an approach that gives business units flexibility to manage projects, programs, and portfolios the way they see fit, as long as they meet certain reporting, process, and record keeping requirements.
    • Effectively define the EPMO’s role, reach, and authority in terms of Portfolio Governance, Project Leadership, and PPM Administration. An organizationally appropriate mix of these three practices will not only ensure stakeholder buy-in, but it will help foster the right conditions for EPMO success.
    • Build strong cross-departmental relationships upon soft or informal grounds by positioning your EPMO as your organization’s portfolio network, i.e. an enterprise hub that facilitates the flow of reliable information and enables timely responsiveness to change.

    Define and Deploy an Enterprise PMO Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out how implementing an EPMO could help your organization achieve business goals, review Info-Tech’s methodology, and discover the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Gather requirements

    Evaluate executive stakeholder needs and assess your current capabilities to ensure your implementation strategy sets realistic expectations.

    • Define and Deploy an Enterprise PMO – Phase 1: Gather Requirements
    • EPMO Capabilities Survey

    2. Define the plan

    Define an organizationally appropriate scope and mandate for your EPMO to ensure that your processes serve the needs of the whole.

    • Define and Deploy an Enterprise PMO – Phase 2: Define the Plan
    • EPMO Charter Template
    • EPMO Communication Planning Template

    3. Implement the plan

    Establish clearly defined and easy-to-follow EPMO processes that minimize project complexity and improve enterprise project results.

    • Define and Deploy an Enterprise PMO – Phase 3: Implement the Plan
    • EPMO Process Guide and SOP Template
    • EPMO Communications Template
    [infographic]

    Workshop: Define and Deploy an Enterprise PMO

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Gather Requirements

    The Purpose

    Identify breakdowns in the flow of portfolio data across the enterprise to pinpoint where and how an EPMO can best intervene.

    Assess areas of strength and opportunity in your PPM capabilities to help structure and drive the EPMO.

    Define stakeholder needs and expectations for the EPMO in order to cultivate capabilities and services that help drive informed and engaged project decisions at the executive level.

    Key Benefits Achieved

    A current state picture of the triggers that are driving the need for an EPMO at your organization.

    A current state understanding of the strengths you bring to the table in constructing an EPMO as well as the areas you need to focus on in building up your capabilities.

    A target state set by stakeholder requirements and expectations, which will enable you to build out an implementation strategy that is aligned with the needs of the executive layer.

    Activities

    1.1 Map current enterprise PPM workflows.

    1.2 Conduct a SWOT analysis.

    1.3 Identify resourcing considerations and other implementation factors.

    1.4 Survey stakeholders to establish the right mix of EPMO capabilities.

    Outputs

    An overview of the flow of portfolio data and information across the organization

    An overview of current strengths, weaknesses, opportunities, and threats

    A preliminary assessment of internal and external factors that could impact the success of this implementation

    The ability to construct a project plan that is aligned with stakeholder needs and expectations

    2 Define the Plan

    The Purpose

    Define an appropriate scope for the EPMO and the deployment it services.

    Devise a plan for engaging and including the appropriate stakeholders during the implementation phase.

    Key Benefits Achieved

    A clear purview for the EPMO in relation to the wider enterprise in order to establish appropriate expectations for the EPMO’s services throughout the organization.

    Engaged stakeholders who understand that they have a stake in the successful implementation of the EPMO.

    Activities

    2.1 Prepare your EPMO value proposition.

    2.2 Define the role and organizational reach of your EPPM capabilities.

    2.3 Establish a communication plan to create stakeholder awareness.

    Outputs

    A clear statement of purpose and benefit that can be used to help build the case for an EPMO with stakeholders

    A functional charter defining the scope of the EPMO and providing a statement of the services the EPMO will provide once established

    An engaged executive layer that understands the value of the EPMO and helps drive its success

    3 Implement the Plan

    The Purpose

    Establish clearly defined and easy-to-follow EPMO processes that minimize project complexity.

    Develop portfolio and project governance structures that feed the EPMO with the data decision makers require without overloading enterprise project teams with processes they can’t support.

    Devise a communications strategy that helps achieve organizational buy-in.

    Key Benefits Achieved

    The reduction of project chaos and confusion throughout the organization.

    Processes and governance requirements that work for both decision makers and project teams.

    Organizational understanding of the universal benefit of the EPMO’s processes to stakeholders throughout the enterprise. 

    Activities

    3.1 Establish EPMO roles and responsibilities.

    3.2 Document standard procedures around enterprise portfolio reporting, PPM administration, and project leadership.

    3.3 Review enterprise PPM solutions.

    3.4 Develop a stakeholder engagement and resistance plan.

    Outputs

    Clear lines of portfolio accountability

    A fully actionable EPMO Standard Operating Procedure document that will enable process clarity

    An informed understanding of the right PPM solution for your enterprise processes

    A communications strategy document to help communicate the organizational benefits of the EPMO

    Streamline Your Workforce During a Pandemic

    • Buy Link or Shortcode: {j2store}515|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Lead
    • Parent Category Link: /lead

    Reduced infection rates in compromised areas are providing hope that these difficult times will pass. However, organizations are facing harsh realities in real time. With significant reductions in revenue, employers are facing pressure to quickly implement cost-cutting strategies, resulting in mass layoffs of valuable employees.

    Our Advice

    Critical Insight

    Employees are an organization’s greatest asset. When faced with cost-cutting pressures, look for redeployment opportunities that use talent as a resource to get through hard times before resorting to difficult layoff decisions.

    Impact and Result

    Make the most of your workforce in this unprecedented situation by following McLean & Company’s process to initiate redeployment efforts and reduce costs. If all else fails, follow our guidance on planning for layoffs and considerations when doing so.

    Streamline Your Workforce During a Pandemic Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Meet with leadership

    Set a strategy with senior leadership, brainstorm underused and understaffed employee segments and departments, then determine an approach to redeployments and layoffs.

    • Streamline Your Workforce During a Pandemic Storyboard
    • Redeployment and Layoff Strategy Workbook

    2. Plan individual and department redeployment

    Collect key information, prepare and redeploy, and roll up information across the organization.

    • Short-Term Survival Segment Evaluation Tool
    • Skills Inventory for Redeployment Tool
    • Redeployment Action and Communication Plan
    • Crisis Communication Guide for HR
    • Crisis Communication Guide for Leaders
    • Leadership Crisis Communication Guide Template
    • 3i's of Engaging Management – Manager Guide
    • Feedback and Coaching Guide for Managers
    • Redeployment Communication Roll-up Template

    3. Plan individual and department layoffs

    Plan for layoffs, execute on the layoff plan, and communicate to employees.

    • Employee Departure Checklist Tool
    • 10 Communication Best Practices in the Face of Crisis
    • Termination Logistics Tool
    • Termination Costing Tool
    • COVID-19: Employee-Facing Frequently Asked Questions Template
    • COVID-19: Employee-Facing Frequently Asked Questions
    • Standard Internal Communications Plan

    4. Monitor and manage departmental effectiveness

    Monitor departmental performance, review organizational performance, and determine next steps.

    • HR Metrics Library
    • Standard HR Scorecard
    [infographic]

    Adopt an Exponential IT Mindset

    • Buy Link or Shortcode: {j2store}103|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation

    New technologies such as generative AI, quantum computing, 5G cellular networks, and next-generation robotics are ushering in an exciting new era of business transformation. By adopting an exponential IT mindset, IT leaders will be able to lead the autonomization of business capabilities.

    To capitalize on this upcoming opportunity, exponential IT leaders will have to become business advisors who unlock exponential value for the business and help mitigate exponential risk.

    Adopt a renewed focus on business outcomes to achieve autonomization

    An exponential IT mindset means that IT leaders will need to take a lead role in transforming business capabilities.

    • Embrace an expanded role as business advisors: CIOs will be tasked with greater responsibility for determining business strategy alongside the C-suite.
    • Know the rewards and mitigate the risks: New value chain opportunities and efficiency gains will create significant ROI. Protect these returns by mitigating higher risks to business continuity, information security, and delivery performance.
    • Plan to fully leverage technologies such as AI: It will be integral for IT to enable autonomous technologies in this new era of exponential technology progress.

    Adopt an Exponential IT Mindset Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Adopt an Exponential IT Mindset Deck – An introduction to IT’s role in the autonomization era

    The role of IT has evolved throughout the past couple generations to enable fundamental business transformations. In the autonomization era, it will have to evolve again to lead the business through a world of exponential opportunity.

    • Adopt an Exponential IT Mindset Storyboard

    Infographic

    Further reading

    Adopt an Exponential IT Mindset

    Thrive through the next paradigm shift

    Executive Summary

    For more than 40 years, information technology has significantly transformed businesses, from the computerization of operations to the digital transformation of business models. As technological disruption accelerates exponentially, a world of exponential business opportunity is within reach.

    Newly emerging technologies such as generative AI, quantum computing, 5G cellular networks, and next-generation robotics are enabling autonomous business capabilities.

    The role of IT has evolved throughout the past couple generations to enable business transformations. In the autonomization era, it will have to evolve again. IT will have a new mission, an adapted governance structure, innovative capabilities, and an advanced partnership model.

    CIOs embracing exponential IT require a new mindset. Their IT practices will need to progress to the top of the maturity ladder as they make business outcomes their own.

    Over the past two generations, we have witnessed major technology-driven business transformations

    1980s

    Computerization

    The use of computer devices, networks, and applications became widespread in the enterprise. The focus was on improving the efficiency of back-office tasks.

    2000s

    Digitalization

    As the world became connected through the internet, new digitally enabled business models emerged in the enterprise. Orders were now being received online, and many products and services were partially or fully digitized for online fulfillment.

    Recent pandemic measures contributed to a marked acceleration in the digitalization of organizations

    The massive disruption resulting from pandemic measures led businesses to shift to more digital interactions with customers.

    The global average share of customer interactions that are digital went from 36% in December 2019 to 58% in July 2020.

    The global average share of customer interactions that are digital went from 36% to 58% in less than a year.*

    Moreover, companies across business areas have accelerated the digitization of their offerings.

    The global average share of partially or fully digitized products went from 35% in 2019 to 55% in July 2020.

    The global average share of partially or fully digitized products went from 35% to 55% in the same period.*

    The adoption of digitalized business models has accelerated during the pandemic. Post-pandemic, it is unlikely for adoption to recede.

    With more business applications ported to the cloud and more data available online, “digital-first” organizations started to envisage a next wave of automation.

    *Source: “How COVID-19 has pushed companies over the technology tipping point—and transformed business forever,” McKinsey & Company, 2020

    A majority of IT leaders plan to use artificial intelligence within their organizations in 2023

    In August 2022, Info-Tech surveyed 506 IT leaders and asked which tasks would involve AI in their organizations in 2023.

    Graph showing tasks that would involve AI in organizations in 2023.

    We found that 63% of IT leaders plan to use AI within their organizations to automate repetitive, low-level tasks by the end of 2023.

    With the release of the ChatGPT prototype in November 2022, setting a record for the fastest user growth (reaching 100 million active users just two months after launch), we foresee that AI adoption will accelerate significantly and its use will extend to more complex tasks.

    Newly emerging technologies and business realities are ushering in the next business transformation

    1980s

    Computerization

    2000s

    Digitalization

    2020s

    Autonomization

    As digitalization accelerates, a post-pandemic world with a largely online workforce and digitally transformed enterprise business models now enters an era where more business capabilities become autonomous, with humans at the center of a loop* that is gradually becoming larger.

    Deep Learning, Quantum Computing, 5G Networks, Robotics

    * Download Info-Tech’s CIO Trend Report 2019 – Become a Leader in the Loop

    The role of IT needs to evolve as it did through the previous two generations

    1980s

    Computerization

    IT professionals gathered functional requirements from the business to help automate back-office tasks and improve operational efficiency.

    2000s

    Digitalization

    IT professionals acquired business analysis skills and leveraged the SMAC (social, mobile, analytics, and cloud) stack to accelerate the automation of the front office and enable the digital transformation of business models.

    2020s

    Autonomization

    IT professionals will become business advisors and enable the establishment of autonomous yet differentiated business processes and capabilities.

    The autonomization era brings enormous opportunity for organizations, coupled with enormous risk

    Graph of Risk Severity versus Value Opportunity. Autonomization has a high value of opportunity and high risk severity.

    While some analysts have been quick to announce the demise of the IT department and the transition of the role of IT to the business, the budgets that CIOs control have continued to rise steadily over time.

    In a high-risk, high-reward endeavor to make business processes autonomous, the role of IT will continue to be pivotal, because while everyone in the organization will rush to seize the value opportunity, the technology risk will be left for IT to manage.

    Exponential IT represents a necessary change in a CIO’s focus to lead through the next paradigm shift

    EXPONENTIAL RISK

    Autonomous processes will integrate with human-led processes, creating risks to business continuity, information security, and quality of delivery. Supplier power will exacerbate business risks.

    EXPONENTIAL REWARD

    The efficiency gains and new value chains created through artificial intelligence, robotics, and additive manufacturing will be very significant. Most of this value will be realized through the augmentation of human labor.

    EXPONENTIAL DEMAND

    Autonomous solutions for productivity and back-office applications will eventually become commoditized and provided by a handful of large vendors. There will, however, be a proliferation of in-house algorithms and workflows to autonomize the middle and front office, offered by a busy landscape of industry-centric capability vendors.

    EXPONENTIAL IT

    Exponential IT involves IT leading the cognitive reengineering of the organization with evolved practices for:

    • IT governance
    • Asset management
    • Vendor management
    • Data management
    • Business continuity management
    • Information security management

    To succeed, IT will have to adopt different priorities in its mission, governance, capabilities, and partnerships

    Digitalization

    A Connected World

    Progressive IT

    • Mission

      Enable the digital transformation of the business
    • Governance

      Service metrics, security perimeters, business intelligence, compliance management
    • Capabilities

      Service management, business analysis, application portfolio management, data management
    • Partnerships

      Management of technology service agreements

    Autonomization

    An Exponential World

    Exponential IT

    • Mission

      Lead the business through autonomization.
    • Governance

      Outcome-based metrics, zero trust, ESG reporting, digital trust
    • Capabilities

      Experience management, business advisory, enterprise innovation, data differentiation
    • Partnerships

      Management of business capability agreements

    Fortune favors the bold: The CIO now has an opportunity to cement their role as business leader

    Levels of digital maturity.  From bottom: Unstable - inability to consistently deliver basic services, Firefighter - Reliable infrastructure and IT service desk, Trusted Operator - Enablement of business through applications and work orders, Business Partner - Effective delivery of strategic business projects, Innovator - Information and technology as a competitive advantage.

    Research has shown that companies that are more digitally mature have higher growth than the industry average. In these companies, the CIO is part of the executive management team.

    And while the role of the CIO is generally tied to their mandate within the organization, we have seen their role progress from doer to leader as IT climbs the maturity ladder.

    As companies strive to succeed in the next phase of technology-driven transformation, CIOs have an opportunity to demonstrate their business leadership. To do so, they will have to provide exceptionally mature services while owning business targets.

    Align Projects With the IT Change Lifecycle

    • Buy Link or Shortcode: {j2store}464|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Operations Management
    • Parent Category Link: /i-and-o-process-management
    • Coordinate IT change and project management to successfully push changes to production.
    • Manage representation of project management within the scope of the change lifecycle to gather requirements, properly approve and implement changes, and resolve incidents that arise from failed implementations.
    • Communicate effectively between change management, project management, and the business.

    Our Advice

    Critical Insight

    Improvement can be incremental. You do not have to adopt every recommended improvement right away. Ensure every process change you make will create value and slowly add improvements to ease buy-in.

    Impact and Result

    • Establish pre-set touchpoints between IT change management and project management at strategic points in the change and project lifecycles.
    • Include appropriate project representation at the change advisory board (CAB).
    • Leverage standard change resources such as the change calendar and request for change form (RFC).

    Align Projects With the IT Change Lifecycle Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Align Projects With the IT Change Lifecycle Deck – A guide to walk through integrating project touchpoints in the IT change management lifecycle.

    Use this storyboard as a guide to align projects with your IT change management lifecycle.

    • Align Projects With the IT Change Lifecycle Storyboard

    2. The Change Management SOP – This template will ensure that organizations have a comprehensive document in place that can act as a point of reference for the program.

    Use this SOP as a template to document and maintain your change management practice.

    • Change Management Standard Operating Procedure
    [infographic]

    Further reading

    Align Projects With the IT Change Lifecycle

    Increase the success of your changes by integrating project touchpoints in the change lifecycle.

    Analyst Perspective

    Focus on frequent and transparent communications between the project team and change management.

    Benedict Chang

    Misalignment between IT change management and project management leads to headaches for both practices. Project managers should aim to be represented in the change advisory board (CAB) to ensure their projects are prioritized and scheduled appropriately. Advanced notice on project progress allows for fewer last-minute accommodations at implementation. Widespread access of the change calendar can also lead project management to effectively schedule projects to give change management advanced notice.

    Moreover, alignment between the two practices at intake allows for requests to be properly sorted, whether they enter change management directly or are governed as a project.

    Lastly, standardizing implementation and post-implementation across everyone involved ensures more successful changes and socialized/documented lessons learned for when implementations do not go well.

    Benedict Chang
    Senior Research Analyst, Infrastructure and Operations
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Common Obstacles

    Info-Tech’s Approach

    To align projects with the change lifecycle, IT leaders must:

    • Coordinate IT change and project management to successfully push changes to production.
    • Manage representation of project management within the scope of the change lifecycle to gather requirements, properly approve and implement changes, and resolve incidents that arise from failed implementations.
    • Communicate effectively between change management, project management, and the business.

    Loose definitions may work for clear-cut examples of changes and projects at intake, but grey-area requests end up falling through the cracks.

    Changes to project scope, when not communicated, often leads to scheduling conflicts at go-live.

    Too few checkpoints between change and project management can lead to conflicts. Too many checkpoints can lead to delays.

    Set up touchpoints between IT change management and project management at strategic points in the change and project lifecycles.

    Include appropriate project representation at the change advisory board (CAB).

    Leverage standard change resources such as the change calendar and request for change form (RFC).

    Info-Tech Insight

    Improvement can be incremental. You do not have to adopt every recommended improvement right away. Ensure every process change you make will create value, and slowly add improvements to ease buy-in.

    Info-Tech’s approach

    Use the change lifecycle to identify touchpoints.

    The image contains a screenshot of Info-Tech's approach.

    The Info-Tech difference:

    1. Start with your change lifecycle to define how change control can align with project management.
    2. Make improvements to project-change alignment to benefit the relationship between the two practices and the practices individually.
    3. Scope the alignment to your organization. Take on the improvements to the left one by one instead of overhauling your current process.

    Use this research to improve your current process

    This deck is intended to align established processes. If you are just starting to build IT change processes, see the related research below.

    Align Projects With the IT Change Lifecycle

    02 Optimize IT Project Intake, Approval, and Prioritization

    01 Optimize IT Change Management

    Increase the success of your changes by integrating project touchpoints in your change lifecycle.

    (You are here)

    Decide which IT projects to approve and when to start them.

    Right-size IT change management to protect the live environment.

    Successful change management will provide benefits to both the business and IT

    Respond to business requests faster while reducing the number of change-related disruptions.

    IT Benefits

    Business Benefits

    • Fewer incidents and outages at project go-live
    • Upfront identification of project and change requirements
    • Higher rate of change and project success
    • Less rework
    • Fewer service desk calls related to failed go-lives
    • Fewer service disruptions
    • Faster response to requests for new and enhanced functionalities
    • Higher rate of benefits realization when changes are implemented
    • Lower cost per change
    • Fewer “surprise” changes disrupting productivity

    IT satisfaction with change management will drive business satisfaction with IT. Once the process is working efficiently, staff will be more motivated to adhere to the process, reducing the number of unauthorized changes. As fewer changes bypass proper evaluation and testing, service disruptions will decrease and business satisfaction will increase.

    Change management improves core benefits to the business: the four Cs

    Most organizations have at least some form of change control in place, but formalizing change management leads to the four Cs of business benefits:

    Control

    Collaboration

    Consistency

    Confidence

    Change management brings daily control over the IT environment, allowing you to review every relatively new change, eliminate changes that would have likely failed, and review all changes to improve the IT environment.

    Change management planning brings increased communication and collaboration across groups by coordinating changes with business activities. The CAB brings a more formalized and centralized communication method for IT.

    Request-for-change templates and a structured process result in implementation, test, and backout plans being more consistent. Implementing processes for pre-approved changes also ensures these frequent changes are executed consistently and efficiently.

    Change management processes will give your organization more confidence through more accurate planning, improved execution of changes, less failure, and more control over the IT environment. This also leads to greater protection against audits.

    1. Alignment at intake

    Define what is a change and what is a project.

    Both changes and projects will end up in change control in the end. Here, we define the intake.

    Changes and projects will both go to change control when ready to go live. However, defining the governance needed at intake is critical.

    A change should be governed by change control from beginning to end. It would typically be less than a week’s worth of work for a SME to build and come in at a nominal cost (e.g. <$20k over operating costs).

    Projects on the other hand, will be governed by project management in terms of scope, scheduling, resourcing, etc. Projects typically take over a week and/or cost more. However, the project, when ready to go live, should still be scheduled through change control to avoid any conflicts at implementation. At triage and intake, a project can be further scoped based on projected scale.

    This initial touchpoint between change control and project management is crucial to ensure tasks and request are executed with the proper governance. To distinguish between changes and projects at intake, list examples of each and determine what resourcing separates changes from projects.

    Need help scoping projects? Download the Project Intake Classification Matrix

    Change

    Project

    • Smaller scale task that typically takes a short time to build and test
    • Generates a single change request
    • Governed by IT Change Management for the entire lifecycle
    • Larger in scope
    • May generate multiple change requests
    • Governed by PMO
    • Longer to build and test

    Info-Tech Insight

    While effort and cost are good indicators of changes and projects, consider evaluating risk and complexity too.

    1 Define what constitutes a change

    1. As a group, brainstorm examples of changes and projects. If you wish, you may choose to also separate out additional request types such as service requests (user), operational tasks (backend), and releases.
    2. Have each participant write the examples on sticky notes and populate the following chart on the whiteboard/flip chart.
    3. Use the examples to draw lines and determine what defines each category.
    • What makes a change distinct from a project?
    • What makes a change distinct from a service request?
    • What makes a change distinct from an operational task?
    • When do the category workflows cross over with other categories? (For example, when does a project interact with change management?
  • Record the definitions of requests and results in section 2.3 of the Change Management Standard Operating Procedure (SOP).
  • Change

    Project

    Service Request (Optional)

    Operational Task (Optional)

    Release (Optional)

    Changing Configuration

    New ERP

    Add new user

    Delete temp files

    Software release

    Download the Change Management Standard Operating Procedure (SOP).

    Input Output
    • List of examples of each category of the chart
    • Definitions for each category to be used at change intake
    Materials Participants
    • Whiteboard/flip charts (or shared screen if working remotely)
    • Service catalog (if applicable)
    • Sticky notes
    • Markers/pens
    • Change Management SOP
    • Change Manager
    • Project Managers
    • Members of the Change Advisory Board

    2. Alignment at build and test

    Keep communications open by pre-defining and communicating project milestones.

    CAB touchpoints

    Consistently communicate the plan and timeline for hitting these milestones so CAB can prioritize and plan changes around it. This will give change control advanced notice of altered timelines.

    RFCs

    Projects may have multiple associated RFCs. Keeping CAB appraised of the project RFC or RFCs gives them the ability to further plan changes.

    Change Calendar

    Query and fill the change calendar with project timelines and milestones to compliment the CAB touchpoints.

    Leverage the RFC to record and communicate project details

    The request for change (RFC) form does not have to be a burden to fill out. If designed with value in mind, it can be leveraged to set standards on all changes (from projects and otherwise).

    When looking at the RFC during the Build and Test phase of a project, prioritize the following fields to ensure the implementation will be successful from a technical and user-adoption point of view.

    Filling these fields of the RFC and communicating them to the CAB at go-live approval gives the approvers confidence that the project will be implemented successfully and measures are known for when that implementation is not successful.

    Download the Request for Change Form Template

    Communication Plan

    The project may be successful from a technical point of view, but if users do not know about go-live or how to interact with the project, it will ultimately fail.

    Training Plan

    If necessary, think of how to train different stakeholders on the project go-live. This includes training for end users interacting with the project and technicians supporting the project.

    Implementation Plan

    Write the implementation plan at a high enough level that gives the CAB confidence that the implementation team knows the steps well.

    Rollback Plan

    Having a well-formulated rollback plan gives the CAB the confidence that the impact of the project is well known and the impact to the business is limited even if the implementation does not go well.

    Provide clear definitions of what goes on the change calendar and who’s responsible

    Inputs

    • Freeze periods for individual business departments/applications (e.g. finance month-end periods, HR payroll cycle, etc. – all to be investigated)
    • Maintenance windows and planned outage periods
    • Project schedules, and upcoming major/medium changes
    • Holidays
    • Business hours (some departments work 9-5, others work different hours or in different time zones, and user acceptance testing may require business users to be available)

    Guidelines

    • Business-defined freeze periods are the top priority.
    • No major or medium normal changes should occur during the week between Christmas and New Year’s Day.
    • Vendor SLA support hours are the preferred time for implementing changes.
    • The vacation calendar for IT will be considered for major changes.
    • Change priority: High > Medium > Low.
    • Minor changes and preapproved changes have the same priority and will be decided on a case-by-case basis.

    Roles

    • The Change Manager will be responsible for creating and maintaining a change calendar.
    • Only the Change Manager can physically alter the calendar by adding a new change after the CAB has agreed upon a deployment date.
    • All other CAB members, IT support staff, and other impacted stakeholders should have access to the calendar on a read-only basis to prevent people from making unauthorized changes to deployment dates.

    Info-Tech Insight

    Make the calendar visible to as many parties as necessary. However, limit the number of personnel who can make active changes to the calendar to limit calendar conflicts.

    3. Alignment at approval

    How can project management effectively contribute to CAB?

    As optional CAB members

    Project SMEs may attend when projects are ready to go live and when invited by the change manager. Optional members provide details on change cross-dependencies, high-level testing, rollback, communication plans, etc. to inform prioritization and scheduling decisions.

    As project management representatives

    Project management should also attend CAB meetings to report in on changes to ongoing projects, implementation timelines, and project milestones. Projects are typically high-priority changes when going live due to their impact. Advanced notice of timeline and milestone changes allow the rest of the CAB to properly manage other changes going into production.

    As core CAB members

    The core responsibilities of CAB must still be fulfilled:

    1. Protect the live environment from poorly assessed, tested, and implemented changes.

    2. Prioritize changes in a way that fairly reflects change impact, urgency, and likelihood.

    3. Schedule deployments in a way the minimizes conflict and disruption.

    If you need to define the authority and responsibilities of the CAB, see Activity 2.1.3 of the Optimize IT Change Management blueprint.

    4. Alignment at implementation

    At this stage, the project or project phase is treated as any other change.

    Verification

    Once the change has been implemented, verify that all requirements are fulfilled.

    Review

    Ensure all affected systems and applications are operating as predicted.

    Update change ticket and change log

    Update RFC status and CMDB as well (if necessary).

    Transition

    Once the change implementation is complete, it’s imperative that the team involved inform and train the operational and support groups.

    If you need to define transitioning changes to production, download Transition Projects to the Service Desk

    5. Alignment at post-implementation

    Tackle the most neglected portion of change management to avoid making the same mistake twice.

    1. Define RFC statuses that need a PIR
    2. Conduct PIRs for failed changes. Successful changes can simply be noted and transitioned to operations.

    3. Conduct a PIR for every failed change
    4. It’s best to perform a PIR once a change-related incident is resolved.

    5. Avoid making the same mistake twice
    6. Include a root-cause analysis, mitigation actions/timeline, and lessons learned in the documentation.

    7. Report to CAB
    8. Socialize the findings of the PIR at the subsequent CAB meeting.

    9. Circle back on previous PIRs
    10. If a similar change is conducted, append the related PIR to avoid the same mistakes.

    Info-Tech Insight

    Include your PIR documentation right in the RFC for easy reference.

    Download the RFC template for more details on post-implementation reviews

    2 Implement your alignments stepwise

    1. As a group, decide on which implementations you need to make to align change management and project management.
    2. For each improvement, list a timeline for implementation.
    3. Update section 3.5 in the Change Management Standard Operating Procedure (SOP). to outline the responsibilities of project management within IT Change Management.

    The image contains a screenshot of the Change Management SOP

    Download the Change Management Standard Operating Procedure (SOP).

    Input Output
    • This deck
    • SOP update
    Materials Participants
    • Whiteboard/flip charts (or shared screen if working remotely)
    • Service catalog (if applicable)
    • Sticky notes
    • Markers/pens
    • Change Management SOP
    • Change Manager
    • Project Managers
    • Members of the Change Advisory Board

    Related Info-Tech Research

    Optimize IT Change Management

    Right-size IT change management to protect the live environment.

    Optimize IT Project Intake, Approval, and Prioritization

    Decide which IT projects to approve and when to start them.

    Maintain an Organized Portfolio

    Align portfolio management practices with COBIT (APO05: Manage Portfolio).

    Harness Configuration Management Superpowers

    • Buy Link or Shortcode: {j2store}303|cart{/j2store}
    • member rating overall impact: 8.5/10 Overall Impact
    • member rating average dollars saved: $12,999 Average $ Saved
    • member rating average days saved: 10 Average Days Saved
    • Parent Category Name: Asset Management
    • Parent Category Link: /asset-management
    • Configuration management databases (CMDB) are a lot of work to build and maintain. Starting down this process without the right tools, processes, and buy-in is a lot of work with very little reward.
    • If you decide to just build it and expect they will come, you may find it difficult to articulate the value, and you will be disappointed by the lack of visitors.
    • Relying on manual entry or automated data collection without governance may result in data you can’t trust, and if no one trusts the data, they won’t use it.

    Our Advice

    Critical Insight

    • The right mindset is just as important as the right tools. By involving everyone early, you can ensure the right data is captured and validated and you can make maintenance part of the culture. This is critical to reaching early and continual value with a CMDB.

    Impact and Result

    • Define your use cases: Identify the use cases and prioritize those objectives into phases. Define what information will be needed to meet the use cases and how that information will be populated.
    • Understand and design the CMDB data model: Define services and undiscoverable configuration items (CI) and map them to the discoverable CIs.
    • Operationalize configuration record updates: Define data stewards and governance processes and integrate your configuration management practice with existing practices and lifecycles.

    Harness Configuration Management Superpowers Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Harness Configuration Management Superpowers Deck – A step-by-step document that walks you through creating a configuration management program.

    Use this blueprint to create a configuration management program that provides immediate value.

    • Harness Configuration Management Superpowers – Phases 1-4

    2. Configuration Management Project Charter Template – A project charter template to help you build a concise document for communicating appropriate project details to stakeholders.

    Use this template to create a project charter to launch the configuration management project.

    • Configuration Management Project Charter

    3. Configuration Control Board Charter Template – A board charter template to help you define the roles and responsibilities of the configuration control board.

    Use this template to create your board charter for your configuration control board (CCB). Define roles and responsibilities and mandates for the CCB.

    • Configuration Control Board Charter

    4. Configuration Management Standard Operating Procedures (SOP) Template – An SOP template to describe processes and procedures for ongoing maintenance of the CMDB under the configuration management program.

    Use this template to create and communicate your SOP to ensure ongoing maintenance of the CMDB under the configuration management program.

    • Configuration Management Standard Operation Procedures

    5. Configuration Management Audit and Validation Checklist Template – A template to be used as a starting point to meet audit requirements under NIST and ITIL programs.

    Use this template to assess capability to pass audits, adding to the template as needed to meet internal auditors’ requirements.

    • Configuration Management Audit and Validation Checklist

    6. Configuration Management Policy Template – A template to be used for building out a policy for governance over the configuration management program.

    Use this template to build a policy for your configuration management program.

    • Configuration Management Policy

    7. Use Cases and Data Worksheet – A template to be used for validating data requirements as you work through use cases.

    Use this template to determine data requirements to meet use cases.

    • Use Cases and Data Worksheet

    8. Configuration Management Diagram Template Library – Examples of process workflows and data modeling.

    Use this library to view sample workflows and a data model for the configuration management program.

    • Configuration Management Diagram Template Library (Visio)
    • Configuration Management Diagram Template Library (PDF)

    9. Configuration Manager Job Description – Roles and responsibilities for the job of Configuration Manager.

    Use this template as a starting point to create a job posting, identifying daily activities, responsibilities, and required skills as you create or expand your configuration management program.

    • Configuration Manager

    Infographic

    Workshop: Harness Configuration Management Superpowers

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Configuration Management Strategy

    The Purpose

    Define the scope of your service configuration management project.

    Design the program to meet specific stakeholders needs

    Identify project and operational roles and responsibilities.

    Key Benefits Achieved

    Designed a sustainable approach to building a CMDB.

    Activities

    1.1 Introduction

    1.2 Define challenges and goals.

    1.3 Define and prioritize use cases.

    1.4 Identify data needs to meet these goals.

    1.5 Define roles and responsibilities.

    Outputs

    Data and reporting use cases based on stakeholder requirements

    Roles and responsibility matrix

    2 CMDB Data Structure

    The Purpose

    Build a data model around the desired use cases.

    Identify the data sources for populating the CMDB.

    Key Benefits Achieved

    Identified which CIs and relationships will be captured in the CMDB.

    Activities

    2.1 Define and prioritize your services.

    2.2 Evaluate CMDB default classifications.

    2.3 Test configuration items against existing categories.

    2.4 Build a data model diagram.

    Outputs

    List of CI types and relationships to be added to default settings

    CMDB data model diagram

    3 Processes

    The Purpose

    Key Benefits Achieved

    Built a right-sized approach to configuration record updates and data validation.

    Activities

    3.1 Define processes for onboarding, offboarding, and maintaining data in the CMDB.

    3.2 Define practices for configuration baselines.

    3.3 Build a data validation and auditing plan.

    Outputs

    Documented processes and workflows

    Data validation and auditing plan

    4 Communications & Roadmap

    The Purpose

    Key Benefits Achieved

    Metrics program defined

    Communications designed

    Activities

    4.1 Define key metrics for configuration management.

    4.2 Define metrics for supporting services.

    4.3 Build configuration management policies.

    4.4 Create a communications plan.

    4.5 Build a roadmap

    Outputs

    Policy for configuration management

    Communications documents

    Roadmap for next steps

    Further reading

    Harness Configuration Management Superpowers

    Create a configuration management practice that will provide ongoing value to the organization.

    EXECUTIVE BRIEF

    Analyst Perspective

    A robust configuration management database (CMDB) can provide value to the business and superpowers to IT. It's time to invest smartly to reap the rewards.

    IT environments are becoming more and more complex, and balancing demands for stability and demands for faster change requires visibility to make the right decisions. IT needs to know their environment intimately. They need to understand dependencies and integrations and feel confident they are making decisions with the most current and accurate view.

    Solutions for managing operations rely on the CMDB to bring visibility to issues, calculate impact, and use predictive analytics to fix performance issues before they become major incidents. AIOps solutions need accurate data, but they can also help identify configuration drift and flag changes or anomalies that need investigation.

    The days of relying entirely on manual entry and updates are all but gone, as the functionality of a robust configuration management system requires daily updates to provide value. We used to rely on that one hero to make sure information was up to date, but with the volume of changes we see in most environments today, it's time to improve the process and provide superpowers to the entire IT department.

    This is a picture of Sandi Conrad

    Sandi Conrad, ITIL Managing Professional
    Principal Research Director, IT Infrastructure & Operations, Info-Tech Research Group

    Executive Summary

    Your Challenge

    • Build a configuration management database (CMDB): You need to implement a CMDB, populate it with records and relationships, and integrate it with discovery and management tools.
    • Identify the benefits of a CMDB: Too many CMDB projects fail because IT tries to collect everything. Base your data model on the desired use cases.
    • Define roles and responsibilities: Keeping data accurate and updated is difficult. Identify who will be responsible for helping

    Common Obstacles

    • Significant process maturity is required: Service configuration management (SCM) requires high maturity in change management, IT asset management, and service catalog practices.
    • Large investment: Building a CMDB takes a large amount of effort, process, and expertise.
    • Tough business case: Configuration management doesn't directly provide value to the business, but it requires a lot of investment from IT.

    Info-Tech's Approach

    • Define your scope and objectives: Identify the use cases for SCM and prioritize those objectives into phases.
    • Design the CMDB data model: Align with your existing configuration management system's data model.
    • Operationalize configuration record updates: Integrate your SCM practice with existing practices and lifecycles.

    Start small

    Scope creep is a serial killer of configuration management databases and service configuration management practices.

    Insight summary

    Many vendors are taking a CMDB-first approach to enable IT operations or sometimes asset management. It's important to ensure processes are in place immediately to ensure the data doesn't go stale as additional modules and features are activated.

    Define processes early to ensure success

    The right mindset is just as important as the right tools. By involving everyone early, you can ensure the right data is captured and validated and you can make maintenance part of the culture. This is critical to reaching early and continual value with a CMDB.

    Identify use cases

    The initial use case will be the driving force behind the first assessment of return on investment (ROI). If ROI can be realized early, momentum will increase, and the team can build on the initial successes.

    If you don't see value in the first year, momentum diminishes and it's possible the project will never see value.

    Keep the initial scope small and focused

    Discovery can collect a lot of data quickly, and it's possible to be completely overwhelmed early in the process.

    Build expertise and troubleshoot issues with a smaller scope, then build out the process.

    Minimize customizations

    Most CMDBs have classes and attributes defined as defaults. Use of the defaults will enable easier implementation and faster time to value, especially where automations and integrations depend on standard terms for field mapping.

    Automate as much as possible

    In large, complex environments, the data can quickly become unmanageable. Use automation as much as possible for discovery, dependency mapping, validation, and alerts. Minimize the amount of manual work but ensure everyone is aware of where and how these manual updates need to happen to see continual value.

    Info-Tech's Harness Configuration Management Superpowers.

    Configuration management will improve functionality of all surrounding processes

    A well-functioning CMDB empowers almost all other IT management and governance practices.

    Service configuration management is about:

    • Building a system of record about IT services and the components that support those services.
    • Continuously reconciling and validating information to ensure data accuracy.
    • Ensuring the data lifecycle is defined and well understood and can pass data and process audits.
    • Accessing information in a variety of ways to effectively serve IT and the business.
    An image of Info-Tech's CMDB Configuration Management tree, breaking down aspects into the following six categories: Strategic Partner; Service Provider; Proactive; Stabilize; Core; and Foundational.

    Configuration management most closely impacts these practices

    Info-Tech Research Group sees a clear relationship.

    When an IT department reports they are highly effective at configuration management, they are much more likely to report they are highly effective at these management and governance processes:

    The following management and governance processes are listed: Quality Management; Asset Management; Performance Measurement; Knowledge Management; Release Management; Incident and Problem Management; Service Management; Change Management.

    The data is clear

    Service configuration management is about more than just doing change management more effectively.

    Source: Info-Tech Research Group, IT Management and Governance Diagnostic; N=684 organizations, 2019 to July 2022.

    Make the case to use configuration management to improve IT operations

    Consider the impact of access to data for informing innovations, optimization efforts, and risk assessments.

    75% of Uptime's 2021 survey respondents who had an outage in the past three years said the outage would have been prevented if they'd had better management or processes.(1)

    75%

    75% of Uptime's 2021 survey respondents who had an outage in the past three years said the outage would have been prevented if they'd had better management or processes.(1)

    42%

    of publicly reported outages were due to software or configuration issues. (1)

    58%

    of networking-related IT outages were due to configuration and change management failure.(1)

    It doesn't have to be that way!

    Enterprise-grade IT service management (ITSM) tools require a CMDB for the different modules to work together and to enable IT operations management (ITOM), providing greater visibility.

    Decisions about changes can be made with accurate data, not guesses.

    The CMDB can give the service desk fast access to helpful information about the impacted components, including a history of similar incidents and resolutions and the relationship between the impacted components and other systems and components.

    Turn your team into IT superheroes.

    CMDB data makes it easier for IT Ops groups to:

    • Avoid change collisions.
    • Eliminate poor changes due to lack of visibility into complex systems.
    • Identify problematic equipment.
    • Troubleshoot incidents.
    • Expand the services provided by tier 1 and through automation.

    Benefits of configuration management

    For IT

    • Configuration management will supercharge processes that have relied on inherent knowledge of the IT environment to make decisions.
    • IT will more quickly analyze and understand issues and will be positioned to improve and automate issue identification and resolution.
    • Increase confidence and reduce risks for decisions involving release and change management with access to accurate data, regardless of the complexity of the environment.
    • Reduce or eliminate unplanned work related to poor outcomes due to decisions made with incorrect or incomplete data.

    For the Business

    • Improve strategic planning for business initiatives involving IT solutions, which may include integrations, development, or security concerns.
    • More quickly deploy new solutions or updates due to visibility into complex environments.
    • Enable business outcomes with reliable and stable IT systems.
    • Reduce disruptions caused by planning without accurate data and improve resolution times for service interruptions.
    • Improve access to reporting for budgeting, showbacks, and chargebacks as well as performance metrics.

    Measure the value of this blueprint

    Fast-track your planning and increase the success of a configuration management program with this blueprint

    Workshop feedback
    8.1/10

    $174,000 savings

    30 average days saved

    Guided Implementation feedback

    8.7/10

    $31,496 average savings

    41 average days saved

    "The workshop was well run, with good facilitation, and gained participation from even the most difficult parts of the audience. The best part of the experience was that if I were to find myself in the same position in the future, I would repeat the workshop."

    – University of Exeter

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1 Phase 2 Phase 3 Phase 4

    Call #1: Scope requirements, objectives, and your specific challenges.

    Call #2: Prioritize services and use cases.

    Call #3: Identify data needed to meet goals.

    Call #4: Define roles and responsibilities.

    Call #5: Define and prioritize your services.

    Call #6: Evaluate and test CMDB default classifications.

    Call #7: Build a data model diagram.

    Call #8: Define processes for onboarding, offboarding, and maintaining data.

    Call #9: Discuss configuration baselines.

    Call #10: Build a data validation and audit plan.

    Call #11: Define key metrics.

    Call #12: Build a configuration management policy and communications plan.

    Call #13: Build a roadmap.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between 8 to 12 calls over the course of 4 to 9 months.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Day 1 Day 2 Day 3 Day 4

    Configuration Management Strategy

    CMDB Data Structure

    Process Design

    Communications & Roadmap

    Activities
    • Introduction
    • Define challenges and goals.
    • Define and prioritize use cases.
    • Identify data needed to meet goals.
    • Define roles and responsibilities.
    • Define and prioritize your services.
    • Evaluate CMDB default classifications.
    • Test configuration items against existing categories.
    • Build a data model diagram.
    • Define processes for onboarding, offboarding, and maintaining data in the CMDB.
    • Define practices for configuration baselines.
    • Build a data validation and auditing plan.
    • Define key metrics for configuration management.
    • Define metrics for supporting services.
    • Build configuration management policies.
    • Create a communications plan.
    • Build a roadmap.

    Deliverables

    • Roles and responsibility matrix
    • Data and reporting use cases based on stakeholder requirements
    • List of CI types and relationships to be added to default settings
    • CMDB data model diagram
    • Documented processes and workflows
    • Data validation and auditing plan
    • Policy for configuration management
    • Roadmap for next steps
    • Communications documents

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Configuration Management Project Charter

    Detail your approach to building an SCM practice and a CMDB.

    Screenshot from the Configuration Management Project Charter

    Use Cases and Data Worksheet

    Capture the action items related to your SCM implementation project.

    Screenshot from the Use Cases and Data Worksheet

    Configuration Manager Job Description

    Use our template for a job posting or internal job description.

    Screenshot from the Configuration Manager Job Description

    Configuration Management Diagram Template Library

    Use these diagrams to simplify building your SOP.

    Screenshot from the Configuration Management Diagram Template Library

    Configuration Management Policy

    Set expectations for configuration control.

    screenshot from the Configuration Management Policy

    Configuration Management Audit and Validation Checklist

    Use this framework to validate controls.

    Screenshot from the Configuration Management Audit and Validation Checklist

    Configuration Control Board Charter

    Define the board's responsibilities and meeting protocols.

    Screenshot from the Configuration Management Audit and Validation Checklist

    Key deliverable:

    Configuration Management Standard Operating Procedures Template

    Outlines SCM roles and responsibilities, the CMDB data model, when records are expected to change, and configuration baselines.

    Four Screenshots from the Configuration Management Standard Operating Procedures Template

    Phase 1

    Configuration Management Strategy

    Strategy Data Structure Processes Roadmap
    • Challenges and Goals
    • Use Cases and Data
    • Roles and Responsibilities
    • Services
    • Classifications
    • Data Modeling
    • Lifecycle Processes
    • Baselines
    • Audit and Data Validation
    • Metrics
    • Communications Plan
    • Roadmap

    This phase will walk you through the following aspects of a configuration management system:

    • Scope
    • Use Cases
    • Reports and Analytics

    This phase involves the following participants:

    • IT and business service owners
    • Business/customer relationship managers
    • Enterprise architects
    • Practice owners and managers
    • SCM practice manager
    • SCM project manager
    • SCM project sponsor

    Harness Service Configuration Management Superpowers

    Establish clear definitions

    Ensure everyone is using the same terms.

    Term Definition
    Configuration Management

    The purpose of configuration management is to:

    • "Ensure that accurate and reliable information about the configuration of services, and the CIs that support them, is available when and where it is needed. This includes information on how CIs are configured and the relationships between them" (AXELOS).
    • "Provide sufficient information about service assets to enable the service to be effectively managed. Assess the impact of changes and deal with service incidents" (ISACA, 2018).
    Configuration Management System (CMS) A set of tools and databases used to manage, update, and present data about all configuration items and their relationships. A CMS may maintain multiple federated CMDBs and can include one or many discovery and dependency mapping tools.
    Configuration Management Database (CMDB) A repository of configuration records. It can be as simple as a spreadsheet or as complex as an integrated database populated through multiple autodiscovery tools.
    Configuration Record Detailed information about a configuration item.
    Configuration Item (CI)

    "Any component that needs to be managed in order to deliver an IT service" (AXELOS).

    These components can include everything from IT services and software to user devices, IT infrastructure components, and documents (e.g. maintenance agreements).
    Attributes Characteristics of a CI included in the configuration record. Common attributes include name, version, license expiry date, location, supplier, SLA, and owner.
    Relationships Information about the way CIs are linked. A CI can be part of another CI, connect to another CI, or use another CI. A CMDB is significantly more valuable when relationships are recorded. This information allows CMDB users to identify dependencies between components when investigating incidents, performing root-cause analysis, assessing the impact of changes before deployment, and much more.

    What is a configuration management database (CMDB)?

    The CMDB is a system of record of your services and includes a record for everything you need to track to effectively manage your IT services.

    Anything that is tracked in your CMDB is called a configuration item (CI). Examples of CIs include:

    • User-Facing Services
    • IT-Facing Services
    • Business Capabilities
    • Relationships
    • IT Infrastructure Components
    • Enterprise Software
    • End-User Devices
    • Documents

    Other systems of record can refer to CIs, such as:

    • Ticket database: Tickets can refer to which CI is impacted by an incident or provided as part of a service request.
    • Asset management database (AMDB): An IT asset is often also a CI. By associating asset records with CI records, you can leverage your IT asset data in your reporting.
    • Financial systems: If done well, the CMDB can supercharge your IT financial cost model.

    CMDBs can allow you to:

    • Query multiple databases simultaneously (so long as you have the CI name field in each database).
    • Build automated workflows and chatbots that interact with data across multiple databases.
    • More effectively identify the potential impact of changes and releases.

    Do not confuse asset with configuration

    Asset and configuration management look at the same world through different lenses

    • IT asset management (ITAM) tends to focus on each IT asset in its own right: assignment or ownership, lifecycle, and related financial obligations and entitlements.
    • Configuration management is focused on configuration items (CIs) that must be managed to deliver a service and the relationships and integrations with other CIs.
    • ITAM and configuration management teams and practices should work closely together. Though asset and configuration management focus on different outcomes, they may use overlapping tools and data sets. Each practice, when working effectively, can strengthen the other.
    • Many objects will exist in both the CMDB and AMDB, and the data on those shared objects will need to be kept in sync.

    A comparison between Asset and Configuration Management Databases

    *Discovery, dependency mapping, and data normalization are often features or modules of configuration management, asset management, or IT service management tools.

    Start with ITIL 4 guiding principles to make your configuration management project valuable and realistic

    Focus on where CMDB data will provide value and ensure the cost of bringing that data in will be reasonable for its purpose. Your end goal should be not just to build a CMDB but to use a CMDB to manage workload and workflows and manage services appropriately.

    Focus on value

    Include only the relevant information required by stakeholders.

    Start where you are

    Use available sources of information. Avoid adding new sources and tools unless they are justified.

    Progress iteratively with feedback

    Regularly review information use and confirm its relevance, adjusting the CMDB scope if needed.

    Collaborate and promote visibility

    Explain and promote available sources of configuration information and the best ways to use them, then provide hints and tips for more efficient use.

    Think and work holistically

    Consider other sources of data for decision making. Do not try to put everything in the CMDB.

    Keep it simple and practical

    Provide relevant information in the most convenient way; avoid complex interfaces and reports.

    Optimize and automate

    Continually optimize resource-consuming practice activities. Automate CDMB verification, data collection, relationship discovery, and other activities.

    ITIL 4 guiding principles as described by AXELOS

    Step 1.1

    Identify use cases and desired benefits for service configuration management

    Activities

    1.1.1 Brainstorm data collection challenges

    1.1.2 Define goals and how you plan to meet them

    1.1.3 Brainstorm and prioritize use cases

    1.1.4 Identify the data needed to reach your goals

    1.1.5 Record required data sources

    This step will walk you through the following aspects of a configuration management system:

    • Scope
    • Use cases

    This phase involves the following participants:

    • IT and business service owners
    • Business/customer relationship managers
    • Enterprise architects
    • Practice owners and managers
    • SCM practice manager
    • Project sponsor
    • Project manager

    Identify potential obstacles in your organization to building and maintaining a CMDB

    Often, we see multiple unsuccessful attempts to build out a CMDB, with teams eventually losing faith and going back to spreadsheets. These are common obstacles:

    • Significant manual data collection, which is rarely current and fully accurate.
    • Multiple discovery solutions creating duplicate records, with no clear path to deduplicate records.
    • Manual dependency mapping that isn't accurate because it's not regularly assessed and updated.
    • Hybrid cloud and on-premises environment with discovery solutions only partially collecting as the right discovery and dependency mapping solutions aren't in place.
    • Dynamic environments (virtual, cloud, or containers) that may exist for a very short time, but no one knows how they should be managed.
    • Lack of expertise to maintain and update the CMDB or lack of an assigned owner for the CMDB. If no one owns the process and is assigned as a steward of data, it will not be maintained.
    • Database that was designed with other purposes in mind and is heavily customized, making it difficult to use and maintain.

    Understanding the challenges to accessing and maintaining quality data will help define the risks created through lack of quality data.

    This knowledge can drive buy-in to create a configuration management practice that benefits the organization.

    1.1.1 Brainstorm data collection challenges

    Involve stakeholders.
    Allot 45 minutes for this discussion.

    1. As a group, brainstorm the challenges you have with data:
    2. Accuracy and trustworthiness: What challenges do you have with getting accurate data on IT services and systems?
      1. Access: Where do you have challenges with getting data to people when they need it?
      2. Manually created data: Where are you relying on data that could be automatically collected?
      3. Data integration: Where do you have issues with integrating data from multiple sources?
      4. Impact: What is the result of these challenges?
    3. Group together these challenges into similar issues and identify what goals would help overcome them.
    4. Record these challenges in the Configuration Management Project Charter, section 1.2: Project Purpose.

    Download the Configuration Management Project Charter

    Input

    Output

    • None
    • List of high-level desired benefits for SCM
    Materials Participants
    • Whiteboard/flip charts
    • Sticky notes
    • Markers/pens
    • Configuration Management Project Charter
    • IT and business service owners
    • Business/customer relationship managers
    • Practice owners and managers
    • SCM practice manager
    • SCM project sponsor

    Info-Tech Maturity Ladder

    Identify your current and target state

    INNOVATOR

    • Characteristics of business partner
    • Integration with orchestration tools

    BUSINESS PARTNER

    Data collection and validation is fully automated

    Integrated with several IT processes

    Meets the needs of IT and business use cases

    TRUSTED OPERATOR

    • Data collection and validation is partially or fully automated
    • Trust in data accuracy is high, meets the needs of several IT use cases

    FIREFIGHTER

    • Data collection is partially or fully automated, validation is ad hoc
    • Trust in data accuracy is variable, used for decision making

    UNSTABLE

    INNOVATOR

    • Characteristics of business partner
    • Integration with orchestration tools

    BUSINESS PARTNER

    • Data collection and validation is fully automated
    • Integrated with several IT processes
    • Meets the needs of IT and business use cases

    TRUSTED OPERATOR

    • Data collection and validation is partially or fully automated
    • Trust in data accuracy is high, meets the needs of several IT use cases

    FIREFIGHTER

    • Data collection is partially or fully automated, validation is ad hoc
    • Trust in data accuracy is variable, used for decision making

    UNSTABLE

    A tower is depicted, with arrows pointing to Current (orange) and Target(blue)

    Define goals for your CMDB to ensure alignment with all stakeholders

    • How are business or IT goals being hindered by not having the right data available?
    • If the business isn't currently asking for service-based reporting and accountability, start with IT goals. This will help to develop goals that will be most closely aligned to the IT teams' needs and may help incentivize the right behavior in data maintenance.
    • Configuration management succeeds by enabling its stakeholders to achieve their outcomes. Set goals for configuration management based on the most important outcomes expected from this project. Ask your stakeholders:
      1. What are the business' or IT's planned transformational initiatives?
      2. What are your highest priority goals?
      3. What should the priorities of the configuration management practice be?
    • The answers to these questions will shape your approach to configuration management. Direct input from your leadership and executives, or their delegates, will help ensure you're setting a solid foundation for your practice.
    • Identify which obstacles will need to be overcome to meet these goals.

    "[T]he CMDB System should be viewed as a 'system of relevance,' rather than a 'single source of truth.' The burdens of relevance are at once less onerous and far more meaningful in terms of action, analysis, and automation. While 'truth' implies something everlasting or at least stable, relevance suggests a far more dynamic universe."

    – CMDB Systems, Making Change Work in the Age of Cloud and Agile, Drogseth et al

    Identify stakeholders to discuss what they need from a CMDB; business and IT needs will likely differ

    Define your audience to determine who the CMDB will serve and invite them to these conversations. The CMDB can aid the business and IT and can be structured to provide dashboards and reports for both.

    Nondiscoverable configuration items will need to be created for both audiences to organize CIs in a way that makes sense for all uses.

    Integrations with other systems may be required to meet the needs of your audience. Note integrations for future planning.

    Business Services

    Within the data sets, service configuration models can be used for:

    • Impact analysis
    • Cause and effect analysis
    • Risk analysis
    • Cost allocation
    • Availability analysis and planning

    Technical Services

    Connect to IT Finance for:

    • Service-based consumption and costing
    • Financial awareness through showback
    • Financial recovery through chargeback
    • Support IT strategy through financial transparency
    • Cost optimization
    • Reporting for depreciation, location-related taxation, and capitalization (may also use asset management for these)

    Intersect with IT Processes to:

    • Reduce time to restore services through incident management
    • Improve stability through change management
    • Reduce outages through problem management
    • Optimize assets through IT asset management
    • Provide detailed reporting for audit/governance, risk, and compliance

    1.1.2 Define goals and how you plan to meet them

    Involve stakeholders.

    Allot 45 minutes for this discussion.

    As a group, identify current goals for building and using a CMDB.

    Why are we doing this?

    • How do you hope to use the data within the CMDB?
    • What processes will be improved through use of this data and what are the expected outcomes?

    How will we improve the process?

    • What processes will be put in place to ensure data integrity?
    • What tools will be put in place to improve the methods used to collect and maintain data?

    Record these goals in the Configuration Management Project Charter, section 1.3: Project Objectives.

    Input

    Output

    • None
    • List of high-level desired benefits for SCM
    Materials Participants
    • Whiteboard/flip charts
    • Sticky notes
    • Markers/pens
    • Configuration Management Project Charter
    • IT and business service owners
    • Business/customer relationship managers
    • Practice owners and managers
    • SCM practice manager
    • SCM project sponsor

    It's easy to think that if you build it, they will come, but CMDBs rarely succeed without solid use cases

    Set expectations for your organization that defined and fulfilled use cases will factor into prioritization exercises, functional plans, and project milestones to achieve ROI for your efforts.

    A good use case:

    • Justifies resource allocation
    • Gains funding for the right tools
    • Builds stakeholder support
    • Drives interest and excitement
    • Gains support from anyone in a position to help build out and validate the data
    • Helps to define success

    In the book CMDB Systems, Making Change Work in the Age of Cloud and Agile, authors Drogseth, Sturm, and Twing describe the secrets of success:

    A documented evaluation of CMDB System vendors showed that while most "best case" ROI fell between 6 and 9 months for CMDB deployments, one instance delivered ROI for a significant CMDB investment in as little as 2 weeks!

    If there's a simple formula for quick time to value for a CMDB System, it's the following:

    Mature levels of process awareness
    + Strong executive level support
    + A ready and willing team with strongly supportive stakeholders
    + Clearly defined and ready phase one use case
    + Carefully selected, appropriate technologies

    All this = Powerful early-phase CMDB System results

    Define and prioritize use cases for how the CMDB will be used to drive value

    The CMDB can support several use cases and may require integration with various modules within the ITSM solution and integration with other systems.

    Document the use cases that will drive your CMDB to relevance, including the expected benefits for each use case.

    Identify the dependencies that will need to be implemented to be successful.

    Define "done" so that once data is entered, verified, and mapped, these use cases can be realized.

    "Our consulting experience suggests that more than 75% of all strategic initiatives (CMDB or not) fail to meet at least initial expectations across IT organizations. This is often due more to inflated expectations than categorical failure."

    – CMDB Systems, Making Change Work in the Age of Cloud and Agile, Drogseth et al.

    This image demonstrates how CMBD will be used to drive value.

    After identifying use cases, determine the scope of configuration items required to feed the use cases

    On-premises software and equipment will be critical to many use cases as the IT team and partners work on network and data-center equipment, enterprise software, and integrations through various means, including APIs and middleware. Real-time and near real-time data collection and validation will ensure IT can act with confidence.

    Cloud use can include software as a service (SaaS) solutions as well as infrastructure and platform as a service (IaaS and PaaS), and this may be more challenging for data collection. Tools must be capable of connecting to cloud environments and feeding the information back into the CMDB. Where on-premises and cloud applications show dependencies, you might need to validate data if multiple discovery and dependency mapping solutions are used to get a complete picture. Tagging will be crucial to making sense of the data as it comes into the CMDB.

    In-house developed software would be beneficial to have in the CMDB but may require more manual work to identify and classify once discovered. A combination of discovery and tagging may be beneficial to input and classification.

    Highly dynamic environments may require data collection through integration with a variety of solutions to manage and record continuous deployment models and verifications, or they may rely on tags and activity logs to record historical activity. Work with a partner who specializes in CI/CD to help architect this use case.

    Containers will require an assessment of the level of detail required. Determine if the container is a CI and if the content will be described as attributes. If there is value to your use case to map the contents of each container as separate CIs within the container CI, then you can map to that level of detail, but don't map to that depth unless the use case calls for it.

    Internet of Things (IoT) devices and applications will need to match a use case as well. IoT device asset data will be useful to track within an asset database but may have limited value to add to a CMDB. If there are connections between IoT applications and data warehouses, the dependencies should likely be mapped to ensure continued dataflow.

    Out of scope

    A single source of data is highly beneficial, but don't make it a catchall for items that are not easily stored in a CMDB.

    Source code should be stored in a definitive media library (DML). Code can be linked to the CMDB but is generally too big to store in a CMDB and will reduce performance for data retrieval.

    Knowledge articles and maintenance checklists are better suited to a knowledge base. They can also be linked to the CDMB if needed but this can get messy where many-to-many relationships between articles and CIs exist.

    Fleet (transportation) assets and fixed assets should be in fleet management systems and accounting systems, respectively. Storing these types of data in the CMDB doesn't provide value to the support process.

    1.1.3 Brainstorm and prioritize use cases

    Which IT practices will you supercharge?

    Focus on improving both operations and strategy.

    1. Brainstorm the list of relevant use cases. What do you want to do with the data from the CMDB? Consider:
      1. ITSM management and governance practices
      2. IT operations, vendor orchestration, and service integration and management (SIAM) to improve vendor interactions
      3. IT finance and business service reporting needs
    2. Identify which use cases are part of your two- to three-year plan, including the purpose for adding configuration data into that process. Prioritize one or two of these use cases to accomplish in your first year.
    3. Identify dependencies to manage as part of the solution and define a realistic timeline for implementing integrations, modules, or data sources.
    4. Document this table in the Configuration Management Project Charter, section 2.2: Use Cases.
    Audience Use Case Goal/Purpose Project/Solution Dependencies Proposed Timeline Priority
    • IT
    • Change Management

    Stabilize the process by seeing:

    Change conflict reporting

    Reports of CI changes without change records

    System availability

    RFC mapping requires discovered CIs

    RFC review requires criticality, technical and business owners

    Conflict reporting requires dependency mapping

    • Discovery and manual information entered by October
    • Dependency mapping implemented by December

    High

    Determine what additional data will be needed to achieve your use cases

    Regardless of which use cases you are planning to fulfill with the CMDB, it is critical to not add data and complexity with the plan of resolving every possible inquiry. Ensure the cost and effort of bringing in the data and maintaining it is justified. The complexity of the environment will impact the complexity of data sources and integrations for discovery and dependency mapping.

    Before bringing in new data, consider:

    • Is this information available in other maintained databases now?
    • Will this data be critical for decision making? If it is nice to have or optional, can it be automatically moved into the database and maintained using existing integrations?
    • Is there a cost to bringing the data into the CMDB and maintaining it? Is that cost reasonable for its purpose?
    • How frequently will this information be accessed, and can it be updated in an adequate cadence to meet these needs?
    • When does this information need to be available?

    Info-Tech Insight

    If data will be used only occasionally upon request, determine if it will be more efficient to maintain it or to retrieve it from the CMDB or another data source as needed.

    Remember, within the data sets, service configuration models can be used for:

    • Impact analysis
    • Cause and effect analysis
    • Risk analysis
    • Cost allocation
    • Availability analysis and planning

    1.1.4 Expand your use cases by identifying the data needed to reach your goals

    Involve stakeholders.

    Allot 60 minutes for this discussion.

    Review use cases and their goals.

    Identify what data will be required to meet those goals and determine whether it will be mandatory or optional/nice-to-have information.

    Identify sources of data for each type of data. Color code or sort.

    Italicize data points that can be automatically discovered.

    Gain consensus on what information will be manually entered.

    Record the data in the Use Cases and Data Worksheet.

    Download the Use Cases and Data Worksheet

    Input

    Output

    • None
    • List of data requirements
    MaterialsParticipants
    • Whiteboard/flip charts
    • Sticky notes
    • Markers/pens
    • Use Cases and Data Worksheet
    • IT and business service owners
    • Business/customer relationship managers
    • Practice owners and managers
    • SCM practice manager
    • SCM project sponsor

    Use discovery and dependency mapping tools to automatically update the CMDB

    Avoid manual data entry whenever possible.

    Consider these features when looking at tools:

    • Application dependency mapping: Establishing and tracking the relationships and dependencies between system components, applications, and IT services. The ideal tool will be able to generate maps automatically.
    • Agentless and agent discovery: Scanning systems with both agent and agentless approaches. Agent-based scanning provides comprehensive information on applications used in individual endpoints, which is helpful in minimizing its IT footprint. However, agents require endpoint access. Agentless-based scanning provides a broader and holistic view of deployed applications without the need to install an agent on end devices, which can be good enough for inventory awareness.
    • Data export capability: Easy exporting of application inventory information to be used in reports and other tools.
    • Dashboards and chart visualization: Detailed list of the application inventory, including version number, number of users, licenses, deployment location, and other application details. These details will inform decision makers of each application's health and its candidacy for further rationalization activities.
    • Customizable scanning scripts: Tailor your application discovery approach by modifying the scripts used to scan your systems.
    • Integration with third-party tools: Easy integration with other systems with out-of-the-box plugins or customizable APIs.

    Determine which data collection methods will be used to populate the CMDB

    The effort-to-value ratio is an important factor in populating a CMDB. Manual efforts require a higher process focus, more intensive data validation, and a constant need to remind team members to act on every change.

    Real-Time Data AIOps continual scans Used for event and incident management
    Near Real-Time Data Discovery and dependency mapping run on a regular cycle Used for change and asset management
    Historical Data Activity log imports, manual data entry Used for IT finance, audit trail
    • Determine what amount of effort is appropriate for each data grouping and use case. As decisions are made to expand data within the CMDB, the effort-to-value ratio should always factor in. To be usable, data must be accurate, and every piece of data that needs to be manually entered runs the risk of becoming obsolete.
    • Identify which data sources will bring in each type of data. Where there is a possibility of duplicate records being created, one of the data sources will need to be identified as the primary.
    • If the decision is to manually enter configuration items early in the process, be aware that automation may create duplicates of the CIs that will need to be deduplicated at some point in the process to make the information more usable.
    • Typically, items are discovered, validated, then mapped, but there will be variations depending on the source.
    • Active Directory or LDAP may be used to bring users and technicians into the CMDB. Data may be imported from spreadsheets. Identify efforts where data cleanup may have to happen before transferring into the CMDB.
    • Identify how often manual imports will need to be conducted to make sure data is usable.

    Identify other nondiscoverable data that will need to be added to or accessed by the CMDB

    Foundational data, such as technicians, end users and approvers, roles, location, company, agency, department, building, or cost center, may be added to tables that are within or accessed by the CMDB. Work with your vendor to understand structure and where this information resides.

    • These records can be imported from CSV files manually, but this will require manual removal or edits as information changes.
    • Integration with the HRIS, Active Directory, or LDAP will enable automatic updates through synchronization or scheduled imports.
    • If synchronization is fully enabled, new data can be added and removed from the CMDB automatically.
    • Identify which nondiscoverable attributes will be needed, such as system criticality, support groups, groups it is managed by, location.
    • If partially automating the process, identify where manual updates will need to occur.
    • If fully automating the process, notifications will need to be set up when business owner or product or technical owner fields become empty to prompt defining a replacement within the CMDB.
    • Determine who will manage these updates.
    • Work with your CMDB implementation vendor to determine the best option for bringing this information in.

    1.1.5 Record required data sources

    Allot 15 minutes for this discussion.

    1. Where do you track the work involved in providing services? Typically, your ticket database tracks service requests and incidents. Additional data sources can include:
      • Enterprise resource planning tools for tracking purchase orders
      • Project management information system for tracking tasks
    2. What trusted data sources exist for the technology that supports these services? Examples include:
      • Management tools (e.g. Microsoft Endpoint Configuration Manager)
      • Architectural diagrams and network topology diagrams
      • IT asset management database
      • Spreadsheets
      • Other systems of record
    3. What other data sources can help you gather the data you identified in activity 1.1.4?
    4. Record the relevant data sources for each use case in the Configuration Management Standard Operating Procedures, section 6: Data Collection and Updates.

    Info-Tech Insight

    Improve the trustworthiness of your CMDB as a system of record by relying on data that is already trusted.

    Input

    Output

    • Use cases
    • List of data requirements
    MaterialsParticipants
    • Use Cases and Data Worksheet
    • Configuration Management Standard Operating Procedures
    • IT and business service owners
    • Practice owners and managers
    • SCM practice manager
    • SCM project sponsor

    Step 1.2

    Define roles and responsibilities

    Activities

    1.2.1 Record the project team and stakeholders

    1.2.2 Complete a RACI chart to define who will be accountable and responsible for configuration tasks

    This step will walk you through the following aspects of a configuration management system:

    • Roles and responsibilities

    This phase involves the following participants:

    • IT service owners
    • Enterprise architects
    • Practice owners and managers
    • SCM practice manager
    • Project manager

    Identify the roles you need in your SCM project

    Determine which roles will need to be involved in the initial project and how to source these roles.

    Leadership Roles
    Oversee the SCM implementation

    1. Configuration Manager – The practice owner for SCM. This is a long-term role.
    2. Configuration Control Board (CCB) Chair – An optional role that oversees proposed alterations to configuration plans. If a CCB is implemented, this is a long-term role.
    3. Project Sponsor or Program Sponsor – Provides the necessary resources for building the CMDB and SCM practices.
    4. Architecture Roles
      Plan the program to build strong foundation
      1. Configuration Management Architect – Technical leader who defines the overall CM solution, plans the scope, selects a tool, and leads the technical team that will implement the solution.
      2. Requirements Analyst – Gathers and manages the requirements for CM.
      3. Process Engineer – Defines, documents, and implements the entire process.

    Architecture Roles
    Plan the program to build strong foundation

    1. Configuration Management Architect – Technical leader who defines the overall CM solution, plans the scope, selects a tool, and leads the technical team that will implement the solution.
    2. Requirements Analyst – Gathers and manages the requirements for CM.
    3. Process Engineer – Defines, documents, and implements the entire process.

    Engineer Roles
    Implement the system

    1. Logical Database Analyst (DBA) Designs the structure to hold the configuration management data and oversees implementation.
    2. Communications and Trainer – Communicates the goals and functions of CM and teaches impacted users the how and why of the process and tools.

    Administrative Roles
    Permanent roles involving long-term ownership

    1. Technical Owner – The system administrator responsible for their system's uptime. These roles usually own the data quality for their system.
    2. Configuration Management Integrator – Oversees regular transfer of data into the CMDB.
    3. Configuration Management Tool Support – Selects, installs, and maintains the CM tool.
    4. Impact Manager – Analyzes configuration data to ensure relationships between CIs are accurate; conducts impact analysis.

    1.2.1 Record the project team and stakeholders

    Allocate 25 minutes to this discussion.

    1. Record the project team.
      1. Identify the project manager who will lead this project.
      2. Identify key personnel that will need to be involved in design of the configuration management system and processes.
      3. Identify where vendors/outsourcers may be required to assist with technical aspects.
      4. Document the project team in the Configuration Management Project Charter, section 1.1: Project Team.
    1. Record a list of stakeholders.
      1. Identify stakeholders internal and external to IT.
      2. Build the stakeholder profile. For each stakeholder, identify their role, interest in the project, and influence on project success. You can score these criteria high/medium/low or score them out of ten.
      3. If managed service providers will need to be part of the equation, determine who will be the liaison and how they will provide or access data.
    Input

    Output

    • Project team members
    • Project plan resources
    MaterialsParticipants
    • Configuration Management Project Charter
    • List of project stakeholders and participants
    • IT service owners
    • Practice owners and managers
    • SCM practice manager
    • SCM project sponsor

    Even with full automation, this cannot be a "set it and forget it" project if it is to be successful long-term

    Create a team to manage the process and data updates and to ensure data is always usable.

    • Services may be added and removed.
    • Technology will change as technical debt is reduced.
    • Vendors may change as contract needs develop.
    • Additional use cases may be introduced by IT and the business as approaches to management evolve.
    • AIOps can reduce the level of effort and improve visibility as configuration items change from the baseline and notifications are automated.
    • Changes can be checked against requests for changes through automated reconciliations, but changes will still need to be investigated where they do not meet expectations.
    • Manual data changes will need to be made regularly and verified.

    "We found that everyone wanted information from the CMDB, but no one wanted to pay to maintain it. People pointed to the configuration management team and said, 'It's their responsibility.'

    Configuration managers, however, cannot own the data because they have no way of knowing if the data is accurate. They can own the processes related to checking accuracy, but not the data itself."
    – Tim Mason, founding director at TRM Associates
    (Excerpt from Viewpoint: Focus on CMDB Leadership)

    Include these roles in your CMDB practice to ensure continued success and continual improvement

    These roles can make up the configuration control board (CCB) to make decisions on major changes to services, data models, processes, or policies. A CCB will be necessary in complex environments.

    Configuration Manager

    This role is focused on ensuring everyone works together to build the CMDB and keep it up to date. The configuration manager is responsible to:

    • Plan and manage the standards, processes, and procedures and communicate all updates to appropriate staff. Focused on continual improvement.
    • Plan and manage population of the CMDB and ensure data included meets criteria for cost effectiveness and reasonable effort for the value it brings.
    • Validate scope of services and CIs to be included and controlled within the CMDB and manage exceptions.
    • Audit data quality to ensure it is valid, is current, and meets defined standards.
    • Evaluate and recommend tools to support processes, data collection, and integrations.
    • Ensure configuration management processes interface with all other service and business management functions to meet use cases.
    • Report on configuration management performance and take appropriate action on process adherence and quality issues.

    Configuration Librarian

    This role is most important where manual data entry is prevalent and where many nonstandard configurations are in place. The librarian role is often held by the tool administrator. The librarian focuses specifically on data within the CMDB, including:

    • Manual updates to configuration data.
    • CMDB data verification on a regular schedule.
    • Processing ad hoc requests for data.

    Product/Service/Technical Owners

    The product or technical owner will validate information is correctly updating and reflects the existing data requirements as new systems are provisioned or as existing systems change.

    Interfacing Practice Owners

    All practice owners, such as change manager, incident manager, or problem manager, must work with the configuration team to ensure data is usable for each of the use cases they are responsible for.

    Download the Configuration Manager job description

    Assign configuration management responsibilities and accountabilities

    Align authority and accountability.

    • A RACI exercise will help you discuss and document accountability and responsibility for critical configuration management activities.
    • When responsibility and accountability are not well documented, it's often useful to invite a representative of the roles identified to participate in this alignment exercise. The discussion can uncover contrasting views on responsibility and governance, which can help you build a stronger management and governance model.
    • The RACI chart can help you identify who should be involved when making changes to a given activity. Clarify the variety of responsibilities assigned to each key role.
    • In the future, you may need to define roles in more detail as you change your configuration management procedures.

    Responsible: The person who actually gets the job done.
    Different roles may be responsible for different aspects of the activity relevant to their role.

    Accountable: The one role accountable for the activity (in terms of completion, quality, cost, etc.)
    Must have sufficient authority to be held accountable; responsible roles are often accountable to this role.

    Consulted: Those who need the opportunity to provide meaningful input at certain points in the activity; typically, subject matter experts or stakeholders. The more people you must consult, the more overhead and time you'll add to a process.

    Informed: Those who receive information regarding the task but do not need to provide feedback.
    Information might relate to process execution, changes, or quality.

    Complete a RACI chart to define who will be accountable and responsible for configuration tasks

    Determine what roles will be in place in your organization and who will fulfill them, and create your RACI chart to reflect what makes sense for your organization. Additional roles may be involved where there is complexity.

    R = responsible, A = accountable, C = consulted, I = informed CCB Configuration Manager Configuration Librarian Technical Owner(s) Interfacing Practice Owners Tool Administrator
    Plan and manage the standards, processes, and procedures and communicate all updates to appropriate staff. Focused on continual improvement. A R
    Plan and manage population of the CMDB and ensure data included meets criteria for cost effectiveness and reasonable effort for the value it brings. A R
    Validate scope of services and CIs to be included and controlled within the CMDB and manage exceptions. A R
    Audit data quality to ensure it is valid, is current, and meets defined standards. A,R
    Evaluate and recommend tools to support processes, data collection, and integrations. A,R
    Ensure configuration management processes interface with all other service and business management functions to meet use cases. A
    Report on configuration management performance and take appropriate action on process adherence and quality issues. A
    Make manual updates to configuration data. A
    Conduct CMDB data verification on a regular schedule. A
    Process ad hoc requests for data. A
    Enter new systems into the CMDB. A R
    Update CMDB as systems change. A R
    Identify new use cases for CMDB data. R A
    Validate data meets the needs for use cases and quality. R A
    Design reports to meet use cases. R
    Ensure integrations are configured as designed and are functional. R

    1.2.2 Complete a RACI chart to define who will be accountable and responsible for configuration tasks

    Allot 60 minutes for this discussion.

    1. Open the Configuration Management Standard Operating Procedures, section 4.1: Responsibility Matrix. In the RACI chart, review the top row of roles. Smaller organizations may not need a configuration control board, in which case the configuration manager may have more authority.
    2. Modify or expand the process tasks in the left column as needed.
    3. For each role, identify what that person is responsible for, accountable for, consulted on, or informed of. Fill out each column.
    4. Document in the SOP. Schedule a time to share the results with organization leads.
    5. Distribute the chart among all teams in your organization.
    6. Describe additional roles as needed in the documentation.
    7. Add accountabilities and responsibilities for the CCB into the Configuration Control Board Charter.
    8. If appropriate, add auxiliary roles to the Configuration Management Standard Operating Procedures, section 4.2: Configuration Management Auxiliary Role Definitions.

    Notes:

    1. Assign one Accountable for each task.
    2. Have one or more Responsible for each task.
    3. Avoid generic responsibilities such as "team meetings."
    4. Keep your RACI definitions in your documents for quick reference.

    Refer back to the RACI chart when building out the communications plan to ensure accountable and responsible team members are on board and consulted and informed people are aware of all changes.

    Input

    Output

    • Task assignments
    • RACI chart with roles and responsibilities
    MaterialsParticipants
    • Configuration Management Standard Operating Procedures, RACI chart
    • Configuration Control Board Charter, Responsibilities section
    • IT service owners
    • Practice owners and managers
    • SCM practice manager
    • SCM project sponsor

    Phase 2

    Configuration Management Data Model

    StrategyData StructureProcessesRoadmap
    • Challenges and Goals
    • Use Cases and Data
    • Roles and Responsibilities
    • Services
    • Classifications
    • Data Modeling
    • Lifecycle Processes
    • Baselines
    • Audit and Data Validation
    • Metrics
    • Communications Plan
    • Roadmap

    This phase will walk you through the following aspects of a configuration management system:

    • Data Model
    • Customer-Facing and Supporting Services
    • Business Capabilities
    • Relationships
    • IT Infrastructure Components
    • Enterprise Software
    • End-User Devices
    • Documents

    This phase involves the following participants:

    • IT service owners
    • Enterprise architects
    • Practice owners and managers
    • CM practice manager
    • CM project manager

    Step 2.1

    Build a framework for CIs and relationships

    Activities

    Document services:

    2.1.1 Define and prioritize your services

    2.1.2 Test configuration items against existing categories

    2.1.3 Create a configuration control board charter to define the board's responsibilities and protocols

    This step will walk you through the following aspects of a configuration management system:

    • Data model
    • Configuration items
    • Relationships

    This phase involves the following participants:

    • IT service owners
    • Enterprise architects
    • Practice owners and managers
    • CM practice manager
    • Project manager

    Making sense of data daily will be key to maintaining it, starting with services

    As CIs are discovered and mapped, they will automatically map to each other based on integrations, APIs, queries, and transactions. However, CIs also need to be mapped to a conceptional model or service to present the service and its many layers in an easily consumable way.

    These services will need to be manually created or imported into the CMDB and manually connected to the application services. Services can be mapped to technical or business services or both.

    If business services reporting has been requested, talk to the business to develop a list of services that will be required. Use terms the business will be expecting and identify which applications and instances will be mapped to those services.

    If IT is using the CMDB to support service usage and reporting, develop the list of IT services and identify which applications and instances will be mapped to those services.

    This image show the relationship between Discoverable and Nondiscoverable CIs. The discoverable CIs are coloured in purple, and the nondiscoverables are blue.

    Work with your stakeholders to ensure catalog items make sense to them

    There isn't a definitive right or wrong way to define catalog items. For example, the business and IT could both reference application servers, but only IT may need to see technical services broken down by specific locations or device types.

    Refer back to your goals and use cases to think through how best to meet those objectives and determine how to categorize your services.

    Define the services that will be the top-level, nondiscoverable services, which will group together the CIs that make up the complete service. Identify which application(s) will connect into the technical service.

    When you are ready to start discovery, this list of services will be connected to the discovered data to organize it in a way that makes sense for how your stakeholders need to see the data.

    While working toward meeting the goals of the first few use cases, you will want to keep the structure simple. Once processes are in place and data is regularly validated, complexities of different service types and names can be integrated into the data.

    This image show the relationship between Discoverable and Nondiscoverable CIs. Both Discoverable and nondiscoverable CIs are blue.

    Application Service(blue); Technical Service(Purple); IT Shared Services(Orange); Billable Services(green); Service Portfolio(red)

    Define the service types to manage within the CMDB to logically group CIs

    Determine which method of service groupings will best serve your audience for your prioritized use cases. This will help to name your service categories. Service types can be added as the CMDB evolves and as the audience changes.

    Application Service

    Technical Service

    IT Shared Services

    Billable Services

    Service Portfolio

    A set of interconnected applications and hosts configured to offer a service to the organization.

    Example: Financial application service, which may include email, web server, application server, databases, and middleware.

    A logical grouping of CIs based on common criteria.

    Example: Toronto web services, which may include several servers, web applications, and databases.

    A logical grouping of IT and business services shared and used across the organization.

    Example: VoIP/phone services or networking or security services.

    A group of services that will be billed out to departments or customers and would require logical groupings to enable invoicing.

    A group of business and technical service offerings with specific performance reporting levels. This may include multiple service levels for different customer audiences for the same service.

    2.1.1 Define and prioritize your services

    Prioritize your starting point. If multiple audiences need to be accommodated, work with one group at a time.

    Timing: will vary depending on number of services, and starting point

    1. Create your list of services, referencing an existing service catalog, business continuity or disaster recovery plan, list of applications, or brainstorming sessions. Use the terminology that makes the most sense for the audience and their reporting requirements.
    2. If this list is already in place, assess for relevance and reduce the list to only those services that will be managed through the CMDB.
    3. Determine what data will be relevant for each service based on the exercises done in 1.1.4 and 1.1.5. For example, if priority was a required attribute for use case data, ensure each service lists the priority of that service.
    4. For each of these, identify the supporting services. These items can come from your technical service catalog or list of systems and software.
    5. Document this table in the Use Cases and Data Worksheet, tab 3: Service Catalog.

    Service Record Example

    Service: Email
    Supporting Services: M365, Authentication Services

    Service Attributes

    Availability: 24/7 (99.999%)
    Priority: Critical
    Users: All
    Used for: Collaboration
    Billable: Departmental
    Support: Unified Support Model, Account # 123456789

    The CMDB will be organized by services and will enable data analysis through multiple categorization schemes

    To extract maximum service management benefit from a CMDB, the highest level of CI type should be a service, as demonstrated below. While it is easier to start at the system or single-asset level, taking the service mapping approach will provide you with a useful and dynamic view of your IT environment as it relates to the services you offer, instead of a static inventory of components.

    Level 1: Services

    • Business Service Offering: A business service is an IT service that supports a business process, or a service that is delivered to business customers. Business service offerings typically are bound by service-level agreements.
    • IT Service Offering: An IT service supports the customer's business processes and is made up of people, processes, and technology. IT service offerings typically are bound by service-level agreements.

    Level 2: Infrastructure CIs

    • IT Component Set: An IT service offering consists of one of more sets of IT components. An IT component set allows you to group or bundle IT components with other components or groupings.
    • IT Component: An IT system is composed of one or more supporting components. Many components are shared between multiple IT systems.

    Level 3: Supporting CIs

    • IT Subcomponent: Any IT asset that is uniquely identifiable and a component of an IT system.
    • IT components can have subcomponents, and those components can have subcomponents, etc.

    Two charts, showing Enterprise Architect Model and Configuration Service Model. Each box represents a different CI.

    Assess your CMDB's standard category offerings against your environment, with a plan to minimize customization

    Standard categorization schemes will allow for easier integration with multiple tools and reporting and improve results if using machine learning to automate categorization. If the CMDB chosen includes structured categories, use that as your starting point and focus only on gaps that are not addressed for CIs unique to your environment.

    There is an important distinction between a class and a type. This concept is foundational for your configuration data model, so it is important that you understand it.

    • Types are general groupings, and the things within a type will have similarities. For attributes that you want to collect on a type, all children classes and CIs will have those attribute fields.
    • Classes are a more specific grouping within a type. All objects within a class will have specific similarities. You can also use subclasses to further differentiate between CIs.
    • Individual CIs are individual instances of a class or subclass. All objects in a class will have the same attribute fields and behave the same, although the values of their attributes will likely differ.
    • Attributes may be discovered or nondiscoverable and manually added to CIs. The attributes are properties of the CI such as serial number, version, memory, processor speed, or asset tag.

    Use inheritance structures to simplify your configuration data model.

    An example CM Data Model is depicted.

    Assess the list of classes of configuration items against your requirements

    Types are general groupings, and the things within a type will have similarities. Each type will have its own table within the CMDB. Classes within a type are a more specific grouping of configuration items and may include subclasses.

    Review your vendor's CMDB documentation. Find the list of CI types or classes. Most CMDBs will have a default set of classes, like this standard list. If you need to build your own, use the table below as a starting point. Define anything required for unique classes. Create a list and consult with your installation partner.

    Sample list of classes organized by type

    Types Services Network Hardware Storage Compute App Environment Documents
    Classes
    • Application Service
    • Technical Service
    • IT Shared Service
    • Billable Service
    • Service Portfolio
    • Switch
    • Router
    • Firewall
    • Modem
    • SD-WAN
    • Load Balancer
    • UPS
    • Computer
    • Laptop
    • Server
    • Tablet
    • Database
    • Network-Attached Storage
    • Storage Array Network
    • Blob
    • Operating System
    • Hypervisor
    • Virtual Server
    • Virtual Desktop
    • Appliance
    • Virtual Application
    • Enterprise Application
    • Line of Business Application Software
    • Development
    • Test
    • Production
    • Contract
    • Business Impact Analysis
    • Requirements

    Review relationships to determine which ones will be most appropriate to map your dependencies

    Your CMDB should include multiple relationship types. Determine which ones will be most effective for your environment and ensure everyone is trained on how to use them. As CIs are mapped, verify they are correct and only manually map what is incorrect or not mapping through automation.

    Manually mapping CMDB relationships may be time consuming and prone to error, but where manual mapping needs to take place, ensure the team has a common view of the dependency types available and what is important to map.

    Use automated mapping whenever possible to improve accuracy, provide functional visualizations, and enable dynamic updates as the environment changes.

    Where a dependency maps to external providers, determine where it makes sense to discover and map externally provided CIs.

    • Only connect where there is value in mapping to vendor-owned systems.
    • Only connect where data and connections can be trusted and verified.

    Most common dependency mapping types

    A list of the most common dependency mapping types.

    2.1.2 Test configuration items against existing categories

    Time to complete: 1-2 hours

    1. Select a service to test.
    2. Identify the various components that make up the service, focusing on configuration items, not attributes
    3. Categorize configuration items against types and classes in the default settings of the CMDB.
    4. Using the default relationships within the CMDB, identify the relationships between the configuration items.
    5. Identify types, classes, and relationships that do not fit within the default settings. Determine if there are common terms for these items or determine most appropriate name.
    6. Validate these exceptions with the publisher.
    7. Document exceptions in the Configuration Management Standard Operating Procedures, Appendix 2: Types and Classes of Configuration Items
    Input

    Output

    • List of default settings for classes, types, and relationships
    • Small list of services for testing
    • List of CIs to map to at least one service
    • List of categories to add to the CMDB solution.
    MaterialsParticipants
    • Use Cases and Data Worksheet
    • Configuration Management Standard Operating Procedures
    • IT service owners
    • Practice owners and managers
    • SCM practice manager
    • SCM project sponsor

    2.1.3 Create a configuration control board charter to define the board's responsibilities and protocols

    A charter will set the tone for meetings, ensure purpose is defined and meeting cadence is set for regular reviews.

    1. Open the Configuration Control Board Charter. Review the document and modify as appropriate for your CCB. This will include:
      • Purpose and mandate of the committee – Reference objectives from the project charter.
      • Team composition – Determine the right mix of team members. A team of six to ten people can provide a good balance between having a variety of opinions and getting work done.
      • Voting option – Determine the right quorum to approve changes.
      • Responsibilities – List responsibilities, starting with RACI chart items.
      • Authority – Define the control board's span of control.
      • Governing laws and regulations – List any regulatory requirements that will need to be met to satisfy your auditors.
      • Meeting preparation – Set expectations to ensure meetings are productive.
    2. Distribute the charter to CCB members.
    Input

    Output

    • Project team members
    • Project plan resources
    MaterialsParticipants
    • Configuration Control Board Charter
    • IT service owners
    • Practice owners and managers
    • SCM practice manager
    • SCM project sponsor

    Assess the default list of statuses for each state

    Align this list with your CMDB

    Minimize the number of customizations that will make it difficult to update the platform.

    1. Review the default status list within the tool.
    2. Identify which statuses will be most used. Write a definition for each status.
    3. Update this list as you update process documentation in Step 3.1. After initial implementation, this list should only be modified through change enablement.
    4. Record this list of statuses in the Configuration Management Standard Operating Procedures, Appendix 4: Statuses
    State Status Description
    Preparation Ordered Waiting delivery from the vendor
    In Planning Being created
    Received Vendor has delivered the item, but it is not ready for deployment
    Production In Stock Available to be deployed
    In Use Deployed
    On Loan Deployed to a user on a temporary basis
    For Removal Planning to be phased out but still deployed to an end user
    Offline In Transit Moving to a new location
    Under Maintenance Temporarily offline while a patch or change is applied
    Removed Decommissioned Item has been retired and is no longer in production
    Disposed Item has been destroyed and we are no longer in possession of it
    Lost Item has been lost
    Stolen Item has been stolen

    Step 2.2

    Document statuses, attributes, and data sources

    Activities

    2.2.1 Follow the packet and map out the in-scope services and data centers

    2.2.2 Build data model diagrams

    2.2.3 Determine access rights for your data

    This step will walk you through the following aspects of a configuration management system:

    • Statuses
    • Attributes for each class of CI

    This phase involves the following participants:

    • IT service owners
    • Enterprise architects
    • Practice owners and managers
    • SCM practice manager
    • Project manager

    Outcomes of this step

    • Framework for approaching CI statuses
    • Attributes for each class of CI
    • Data sources for those attributes

    Service mapping approaches

    As you start thinking about dependency mapping, it's important to understand the different methods and how they work, as well as your CMDB's capabilities. These approaches may be all in the same tool, or the tool may only have the top-down options.

    Top down, most common

    Pattern-based

    Most common option, which includes indicators of connections such as code, access rights, scripting, host discovery, and APIs.

    Start with pattern-based, then turn on traffic-based for more detail. This combination will provide the most accuracy.

    Traffic-based

    Map against traffic patterns involving connection rules to get more granular than pattern-based.

    Traffic-based can add a lot of overhead with extraneous data, so you may not want to run it continuously.

    Tag-based

    Primarily used for cloud, containers, and virtual machines and will attach the cloud licenses to their dependent services and any related CIs.

    Tags work well with cloud but will not have the same hierarchical view as on-premises dependency mapping.

    Machine learning

    Machine learning will look for patterns in the traffic-based connections, match CIs to categories and help organize the data.

    Machine learning (ML) may not be in every solution, but if you have it, use it. ML will provide many suggestions to make the life of the data manager easier.

    Model hierarchy

    Automated data mapping will be helpful, but it won't be foolproof. It's critical to understand the data model to validate and map nondiscoverable CIs correctly.

    The framework consists of the business, enterprise, application, and implementation layers.

    The business layer encodes real-world business concepts via the conceptual model.

    The enterprise layer defines all enterprise data assets' details and their relationships.

    The application layer defines the data structures as used by a specific application.

    The implementation layer defines the data models and artifacts for use by software tools.

    An example of Model Hierarchy is depicted.

    Learn how to create data models with Info-Tech's blueprint Create and Manage Enterprise Data Models

    2.2.1 Follow the packet and map out the in-scope services and data centers

    Reference your network topology and architecture diagrams.

    Allot 1 hour for this activity.

    1. Start with a single service that is well understood and documented.
    2. Identify the technical components (hardware and applications) that make up the service.
    3. Determine if there is a need to further break down services into logical service groupings. For example, the email service to the right is broken down into authentication and mail flow.
    4. If you don't have a network diagram to follow, create a simple one to identify workflows within the service and components the service uses.
    5. Record the apps and underlying components in the Configuration Management Standard Operating Procedures, Appendix 1: Configuration Data Model Structure.

    This information will be used for CM project planning and validating the contents of the CMDB.

    an example of a Customer-facing service is shown, for Email sample topology.

    Download the Configuration Management Diagram Template Library to see an example.

    Build your configuration data model

    Rely on out-of-the-box functionality where possible and keep a narrow focus in the early implementation stages.

    1. If you have an enterprise architecture, then your configuration management data model should align with it.
    2. Keep a narrow focus in the early implementation stages. Don't fill up your CMDB until you are ready to validate and fix the data.
    3. Rely on out-of-the-box (OOTB) functionality where possible. If your configuration management database (CMDB) and platform do not have a data model OOTB, then rely on a publicly available data model.
    4. Map your business or IT service offering to the first few layers.

    Once this is built out in the system, you can let the automated dependency mapping take over, but you will still need to validate the accuracy of the automated mapping and investigate anything that is incorrect.

    Sample Configuration Data Model

    Every box represents a CI, and every line represents a relationship

    A sample configuration Data model is shown.

    Example: Data model and CMDB visualization

    Once the data model is entered into the CMDB, it will provide a more dynamic and complex view, including CIs shared with other services.

    An example of a Data Model Exercise

    CMDB View

    An example of a CMDB View of the Data Model Exercise

    2.2.2 Build data model diagrams

    Visualize the expected CI classes and relationships.

    Allot 45 minutes.

    1. Identify the different data model views you need. Use multiple diagrams to keep the information simple to read and understand. Common diagrams include:
      1. Network level: Outline expected CI classes and relationships at the network level.
      2. Application level: Outline the expected components and relationships that make up an application.
      3. Services level: Outline how business capability CIs and service CIs relate to each other and to other types of CIs.
    1. Use boxes to represent CI classes.
    2. Use lines to represent relationships. Include details such as:
      1. Relationship name: Write this name on the arrow.
      2. Direction: Have an arrow point to each child.

    Review samples in Configuration Management Diagram Template Library.
    Record these diagrams in the Configuration Management Standard Operating Procedures, Appendix 1: Configuration Data Model Structure.

    Input

    Output

    • List of default settings for classes, types, and relationships
    • Small list of services for testing
    • List of CIs to map to at least one service
    • List of additions of categories to add to the CMDB solution.
    MaterialsParticipants
    • Configuration Management Standard Operating Procedures
    • Configuration Management Diagram Template Library
    • IT service owners
    • Practice owners and managers
    • SCM practice manager
    • SCM project sponsor

    Download the Configuration Management Diagram Template Library to see examples.

    Determine governance for data security, access, and validation

    Align CMDB access to the organization's access control policy to maintain authorized and secure access for legitimate staff performing their role.

    Data User Type Access Role
    Data consumers
    • View-only access
    • Will need to view and use the data but will not need to make modifications to it
    • Service desk
    • Change manager
    • Major incident manager
    • Finance
    CMDB owner
    • Read/write access with the ability to update and validate data as needed
    • Configuration manager
    Domain owner
    • Read/write access for specific domains
    • Data owner within their domain, which includes validating that data is in the database and that it is correctly categorized.
    • Enterprise architect
    • Application owner
    Data provider
    • Read/write access for specific domains
    • Ensures automated data has been added and adds nondiscoverable assets and attributes as needed
    • Server operations
    • Database management
    • Network teams
    CMDB administrator
    • View-only access for data
    • Will need to have access for modifying the structure of the product, including adding fields, as determined by the CCB
    • ITSM tool administrator

    2.2.3 Determine access rights for your data

    Allot 30 minutes for this discussion.

    1. Open the Configuration Management Standard Operating Procedures, section 5: Access Rights.
    2. Review the various roles from an access perspective.
      1. Who needs read-only access?
      2. Who needs read/write access?
      3. Should there be restrictions on who can delete data?
    1. Fill in the chart and communicate this to your CMDB installation vendor or your CMDB administrator.
    Input

    Output

    • Task assignments
    • Access rights and roles
    MaterialsParticipants
    • Configuration Management Standard Operating Procedures
    • IT service owners
    • Practice owners and managers
    • SCM practice manager
    • SCM project sponsor

    Phase 3

    Configuration Record Updates

    StrategyData StructureProcessesRoadmap
    • Challenges and Goals
    • Use Cases and Data
    • Roles and Responsibilities
    • Services
    • Classifications
    • Data Modeling
    • Lifecycle Processes
    • Baselines
    • Audit and Data Validation
    • Metrics
    • Communications Plan
    • Roadmap

    This phase will walk you through the following aspects of a configuration management system:

    • ITSM Practices and Workflows
    • Discovery and Dependency Mapping Tools
    • Auditing and Data Validation Practices

    This phase involves the following participants:

    • IT service owners
    • Enterprise architects
    • Practice owners and managers
    • SCM practice manager
    • SCM project manager
    • IT audit

    Harness Service Configuration Management Superpowers

    Step 3.1

    Keep CIs and relationships up to date through lifecycle process integrations

    Activities

    3.1.1 Define processes to bring new services into the CMDB

    3.1.2 Determine when each type of CI will be created in the CMDB

    3.1.3 Identify when each type of CI will be retired in the CMDB

    3.1.4 Record when and how attributes will change

    3.1.5 Institute configuration control and configuration baselines

    This step will walk you through the following aspects of a configuration management system:

    1. ITSM Practices and Workflows
    2. Discovery and Dependency Mapping Tools

    This phase involves the following participants:

    1. IT service owners
    2. Enterprise architects
    3. Practice owners and managers
    4. SCM practice manager
    5. Project manager

    Outcomes of this step

    • List of action items for updating interfacing practices and processes
    • Identification of where configuration records will be manually updated

    Incorporate CMDB updates into IT operations

    Determine which processes will prompt changes to the CMDB data

    Onboard new services - Offboard Redundant Services. Onboard new CIs - Offboard Redundant CIs; Maintain CIs - Update Attributes.

    Change enablement

    Identify which process are involved in each stage of data input, maintenance, and removal to build out a process for each scenario.

    Project management

    Change enablement

    Asset management

    Security controls

    Project management

    Incident management

    Deployment management

    Change enablement

    Asset management

    Security controls

    Project management

    Incident management

    Service management

    Formalize the process for adding new services to the CMDB

    As new services and products are introduced into the environment, you can improve your ability to correctly cost the service, design integrations, and ensure all operational capabilities are in place, such as data backup and business continuity plans.
    In addition, attributes such as service-level agreements (SLAs), availability requirements, and product, technical, and business owners should be documented as soon as those new systems are made live.

    • Introduce the technical team and CCB to the product early to ensure the service record is created before deployment and to quickly map the services once they are moved into the production environment.
    • Engage with project managers or business analysts to define the process to include security and technical reviews early.
    • Engage with the security and technical reviewers to start documenting the service as soon as it is approved.
    • Determine which practices will be involved in the creation and approval of new services and formalize the process to streamline entry of the new service, onboarding corresponding CIs and mapping dependencies.

    an example of the review and approval process for new service or products is shown.

    3.1.1 Define processes to bring new services into the CMDB

    Start with the most frequent intake methods, and if needed, use this opportunity to streamline the process.

    1. Discuss the methods for new services to be introduced to the IT environment.
    2. Critique existing methods to assess consistency and identify issues that could prevent the creation of services in the CMDB in a timely manner.
    3. Create a workflow for the existing processes, with an eye to improvement. Identify any changes that will need to be introduced and managed appropriately.
    4. Identify where additional groups may need to be engaged to ensure success. For example, if project managers are not interfacing early with IT, discuss process changes with them.
    5. Discuss the validation process and determine where control points are. Document these on the workflows.
    6. Complete the Configuration Management Standard Operating Procedures, section 8.1: Introduce New Service and Data Model.

    Possible intake opportunities:

    • Business-driven project intake process
    • IT-driven project intake process
    • Change enablement reviews
    • Vendor-driven product changes
    Input

    Output

    • Discussion
    • Intake processes
    MaterialsParticipants
    • Configuration Management Standard Operating Procedures
    • Configuration Management Diagram Template Library
    • Configuration control board
    • Configuration manager
    • Project sponsor
    • IT stakeholders

    Identify scenarios where CIs are added and removed in the configuration management database

    New CIs may be introduced with new services or may be introduced and removed as part of asset refreshes or through service restoration in incident management. Updates may be done by your own services team or a managed services provider.
    Determine the various ways the CIs may be changed and test with various CI types.
    Review attributes such as SLAs, availability requirements, and product, technical, and business owners to determine if changes are required.

    • Identify what will be updated automatically or manually. Automation could include discovery and dependency mapping or synchronization with AMDB or AIOps tools.
    • Engage with relevant program managers to define and validate processes.
    • Identify control points and review audit requirements.

    An example of New or refresh CI from Procurement.

    Info-Tech Insight

    Data deemed no longer current may be archived or deleted. Retained data may be used for tracing lifecycle changes when troubleshooting or meeting audit obligations. Determine what types of CIs and use cases require archived data to meet data retention policies. If none do, deletion of old data may be appropriate.

    3.1.2 Identify when each type of CI will be created in the CMDB

    Allot 45 minutes for discussion.

    1. Discuss the various methods for new CIs to be introduced to the IT environment.
    2. Critique existing methods to assess consistency and identify issues that could prevent the creation of CIs in the CMDB in a timely manner.
    3. Create a workflow for the existing processes, with an eye to improvement. Identify any changes that will need to be introduced and managed appropriately.
    4. Identify where additional groups may need to be engaged to ensure success. For example, if project managers are not interfacing early with IT, discuss process changes with them.
    5. Discuss the validation process and determine where control points are. Document these on the workflows.
    6. Complete Configuration Management Standard Operating Procedures, section 8.2: Introduce New Configuration Items to the CMDB

    Possible intake opportunities:

    • Business-driven project intake process
    • IT-driven project intake process
    • Change enablement reviews
    • Vendor-driven product changes
    • Incident management
    • Asset management, lifecycle refresh
    Input

    Output

    • Discussion
    • Retirement processes
    MaterialsParticipants
    • Configuration Management Standard Operating Procedures
    • Configuration Management Diagram Template Library
    • Configuration control board
    • Configuration manager
    • Project sponsor
    • IT stakeholders

    3.1.3 Identify when each type of CI will be retired in the CMDB

    Allot 45 minutes for discussion.

    1. Discuss the various methods for CIs to be removed from the IT environment.
    2. Critique existing methods to assess consistency and identify issues that could prevent the retirement of CIs in the CMDB in a timely manner.
    3. Create a workflow for the existing processes, with an eye to improvement. Identify any changes that will need to be introduced and managed appropriately.
    4. Identify where additional groups may need to be engaged to ensure success. For example, if project managers are not interfacing early with IT, discuss process changes with them.
    5. Discuss the validation process and determine where control points are. Document these on the workflows.
    6. Discuss data retention. How long will retired information need to be archived? What are the potential scenarios where legacy information may be needed for analysis?
    7. Complete the Configuration Management Standard Operating Procedures, section 8.4: Retire and Archive Configuration Records.

    Possible retirement scenarios:

    • Change enablement reviews
    • Vendor-driven product changes
    • Incident management
    • Asset management, lifecycle refresh
    Input

    Output

    • Discussion
    • Intake processes
    MaterialsParticipants
    • Configuration Management Standard Operating Procedures
    • Configuration Management Diagram Template Library
    • Configuration control board
    • Configuration manager
    • Project sponsor
    • IT stakeholders

    Determine appropriate actions for detecting new or changed CIs through discovery

    Automated detection will provide the most efficient way of recording planned changes to CIs as well as detected unplanned changes. Check with the tool to determine what reports or notifications are available for the configuration management process and define what actions will be appropriate.

    As new CIs are detected, identify the process by which they should have been introduced into configuration management and compare against those records. If your CMDB can automatically check for documentation, this may be easier. Weekly reporting will allow you to catch changes quickly, and alerts on critical CIs could enable faster remediation, if the tool allows for alerting. AIOps could identify, notify of, and process many changes in a highly dynamic environment.

    Type of Change

    Impacted Process

    Validation

    Findings

    Actions

    Configuration change to networking equipment or software

    Change management

    Check for request for change

    No RFC

    Add to CAB agenda, notify technical owner

    Configuration change to end-user device or software

    Asset management

    Check for service ticket

    No ticket

    Escalate to asset agenda, notify service manager

    New assets coming into service

    Security incident and event management

    Check for SIEM integration

    No SIEM integration

    Notify security operations team to investigate

    The configuration manager may not have authority to act but can inform the process owners of unauthorized changes for further action. Once the notifications are forwarded to the appropriate process owner, the configuration manager will note the escalation and follow up on data corrections as deemed appropriate by the associated process owner.

    3.1.4 Record when and how attributes will change

    These lists will help with configuration control plans and your implementation roadmap.

    1. List each attribute that will change in that CI type's life.
    2. Write all the times that each attribute will change. Identify:
      1. The name of the workflow, service request, process, or practice that modifies the attribute.
      2. Whether the update is made automatically or manually.
      3. The role or tool that updates the CMDB.
    1. Update the relevant process or procedure documentation. Explicitly identify when the configuration records are updated.

    Document these tables in Configuration Management Standard Operation Procedures, Section 8.7: Practices That Modify CIs.

    Network Equipment
    Attributes

    Practices That Modify This Attribute

    Status
    • Infra Deployment (updated manually by Network Engineering)
    • Change Enablement (updated manually by CAB or Network Engineering)
    Assigned User
    • IT Employee Offboarding or Role Change (updated manually by Network Engineering)
    Version
    • Patch Deployment (updated automatically by SolarWinds)
    End-User Computers
    Attributes
    Practices That Modify This Attribute
    Status
    • Device Deployment (updated manually by Desktop Support)
    • Device Recovery (updated manually by Desktop Support)
    • Employee Offboarding and Role Change (updated manually by Service Desk)
    Assigned User
    • Device Deployment (updated manually by Desktop Support)
    • Device Recovery (updated manually by Desktop Support)
    • Employee Offboarding and Role Change (updated manually by Service Desk)
    Version
    • Patch Deployment (updated automatically by ConfigMgr)

    Institute configuration control and configuration baselines where appropriate

    A baseline enables an assessment of one or more systems against the desired state and is useful for troubleshooting incidents or problems and validating changes and security settings.

    Baselines may be used by enterprise architects and system engineers for planning purposes, by developers to test their solution against production copies, by technicians to assess configuration drift that may be causing performance issues, and by change managers to assess and verify the configuration meets the target design.

    Configuration baselines are a snapshot of configuration records, displaying attributes and first-level relationships of the CIs. Standard configurations may be integral to the success of automated workflows, deployments, upgrades, and integrations, as well as prevention of security events. Comparing current CIs against their baselines will identify configuration drift, which could cause a variety of incidents. Configuration baselines are updated through change management processes.
    Configuration baselines can be used for a variety of use cases:

    • Version control – Management of software and hardware versions, https://dj5l3kginpy6f.cloudfront.net/blueprints/harness-configuration-management-superpowers-phases-1-4/builds, and releases.
    • Access control – Management of access to facilities, storage areas, and the CMS.
    • Deployment control – Take a baseline of CIs before performing a release so you can use this to check against actual deployment.
    • Identify accidental changes Everyone makes mistakes. If someone installs software on the wrong server or accidentally drops a table in a database, the CMS can alert IT of the unauthorized change (if the CI is included in configuration control).

    Info-Tech Insight

    Determine the appropriate method for evaluating and approving changes to baselines. Delegating this to the CCB every time may reduce agility, depending on volume. Discuss in CCB meetings.

    A decision tree for deploying requested changes.

    3.1.5 Institute configuration control and configuration baselines where appropriate

    Only baseline CIs and relationships that you want to control through change enablement.

    1. Determine criteria for capturing configuration baselines, including CI type, event, or processes.
    2. Identify who will use baselines and how they will use the data. Identify their needs.
    3. Identify CIs that will be out of scope and not have baselines created.
    4. Document requirements in the SOP.
    5. Ensure appropriate team members have training on how to create and capture baselines in the CMDB.
    6. Document in the Configuration Management Standard Operating Procedures, section 8.5: Establish and Maintain Configuration Baselines.
    Process Criteria Systems
    Change Enablement & Deployment All high-risk changes must have the baseline captured with version number to revert to stable version in the event of an unsuccessful change
    • Servers (physical and virtual)
    • Enterprise software
    • IaaS
    • Data centers
    Security Identify when configuration drift may impact risk mitigation strategies
    • Servers (physical and virtual)
    • Enterprise software
    • IaaS
    • Data centers
    Input

    Output

    • Discussion
    • Baseline configuration guidelines
    MaterialsParticipants
    • Configuration Management Standard Operating Procedures
    • Configuration control board
    • Configuration manager
    • Project sponsor
    • IT stakeholders

    Step 3.2

    Validate data within the CMDB

    Activities

    3.2.1 Build an audit plan and checklist

    This step will walk you through the following aspects of a configuration management system:

    • Data validation and audit

    This phase involves the following participants:

    • IT service owners
    • Enterprise architects
    • Practice owners and managers
    • SCM practice manager
    • Project manager
    • IT audit

    Outcomes of this step

    • Updates to processes for data validation
    • Plan for auditing and validating the data in the CMDB

    Audit and validate the CMDB

    Review the performance of the supporting technologies and processes to validate the accuracy of the CMDB.

    A screenshot of the CM Audit Plan.

    CM Audit Plan

    • CM policies
    • CM processes and procedures
    • Interfacing processes
    • Content within the CMDB

    "If the data in your CMDB isn't accurate, then it's worthless. If it's wrong or inaccurate, it's going to drive the wrong decisions. It's going to make IT worse, not better."
    – Valence Howden, Research Director, Info-Tech Research Group

    Ensure the supporting technology is working properly

    Does the information in the database accurately reflect reality?

    Perform functional tests during audits and as part of release management practices.

    Audit results need to have a clear status of "compliant," "noncompliant," or "compliant with conditions," and conditions need to be noted. The conditions will generally offer a quick win to improve a process, but don't use these audit results to quickly check off something as "done." Ensure the fix is useful and meaningful to the process.
    The audit should cover three areas:

    • Process: Are process requirements for the program well documented? Are the processes being followed? If there were updates to the process, were those updates to the process documented and communicated? Has behavior changed to suit those modified processes?
    • Physical: Physical configuration audits (PCAs) are audits conducted to verify that a configuration item, as built, conforms to the technical documentation that defines and describes it.
    • Functional: Functional configuration audits (FCAs) are audits conducted to verify that the development of a configuration item has been completed satisfactorily, the item has achieved the functional attributes specified in the functional or allocated baseline, and its technical documentation is complete and satisfactory.

    Build auditing and validation of processes whenever possible

    When technicians and analysts are working on a system, they should check to make sure the data about that system is correct. When they're working in the CMDB, they should check that the data they're working with is correct.

    More frequent audits, especially in the early days, may help move toward process adoption and resolving data quality issues. If audits are happening more frequently, the audits can include a smaller scope, though it's important to vary each one to ensure many different areas have been audited through the year.

    • Watch for data duplication from multiple discovery tools.
    • Review mapping to ensure all relevant CIs are attached to a product or service.
    • Ensure report data is logical.

    Ensure the supporting technology is working properly

    Does the information in the database accurately reflect reality?

    Perform functional tests during audits and as part of release management practices.

    Audit results need to have a clear status of "compliant," "noncompliant," or "compliant with conditions," and conditions need to be noted. The conditions will generally offer a quick win to improve a process, but don't use these audit results to quickly check off something as "done." Ensure the fix is useful and meaningful to the process.
    The audit should cover three areas:

    • Process: Are process requirements for the program well documented? Are the processes being followed? If there were updates to the process, were those updates to the process documented and communicated? Has behavior changed to suit those modified processes?
    • Physical: Physical configuration audits (PCAs) are audits conducted to verify that a configuration item, as built, conforms to the technical documentation that defines and describes it.
    • Functional: Functional configuration audits (FCAs) are audits conducted to verify that the development of a configuration item has been completed satisfactorily, the item has achieved the functional attributes specified in the functional or allocated baseline, and its technical documentation is complete and satisfactory.

    More frequent audits, especially in the early days, may help move toward process adoption and resolving data quality issues. If audits are happening more frequently, the audits can include a smaller scope, though it's important to vary each one to ensure many different areas have been audited through the year.

    • Watch for data duplication from multiple discovery tools.
    • Review mapping to ensure all relevant CIs are attached to a product or service.
    • Ensure report data is logical.

    Identify where processes break down and data is incorrect

    Once process stops working, data becomes less accurate and people find workarounds to solve their own data needs.

    Data within the CMDB often becomes incorrect or incomplete where human work breaks down

    • Investigate processes that are performed manually, including data entry.
    • Investigate if the process executors are performing these processes uniformly.
    • Determine if there are opportunities to automate or provide additional training.
    • Select a sample of the corresponding data in the CMS. Verify if the data is correct.

    Non-CCB personnel may not be completing processes fully or consistently

    • Identify where data in the CMS needs to be updated.
    • Identify whether the process practitioners are uniformly updating the CMS.
    • Discuss options for improving the process and driving consistency for data that will benefit the whole organization.

    Ensure that the data entered in the CMDB is correct

    • Confirm that there is no data duplication. Data duplication is very common when there are multiple discovery tools in your environment. Confirm that you have set up your tools properly to avoid duplication.
    • Build a process to respond to baseline divergence when people make changes without following change processes and when updates alter settings.
    • Audit the system for accuracy and completeness.

    3.2.1 Build an audit plan and checklist

    Use the audit to identify areas where processes are breaking down.

    Audits present you with the ability to address these pain points before they have greater negative impact.

    1. Identify which regulatory requirements and/or auditing bodies will be relevant to audit processes or findings.
    2. Determine frequency of practice audits and how they relate to internal audits or external audits.
    3. Determine audit scope, including requirements for data spot checks.
    4. Determine who will be responsible for conducting audits and validate this is consistent with the RACI chart.
    5. Record audit procedures in the Configuration Management Standard Operating Procedures section 8.6: Verify and Review the Quality of Information Through Auditing.
    6. Review the Configuration Management Audit and Validation Checklist and modify to suit your needs.

    Download the Configuration Management Audit and Validation Checklist

    Input

    Output

    • Discussion
    • Baseline configuration guidelines
    MaterialsParticipants
    • Configuration Management Standard Operating Procedures
    • Configuration control board
    • Configuration manager
    • Project sponsor
    • IT stakeholders

    Phase 4

    Service Configuration Roadmap

    StrategyData StructureProcessesRoadmap
    • Challenges and Goals
    • Use Cases and Data
    • Roles and Responsibilities
    • Services
    • Classifications
    • Data Modeling
    • Lifecycle Processes
    • Baselines
    • Audit and Data Validation
    • Metrics
    • Communications Plan
    • Roadmap

    This phase will walk you through the following aspect of a configuration management system:
    Roadmap
    This phase involves the following participants:

    • IT service owners
    • Enterprise architects
    • Practice owners and managers
    • SCM practice manager
    • SCM project manager

    Harness Service Configuration Management Superpowers

    Step 4.1

    Define measures of success

    Activities

    4.1.1 Identify key metrics to define configuration management success
    4.1.2 Brainstorm and record desired reports, dashboards, and analytics
    4.1.3 Build a configuration management policy

    This phase will walk you through the following aspects of a configuration management system:

    • Metrics
    • Policy

    This phase involves the following participants:

    • IT service owners
    • Enterprise architects
    • Practice owners and managers
    • SCM practice manager
    • SCM project manager

    The value of metrics can be found in IT efficiency increases

    When determining metrics for configuration management, be sure to separate metrics needed to gauge configuration management success and those that will use data from the CMDB to provide metrics on the success of other practices.

    • Metrics provide accurate indicators for IT and business decisions.
    • Metrics help you identify IT efficiencies and problems and solve issues before they become more serious.
    • Active metrics tracking makes root cause analysis of issues much easier.
    • Proper application of metrics helps IT services identification and prioritization.
    • Operational risks can be prevented by identifying and implementing metrics.
    • Metrics analysis increases the confidence of the executive team and ensures that IT is working well.

    A funnel is shown. The output is IT Performance. The inputs are: Service Desk Metrics; Incident Metrics; Asset Mgmt. Metrics; Release Mgmt. Metrics; Change Mgmt. Metrics; Infra. Metrics

    4.1.1 Identify key metrics to define configuration management success

    Determine what metrics are specifically related to the practice and how and when metrics will be accessed.

    Success factors

    Key metrics

    Source

    Product and service configuration data is relevant

    • Stakeholder satisfaction with data access, accuracy, and usability
    • Stakeholder satisfaction with service configuration management interface, procedures, and reports

    Stakeholder discussions

    • Number of bad decisions made due to incorrect or insufficient data
    • Impact of bad decisions made due to incorrect or insufficient data

    Process owner discussions

    • Number and impact of data identified as incorrect
    • % of CMDB data verified over the period

    CMDB

    Cost and effort are continually optimized

    • Effort devoted to service configuration management
    • Cost of tools directly related to the process

    Resource management or scheduling

    ERP

    Progress reporting

    • Communication execution
    • Process
    • Communications and feedback

    Communications team and stakeholder discussions

    Data – How many products are in the CMDB and are fully and accurately discovered and mapped?

    CMDB

    Ability to meet milestones on time and with appropriate quality

    Project team

    Document metrics in the Configuration Management Standard Operating Procedures, section 7: Success Metrics

    Use performance metrics to identify areas to improve service management processes using CMDB data

    Metrics can indicate a problem with service management processes but cannot provide a clear path to a solution on their own.

    • The biggest challenge is defining and measuring the process and people side of the equation.
    • Expected performance may also need to be compared to actual performance in planning, budgeting, and improvements.
    • The analysis will need to include critical success factors (CSFs), data collection procedures, office routines, engineering practices, and flow diagrams including workflows and key relationships.
    • External benchmarking may also prove useful in identifying how similar organizations are managing aspects of their infrastructure, processing transactions/requests, or staffing. If using external benchmarking for actual process comparisons, clearly defining your internal processes first will make the data collection process smoother and more informative.

    Info-Tech Insight

    Using a service framework such as ITIL, COBIT, or ISO 20000 may make this job easier, and subscribing to benchmarking partners will provide some of the external data needed for comparison.

    4.1.2 Brainstorm and record desired reports, dashboards, and analytics with related practices

    The project team will use this list as a starting point

    Allot 45 minutes for this discussion.

    1. Create a table for each service or business capability.
      1. Have one column for each way of consuming data: reports, dashboards, and ad hoc analytics.
      2. Have one row for each stakeholder group that will consume the information.
    2. Use the challenges and use cases to brainstorm reports, dashboards, and ad hoc analytic capabilities that each stakeholder group will find useful.
    3. Record these results in your Configuration Management Standard Operating Procedures, section 7: Aligned Processes' Desired Analytical Capabilities.
    Stakeholder Groups Reports Dashboards
    Change Management
    • CI changes executed without an RFC
    • RFCs grouped by service
    • Potential collisions in upcoming changes
    Security
    • Configuration changes that no longer match the baseline
    • New configuration items discovered
    Finance
    • Service-based costs
    • Service consumption by department

    Download the blueprint Take Control of Infrastructure and Operations Metrics to create a complete metrics program.

    Create a configuration management policy and communicate it

    Policies are important documents to provide definitive guidelines and clarity around data collection and use, process adherence, and controls.

    • A configuration management policy will apply to IT as the audience, and participants in the program will largely be technical.
    • Business users will benefit from a great configuration management program but will not participate directly.
    • The policy will include objectives and scope, use of data, security and integrity of data, data models and criteria, and baseline configurations.
    • Several governing regulations and practices may intersect with configuration management, such as ITIL, COBIT, and NIST frameworks, as well as change enablement, quality management, asset management, and more.
    • As the policy is written, review processes to ensure policies and processes are aligned. The policy should enable processes, and it may require modifications if it hinders the collection, security, or use of data required to meet proposed use cases.
    • Once the policy is written and approved, ensure all stakeholders understand the importance, context, and repercussions of the policy.

    The approvals process is about appropriate oversight of the drafted policies. For example:

    • Do the policies satisfy compliance and regulatory requirements?
    • Do the policies work with the corporate culture?
    • Do the policies address the underlying need?

    If the draft is approved:

    • Set the effective date and a review date.
    • Begin communication, training, and implementation.

    Employees must know that there are new policies and understand the steps they must take to comply with the policies in their work.

    Employees must be able to interpret, understand, and know how to act upon the information they find in the policies.

    Employees must be informed on where to get help or ask questions and who to request policy exceptions from.

    If the draft is rejected:

    • Acquire feedback and make revisions.
    • Resubmit for approval.

    4.1.3 Build a configuration management policy

    This policy provides the foundation for configuration control.

    Use this template as a starting point.

    The Configuration Management Policy provides the foundation for a configuration control board and the use of configuration baselines.
    Instructions:

    1. Review and modify the policy statements. Ensure that the policy statements reflect your organization and the expectations you wish to set.
    2. If you don't have a CCB: The specified responsibilities can usually be assigned to either the configuration manager or the governing body for change enablement.
    3. Determine if you should apply this policy beyond SCM. As written, this policy may provide a good starting point for practices such as:
      • Secure baseline configuration management
      • Software configuration management

    Two screenshots from the Configuration Management Policy template

    Download the Configuration Management Policy template

    Step 4.2

    Build communications and a roadmap

    Activities

    4.2.1 Build a communications plan
    4.2.2 Identify milestones

    This phase will walk you through the following aspects of a configuration management system:

    • Communications plan
    • Roadmap

    This phase involves the following participants:

    • IT service owners
    • Enterprise architects
    • Practice owners and managers
    • SCM practice manager
    • SCM project manager

    Outcomes of this step

    • Documented expectations around configuration control
    • Roadmap and action items for the SCM project

    Do not discount the benefits of a great communications plan as part of change management

    Many configuration management projects have failed due to lack of organizational commitment and inadequate communications.

    • Start at the top to ensure stakeholder buy-in by verifying alignment and use cases. Without a committed project sponsor who believes in the value of configuration management, it will be difficult to draw the IT team into the vision.
    • Clearly articulate the vision, strategy, and goals to all stakeholders. Ensure the team understands why these changes are happening, why they are happening now, and what outcomes you hope to achieve.
    • Gain support from technical teams by clearly expressing organizational and departmental benefits – they need to know "what's in it for me."
    • Clearly communicate new responsibilities and obligations and put a feedback process in place to hear concerns, mitigate risk, and act on opportunities for improvement. Be prepared to answer questions as this practice is rolled out.
    • Be consistent in your messaging. Mixed messages can easily derail progress.
    • Communicate to the business how these efforts will benefit the organization.
    • Share documents built in this blueprint or workshop with your technical teams to ensure they have a clear picture of the entire configuration management practice.
    • Share your measures and view of success and communicate wins throughout building the practice.

    30%

    When people are truly invested in change, it is 30% more likely to stick.
    McKinsey

    82%

    of CEOs identify organizational change management as a priority.
    D&B Consulting

    6X

    Initiatives with excellent change management are six times more likely to meet objectives than those with poor change management.
    Prosci

    For a more detailed program, see Drive Technology Adoption

    Formulate a communications plan to ensure all stakeholders and impacted staff will be aware of the plan

    Communication is key to success in process adoption and in identifying potential risks and issues with integration with other processes. Engage as often as needed to get the information you need for the project and for adoption.

    Identify Messages

    Distinct information that needs to be sent at various times. Think about:

    • Who will be impacted and how.
    • What the goals are for the project/new process.
    • What the audience needs to know about the new process and how they will interface with each business unit.
    • How people can request configuration data.

    Identify Audiences

    Any person or group who will be the target of the communication. This may include:

    • Project sponsors and stakeholders.
    • IT staff who will be involved in the project.
    • IT staff who will be impacted by the project (i.e. who will benefit from it or have obligations to fulfill because of it).
    • Business sponsors and product owners.

    Document and Track

    Document messaging, medium, and responsibility, working with the communications team to refine messages before executing.

    • Identify where people can send questions and feedback to ensure they have the information they need to make or accept the changes.
    • Document Q&A and share in a central location.

    Determine Timing

    Successful communications plans consider timing of various messages:

    • Advanced high-level notice of improvements for those who need to see action.
    • Advanced detailed notice for those who will be impacted by workload.
    • Advanced notice for who will be impacted (i.e. who will benefit from it or have obligations to fulfill because of it) once the project is ready to be transitioned to daily life.

    Determine Delivery

    Work with your communications team, if you have one, to determine the best medium, such as:

    • Meeting announcement for stakeholders and IT.
    • Newsletter for those less impacted.
    • Intranet announcements: "coming soon!"
    • Demonstrations with vendors or project team.

    4.2.1 Build a communications plan

    The communications team will use this list as a starting point.

    Allot 45 minutes for this discussion.

    Identify stakeholders.

    1. Identify everyone who will be affected by the project and by configuration management.

    Craft key messages tailored to each stakeholder group.

    1. Identify the key messages that must be communicated to each group.

    Finalize the communication plan.

    1. Determine the most appropriate timing for communications with each group to maximize receptivity.
    2. Identify any communication challenges you anticipate and incorporate steps to address them into your communication plan.
    3. Identify multiple methods for getting the messages out (e.g. newsletters, emails, meetings).
    1. Identify how feedback will be collected (i.e. through interviews or surveys) to measure whether the changes were communicated well.
    Audience Message Medium Timing Feedback Mechanism
    Configuration Management Team Communicate all key processes, procedures, policies, roles, and responsibilities In-person meetings and email communications Weekly meetings Informal feedback during weekly meetings
    Input

    Output

    • Discussion
    • Rough draft of messaging for communications team
    MaterialsParticipants
    • Project plan
    • Configuration manager
    • Project sponsor
    • IT director
    • Communications team

    Build a realistic, high-level roadmap including milestones

    Break the work into manageable pieces

    1. Plan to have multiple phases with short-, medium-, and long-term goals/timeframes. Building a CMDB is not easy and should be broken into manageable sections.
    2. Set reasonable milestones. For each phase, document goals to define "done" and ensure they're reasonable for the resources you have available. If working with a vendor, include them in your discussions of what's realistic.
    3. Treat the first phase as a pilot. Focus on items you understand well:
      1. Well-understood user-facing and IT services
      2. High-maturity management and governance practices
      3. Trusted data sources
    4. Capture high-value, high-criticality services early. Depending on the complexity of your systems, you may need to split this phase into multiple phases.

    Document this table in the Configuration Management Project Charter, section 3.0: Milestones

    Timeline/Owner Milestone/Deliverable Details
    First four weeks Milestone: Plan defined and validated with ITSM installation vendor Define processes for intake, maintenance, and retirement.
    Rebecca Roberts Process documentation written, approved, and ready to communicate Review CI categories

    4.2.2 Identify milestones

    Build out a high-level view to inform the project plan

    Open the Configuration Management Project Charter, section 3: Milestones.
    Instructions:

    1. Identify high-level milestones for the implementation of the configuration management program. This may include tool evaluation and implementation, assignment of roles, etc.
    2. Add details to fill out the milestone, keeping to a reasonable level of detail. This may inform vendor discussion or further development of the project plan.
    3. Add target dates to the milestones. Validate they are realistic with the team.
    4. Add notes to the assumptions and constraints section.
    5. Identify risks to the plan.

    Two Screenshots from the Configuration Management Project Charter

    Download the Configuration Management Project Charter

    Workshop Participants

    R = Recommended
    O = Optional

    Participants Day 1 Day 2 Day 3 Day 4
    Configuration Management Strategy CMDB Data Structure Processes Communications & Roadmap
    Morning Afternoon Morning Afternoon Morning Afternoon Morning Afternoon
    Head of IT R O
    Project Sponsor R R O O O O O O
    Infrastructure, Enterprise Apps Leaders R R O O O O O O
    Service Manager R R O O O O O O
    Configuration Manager R R R R R R R R
    Project Manager R R R R R R R R
    Representatives From Network, Compute, Storage, Desktop R R R R R R R R
    Enterprise Architecture R R R R O O O O
    Owner of Change Management/Change Control/Change Enablement R R R R R R R R
    Owner of In-Scope Apps, Use Cases R R R R R R R R
    Asset Manager R R R R R R R R

    Related Info-Tech Research

    Research Contributors and Experts

    Thank you to everyone who contributed to this publication

    Brett Johnson, Senior Consultant, VMware

    Yev Khovrenkov, Senior Consultant, Solvera Solutions

    Larry Marks, Reviewer, ISACA New Jersey

    Darin Ohde, Director of Service Delivery, GreatAmerica Financial Services

    Jim Slick, President/CEO, Slick Cyber Systems

    Emily Walker, Sr. Digital Solution Consultant, ServiceNow

    Valence Howden, Principal Research Director, Info-Tech Research Group

    Allison Kinnaird, Practice Lead, IT Operations, Info-Tech Research Group

    Robert Dang, Principal Research Advisor, Security, Info-Tech Research Group

    Monica Braun, Research Director, IT Finance, Info-Tech Research Group

    Jennifer Perrier, Principal Research Director, IT Finance, Info-Tech Research Group

    Plus 13 anonymous contributors

    Bibliography

    An Introduction to Change Management, Prosci, Nov. 2019.
    BAI10 Manage Configuration Audit Program. ISACA, 2014.
    Bizo, Daniel, et al, "Uptime Institute Global Data Center Survey 2021." Uptime Institute, 1 Sept. 2021.
    Brown, Deborah. "Change Management: Some Statistics." D&B Consulting Inc. May 15, 2014. Accessed June 14, 2016.
    Cabinet Office. ITIL Service Transition. The Stationery Office, 2011.
    "COBIT 2019: Management and Governance Objectives. ISACA, 2018.
    "Configuration Management Assessment." CMStat, n.d. Accessed 5 Oct. 2022.
    "Configuration Management Database Foundation." DMTF, 2018. Accessed 1 Feb. 2021.
    Configuration Management Using COBIT 5. ISACA, 2013.
    "Configuring Service Manager." Product Documentation, Ivanti, 2021. Accessed 9 Feb. 2021.
    "Challenges of Implementing configuration management." CMStat, n.d. Accessed 5 Oct. 2022.
    "Determining if configuration management and change control are under management control, part 1." CMStat, n.d. Accessed 5 Oct. 2022.
    "Determining if configuration management and change control are under management control, part 2." CMStat, n.d. Accessed 5 Oct. 2022.
    "Determining if configuration management and change control are under management control, part 3." CMStat, n.d. Accessed 5 Oct. 2022.
    "CSDM: The Recipe for Success." Data Content Manager, Qualdatrix Ltd. 2022. Web.
    Drogseth, Dennis, et al., 2015, CMDB Systems: Making Change Work in the Age of Cloud and Agile. Morgan Kaufman.
    Ewenstein, B, et al. "Changing Change Management." McKinsey & Company, 1 July 2015. Web.
    Farrell, Karen. "VIEWPOINT: Focus on CMDB Leadership." BMC Software, 1 May 2006. Web.
    "How to Eliminate the No. 1 Cause of Network Downtime." SolarWinds, 4 April 2014. Accessed 9 Feb. 2021.
    "ISO 10007:2017: Quality Management -- Guidelines for Configuration Management." International Organization for Standardization, 2019.
    "IT Operations Management." Product Documentation, ServiceNow, version Quebec, 2021. Accessed 9 Feb. 2021.
    Johnson, Elsbeth. "How to Communicate Clearly During Organizational Change." Harvard Business Review, 13 June 2017. Web.
    Kloeckner, K. et al. Transforming the IT Services Lifecycle with AI Technologies. Springer, 2018.
    Klosterboer, L. Implementing ITIL Configuration Management. IBM Press, 2008.
    Norfolk, D., and S. Lacy. Configuration Management: Expert Guidance for IT Service Managers and Practitioners. BCS Learning & Development Limited, revised ed., Jan. 2014.
    Painarkar, Mandaar. "Overview of the Common Data Model." BMC Documentation, 2015. Accessed 1 Feb. 2021.
    Powers, Larry, and Ketil Been. "The Value of Organizational Change Management." Boxley Group, 2014. Accessed June 14, 2016.
    "Pulse of the Profession: Enabling Organizational Change Throughout Strategic Initiatives." PMI, March 2014. Accessed June 14, 2016.
    "Service Configuration Management, ITIL 4 Practice Guide." AXELOS Global Best Practice, 2020
    "The Guide to Managing Configuration Drift." UpGuard, 2017.

    Don't try this at home

    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A

    Brilliant little and very amusing way to deal with a scammer.

    But do not copy this method as it will actually reveal quite a bit and confirm that your email is valid and active.

    Click to watch Joe Lycett

     

    Enterprise Storage Solution Considerations

    • Buy Link or Shortcode: {j2store}507|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Storage & Backup Optimization
    • Parent Category Link: /storage-and-backup-optimization
    • Enterprise storage technology and options are challenging to understand.
    • There are so many options. How do you decide what the best solution is for your storage challenge??
    • Where do you start when trying to solve your enterprise storage challenge?

    Our Advice

    Critical Insight

    Take the time to understand the various data storage formats, disk types, and associated technology, as well as the cloud-based and on-premises options. This will help you select the right tool for your needs.

    Impact and Result

    Look to existing use cases based on actual Info-Tech analyst calls to help in your decision-making process.

    Enterprise Storage Solution Considerations Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Enterprise Storage Solution Considerations – Narrow your focus with the right product type and realize efficiencies.

    Explore the building blocks of enterprise storage so you can select the best solution, narrow your focus with the correct product type, explore the features that should be considered when evaluating enterprise storage offerings, and examine use cases based on actual Info-Tech analyst calls to find a storage solution for your situation.

    • Enterprise Storage Solution Considerations Storyboard

    2. Modernize Enterprise Storage Workbook – Understand your data requirements.

    The first step in solving your enterprise storage challenge is identifying your data sources, data volumes, and growth rates. This information will give you insight into what data sources could be stored on premises or in the cloud, how much storage you will require for the coming five to ten years, and what to consider when exploring enterprise storage solutions. This tool can be a valuable asset for determining your current storage drivers and future storage needs, structuring a plan for future storage purchases, and determining timelines and total cost of ownership.

    • Modernize Enterprise Storage Workbook
    [infographic]

    Further reading

    Enterprise Storage Solution Considerations

    Narrow your focus with the right product type and realize efficiencies.

    Analyst Perspective

    The vendor landscape is continually evolving, as are the solutions they offer. The options and features are increasing and appealing.

    The image contains a picture of P.J. Ryan.

    To say that the current enterprise storage landscape looks interesting would be an understatement. The solutions offered by vendors continue to grow and evolve. Flash and NVMe are increasing the speed of storage media and reducing latency. Software-defined storage is finding the most efficient use of media to store data where it is best served while managing a variety of vendor storage and older storage area networks and network-attached storage devices.

    Storage as a service is taking on a new meaning with creative solutions that let you keep the storage appliance on premises or in a colocated data center while administration, management, and support are performed by the vendor for a nominal monthly fee.

    We cannot discuss enterprise storage without mentioning the cloud. Bring a thermometer because you must understand the difference between hot, warm, and cold storage when discussing the cloud options. Very hot and very cold may also come into play.

    Storage hardware can assume a higher total cost of ownership with support options that replace the controllers on a regular basis. The options with this type of service are also varied, but the concept of not having to replace all disks and chassis nor go through a data migration is very appealing to many companies.

    The cloud is growing in popularity when it comes to enterprise storage, but on-premises solutions are still in demand, and whether you choose cloud or on premises, you can be guaranteed an array of features and options to add stability, security, and efficiency to your enterprise storage.

    P.J. Ryan
    Research Director, Infrastructure & Operations
    Info-Tech Research Group

    Executive Summary

    Info-Tech Insight

    The vendor landscape is continually evolving, as are the solutions they offer.

    Storage providers are getting acquired by bigger players, “outside the box” thinking is disrupting the storage support marketplace, “as a service” storage offerings are evolving, and what is a data lake and do I need one? The traditional storage vendors are not alone in the market, and the solutions they offer are no longer traditional either. Explore the landscape and understand your options before you make any enterprise storage solution purchases.

    Understand the building blocks of storage so you can select the best solution.

    There are multiple storage formats for data, along with multiple hardware form factors and disk types to hold those various data formats. Software plays a significant role in many of these storage solutions, and cloud offerings take advantage of all the various formats, form factors, and disks. The challenge is matching your data type with the correct storage format and solution.

    Look to existing use cases to help in your decision-making process.

    Explore previous experiences from others by reading use cases to determine what the best solution is for your challenge. You’re probably not the first to encounter the challenge you’re facing. Another organization may have previously reached out for assistance and found a viable solution that may be just what you also need.

    Enterprise storage has evolved, with more options than ever

    Data is growing, data security will always be a concern, and vendors are providing more and more options for enterprise storage.

    “By 2025, it’s estimated that 463 exabytes of data will be created each day globally – that’s the equivalent of 212,765,957 DVDs per day!” (Visual Capitalist)

    “Modern criminal groups target not only endpoints and servers, but also central storage systems and their backup infrastructure.” (Continuity Software)

    Cloud or on premises? Maybe a hybrid approach with both cloud and on premises is best for you. Do you want to remove the headaches of storage administration, management, and support with a fully managed storage-as-a-service solution? Would you like to upgrade your controllers every three or four years without a major service interruption? The options are increasing and appealing.

    High-Level Considerations

    1. Understand Your Data

    Understand how much data you have and where it is located. This will be crucial when evaluating enterprise storage solutions.

    2. Plan for Growth

    Your enterprise storage considerations should include your data needs now and in the future.

    3. Understand the Mechanics

    Take the time to understand the various data storage formats, disk types, and associated technology, as well as the cloud-based and on-premises options. This will help you select the right tool for your needs.

    Storage formats, disk drives, and technology

    Common data storage formats, technology, and drive types are outlined below. Understanding how data is stored as well as the core building blocks for larger systems will help you decide which solution is best for your storage needs.

    Format

    What it is

    Disk Drives and Technology

    File Storage

    File storage is hierarchical storage that uses files, folders, subfolders, and directories. You enter a specific filename and path to access the file, such as P:\users\johndoe\strategy\cloud.doc. If you ever saved a file on a server, you used file storage. File storage is usually managed by some type of file manager, such as File Explorer in Windows. Network-attached storage (NAS) devices use file storage.

    Hard Disk Drives (HDD)

    HDD use a platter of spinning disks to magnetically store data. The disks are thick enough to make them rigid and are referred to as hard disks.

    HDD is older technology but is still in demand and offered by vendors.

    Object Storage

    Object storage is when data is broken into distinct units, called objects. These objects are stored in a flat, non-hierarchical structure in a single location or repository. Each object is identified by its associated ID and metadata. Objects are accessed by an application programming interface (API).

    Flash

    Flash storage uses flash memory chips to store data. The flash memory chips are written with electricity and contain no moving parts. Flash storage is very fast, which is how the technology got its name (“Flash vs. SSD Storage,” Enterprise Storage Forum, 2018).

    Block Storage

    Block storage is when data is divided up into fixed-size blocks and stored with a unique identifier. Blocks can be stored in different environments, such as Windows or Linux. Storage area networks (SANs) use block storage.

    Solid-State Drive (SSD)

    SSD is a storage mechanism that also does not use any moving parts. Most SSD drives use flash storage, but other options are available for SSD.

    Nonvolatile Memory Express (NVMe)

    NVMe is a communications standard developed specially for SSDs by a consortium of vendors including Intel, Samsung, SanDisk, Dell, and Seagate. It operates across the PCIe bus (hence the “Express” in the name), which allows the drives to act more like the fast memory that they are rather than the hard disks they imitate (PCWorld).

    Narrow your focus with the right product type

    On-premises enterprise storage solutions fit into a few distinct product types.

    Network-Attached Storage

    Storage Area Network

    Software-Defined Storage

    Hyperconverged Infrastructure

    NAS refers to a storage device that is connected directly to your network. Any user or device with access to your network can access the available storage provided by the NAS. NAS storage is easily scalable and can add data redundancy through RAID technology. NAS uses the file storage format.

    NAS storage may or may not be the first choice in terms of enterprise storage, but it does have a solid market appeal as an on-premises primary backup storage solution.

    A SAN is a dedicated network of pooled storage devices. The dedicated network, separate from the regular network, provides high speed and scalability without concern for the regular network traffic. SANs use block storage format and can be divided into logical units that can be shared between servers or segregated from other servers. SANs can be accessed by multiple servers and systems at the same time. SANs are scalable and offer high availability and redundancy through RAID technology.

    SANs can use a variety of disk types and sizes and are quite common among on-premises storage solutions.

    “Software-defined storage (SDS) is a storage architecture that separates storage software from its hardware. Unlike traditional network-attached storage (NAS) or storage area network (SAN) systems, SDS is generally designed to perform on any industry-standard or x86 system, removing the software’s dependence on proprietary hardware.” (RedHat)

    SDS uses software-based policies and rules to grow and protect storage attached to applications.

    SDS allows you to use server-based storage products to add management, protection, and better usage.

    Hyperconverged storage uses virtualization and software-defined storage to combine the storage, compute, and network resources along with a hypervisor into one appliance.

    Hyperconverged storage can scale out by adding more nodes or appliances, but scaling up, or adding more resources to each appliance, can have limitations. There is flexibility as hyperconverged storage can work with most network and compute manufacturers.

    Cloud storage

    • Cloud storage is online storage offered by a cloud provider. Cloud storage is available almost anywhere and is set up with high availability features such as data duplication, redundancy, backup, and power failure protection.
    • Cloud storage is very scalable and typically is offered as object storage, block storage, or file storage. Cloud storage vendors may have their own naming scheme for object, block, or file storage.
    • Cloud-hosted data is marketed according to the frequency of access and length of time in storage. There are typically three main levels of storage: hot, warm, or cold. Vendors may have their own naming convention for hot, warm, and cold storage. Some may also add more layers such as very hot or very cold.
      • Hot storage is for data that is frequently accessed and modified. It is available on demand and is the most costly of the storage levels.
      • Cold storage is for data that will sit for a long period of time and not need to be accessed. Cold storage is usually only available after several hours or days. Cold storage is very low cost and, in some cases, even free, but retrieval or restoration for the free services can be costly.
      • Warm storage sits in between hot and cold storage. It is for data that is infrequently needed. The cost of warm storage is also in between hot and cold storage costs, and access times are measured in terms of minutes or hours.
      • It is not uncommon for data to start in hot storage and, as it ages, move to warm and eventually cold storage.

    “Enterprise cloud storage offers nearly unlimited scalability. Enterprises can add storage quickly and easily as it is needed, eliminating the risk and cost of over-provisioning.”

    – Spectrum Enterprise

    “Hot data will operate on fresh data. Cold data will operate on less frequent data and [is] used mainly for reporting and planning. Warm data is a balance between the two.”

    – TechBlost

    Enterprise storage features

    The features listed below, while not intended to cover all features offered by all vendors, should be considered and could act as a baseline for discussions with storage providers when evaluating enterprise storage offerings.

    • Scalability
      • What are the options to expand, and how easy or difficult it is to expand capacity in the future?
    • Security
      • Does the solution offer data encryption options as well as ransomware protections?
    • Integration options
      • Can the solution support seamless connectivity with other solutions and applications, such as cloud-based storage or backup software?
    • Storage reduction
      • Does the solution offer space-reduction options such as deduplication or data compression?
    • Replication
      • Does the solution offer replication options such as device to device on premises, device to device when geographically separated, device to cloud, or a combination of these scenarios?
    • Performance
      • “Enterprise storage systems have two main ‘speed’ measurements: throughput and IOPS. Throughput is the data transfer rate to and from storage media, measured in bytes per second; IOPS measures the number of reads and writes – input/output (I/O) operations – per second.” (Computer Weekly)
    • Protocol support
      • Does the solution support object-based, block-based, and file-based storage protocols?
    • Storage Efficiency
      • How efficient is the solution? Can they prove it?
      • Storage efficiencies must be available and baselined.
    • Management platform
      • A management/reporting platform should be a component included in the system.
    • Multi-parity
      • Does the solution offer multi-level block “parity” for RAID 6 protection equivalency, which would allow for the simultaneous failure of two disks?
    • Proactive support
      • Features such as call home, dial in, or remote support must be available on the system.
    • Financial considerations
      • The cost is always a concern, but are there subscription-based or “as-a-service” options?
      • Internally, is it better for this expenditure to be a capital expenditure or an ongoing operating expense?

    What’s new in enterprise storage

    • Data warehouses are not a new concept, but the data storage evolution and growth of data means that data lakes and data lakehouses are growing in popularity.
      • “A data lake is a centralized repository that allows you to store all your structured and unstructured data at any scale. You can store your data as-is, without having to first structure the data” (Amazon Web Services).
      • Analytics with a data lake is possible, but manipulation of the data is hindered due to the nature of the data. A data lakehouse adds data management and analytics to a data lake, similar to the data warehouse functionality added to databases.
    • Options for on-premises hardware support is changing.
      • Pure Storage was the first to shake up the SAN support model with its Evergreen support option. Evergreen//Forever support allows for storage controller upgrades without having to migrate data or replace your disks or chassis (Pure Storage).
      • In response to the Pure Storage Evergreen offering, Dell, HPE, NetApp, and others have come out with similar programs that offer controller upgrades while maintaining the data, disks, and chassis.
    • “As a service” is available as a hybrid solution.
      • Storage as a service (STaaS) originally referred to hosted, fully cloud-based offerings without the need for any on-premises hardware.
      • The latest STaaS offerings provide on-premises or colocated hardware with pay-as-you-go subscription pricing for data consumption. Administration, management, and support are included. The vendor will supply support and manage everything on your behalf.
      • Most of the major storage vendors offer a variation of storage as a service.

    “Because data lakes mostly consist of raw unprocessed data, a data scientist with specialized expertise is typically needed to manipulate and translate the data.”

    – DevIQ

    “A Lakehouse is also a type of centralized data repository, integrated from heterogeneous sources. As can be expected from its name, It shares features with both datawarehouses and data lakes.”

    – Cesare

    “Storage as a service (STaaS) eliminates Capex, simplifies management and offers extensive flexibility.”

    – TechTarget

    Major vendors

    The current vendor landscape for enterprise storage solutions represents a range of industry veterans and the brands they’ve aggregated along the way, as well as some relative newcomers who have come to the forefront within the past ten years.

    Vendors like Dell EMC and HPE are longstanding veterans of storage appliances with established offerings and a back catalogue of acquisitions fueling their growth. Others such as Pure Storage offer creative solutions like all-flash arrays, which are becoming more and more appealing as flash storage becomes more commoditized.

    Cloud-based vendors have become popular options in recent years. Cloud storage provides many options and has attracted many other vendors to provide a cloud option in addition to their on-premises solutions. Some software and hardware vendors also partner with cloud vendors to offer a complete solution that includes storage.

    Info-Tech Insight

    Explore your current vendor’s solutions as a starting point, then use that understanding as a reference point to dive into other players in the market

    Key Players

    • Amazon
    • Cisco
    • Dell EMC
    • Google
    • Hewlett Packard Enterprise
    • Hitachi Vantara
    • IBM
    • Microsoft
    • NetApp
    • Nutanix
    • Pure Storage

    Enterprise Storage Use Cases

    Block, object, or file storage? NAS, SAN, SDS, or HCI? Cloud or on prem? Hot, warm, or cold?
    Which one do you choose?
    The following use cases based on actual Info-Tech analyst calls may help you decide.

    1. Offsite backup solution
    2. Infrastructure consolidation
    3. DR/BCP datacenter duplication
    4. Expansion of existing storage
    5. Complete backup solution
    6. Existing storage solution going out of support soon
    7. Video storage
    8. Classify and offload storage

    Offsite backup solution

    “Offsite” may make you think of geographical separation or even cloud-based storage, but what is the best option and why?

    Use Case: How a manufacturing company dealt with retired applications

    • A leading manufacturing company had to preserve older applications no longer in use.
    • The company had completed several acquisitions and ended up with multiple legacy applications that had been merged or migrated into replacement solutions. These legacy applications were very important to the original companies, and although the data they held had been migrated to a replacement solution, executives felt they should hold on to these applications for a period of time, just in case.
    • A modern archiving solution was considered, but a research advisor from Info-Tech Research joined a call with the manufacturing company and helped the client realize that the solution was a modified backup. The application data had already been preserved through the migration, so data could be accessed in the production environment.
    • The data could be exported from the legacy application into a nonsequential database, compressed, and stored in cloud-based cold storage for less than $5 per terabyte per month. The manufacturing company staff realized that they could apply this same approach to several of their legacy applications and save tens of thousands of dollars in the process.
    • Cold storage is inexpensive until you start retrieving that data frequently. The manufacturing company knew they did not have a requirement to retrieve the application and data for a very long time, so cloud-based cold storage was ideal.

    “Data retrieval from cold storage is harder and slower than it is from hot storage. … Because of the longer retrieval time, online cold storage plans are often much cheaper. … The downside is that you’d incur additional costs when retrieving the data.”

    – Ben Stockton, Cloudwards

    Infrastructure consolidation

    Hyperconverged infrastructure combines storage, virtual infrastructure, and associated management into one piece of equipment.

    Use Case: How one company dealt with equipment and storage needs

    • One Info-Tech client had recently started in the role of IT director and realized he had inherited aging infrastructure along with a serious data challenge. The storage appliances were old and out of support. The appliances were performing inadequately, and the client was in need of more data due to ongoing growth, but he also realized that the virtual environment was running on very old servers that were no longer supported. The IT director reached out to Info-Tech to find solutions to the virtualization challenge, but the storage problem also came up throughout the course of the conversation with an analyst.
    • The analyst quickly realized that the IT director was an ideal candidate for a hyperconverged infrastructure (HCI) storage solution, which would also provide the necessary virtual environment.
    • The analyst explained the benefits of having a single appliance that would provide virtualization needs as well as storage needs. The built-in management features would ease the burden of administration, and the software-defined nature of the HCI would allow for the migration of data as well as future expansion options.
    • Hyperconverged infrastructure is offered by many vendors under a variety of names. Most are similar but some may have a better interface or other features. The expansion process is simple, and HCI is a good fit for many organizations looking to consolidate virtual infrastructure and storage.

    “HCI environments use a hypervisor, usually running on a server that uses direct-attached storage (DAS), to create a data center pool of systems and resources.”

    – Samuel Greengard, Datamation

    Datacenter duplication

    SAN providers offer a varied range of options for their products, and those options are constantly evolving.

    Use Case: Independent school district provides better data access using SAN technology

    • An independent school district was expanding by adding a second data center in a new school. This new data center would be approximately 20 miles away from the original data center used by the district. The intent was not to replace the original data center but to use both centers to store data and provide services concurrently. The district’s ideal scenario would be that users would not know or care which data center they were reaching, and there would be no difference in the service received from each data center. The school district reached out to Info-Tech when planning discussions reached the topic of data duplication and replication software.
    • An Info-Tech analyst joined a call with the school district and guided the conversation toward the existing environment to understand what options might be available. The analyst quickly discovered that all the district’s servers were virtual, and all associated data was stored on a single SAN.
    • The analyst informed the school district staff about SAN options, including SAN-to-SAN replication. If the school district had a sufficient link between the two data centers, SAN-to-SAN replication would work for them and provide the two identical copies of data at two locations.
    • The analyst continued to offer explanations of other features that some vendors offer with their SANs, such as the ability to turn on or off deduplication and compression, as well as disk options such as flash or NVMe.
    • The school district was moving to the request for proposal (RFP) stage but hoped to have SAN-to-SAN replication implemented before the next academic year started.

    “SAN-to-SAN replication is a low-cost, highly efficient way to manage mounting quantities of stored data.”

    – Secure Infrastructure & Services

    Expansion of existing storage

    That old storage area network may still have some useful life left in it.

    Use Case: Municipality solves data storage aging and growth challenge

    • A municipality in the United States reached out to Info-Tech for guidance on its storage challenge. The municipality had accumulated multiple SANs from different vendors over the years. These SANs were running out of storage, and more data storage was needed. The municipality’s data was growing at a rapid pace, thanks to municipal growth and expansion of services. The IT team was also concerned with modernizing their storage and not hindering their long-term growth by making the wrong purchase decision for their current storage needs.
    • An analyst from Info-Tech discussed several options with the municipality but in the end advised that software-defined storage may be the best solution.
    • Software-defined storage (SDS) would allow the municipality to gain better visibility into existing storage while making more efficient use of existing and new storage. SDS could take over the management of the existing storage from multiple vendors and add additional storage as required. SDS would also be able to integrate cloud-based storage if that was the direction taken by the municipality in the future.
    • The municipality moved forward with an SDS solution and added some additional storage capacity. They used some of their existing SANs but retired the more troublesome ones. The SDS system managed all the storage instances and data management. The administration of the storage environment was easier for the storage admins, and long-term savings were achieved through better storage management.

    “Often enterprises have added storage on an ad hoc basis as they needed it for various applications. That can result in a mishmash of heterogenous storage hardware from a wide variety of vendors. SDS offers the ability to unify management of these different storage devices, allowing IT to be more efficient.”

    – Cynthia Harvey, Enterprise Storage Forum (“What Is Software Defined Storage?”, 2018)

    Complete backup solution

    Many backup software solutions can provide backups to multiple locations, making two-location backups simple.

    Use Case: How an oil refinery modernized its backup solution

    • A large oil refinery needed a better solution for the storage of backups. The refinery was replacing its backup software solution but also wanted to improve the backup storage situation and move away from tape-based storage. All other infrastructure was reasonably modern and not in need of replacement at this time.
    • A research analyst from Info-Tech helped the client realize that the solution was a modified backup. The general guidance for backups is have a least one copy offsite, so the cloud was the obvious focal point. The analyst also explained that it would be beneficial to have a recent copy of the backup available on site for common restoration requests in addition to having the offsite copy for disaster recovery (DR) purposes.
    • The refinery staff conducted a data analysis to determine how much data was being backed up on a daily basis. The solution proposed by the analyst included network-attached storage (NAS) with adequate storage to hold 30 days' worth of on-premises data. The backup software would also simultaneously copy each backup to a cloud-based storage repository. The backup software was smart enough to only back up and transfer data that had changed since the previous backup, so transfer time and capacity was not a factor.
    • The NAS would allow for the restoration of any local, on-premises data while the cloud storage would provide a safe location offsite for backup data. It could also serve as the backup location for other cloud-based services that required a backup.

    “Data protection demands that enterprises have multiple methods of keeping data safe and replicating it in case of disaster or loss.”

    – Drew Robb, Enterprise Storage Forum, 2021

    Storage going out of support

    SAN solutions have come a long way with improvements in how data is stored and what is used to store the data.

    Use Case: How one organization replaced its old storage with a similar solution

    • A government organization was looking for a solution for its aging storage area network appliances. The SANs were old and would be no longer supported by the manufacturer within four months. The SANs had slower spinning disks and their individual capacity was at its limit through the addition of extra shelves and disks over the years.
    • The organization reached out to Info-Tech for guidance. An analyst arranged a call with them, and they discussed the storage situation in detail, including desired benefits from a storage solution and growth requirements. They also discussed cloud storage, but the government organization was not in a position to move its data to the cloud for a variety of reasons.
    • Although the individual SANs were at their storage capacity limit, the total amount of data was well within the limits of many modern on-premises storage solutions. SSD and flash or NVMe storage can store large amounts of data in small footprints and form factors.
    • The analyst reviewed several vendors with the client and discussed some advantages and disadvantages of each. They explored the features offered as well as scalability options.
    • SANs have been around for a long time but the features and capabilities that come with them has evolved. They are still a very viable solution for many organizations in a variety of scenarios.

    “A rapidly growing portion of SAN deployments leverages all-flash storage to gain its high performance, consistent low latency, and lower total cost when compared to spinning disk.”

    – NetApp

    Video storage

    Cloud storage would not be sufficient if you were using a dial up connection, just as on-premises storage solutions would not suffice if they were using floppy disks.

    Use Case: Body cams and public cameras in municipalities are driving storage growth

    • Municipal law enforcement agencies are wearing body cameras more frequently, for their own protection as well as for the protection of the public. Camera footage can be useful in legal situations as well. Municipalities are also installing more and more public cameras for the purposes of public safety. The recorded video footage from these cameras can result in large data files, which in turn drive data storage requirements.
    • Info-Tech analysts are joining calls about video data storage with increasing frequency. The concerns are repetitive, and the guidance is similar on most of these calls.
    • The “object” storage format is ideal for video and media data. Most cloud-based storage solutions use object storage, but it is also available with on-premises solutions such as NAS or SAN. The challenges clients are expressing are typically related to inadequate bandwidth for cloud-based storage or other storage formats instead of “object” storage. Cloud-based storage can also grow beyond the budgeted numbers, causing an increase in the monthly cloud cost. Older, slower on-premises hardware sometimes reveals itself as the latency culprit.
    • Object storage is well suited for the unstructured data that is video footage. It uses metadata to tag the video file for future retrieval and is easily expandable, which also makes it cost effective.
    • Video data stored in a cloud-based repository will work fine as long as the bandwidth is adequate. On-premises storage of video data is also quite adequate on the right storage format, with fast disks and a reasonably up-to-date network infrastructure.

    “The captured video is stored for days, weeks, months and sometimes years and consumes a lot of space. Data storage plays a new and important role in these systems. Object storage is ideal to store the video data.”

    – Object-Storage.Info

    Classify and offload primary storage

    Some software products have storage options available as a result of agreements with other storage vendors. Several backup and archive software products fall into this category.

    Use Case: Enterprise storage can help reduce data sprawl

    • A large engineering firm was trying to manage its data sprawl. The team sampled a small percentage of their data and quickly realized that when they applied their findings on the 1% of data to their entire data estate, the sheer volume of personal files, older files, and unclassified data was going to be a challenge.
    • They found a solution in archiving software. The archiving software would tag data based on several factors. The software would move older files away from primary storage to an alternate storage platform but still leave a stub of the moved file in place and maintain limited access to those files. This would reduce primary storage requirements and allow the firm to eliminate multiple file servers
    • The engineering firm reached out to Info-Tech and participated in an analyst call. During that call, they laid out their plans, and the analyst made them aware of cloud storage. The positive and negative aspects of cloud storage were discussed, and the firm fully understood that the colder the storage tier, the slower the recovery. The firm's stance was if the files had not been accessed in the past six months, waiting a day or two for retrieval would not be a concern, and the firm was content with cold storage in the cloud.
    • The firm had not purchased the archiving software at the time of the analyst call, and the analyst also explained to them that the archiving software may have an existing agreement with a cloud provider for storage options, which could be more cost effective than purchasing cloud storage separately.
    • Cold cloud-based storage was the preferred solution for this firm, but this use case also highlights the option that some software products carry regarding storage. Several backup and archive products have a cloud storage option that should be investigated, as they may be cost-effective options.

    “Cold storage is perfect for archiving your data. Online backup providers offer low-cost, off-site data backups at the expense of fast speeds and easy access, even though data retrieval often comes at an added cost. If you need to keep your data long-term, but don’t need to access it often, this is the kind of storage you need.”

    – Ben Stockton, Cloudwards

    Understand your data requirements

    Activity

    The first step in solving your enterprise storage challenge is identifying your data sources or drivers, data volume size, and growth rates. This information will give you insight into what data sources could be stored on premises or in the cloud, how much storage you will require for the coming five to ten years, and what to consider when exploring enterprise storage solutions.

    • Info-Tech’s Modernize Enterprise Storage Workbook can be a valuable asset for determining your current storage drivers and future storage needs, structuring a plan for future storage purchases, and determining timelines and total cost of ownership.
    • An example of the Storage Capacity Calculator tab from that workbook is displayed on the right. Using the Storage Capacity Requirements Calculator requires minimal steps.
    1. Enter the current date and planning timeline (horizon) in months
    2. Identify the top sources of data within the business – the current data drivers. Areas of focus could include business applications, file shares, backup, and archives.
    3. For each of these data drivers, include your best estimate of:
    • Current data volume
    • Growth rate
  • Identify the top future data drivers, such as new applications or initiatives that will result from current business plans and priorities, and record the following details:
    • Initial data volumes
    • Projected growth rates
    • Planned implementation date
  • The spreadsheet will automatically calculate the data volume at the planning horizon based on the growth rate.
  • Download the Modernize Enterprise Storage Workbook and take the first step toward understanding your data requirements.

    The image contains a screenshot of the Modernize Enterprise Storage Workbook.

    Download the Modernize Enterprise Storage Workbook

    Related Info-Tech Research

    Modernize Enterprise Storage

    Current and emerging storage technologies are disrupting the status quo – prepare your infrastructure for the exponential rise in data and its storage requirements.

    Modernize Enterprise Storage Workbook

    This workbook will complement the discussions and activities found in the Modernize Enterprise Storage blueprint. Use this workbook in conjunction with the blueprint to develop a strategy for storage modernization.

    Bibliography

    Bakkianathan, Raghunathan. “What is the difference between Hot Warm and Cold data storage?” TechBlost, n.d.. Accessed 14 July 2022.
    Cesare. “Data warehouse vs Data lake vs Lakehouse… and DeltaLake?“ Medium, 14 June 2021. Accessed 26 July 2022.
    Davison, Shawn and Ryan Sappenfield. “Data Lake Vs Lakehouse Vs Data Mesh: The Evolution of Data Transformation.” DevIQ, May 2022. Accessed 23 July 2022.
    Desjardins, Jeff. “Infographic: How Much Data is Generated Each Day?” Visual Capitalist, 15 April 2019. Accessed 26 July 2022.
    Greengard, Samuel. “Top 10 Hyperconverged Infrastructure (HCI) Solutions.” Datamation, 22 December 2020. Accessed 23 July 2022.
    Harvey, Cynthia. “Flash vs. SSD Storage: Is there a Difference?” Enterprise Storage Forum, 10 July 2018. Accessed 23 July 2022.
    Harvey, Cynthia. “What Is Software Defined Storage? Features & Benefits.” Enterprise Storage Forum, 22 February 2018. Accessed 23 July 2022.
    Hecht, Gil. “4 Predictions for storage and backup security in 2022.” Continuity Software, 09 January 2022. Accessed 22 July 2022.
    Jacobi, Jonl. “NVMe SSDs: Everything you need to know about this insanely fast storage.” PCWorld, 10 March 2019. Accessed 22 July 2022
    Pritchard, Stephen. “Briefing: Cloud storage performance metrics.” Computer Weekly, 16 July 2021. Accessed 23 July 2022
    Robb, Drew. “Best Enterprise Backup Software & Solutions 2022.” Enterprise Storage Forum, 09 April 2021. Accessed 23 July 2022.
    Sheldon, Robert. “On-premises STaaS shifts storage buying to Opex model.” TechTarget, 10 August 2020. Accessed 22 July 2022.
    “Simplify Your Storage Ownership, Forever.” PureStorage. Accessed 20 July 2022.
    Stockton, Ben. “Hot Storage vs Cold Storage in 2022: Instant Access vs Long-Term Archives.” Cloudwards, 29 September 2021. Accessed 22 July 2022.
    “The Cost Savings of SAN-to-SAN Replication.” Secure Infrastructure and Services, 31 March 2016. Accessed 16 July 2022.
    “Video Surveillance.” Object-Storage.Info, 18 December 2019. Accessed 25 July 2022.
    “What is a Data Lake?” Amazon Web Services, n.d. Accessed 17 July 2022.
    “What is enterprise cloud storage?” Spectrum Enterprise, n.d. Accessed 28 July 2022.
    “What is SAN (Storage Area Network).” NetApp, n.d. Accessed 25 July 2022.
    “What is software-defined storage?” RedHat, 08 March 2018. Accessed 16 July 2022.

    Reduce Shadow IT With a Service Request Catalog

    • Buy Link or Shortcode: {j2store}302|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: $129,999 Average $ Saved
    • member rating average days saved: 35 Average Days Saved
    • Parent Category Name: Asset Management
    • Parent Category Link: /asset-management
    • Shadow IT: The IT team is regularly surprised to discover new products within the organization, often when following up on help desk tickets or requests for renewals from business users or vendors.
    • Renewal Management: The contracts and asset teams need to be aware of upcoming renewals and have adequate time to review renewals.
    • Over-purchasing: Contracts may be renewed without a clear picture of usage, potentially renewing unused applications.

    Our Advice

    Critical Insight

    There is a direct correlation between service delivery dissatisfaction and increases in shadow IT. Whether the goal is to reduce shadow IT or gain control, improved customer service and fast delivery are key to making lasting changes.

    Impact and Result

    Our blueprint will help you design a service that draws the business to use it. If it is easier for them to buy from IT than it is to find their own supplier, they will use IT.

    A heavy focus on customer service, design optimization, and automation will provide a means for the business to get what they need, when they need it, and provide visibility to IT and security to protect organizational interests.

    This blueprint will help you:

    • Design the request service
    • Design the request catalog
    • Build the request catalog
    • Market the service

    Reduce Shadow IT With a Service Request Catalog Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Reduce Shadow IT With a Service Request Catalog – A step-by-step document that walks you through creation of a request service management program.

    Use this blueprint to create a service request management program that provides immediate value.

    • Reduce Shadow IT With a Service Request Catalog Storyboard

    2. Nonstandard Request Assessment – A template for documenting requirements for vetting and onboarding new applications.

    Use this template to define what information is needed to vet and onboard applications into the IT environment.

    • Nonstandard Request Assessment

    3. Service Request Workflows – A library of workflows used as a starting point for creating and fulfilling requests for applications and equipment.

    Use this library of workflows as a starting point for creating and fulfilling requests for applications and equipment in a service catalog.

    • Service Request Workflows

    4. Application Portfolio – A template to organize applications requested by the business and identify which items are published in the catalog.

    Use this template as a starting point to create an application portfolio and request catalog.

    • Application Portfolio

    5. Reduce Shadow IT With a Service Request Catalog Communications Template – A presentation and communications plan to announce changes to the service and introduce a catalog.

    Use this template to create a presentation and communications plan for launching the new service and service request catalog.

    • Reduce Shadow IT with a Service Request Catalog Communications Template
    [infographic]

    Workshop: Reduce Shadow IT With a Service Request Catalog

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Design the Service

    The Purpose

    Collaborate with the business to determine service model.

    Collaborate with IT teams to build non-standard assessment process.

    Key Benefits Achieved

    Designed a service for service requests, including new product intake.

    Activities

    1.1 Identify challenges and obstacles.

    1.2 Complete customer journey map.

    1.3 Design process for nonstandard assessments.

    Outputs

    Nonstandard process.

    2 Design the Catalog

    The Purpose

    Design the service request catalog management process.

    Key Benefits Achieved

    Ensure the catalog is kept current and is integrated with IT service catalog if applicable.

    Activities

    2.1 Determine what will be listed in the catalog.

    2.2 Determine process to build and maintain the catalog, including roles, responsibilities, and workflows.

    2.3 Define success and determine metrics.

    Outputs

    Catalog scope.

    Catalog design and maintenance plan.

    Defined success metrics

    3 Build and Market the Catalog

    The Purpose

    Determine catalog contents and how requests will be fulfilled.

    Key Benefits Achieved

    Catalog framework and service level agreements will be defined.

    Create communications documents.

    Activities

    3.1 Determine how catalog items will be displayed.

    3.2 Complete application categories for catalog.

    3.3 Create deployment categories and SLAs.

    3.4 Design catalog forms and deployment workflows.

    3.5 Create roadmap.

    3.6 Create communications plan.

    Outputs

    Catalog workflows and SLAs.

    Roadmap.

    Communications deck.

    4 Breakout Groups – Working Sessions

    The Purpose

    Create an applications portfolio.

    Prepare to populate the catalog.

    Key Benefits Achieved

    Portfolio and catalog contents created.

    Activities

    4.1 Using existing application inventory, add applications to portfolio and categorize.

    4.2 Determine which applications should be in the catalog.

    4.3 Determine which applications are packaged and can be easily deployed.

    Outputs

    Application Portfolio.

    List of catalog items.

    Further reading

    Reduce Shadow IT With a Service Request Catalog

    Foster business partnerships with sourcing-as-a-service.

    Analyst Perspective

    Improve the request management process to reduce shadow IT.

    In July 2022, Ivanti conducted a study on the state of the digital employee experience, surveying 10,000 office workers, IT professionals, and C-suite executives. Results of this study indicated that 49% of employees are frustrated by their tools, and 26% of employees were considering quitting their jobs due to unsuitable tech. 42% spent their own money to gain technology to improve their productivity. Despite this, only 21% of IT leaders prioritized user experience when selecting new tools.

    Any organization’s workers are expected to be productive and contribute to operational improvements or customer experience. Yet those workers don’t always have the tools needed to do the job. One option is to give the business greater control, allowing them to choose and acquire the solutions that will make them more productive. Info-Tech's blueprint Embrace Business-Managed Applications takes you down this path.

    However, if the business doesn’t want to manage applications, but just wants have access to better ones, IT is positioned to provide services for application and equipment sourcing that will improve the employee experience while ensuring applications and equipment are fully managed by the asset, service, and security teams.

    Improving the request management and deployment practice can give the business what they need without forcing them to manage license agreements, renewals, and warranties.

    Photo of Sandi Conrad

    Sandi Conrad
    ITIL Managing Professional
    Principal Research Director, IT Infrastructure & Operations,
    Info-Tech Research Group

    Your challenge

    This research is designed to help organizations that are looking to improve request management processes and reduce shadow IT.

    Shadow IT: The IT team is regularly surprised to discover new products within the organization, often when following up on help desk tickets or requests for renewals from business users or vendors.

    Renewal management: The contracts and asset teams need to be aware of upcoming renewals and have adequate time to review renewals.

    Over-purchasing and over-spending: Contracts may be renewed without a clear picture of utilization, potentially renewing unused applications. Applications or equipment may be purchased at retail price where corporate, government, or educational discounts exist.

    Info-Tech Insight

    To increase the visibility of the IT environment, IT needs to transform the request management process to create a service that makes it easier for the business to access the tools they need rather than seeking them outside of the organization.

    609
    Average number of SaaS applications in large enterprises

    40%
    On average, only 60% of provisioned SaaS licenses are used, with the remaining 40% unused.

    — Source: Zylo, SaaS Trends for IT Leaders, 2022

    Common obstacles

    Too many layers of approvals and a lack of IT workers makes it difficult to rethink service request fulfillment.

    Delays: The business may not be getting the applications they need from IT to do their jobs or must wait too long to get the applications approved.

    Denials: Without IT’s support, the business is finding alternative options, including SaaS applications, as they can be bought and used without IT’s input or knowledge.

    Threats: Applications that have not been vetted by security or installed without their knowledge may present additional threats to the organization.

    Access: Self-serve isn’t mature enough to support an applications catalog.

    A diagram that shows the number of SaaS applications being acquired outside of IT is increasing year over year, and that business units are driving the majority of SaaS spend.

    8: average number of applications entering the organization every 30 days

    — Source: Zylo, SaaS Trends for Procurement, 2022

    Info-Tech’s approach

    Improve the request management process to create sourcing-as-a-service for the business.

    • Improve customer service
    • Reduce shadow IT
    • Gain control in a way that keeps the business happy

    1. Design the service

    Collaborate with the business

    Identify the challenges and obstacles

    Gain consensus on priorities

    Design the service

    2. Design the catalog

    Determine catalog scope

    Create a process to build and maintain the catalog

    Define metrics for the request management process

    3. Build the catalog

    Determine descriptions for catalog items

    Create definitions for license types, workflows, and SLAs

    Create application portfolio

    Design catalog forms and workflows

    4. Market the service

    Create a roadmap

    Determine messaging

    Build a communications plan

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Communications Presentation

    Photo of Communications Presentation

    Application Portfolio

    Photo of Application Portfolio

    Visio Library

    Photo of Visio Library

    Nonstandard Request Assessment

    Photo of Nonstandard Request Assessment

    Create a request management process and service catalog to improve delivery of technology to the business

    Implement and Mature Your User Experience Design Practice

    • Buy Link or Shortcode: {j2store}430|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Requirements & Design
    • Parent Category Link: /requirements-and-design

    Many organizations want to get to market quickly and on budget but don’t know the steps to get the right product/service to satisfy the users and business. This may be made apparent through uninformed decisions leading to lack of adoption of your product or service, rework due to post-implementation user feedback, or the competition discovering new approaches that outshine yours.

    Our Advice

    Critical Insight

    Ensure your practice has a clear understanding of the design problem space – not just the solution. An understanding of the user is critical to this.

    Impact and Result

    • Create a practice that is focused on human outcomes; it starts and ends with the people you are designing for. This includes:
      • Establishing a practice with a common vision.
      • Enhancing the practice through four design factors.
      • Communicating a roadmap to improve your business through design.
    • Create a practice that develops solutions specific to the needs of users, customers, and stakeholders.

    Implement and Mature Your User Experience Design Practice Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should implement an experience design practice, review Info-Tech’s methodology, and understand the four dimensions we recommend using to mature your practice.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build the foundation

    Motivate your team with a common vision, mission, and goals.

    • Design Roadmap Workbook
    • User Experience Practice Roadmap

    2. Review the design dimensions

    Examine your practice – from the perspectives of organizational alignment, business outcomes, design perspective, and design integration – to determine what it takes to improve your maturity.

    3. Build your roadmap and communications

    Bring it all together – determine your team structure, the roadmap for the practice maturity, and communication plan.

    [infographic]

    Workshop: Implement and Mature Your User Experience Design Practice

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Answer “So What?”

    The Purpose

    Make the case for UX. Bring the team together with a common mission, vision, and goals.

    Key Benefits Achieved

    Mission, vision, and goals for design

    Activities

    1.1 Define design practice goals.

    1.2 Generate the vision statement.

    1.3 Develop the mission statement.

    Outputs

    Design vision statement

    Design mission statement

    Design goals

    2 Examine Design Dimensions

    The Purpose

    Review the dimensions that help organizations to mature, and assess what next steps make sense for your organization.

    Key Benefits Achieved

    Develop initiatives that are right-sized for your organization.

    Activities

    2.1 Examine organizational alignment.

    2.2 Establish priorities for initiatives.

    2.3 Identify business value sources.

    2.4 Identify design perspective.

    2.5 Brainstorm design integration.

    2.6 Complete UCD-Canvas.

    Outputs

    Documented initiatives for design maturity

    Design canvas framework

    3 Create Structure and Initiatives

    The Purpose

    Make your design practice structure right for you.

    Key Benefits Achieved

    Examine patterns and roles for your organization.

    Activities

    3.1 Structure your design practice.

    Outputs

    Design practice structure with patterns

    4 Roadmap and Communications

    The Purpose

    Define the communications objectives and audience for your roadmap.

    Develop your communication plan.

    Sponsor check-in.

    Key Benefits Achieved

    Complete in-progress deliverables from previous four days.

    Set up review time for workshop deliverables and to discuss next steps.

    Activities

    4.1 Define the communications objectives and audience for your roadmap.

    4.2 Develop your communication plan.

    Outputs

    Communication Plan and Roadmap

    Drive Real Business Value with an HRIS Strategy

    • Buy Link or Shortcode: {j2store}586|cart{/j2store}
    • member rating overall impact: 9.1/10 Overall Impact
    • member rating average dollars saved: $43,457 Average $ Saved
    • member rating average days saved: 36 Average Days Saved
    • Parent Category Name: Human Resource Systems
    • Parent Category Link: /human-resource-systems
    • In most organizations, the HR application portfolio has evolved tactically on an as-needed basis, resulting in un-integrated systems and significant effort spent on manual workarounds.
    • The relationship between HR and IT is not optimal for technology decision making. System-related decisions are made by HR and IT is typically involved only post-purchase to fix issues as they arise and offer workarounds.
    • IT systems for HR are not viewed as a strategic differentiator or business enabler, thereby leading to a limited budget and resources for HR IT systems and subsequently hindering the adoption of a strategic, holistic perspective.
    • Some organizations overinvest, while others underinvest in lightweight, point-to-point solutions. Finding the sweet spot between a full suite and lightweight functionality is no easy task.

    Our Advice

    Critical Insight

    • Align HRIS goals with the business. Organizations must position HR as a partner prior to embarking on an HRIS initiative, aligning technology goals with organizational objectives before looking at software.
    • Communication is key. Often, HR and IT speak different languages. Maintain a high degree of communication by engaging stakeholder groups early.
    • Plan where you want to go. Designing a roadmap based on clear requirements, alignment with the business, and an understanding of priorities will contribute to success.

    Impact and Result

    • Evaluate the current state of HRIS, understand the pain points, and visualize your ideal processes prior to choosing a solution.
    • Explore the different solution alternatives: maintain current system, integrate and consolidate, augment, or replace system entirely.
    • Create a plan to engage IT and HR throughout the project. Equip HR with the decision-making tools to meet business objectives and drive business strategy. Establish a common language for IT and HR to effectively communicate.
    • Develop a practical and actionable roadmap that the entire organization can buy into.

    Drive Real Business Value with an HRIS Strategy Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should develop an HRIS strategy, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Conduct an environmental scan

    Create a clear project vision that outlines the goals and objectives for the HRIS strategy. Subsequently, construct an HRIS business model that is informed by enablers, barriers, and the organizational, IT, and HR needs.

    • Drive Real Business Value with an HRIS Strategy – Phase 1: Conduct an Environmental Scan
    • Establish an HRIS Strategy Project Charter Template
    • HRIS Readiness Assessment Checklist

    2. Design the future state

    Gather high-level requirements to determine the ideal future state. Explore solution alternatives and choose the path that is best aligned with the organization's needs.

    • Drive Real Business Value with an HRIS Strategy – Phase 2: Design the Future State
    • HRIS Strategy Stakeholder Interview Guide
    • Process Owner Assignment Guide

    3. Finalize the roadmap

    Identify roadmap initiatives. Prioritize initiatives based on importance and effort.

    • Drive Real Business Value with an HRIS Strategy – Phase 3: Finalize the Roadmap
    • Initiative Roadmap Tool
    • HRIS Stakeholder Presentation Template
    [infographic]

    Workshop: Drive Real Business Value with an HRIS Strategy

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Conduct an Environmental Scan

    The Purpose

    Understand the importance of creating an HRIS strategy before proceeding with software selection and implementation.

    Learn why a large percentage of HRIS projects fail and how to avoid common mistakes.

    Set expectations for the HRIS strategy and understand Info-Tech’s HRIS methodology.

    Complete a project charter to gain buy-in, build a project team, and track project success.   

    Key Benefits Achieved

    A go/no-go decision on the project appropriateness.

    Project stakeholders identified.

    Project team created with defined roles and responsibilities.

    Finalized project charter to gain buy-in.  

    Activities

    1.1 Set a direction for the project by clarifying the focus.

    1.2 Identify the right stakeholders for your project team.

    1.3 Identify HRIS needs, barriers, and enablers.

    1.4 Map the current state of your HRIS.

    1.5 Align your business goals with your HR goals and objectives.

    Outputs

    Project vision

    Defined project roles and responsibilities

    Completed HRIS business model

    Completed current state map and thorough understanding of the HR technology landscape

    Strategy alignment between HR and the business

    2 Design the Future State

    The Purpose

    Gain a thorough understanding of the HRIS-related pains felt throughout the organization.

    Use stakeholder-identified pains to directly inform the HRIS strategy and long-term solution.

    Visualize your ideal processes and realize the art of the possible.  

    Key Benefits Achieved

    Requirements to strengthen the business case and inform the strategy.

    The art of the possible.

    Activities

    2.1 Requirements gathering.

    2.2 Sketch ideal future state processes.

    2.3 Establish process owners.

    2.4 Determine guiding principles.

    2.5 Identify metrics.

    Outputs

    Pain points classified by data, people, process, and technology

    Ideal future process vision

    Assigned process owners, guiding principles, and metrics for each HR process in scope

    3 Create Roadmap and Finalize Deliverable

    The Purpose

    Brainstorm and prioritize short- and long-term HRIS tasks.

    Key Benefits Achieved

    Understand next steps for the HRIS project.

    Activities

    3.1 Create a high-level implementation plan that shows dependencies.

    3.2 Identify risks and mitigation efforts.

    3.3 Finalize stakeholder presentation.

    Outputs

    Completed implementation plan

    Completed risk management plan

    HRIS stakeholder presentation

    Change Management

    • Buy Link or Shortcode: {j2store}3|cart{/j2store}
    • Related Products: {j2store}3|crosssells{/j2store}
    • Up-Sell: {j2store}3|upsells{/j2store}
    • Download01-Title: Change Management Executive Brief
    • Download-01: Visit Link
    • member rating overall impact: 9.6/10
    • member rating average dollars saved: $35,031
    • member rating average days saved: 34
    • Parent Category Name: Infra and Operations
    • Parent Category Link: /infra-and-operations
    Every company needs some change management. Both business and IT teams benefit from knowing what changes when.

    incident, problem, problemchange

    Security Priorities 2022

    • Buy Link or Shortcode: {j2store}244|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Security Strategy & Budgeting
    • Parent Category Link: /security-strategy-and-budgeting
    • Ransomware activities and the cost of breaches are on the rise.
    • Cybersecurity talent is hard to find, and an increasing number of cybersecurity professionals are considering leaving their jobs.
    • Moving to the digital world increases the risk of a breach.

    Our Advice

    Critical Insight

    • The pandemic has fundamentally changed the technology landscape. Security programs must understand how their threat surface is now different and adapt their controls to meet the challenge.
    • The upside to the upheaval in 2021 is new opportunities to modernize your security program.

    Impact and Result

    • Use the report to ensure your plan in 2022 addresses what’s important in cybersecurity.
    • Understand the current situation in the cybersecurity space.

    Security Priorities 2022 Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Security Priorities 2022 – A report that describes priorities and recommendations for CISOs in 2022.

    Use this report to understand the current situation in the cybersecurity space and inform your plan for 2022. This report includes sections on protecting against and responding to ransomware, acquiring and retaining talent, securing a remote workforce, securing digital transformation, and adopting zero trust.

    • Security Priorities for 2022 Report

    Infographic

    Further reading

    Security Priorities 2022

    The pandemic has changed how we work

    disruptions to the way we work caused by the pandemic are here to stay.

    The pandemic has introduced a lot of changes to our lives over the past two years, and this is also true for various aspects of how we work. In particular, a large workforce moved online overnight, which shifted the work environment rapidly.

    People changed how they communicate, how they access company information, and how they connect to the company network. These changes make cybersecurity a more important focus than ever.

    Although changes like the shift to remote work occurred in response to the pandemic, they are largely expected to remain, regardless of the progression of the pandemic itself. This report will look into important security trends and the priorities that stemmed from these trends.

    30% more professionals expect transformative permanent change compared to one year ago.

    47% of professionals expect a lot of permanent change; this remains the same as last year. (Source: Info-Tech Tech Trends 2022 Survey; N=475)

    The cost of a security breach is rising steeply

    The shift to remote work exposes organizations to more costly cyber incidents than ever before.

    $4.24 million

    Average cost of a data breach in 2021
    The cost of a data breach rose by nearly 10% in the past year, the highest rate in over seven years.

    $1.07 million

    More costly when remote work involved in the breach

    The average cost of breaches where remote work is involved is $1.07 million higher than breaches where remote work is not involved.

    The ubiquitous remote work that we saw in 2021 and continue to see in 2022 can lead to more costly security events. (Source: IBM, 2021)

    Remote work is here to stay, and the cost of a breach is higher when remote work is involved.

    The cost comes not only directly from payments but also indirectly from reputational loss. (Source: IBM, 2021)

    Security teams can participate in the solution

    The numbers are clear: in 2022, when we face a threat environment like WE’VE never EXPERIENCED before, good security is worth the investment

    $1.76 million

    Saved when zero trust is deployed facing a breach

    Zero trust controls are realistic and effective controls.

    Organizations that implement zero trust dramatically reduce the cost of an adverse security event.

    35%

    More costly if it takes more than 200 days to identify and contain a breach

    With increased BYOD and remote work, detection and response is more challenging than ever before – but it is also highly effective.

    Organizations that detect and respond to incidents quickly will significantly reduce the impact. (Source: IBM, 2021)

    Breaches are 34% less costly when mature zero trust is implemented.

    A fully staffed and well-prepared security team could save the cost through quick responses. (Source: IBM, 2021)

    Top security priorities and constraints in 2022

    Survey results

    As part of its research process for the 2022 Security Priorities Report, Info-Tech Research Group surveyed security and IT leaders (N=97) to ask their top security priorities as well as their main obstacles to security success in 2022:

    Top Priorities
    A list of the top three priorities identified in the survey with their respective percentages, 'Acquiring and retaining talent, 30%', 'Protecting against and responding to ransomware, 23%', and 'Securing a remote workforce, 23%'.

    Survey respondents were asked to force-rank their security priorities.

    Among the priorities chosen most frequently as #1 were talent management, addressing ransomware threats, and securing hybrid/remote work.

    Top Obstacles
    A list of the top three obstacles identified in the survey with their respective percentages, 'Staffing constraints, 31%', 'Demand of ever-changing business environment, 23%', and 'Budget constraints, 15%'.

    Talent management is both the #1 priority and the top obstacle facing security leaders in 2022.

    Unsurprisingly, the ever-changing environment in a world emerging from a pandemic and budget constraints are also top obstacles.

    We know the priorities…

    But what are security leaders actually working on?

    This report details what we see the world demanding of security leaders in the coming year.

    Setting aside the demands – what are security leaders actually working on?

    A list of 'Top security topics among Info-Tech members' with accompanying bars, 'Security Strategy', 'Security Policies', 'Security Operations', 'Security Governance', and 'Security Incident Response'.

    Many organizations are still mastering the foundations of a mature cybersecurity program.

    This is a good idea!

    Most breaches are still due to gaps in foundational security, not lack of advanced controls.

    We know the priorities…

    But what are security leaders actually working on?

    A list of industries with accompanying bars representing their demand for security. The only industry with a significant positive percentage is 'Government'. Security projects included in annual plan relative to industry.

    One industry plainly stands out from the rest. Government organizations are proportionally much more active in security than other industries, and for good reason: they are common targets.

    Manufacturing and professional services are proportionally less interested in security. This is concerning, given the recent targeting of supply chain and personal data holders by ransomware gangs.

    5 Security Priorities for 2022 Logo for Info-Tech. Logo for ITRG.

    People

    1. Acquiring and Retaining Talent
      Create a good working environment for existing and potential employees. Invest time and effort into talent issues to avoid being understaffed.
    2. Securing a Remote Workforce
      Create a secure environment for users and help your people build safe habits while working remotely.

    Process

    1. Securing Digital Transformation
      Build in security from the start and check in frequently to create agile and secure user experiences.

    Technology

    1. Adopting Zero Trust
      Manage access of sensitive information based on the principle of least privilege.
    2. Protecting Against and Responding to Ransomware
      Put in your best effort to build defenses but also prepare for a breach and know how to recover.

    Main Influencing Factors

    COVID-19 Pandemic
    The pandemic has changed the way we interact with technology. Organizations are universally adapting their business and technology processes to fit the post-pandemic paradigm.
    Rampant Cybercrime Activity
    By nearly every conceivable metric, cybercrime is way up in the past two years. Cybercriminals smell blood and pose a more salient threat than before. Higher standards of cybersecurity capability are required to respond to this higher level of threat.
    Remote Work and Workforce Reallocation
    Talented IT staff across the globe enabled an extraordinarily fast shift to remote and distance work. We must now reckon with the security and human resourcing implications of this huge shift.

    Acquire and Retain Talent

    Priority 01

    Security talent was in short supply before the pandemic, and it's even worse now.

    Executive summary

    Background

    Cybersecurity talent has been in short supply for years, but this shortage has inflected upward since the pandemic.

    The Great Resignation contributed to the existing talent gap. The pandemic has changed how people work as well as how and where they choose work. More and more senior workers are retiring early or opting for remote working opportunities.

    The cost to acquire cybersecurity talent is huge, and the challenge doesn’t end there. Retaining top talent can be equally difficult.

    Current situation

    • A 2021 survey by ESG shows that 76% of security professional agree it’s difficult to recruit talent, and 57% said their organization is affected by this talent shortage.
    • (ISC)2 reports there are 2.72 million unfilled job openings and an increasing workforce gap (2021).

    2.72 million unfilled cybersecurity openings (Source: (ISC)2, 2021)

    IT leaders must do more to attract and retain talent in 2022

    • Over 70% of IT professionals are considering quitting their jobs (TalentLMS, 2021). Meanwhile, 51% of surveyed cybersecurity professionals report extreme burnout during the last 12 months and many of them have considered quitting because of it (VMWare, 2021).
    • Working remotely makes it easier for people to look elsewhere, lowering the barrier to leaving.
    • This is a big problem for security leaders, as cybersecurity talent is in very short supply. The cost of acquiring and retaining quality cybersecurity staff in 2022 is significant, and many organizations are unwilling or unable to pay the premium.
    • Top talent will demand flexible working conditions – even though remote work comes with security risk.
    • Most smart, talented new hires in 2022 are demanding to work remotely most of the time.
    Top reasons for resignations in 2021
    Burnout 30%
    Other remote opportunities 20%
    Lack of growth opportunities 20%
    Poor culture 20%
    Acquisition concerns 10%
    (Source: Survey of West Coast US cybersecurity professionals; TechBeacon, 2021)

    Talent will be 2022’s #1 strength and #1 weakness

    Staffing obstacles in 2022:

    “Attracting and retaining talent is always challenging. We don’t pay as well and my org wants staff in the office at least half of the time. Most young, smart, talented new hires want to work remotely 100 percent of the time.“

    “Trying to grow internal resources into security roles.”

    “Remote work expectations by employees and refusal by business to accommodate.”

    “Biggest obstacle: payscales that are out of touch with cybersecurity market.”

    “Request additional staff. Obtaining funding for additional position is most significant obstacle.”

    (Info-Tech Tech Security Priorities Survey 2022)
    Top obstacles in 2022:

    As you can see, respondents to our security priorities survey have strong feelings on the challenges of staffing a cybersecurity team.

    The growth of remote work means local talent can now be hired by anybody, vastly increasing your competition as an employer.

    Hiring local will get tougher – but so will hiring abroad. People who don’t want to relocate for a new job now have plenty of alternatives. Without a compelling remote work option, you will find non-local prospects unwilling to move for a new job.

    Lastly, many organizations are still reeling at the cost of experienced cybersecurity talent. Focused internal training and development will be the answer for many organizations.

    Recommended Actions

    Provide career development opportunities

    Many security professionals are dissatisfied with their unclear career development paths. To improve retention, organizations should provide their staff with opportunities and clear paths for career and skills advancement.

    Be open-minded when hiring

    To broaden the candidate pool, organizations should be open-minded when considering who to hire.

    • Enable remote work.
    • Do not fixate on certificates and years of experience; rather, be open to developing those who have the right interest and ability.
    • Consider using freelance workers.
    Facilitate work-life balance

    Many security professionals say they experience burnout. Promoting work-life balance in your organization can help retain critical skills.

    Create inclusive environment

    Hire a diverse team and create an inclusive environment where they can thrive.

    Talent acquisition and retention plan

    Use this template to explain the priorities you need your stakeholders to know about.

    Provide a brief value statement for the initiative.

    Address a top priority and a top obstacle with a plan to attract and retain top organizational and cybersecurity talent.

    Initiative Description:

    • Provide secure remote work capabilities for staff.
    • Work with HR to refine a hiring plan that addresses geographical and compensation gaps with cybersecurity and general staff.
    • Survey staff engagement to identify points of friction and remediate where needed.
    • Define a career path and growth plan for staff.
    Description must include what IT will undertake to complete the initiative.

    Primary Business Benefits:

    Arrow pointing down.
    Reduction in costs due to turnover and talent loss

    Other Expected Business Benefits:

    Arrow pointing up.
    Productivity due to good morale/ engagement
    Arrow pointing up.
    Improved corporate culture
    Align initiative benefits back to business benefits or benefits for the stakeholder groups that it impacts.

    Risks:

    • Big organizational and cultural changes
    • Increased attack surface of remote/hybrid workforce

    Related Info-Tech Research:

    Secure a Remote Workforce

    Priority 02

    Trends suggest remote work is here to stay. Addressing the risk of insecure endpoints can no longer be deferred.

    Executive summary

    Remote work poses unique challenges to cybersecurity teams. The personal home environment may introduce unauthorized people and unknown network vulnerabilities, and the organization loses nearly all power and influence over the daily cyber hygiene of its users.

    In addition, the software used for enabling remote work itself can be a target of cybersecurity criminals.

    Current situation

    • 70% of workers in technical services work from home.
    • Employees of larger firms and highly paid individuals are more likely to be working outside the office.
    • 80% of security and business leaders find that remote work has increased the risk of a breach.
    • (Source: StatCan, 2021)

    70% of tech workers work from home (Source: Statcan, 2021)

    Remote work demands new security solutions

    The security perimeter is finally gone

    The data is outside the datacenter.
    The users are outside the office.
    The endpoints are … anywhere and everywhere.

    Organizations that did not implement digital transformation changes following COVID-19 experience higher costs following a breach, likely because it is taking nearly two months longer, on average, to detect and contain a breach when more than 50% of staff are working remotely (IBM, 2021).

    In 2022 the cumulative risk of so many remote connections means we need to rethink how we secure the remote/hybrid workforce.

    Security
    • Distributed denial of service
    • DNS hijacking
    • Weak VPN protocols
    Identity
    • One-time verification allowing lateral movement
    Colorful tiles representing the surrounding security solutions. Network
    • Risk perimeter stops at corporate network edge
    • Split tunneling
    Authentication
    • Weak authentication
    • Weak password
    Access
    • Man-in-the-middle attack
    • Cross-site scripting
    • Session hijacking

    Recommended Actions

    Mature your identity management

    Compromised identity is the main vector to breaches in recent years. Stale accounts, contractor accounts, misalignment between HR and IT – the lack of foundational practices leads to headline-making breaches every week.
    Tighten up identity control to keep your organization out of the newspaper.

    Get a handle on your endpoints

    Work-from-home (WFH) often means unknown endpoints on unknown networks full of other unknown devices…and others in the home potentially using the workstation for non-work purposes. Gaining visibility into your endpoints can help to keep detection and resolution times short.

    Educate users

    Educate everyone on security best practices when working remotely:

    • Apply secure settings (not just defaults) to the home network.
    • Use strong passwords.
    • Identify suspicious email.
    Ease of use

    Many workers complain that the corporate technology solution makes it difficult to get their work done.

    Employees will take productivity over security if we force them to choose, so IT needs to listen to end users’ needs and provide a solution that is nimble and secure.

    Roadmap to securing remote/hybrid workforce

    Use this template to explain the priorities you need your stakeholders to know about.

    Provide a brief value statement for the initiative.

    The corporate network now extends to the internet – ensure your security plan has you covered.

    Initiative Description:

    • Reassess enterprise security strategy to include the WFH attack surface (especially endpoint visibility).
    • Ensure authentication requirements for remote workers are sufficient (e.g. MFA, strong passwords, hardware tokens for high-risk users/connections).
    • Assess the value of zero trust networking to minimize the blast radius in the case of a breach.
    • Perform penetration testing annually.
    Description must include what IT will undertake to complete the initiative.

    Primary Business Benefits:

    Arrow pointing down.


    Reduced cost of security incidents/reputational damage

    Other Expected Business Benefits:

    Arrow pointing up.
    Improved ability to attract and retain talent
    Arrow pointing up.
    Increased business adaptability
    Align initiative benefits back to business benefits or benefits for the stakeholder groups that it impacts.

    Risks:

    • Potential disruption to traditional working patterns
    • Cost of investing in WFH versus risk of BYOD

    Related Info-Tech Research:

    Secure Digital Transformation

    Priority 03

    Digital transformation could be a competitive advantage…or the cause of your next data breach.

    Executive summary

    Background

    Digital transformation is occurring at an ever-increasing rate these days. As Microsoft CEO Satya Nadella said early in the pandemic, “We’ve seen two years’ worth of digital transformation in two months.”

    We have heard similar stories from Info-Tech members who deployed rollouts that were scheduled to take months over a weekend instead.

    Microsoft’s own shift to rapidly expand its Teams product is a prime example of how quickly the digital landscape has changed. The global adaption to a digital world has largely been a success story, but rapid change comes with risk, and there is a parallel story of rampant cyberattacks like we have never seen before.

    Insight

    There is an adage that “slow is smooth, and smooth is fast” – the implication being that fast is sloppy. In 2022 we’ll see a pattern of organizations working to catch up their cybersecurity with the transformations we all made in 2020.

    $1.78 trillion expected in digital transformation investments (Source: World Economic Forum, 2021)

    An ounce of security prevention versus a pound of cure

    The journey of digital transformation is a risky one.

    Digital transformations often rely heavily on third-party cloud service providers, which increases exposure of corporate data.

    Further, adoption of new technology creates a new threat surface that must be assessed, mitigations implemented, and visibility established to measure performance.

    However, digital transformations are often run on slim budgets and without expert guidance.

    Survey respondents report as much: rushed deployments, increased cloud migration, and shadow IT are the top vulnerabilities reported by security leaders and executives.

    In a 2020 Ponemon survey, 82% of IT security and C-level executives reported experiencing at least one data breach directly resulting from a digital transformation they had undergone.

    Scope creep is inevitable on any large project like a digital transformation. A small security shortcut early in the project can have dire consequences when it grows to affect personal data and critical systems down the road.

    Recommended Actions

    Engage the business early and often

    Despite the risks, organizations engage in digital transformations because they also have huge business value.

    Security leaders should not be seeking to slow or stop digital transformations; rather, we should be engaging with the business early to get ahead of risks and enable successful transformation.

    Establish a vendor security program

    Data is moving out of datacenters and onto third-party environments. Without security requirements built into agreements, and clear visibility into vendor security capabilities, that data is a major source of risk.

    A robust vendor security program will create assurance early in the process and help to reinforce the responsibility of securing data with other parts of the organization.

    Build/revisit your security strategy

    The threat surface has changed since before your transformation. This is the right time to revisit or rebuild your security strategy to ensure that your control set is present throughout the new environment – and also a great opportunity to show how your current security investments are helping secure your new digital lines of business!

    Educate your key players

    Only 16% of security leaders and executives report alignment between security and business processes during digital transformation.

    If security is too low a priority, then key players in your transformation efforts are likely unaware of how security risks impact their own success. It will be incumbent upon the CISO to start that conversation.

    Securing digital transformation

    Use this template to explain the priorities you need your stakeholders to know about.

    Provide a brief value statement for the initiative.

    Ensure your investment in digital transformation is appropriately secured.

    Initiative Description:

    • Engage security with digital transformation and relevant governance structures (steering committees) to ensure security considerations are built into digital transformation planning.
    • Incorporate security stage gates in project management procedures.
    • Establish a vendor security assessment program.
    Description must include what IT will undertake to complete the initiative.

    Primary Business Benefits:

    Arrow pointing up.


    Increased likelihood of digital transformation success

    Other Expected Business Benefits:

    Arrow pointing up.
    Ability to make informed decisions for the field rep strategy
    Arrow pointing down.
    Reduced long-term cost of digital transformation
    Align initiative benefits back to business benefits or benefits for the stakeholder groups that it impacts.

    Risks:

    • Potential increased up front cost (reduced long-term cost)
    • Potential slowed implementation with security stage gates in project management

    Related Info-Tech Research:

    Adopt Zero Trust

    Priority 04

    Governments are recognizing the importance of zero trust strategies. So should your organization.

    Why now for zero trust?

    John Kindervag modernized the concept of zero trust back in 2010, and in the intervening years there has been enormous interest in cybersecurity circles, yet in 2022 only 30% of organizations report even beginning to roll out zero trust capabilities (Statista, 2022).

    Why such little action on a revolutionary and compelling model?

    Zero trust is not a technology; it is a principle. Zero trust adoption takes concerted planning, effort, and expense, for which the business value has been unclear throughout most of the last 10 years. However, several recent developments are changing that:

    • Securing technology has become very hard! The size, complexity, and attack surface of IT environments has grown significantly – especially since the pandemic.
    • Cyberattacks have become rampant as the cost to deploy harmful ransomware has become lower and the impact has become higher.
    • The shift away from on-premises datacenters and offices created an opening for zero trust investment, and zero trust technology is more mature than ever before.

    The time has come for zero trust adoption to begin in earnest.

    97% will maintain or increase zero trust budget (Source: Statista, 2022)

    Traditional perimeter security is not working

    Zero trust directly addresses the most prevalent attack vectors today

    A hybrid workforce using traditional VPN creates an environment where we are exposed to all the risks in the wild (unknown devices at any location on any network), but at a stripped-down security level that still provides the trust afforded to on-premises workers using known devices.

    What’s more, threats such as ransomware are known to exploit identity and remote access vulnerabilities before moving laterally within a network – vectors that are addressed directly by zero trust identity and networking. Ninety-three percent of surveyed zero trust adopters state that the benefits have matched or exceeded their expectations (iSMG, 2022).

    Top reasons for building a zero trust program in 2022

    (Source: iSMG, 2022)

    44%

    Enforce least privilege access to critical resources

    44%

    Reduce attacker ability to move laterally

    41%

    Reduce enterprise attack surface

    The business case for zero trust is clearer than ever

    Prior obstacles to Zero Trust are disappearing

    A major obstacle to zero trust adoption has been the sheer cost, along with the lack of business case for that investment. Two factors are changing that paradigm in 2022:

    The May 2021 US White House Executive Order for federal agencies to adopt zero trust architecture finally placed zero trust on the radar of many CEOs and board members, creating the business interest and willingness to consider investing in zero trust.

    In addition, the cost of adopting zero trust is quickly being surpassed by the cost of not adopting zero trust, as cyberattacks become rampant and successful zero trust deployments create a case study to support investment.

    Bar chart titled 'Cost to remediate a Ransomware attack' with bars representing the years '2021' and '2020'. 2021's cost sits around $1.8M while 2020's was only $750K The cost to remediate a ransomware attack more than doubled from 2020 to 2021. Widespread adoption of zero trust capabilities could keep that number from doubling again in 2022. (Source: Sophos, 2021)

    The cost of a data breach is on average $1.76 million less for organizations with mature zero trust deployments.

    That is, the cost of a data breach is 35% reduced compared to organizations without zero trust controls. (Source: IBM, 2021)

    Recommended Actions

    Start small

    Don’t put all your eggs in one basket by deploying zero trust in a wide swath. Rather, start as small as possible to allow for growing pains without creating business friction (or sinking your project altogether).

    Build a sensible roadmap

    Zero trust principles can be applied in a myriad of ways, so where should you start? Between identities, devices, networking, and data, decide on a use case to do pilot testing and then refine your approach.

    Beware too-good-to-be-true products

    Zero trust is a powerful buzzword, and vendors know it.

    Be skeptical and do your due diligence to ensure your new security partners in zero trust are delivering what you need.

    Zero trust roadmap

    Use this template to explain the priorities you need your stakeholders to know about.

    Provide a brief value statement for the initiative.

    Develop a practical roadmap that shows the business value of security investment.

    Initiative Description:

    • Define desired business and security outcomes from zero trust adoption.
    • Assess zero trust readiness.
    • Build roadmaps for zero trust:
      1. Identity
      2. Networking
      3. Devices
      4. Data
    Description must include what IT will undertake to complete the initiative.

    Primary Business Benefits:

    Arrow pointing up.


    Increased security posture and business agility

    Other Expected Business Benefits:

    Arrow pointing down.
    Reduced impact of security events
    Arrow pointing down.
    Reduced cost of managing complex control set
    Arrow pointing up.
    More secure business transformation (i.e. cloud/digital)
    Align initiative benefits back to business benefits or benefits for the stakeholder groups that it impacts.

    Risks:

    • Learning curve of implementation (start small and slow)
    • Transition from current control set to zero trust model

    Related Info-Tech Research:

    Protect Against and Respond to Ransomware

    Priority 05

    Ransomware is still the #1 threat to the safety of your data.

    Executive summary

    Background

    • Ransomware attacks have transformed in 2021 and show no sign of slowing in 2022. There is a new major security breach every week, despite organizations spending over $150 billion in a year on cybersecurity (Nasdaq, 2021).
    • Ransomware as a service (RaaS) is commonplace, and attackers are doubling down by holding encrypted data ransom and also demanding payment under threat to disclose exfiltrated data – and they are making good on their threats.
    • The global cost of ransomware is expected to rise to $265 billion by 2031 (Cybersecurity Ventures, 2021).
    • We expect to see an increase in ransomware incidents in 2022, both in severity and volume – multiple attacks and double extortion are now the norm.
    • High staff turnover increases risk because new employees are unfamiliar with security protocols.

    150% increase ransomware attacks in 2020 (Source: ENISA)

    This is a new golden age of ransomware

    What is the same in 2022

    Unbridled ransomware attacks make it seem like attackers must be using complex new techniques, but prevalent ransomware attack vectors are actually well understood.

    Nearly all modern variants are breaching victim systems in one of three ways:

    • Email phishing
    • Software vulnerabilities
    • RDP/Remote access compromise
    What is new in 2022
    The sophistication of victim targeting

    Victims often find themselves asking, “How did the attackers know to phish the most security-oblivious person in my staff?” Bad actors have refined their social engineering and phishing to exploit high-risk individuals, meaning your chain is only as strong as the weakest link.

    Ability of malware to evade detection

    Modern ransomware is getting better at bypassing anti-malware technology, for example, through creative techniques such as those seen in the MedusaLocker variant and in Ghost Control attacks.

    Effective anti-malware is still a must-have control, but a single layer of defense is no longer enough. Any organization that hopes to avoid paying a ransom must prepare to detect, respond, and recover from an attack.

    Many leaders still don’t know what a ransomware recovery would look like

    Do you know what it would take to recover from a ransomware incident?

    …and does your executive leadership know what it would take to recover?

    The organizations that are most likely to pay a ransom are unprepared for the reality of recovering their systems.

    If you have not done a tabletop or live exercise to simulate a true recovery effort, you may be exposed to more risk than you realize.

    Are your defenses sufficiently hardened against ransomware?

    Organizations with effective security prevention are often breached by ransomware – but they are prepared to contain, detect, and eradicate the infection.

    Ask yourself whether you have identified potential points of entry for ransomware. Assume that your security controls will fail.

    How well are your security controls layered, and how difficult would it be for an attacker to move east/west within your systems?

    Recommended Actions

    Be prepared for a breach

    There is no guarantee that an organization will not fall victim to ransomware, so instead of putting all their effort into prevention, organizations should also put effort into planning to respond to a breach.

    Security awareness training/phishing detection

    Phishing continues to be the main point of entry for ransomware. Investing in phishing awareness and detection among your end users may be the most impactful countermeasure you can implement.

    Zero trust adoption

    Always verify at every step of interaction, even when access is requested by internal users. Manage access of sensitive information based on the principle of least privilege access.

    Encrypt and back up your data

    Encrypt your data so that even if there is a breach, the attackers don’t have a copy of your data. Also, keep regular backups of data at a separate location so that you still have data to work with after a breach occurs.

    You never want to pay a ransom. Being prepared to deal with an incident is your best chance to avoid paying!

    Prevent and respond to ransomware

    Use this template to explain the priorities you need your stakeholders to know about.

    Provide a brief value statement for the initiative.

    Determine your current readiness, response plan, and projects to close gaps.

    Initiative Description:

    • Execute a systematic assessment of your current security and ransomware recovery capabilities.
    • Perform tabletop activities and live recoveries to test data recovery capabilities.
    • Train staff to detect suspicious communications and protect their identities.
    Description must include what IT will undertake to complete the initiative.

    Primary Business Benefits:

    Arrow pointing up.


    Improved productivity and brand protection

    Other Expected Business Benefits:

    Arrow pointing down.
    Reduced downtime and disruption
    Arrow pointing down.
    Reduced cost due to incidents (ransom payments, remediation)
    Align initiative benefits back to business benefits or benefits for the stakeholder groups that it impacts.

    Risks:

    • Friction with existing staff

    Related Info-Tech Research:

    Deepfakes: Dark-horse threat for 2022

    Deepfake video

    How long has it been since you’ve gone a full workday without having a videoconference with someone?

    We have become inherently trustful that the face we see on the screen is real, but the technology required to falsify that video is widely available and runs on commercially available hardware, ushering in a genuinely post-truth online era.

    Criminals can use deepfakes to enhance social engineering, to spread misinformation, and to commit fraud and blackmail.

    Deepfake audio

    Many financial institutions have recently deployed voiceprint authentication. TD describes its VoicePrint as “voice recognition technology that allows us to use your voiceprint – as unique to you as your fingerprint – to validate your identity” over the phone.

    However, hackers have been defeating voice recognition for years already. There is ripe potential for voice fakes to fool both modern voice recognition technology and the accounts payable staff.

    Bibliography

    “2021 Ransomware Statistics, Data, & Trends.” PurpleSec, 2021. Web.

    Bayern, Macy. “Why 60% of IT security pros want to quit their jobs right now.” TechRepublic, 10 Oct. 2018. Web.

    Bresnahan, Ethan. “How Digital Transformation Impacts IT And Cyber Risk Programs.” CyberSaint Security, 25 Feb. 2021. Web.

    Clancy, Molly. “The True Cost of Ransomware.” Backblaze, 9 Sept. 2021.Web.

    “Cost of a Data Breach Report 2021.” IBM, 2021. Web.

    Cybersecurity Ventures. “Global Ransomware Damage Costs To Exceed $265 Billion By 2031.” Newswires, 4 June 2021. Web.

    “Digital Transformation & Cyber Risk: What You Need to Know to Stay Safe.” Ponemon Institute, June 2020. Web.

    “Global Incident Response Threat Report: Manipulating Reality.” VMware, 2021.

    Granger, Diana. “Karmen Ransomware Variant Introduced by Russian Hacker.” Recorded Future, 18 April 2017. Web.

    “Is adopting a zero trust model a priority for your organization?” Statista, 2022. Web.

    “(ISC)2 Cybersecurity Workforce Study, 2021: A Resilient Cybersecurity Profession Charts the Path Forward.” (ISC)2, 2021. Web.

    Kobialka, Dan. “What Are the Top Zero Trust Strategies for 2022?” MSSP Alert, 10 Feb. 2022. Web.

    Kost, Edward. “What is Ransomware as a Service (RaaS)? The Dangerous Threat to World Security.” UpGuard, 1 Nov. 2021. Web.

    Lella, Ifigeneia, et al., editors. “ENISA Threat Landscape 2021.” ENISA, Oct. 2021. Web.

    Mello, John P., Jr. “700K more cybersecurity workers, but still a talent shortage.” TechBeacon, 7 Dec. 2021. Web.

    Naraine, Ryan. “Is the ‘Great Resignation’ Impacting Cybersecurity?” SecurityWeek, 11 Jan. 2022. Web.

    Oltsik, Jon. “ESG Research Report: The Life and Times of Cybersecurity Professionals 2021 Volume V.” Enterprise Security Group, 28 July 2021. Web.

    Osborne, Charlie. “Ransomware as a service: Negotiators are now in high demand.” ZDNet, 8 July 2021. Web.

    Osborne, Charlie. “Ransomware in 2022: We’re all screwed.” ZDNet, 22 Dec. 2021. Web.

    “Retaining Tech Employees in the Era of The Great Resignation.” TalentLMS, 19 Oct. 2021. Web.

    Rubin, Andrew. “Ransomware Is the Greatest Business Threat in 2022.” Nasdaq, 7 Dec. 2021. Web.

    Samartsev, Dmitry, and Daniel Dobrygowski. “5 ways Digital Transformation Officers can make cybersecurity a top priority.“ World Economic Forum, 15 Sept. 2021. Web.

    Seymour, John, and Azeem Aqil. “Your Voice is My Passport.” Presented at black hat USA 2018.

    Solomon, Howard. “Ransomware attacks will be more targeted in 2022: Trend Micro.” IT World Canada, 6 Jan. 2022. Web.

    “The State of Ransomware 2021.” Sophos, April 2021. Web.

    Tarun, Renee. “How The Great Resignation Could Benefit Cybersecurity.” Forbes Technology Council, Forbes, 21 Dec. 2021. Web.

    “TD VoicePrint.” TD Bank, n.d. Web.

    “Working from home during the COVID-19 pandemic, April 202 to June 2021.” Statistics Canada, 4 Aug. 2021. Web.

    “Zero Trust Strategies for 2022.” iSMG, Palo Alto Networks, and Optiv, 28 Jan. 2022. Web.

    Improve Security Governance With a Security Steering Committee

    • Buy Link or Shortcode: {j2store}373|cart{/j2store}
    • member rating overall impact: 9.5/10 Overall Impact
    • member rating average dollars saved: $10,000 Average $ Saved
    • member rating average days saved: 20 Average Days Saved
    • Parent Category Name: Governance, Risk & Compliance
    • Parent Category Link: /governance-risk-compliance
    • Security is still seen as an IT problem rather than a business risk, resulting in security governance being relegated to the existing IT steering committee.
    • Security is also often positioned in the organization where they are not privy to the details of the organization’s overall strategy. Security leaders struggle to get the full enterprise picture.

    Our Advice

    Critical Insight

    • Work to separate the Information Security Steering Committee (ISSC) from the IT Steering Committee (ITSC). Security transcends the boundaries of IT and needs an independent, eclectic approach to make strategic decisions.
    • Be the lawyer, not the cop. Ground your communications in business terminology to facilitate a solution that makes sense to the entire organization.
    • Develop and stick to the agenda. Continued engagement from business stakeholders requires sticking to a strategic level-focused agenda. Dilution of purpose will lead to dilution in attendance.

    Impact and Result

    • Define a clear scope of purpose and responsibilities for the ISSC to gain buy-in and consensus for security governance receiving independent agenda time from the broader IT organization.
    • Model the information flows necessary to provide the steering committee with the intelligence to make strategic decisions for the enterprise.
    • Determine membership and responsibilities that shift with the evolving security landscape to ensure participation reflects interested parties and that money being spent on security mitigates risk across the enterprise.
    • Create clear presentation material and strategically oriented meeting agendas to drive continued participation from business stakeholders and executive management.

    Improve Security Governance With a Security Steering Committee Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out how to improve your security governance with a security steering committee, review Info-Tech’s methodology, and understand the ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Define committee purpose and responsibilities

    Identify the purpose of your committee, determine the capabilities of the committee, and define roles and responsibilities.

    • Improve Security Governance With a Security Steering Committee – Phase 1: Define Committee Purpose and Responsibilities
    • Information Security Steering Committee Charter

    2. Determine information flows, membership & accountabilities

    Determine how information will flow and the process behind that.

    • Improve Security Governance With a Security Steering Committee – Phase 2: Determine Information Flows, Membership & Accountabilities

    3. Operate the Information Security Steering Committee

    Define your meeting agendas and the procedures to support those meetings. Hold your kick-off meeting. Identify metrics to measure the committee’s success.

    • Improve Security Governance With a Security Steering Committee – Phase 3: Operate the Information Security Steering Committee
    • Security Metrics Summary Document
    • Information Security Steering Committee Stakeholder Presentation
    [infographic]

    Further reading

    Improve Security Governance With a Security Steering Committee

    Build an inclusive committee to enable holistic strategic decision making.

    ANALYST PERSPECTIVE

    "Having your security organization’s steering committee subsumed under the IT steering committee is an anachronistic framework for today’s security challenges. Conflicts in perspective and interest prevent holistic solutions from being reached while the two permanently share a center stage.

    At the end of the day, security is about existential risks to the business, not just information technology risk. This focus requires its own set of business considerations, information requirements, and delegated authorities. Without an objective and independent security governance body, organizations are doomed to miss the enterprise-wide nature of their security problems."

    – Daniel Black, Research Manager, Security Practice, Info-Tech Research Group

    Our understanding of the problem

    This Research Is Designed For:

    • CIOs
    • CISOs
    • IT/Security Leaders

    This Research Will Help You:

    • Develop an effective information security steering committee (ISSC) that ensures the right people are involved in critical decision making.
    • Ensure that business and IT strategic direction are incorporated into security decisions.

    This Research Will Also Assist:

    • Information Security Steering Committee (ISSC) members

    This Research Will Help Them:

    • Formalize roles and responsibilities.
    • Define effective security metrics.
    • Develop a communication plan to engage executive management in the organization’s security planning.

    Executive summary

    Situation

    • Successful information security governance requires a venue to address security concerns with participation from across the entire business.
    • Without access to requisite details of the organization – where we are going, what we are trying to do, how the business expects to use its technology – security can not govern its strategic direction.

    Complication

    • Security is still seen as an IT problem rather than a business risk, resulting in security governance being relegated to the existing IT steering committee.
    • Security is also often positioned in the organization where they are not privy to the details of the organization’s overall strategy. Security leaders struggle to get the full enterprise picture.

    Resolution

    • Define a clear scope of purpose and responsibilities for the Information Security Steering Committee to gain buy-in and consensus for security governance receiving independent agenda time from the broader IT organization.
    • Model the information flows necessary to provide the steering committee with the intelligence to make strategic decisions for the enterprise.
    • Determine membership and responsibilities that shift with the evolving security landscape to ensure participation reflects interested parties and that money being spent on security mitigates risk across the enterprise.
    • Create security metrics that are aligned with committee members’ operational goals to incentivize participation.
    • Create clear presentation material and strategically oriented meeting agendas to drive continued participation from business stakeholders and executive management.

    Info-Tech Insight

    1. Work to separate the ISSC from the IT Steering Committee (ITSC). Security transcends the boundaries of IT and needs an independent, eclectic approach to make strategic decisions.
    2. Be the lawyer, not the cop. Ground your communications in business terminology to facilitate a solution that make sense to the entire organization.
    3. Develop and stick to the agenda. Continued engagement from business stakeholders requires sticking to a strategic level-focused agenda. Dilution of purpose will lead to dilution in attendance.

    Empower your security team to act strategically with an ISSC

    Establishing an Information Security Steering Committee (ISSC)

    Even though security is a vital consideration of any IT governance program, information security has increasingly become an important component of the business, moving beyond the boundaries of just the IT department.

    This requires security to have its own form of steering, beyond the existing IT Steering Committee, that ensures continual alignment of the organization’s security strategy with both IT and business strategy.

    An ISSC should have three primary objectives:

    • Direct Strategic Planning The ISSC formalizes organizational commitments to strategic planning, bringing visibility to key issues and facilitating the integration of security controls that align with IT and business strategy.
    • Institute Clear Accountability The ISSC facilitates the involvement and commitment of executive management through clearly defined roles and accountabilities for security decisions, ensuring consistency in participation as the organization’s strategies evolve.
    • Optimize Security Resourcing The ISSC maximizes security by monitoring the implementation of the security strategic plan, making recommendations on prioritization of effort, and securing necessary resources through the planning and budgeting processes, as necessary.

    What does the typical ISSC do?

    Ensuring proper governance over your security program is a complex task that requires ongoing care and feeding from executive management to succeed.

    Your ISSC should aim to provide the following core governance functions for your security program:

    1. Define Clarity of Intent and Direction How does the organization’s security strategy support the attainment of the business and IT strategies? The ISSC should clearly define and communicate strategic linkage and provide direction for aligning security initiatives with desired outcomes.
    2. Establish Clear Lines of Authority Security programs contain many important elements that need to be coordinated. There needs to be clear and unambiguous authority, accountability, and responsibility defined for each element so lines of reporting/escalation are clear and conflicting objectives can be mediated.
    3. Provide Unbiased Oversight The ISSC should vet the organization’s systematic monitoring processes to make certain there is adherence to defined risk tolerance levels and ensure that monitoring is appropriately independent from the personnel responsible for implementing and managing the security program.
    4. Optimize Security Value Delivery Optimized value delivery occurs when strategic objectives for security are achieved and the organization’s acceptable risk posture is attained at the lowest possible cost. This requires constant attention to ensure controls are commensurate with any changes in risk level or appetite.

    Formalize the most important governance functions for your organization

    Creation of an ISSC is deemed the most important governance and oversight practice that a CISO can implement, based on polling of IT security leaders analyzing the evolving role of the CISO.

    Relatedly, other key governance practices reported – status updates, upstream communications, and executive-level sponsorship – are within the scope of what organizations traditionally formalize when establishing their ISSC.

    Vertical bar chart highlighting the most important governance functions according to respondents. The y axis is labelled 'Percentage of Respondents' with the values 0%-60%, and the x axis is labelled 'Governance and Oversight Practices'. Bars are organized from highest percentage to lowest with 'Creation of cross-functional committee to oversee security strategy' at 56%, 'Regularly scheduled reporting on the state of security to stakeholders' at 55%, 'Upstream communication channel from security leadership to CEO' at 46%, and 'Creation of program charter approved by executive-level sponsor' at 37%. Source: Ponemon Institute, 2017; N=184 organizations; 660 respondents.

    Despite the clear benefits of an ISSC, organizations are still falling short

    83% of organizations have not established formal steering committees to evaluate the business impact and risks associated with security decisions. (Source: 2017 State of Cybersecurity Metrics Report)

    70% of organizations have delegated cybersecurity oversight to other existing committees, providing security limited agenda time. (Source: PwC 2017 Annual Corporate Director Survey)

    "This is a group of risk managers an institution would bring together to deal with a response anyway. Having them in place to do preventive discussions and formulate policy to mitigate the liability sets and understand compliance obligations is just powerful." (Kirk Bailey, CISO, University of Washington)

    Prevent the missteps that make 9 out of 10 steering committees unsuccessful

    Why Do Steering Committees Fail?

    1. A lack of appetite for a steering committee from business partners. An effective ISSC requires participation from core members of the organization’s leadership team. The challenge is that most business partners don’t understand the benefits of an ISSC and the responsibilities aren’t tailored to participants’ needs or interests. It’s the CISO’s (or senior IT/security leader’s) responsibility to make this case to stakeholders and right-size the committee responsibilities and membership.
    2. ISSC committees are given inappropriate responsibilities. The steering committee is fundamentally about decision making; it’s not a working committee. Security leadership typically struggles with clarifying these responsibilities on two fronts: either the responsibilities are too vague and there is no clear way to execute on them within a meeting or responsibilities are too tactical and require knowledge that participants do not have. Responsibilities should determine who is on the ISSC, not the other way around.
    3. Lack of process around execution. An ISSC is only valuable if members are able to successfully execute on its mandate. Without well-defined processes it becomes nearly impossible for the ISSC to be actionable. As a result, participants lack the information they need to make critical decisions, agendas are unmet, and meetings are seen as a waste of time.

    Use these icons to help direct you as you navigate this research

    Use these icons to help guide you through each step of the blueprint and direct you to content related to the recommended activities.

    A small monochrome icon of a wrench and screwdriver creating an X.

    This icon denotes a slide where a supporting Info-Tech tool or template will help you perform the activity or step associated with the slide. Refer to the supporting tool or template to get the best results and proceed to the next step of the project.

    A small monochrome icon depicting a person in front of a blank slide.

    This icon denotes a slide with an associated activity. The activity can be performed either as part of your project or with the support of Info-Tech team members, who will come onsite to facilitate a workshop for your organization.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Improve Security Governance With a Security Steering Committee – project overview

    1. Define Committee Purpose and Responsibilities

    2. Determine Information Flows, Membership & Accountabilities

    3. Operate the Information Security Steering Committee

    Supporting Tool icon

    Best-Practice Toolkit

    1.1 Tailor Info-Tech’s Information Security Steering Committee Charter Template to define terms of reference for the ISSC

    1.2 Conduct a SWOT analysis of your information security governance capabilities

    1.3 Identify the responsibilities and duties of the ISSC

    1.4 Draft the committee purpose statement of your ISSC

    2.1 Define your SIPOC model for each of the ISSC responsibilities

    2.2 Identify committee participants and responsibility cadence

    2.3 Define ISSC participant RACI for each of the responsibilities

    3.1 Define the ISSC meeting agendas and procedures

    3.2 Define which metrics you will report to the ISSC

    3.3 Hold a kick-off meeting with your ISSC members to explain the process, responsibilities, and goals

    3.4 Tailor the Information Security Steering Committee Stakeholder Presentation template

    3.5 Present the information to the security leadership team

    3.6 Schedule your first meeting of the ISSC

    Guided Implementations

    • Identify the responsibilities and duties of the ISSC.
    • Draft the committee purpose of the ISSC.
    • Determine SIPOC modeling of information flows.
    • Determine accountabilities and responsibilities.
    • Set operational standards.
    • Determine effectiveness metrics.
    • Steering committee best practices.
    Associated Activity icon

    Onsite Workshop

    This blueprint can be combined with other content for onsite engagements, but is not a standalone workshop.
    Phase 1 Outcome:
    • Determine the purpose and responsibilities of your information security steering committee.
    Phase 2 Outcome:
    • Determine membership, accountabilities, and information flows to enable operational excellence.
    Phase 3 Outcome:
    • Define agendas and standard procedures to operate your committee.
    • Design an impactful stakeholder presentation.

    Improve Security Governance With a Security Steering Committee

    PHASE 1

    Define Committee Purpose and Responsibilities

    Phase 1: Define Committee Purpose and Responsibilities

    ACTIVITIES:

    • 1.1 Tailor Info-Tech’s Information Security Steering Committee Charter Template to define terms of reference for the ISSC
    • 1.2 Conduct a SWOT analysis of your information security governance capabilities
    • 1.3 Identify the responsibilities and duties of the ISSC
    • 1.4 Draft the committee purpose statement for your ISSC

    OUTCOMES:

    • Conduct an analysis of your current information security governance capabilities and identify opportunities and weaknesses.
    • Define a clear scope of purpose and responsibilities for your ISSC.
    • Begin to customize your ISSC charter.

    Info-Tech Insight

    Balance vision with direction. Purpose and responsibilities should be defined so that they encompass your mission and objectives to the enterprise in clear terms, but provide enough detail that you can translate the charter into operational plans for the security team.

    Tailor Info-Tech’s Information Security Steering Committee Charter Template to define terms of reference for the ISSC

    Supporting Tool icon 1.1

    A charter is the organizational mandate that outlines the purpose, scope, and authority of the ISSC. Without a charter, the steering committee’s value, scope, and success criteria are unclear to participants, resulting in unrealistic stakeholder expectations and poor organizational acceptance.

    Start by reviewing Info-Tech’s template. Throughout the next two sections we will help you to tailor its contents.

    • Committee Purpose: The rationale, benefits of, and overall function of the committee.
    • Organization and Membership: Who is on the committee and how is participation measured against organizational need.
    • Responsibilities and Duties: What tasks/decisions the accountable committee is making.
    • RACI: Who is accountable, responsible, consulted, and informed regarding each responsibility.
    • Committee Procedures and Agendas: Includes how the committee will be organized and how the committee will interact and communicate with interested parties.
    Sample of the Info-Tech deliverable 'Information Security Steering Committee Charter Template'.

    Download the Information Security Steering Committee Charter to customize your organization’s charter

    Conduct a SWOT analysis of your information security governance capabilities

    Associated Activity icon 1.2

    INPUT: Survey outcomes, Governance overview handouts

    OUTPUT: SWOT analysis, Top identified challenges and opportunities

    1. Hold a meeting with your IT leadership team to conduct a SWOT analysis on your current information security governance capabilities.
    2. In small groups, or individually, have each group complete a SWOT analysis for one of the governance areas. For each consider:
      • Strengths: What is currently working well in this area?
      • Weaknesses: What could you improve? What are some of the challenges you’re experiencing?
      • Opportunities: What are some organizational trends that you can leverage? Consider whether your strengths or weaknesses could create opportunities.
      • Threats: What are some key obstacles across people, process, and technology?
    3. Have each team or individual rotate until each person has contributed to each SWOT. Add comments from the stakeholder survey to the SWOT.
    4. As a group, rank the inputs from each group and highlight the top five challenges and the top five opportunities you see for improvement.

    Identify the responsibilities and duties of the ISSC

    Associated Activity icon 1.3

    INPUT: SWOT analysis, Survey reports

    OUTPUT: Defined ISSC responsibilities

    1. With your security leadership team, review the typical responsibilities of the ISSC on the following slides (also included in the templated text of the charter linked below).
    2. Print off the following two slides, and in small teams or individually, identify which responsibilities the ISSC should have in your organization, brainstorm any additional responsibilities, and document reasoning.
    3. Have each team present to the larger group, track the similarities and differences between each of the groups, and come to consensus on the list of categories and responsibilities.
    4. Complete a sanity check: review your SWOT analysis. Do the responsibilities you’ve identified resolve the critical challenges or weaknesses?
    5. As a group, consider the responsibilities and whether you can reasonably implement those in one year or if there are any that will need to wait until year two of the committee.

    Add or modify responsibilities in Info-Tech’s Information Security Steering Committee Charter.

    Typical ISSC responsibilities and duties

    Use the following list of responsibilities to customize the list of responsibilities your ISSC may take on. These should link directly to the Responsibilities and Duties section of your ISSC charter.

    Strategic Oversight

    • Provide oversight and ensure alignment between information security strategy and company objectives.
    • Assess the adequacy of resources and funding to sustain and advance successful security programs and practices for identifying, assessing, and mitigating cybersecurity risks across all business functions.
    • Review controls to prevent, detect, and respond to cyber-attacks or information or data breaches involving company electronic information, intellectual property, data, or connected devices.
    • Review the company’s cyberinsurance policies to ensure appropriate coverage.
    • Provide recommendations, based on security best practices, for significant technology investments.

    Policy Governance

    • Review company policies pertaining to information security and cyberthreats, taking into account the potential for external threats, internal threats, and threats arising from transactions with trusted third parties and vendors.
    • Review privacy and information security policies and standards and the ramifications of updates to policies and standards.
    • Establish standards and procedures for escalating significant security incidents to the ISSC, board, other steering committees, government agencies, and law enforcement, as appropriate.

    Typical ISSC responsibilities and duties (continued)

    Use the following list of responsibilities to customize the list of responsibilities your ISSC may take on. These should link directly to the Responsibilities and Duties section of your ISSC charter.

    Risk Governance

    • Review and approve the company’s information risk governance structure and key risk management processes and capabilities.
    • Assess the company’s high-risk information assets and coordinate planning to address information privacy and security needs.
    • Provide input to executive management regarding the enterprise’s information risk appetite and tolerance.
    • Review the company’s cyber-response preparedness, incident response plans, and disaster recovery capabilities as applicable to the organization’s information security strategy.
    • Promote an open discussion regarding information risk and integrate information risk management into the enterprise’s objectives.

    Monitoring & Reporting

    • Receive periodic reports and coordinate with management on the metrics used to measure, monitor, and manage cyber and IT risks posed to the company and to review periodic reports on selected risk topics as the Committee deems appropriate.
    • Review reports provided by the IT organization regarding the status of and plans for the security of the company’s data stored on internal resources and with third-party providers.
    • Monitor and evaluate the quality and effectiveness of the company’s technology security, capabilities for disaster recovery, data protection, cyberthreat detection and cyber incident response, and management of technology-related compliance risks.

    Review the organization’s security strategy to solidify understanding of the ISSC’s purpose

    The ISSC should consistently evolve to reflect the strategic purpose of the security program. If you completed Info-Tech’s Security Strategy methodology, review the results to inform the scope of your committee. If you have not completed Info-Tech’s methodology, determining these details should be achieved through iterative stakeholder consultations.

    Strategy Components

    ISSC Considerations

    Security Pressure Analysis

    Review the ten security domains and your organization’s pressure levels to review the requisite maturity level of your security program. Consider how this may impact the focus of your ISSC.

    Security Drivers/Obligations

    Review how your security program supports the attainment of the organization’s business objectives. By what means should the ISSC support these objectives? This should inform the rationale, benefits, and overall function of the committee.

    Security Strategy Scope and Boundaries

    Consider the scope and boundaries of your security program to reflect on what the program is responsible for securing. Is this reflected adequately in the language of the committee’s purpose? Should components be added or redacted?

    Draft the committee purpose statement of your ISSC

    Associated Activity icon 1.4

    INPUT: SWOT Analysis, Security Strategy

    OUTPUT: ISSC Committee Purpose

    1. In a meeting with your IT leadership team – and considering the organization’s security strategy, defined responsibilities, and opportunities and threats identified – review the example goal statement in the Information Security Steering Committee Charter, and identify whether any of these statements apply to your organization. Select the statements that apply and collaboratively make any changes needed.
    2. Define unique goal statements by considering the following questions:
      • What three things would you realistically list for the ISSC to achieve?
      • If you were to accomplish three things in the next year, what would those be?
    3. With those goal statements in mind, consider the overall purpose of the committee. The purpose statement should be a reflection of what the committee does, why, and the goals.
    4. Have each individual review the example purpose statement and draft what they think a good purpose statement would be.
    5. Present each statement, and work together to determine a best-of-breed statement.

    Alter the Committee Purpose section in the Information Security Steering Committee Charter.

    Secure IT-OT Convergence

    • Buy Link or Shortcode: {j2store}382|cart{/j2store}
    • member rating overall impact: 9.0/10 Overall Impact
    • member rating average dollars saved: $10,499 Average $ Saved
    • member rating average days saved: 19 Average Days Saved
    • Parent Category Name: Security Processes & Operations
    • Parent Category Link: /security-processes-and-operations

    IT and OT are both very different complex systems. However, significant benefits have driven OT to be converged to IT. This results in IT security leaders, OT leaders and their teams' facing challenges in:

    • Governing and managing IT and OT security and accountabilities.
    • Converging security architecture and controls between IT and OT environments.
    • Compliance with regulations and standards.
    • Metrics for OT security effectiveness and efficiency.

    Our Advice

    Critical Insight

    • Returning to isolated OT is not beneficial for the organization, therefore IT and OT need to learn to collaborate starting with communication to build trust and to overcome differences between IT and OT. Next, negotiation is needed on components such as governance and management, security controls on OT environments, compliance with regulations and standards, and metrics for OT security.
    • Most OT incidents start with attacks against IT networks and then move laterally into the OT environment. Therefore, converging IT and OT security will help protect the entire organization.
    • OT interfaces with the physical world while IT system concerns more on cyber world. Thus, the two systems have different properties. The challenge is how to create strategic collaboration between IT-OT based on negotiation and this needs top-down support.

    Impact and Result

    Info-Tech’s approach in preparing for IT/OT convergence in the planning phase is coordination and collaboration of IT and OT to

    • initiate communication to define roles and responsibilities.
    • establish governance and build cross-functional team.
    • identify convergence components and compliance obligations.
    • assess readiness.

    Secure IT/OT Convergence Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Secure IT/OT Convergence Storyboard – A step-by-step document that walks you through how to secure IT-OT convergence.

    Info-Tech provides a three-phase framework of secure IT/OT convergence, namely Plan, Enhance, and Monitor & Optimize. The essential steps in Plan are to:

  • Initiate communication to define roles and responsibilities.
  • Establish governance and build a cross-functional team.
  • Identify convergence components and compliance obligations.
  • Assess readiness.
    • Secure IT/OT Convergence Storyboard

    2. Secure IT/OT Convergence Requirements Gathering Tool – A tool to map organizational goals to secure IT-OT goals.

    This tool serves as a repository for information about the organization, compliance, and other factors that will influence your IT/OT convergence.

    • Secure IT/OT Convergence Requirements Gathering Tool

    3. Secure IT/OT Convergence RACI Chart Tool – A tool to identify and understand the owners of various IT/OT convergence across the organization.

    A critical step in secure IT/OT convergence is populating a RACI (Responsible, Accountable, Consulted, and Informed) chart. The chart assists you in organizing roles for carrying out convergence steps and ensures that there are definite roles that different individuals in the organization must have. Complete this tool to assign tasks to suitable roles.

    • Secure IT/OT Convergence RACI Chart Tool
    [infographic]

    Further reading

    Secure IT/OT Convergence

    Create a holistic IT/OT security culture.

    Analyst Perspective

    Are you ready for secure IT/OT convergence?

    IT/OT convergence is less of a convergence and more of a migration. The previously entirely separate OT ecosystem is migrating into the IT ecosystem, primarily to improve access via connectivity and to leverage other standard IT capabilities for economic benefit.

    In the past, OT systems were engineered to be air gapped, relying on physical protection and with little or no security in design, (e.g. OT protocols without confidentiality properties). However, now, OT has become dependent on the IT capabilities of the organization, thus OT inherits IT’s security issues, that is, OT is becoming more vulnerable to attack from outside the system. IT/OT convergence is complex because the culture, policies, and rules of IT are quite foreign to OT processes such as change management, and the culture, policies, and rules of OT are likewise foreign to IT processes.

    A secure IT/OT convergence can be conceived of as a negotiation of a strong treaty between two systems: IT and OT. The essential initial step is to begin with communication between IT and OT, followed by necessary components such as governing and managing OT security priorities and accountabilities, converging security controls between IT and OT environments, assuring compliance with regulations and standards, and establishing metrics for OT security.

    Photo of Ida Siahaan, Research Director, Security and Privacy Practice, Info-Tech Research Group. Ida Siahaan
    Research Director, Security and Privacy Practice
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    IT and OT are both very different complex systems. However, significant benefits have driven OT to converge with IT. This results in IT security leaders, OT leaders, and their teams facing challenges with:

    • Governing and managing IT and OT security and accountabilities.
    • Converging security architecture and controls between IT and OT environments.
    • Compliance with regulations and standards.
    • Metrics for OT security effectiveness and efficiency.
    Common Obstacles
    • IT/OT network segmentation and remote access issues, as most OT incidents indicate that the attackers gained access through the IT network, followed by infiltration into OT networks.
    • OT proprietary devices and unsecure protocols use outdated systems which may be insecure by design.
    • Different requirements of OT and IT security – i.e. IT (confidentiality, integrity, and availability) vs. OT (safety, reliability, and availability).
    Info-Tech’s Approach

    Info-Tech’s approach in preparing for IT/OT convergence (i.e. the Plan phase) is coordination and collaboration of IT and OT to:

    • Initiate communication to define roles and responsibilities.
    • Establish governance and build a cross-functional team.
    • Identify convergence components and compliance obligations.
    • Assess readiness.

    Info-Tech Insight

    Returning to isolated OT is not beneficial for the organization, so IT and OT need to learn to collaborate, starting with communication to build trust and to overcome their differences. Next, negotiation is needed on components such as governance and management, security controls on OT environments, compliance with regulations and standards, and establishing metrics for OT security.

    Consequences of unsecure IT/OT convergence

    OT systems were built with no or little security design

    90% of organizations that use OT experienced a security incident. (Fortinet, 2021. Ponemon, 2019.)

    Bar graph comparing three years, 2019-2021, of four different OT security incidents: 'Ransomeware', 'Insider breaches', 'Phishing', and 'Malware'.
    (Source: Fortinet, 2021.)
    Lack of visibility

    86% of OT security-related service engagements lack complete visibility of OT network in 2021 (90% in 2020, 81% in 2019). (Source: “Cybersecurity Year In Review” Dragos, 2022.)

    The need for secure IT/OT convergence

    Important Industrial Control System (ICS) cyber incidents

    2000
    Target: Australian sewage plant. Method: Insider attack. Impact: 265,000 gallons of untreated sewage released.
    2012
    Target: Middle East energy companies. Method: Shamoon. Impact: Overwritten Windows-based systems files.
    2014
    Target: German Steel Mill. Method: Spear-phishing. Impact: Blast furnace failed to shut down.
    2017
    Target: Middle East safety instrumented system (SIS). Method: TRISIS/TRITON. Impact: Modified SIS ladder logic.
    2022
    Target: Viasat’s KA-SAT network. Method: AcidRain. Impact: Significant loss of communication for the Ukrainian military, which relied on Viasat’s services.
    Timeline of Important Industrial Control System (ICS) cyber incidents.
    1903
    Target: Marconi wireless telegraph presentation. Method: Morse code. Impact: Fake message sent “Rats, rats, rats, rats. There was a young fellow of Italy, Who diddled the public quite prettily.”
    2010
    Target: Iranian uranium enrichment plant. Method: Stuxnet. Impact: Compromised programmable logic controllers (PLCs).
    2013
    Target: ICS supply chain. Method: Havex. Impact: Remote Access Trojan (RAT) collected information and uploaded data to command-and-control (C&C) servers
    2016
    Target: Ukrainian power grid. Method: BlackEnergy. Impact: For 1-6 hours, power outages for 230,000 consumers.
    2021
    Target: Colonial Pipeline. Method: DarkSide ransomware. Impact: Compromised billing infrastructure halted the pipeline operation.

    (Source: US Department of Energy, 2018.


    ”Significant Cyber Incidents,” CSIS, 2022


    MIT Technology Review, 2022.)

    Info-Tech Insight

    Most OT incidents start with attacks against IT networks and then move laterally into the OT environment. Therefore, converging IT and OT security will help protect the entire organization.

    Case Study

    Horizon Power
    Logo for Horizon Power.
    INDUSTRY
    Utilities
    SOURCE
    Interview

    Horizon Power is the regional power provider in Western Australia and stands out as a leader not only in the innovative delivery of sustainable power, but also in digital transformation. Horizon Power is quite mature in distributed energy resource management; moving away from centralized generation to decentralized, community-led generation, which reflects in its maturity in converging IT and OT.

    Horizon Power’s IT/OT convergence journey started over six years ago when advanced metering infrastructure (AMI) was installed across its entire service area – an area covering more than one quarter of the Australian continent.

    In these early days of the journey, the focus was on leveraging matured IT approaches such as adoption of cloud services to the OT environment, rather than converging the two. Many years later, Horizon Power has enabled OT data to be more accessible to derive business benefits such as customer usage data using data analytics with the objective of improving the collection and management of the OT data to improve business performance and decision making.

    The IT/OT convergence meets legislation such as the Australian Energy Sector Cyber Security Framework (AESCSF), which has impacts on the architectural layer of cybersecurity that support delivery of the site services.

    Results

    The lessons learned in converging IT and OT from Horizon Power were:

    • Start with forming relationships to build trust and overcome any divide between IT and OT.
    • Collaborate with IT and OT teams to successfully implement solutions, such as vulnerability management and discovery tools for OT assets.
    • Switch the focus from confidentiality and integrity to availability in solutions evaluation
    • Develop training and awareness programs for all levels of the organization.
    • Actively encourage visible sponsorship across management by providing regular updates and consistent messaging.
    • Monitor cybersecurity metrics such as vulnerabilities, mean time to treat vulnerabilities, and intrusion attempts.
    • Manage third-party vendors using a platform which not only performs external monitoring but provides third-party vendors with visibility or potential threats in their organization.

    The Secure IT/OT Convergence Framework

    IT/OT convergence is less of a convergence and more of a migration. The previously entirely separate OT ecosystem is migrating onto the IT ecosystem, to improve access via the internet and to leverage other standard IT capabilities. However, IT and OT are historically very different, and without careful calculation, simply connecting the two systems will result in a problem. Therefore, IT and OT need to learn to live together starting with communication to build trust and to overcome differences between IT and OT.
    Convergence Elements
    • Process convergence
    • Software and data convergence
    • Network and infrastructure convergence
    Target Groups
    • OT leader and teams
    • IT leader and teams
    • Security leader and teams
    Security Components
    • Governance and compliance
    • Security strategy
    • Risk management
    • Security policies
    • IR, DR, BCP
    • Security awareness and training
    • Security architecture and controls

    Plan

    • Initiate communication
    • Define roles and responsibilities
    • Establish governance and build a cross-functional team
    • Identify convergence elements and compliance obligations
    • Assess readiness

    Governance

    Compliance

    Enhance

    • Update security strategy for IT/OT convergence
    • Update risk-management framework for IT/OT convergence
    • Update security policies and procedures for IT/OT convergence
    • Update incident response, disaster recovery, and business continuity plan for IT/OT convergence

    Security strategy

    Risk management

    Security policies and procedures

    IR, DR, and BCP

    Monitor &
    Optimize

    • Implement awareness, induction, and cross-training program
    • Design and deploy converging security architecture and controls
    • Establish and monitor IT/OT security metrics on effectiveness and efficiency
    • Red-team followed by blue-team activity for cross-functional team building

    Awareness and cross-training

    Architecture and controls

    Phases
    Color-coded phases with arrows looping back up from the bottom to top phase.
    • Plan
    • Enhance
    • Monitor & Optimize
    Plan Outcomes
    • Mapping business goals to IT/OT security goals
    • RACI chart for priorities and accountabilities
    • Compliance obligations register
    • Readiness checklist
    Enhance Outcomes
    • Security strategy for IT/OT convergence
    • Risk management framework
    • Security policies & procedures
    • IR, DR, BCP
    Monitor & Optimize Outcomes
    • Security awareness and training
    • Security architecture and controls
    Plan Benefits
    • Improved flexibility and less divided IT/OT
    • Improved compliance
    Enhance Benefits
    • Increased strategic common goals
    • Increased efficiency and versatility
    Monitor & Optimize Benefits
    • Enhanced security
    • Reduced costs

    Plan

    Initiate communication

    To initiate communication between the IT and OT teams, it is important to understand how the two groups are different and to build trust to find a holistic approach which overcomes those differences.
    IT OT
    Remote Access Well-defined access control Usually single-level access control
    Interfaces Human Machine, equipment
    Software ERP, CRM, HRIS, payroll SCADA, DCS
    Hardware Servers, switches, PCs PLC, HMI, sensors, motors
    Networks Ethernet Fieldbus
    Focus Reporting, communication Up-time, precision, safety
    Change management Frequent updates and patches Infrequent updates and patches
    Security Confidentiality, integrity, availability Safety, reliability, availability
    Time requirement Normally not time critical Real time

    Info-Tech Insight

    OT interfaces with the physical world while IT system concerns more on cyber world. Thus, the two systems have different properties. The challenge is how to create strategic collaboration between IT and OT based on negotiation, and this needs top-down support.

    Identifying organization goals is the first step in aligning your secure IT/OT convergence with your organization’s vision.

    • Security leaders need to understand the direction the organization is headed in.
    • Wise security investments depend on aligning your security initiatives to the organization.
    • Secure IT/OT convergence should contribute to your organization’s objectives by supporting operational performance and ensuring brand protection and shareholder value.

    Map organizational goals to IT/OT security goals

    Input: Corporate, IT, and OT strategies

    Output: Your goals for the security strategy

    Materials: Secure IT/OT Convergence Requirements Gathering Tool

    Participants: Executive leadership, OT leader, IT leader, Security leader, Compliance, Legal, Risk management

    1. As a group, brainstorm organization goals.
      1. Review relevant corporate, IT, and OT strategies.
    2. Record the most important business goals in the Secure IT/OT Convergence Requirements Gathering Tool. Try to limit the number of business goals to no more than 10 goals. This limitation will be critical to helping focus on your secure IT/OT convergence.
    3. For each goal, identify one to two security alignment goals. These should be objectives for the security strategy that will support the identified organization goals.

    Download the Secure IT/OT Convergence Requirements Gathering Tool

    Record organizational goals

    Sample of the definitions table with columns numbered 1-4.

    Refer to the Secure IT/OT Convergence Framework when filling in the following elements.

    1. Record your identified organization goals in the Goals Cascade tab of the Secure IT/OT Convergence Requirements Gathering Tool.
    2. For each of your organizational goals, identify IT alignment goals.
    3. For each of your organizational goals, identify OT alignment goals.
    4. For each of your organizational goals, select one to two IT/OT security alignment goals from the drop-down lists.

    Establish scope and boundaries

    It is important to know at the outset of the strategy: What are we trying to secure in IT/OT convergence ?
    This includes physical areas we are responsible for, types of data we care about, and departments or IT/OT systems we are responsible for.

    This also includes what is not in scope. For some outsourced services or locations, you may not be responsible for their security. In some business departments, you may not have control of security processes. Ensure that it is made explicit at the outset what will be included and what will be excluded from security considerations.

    Physical Scope and Boundaries

    • How many offices and locations does your organization have?
    • Which locations/offices will be covered by your information security management system (ISMS)?
    • How sensitive is the data residing at each location?
    • You may have many physical locations, and it is not necessary to list each one. Rather, list exceptional cases that are specifically in or out of scope.

    IT Systems Scope and Boundaries

    • There may be hundreds of applications that are run and maintained in your organization. Some of these may be legacy applications. Do you need to secure all your programs or only a select few?
    • Is the system owned or outsourced?
    • Where are you accountable for security?
    • How sensitive is the data that each system handles?

    Organizational Scope and Boundaries

    • Will your ISMS cover all departments within your organization? For example, do certain departments (e.g. operations) not need any security coverage?
    • Do you have the ability to make security decisions for each department?
    • Who are the key stakeholders/data owners for each department?

    OT Systems Scope and Boundaries

    • There may be hundreds of OT systems that are run and maintained in your organization. Do you need to secure all OT or a select subset?
    • Is the system owned or outsourced?
    • Where are you accountable for safety and security?
    • What reliability requirements does each system handle?

    Record scope and boundaries

    Sample Scope and Boundaries table. Refer to the Secure IT/OT Convergence Framework when filling in the following elements:
    • Record your security-related organizational scope, physical location scope, IT systems scope, and OT systems scope in the Scope tab of the Secure IT/OT Convergence Requirements Gathering Tool.
    • For each item scoped, give the rationale for including it in the comments column. Careful attention should be paid to any elements that are not in scope.

    Plan

    Define roles and responsibilities

    Input: List of relevant stakeholders

    Output: Roles and responsibilities for the secure IT/OT convergence program

    Materials: Secure IT/OT Convergence RACI Chart Tool

    Participants: Executive leadership, OT leader, IT leader, Security leader

    There are many factors that impact an organization’s level of effectiveness as it relates to IT/OT convergence. How the two groups interact, what skill sets exist, the level of clarity around roles and responsibilities, and the degree of executive support and alignment are only a few. Thus, it is imperative in the planning phase to identify stakeholders who are:

    • Responsible: The people who do the work to accomplish the activity; they have been tasked with completing the activity and/or getting a decision made.
    • Accountable: The person who is accountable for the completion of the activity. Ideally, this is a single person and will often be an executive or program sponsor.
    • Consulted: The people who provide information. This is usually several people, typically called subject matter experts (SMEs).
    • Informed: The people who are updated on progress. These are resources that are affected by the outcome of the activities and need to be kept up to date.

    Download the Secure IT/OT Convergence RACI Chart Tool

    Define RACI Chart

    Sample RACI chart with only the 'Plan' section enlarged.

    Define responsible, accountable, consulted, and informed (RACI) stakeholders.
    1. Customize the "work units" to best reflect your operation with applicable stakeholders.
    2. Customize the "action“ rows as required.
    Info-Tech Insight

    The roles and responsibilities should be clearly defined. For example, IT network should be responsible for the communication and configuration of all access points and devices from the remote client to the control system DMZ, and controls engineering should be responsible from the control system DMZ to the control system.

    Plan

    Establish governance and build cross-functional team

    To establish governance and build an IT/OT cross-functional team, it is important to understand the operation of OT systems and their interactions with IT within the organization, e.g. ad hoc, centralized, decentralized.

    The maturity ladder with levels 'Fully Converged', 'Collaborative Partners', 'Trusted Resources', 'Affiliated Entities', and 'Siloed' at the bottom. Each level has four maturity indicators listed.

    Info-Tech Insight

    To determine IT/OT convergence maturity level, Info-Tech provides the IT/OT Convergence Self-Evaluation Tool.

    Centralized security governance model example

    Example of a centralized security governance model.

    Plan

    Identify convergence elements and compliance obligations

    To switch the focus from confidentiality and integrity to safety and availability for OT system, it is important to have a common language such as the Purdue model for technical communication.
    • A lot of OT compliance standards are technically focused and do not address governance and management, e.g. IT standards like the NIST Cybersecurity Framework. For example, OT system modeling with Purdue model will help IT teams to understand assets, networking, and controls. This understanding is needed to know the possible security solutions and where these solutions could be embedded to the OT system with respect to safety, reliability, and availability.
    • However, deployment of technical solutions or patches to OT system may nullify warranty, so arrangements should be made to manage this with the vendor or manufacturer prior to modification.
    • Finally, OT modernizations such as smart grid together with the advent of IIoT where data flow is becoming less hierarchical have encouraged the birth of a hybrid Purdue model, which maintains segmentation with flexibility for communications.

    Level 5: Enterprise Network

    Level 4: Site Business

    Level 3.5: DMZ
    Example: Patch Management Server, Application Server, Remote Access Server

    Level 3: Site Operations
    Example: SCADA Server, Engineering Workstation, Historian

    Level 2: Area Supervisory Control
    Example: SCADA Client, HMI

    Level 1: Basic Control
    Example: Batch Controls, Discrete Controls, Continuous Process Controls, Safety Controls, e.g. PLCs, RTUs

    Level 0: Process
    Example: Sensors, Actuators, Field Devices

    (Source: “Purdue Enterprise Reference Architecture (PERA) Model,” ISA-99.)

    Identify compliance obligations

    To manage compliance obligations, it is important to use a platform which not only performs internal and external monitoring, but also provides third-party vendors with visibility on potential threats in their organization.
    Example table of compliance obligations standards. Example tables of compliance obligations regulations and guidelines.

    Source:
    ENISA, 2013
    DHS, 2009.

    • OT system has compliance obligations with industry regulations and security standards/regulations/guidelines. See the lists given. The lists are not exhaustive.
    • OT system owner can use the standards/regulations/guidelines as a benchmark to determine and manage the security level provided by third parties.
    • It is important to understand the various frameworks and to adhere to the appropriate compliance obligations, e.g. IEC/ISA 62443 - Security for Industrial Automation and Control Systems Series.

    IEC/ISA 62443 - Security for Industrial Automation and Control Systems Series

    International series of standards for asset owners, system integrators, and product manufacturers.
    Diagram of the international series of standards for asset owners.
    (Source: Cooksley, 2021)
    • IEC/ISA 62443 is a comprehensive international series of standards covering security for ICS systems, which recognizes three roles, namely: asset owner, system integrator, and product manufacturer.
    • In IEC/ISA 62443, requirements flow from the asset owner to the product manufacturer, while solutions flow in the opposite direction.
    • For the asset owner who owns and operates a system, IEC 62443-2 enables defining target security level with reference to a threat level and using the standard as a benchmark to determine the current security level.
    • For the system integrator, IEC 62443-3 assists to evaluate the asset owner’s requirements to create a system design. IEC 62443-3 also provides a method for verification that components provided by the product manufacturer are securely developed and support the functionality required.

    Record your compliance obligations

    Refer to the “Goals Cascade” tab of the Secure IT/OT Convergence Requirements Gathering Tool.
    1. Identify your compliance obligations. Most organizations have compliance obligations that must be adhered to. These can include both mandatory and voluntary obligations. Mandatory obligations include:
      1. Laws
      2. Government regulations
      3. Industry standards
      4. Contractual agreements
      Voluntary obligations include standards that the organization has chosen to follow for best practices and any obligations that are required to maintain certifications. Organizations will have many different compliance obligations. For the purposes of your secure IT/OT convergence, include only those that have OT security requirements.
    2. Record your compliance obligations, along with any notes, in your copy of the Secure IT/OT Convergence Requirements Gathering Tool.
    3. Refer to the “Compliance DB” tab for lists of standards/regulations/guidelines.
    Table of mandatory and voluntary security compliance obligations.

    Plan

    Assess readiness

    Readiness checklist for secure IT/OT convergence

    People

    • Define roles and responsibilities on interaction based on skill sets and the degree of support and alignment.
    • Adopt well-established security governance practices for cross-functional teams.
    • Analyze and develop skills required by implementing awareness, induction, and cross-training program.

    Process

    • Conduct a maturity assessment of key processes and highlight interdependencies.
    • Redesign cybersecurity processes for your secure IT/OT convergence program.
    • Develop a baseline and periodically review on risks, security policies and procedures, incident response, disaster recovery, and business continuity plan.

    Technology

    • Conduct a maturity assessment and identify convergence elements and compliance obligations.
    • Develop a roadmap and deploy converging security architecture and controls step by step, working with trusted technology partners.
    • Monitor security metrics on effectiveness and efficiency and conduct continuous testing by red-team and blue-team activities.

    (Source: “Grid Modernization: Optimize Opportunities And Minimize Risks,” Info-Tech)

    Enhance

    Update security strategy

    To update security strategy, it is important to actively encourage visible sponsorship across management and to provide regular updates.

    Cycle for updating security strategy: 'Architecture design', 'Procurement', 'Installation', 'Maintenance', 'Decommissioning'.
    (Source: NIST SP 800-82 Rev.3, “Guide to Operational Technology (OT) Security,” NIST, 2022.)
    • OT system life cycle is like the IT system life cycle, starting with architectural design and ending with decommissioning.
    • Currently, IT only gets involved from installation or maintenance, so they may not fully understand the OT system. Therefore, if OT security is compromised, the same personnel who commissioned the OT system (e.g. engineering, electrical, and maintenance specialists) must be involved. Thus, it is important to have the IT team collaborate with the OT team in each stage of the OT system’s life cycle.
    • Finally, it is necessary to have propositional sharing of responsibilities between IT leaders, security leaders, and OT leaders who have broader responsibilities.

    Enhance

    Update risk management framework

    The need for asset and threat taxonomy

    • One of issues in IT/OT convergence is that OT systems focus on production, so IT solutions like security patching or updates may deteriorate a machine or take a machine offline and may not be applicable. For example, some facilities run with reliability of 99.999%, which only allows maximum of 5 minutes and 35 seconds or less of downtime per year.
    • Managing risks requires an understanding of the assets and threats for IT/OT systems. Having a taxonomy of the assets and the threats cand help.
    • Applying normal IT solutions to mitigate security risks may not be applicable in an OT environment, e.g. running an antivirus tool on OT system may remove essential OT operations files. Thus, this approach must be avoided; instead, systems must be rebuilt from golden images.
    Risk management framework.
    (Source: ENISA, 2018.)

    Enhance

    Update security policies and procedures

    • Policy is the link between people, process, and technology for any size of organization. Small organizations may think that having formal policies in place is not necessary for their operations, but compliance is applicable to all organizations, and vulnerabilities affect organizations of all sizes as well. Small organizations partnering with clients or other organizations are sometimes viewed as ideal proxies for attackers.
    • Updating security policies to align with the OT system so that there is a uniform approach to securing both IT and OT environments has several benefits. For example, enhancing the overall security posture as issues are pre-emptively avoided, being better prepared for auditing and compliance requirements, and improving governance especially when OT governance is weak.
    • In updating security policies, it is important to redefine the policy framework to include the OT framework and to prioritize the development of security policies. For example, entities that own or manage US and Canadian electric power grids must comply with North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards, specifically CIP-003 for Policy and Governance. This can be achieved by understanding the current state of policies and by right-sizing the policy suite based on a policy hierarchy.
    The White House released an Executive Order on Improving the Nation’s Cybersecurity (EO 14028) in 2021 that establishes new requirements on the scope of protection and security policy such that it must include both IT and OT.

    Policy hierarchy example

    This example of a policy hierarchy features templates from Info-Tech’s Develop and Deploy Security Policies and Identify the Best Framework for Your Security Policies research.

    Example policy hierarchy with four levels, from top-down: 'Governance', 'Process-based policies', 'Prescriptive/ technical (for IT including OT elements)', 'Prescriptive/ technical (for users)'.

    Enhance

    Update IR, DR, and BCP

    A proactive approach to security is important, so actions such as updating and testing the incident response plan for OT are a must. (“Cybersecurity Year In Review” Dragos, 2022.)

    1. Customize organizational chart for IT/OT IR, DR, BCP based on governance and management model.
      E.g. ad hoc, internal distributed, internal centralized, combined distributed, and decentralized. (Software Engineering Institute, 2003)
    2. Adjust the authority of the new organizational chart and decide if it requires additional staffing.
      E.g. full authority, shared authority. (Software Engineering Institute, 2003)
    3. Update IR plan, DR plan, and BCP for IT/OT convergence.
      E.g. incorporate zero trust principles for converge network
    4. Testing updated IR plan, DR plan, and BCP.

    Optimize

    Implement awareness, induction, and cross-training

    To develop training and awareness programs for all levels of the organization, it is important to understand the common challenges in IT security that also affect secure IT/OT convergence and how to overcome those challenges.

    Alert Fatigue

    Too many false alarms, too many events to process, and an evolving threat landscape that wastes analysts’ valuable time on mundane tasks such as evidence collection. Meanwhile, only limited time is given for decision and conclusion, which results in fear of missing an incident and alert fatigue.

    Skill Shortages

    Obtaining and retaining cybersecurity-skilled talent is challenging. Organizations need to invest in the people, but not all organizations will be able to invest sufficiently to have their own dedicated security team.

    Lack of Insight

    To report progress, clear metrics are needed. However, cybersecurity still falls short in this area, as the system itself is complex, and much work is siloed. Furthermore, lessons learned are not yet distilled into insights yet for improving future accuracy.

    Lack of Visibility

    Ensuring complete visibility of the threat landscape, risks, and assets requires system integration and consistent workflow across the organization, and the convergence of OT, IoT, and IT enhances this challenge (e.g. machines cannot be scanned during operational uptime).
    (Source: Security Intelligence, 2020.)
    “Cybersecurity staff are feeling burnout and stressed to the extent that many are considering leaving their jobs.” (Danny Palmer, ZDNET News, 2022)

    Awareness may not correspond to readiness

    • An issue with IT/OT convergence training and awareness happens when awareness exists, but the personnel are trained only for IT security and are not trained for OT-specific security. For example, some organizations still use generic topics such as not opening email attachments, when the personnel do not even operate using email nor in a web browsing environment. (“Assessing Operational Readiness,” Dragos, 2022)
    • Meanwhile, as is the case with IT, OT security training topics are broad, such as OT threat intelligence, OT-specific incident response, and tabletop exercises.
    • Hence, it requires the creation of a training program development plan that considers the various audiences and topics and maps them accordingly.
    • Moreover, roles are also evolving due to convergence and modernization. These new roles require an integrative skill set. For example, the grid security & ops team might consist of an IT security specialist, SCADA technician/engineer, and OT/IIOT security specialist where OT/IIOT security specialist is a new role. (Grid Modernization: Optimize Opportunities and Minimize Risks,” Info-Tech)
    • In conclusion, it is important to approach talent development with an open mind. The ability to learn and flexibility in the face of change are important attributes, and technical skill sets can be improved with certifications and training.
    “One area regularly observed by Dragos is a weakness in overall cyber readiness and training tailored specific to the OT environment.” (“Assessing Operational Technology,” Dragos, 2022.)

    Certifications

    What are the options?
    • One of issues in certification is the complexity on relevancy in topics with respect to roles and levels.
    • An example solution is the European Union Agency for Cybersecurity (ENISA)’s approach to analyzing existing certifications by orientation, scope, and supporting bodies, grouped into specific certifications, relevant certifications, and safety certifications.

    Specific cybersecurity certification of ICS/SCADA
    Example: ISA-99/IEC 62443 Cybersecurity Certificate Program, GIAC Global Industrial Cyber Security Professional (GICSP), Certified SCADA Security Architect (CSSA), EC-Council ICS/SCADA Cybersecurity Training Course.

    Other relevant certification schemes
    Example: Network and Information Security (NIS) Driving License, ISA Certified Automation Professional (CAP), Industrial Security Professional Certification (NCMS-ISP).

    Safety Certifications
    Example: Board of Certified Safety Professionals (BCSP), European Network of Safety and Health Professional Organisations (ENSHPO).

    Order of certifications with 'Orientation' at the top, 'Scope', then 'Support'.(Source: ENISA, 2015.)

    Optimize

    Design and deploy converging security architecture and controls

    • IT/OT convergence architecture can be modeled as a layered structure based on security. In this structure, the bottom layer is referred as “OT High-Security Zone” and the topmost layer is “IT Low-Security Zone.” In this model, each layer has its own set of controls configured and acts like an additional layer of security for the zone underneath it.
    • The data flows from the “OT High-Security Zone” to the topmost layer, the “IT Low-Security Zone,” and the traffic must be verified to pass to another zone based on the need-to-know principle.
    • In the normal control flow within the “OT High-Security Zone” from level 3 to level 0, the traffic must be verified to pass to another level based on the principle of least privilege.
    • Remote access (dotted arrow) is allowed under strict access control and change control based on the zero-trust principle with clear segmentation and a point for disconnection between the “OT High-Security Zone” and the “OT Low-Security Zone”
    • This model simplifies the security process, as if the lower layers have been compromised, then the compromise can be confined on that layer, and it also prevents lateral movement as access is always verified.
    Diagram for the deployments of converging security architecture.(Source: “Purdue Enterprise Reference Architecture (PERA) model,” ISA-99.)

    Off-the-shelf solutions

    Getting the right recipe: What criteria to consider?

    Image of a shopping cart with the four headlines on the right listed in order from top to bottom.
    Icon of an eye crossed out. Visibility and Asset Management

    Passive data monitoring using various protocol layers, active queries to devices, or parsing configuration files of OT, IoT, and IT environments on assets, processes, and connectivity paths.

    Icon of gears. Threat Detection, Mitigation, and Response (+ Hunting)

    Automation of threat analysis (signature-based, specification-based, anomaly-based, sandboxing) not only in IT but also in relevant environments, e.g. IoT, IIoT, and OT on assets, data, network, and orchestration with threat intelligence sharing and analytics.

    Icon of a check and pen. Risk Assessment and Vulnerability Management

    Risk scoring approach (qualitative, quantitative) based on variables such as behavioral patterns and geolocation. Patching and vulnerability management.

    Icon of a wallet. Usability, Architecture, Cost

    The user and administrative experience, multiple deployment options and extensive integration capabilities, and affordability.

    Optimize

    Establish and monitor IT/OT security metrics for effectiveness and efficiency

    Role of security metrics in a cybersecurity program (EPRI, 2017.)
    • Requirements for secure IT/OT are derived from mandatory or voluntary compliance, e.g. NERC CIP, NIST SP 800-53.
    • Frameworks for secure IT/OT are used to build and implement security, e.g. NIST CSF, AESCSF.
    • Maturity of secure IT/OT is used to measure the state of security, e.g. C2M2, CMMC.
    • Security metrics have the role of measuring effectiveness and efficiency.

    Icon of a person ascending stairs.
    Safety

    OT interfaces with the physical world. Thus, metrics based on risks related with life, health, and safety are crucial. These metrics motivate personnel by making clear why they should care about security. (EPRI, 2017.)

    Icon of a person ascending stairs.
    Business Performance

    The impact of security on the business can be measured in various metrics such as operational metrics, service level agreements (SLAs), and financial metrics. (BMC, 2022.)

    Icon of a person ascending stairs.
    Technology Performance

    Early detection will lead to faster remediation and less damage. Therefore, metrics such as maximum tolerable downtime (MTD) and mean time to recovery (MTR) indicate system reliability. (Dark Reading, 2022)

    Icon of a person ascending stairs.
    Security Culture

    The metrics for the overall quality of security culture with indicators such as compliance and audit, vulnerability management, and training and awareness.

    Further information

    Related Info-Tech Research

    Sample of 'Build an Information Security Strategy'.

    Build an Information Security Strategy

    Info-Tech has developed a highly effective approach to building an information security strategy – an approach that has been successfully tested and refined for over seven years with hundreds of organizations.

    This unique approach includes tools for ensuring alignment with business objectives, assessing organizational risk and stakeholder expectations, enabling a comprehensive current-state assessment, prioritizing initiatives, and building a security roadmap.

    Sample of 'Preparing for Technology Convergence in Manufacturing'.

    Preparing for Technology Convergence in Manufacturing

    Information technology (IT) and operational technology (OT) teams have a long history of misalignment and poor communication.

    Stakeholder expectations and technology convergence create the need to leave the past behind and build a culture of collaboration.

    Sample of 'Implement a Security Governance and Management Program'.

    Implement a Security Governance and Management Program

    Your security governance and management program needs to be aligned with business goals to be effective.

    This approach also helps provide a starting point to develop a realistic governance and management program.

    This project will guide you through the process of implementing and monitoring a security governance and management program that prioritizes security while keeping costs to a minimum.

    Bibliography

    Assante, Michael J. and Robert M. Lee. “The Industrial Control System Cyber Kill Chain.” SANS Institute, 2015.

    “Certification of Cyber Security Skills of ICS/SCADA Professionals.” European Union Agency for Cybersecurity (ENISA), 2015. Web.

    Cooksley, Mark. “The IEC 62443 Series of Standards: A Product Manufacturer‘s Perspective.” YouTube, uploaded by Plainly Explained, 27 Apr. 2021. Accessed 26 Aug. 2022.

    “Cyber Security Metrics for the Electric Sector: Volume 3.” Electric Power Research Institute (EPRI), 2017.

    “Cybersecurity and Physical Security Convergence.” Cybersecurity and Infrastructure Security Agency (CISA). Accessed 19 May 2022.

    “Cybersecurity in Operational Technology: 7 Insights You Need to Know,” Ponemon, 2019. Web.

    “Developing an Operational Technology and Information Technology Incident Response Plan.” Public Safety Canada, 2020. Accessed 6 Sep. 2022.

    Gilsinn, Jim. “Assessing Operational Technology (OT) Cybersecurity Maturity.” Dragos, 2021. Accessed 02 Sep. 2022.

    “Good Practices for Security of Internet of Things.” European Union Agency for Cybersecurity (ENISA), 2018. Web.

    Greenfield, David. “Is the Purdue Model Still Relevant?” AutomationWorld. Accessed 1 Sep. 2022

    Hemsley, Kevin E., and Dr. Robert E. Fisher. “History of Industrial Control System Cyber Incidents.” US Department of Energy (DOE), 2018. Accessed 29 Aug. 2022.

    “ICS Security Related Working Groups, Standards and Initiatives.” European Union Agency for Cybersecurity (ENISA), 2013.

    Killcrece, Georgia, et al. “Organizational Models for Computer Security Incident Response Teams (CSIRTs).” Software Engineering Institute, CMU, 2003.

    Liebig, Edward. “Security Culture: An OT Survival Story.” Dark Reading, 30 Aug. 2022. Accessed 29 Aug. 2022.

    Bibliography

    O'Neill, Patrick. “Russia Hacked an American Satellite Company One Hour Before the Ukraine Invasion.” MIT Technology Review, 10 May 2022. Accessed 26 Aug. 2022.

    Palmer, Danny. “Your Cybersecurity Staff Are Burned Out – And Many Have Thought About Quitting.” Zdnet, 08 Aug. 2022. Accessed 19 Aug. 2022.

    Pathak, Parag. “What Is Threat Management? Common Challenges and Best Practices.” SecurityIntelligence, 23 Jan. 2020. Web.

    Raza, Muhammad. “Introduction To IT Metrics & KPIs.” BMC, 5 May 2022. Accessed 12 Sep. 2022.

    “Recommended Practice: Developing an Industrial Control Systems Cybersecurity Incident Response Capability.” Department of Homeland Security (DHS), Oct. 2009. Web.

    Sharma, Ax. “Sigma Rules Explained: When and How to Use Them to Log Events.” CSO Online, 16 Jun. 2018. Accessed 15 Aug. 2022.

    “Significant Cyber Incidents.” Center for Strategic and International Studies (CSIS). Accessed 1 Sep. 2022.

    Tom, Steven, et al. “Recommended Practice for Patch Management of Control Systems.” Department of Homeland Security (DHS), 2008. Web.

    “2021 ICS/OT Cybersecurity Year In Review.” Dragos, 2022. Accessed 6 Sep. 2022.

    “2021 State of Operational Technology and Cybersecurity Report,” Fortinet, 2021. Web.

    Zetter, Kim. “Pre-Stuxnet, Post-Stuxnet: Everything Has Changed, Nothing Has Changed.” Black Hat USA, 08 Aug. 2022. Accessed 19 Aug. 2022.

    Research Contributors and Experts

    Photo of Jeff Campbell, Manager, Technology Shared Services, Horizon Power, AU. Jeff Campbell
    Manager, Technology Shared Services
    Horizon Power, AU

    Jeff Campbell has more than 20 years' experience in information security, having worked in both private and government organizations in education, finance, and utilities sectors.

    Having focused on developing and implementing information security programs and controls, Jeff is tasked with enabling Horizon Power to capitalize on IoT opportunities while maintaining the core security basics of confidentiality, integrity and availability.

    As Horizon Power leads the energy transition and moves to become a digital utility, Jeff ensures the security architecture that supports these services provides safer and more reliable automation infrastructures.

    Christopher Harrington
    Chief Technology Officer (CTO)
    Carolinas Telco Federal Credit Union

    Frank DePaola
    Vice President, Chief Information Security Officer (CISO)
    Enpro

    Kwasi Boakye-Boateng
    Cybersecurity Researcher
    Canadian Institute for Cybersecurity

    Why learn from Tymans Group?

    The TY classes contain in-depth learning material based on over 30 years of experience in IT Operations and Resilience.

    You receive the techniques, tips, tricks, and "professional secrets" you need to succeed in your resilience journey.

    Why would I share "secrets?"

    Because over time, you will find that "secrets" are just manifested experiences.

    What do I mean by that? Gordon Ramsay, who was born in 1966 like me, decided to focus on his culinary education at age 19. According to his Wikipedia page, that was a complete accident. (His Wikipedia page is a hoot to read, by the way.) And he has nothing to prove anymore. His experience in his field speaks for itself.

    I kept studying in my original direction for just one year longer, but by 21, I founded my first company in Belgium in 1987, in the publishing industry. This was extended by IT experiences in various sectors, like international publishing and hospitality, culminating in IT for high-velocity international financial markets and insurance.

    See, "secrets" are a great way to get you to sign up for some "guru" program that will "tell all!" Don't fall for it, especially if the person is too young to have significant experience.

    There are no "secrets." There is only experience and 'wisdom." And that last one only comes with age.

    If I were in my 20s, 30s, or 40s, there is no chance I would share my core experiences with anyone who could become my competitor. At that moment, I'm building my own credibility and my own career. I like helping people, but not to the extent that it will hurt my prospects. 

    And that is my second lesson: be always honest about your intentions. Yes, always. 

    At the current point in my career, "hurting my prospects" is less important. Yes, I still need to make a living, and in another post, I will explain more about that. Here, I feel it is important to share my knowledge and experience with the next people who will take my place in the day-to-day operations of medium and large corporations. And that is worth something. Hence, "sharing my secrets."

    Gert

    Why learn about resilience from us?

    This is a great opportunity to learn from my 30+ years of resilience experience. TY's Gert experienced 9/11 in New York, and he was part of the Lehman Disaster Recovery team that brought the company back within one (one!) week of the terrorist attack.

    He also went through the London Bombings of 2005 and the 2008 financial crisis, which required fast incident responses, the Covid 2020 issues, and all that entailed. Not to mention that Gert was part of the Tokyo office disaster response team as early as 1998, ensuring that Salomon was protected from earthquakes and floods in Japan.

    Gert was part of the solution (for his clients) to several further global events, like the admittedly technical log4J event in 2021, the 2024 Crowdstrike event, and many other local IT incidents, to ensure that clients could continue using the services they needed at that time.

    Beyond the large corporate world, we helped several small local businesses improve their IT resilience with better cloud storage and security solutions. 

    These solutions and ways of thinking work for any business, large or small.

    The TY team

    Explore our resilience solutions.

    Project Management

    • Buy Link or Shortcode: {j2store}48|cart{/j2store}
    • Related Products: {j2store}48|crosssells{/j2store}
    • member rating overall impact: 9.7/10
    • member rating average dollars saved: $303,499
    • member rating average days saved: 42
    • Parent Category Name: Project Portfolio Management and Projects
    • Parent Category Link: /ppm-and-projects

    The challenge

    • Ill-defined or even lack of upfront project planning will increase the perception that your IT department cannot deliver value because most projects will go over time and budget.
    • The perception is those traditional ways of delivering projects via the PMBOK only increase overhead and do not have value. This is less due to the methodology and more to do with organizations trying to implement best-practices that far exceed their current capabilities.
    • Typical best-practices are too clinical in their approach and place unrealistic burdens on IT departments. They fail to address the daily difficulties faces by staff and are not sized to fit your organization.
    • Take a flexible approach and ensure that your management process is a cultural and capacity fit for your organization. Take what fits from these frameworks and embed them tailored into your company.

    Our advice

    Insight

    • The feather-touch is often the right touch. Ensure that you have a lightweight approach for most of your projects while applying more rigor to the more complex and high-risk developments.
    • Pick the right tools. Your new project management processes need the right tooling to be successful. Pick a tool that is flexible enough o accommodate projects of all sizes without imposing undue governance onto smaller projects.
    • Yes, take what fits within your company from frameworks, but there is no cherry-picking. Ensure your processes stay in context: If you do not inform for effective decision-making, all will be in vain. Develop your methods such that guide the way to big-picture decision taking and support effective portfolio management.

    Impact and results 

    • The right amount of upfront planning is a function of the type of projects you have and your company. The proper levels enable better scope statements, better requirements gathering, and increased business satisfaction.
    • An investment in a formal methodology is critical to projects of all sizes. An effective process results in more successful projects with excellent business value delivery.
    • When you have a repeatable and consistent approach to project planning and execution, you can better communicate between the IT project managers and decision-makers.
    • Better communication improves the visibility of the overall project activity within your company.

    The roadmap

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    Get started.

    Read our executive brief to understand why you should tailor project management practices to the type of projects you do and your company and review our methodology. We show you how we can support you.

    Lay the groundwork for project management success

    Assess your current capabilities to set the right level of governance.

    • Tailor Project Management Processes to Fit Your Projects – Phase 1: Lay the Groundwork for PM Success (ppt)
    • Project Management Triage Tool (xls)
    • COBIT BAI01 (Manage Programs and Projects) Alignment Workbook (xls)
    • Project Level Definition Matrix (xls)
    • Project Level Selection Tool (xls)
    • Project Level Assessment Tool (xls)
    • Project Management SOP Template (doc)

    Small project require a lightweight framework

    Increase small project's throughput.

    • Tailor Project Management Processes to Fit Your Projects – Phase 2: Build a Lightweight PM Process for Small Initiatives (ppt)
    • Level 1 Project Charter Template (doc)
    • Level 1 Project Status Report Template (doc)
    • Level 1 Project Closure Checklist Template (doc)

    Build the standard process medium and large-scale projects

    The standard process contains fully featured initiation and planning.

    • Tailor Project Management Processes to Fit Your Projects – Phase 3: Establish Initiation and Planning Protocols for Medium-to-Large Projects (ppt)
    • Project Stakeholder and Impact Assessment Tool (xls)
    • Level 2 Project Charter Template (doc)
    • Level 3 Project Charter Template (doc)
    • Kick-Off Meeting Agenda Template (doc)
    • Scope Statement Template (doc)
    • Project Staffing Plan(xls)
    • Communications Management Plan Template (doc)
    • Customer/Sponsor Project Status Meeting Template (doc)
    • Level 2 Project Status Report Template (doc)
    • Level 3 Project Status Report Template (doc)
    • Quality Management Workbook (xls)
    • Benefits Management Plan Template (xls)
    • Risk Management Workbook (xls)

    Build a standard process for the execution and closure of medium to large scale projects

    • Tailor Project Management Processes to Fit Your Projects – Phase 4: Develop Execution and Closing Procedures for Medium-to-Large Projects (ppt)
    • Project Team Meeting Agenda Template (doc)
    • Light Project Change Request Form Template (doc)
    • Detailed Project Change Request Form Template (doc)
    • Light Recommendation and Decision Tracking Log Template (xls)
    • Detailed Recommendation and Decision Tracking Log Template (xls)
    • Deliverable Acceptance Form Template (doc)
    • Handover to Operations Template (doc)
    • Post-Mortem Review Template (doc)
    • Final Sign-Off and Acceptance Form Template (doc)

    Implement your project management standard operating procedures (SOP)

    Develop roll-out and training plans, implement your new process and track metrics.

    • Tailor Project Management Processes to Fit Your Projects – Phase 5: Implement Your PM SOP (ppt)
    • Level 2 Project Management Plan Template (doc)
    • Project Management Process Costing Tool (xls)
    • Project Management Process Training Plan Template (doc)
    • Project Management Training Monitoring Tool (xls)
    • Project Management Process Implementation Timeline Tool (MS Project)
    • Project Management Process Implementation Timeline Tool (xls)

     

     

    Implement Lean Management Practices That Work

    • Buy Link or Shortcode: {j2store}116|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Performance Measurement
    • Parent Category Link: /performance-measurement
    • Service delivery teams do not measure, or have difficulty demonstrating, the value they provide.
    • There is a lack of continuous improvement.
    • There is low morale within the IT teams leading to low productivity.

    Our Advice

    Critical Insight

    • Create a problem-solving culture. Frequent problem solving is the differentiator between sustaining Lean or falling back to old management methods.
    • Commit to employee growth. Empower teams to problem solve and multiply your organizational effectiveness.

    Impact and Result

    • Apply Lean management principles to IT to create alignment and transparency and drive continuous improvement and customer value.
    • Implement huddles and visual management.
    • Build team capabilities.
    • Focus on customer value.
    • Use metrics and data to make better decisions.
    • Systematically solve problems and improve performance.
    • Develop an operating rhythm to promote adherence to Lean.

    Implement Lean Management Practices That Work Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out how a Lean management system can help you increase transparency, demonstrate value, engage your teams and customers, continuously improve, and create alignment.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Understand Lean concepts

    Understand what a Lean management system is, review Lean philosophies, and examine simple Lean tools and activities.

    • Implement Lean Management Practices That Work – Phase 1: Understand Lean Concepts
    • Lean Management Education Deck

    2. Determine the scope of your implementation

    Understand the implications of the scope of your Lean management program.

    • Implement Lean Management Practices That Work – Phase 2: Determine the Scope of Your Implementation
    • Lean Management Scoping Tool

    3. Design huddle board

    Examine the sections and content to include in your huddle board design.

    • Implement Lean Management Practices That Work – Phase 3: Design Huddle Board
    • Lean Management Huddle Board Template

    4. Design Leader Standard Work and operating rhythm

    Determine the actions required by leaders and the operating rhythm.

    • Implement Lean Management Practices That Work – Phase 4: Design Leader Standard Work and Operating Rhythm
    • Leader Standard Work Tracking Template
    [infographic]

    Workshop: Implement Lean Management Practices That Work

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Understand Lean Concepts

    The Purpose

    Understand Lean management.

    Key Benefits Achieved

    Gain a common understanding of Lean management, the Lean management thought model, Lean philosophies, huddles, visual management, team growth, and voice of customer.

    Activities

    1.1 Define Lean management in your organization.

    1.2 Create training materials.

    Outputs

    Lean management definition

    Customized training materials

    2 Understand Lean Concepts (Continued) and Determine Scope

    The Purpose

    Understand Lean management.

    Determine the scope of your program.

    Key Benefits Achieved

    Understand metrics and performance review.

    Understand problem identification and continuous improvement.

    Understand Kanban.

    Understand Leader Standard Work.

    Define the scope of the Lean management program.

    Activities

    2.1 Develop example operational metrics

    2.2 Simulate problem section.

    2.3 Simulate Kanban.

    2.4 Build scoping tool.

    Outputs

    Understand how to use operational metrics

    Understand problem identification

    Understand Kanban/daily tasks section

    Defined scope for your program

    3 Huddle Board Design and Huddle Facilitation Coaching

    The Purpose

    Design the sections and content for your huddle board.

    Key Benefits Achieved

    Initial huddle board design.

    Activities

    3.1 Design and build each section in your huddle board.

    3.2 Simulate coaching conversations.

    Outputs

    Initial huddle board design

    Understanding of how to conduct a huddle

    4 Design and Build Leader Standard Work

    The Purpose

    Design your Leader Standard Work activities.

    Develop a schedule for executing Leader Standard Work.

    Key Benefits Achieved

    Standard activities identified and documented.

    Sample schedule developed.

    Activities

    4.1 Identify standard activities for leaders.

    4.2 Develop a schedule for executing Leader Standard Work.

    Outputs

    Leader Standard Work activities documented

    Initial schedule for Leader Standard Work activities

    Initiate Digital Accessibility for IT

    • Buy Link or Shortcode: {j2store}520|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Lead
    • Parent Category Link: /lead
    • Determining IT requirements (legal and business needs) is overwhelming.
    • Prioritizing people in the process is often overlooked.
    • Mandating changes instead of motivating change isn’t sustainable.

    Our Advice

    Critical Insight

    • Compliance is the minimum; the people and behavior changes are the harder part and have the largest impact on accessibility. Preparing for and building awareness of the reasons for accessibility makes the necessary behavior changes easier. Communicate, communicate, and communicate some more.
    • Accessibility is a practice, not a project. Therefore, accessibility is an organizational initiative, however, IT support is critical. Use change management theory to guide the new behaviors, processes, and thinking to adopt accessibility beyond compliance. Determining where to start is challenging, the tendency is to start with tech or compliance, however, starting with the people is key. It must be culture.
    • Think about accessibility like you think about IT security. Use IT security concepts that you and your team are already familiar with to initiate the accessibility program.

    Impact and Result

    • Take away the overwhelm that many feel when they hear ‘accessibility’ and make the steps for your organization approachable.
    • Clearly communicate why accessibility is critical and how it supports the organization’s key objectives and initiatives.
    • Understand your current state related to accessibility and identify areas for key initiatives to become part of the IT strategic roadmap.
    • Build your accessibility plan while prioritizing the necessary culture change
    • Use change management and communication practices to elicit the behavior shift needed to sustain accessibility.

    Initiate Digital Accessibility for IT Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Initiate Digital Accessibility for IT – Use this blueprint to narrow down the requirements for your organization and team while also clearly communicating why accessibility is critical and how it supports the organization’s key objectives and initiatives.

    A step-by-step approach to walk you through understanding the IT accessibility compliance requirements, building your roadmap, and communicating with your department. This storyboard will help you figure out what’s needed from IT to support the business and launch accessibility with your team.

    • Initiate Digital Accessibility for IT – Phases 1-2

    2. IT Manager Meeting Template – A clear, concise, and compelling communication to introduce accessibility for your organization to IT managers and to facilitate their participation in building the roadmap.

    Accessibility compliance can be overwhelming at first. Use this template to simplify the requirements for the IT managers and build out a roadmap.

    • IT Manager Meeting Template

    3. Accessibility Compliance Tracking Tool – This tool helps to decrease the overwhelm of accessibility compliance. Narrow down the list of controls needed to the ones that apply to your organization and to IT.

    Using the EN 301 549 V3.2.1 (2021-03) as a basis for digital accessibility conformance. Use this tool to build a priorities list of requirements that are applicable to your organization.

    • Accessibility Compliance Tracking Tool

    4. Departmental Meeting Template – Cascade your communication down to the IT department with this facilitation guide for introducing accessibility and the roadmap to the entire IT team.

    Use this pre-built slide deck to customize your accessibility communication to the IT department. It will help you build a shared vision for accessibility, a current state picture, and plans to build to the target future state.

    • Departmental Meeting Template
    • Accessibility Quick Cards

    Infographic

    Further reading

    Initiate Digital Accessibility For IT

    Make accessibility accessible.

    EXECUTIVE BRIEF

    Analyst Perspective

    Accessibility is a practice, not a project.

    Accessibility is an organizational directive; however, IT plays a fundamental role in its success. As business partners require support and expertise to assist with their accessibility requirements IT needs to be ready to respond. Even if your organization hasn't fully committed to an accessibility standard, you can proactively get ready by planting the seeds to change the culture. By building understanding and awareness of the significant impact technology has on accessibility, you can start to change behaviors.

    Implementing an accessibility program requires many considerations: legal requirements; international guidelines, such as Web Content Accessibility Guidelines (WCAG); training for staff; ongoing improvement; and collaborating with accessibility experts and people with disabilities. It can be overwhelming to know where to start. The tendency is to start with compliance, which is a fantastic first step. For a sustained program use, change management practices are needed to change behaviors and build inclusion for people with disabilities.

    15% of the world's population identify as having some form of a disability (not including others that are impacted, e.g. caretakers, family). Why would anyone want to alienate over 1.1 billion people?

    This is a picture of Heather Leier-Murray

    Heather Leier-Murray
    Senior Research Analyst, People & Leadership
    Info-Tech Research Group

    Disability is part of being human

    Merriam-Webster defines disability as a "physical, mental, cognitive, or developmental condition that impairs, interferes with, or limits a person's ability to engage in certain tasks or actions or participate in typical daily activities and interactions."(1)

    The World Health Organization points out that a crucial part of the definition of disability is that it's not just a health problem, but the environment impacts the experience and extent of disability. Inaccessibility creates barriers for full participation in society.(2)

    The likelihood of you experiencing a disability at some point in your life is very high, whether a physical or mental disability, seen or unseen, temporary or permanent, severe or mild.(2)

    Many people acquire disabilities as they age yet may not identify as "a person with a disability."3 Where life expectancies are over 70 years of age, 11.5% of life is spent living with a disability. (4)

    "Extreme personalization is becoming the primary difference in business success, and everyone wants to be a stakeholder in a company that provides processes, products, and services to employees and customers with equitable, person-centered experiences and allows for full participation where no one is left out."
    – Paudie Healy, CEO, Universal Access

    (1.) Merriam-Webster
    (2.) World Health Organization, 2022
    (3.) Digital Leaders, as cited in WAI, 2018
    (4.) Disabled World, as cited in WAI, 2018

    Executive Summary

    Your Challenge

    You know the push for accessibility is coming in your organization. You might even have a program started or approval to build one. But you're not sure if you and your team are ready to support and enable the organization on its accessibility journey.

    Common Obstacles

    Understanding where to start, where accessibility lives, and if or when you're done can be overwhelmingly difficult. Accessibility is an organizational initiative that IT enables; being able to support the organization requires a level of understanding of common obstacles.

    • Determining IT requirements (legal and business needs) is overwhelming.
    • Prioritizing people in the process is often overlooked.
    • Mandating changes instead of motivating change isn't sustainable.

    Info-Tech's Approach

    Prepare your people for accessibility and inclusion, even if your organization doesn't have a formal standard yet. Take your accessibility from mandate to movement, i.e. from Phase 1 - focused on compliance to Phase 2 - driven by experience for sustained change.

    • Use this blueprint to build your accessibility plan while prioritizing the necessary culture change.
    • Use change management and communication practices to elicit the behavior shift needed to sustain accessibility.

    Info-Tech Insight

    Accessibility is a practice, not a project. Therefore, accessibility is an organizational initiative; however, IT support is critical. Use change management theory to guide the new behaviors, processes, and thinking to adopt accessibility beyond compliance. Determining where to start is challenging because the tendency is to start with tech or compliance; however, starting with the people is key. It must be a change in organizational culture.

    Your challenge

    This research is designed to help IT leaders who are looking to:

    • Determine accessibility requirements of IT based on the business' needs and priorities, and the existing standards and regulations.
    • Prepare the IT leaders to implement and sustain accessibility and prepare for the behavior shift that is necessary.
    • Build the plan for IT as it pertains to accessibility, including a list of business needs and priorities, and prioritization of accessibility initiatives that IT is responsible for.
    • Ensure that accessibility is sustained in the IT department by following phase 2 of this blueprint on using change management and communication to impact behavior and change the culture.

    90% of companies claim to prioritize diversity.
    Source: Harvard Business Review, 2020

    Over 30% of those that claim to prioritize diversity are focused on compliance.
    Source: Harvard Business Review, 2022

    Accessibility is an organizational initiative

    Is IT ready and capable to enable it?

    • With increasing rates of lawsuits related to digital accessibility, more organizations are prioritizing initiatives to support increased accessibility. About 68% of Applause's survey respondents indicated that digital accessibility is a higher priority for their organization than it was last year.
    • This increase in priority will trickle into IT's tasks – get ahead and start working toward accessibility proactively so you're ready when business requests start coming in.

    A survey of nearly 1,800 respondents conducted by Applause found that:

    • 79% of respondents rated digital accessibility either a top priority or important for their organizations.
    • 42% of respondents indicated they have limited or no in-house expertise or resources to test accessibility.
      Source: Business Wire, May 2022

    How organizations prioritize digital accessibility

    • 43% rated accessibility as a top priority.
    • 36% rated accessibility as important.
    • Fewer than 5% rated accessibility as either low priority or not even on the radar.
    • More than 65% agreed or strongly agreed that accessibility is a higher priority than last year.

    Source: Angel Business Communications, 2022

    Why organizations address accessibility

    Top three reasons:

    1. 61% To comply with laws
    2. 62% To provide the best user experience
    3. 78% To include people with disabilities
      Source: Level Access, 2022

    Still, most businesses aren't meeting compliance standards. Even though legislation has been in place for over 30 years, a 2022 study by WebAIM of 1,000,000 homepages returned a 96.8% WCAG 2.0 failure rate.

    Source: Institute for Disability Research, Policy, and Practice, 2022

    Info-Tech's approach to Initiate Digital Accessibility

    An image of the Business Case for Accessibility

    The Info-Tech difference:

    1. Phase 1 of this blueprint gets you started and helps you build a plan to get you to the initial compliance driven maturity level. It's focused more on standards and regulations than on the user and employee experience.
    2. Phase 2 takes you further in maturity and helps you become experience driven in your efforts. It focuses on building your accessibility maturity into the developing, defined, and managed levels, as well as balancing mandate and movement of the accessibility maturity continuum.

    Determining conformance seems overwhelming

    Unfortunately, it's the easier part.

    • Focus on local regulations and what corporate leaders are setting as accessibility standards for the organization. This will narrow down the scope of what compliance looks like for your team.
    • Look to best practices like WCAG guidelines to ensure digital assets are accessible and usable for all users. WCAG's international guideline outlines principles that can also aid in scoping.
    • In phase 1 of this blueprint, use the Accessibility Compliance Tracking Toolto prioritize criteria and legislation for which IT is responsible.
    • Engage with business partners and other areas of the organization to figure out what is needed from IT. Accessibility is an organizational initiative; it shouldn't be on IT to figure it all out. Determine what your team is specifically responsible for before tackling it all.

    Motivating behavior change

    This is the hard part.

    Changing behaviors and mindsets is necessary to be experience driven and sustain accessibility.

    • Compliance is the minimum when it comes to accessibility, much like employment or labor regulations.
    • Making accessibility an organizational imperative is an iterative process. Managing the change is hard. People, culture, and behavior change matures accessibility from compliance driven to experience driven, increasing the benefits of accessibility.
    • Focus accessibility initiatives on improving the experience of everyone and improving engagement (customer and employee).
    • Being people focused and experience driven enables the organization to provide the best user experience and realize the benefits of accessibility.

    A picture of Jordyn Zimmerman

    "Compliance is the minimum. And when we look at web tech, people are still arguing about their positioning on the standards that need to be enforced in order to comply, forgetting that it isn't enough to comply."
    -- Jordyn Zimmerman, M.Ed., Director of Professional Development, The Nora Project, and Appointee, President's Committee for People with Intellectual Disabilities.

    This is an image of the Info-Tech Accessibility Maturity Framework Table.

    To see more on the Info-Tech Accessibility Maturity Framework:

    The Accessibility Business Case for IT

    Think of accessibility like you think of IT security

    Use IT security concepts to build your accessibility program.

    • Risk management: identify and prioritize accessibility risks and implement controls to mitigate those risks.
    • Compliance: use an IT security-style compliance approach to ensure that the accessibility program is compliant with the many accessibility regulations and standards.
    • Defense in depth: implement multiple layers of accessibility controls to address different types of accessibility risks and issues.
    • Response and recovery: quickly and effectively respond to accessibility issues, minimizing the potential impact on the organization and its users.
    • End-user education: educate end users about accessibility best practices, such as how to use assistive technologies and how to report accessibility issues.
    • Monitor and audit: use monitoring and auditing tools to ensure that accessibility remains over time and to identify and address issues that arise.
    • Collaboration: ensure the accessibility program is effective and addresses the needs of all users by collaborating with accessibility experts and people with disabilities.

    "As an organization matures, the impact of accessibility shifts. A good company will think of security at the very beginning. The same needs to be applied to accessibility thinking. At the peak of accessibility maturity an organization will have people with disabilities involved at the outset."
    -- Cam Beaudoin, Owner, Accelerated Accessibility

    This is a picture of Cam Beaudoin

    Info-Tech's methodology for Initiate Digital Accessibility for IT

    1. Planning IT's accessibility requirements

    2. Change enablement of accessibility

    Phase Steps

    1. Determine accessibility requirements of IT
    2. Build the IT accessibility plan
    1. Build awareness
    2. Support new behaviors
    3. Continuous reinforcement

    Phase Outcomes

    List of business needs and priorities related to accessibility

    IT accessibility requirements for conformance

    Assessment of state of accessibility conformance

    Prioritization of accessibility initiatives for IT

    Remediation plan for IT related to accessibility conformance

    Accessibility commitment statement

    Team understanding of what, why, and how

    Accessibility Quick Cards

    Sustainment plan

    Insight summary

    Overarching insight

    Accessibility is a practice, not a project. Therefore, accessibility is an organizational initiative; however, IT support is critical. Use change management theory to guide the new behaviors, processes, and thinking to adopt accessibility beyond compliance. Determining where to start is challenging. The tendency is to start with tech or compliance; however, starting with the people is key. It must be a change in organizational culture.

    Insight 1

    Compliance is the minimum; people and behavior changes are the hardest part and have the largest impact on accessibility. Preparing for and building awareness of the reasons for accessibility makes the necessary behavior changes easier. Communicate, communicate, and communicate some more.

    Insight 2

    Think about accessibility like you think about IT security. Use IT security concepts that you and your team are already familiar with to initiate the accessibility program.

    Insight 3

    People are learning a new way to behave and think; this can be an unsettling period. Patience, education, communication, support, and time are keys for success of the implementation of accessibility. There is a transition period needed; people will gradually change their practices and attitudes. Celebrate small successes as they arise.

    Insight 4

    Accessibility isn't a project as there is no end. Effective planning and continuous reinforcement of "the new way of doing things" is necessary to enable accessibility as the new status quo.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals.

    IT Manager Meeting Template

    IT Manager Meeting Template
    Use this meeting slide deck to work with IT managers to build out the accessibility remediation plan and commitment statement.

    Departmental Meeting Template

    Departmental Meeting Template
    Use this meeting slide deck to introduce the concept of accessibility and communicate IT goals and objectives.

    Accessibility Quick Cards

    Accessibility Quick Cards
    Using the Info-Tech IT Management and Governance Framework to identify key activities to help improve and maintain the accessibility of your organization and your core IT processes.

    Key deliverable:

    Accessibility Compliance Tracking Tool

    Accessibility Compliance Tracking Tool
    This tool will assist you in identifying remediation priorities applicable to your organization.

    Blueprint benefits

    IT Benefits

    Business Benefits

    • Know and understand your role and responsibility in accessibility implementation within the organization.
    • Provide effective support and excellent business service experience to internal stakeholders related to accessibility.
    • You will be set up to effectively support your team through the necessary behavior, process, and thinking changes.
    • Proactively prepare for accessibility requests that will be coming in.
    • Move beyond compliance to support your organization's sustainment of accessibility.
    • Don't lose out on a trillion-dollar market.
    • Don't miss opportunities to work with organizations because you're not accessible.
    • Enable and empower current employees with disabilities.
    • Minimize potential for negative brand reputation due to a lack of consideration for people with disabilities.
    • Decrease the risk of legal action being brought upon the organization.

    Measure the value of this blueprint

    Improve IT effectiveness and employee buy-in to change.

    Measuring the effectiveness of your program helps contribute to a culture of continuous improvement. Having consistent measures in place helps to inform decisions and enables your plan to be iterative to take advantage of emerging opportunities.

    Monitor employee engagement, overall stakeholder satisfaction with IT, and the overall end-customer satisfaction.

    Remember, accessibility is not a project – just because measures are positive does not mean your work is done.

    In phase 1 of this blueprint, we will help you establish metrics for your organization.
    In phase 2, we will help you develop a sustainment for achieving those metrics.

    A screenshot of the slide titled Establish Baseline Metrics.

    Suggested Metrics
    • Overall end-customer satisfaction
    • Requests for accommodation or assistive technology fulfilled
    • Employee engagement
    • Overall compliance status

    Info-Tech's IT Metrics Library

    Executive brief case study

    INDUSTRY: Technology


    SOURCE: Microsoft.com
    https://blogs.microsoft.com/accessibility/accessib...

    Microsoft

    Microsoft's accessibility journey starts with the goal of building a culture of accessibility and disability inclusion. They recognize that the starting point for the magnitude of organizational change is People.

    "Accessibility in Action Badge"

    Every employee at Microsoft is trained on accessibility to build understanding of why and how to be inclusive using accessibility. The program entails 90 minutes of virtual content.

    Microsoft treats accessibility and inclusion like a business, managing and measuring it to ensure sustained growth and success. They have worked over the years to bust systemic bias company-wide and to build a program with accessibility criteria that works for their business.

    Results

    The program Microsoft has built allows them to shift the accessibility lens earlier in their processes and listen to its users' needs. This allows them to continuously mature their accessibility program, which means continuously improving its users' experience.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Guided implementation

    What does a typical guided implementation (GI) on this topic look like?

    Phase 1 Phase 2

    Call #1: Discuss motivation for the initiative and foundational knowledge requirements.
    Call #2: Discuss stakeholder analysis and business needs of IT.

    Call #3: Identify current maturity and IT accountabilities.
    Call #4: Discuss introduction to senior IT leaders and drivers.
    Call #5: Discuss manager meeting outline and slides.

    Call #6: Review key messages and next steps to prepare for departmental meeting.
    Call #7: Discuss post-meetings next steps and timelines.

    Call #8: Review sustainment plan and plan next steps.

    A GI is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is eight to ten calls over the course of four to six months.

    Workshop overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Pre-Work

    Day 1

    Day 2

    Day 3

    Day 4

    Day 5

    Understand Your Legislative Environment

    Understand Your Current State

    Define the
    IT Target State

    Build the IT Accessibility Plan

    Prepare for Change Enablement

    Next Steps and
    Wrap-Up

    Activities

    0.1 Make a list of the legislation you need to comply with
    0.2 Seek legal counsel or and/or professional services' input on compliance
    0.3 Complete the Accessibility Maturity Assessment
    0.4 Conduct stakeholder analysis

    1.1 Define the risks of inaction
    1.2 Review maturity assessment
    1.3 Conduct stakeholder focus group

    2.1 Define IT compliance accountabilities
    2.2 Define IT accessibility goals/objectives/ metrics
    2.3 Indicate the target-state maturity

    3.1 Assess current accessibility compliance and mitigation
    3.2 Decide on priorities
    3.3 Write an IT accessibility commitment statement

    4.1 Prepare the roadmap
    4.2 Prepare the communication plan

    5.1 Complete in-progress deliverables from previous four days
    5.2 Set up review time for workshop deliverables and to discuss next steps

    Deliverables

    1. Legislative requirements for your organization
    2. List of stakeholders
    3. Completed maturity assessment.
    1. Defined risks of inaction
    2. Stakeholder analysis completed with business needs identified
    1. IT accessibility goals/objectives
    2. Target maturity
    1. Accessibility Compliance Tracking Tool completed
    2. Accessibility commitment statement
    3. Current compliance and mitigation assessed
    1. IT accessibility roadmap
    2. Communication plan
    1. IT accessibility roadmap
    2. Communication plan

    Phase 1

    Planning IT's Accessibility Requirements.

    Phase 1

    Phase 2

    1.1 Determine accessibility requirements of IT

    1.2 Build IT accessibility plan

    2.1 Build awareness

    2.2 Support new behaviors

    2.3 Continuous reinforcement

    Initiate Digital Accessibility For IT

    This phase will walk you through the following activities:

    • Analyzing stakeholders to determine accessibility needs of business for IT.
    • Determining accessibility compliance requirements of IT.
    • Build a manager communication deck.
    • Assess current accessibility compliance and mitigation.
    • Prioritize and assign timelines.
    • Build a sunrise diagram to visualize your accessibility roadmap.
    • Write an IT accessibility commitment statement.

    This phase involves the following participants:

    • CIO
    • IT leadership team
    • Business partners in other areas of the organization (e.g., HR, finance, communications)

    Step 1.1

    Determine the accessibility requirements of IT.

    Activities

    1.1.1 Determine what the business needs from IT
    1.1.2 Complete the Accessibility Maturity Assessment (optional)
    1.1.3 Determine IT compliance requirements
    1.1.4 Define target state
    1.1.5 Create a list of goals and objectives
    1.1.6 Finalize key metrics
    1.1.7 Prepare a meeting for IT managers

    Prepare to support the organization with accessibility

    This step involves the following participants:

    • CIO
    • IT senior leaders
    • IT managers
    • Business partners in other areas of the organization (e.g., HR, finance, communications)

    Outcomes of this step

    • Stakeholder analysis with business needs listed
    • Defined target future state
    • List of goals and objectives
    • Key metrics
    • Communication deck for IT management rollout meeting

    While defining future state, consider your drivers

    The Info-Tech Accessibility Maturity Framework identifies three key strategic drivers: compliance, experience, and incorporation.

    • Over 30% of organizations are focused on compliance, according to a 2022 survey by Harvard Business Review and Slack's Future Forum. The survey asked more than 10,000 workers in six countries about their organizations' approach to diversity, equity, and inclusion (DEI).(2)
    • Even though 90% of companies claim to prioritize diversity, over 30% are focused on compliance.(1)

    1. Harvard Business Review, 2020
    2. Harvard Business Review, 2022

    31.6% of companies remain in the compliant stage where they are focused on DEI compliance and not on integrating DEI throughout the organization or on creating continual improvement, from Harvard Business Review 2022.

    Info-Tech accessibility maturity framework

    This is an image of Info-Tech's accessibility maturity framework

    Info-Tech Insight

    IT typically works through maturity frameworks from the bottom to the top, progressing at each level until they reach the end. When it comes to IT accessibility initiatives, being especially thorough, thoughtful, and collaborative is critical to success. This will mean spending more time in the Developing, Defined, and Managed levels of maturity rather than trying to reach Optimized as quickly as you can. This may feel contrary to what IT historically considers as a successful implementation.

    After initially ensuring your organization is compliant with regulations and standards, you will progress to building disciplined process and consistent standardized processes. Eventually you will build the ability for predictable process, and lastly, you'll optimize by continuously improving.

    Depending on the level of maturity you are trying to achieve, it could take months or even years to implement. The important thing to understand, however, is that accessibility work is never done.

    At all levels of the maturity framework, you must consider the interconnected aspects of people, process, and technology. However, as the organization progresses, the impact will shift from largely being focused on process and technology improvement to being focused on people.

    Align the benefits of program drivers to organizational goals or outcomes

    Although there will be various motivating factors, aligning the drivers of your accessibility program provides direction to the program. Connecting the advantages of program drivers to organizational goals builds the confidence of senior leaders and decision makers, increasing the continued commitment to invest in accessibility programming.

    This is an image of a table describing the maturity level; Description; Advantages, and Disadvantages for the three drivers: Compliance; Experience; and Incorporation.

    Accessibility maturity levels

    Driver Description Benefits
    Initial Compliance
    • Accessibility processes are mostly undocumented.
    • Accessibility happens mostly on a reactive or ad hoc basis.
    • No one is aware of who is responsible for accessibility or what role they play.
    • Heavily focused on complying with regulations and standards to decrease legal risk.
    • The organization is aware of the need for accessibility.
    • Legal risk is decreased.
    Developing Experience
    • The organization is starting to take steps to increase accessibility beyond compliance.
    • Lots of opportunity for improvement.
    • Defining and refining processes.
    • Working toward building a library of assistive tools.
    • Awareness of the need for accessibility is growing.
    • Process review for accessibility increases process efficiency through avoiding rework.
    Defined Experience
    • Accessibility processes are repeatable.
    • There is a tendency to resort to old habits under stress.
    • Tools are in place to facilitate accommodation.
    • Employees know accommodations are available to them.
    • Accessibility is becoming part of daily work.
    Managed Experience
    • Defined by effective accessibility controls, processes, and metrics.
    • Mostly anticipating preferences.
    • Roles and responsibilities are defined.
    • Disability is included as part of DEI.
    • Employees understand their role in accessibility.
    • Engagement is positively impacted.
    • Attraction and retention are positively impacted.
    Optimized Incorporation
    • Not the goal for every organization.
    • Characterized by a dramatic shift in organizational culture and a feeling of belonging.
    • Ongoing continuous improvement.
    • Seamless interactions with the organization for everyone.
    • Using feedback to inform future initiatives.
    • More likely to be innovative and inclusive, reach more people positively, and meet emerging global legal requirements.
    • Better equipped for success.

    Cheat sheet: Identify stakeholders

    Ask stakeholders, "Who else should I be talking to?" to discover additional stakeholders and ensure you don't miss anyone.

    Identify stakeholders through the following questions:

    Take a 360-degree view of potential internal and external stakeholders who might be impacted by the initiative.

    • Who in areas of influence will be adversely affected by potential environmental and social impacts of what you are doing?
    • At which stage will stakeholders be most affected (e.g. procurement, implementation, operations, decommissioning)?
    • Will other stakeholders emerge as the phases are started and completed?
    • Who is sponsoring the initiative?
    • Who benefits from the initiative?
    • Who is negatively impacted by the initiative?
    • Who can make approvals?
    • Who controls resources?
    • Who has specialist skills?
    • Who implements the changes?
    • Who are the owners, governors, customers, and suppliers of impacted capabilities or functions?
    • Executives
    • Peers
    • Direct reports
    • Partners
    • Customers
    • Subcontractors
    • Suppliers
    • Contractors
    • Lobby groups
    • Regulatory agencies

    Categorize your stakeholders with a stakeholder prioritization map

    A stakeholder prioritization map help teams categorize their stakeholders by their level of influence and ownership.

    There are four areas in the map, and the stakeholders within each area should be treated differently.

    This is an image of a quadrant analysis for mediators; players; spectators; and noisemakers.
    • Players – Players have a high interest in the initiative and high influence to affect change over the initiative. Their support is critical, and a lack of support can cause significant impediment to the objectives.
    • Mediators – Mediators have a low interest but significant influence over the initiative. They can help to provide balance and objective opinions to issues that arise.
    • Noisemakers – Noisemakers have low influence but high interest. They tend to be very vocal and engaged, either positively or negatively, but have little ability to enact their wishes.
    • Spectators – Generally, spectators are apathetic and have little influence over or interest in the initiative.

    Strategize to engage stakeholders by type

    Each group of stakeholders draws attention and resources away from critical tasks.

    By properly identifying your stakeholder groups, you can develop corresponding actions to manage stakeholders in each group. This can dramatically reduce wasted effort trying to satisfy spectators and noisemakers while ensuring the needs of the mediators and players are met.

    Type Quadrant Actions
    Players High influence, high interest Actively Engage
    Keep them engaged through continuous involvement. Maintain their interest by demonstrating their value to its success.
    Mediators High influence, low interest Keep Satisfied
    They can be the game changers in groups of stakeholders. Turn them into supporters by gaining their confidence and trust, and include them in important decision-making steps. In turn, they can help you influence other stakeholders.
    Noisemakers Low influence, high interest Keep InformedTry to increase their influence (or decrease it if they are detractors) by providing them with key information, supporting them in meetings, and using mediators to help them.
    Spectators Low influence, low interest MonitorThey are followers. Keep them in the loop by providing clarity on objectives and status updates.

    1.1.1 Determine what the business needs from IT (stakeholder analysis)

    1.5 hours

    1. Consider all the potential individuals or groups of individuals who will be impacted or influence the accessibility needs of IT.
    2. List each of the stakeholders you identify. If in person, use sticky notes to define the target audiences. The individuals or group of individuals that potentially have needs from IT related to accessibility before, during, or after the initiative.
    3. As you list each stakeholder, consider how they perceive IT. This perception could impact how you choose to interact with them.
    4. For each stakeholder identified as potentially having a business need requirement for IT related to accessibility, conduct an analysis to understand their degree of influence or impact.
    5. Based on the stakeholder, the influence or impact of the business need can inform the interaction and prioritization of IT requirements.
    6. Update slide 9 of the IT Manager Meeting Template.

    Input

    • The change
    • Why the change is needed
    • Key stakeholder map from activity 2.1.1 of The Accessibility Business Case for IT (optional)

    Output

    • The degree of influence or impact each stakeholder has on accessibility needs from IT

    Materials

    • Stakeholder Management Analysis Tool (optional)

    Participants

    • CIO/ head of IT/ initiative lead
    • Business partners

    Proactively consider how accessibility could be received

    Think about the positive and negative reactions you could face about implementing accessibility.

    It's likely individuals will have an emotional reaction to change and may have different emotions at different times during the change process.
    Plan for how to leverage support and deal with resistance to change by assessing people's emotional responses:

    • What are possible questions, objections, suggestions, and concerns that might arise.
    • How will you respond to the possible questions and concerns.
    • Include proactive messaging in your communications that address possible objections.
    • Express an understanding for others point of views by re-positioning objections and suggestions as questions.

    This is an image of the 10 change chakras

    Determine your level of maturity

    Use Info-Tech's Accessibility Maturity Assessment.

    On the accessibility questionnaire, tab 2, choose the amount you agree or disagree with each statement. Answer the questions based on your knowledge of your current state organizationally.

    Once you've answered all the questions, see the results on the tab 3, Accessibility Results. You can see your overall maturity level and the maturity level for each of six dimensions that are necessary to increase the success of an accessibility program.

    Click through to tab 4, Recommendations, to see specific recommendations based on your results and proven research to progress through the maturity levels. Keep in mind that not all organizations will or should aspire to the "Optimize" maturity level.

    A series of three screenshots from the Accessibility Maturity Assessment

    Download the Accessibility Maturity Assessment

    1.1.2 Complete the Accessibility Maturity Assessment (optional)

    1. Download the Accessibility Maturity Assessment and save it with the date so that as you work on your accessibility program, you can reassess later and track your progress.
    2. Once you have saved the assessment, select the appropriate answer for each statement on tab 2, Accessibility Questions, based on your knowledge of the organization's approach.
    3. After reviewing all the accessibility statements, see your maturity level results on tab 3, Accessibility Results. Then see tab 4, Recommendations, for suggestions based on your answers.
    4. Document your accessibility maturity results on slides 12 and 13 of the IT Manager Meeting Template and slide 17 of the Departmental Meeting Template.
    5. Use the maturity assessment results in activity 1.1.3.

    Input

    • Assess your current state of accessibility by choosing all the statements that apply to your organization

    Output

    • Identified accessibility maturity level

    Materials

    • Accessibility Maturity Assessment
    • Accessibility Business Case Template

    Participants

    • Project leader/sponsor
    • IT leadership team

    1.1.3 Determine IT compliance responsibilities

    1-3 hours

    Before you start this activity, you may need to discuss with your organization's legal counsel to determine the legislation that applies to your organization.

    1. Determine which controls apply to your organization based on your knowledge of the organization goals, stakeholders, and accessibility maturity target. If you haven't determined your current and future state maturity model, use the Info-Tech resource from the Accessibility Business Case for IT(see previous two slides).
    2. Using the drop down in column J – Applies to My Org., select "Yes" or "No" for each control on each of the data entry tabs of the Accessibility Compliance Tracking Tool.
    3. For each control you have selected "Yes" for in column J, identify the control owner in column I.
    4. Update slide 10 in the IT Manager Meeting Template and slide 13 in the IT Departmental Meeting Template.

    Input

    • Local, regional, and/or global legislation and guidelines applicable to your organization
    • Organizational accessibility standard
    • Business needs list
    • Completed Accessibility Maturity Assessment (optional)

    Output

    • List of legislation and standards requirements that are narrowed based on organization need

    Materials

    • Accessibility Maturity Assessment
    • Accessibility Business Case Template

    Participants

    • CIO/ head of IT/ CAO/ initiative leader
    • Legal counsel

    Download the Accessibility Compliance Tracking Tool

    1.1.4 Conduct future-state analysis*

    Identify your target state of maturity.

      1. Provide the group with the accessibility maturity levels to review as well as the slides on the framework and drivers (slides 27-29).
      2. Ask the group to brainstorm pain points created by inaccessibility (e.g. challenges related to stakeholders, process issues).
      3. Next, discuss opportunities to be gained from improving these practices.
      4. Then, have everyone look at the accessibility maturity levels and, based on the descriptions, determine as a group the current maturity level of accessibility in your organization .
      5. Next, review the benefits listed on the accessibility maturity levels slide to those that you named in step 3 and determine which maturity level best describes your target state. Discuss as a group and agree on one desired maturity level to reach.
      6. Document your current and target states on slide 14 of the IT Manager Meeting Template.

    *Note: If you've completed the Accessibility Business Case for IT blueprint you may already have this information compiled. Refer to activities 2.1.2 and 2.1.3.

    Input

    • Accessibility maturity levels chart, framework, and drivers slides
    • Maturity level assessment results (optional)

    Output

    • Target maturity level documented

    Materials

    • Paper and pens
    • Handouts of maturity levels

    Participants

    • CIO
    • IT senior leaders

    What does a good goal look like?

    SMART is a common framework for setting effective goals. Make sure your goals satisfy these criteria to ensure you can achieve real results.

    Use the SMART framework to build effective goals.

    S

    Specific: Is the goal clear, concrete, and well defined?

    M

    Measurable: How will you know when the goal is met?

    A

    Achievable: Is the goal possible to achieve in a reasonable time?

    R

    Relevant: Does this goal align with your responsibilities and with departmental and organizational goals?

    T

    Time-based: Have you specified a time frame in which you aim to achieve the goal?

    1.1.5 Create a list of goals and objectives*

    Use the outcomes from activity 1.2.1.

    1. Using the information from activity 1.2.1, develop goals.
    2. Remember to use the SMART goal framework to build out each goal (see the previous slide for more information on SMART goals).
    3. Ensure each goal supports departmental and organizational goals to ensure it is meaningful.
    4. Document your goals and objectives on slides 6 and 9 in your IT Manager Meeting Template.

    *Note: If you've completed the Accessibility Business Case for IT blueprint you may already have this information compiled. Refer to activity 2.2.1.

    Input

    • Outcomes of activity 1.2.1
    • Organizational and departmental goals

    Output

    • Accessibility goals and objectives identified

    Materials

    • n/a

    Participants

    • CIO/ head of IT/ initiative lead
    • IT senior leaders

    Establish baseline metrics

    Baseline metrics will be improved through:

    1. Progressing through the accessibility maturity model.
    2. Addressing accessibility earlier in processes with input from people with disabilities.
    3. Motivating behavior changes and culture that supports accessibility and disability inclusion.
    4. Ensuring compliance with regulations and standards.
    5. Focusing on experience and building a disability inclusive culture.
    Metric Definition Calculation
    Overall end-customer satisfaction The percentage of end customers who are satisfied with the IT department. Number of end customers who are satisfied / Total number of end customers
    Requests for accommodation or assistive technology fulfilled The percentage of accommodation/assistive technology requests fulfilled by the IT department. Number of requests fulfilled / Total number of requests
    Employee engagement The percentage of employees who are engaged within an organization. Number of employees who are engaged / Total number of employees
    Overall compliance status The percentage of accessibility controls in place in the IT department. The number of compliance controls in place / Total number of applicable accessibility controls

    1.1.6 Finalize key metrics*

    Finalize key metrics the organization will use to measure accessibility success.

    1. Brainstorm how you will measure the success of each goal you identified in the previous activity, based on the benefits, challenges, and risks you previously identified.
    2. Write each of the metric ideas down and finalize three to five key metrics which you will track. The metrics you choose should relate to the key challenges or risks you have identified and match your desired maturity level and driver.
    3. Document your key metrics on slide 15 of your IT Manager Meeting Templateand slide 23 of the Departmental Meeting Template.

    Input

    • Accessibility challenges and benefits
    • Goals from activity 1.2.2

    Output

    • Three to five key metrics to track

    Materials

    • n/a

    Participants

    • IT leadership team
    • Project lead/sponsor

    *Note: If you've completed the Accessibility Business Case for IT blueprint you may already have this information compiled. Refer to activity 2.2.2.

    Use Info-Tech's template to communicate with IT managers

    Cascade messages down to IT managers next. This ensures they will have time to internalize the change before communicating it to others.

    Communicate with and build the accessibility plan with IT managers by customizing Info-Tech's IT Manager Meeting Template, which is designed to effectively convey your key messages. Tailor the template to suit your needs.

    It includes:

    • Project scope and objectives
    • Current state analysis
    • Compliance planning
    • Commitment statement drafting

    IT Manager Meeting Template

    Download the IT Manager Meeting Template

    Info-Tech Insight

    Preparing for and building awareness of the reasons for accessibility make the necessary behavior changes easier.

    1.1.7 Prepare a meeting for IT managers

    Now that you understand your current and desired accessibility maturity, the next step is to communicate with IT managers and begin planning your initiatives.

    Know your audience:

    1. Consider who will be included in your presentation audience.
    2. You want your presentation to be succinct and hard-hitting. Managers are under huge demands and time is tight, they will lose interest if you drag out the delivery.
    3. Contain the presentation and planning activities to no more than an afternoon. You want to ensure adequate time for questions and answers, as well as the planning activities necessary to inform the roll out to the larger IT department later.
    4. Schedule a meeting with the IT managers.

    Download the IT Manager Meeting Template

    Input

    • Activity results

    Output

    • A completed presentation to communicate your accessibility initiatives to IT managers

    Materials

    • IT Manager Meeting Template

    Participants

    • CIO/ head of IT/ initiative lead
    • IT senior leaders
    • IT managers

    Step 1.2

    Build the IT accessibility action plan.

    Activities

    1.2.1 Assess current accessibility compliance and mitigation

    1.2.2 Decide on your priorities

    1.2.3 Add priorities to the roadmap

    1.2.4 Write an IT accessibility commitment statement

    Planning IT's accessibility requirements

    This step involves the following participants:

    • CIO/ head of IT/ initiative lead
    • IT senior leaders
    • IT managers

    Outcomes of this step

    • Priority controls and mitigation list with identified control owners.
    • IT accessibility commitment statement.
    • Draft visualization of roadmap/sunrise diagram.

    Involve managers in assessing current compliance

    To know what work needs to happen you need to know what's already happening.

    Use the spreadsheet from activity 1.1.3 where you identified which controls apply to your organization.

    Have managers work in groups to identify which controls (of the applicable ones) are currently being met and which ones have an existing mitigation plan.

    Info-Tech Insight

    Based on EN 301 549 V3.2.1 (2021-03) as a basis for digital accessibility conformance. This tool is designed to assist you in building a priorities list of requirements that are applicable to your organization. EN 301 549 is currently the most robust accessibility regulation and encompasses other regulations within it. Although EN 301 549 is the European Standard, other countries are leaning on it as the standard they aspire to as well.

    This is an image of the Compliance Tracing Tool, with a green box drawn around the columns for Current Compliance, and Mitigation.

    1.2.1 Assess current accessibility compliance and mitigation

    1-3 hours

    1. Share the Accessibility Compliance Tracking Tool with the IT leaders and managers during the meeting with IT management that you scheduled in activity 1.1.7.
    2. Break into smaller groups (or if too small, continue as a single group):
      1. Divide up the controls between the small groups to work on assessing current compliance and mitigation plans.
      2. For each control that is identified as applying to your organization, identify if there currently is compliance by selecting "yes" from the drop-down. For controls where the organization is not compliant, select "no" and identify if there is a mitigation plan in place by selecting "yes" or "no" in column L.
      3. Use the comments column to add any pertinent information regarding the control.

    Input

    • List of IT compliance requirements applicable to the org. from activities 1.1.2 and 1.1.3

    Output

    • List of IT compliance requirements that have current compliance or mitigation plans

    Materials

    • Accessibility Compliance Tracking Tool

    Participants

    • CIO
    • IT senior leaders
    • IT managers

    Download the Accessibility Compliance Tracking Tool

    Involve managers in building accountability into the accessibility plan

    Building accountability into your compliance tracking will help ensure accessibility is prioritized.

    Use the spreadsheet from activity 1.3.1.

    Have managers work in the same groups to prioritize controls by assigning a quarterly timeline for compliance.

    An image of the Compliance Tracking tool, with the timeline column highlighted in green.

    1.2.2 Decide on your priorities

    1-3 hours

    1. In the same groups used in activity 1.2.1, prioritize the list of controls that have no compliance and no mitigation plan.
    2. As you work through the spreadsheet again, assign a timeline using the drop-down menu in column M for each control that applies to the organization and has no current compliance. Consider the following in your prioritization:
      1. Does the control impact customers or is it public-facing?
      2. What are the business needs related to accessibility?
      3. Does the team currently have the skills and knowledge needed to address the control?
      4. What future state accessibility maturity are you targeting?
    3. Be prepared to review with the larger group.

    Input

    • List from activity 1.2.1
    • Business needs from activity 1.1.1

    Output

    • List of IT compliance requirements with accountability timelines

    Materials

    • Accessibility Compliance Tracking Tool

    Participants

    • CIO
    • IT senior leaders
    • IT managers

    Download the Accessibility Compliance Tracking Tool

    Review your timeline

    Don't overload your team. Make sure the timelines assigned in the breakout groups make sense and are realistic.

    A screenshot of the Accessibility Compliance Dashboard.

    Download the Accessibility Compliance Tracking Tool

    Empty roadmap template

    An image of an empty Roadmap Template.

    1.2.3 Add priorities to the roadmap

    1 hour

    1. Using the information entered in the compliance tracking spreadsheet during activities 1.2.1 and 1.2.2, build a visual representation to capture your strategic initiatives over time, using themes and timelines. Consider group initiatives in four categories, technology, people, process, and other.
    2. Copy and paste the controls onto the roadmap from the Accessibility Compliance Tracking Toolto the desired time quadrant on the roadmap.
    3. Set your desired timelines by changing the Q1-Q4 blocks (set the timelines that make sense for your situation).

    Input

    • Output of activity 1.2.2
    • Roadmap template
    • Other departmental project plans and timelines

    Output

    • Visual roadmap of accessibility compliance controls

    Materials

    • n/a

    Participants

    • CIO
    • IT senior leaders
    • IT managers

    Communicate commitment

    Support people leaders in leading by example with an accessibility commitment statement.

    A commitment statement communicates why accessibility and disability inclusion are important and guides behaviors toward the ideal state. The statement will guide and align work, build accountability, and acknowledge the dedication of the leadership team to accessibility and disability inclusion. The statement will:

    • Publicly commit the team to fostering disability inclusivity.
    • Highlight related values and goals of the team or organization.
    • Set expectations.
    • Help build trust and increase feelings of belonging.
    • Connect the necessary changes (people, process, and technology related) to organization strategy.

    Take action! Writing the statement is only the first step. It takes more than words to build accessibility and make your work environment more disability inclusive.

    Info-Tech Insight

    Preparing for and building awareness of the reasons for accessibility make the necessary behavior changes easier.

    Sample accessibility commitment statements

    theScore

    "theScore strives to provide products and services in a way that respects the dignity and independence of persons with disabilities. We are committed to giving persons with disabilities the same opportunity to access our products and services and allowing them to benefit from the same services, in the same place and in a similar way as other clients. We are also committed to meeting the needs of persons with disabilities in a timely manner, and we will meet applicable legislative requirements for preventing and removing barriers."(1)

    Apple Canada

    "Apple Canada is committed to ensuring equal access and participation for people with disabilities. Apple Canada is committed to treating people with disabilities in a way that allows them to maintain their dignity and independence. Apple Canada believes in integration and is committed to meeting the needs of people with disabilities in a timely manner. Apple Canada will do so by removing and preventing barriers to accessibility and meeting accessibility requirements under the AODA and provincial and federal laws across Canada." (2)

    Google Canada

    "We are committed to meeting the accessibility needs of people with disabilities in a timely manner, and will do so by identifying, preventing and removing barriers to accessibility, and by meeting the accessibility requirements under the AODA." (3)

    Source 1: theScore
    Source 2: Apple Canada
    Source 3: Google Canada.

    1.2.4 Write an IT accessibility commitment statement

    45 minutes

    1. As a group, brainstorm the key reasons and necessity for disability inclusion and accessibility for your organization, and the drivers and behaviors required. Record the ideas brainstormed by the group.
    2. Break into smaller groups or pairs (or if too small, continue as a single group):
      • Each group uses the brainstormed ideas to draft an accessibility commitment statement.
    3. Each smaller group shares their statement with the larger group and receives feedback. Smaller groups redraft their statements based on the feedback.
    4. Post each redrafted statement and provide each person two dot stickers to place on the two statements that resonate the most with them.
    5. Using the two statements with the highest number of dot votes, write the final accessibility commitment statement.
    6. Add the commitment statement to slide 18 of the Departmental Meeting Template.

    Input

    • Business objectives
    • Risks related to accessibility
    • Target future accessibility maturity

    Output

    • IT accessibility commitment statement

    Materials

    • Whiteboard/flip charts
    • Dot stickers or other voting mechanism

    Participants

    • CIO
    • IT senior leaders
    • IT managers

    Phase 2

    Change Enablement for Accessibility.

    Phase 1

    Phase 2

    1.1 Determine accessibility requirements of IT

    1.2 Build IT accessibility plan

    2.1 Build awareness

    2.2 Support new behaviors

    2.3 Continuous reinforcement

    This phase will walk you through the following activities:

    • Clarifying key messages
    • IT department accessibility presentation
    • Establishing a frequency and timeframe for communications
    • Obtaining feedback
    • Sustainment plan

    This phase involves the following participants:

    • CIO
    • IT senior leaders
    • IT managers
    • Other key business stakeholders
    • Marketing and communications team

    Be experience driven

    Building awareness and focusing on experience helps move along the accessibility maturity framework. Shifting from mandate to movement.

    In this phase, start to move beyond compliance. Build the IT team's understanding of accessibility, disability inclusion, and their role.
    Communicate the following messages to your team:

    • The motivation behind the change.
    • The reasons for the change.
    • And encourage feedback.

    Info-Tech Accessibility Maturity Framework

    an image of the Info-Tech Accessibility Maturity Framework

    Info-Tech Insight

    Compliance is the minimum; the people and behavior changes are the harder part and have the largest impact on accessibility. Preparing for and building awareness of the reasons for accessibility make the necessary behavior changes easier. Communicate, communicate, and communicate some more.

    What is an organizational change?

    Before communicating, understand the degree of change.

    Incremental Change:

    • Changes made to improve current processes or systems (e.g. optimizing current technology).

    Transitional Change:

    • Changes that involve dismantling old systems and/or processes in favor of new ones (e.g. new product or services added).

    Transformational Change:

    • Significant change in organizational strategy or culture resulting in substantial shift in direction.

    Examples:

    • New or changed policy
    • Switching from on-premises to cloud-first infrastructure
    • Implementing ransomware risk controls
    • Implementing a Learning and Development Plan

    Examples:

    • Moving to an insourced or outsourced service desk
    • Developing a BI and analytics function
    • Integrating risk into organization risk
    • Developing a strategy (technology, architecture, security, data, service, infrastructure, application)

    Examples:

    • Organizational redesign
    • Acquisition or merger of another organization
    • Implementing a digital strategy
    • A new CEO or board taking over the organization's direction

    Consider the various impacts of the change

    Invest time at the start to develop a detailed understanding of the impact of the change. This will help to create a plan that will simplify the change and save time. Evaluate the impact from a people, process, and technology perspective.

    Leverage a design thinking principle: Empathize with the stakeholder – what will change?

    People

    Process Technology
    • Team structure
    • Reporting structure
    • Career paths
    • Job skills
    • Responsibilities
    • Company vision/mission
    • Number of FTE
    • Culture
    • Training required
    • Budget
    • Work location
    • Daily workflow
    • Working conditions
    • Work hours
    • Reward structure
    • Required number of completed tasks
    • Training required
    • Required tools
    • Required policies
    • Required systems
    • Training required

    Change depends on how well people understand it

    Help people internalize what they can do to make the organization more inclusive.

    Anticipate responses to change:

    1. Emotional reaction – different people require different styles of management to guide them through the change. Individual's may have different emotions at different times during the change process. The more easily you can identify persona characteristics, the better you can manage them.
    2. Level of impact – the higher level of change on an individual's day-to-day, the more difficult it will be to adjust to the change. The more impactful the change, the more time focused on people management.

    an image showing staff personas at different stages through the change process.

    Quickly assess the size of change by answering these questions:

    1. Will the change affect your staff's daily work?
    2. Is the change high urgency?
    3. Is there a change in reporting relationships?
    4. Is there a change in skills required for staff to be successful?
    5. Will the change modify entrenched cultural practices?
    6. Is there a change in the mission or vision of the role?

    If you answered "Yes" to two or more questions, the change is bigger than you think. Your staff will feel the impact.

    Ensure effective communication by focusing on four key elements

    1. Audience
    • Stakeholders (either groups or individuals) who will receive the communication.
  • Message
    • Information communicated to impacted stakeholders. Must be rooted in a purpose or intent.
  • Messenger
    • Person who delivers the communication to the audience. The communicator and owner are two different things.
  • Channel
    • Method or channel used to communicate to the audience.
  • Step 2.1

    Build awareness and define key messages for IT.

    This step involves the following participants:

    • IT leadership team
    • Marketing/communications (optional)

    Outcomes of this step

    • Key accessibility messages

    Determine the desired outcome of communicating within IT

    This phase is focused on communicating within IT. All communication has an overall goal. This outcome or purpose of communicating is often dependent on the type of influence the stakeholder wields within the organization as well as the type of impact the change will have on them. Consider each of the communication outcomes listed below.

    Communicating within IT

    • Obtain buy-in
    • Inform about the IT change
    • Create a training plan
    • Inform about department changes
    • Inform about organization changes
    • Inform about a crisis
    • Obtain adoption related to the change
    • Distribute key messages to change agents

    Departmental Meeting Template

    Departmental Meeting Template

    Accessibility Quick Cards

    Accessibility Quick Cards

    Establish and define key messages based on organizational objectives

    What are key messages?

    1. Key messages guide all internal communications to ensure they are consistent, unified, and straightforward.
    2. Distill key messages down from organizational objectives and use them to reinforce the organization's strategic direction. Key messages should inspire employees to act in a way that will help the organization reach its objectives.

    How to establish key messages

    Ground key messages in organizational strategy and culture. These should be the first places you look to determine the organization's key messages:

    • Refer to organizational strategy documents. What needs to be reinforced in internal communications to ensure the organization can achieve its strategy? This is a key message.
    • Look at the organization's values. How do values guide how work should be done? Do employees need to behave in a certain way or keep a certain value top of mind? This is a key message.

    The intent of key messages is to convey important information in a way that is relatable and memorable, to promote reinforcement, and ultimately, to drive action.

    Info-Tech Insight

    Empathizing with the audience is key to anticipating and addressing objections as well as identifying benefits. Customize messaging based on audience attributes such as work model (e.g. hybrid), anticipated objections, what's in it for me?, and specific expectations.

    2.1.1 Clarify the key messages

    30 minutes

    1. Brainstorm the key stakeholders and target audiences you will likely need to communicate with to sustain the accessibility initiative (depending on the size of your group, you might break into pairs or smaller groups and each work on one target audience).
    2. Based on the outcome expected from engaging the target audience in communications, define one to five key messages that should be expressed about accessibility.
    3. The key messages should highlight benefits anticipated, concerns anticipated, details about the change, plan of action, or next steps. The goal here is to ensure the target audience is included in the communication process.
    4. The key messages should be focused on how the target audience receives a consistent message, especially if different communication messengers are involved.
    5. Document the key messages on Tab 3 of the Communications Planner Tool.

    Download the Communications Planner Tool

    Input

    • The change
    • Target audience
    • Communication outcomes

    Output

    • Key messages to support a consistent approach

    Materials

    • Communications Planner Tool
    • Sticky notes
    • Whiteboard

    Participants

    • IT leadership team
    • Marketing/communications partner (optional)

    Step 2.2

    Support new behaviors.

    Activities

    2.2.1 Prepare for IT department meeting

    2.2.2 Practice delivery of your presentation

    2.2.3 Hold department meeting

    This step involves the following participants:

    • Entire IT department

    Outcomes of this step

    • IT departmental meeting slides
    • Accessibility quick cards
    • Task list of how each IT team will support the accessibility roadmap

    Key questions to answer with change communication

    To effectively communicate change, answer questions before they're asked, whenever possible. To do this, outline at each stage of the change process what's happening next for the audience, as well as answer other anticipated questions. Pair key questions with core messages.

    Examples of key questions by change stage include:

    The outline for each stage of the change process, showing what happens next.

    2.2.1 Prepare for the IT departmental meeting

    2 hours

    1. Download the IT Department Presentation Template and follow the instructions on each slide to update for your organization.
    2. Insert information on the current accessibility maturity level. If you haven't determined your current and future state maturity level, use the Info-Tech resource from The Accessibility Business Case for IT.
    3. Review the presentation with the information added.
    4. Consider what could be done to make the presentation better:
      1. Concise: Identify opportunities to remove unnecessary information.
      2. Clear: It uses only terms or language the target audience would understand.
      3. Relevant: It matters to the target audience and the problems they face.
      4. Consistent: The message could be repeated across audiences.
    5. Schedule a departmental meeting or add the presentation to an existing departmental meeting.

    Download the Departmental Presentation Template

    Input

    • Organizational accessibility risks
    • Accessibility maturity current state
    • Outputs from manager presentation
    • Key messages

    Output

    • Prepared presentation to introduce accessibility to the entire IT department

    Materials

    • Departmental Presentation Template

    Participants

    • CIO/ head of IT/ CAO/ initiative leader

    Hone presentation skills before meeting with key stakeholders

    Using voice and body

    Think about the message you are trying to convey and how your body can support that delivery. Hands, stance, frame – all have an impact on what might be conveyed.

    If you want your audience to lean in and be eager about your next point, consider using a pause or softer voice and volume.

    Be professional and confident

    State the main points of your presentation confidently. While this should be obvious, it is essential. Your audience should be able to clearly see that you believe the points you are stating.

    Present in a way that is genuine to you and your voice. Whether you have an energetic personality or calm and composed personality, the presentation should be authentic to you.

    Connect with your audience

    Look each member of the audience in the eye at least once during your presentation. Avoid looking at the ceiling, the back wall, or the floor. Your audience should feel engaged – this is essential to keeping their attention.

    Avoid reading from your slides. If there is text on a slide, paraphrase it while maintaining eye contact.

    Info-Tech Insight

    You are responsible for the response of your audience. If they aren't engaged, it is on you as the communicator.

    2.2.2 Practice delivery of your presentation and schedule department meeting

    45 minutes

    1. Take ten minutes to think about how to deliver your presentation. Where will you emphasize words, speak louder, softer, lean in, stand tall, make eye contact, etc.?
    2. Set a timer on your phone or watch. Record yourself if possible.
    3. Take a few seconds to center yourself and prepare to deliver your pitch.
    4. Practice delivery of your presentation out loud. Don't forget to use your body language and your voice to deliver.
    5. Listen to the recording. Are the ideas communicated correctly? Are you convinced?
    6. Review and repeat.

    Input

    • Presentation deck from activity 2.2.1
    • Best practices for delivering

    Output

    • An ability to deliver the presentation in a clear and concise manner that creates understanding

    Materials

    • Recorder
    • Timer

    Participants

    • CIO/ head of IT/ initiative leader

    2.2.3 Lead the IT department meeting

    1–2 hours

    1. Gather the IT department in a manner appropriate for your organization and facilitate the meeting prepared in activity 2.2.1.
    2. Within the meeting, capture all key action items and outcomes from the Quick Cards Development and Roadmap Planning.
    3. Following the meeting, review the quick cards that everyone built and share these with all IT participants.
    4. Update your sunrise diagram to include any initiatives that came up in the team meetings to support moving to experiential.

    Input

    • Presentation deck from activity 2.2.1

    Output

    • A shared understanding of accessibility at your organization and everyone's role
    • Area task list (including behavior change needs)
    • Accessibility quick cards

    Materials

    Participants

    • CIO/ head of IT/ initiative leader

    Download the Accessibility Quick Cards template

    Step 2.3

    Continuous reinforcement – keep the conversation going – sustain the change.

    Activities

    2.3.1 Establish a frequency and timeframe for communications

    2.3.2 Obtain feedback and improve

    2.3.3 Sustainment plan

    This step involves the following participants:

    • CIO/ head of IT/ initiative lead
    • IT leadership team

    Outcomes of this step

    • Assigned roles for ongoing program monitoring
    • Communication plan
    • Accessibility maturity monitoring plan
    • Program evaluation

    Communication is ongoing before, during, and after implementing a change initiative

    Just because you've rolled out the plan doesn't mean you can stop talking about it.

    An image of the five steps, with steps four and five highlighted in a green box. The five headings are: Identify and Prioritize; Prepare for initiative; Create a communication plan; Implement change; Sustain the desired outcome

    Don't forget: Cascade messages down through the organization to ensure those who need to deliver messages have time to internalize the change before communicating it to others. Include a mix of personal and organizational messages, but where possible, separate personal and organizational content into different communications.

    2.3.1 Establish a frequency and timeframe

    30 minutes

    1. For each row in Tab 3, determine how frequently that communication needs to take place and when that communication needs to be completed by.
      • Frequency: How often the communication will be delivered to the audience (e.g. one-time, monthly, as needed).
      • Timeframe: When the communication will be delivered to the audience (e.g. a planned period or a specific date).
    2. When selecting the timeframe, consider what dependencies need to take place prior to that communication. For example, IT employees should not be communicated with on anything that has not yet been approved by the CEO. Also consider when other communications might be taking place so that the message is not lost in the noise.
    3. For frequency, the only time that a communication needs to take place once is when presenting up to senior leaders of the organizations. And even then, it will sometimes require more than one conversation. Be mindful of this.

    Input

    • The change
    • Target audience
    • Communication outcome
    • Communication channel

    Output

    • Frequency and timeframe of the communication

    Materials

    • Communications Planner Tool
    • Sticky notes
    • Whiteboard

    Participants

    • Changes based on those who would be relevant to your initiative

    Download the Communications Planner Tool

    Ensure feedback mechanisms are in place

    Soliciting and acting on feedback involves employees in the decision-making process and demonstrates to them that their contributions matter.

    Make sure you have established feedback mechanisms to collect feedback on both the messages delivered and how they were delivered. Some ways to collect feedback include:

    • Evaluating intranet comments and interactions (e.g. likes, etc.) if this function is enabled.
    • Measuring comprehension and satisfaction through surveys and polls.
    • Looking for themes in the feedback and questions employees bring forward to managers during in-person briefings.

    Feedback Mechanisms:

    • CIO business vision survey
    • Engagement surveys
    • Focus groups
    • Suggestion boxes
    • Team meetings
    • Random sampling
    • Informal feedback
    • Direct feedback
    • Audience body language
    • Repeating the message back

    Gather feedback on plan and iterate

    Who

    The project team gathers feedback from:

    • As many members of impacted groups as possible, as it helps build broad buy-in for the plan.
    • All levels (e.g. frontline employees, managers, directors).

    What

    Gather feedback on:

    • How to implement tactics successfully.
    • The timing of implementation (helps inform the next slide).
    • The resources required (helps inform the next slide).
    • Potential unforeseen impacts, questions, and concerns.

    How

    • Use focus groups to gather feedback.
    • Adjust sustainment plan based on feedback.

    Use Info-Tech's Standard Focus Group Guide

    2.3.2 Obtain feedback and improve

    20 minutes

    1. Evenly distribute the number of rows in the communication plan to all those involved. Consider a metric that would help inform whether the communication outcome was achieved.
    2. For each row, identify a feedback mechanism (slide 75) that could be used to enable the collection and confirm a successful outcome.
    3. Come back as a group and validate the feedback mechanisms selected.
    4. The important aspect here is not just to measure if the desired outcome was achieved. If the desired outcome is not achieved, consider what you might do to change or enable better communication to that target audience.
    5. Every communication can be better. Feedback, whether it be tactical or strategic, will help inform methods to improve future communication activities.

    Input

    • Communication outcome
    • Target audience
    • Communication channel

    Output

    • A mechanism to measure communication feedback and adjust future communications when necessary

    Materials

    • Communications Planner Tool
    • Sticky notes
    • Whiteboard

    Participants

    • Changes based on those who would be relevant to your initiative

    Download the Communications Planner Tool

    Identify owners and assign other roles

    • Eventually there needs to be a hand off to leaders to sustain accessibility. Senior leaders continue to play the role of guide and facilitator, helping the team identify owners and transfer ownership.
    • Guide the team to work with owners to assign roles to other stakeholders. Spread responsibility across multiple people to avoid overload.

    R

    Responsible
    Carries out the work to implement the component (e.g. payroll manager).

    A

    Accountable
    Owner of the component and held accountable for its implementation (e.g. VP of finance).

    C

    Consulted
    Asked for feedback and input to modify sustainment tactics (e.g. sustainment planning team).

    I

    Informed
    Told about progress of implementation (senior leadership team, impacted staff).

    Identify required resources and secure budget

    Sustainment is critical to success of accessibility

    • This step (i.e. sustainment) often gets overlooked because leaders are focused on the implementation. It takes resources and budget to sustain a plan and change as well.
    • Resorting to the old way is more likely to occur when you don't plan to support sustainment with ongoing resources and budget that's required.

    Resources

    Identify resources required for sustainment components using metrics and input from implementation owners, subject matter experts, and frontline managers.

    For example:

    • Inventory
    • Collateral for communications
    • Technology
    • Physical space
    • People resources (FTE)

    Budget

    Estimate the budget required for resources based on past projects that used similar resources, and then estimate the time it will take until the change evolves into "business as usual" (e.g. 6 months, 12 months).

    Monitor accessibility maturity

    If you haven't already performed the Accessibility Maturity Assessment, complete it in the wake of the accessibility initiative to assess improvements and progress toward target future accessibility maturity.
    As your accessibility program starts to scale out over a range of projects, revisit the assessment on a quarterly or bi-annual basis to help focus your improvement efforts across the six accessibility categories.

    • Vendor relations
    • Products and services
    • Policy and process
    • Support and accommodation
    • Communication
    • People and culture

    Info-Tech Insight

    To drive continual improvement of your organizational accessibility and disability inclusion, continue to share progress, wins, challenges, feedback, and other accessibility related concerns with stakeholders. At the end of the day, IT's efforts to become a change leader and support organizational accessibility will come down to stakeholder perceptions based upon employee morale and benefits realized.

    Download the Accessibility Maturity Assessment

    An image of the maturity level bar graph.

    Evaluate and iterate the program on an ongoing basis

    1. Continually monitor the results of project metrics.
      • Track progress toward goals and metrics set at the beginning of the initiative to gauge the success of the program.
      • Analyze metrics at the work-unit level to highlight successes and challenges in accessibility and disability inclusion and the parameters around it for each impacted unit.
    2. Regularly gather feedback on program effectiveness using questions such as:
      • Has the desired culture been effectively communicated and leveraged, or has the culture changed?
      • Collect feedback through regular channels (e.g. manager check-ins) and set up a cadence to survey employees on the program (e.g. three months after rollout and then annually).
    3. Determine if changes to the program structure are needed.
      • Revisit the accessibility maturity framework and the compliance requirements of IT. Understand what is being experienced; it may be necessary to select a different target or adjust the parameters to mitigate the common challenges.
      • Evaluate the effectiveness of current internal processes to determine if the program would benefit from a dedicated resource.

    2.3.3 Sustain the change

    1. Identify who will own what pieces of the program going forward and assign roles to transition the initiative from implementation to the new normal.
    2. Continue to communicate with stakeholders about accessibility and disability inclusion initiatives, controls, and requirements.
    3. Identify required resources and secure any budget that will be needed to support the accessibility program. Think about employee training, consulting needs, assistive technology requirements, human resources (FTE), etc.
    4. Continue to monitor your accessibility maturity. Use the Accessibility Maturity Assessment tool to periodically evaluate progress on goals and targets. Also, use this tool to communicate progress with senior leaders and executives.
    5. Strive for continuous improvement by evaluating and iterating the program on an ongoing basis.

    Input

    • Activity outputs from this blueprint

    Output

    • Ongoing continuous improvement and progress related to accessibility
    • Demonstrable results

    Materials

    • n/a

    Participants

    • CIO/ head of IT/ initiative Lead
    • IT senior leaders
    • IT managers

    Related Info-Tech Research

    The Accessibility Business Case for IT

    • Take away the overwhelm that many feel when they hear "accessibility" and make the steps for your organization approachable.
    • Clearly communicate why accessibility is critical and how it supports the organization's key objectives and initiatives.
    • Understand your current state related to accessibility and identify areas for key initiatives to become part of the IT strategic roadmap.

    Lead Staff through Change

    • Anticipate and respond to staff questions about the change in order to keep messages consistent, organized, and clear.
    • Manage staff based on their specific concerns and change personas to get the best out of your team during the transition through change.
    • Maintain a feedback loop between staff, executives, and other departments in order to maintain the change momentum and reduce angst throughout the process.

    IT Diversity and Inclusion Tactics

    • Although inclusion is key to the success of a diversity and inclusion (D&I) strategy, the complexity of the concept makes it a daunting pursuit.
    • This is further complicated by the fact that creating inclusion is not a one-and-done exercise. Rather, it requires the ongoing commitment of employees and managers to reassess their own behaviors and to drive a cultural shift.

    Implement and Mature Your User Experience Design Practice

    • Create a practice that is focused on human outcomes; it starts and ends with the people you are designing for. This includes:
      • Establishing a practice with a common vision.
      • Enhancing the practice through four design factors.
      • Communicating a roadmap to improve your business through design.

    Works cited

    "2021 State of Digital Accessibility." Level Access, n.d. Accessed 10 Aug. 2022
    "Apple Canada Accessibility Policy & Plan." Apple Canada, 11 March 2019. .
    Casey, Caroline. "Do Your D&I Efforts Include People With Disabilities?" Harvard Business Review, 19 March 2020. Accessed 28 July 2022.
    Digitalisation World. "Organisations failing to meet digital accessibility standards." Angel Business Communications, 19 May 2022. Accessed Oct. 2022.
    "disability." Merriam-Webster.com Dictionary, Merriam-Webster, . Accessed 10 Aug. 2022.
    "Disability." World Health Organization, 2022. Accessed 10 Aug 2022.
    "Google Canada Corporation Accessibility Policy and Multi Year Plan." Google Canada, June 2020. .
    Hypercontext. "The State of High Performing Teams in Tech 2022." Hypercontext. 2022..
    Lay-Flurrie, Jenny. "Accessibility Evolution Model: Creating Clarity in your Accessibility Journey." Microsoft, 2023. <https://blogs.microsoft.com/accessibility/accessibility-evolution-model/>.
    Maguire, Jennifer. "Applause 2022 Global Accessibility Survey Reveals Organizations Prioritize Digital Accessibility but Fall Short of Conformance with WCAG 2.1 Standards." Business Wire, 19 May 2022. . Accessed 2 January 2023.
    "The Business Case for Digital Accessibility." W3C Web Accessibility Initiative (WAI), 9 Nov. 2018. Accessed 4 Aug. 2022.
    "THESCORE's Commitment to Accessibility." theScore, May 2021. .
    "The WebAIM Million." Web AIM, 31 March 2022. Accessed 28 Jul. 2022.
    Washington, Ella F. "The Five Stages of DEI Maturity." Harvard Business Review, November - December 2022. Accessed 7 Nov. 2022.
    Web AIM. "The WebAIM Million." Institute for Disability Research, Policy, and Practice, 31 March 2022. Accessed 28 Jul. 2022.

    Design Data-as-a-Service

    • Buy Link or Shortcode: {j2store}129|cart{/j2store}
    • member rating overall impact: 9.5/10 Overall Impact
    • member rating average dollars saved: $1,007 Average $ Saved
    • member rating average days saved: 31 Average Days Saved
    • Parent Category Name: Data Management
    • Parent Category Link: /data-management
    • Lack of a consistent approach in accessing internal and external data within the organization and sharing data with third parties.
    • Data consumed by most organizations lacks proper data quality, data certification, standards tractability, and lineage.
    • Organizations are looking for guidance in terms of readily accessible data from others and data that can be shared with others or monetized.

    Our Advice

    Critical Insight

    • Despite data being everywhere, most organizations struggle to find accurate, trustworthy, and meaningful data when required.
    • Connecting to data should be as easy as connecting to the internet. This is achievable if all organizations start participating in the data marketplace ecosystem by leveraging a Data-as-a-Service (DaaS) framework.

    Impact and Result

    • Data marketplaces facilitate data sharing between the data producer and the data consumer. The data product must be carefully designed to truly benefit in today’s connected data ecosystem.
    • Follow Info-Tech’s step-by-step approach to establish your DaaS framework:
      1. Understand Data Ecosystem
      2. Design Data Products
      3. Establish DaaS framework

    Design Data-as-a-Service Research & Tools

    Start here – Read the Executive Brief

    Read our concise Executive Brief to find out why you should design Data-as-a-Service (DaaS), review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Understand data ecosystem

    Provide clear benefits of adopting the DaaS framework and solid rationale for moving towards a more connected data ecosystem and avoiding data silos.

    • Design Data-as-a-Service – Phase 1: Understand Data Ecosystem

    2. Design data product

    Leverage design thinking methodology and templates to document your most important data products.

    • Design Data-as-a-Service – Phase 2: Design Data Product

    3. Establish a DaaS framework

    Capture internal and external data sources critical to data products success for the organization and document an end-to-end DaaS framework.

    • Design Data-as-a-Service – Phase 3: Establish a DaaS Framework
    [infographic]

    Workshop: Design Data-as-a-Service

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Data Marketplace and DaaS Explained

    The Purpose

    The purpose of this module is to provide a clear understanding of the key concepts such as data marketplace, data sharing, and data products.

    Key Benefits Achieved

    This module will provide clear benefits of adopting the DaaS framework and solid rationale for moving towards a more connected data ecosystem and avoiding data silos.

    Activities

    1.1 Review the business context

    1.2 Understand the data ecosystem

    1.3 Draft products ideas and use cases

    1.4 Capture data product metrics

    Outputs

    Data product ideas

    Data sharing use cases

    Data product metrics

    2 Design Data Product

    The Purpose

    The purpose of this module is to leverage design thinking methodology and templates to document the most important data products.

    Key Benefits Achieved

    Data products design that incorporates end-to-end customer journey and stakeholder map.

    Activities

    2.1 Create a stakeholder map

    2.2 Establish a persona

    2.3 Data consumer journey map

    2.4 Document data product design

    Outputs

    Data product design

    3 Assess Data Sources

    The Purpose

    The purpose of this module is to capture internal and external data sources critical to data product success.

    Key Benefits Achieved

    Break down silos by integrating internal and external data sources

    Activities

    3.1 Review the conceptual data model

    3.2 Map internal and external data sources

    3.3 Document data sources

    Outputs

    Internal and external data sources relationship map

    4 Establish a DaaS Framework

    The Purpose

    The purpose of this module is to document end-to-end DaaS framework.

    Key Benefits Achieved

    End-to-end framework that breaks down silos and enables data product that can be exchanged for long-term success.

    Activities

    4.1 Design target state DaaS framework

    4.2 Document DaaS framework

    4.3 Assess the gaps between current and target environments

    4.4 Brainstorm initiatives to develop DaaS capabilities

    Outputs

    Target DaaS framework

    DaaS initiative

    Stabilize Release and Deployment Management

    • Buy Link or Shortcode: {j2store}453|cart{/j2store}
    • member rating overall impact: 9.6/10 Overall Impact
    • member rating average dollars saved: $38,699 Average $ Saved
    • member rating average days saved: 37 Average Days Saved
    • Parent Category Name: Operations Management
    • Parent Category Link: /i-and-o-process-management

    Lack of control over the release process, poor collaboration between teams, and manual deployments lead to poor quality releases at a cost to the business.

    Our Advice

    Critical Insight

    • Manage risk. Release management should stabilize the IT environment. A poorly designed release can take down the whole business. Rushing releases out the door leads to increased risk for the business.
    • Quality processes are key. Standardized process will enable your release and deployment management teams to have a framework to deploy new releases with minimal chance of costly downtime further down the production chain.
    • Business must own the process. Release managers need oversight of the business to remain good stewards of the release management process.

    Impact and Result

    • Be prepared with a release management policy. With vulnerabilities discovered and published at an alarming pace, organizations have to build a plan to address and fix them quickly. A detailed release and patch policy should map out all the logistics of the deployment in advance, so that when necessary, teams can handle rollouts like a well-oiled machine.
    • Automate your software deployment and patch management strategy. Replace tedious and time-consuming manual processes with the use of automated release and patch management tools. Some organizations have a variety of release tools for various tasks and processes to ensure all or most of the required processes are covered across a diverse development environment.
    • Test deployments and monitor your releases. Larger organizations may have the luxury of a test environment prior to deployment, but that may be cost prohibitive for smaller organizations. If resources are a constraint, roll out the patch gradually and closely monitor performance to be able to quickly revert in the event of an issue.

    Stabilize Release and Deployment Management Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should control and stabilize your release and deployment management practice while improving the quality of releases and deployments, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Analyze current state

    Begin improving release management by assessing the current state and gaining a solid understanding of how core operational processes are actually functioning within the organization.

    • Stabilize Release and Deployment Management – Phase 1: Analyze Current State
    • Release Management Maturity Assessment
    • Release Management Project Roadmap Tool
    • Release Management Workflow Library (Visio)
    • Release Management Workflow Library (PDF)
    • Release Management Standard Operating Procedure
    • Patch Management Policy
    • Release Management Policy
    • Release Management Deployment Tracker
    • Release Management Build Procedure Template

    2. Plan releases and deployments

    Plan releases to gather all the pieces in one place and define what, why, when, and how a release will happen.

    • Stabilize Release and Deployment Management – Phase 2: Release and Deployment Planning

    3. Build, test, deploy

    Take a holistic and comprehensive approach to effectively designing and building releases. Get everything right the first time.

    • Stabilize Release and Deployment Management – Phase 3: Build, Test, Deploy

    4. Measure, manage, improve

    Determine desired goals for release management to ensure both IT and the business see the benefits of implementation.

    • Stabilize Release and Deployment Management – Phase 4: Measure, Manage, Improve
    [infographic]

    Workshop: Stabilize Release and Deployment Management

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Analyze Current State

    The Purpose

    Release management improvement begins with assessment of the current state.

    Key Benefits Achieved

    A solid understanding of how core operational processes are actually functioning within the organization.

    Activities

    1.1 Evaluate process maturity.

    1.2 Assess release management challenges.

    1.3 Define roles and responsibilities.

    1.4 Review and rightsize existing policy suite.

    Outputs

    Maturity Assessment

    Release Management Policy

    Release Management Standard Operating Procedure

    Patch Management Policy

    2 Release Management Planning

    The Purpose

    In simple terms, release planning puts all the pertinent pieces in one place.

    Key Benefits Achieved

    It defines the what, why, when, and how a release will happen.

    Activities

    2.1 Design target state release planning process.

    2.2 Define, bundle, and categorize releases.

    2.3 Standardize deployment plans and models.

    Outputs

    Release Planning Workflow

    Categorization and prioritization schemes

    Deployment models aligned to release types

    3 Build, Test, and Deploy

    The Purpose

    Take a holistic and comprehensive approach to effectively designing and building releases.

    Key Benefits Achieved

    Standardize build and test procedures to begin to drive consistency.

    Activities

    3.1 Standardize build procedures for deployments.

    3.2 Standardize test plans aligned to release types.

    Outputs

    Build procedure for hardware and software releases

    Test models aligned to deployment models

    4 Measure, Manage, and Improve

    The Purpose

    Determine and define the desired goals for release management as a whole.

    Key Benefits Achieved

    Agree to key metrics and success criteria to start tracking progress and establish a post-deployment review process to promote continual improvement.

    Activities

    4.1 Determine key metrics to track progress.

    4.2 Establish a post-deployment review process.

    4.3 Understand and define continual improvement drivers.

    Outputs

    List of metrics and goals

    Post-deployment validation checklist

    Project roadmap

    Improve IT-Business Alignment Through an Internal SLA

    • Buy Link or Shortcode: {j2store}455|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Operations Management
    • Parent Category Link: /i-and-o-process-management
    • The business is rarely satisfied with IT service levels, yet there is no clear definition of what is acceptable.
    • Dissatisfaction with service levels is often based on perception. Your uptime might be four 9s, but the business only remembers the outages.
    • IT is left trying to hit a moving target with a limited budget and no agreement on where services levels need to improve.

    Our Advice

    Critical Insight

    • Business leaders have service level expectations regardless of whether there is a formal agreement. The SLA process enables IT to manage those expectations.
    • Track current service levels and report them in plain language (e.g. hours and minutes of downtime, not “how many 9s” which then need to be translated) to gain a clearer mutual understanding of current versus desired service levels.
    • Use past incidents to provide context (how much that hour of downtime actually impacted the business) in addition to a business impact analysis to define appropriate target service levels based on actual business need.

    Impact and Result

    Create an effective internal SLA by following a structured process to report current service levels and set realistic expectations with the business. This includes:

    • Defining the current achievable service level by establishing a metrics tracking and monitoring process.
    • Determining appropriate (not ideal) business needs.
    • Creating an SLA that clarifies expectations to reduce IT-business friction.

    Improve IT-Business Alignment Through an Internal SLA Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should create an internal SLA, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Scope the pilot project

    Establish the SLA pilot project and clearly document the problems and challenges that it will address.

    • Improve IT-Business Alignment Through an Internal SLA – Phase 1: Scope the Pilot Project
    • Internal SLA Process Flowcharts (PDF)
    • Internal SLA Process Flowcharts (Visio)
    • Build an Internal SLA Project Charter Template
    • Internal SLA Maturity Scorecard Tool

    2. Establish current service levels

    Expedite the SLA process by thoroughly, carefully, and clearly defining the current achievable service levels.

    • Improve IT-Business Alignment Through an Internal SLA – Phase 2: Determine Current Service Levels
    • Availability and Reliability SLA Metrics Tracking Template
    • Service Desk SLA Metrics Tracking Template
    • Service Catalog SLA Metrics Tracking Template

    3. Identify target service levels and create the SLA

    Create a living document that aligns business needs with IT targets by discovering the impact of your current service level offerings through a conversation with business peers.

    • Improve IT-Business Alignment Through an Internal SLA – Phase 3: Set Target Service Levels and Create the SLA
    • SLA Project Roadmap Tool
    • Availability Internal Service Level Agreement Template
    • Service Catalog Internal Service Level Agreement Template
    • Service Desk Internal Service Level Agreement Template
    • Internal SLA Executive Summary Presentation Template
    [infographic]

    Deliver a Customer Service Training Program to Your IT Department

    • Buy Link or Shortcode: {j2store}484|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: $4,339 Average $ Saved
    • member rating average days saved: 6 Average Days Saved
    • Parent Category Name: Service Desk
    • Parent Category Link: /service-desk
    • The scope of service that the service desk must provide has expanded. With the growing complexity of technologies to support, it becomes easy to forget the customer service side of the equation. Meanwhile, customer expectations for prompt, frictionless, and exceptional service from anywhere have grown.
    • IT departments struggle to hire and retain talented service desk agents with the right mix of technical and customer service skills.
    • Some service desk agents don’t believe or understand that customer service is an integral part of their role.
    • Many IT leaders don’t ask for feedback from users to know if there even is a customer service problem.

    Our Advice

    Critical Insight

    • There’s a common misconception that customer service skills can’t be taught, so no effort is made to improve those skills.
    • Even when there is a desire to improve customer service, it’s hard for IT teams to make time for training and improvement when they’re too busy trying to keep up with tickets.
    • A talented service desk agent with both great technical and customer service skills doesn’t have to be a rare unicorn, and an agent without innate customer service skills isn’t a lost cause. Relevant and impactful customer service habits, techniques, and skills can be taught through practical, role-based training.
    • IT leaders can make time for this training through targeted, short modules along with continual on-the-job coaching and development.

    Impact and Result

    • Good customer service is critical to the success of the service desk. How a service desk treats its customers will determine its customers' satisfaction with not only IT but also the company as a whole.
    • Not every technician has innate customer service skills. IT managers need to provide targeted, practical training on what good customer service looks like at the service desk.
    • One training session is not enough to make a change. Leaders must embed the habits, create a culture of engagement and positivity, provide continual coaching and development, regularly gather customer feedback, and seek ways to improve.

    Deliver a Customer Service Training Program to Your IT Department Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should deliver customer service training to your team, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Deliver a Customer Service Training Program to Your IT Department – Executive Brief
    • Deliver a Customer Service Training Program to Your IT Department Storyboard

    1. Deliver customer service training to your IT team

    Understand the importance of customer service training, then deliver Info-Tech's training program to your IT team.

    • Customer Service Training for the Service Desk – Training Deck
    • Customer Focus Competency Worksheet
    • Cheat Sheet: Service Desk Communication
    • Cheat Sheet: Service Desk Written Communication
    [infographic]

    Extend Agile Practices Beyond IT

    • Buy Link or Shortcode: {j2store}175|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Architecture & Strategy
    • Parent Category Link: /architecture-and-strategy
    • Your organization has started to realize benefits from adopting Agile principles and practices. However, these advances are contained within your IT organization.
    • You are seeking to extend Agile development beyond IT into other areas of the organization. You are looking for a coordinated approach aligned to business priorities.

    Our Advice

    Critical Insight

    • Not all lessons from scaling Agile to IT are transferable. IT Agile scaling processes are tailored to IT’s scope, team, and tools, which may not account for diverse attributes within your organization.
    • Control may be necessary for coordination. With increased time-to-value, enforcing consistent cadences, reporting, and communication is a must if teams are not disciplined or lack good governance.
    • Extend Agile in departments tolerant to change. Incrementally roll out Agile in departments where its principles are accepted (e.g. a culture that embraces failures as lessons).

    Impact and Result

    • Complete an assessment of your prior efforts to scale Agile across IT to gauge successful, consistent adoption. Identify the business objectives and the group drivers that are motivating the extension of Agile to the business.
    • Understand the challenges that you may face when extending Agile to business partners. Investigate the root causes of existing issues that can derail your efforts.
    • Ideate solutions to your scaling challenges and envision a target state for your growing Agile environment. Your target state should realize new opportunities to drive more business value and eliminate current activities driving down productivity.
    • Coordinate the implementation and execution of your scaling Agile initiatives with an implementation action plan. This collaborative document will lay out the process, roles, goals, and objectives needed to successfully manage your Agile environment.

    Extend Agile Practices Beyond IT Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should extend Agile practices to improve product delivery, review Info-Tech’s methodology, and understand the ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Assess your readiness to scale agile vertically

    Assess your readiness to scale Agile vertically by identifying and mitigating potential Agile maturity gaps remaining after scaling Agile across your IT organization.

    • Extend Agile Practices Beyond IT – Phase 1: Assess Your Readiness to Scale Agile Vertically
    • Agile Maturity Assessment Tool

    2. Establish an enterprise scaled agile framework

    Complete an overview of various scaled Agile models to help you develop your own customized delivery framework.

    • Extend Agile Practices Beyond IT – Phase 2: Establish an Enterprise Scaled Agile Framework
    • Framework Selection Tool

    3. Create your implementation action plan

    Determine the effort and steps required to implement your extended delivery framework.

    • Extend Agile Practices Beyond IT – Phase 3: Create Your Implementation Action Plan
    [infographic]

    Workshop: Extend Agile Practices Beyond IT

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Assess Current State of Agile Maturity

    The Purpose

    Assess your readiness to scale Agile vertically.

    Identify and mitigate potential Agile maturity gaps remaining after scaling Agile across your IT organization.

    Key Benefits Achieved

    IT Agile maturity gaps identified and mitigated to ensure successful extension of Agile to the business

    Activities

    1.1 Characterize your Agile implementation using the CLAIM model.

    1.2 Assess the maturity of your Agile teams and organization.

    Outputs

    Maturity gaps identified with mitigation requirements

    2 Establish an Enterprise Scaled Agile Framework

    The Purpose

    Complete a review of scaled Agile models to help you develop your own customized delivery framework.

    Key Benefits Achieved

    A customized Agile delivery framework

    Activities

    2.1 Explore various scaled frameworks.

    2.2 Select an appropriate scaled framework for your enterprise.

    2.3 Define the future state of your team and the communication structure of your functional business group.

    Outputs

    Blended framework delivery model

    Identification of team and communication structure impacts resulting from the new framework

    3 Create Your Implementation Action Plan

    The Purpose

    Create your implementation action plan for the new Agile delivery framework.

    Key Benefits Achieved

    A clearly defined action plan

    Activities

    3.1 Define your value drivers.

    3.2 Brainstorm the initiatives that must be completed to achieve your target state.

    3.3 Estimate the effort of your Agile initiatives.

    3.4 Define your Agile implementation action plan.

    Outputs

    List of target state initiatives

    Estimation of effort to achieve target state

    An implementation action plan

    Modernize Your Microsoft Licensing for the Cloud Era

    • Buy Link or Shortcode: {j2store}304|cart{/j2store}
    • member rating overall impact: 9.1/10 Overall Impact
    • member rating average dollars saved: $102,414 Average $ Saved
    • member rating average days saved: 10 Average Days Saved
    • Parent Category Name: Licensing
    • Parent Category Link: /licensing
    • Microsoft licensing is complicated. Often, the same software can be licensed a number of ways. It’s difficult to know which edition and licensing model is best.
    • Licensing and features often change with the release of new software versions, compounding the problem by making it difficult to stay current.
    • In tough economic times, IT is asked to reduce capital and operating expenses wherever possible. As one of the top five expense items in most enterprise software budgets, Microsoft licensing is a primary target for cost reduction.

    Our Advice

    Critical Insight

    • Focus on needs first. Conduct a thorough needs assessment and document the results. Well-documented needs will be your best asset in navigating Microsoft licensing and negotiating your agreement.
    • Beware the bundle. Be aware when purchasing the M365 suite that there is no way out. Negotiating a low price is critical, as all leverage swings to Microsoft once it is on your agreement.
    • If the cloud doesn’t fit, be ready to pay up or start making room. Microsoft has drastically reduced discounting for on-premises products, support has been reduced, and product rights have been limited. If you are planning to remain on premises, be prepared to pay up.

    Impact and Result

    • Understand what your organization needs and what your business requirements are. It’s always easier to purchase more later than try to reduce your spend.
    • Complete cost calculations carefully, as the cloud might end up costing significantly more for the desired feature set. However, in some scenarios, it may be more cost efficient for organizations to license in the cloud.
    • If there are significant barriers to cloud adoption, discuss and document them. You’ll need this documentation in three years when it’s time to renew your agreement.

    Modernize Your Microsoft Licensing for the Cloud Era Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Modernize Your Microsoft Licensing Deck – A deck to help you build a strategy for your Microsoft licensing renewal.

    This storyboard will help you build a strategy for your Microsoft licensing renewal from conducting a thorough needs assessment to examining your licensing position, evaluating Microsoft's licensing options, and negotiations.

    • Modernize Your Microsoft Licensing for the Cloud Era – Phases 1-4

    2. Microsoft Cloud Products Cost Modeler – A tool to model estimated costs for Microsoft's cloud products.

    The Microsoft Cloud Products Cost Modeler will provide a rough estimate of what you can expect to pay for Office 365 or Dynamics CRM licensing, before you enter into negotiations. This is not your final cost, but it will give you an idea.

    • Microsoft Cloud Products Cost Modeler

    3. Microsoft Licensing Purchase Reference Guide - A template to capture licensing stakeholder information, proposed changes to licensing, and negotiation items.

    The Microsoft Licensing Purchase Reference Guide can be used throughout the process of licensing review: from initial meetings to discuss compliance state and planned purchases, to negotiation meetings with resellers. Use it in conjunction with Info-Tech's Microsoft Licensing Effective License Position Template.

    • Microsoft Licensing Purchase Reference Guide

    4. Negotiation Timeline for Microsoft – A template to navigate your negotiations with Microsoft.

    This tool will help you plot out your negotiation timeline, depending on where you are in your contract negotiation process.

  • 6-12 months
  • Less than 3 months
    • Negotiation Timeline for Microsoft – Visio
    • Negotiation Timeline for Microsoft – PDF

    5. Effective Licensing Position Tool – A template to help you create an effective licensing position and determine your compliance position.

    This template helps organizations to determine the difference between the number of software licenses they own and the number of software copies deployed. This is known as the organization’s effective license position (ELP).

    • Effective Licensing Position Tool
    [infographic]

    Define Your Digital Business Strategy

    • Buy Link or Shortcode: {j2store}55|cart{/j2store}
    • member rating overall impact: 9.0/10 Overall Impact
    • member rating average dollars saved: $83,641 Average $ Saved
    • member rating average days saved: 26 Average Days Saved
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation
    • Your organizational digital business strategy sits on the shelf because it fails to guide implementation.
    • Your organization has difficulty adapting new technologies or rethinking their existing business models.
    • Your organization lacks a clear vision for the digital customer journey.
    • Your management team lacks a framework to rethink how your organization delivers value today, which causes annual planning to become an ideation session that lacks focus.

    Our Advice

    Critical Insight

    • Pre-pandemic digital strategies have been primarily focused on automation. However, your post-pandemic digital strategy must focus on driving resilience for growth opportunities.

    Impact and Result

    • Design a strategy that applies innovation to your business model, streamline and transform processes, and make use of technologies to enhance interactions with customers and employees.
    • Use digital for transforming non-routine cognitive activities and for derisking key elements of the value chain.
    • Create a balanced roadmap that improves digital maturity and prepares you for long-term success in a digital economy.

    Define Your Digital Business Strategy Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Digital Business Strategy Deck – A step-by-step document that walks you through how to identify top value chains and a digitally enabled growth opportunity, transform stakeholder journeys, and build a digital transformation roadmap.

    This blueprint guides you through a value-driven approach to digital transformation that allows you to identify what aspects of the business to transform, what technologies to embrace, what processes to automate, and what new business models to create. This approach to digital transformation unifies digital possibilities with your customer experiences.

    • Define Your Digital Business Strategy – Phases 1-4

    2. Digital Business Strategy Workbook – A tool to guide you in planning and prioritizing projects to build an effective digital business strategy.

    This tool guides you in planning and prioritizing projects to build an effective digital business strategy. Key activities include conducting a horizon scan, conducting a journey mapping exercise, prioritizing opportunities from a journey map, expanding opportunities into projects, and lastly, building the digital transformation roadmap using a Gantt chart visual to showcase project execution timelines.

    • Digital Strategy Workbook

    3. Digital Business Strategy Final Report Template – Use this template to capture the synthesized content from outputs of the activities.

    This deck is a visual presentation template for this blueprint. The intent is to capture the contents of the activities in a presentation PowerPoint. It uses sample data from “City of X” to demonstrate the digital business strategy.

    • Digital Business Strategy Final Report Template
    [infographic]

    Workshop: Define Your Digital Business Strategy

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Identify Two Existing Value Chains

    The Purpose

    Understand how your organization creates value today.

    Key Benefits Achieved

    Identify opportunities for digital transformation in how you currently deliver value today.

    Activities

    1.1 Validate business context.

    1.2 Assess business ecosystem.

    1.3 Identify and prioritize value streams.

    1.4 Break down value stream into value chains.

    Outputs

    Business context

    Overview of business ecosystem

    Value streams and value chains

    2 Identify a Digitally Enabled Growth Opportunity

    The Purpose

    Leverage strategic foresight to evaluate how complex trends can evolve over time and identify opportunities to leapfrog competitors.

    Key Benefits Achieved

    Identify a leapfrog idea to sidestep competitors.

    Activities

    2.1 Conduct a horizon scan.

    2.2 Identify leapfrog ideas.

    2.3 Identify impact to existing or new value chains.

    Outputs

    One leapfrog idea

    Corresponding value chain

    3 Transform Stakeholder Journeys

    The Purpose

    Design a journey map to empathize with your customers and identify opportunities to streamline or enhance existing and new experiences.

    Key Benefits Achieved

    Identify a unified view of customer experience.

    Identify opportunities to automate non-routine cognitive tasks.

    Identify gaps in value delivery.

    Improve customer journey.

    Activities

    3.1 Identify stakeholder persona.

    3.2 Identify journey scenario.

    3.3 Conduct one journey mapping exercise.

    3.4 Identify opportunities to improve stakeholder journey.

    3.5 Break down opportunities into projects.

    Outputs

    Stakeholder persona

    Stakeholder scenario

    Journey map

    Journey-based projects

    4 Build a Digital Transformation Roadmap

    The Purpose

    Build a customer-centric digital transformation roadmap.

    Key Benefits Achieved

    Keep your team on the same page with key projects, objectives, and timelines.

    Activities

    4.1 Prioritize and categorize initiatives.

    4.2 Build roadmap.

    Outputs

    Digital goals

    Unified roadmap

    Further reading

    Define Your Digital Business Strategy

    After a major crisis, find your place in the digital economy.

    Info-Tech Research Group

    Info-Tech is a provider of best-practice IT research advisory services that make every IT leader’s job easier.

    35,000 members sharing best practices you can leverage

    Millions spent developing tools and templates annually

    Leverage direct access to over 100 analysts as an extension of your team

    Use our massive database of benchmarks and vendor assessments

    Get up to speed in a fraction of the time

    Analyst Perspective

    Build business resilience and prepare for a digital economy.

    This is a picture of Senior Research Analyst, Dana Daher

    Dana Daher
    Senior Research Analyst

    To survive one of the greatest economic downturns since the Great Depression, organizations had to accelerate their digital transformation by engaging with the Digital Economy. To sustain growth and thrive as the pandemic eases, organizations must focus their attention on building business resilience by transforming how they deliver value today.
    This requires a value-driven approach to digital transformation that is capable of identifying what aspects of the business to transform, what technologies to embrace, what processes to automate, and what new business models to create. And most importantly, it needs to unify digital possibilities with your customer experiences.
    If there was ever a time for an organization to become a digital business, it is today.

    Executive Summary

    Your Challenge

    • Your organization has difficulty adapting new technologies or rethinking the existing business models.
    • Your management lacks a framework to rethink how your organization delivers value today, which causes annual planning to become an ideation session that lacks focus.
    • There is uncertainty on how to meet evolving customer needs and how to compete in a digital economy.

    Common Obstacles

    • Your organization might approach digital transformation as if we were still in 2019, not recognizing that the pandemic resulted in a major shift to an end-to-end digital economy.
    • Your senior-most leadership thinks digital is "IT's problem" because digital is viewed synonymously with technology.
    • On the other hand, your IT team lacks the authority to make decisions without the executives’ involvement in the discussion around digital.

    Info-Tech’s Approach

    • Design a strategy that applies innovation to your business model, streamline and transform processes, and make use of technologies to enhance interactions with customers and employees.
    • Use digital for transforming non-routine cognitive activities and for de-risking key elements of the value chain.
    • Create a balanced roadmap that improves digital maturity and prepares you for long-term success in a digital economy.

    Info-Tech Insight

    After a major crisis, focus on restarting the growth engine and bolstering business resilience.

    Your digital business strategy aims to transform the business

    Digital Business Strategy

    • Looks for ways to transform the business by identifying what technologies to embrace, what processes to automate, and what new business models to create.
    • Unifies digital possibilities with your customer experiences.
    • Accountability lies with the executive leadership.
    • Must involve cross-functional participation from senior management from the different areas of the organization.

    IT Strategy

    • Aims to identify how to change, fix, or improve technology in support of the organization’s business strategy.
    • Accountability lies with the CIO.
    • Must involve IT management and gather strategic input from the business.

    Becoming a digital business

    Automate tasks to free up time for innovation.

    Business activities (tasks, procedures, and processes, etc.) are used to create, sell, buy, and deliver goods and services.

    When we convert information into a readable format used by computers, we call this digitization (e.g. converting paper into digital format). When we convert these activities into a format to be processed by a computer, we have digitalization (e.g. scheduling appointments online).

    These two processes alter how work takes place in an organization and form the foundation of the concept digital transformation.

    We maintain that digital transformation is all about becoming a “digital business” – an organization that performs more than 66% of all work activities via executable code.

    As organizations take a step closer to this optimal state, new avenues are open to identify advances to promote growth, enhance customer experiences, secure sustainability, drive operational efficiencies, and unearth potential future business ventures.

    Key Concepts:

    Digital: The representation of a physical item in a format used by computers

    Digitization: Conversion of information and processes into a digital format

    Digitalization: Conversion of information into a format to be processed by a computer

    Why transform your business?

    COVID-19 has irrefutably changed livelihoods, businesses, and the economy. During the pandemic, digital tools have acted as a lifeline, helping businesses and economies survive, and in the process, have acted as a catalyst for digital transformation.

    As organizations continue to safeguard business continuity and financial recovery, in the long term, recovery won’t be enough.

    Although many pandemic/recession recovery periods have occurred before, this next recovery period will present two first-time challenges no one has faced before. We must find ways to:

    • Recover from the COVID-19 recession.
    • Compete in a digital economy.

    To grow and thrive in this post-pandemic world, organizations must provide meaningful and lasting changes to brace for a future defined by digital technologies. – Dana Daher, Info-Tech Research Group

    We are amid an economic transformation

    What we are facing today is a paradigm shift transforming the ways in which we work, live, and relate to one another.

    In the last 60 years alone, performance and productivity have been vastly improved by IT in virtually all economic activities and sectors. And today, digital technologies continue to advance IT's contribution even further by bringing unprecedented insights into economic activities that have largely been untouched by IT.

    As technological innovation and the digitalization of products and services continue to support economic activities, a fundamental shift is occurring that is redefining how we live, work, shop, and relate to one another.

    These rapid changes are captured in a new 21st century term:

    The Digital Economy.

    90% of CEOs believe the digital economy will impact their industry. But only 25% have a plan in place. – Paul Taylor, Forbes, 2020

    Analyst Perspective

    Become a Digital Business

    this is a picture of Research Fellow, Kenneth McGee

    Kenneth McGee
    Research Fellow

    Today, the world faces two profoundly complex, mega-challenges simultaneously:

    1. Ending the COVID-19 pandemic and recession.
    2. Creating strategies for returning to business growth.

    Within the past year, healthcare professionals have searched for and found solutions that bring real hope to the belief the global pandemic/recession will soon end.

    As progress towards ending COVID-19 continues, business professionals are searching for the most effective near-term and long-term methods of restoring or exceeding the rates of growth they were enjoying prior to 2020.

    We believe developing a digital business strategy can deliver cost savings to help achieve near-term business growth while preparing an enterprise for long-term business growth by effectively competing within the digital economy of the future.

    The Digital Economy

    The digital economy refers to a concept in which all economic activity is facilitated or managed through digital technologies, data, infrastructure, services, and products (OECD, 2020).

    The digital economy captures decades of digital trends including:

    • Declining enterprise computing costs
    • Improvements in computing power and performance; unprecedent analytic capabilities
    • Rapid growth in network speeds, affordability, and geographic reach
    • High adoption rates of PCs, mobile, and other computing devices

    These trends among others have set the stage to permanently alter how buying and selling will take place within and between local, regional, national, and international economies.

    The emerging digital economy concept is so compelling that the world economists, financial experts, and others are currently investigating how they must substantially rewrite the rules governing how taxes, trade, tangible and intangible assets, and countless other financial issues will be assessed and valued in a digital economy.

    Download Info-Tech’s Digital Economy Report

    Signals of Change

    60%
    of People on Earth Use the Internet
    (DataReportal, 2021)
    20%
    of Global Retail Sales Performed via E-commerce
    (eMarketer, 2021)
    6.64T
    Global Business-to-Business
    E-commerce Market
    (Derived from The Business Research Company, 2021)
    9.6%
    of US GDP ($21.4T) accounted for by the digital economy ($2.05T)
    (Bureau of Economic Analysis, 2021)

    The digital economy captures technological developments transforming the way in which we live, work, and socialize

    Technological evolution

    this image contains a timeline of technological advances, from computers and information technology, to the digital economy of the future

    Info-Tech’s approach to digital business strategy

    A path to thrive in a digital economy.

    1. Identify top value chains to be transformed
    2. Identify a digitally enabled growth opportunity
    3. Transform stakeholder journeys
    4. Build a digital transformation roadmap

    Info-Tech Insight

    Pre-pandemic digital strategies have been primarily focused on automation. However, your post-pandemic digital strategy must focus on driving resilience for growth opportunities.

    The Info-Tech difference:

    • Understand how your organization creates value today to identify opportunities for digital transformation.
    • Leverage strategic foresight to evaluate how complex trends can evolve over time and identify opportunities to leapfrog competitors.
    • Design a journey map to empathize with your customers and identify opportunities to streamline or enhance existing and new experiences.
    • Create a balanced roadmap that improves digital maturity and prepares you for long-term success in a digital economy.

    A digital transformation starts by transforming how you deliver value today

    As digital transformation is an effort to transform how you deliver value today, it is important to understand the different value-generating activities that deliver an outcome for and from your customers.

    We do this by looking at value streams –which refer to the specific set of activities an industry player undertakes to create and capture value for and from the end consumer (and so the question to ask is, how do you make money as an organization?).

    Our approach helps you to digitally transform those value streams that generate the most value for your organization.

    Higher Education Value stream

    Recruitment → Admission → Student Enrolment → Instruction & Research → Graduation → Advancement

    Local Government Value Stream

    Sustain Land, Property, and the Environment → Facilitate Civic Engagement → Protect Local Health and Safety → Grow the Economy → Provide Regional Infrastructure

    Manufacturing Value Stream

    Design Product → Produce Product → Sell Product

    Visit Info-Tech’s Industry Coverage Research to identify your industry’s value streams

    Assess your external environment to identify new value generators

    Assessing your external environment allows you to identify trends that will have a high impact on how you deliver value today.

    Traditionally, a PESTLE analysis is used to assess the external environment. While this is a helpful tool, it is often too broad as it identifies macro trends that are not relevant to an organization's addressable market. That is because not every factor that affects the macro environment (for example, the country of operation) affects a specific organization’s industry in the same way.

    And so, instead of simply assessing the macro environment and trying to project its evolution along the PESTLE factors, we recommend to:

    • Conduct a PESTLE first and deduce, from the analysis, what are possible shifts in six characteristics of an organization’s industry, or
    • Proceed immediately with identifying evolutionary trends that impact the organization’s direct market.

    the image depicts the relationship of factors from the Macro Environment, to the Industry/Addressable Market, to the Organization. the macro environmental factors are Political; Economic; Social; Technological; Legal; and Environmental. the Industry/addressable market factors are the Customer; Talent; Regulation; technology and; Supply chain.

    Info-Tech Insight

    While PESTLE is helpful to scan the macro environment, the analysis often lacks relevance to an organization’s industry.

    An analysis of evolutionary shifts in five industry-specific characteristics would be more effective for identifying trends that impact the organization

    A Market Evolution Trend Analysis (META) identifies changes in prevailing market conditions that are directly relevant to an organization’s industry, and thus provides some critical input to the strategy design process, since these trends can bring about strategic risks or opportunities.
    Shifts in these five characteristics directly impact an organization:

    ORGANIZATION

    • Customer Expectations
    • Talent Availability
    • Regulatory System
    • Supply Chain Continuity
    • Technological Landscape

    Capture existing and new value generators through a customer journey map

    As we prioritize value streams, we break them down into value chains – that is the “string” of processes that interrelate that work.

    However, once we identify these value chains and determine what parts we wish to digitally transform, we take on the perspective of the user, as the way they interact with your products and services will be different to the view of those within the organization who implement and provide those services.

    This method allows us to build an empathetic and customer-centric lens, granting the capability to uncover challenges and potential opportunities. Here, we may define new experiences or redesign existing ones.

    This image contains an example of how a school might use a value chain and customer journey map. the value streams listed include: Recruitment; Admission; Student Enrolment; Instruction& Research; Graduation; and Advancement. the Value chain for the Instruction and Research Value stream. The value chain includes: Research; Course Creation, Delivery, and assessment. The Customer journey map for curricula delivery includes: Understanding the needs of students; Construct the course material; Deliver course material; Conduct assessment and; Upload Grades into system

    A digital transformation is not just about customer journeys but also about building business resilience

    Pre-pandemic, a digital transformation was primarily focused around improving customer experiences. Today, we are facing a paradigm shift in the way in which we capture the priorities and strategies for a digital transformation.

    As the world grows increasingly uncertain, organizations need to continue to focus on improving customer experience while simultaneously protecting their enterprise value.

    Ultimately, a digital transformation has two purposes:

    1. The classical model – whereby there is a focus on improving digital experiences.
    2. Value protection or the reduction of enterprise risk by systematically identifying how the organization delivers value and digitally transforming it to protect future cashflows and improve the overall enterprise value.
    Old Paradigm New Paradigm
    Predictable regulatory changes with incremental impact Unpredictable regulatory changes with sweeping impact
    Reluctance to use digital collaboration Wide acceptance of digital collaboration
    Varied landscape of brick-and-mortar channels Last-mile consolidation
    Customers value brand Customers value convenience/speed of fulfilment
    Intensity of talent wars depends on geography Broadened battlefields for the war for talent
    Cloud-first strategies Cloud-only strategies
    Physical assets Aggressive asset decapitalization
    Digitalization of operational processes Robotization of operational processes
    Customer experience design as an ideation mechanism Business resilience for value protection and risk reduction

    Key deliverable:

    Digital Business Strategy Presentation Template

    A highly visual and compelling presentation template that enables easy customization and executive-facing content.

    three images are depicted, which contain slides from the Digital Business Strategy presentation template, which will be available in 2022.

    *Coming in 2022

    Blueprint deliverables

    The Digital Business Strategy Workbook supports each step of this blueprint to help you accomplish your goals:

    Initiative Prioritization

    A screenshot from the Initiative Prioritization blueprint is depicted, no words are legible in the image.

    Use the weighted scorecard approach to evaluate and prioritize your opportunities and initiatives.

    Roadmap Gantt Chart

    A screenshot from the Roadmap Gantt Chart blueprint is depicted, no words are legible in the image.

    Populate your Gantt chart to visually represent your key initiative plan over the next 12 months.

    Journey Mapping Workbook

    A screenshot from the Journey Mapping Workbook blueprint is depicted, no words are legible in the image.

    Populate the journey maps to evaluate a user experience over its end-to-end journey.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 0 Phase 1 Phase 2 Phase 3 Phase 4
    Call #1:
    Discuss business context and customize your organization’s capability map.
    Call #2:
    Assess business ecosystem.
    Call #3:
    Perform horizon scanning and trends identification.
    Call #5:
    Identify stakeholder personas and scenarios.
    Call #7:
    Discuss initiative generation and inputs into roadmap.
    Call #3:
    Identify how your organization creates value.
    Call #4:
    Discuss value chain impact.
    Call #6:
    Complete journey mapping exercise.
    Call #8:
    Summarize results and plan next steps.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
    A typical GI is between 8 to 12 calls over the course of 2 to 4 months.

    Workshop Requirements

    Business Inputs

    Gather business strategy documents and find information on:

    • Business goals
    • Current transformation initiatives
    • Business capabilities to create or enhance
    • Identify top ten revenue and expense generators
    • Identify stakeholders

    Interview the following stakeholders to uncover business context information:

    • CEO
    • CIO

    Download the Business Context Discovery Tool

    Optional Diagnostic

    • Assess your digital maturity (Concierge Service)

    Visit Assess Your Digital Maturity

    Phase 1

    Identify top value chains to be transformed

    • Understand the business
    • Assess your business ecosystem
    • Identify two value chains for transformation

    This phase will walk you through the following activities:

    Understand how your organization delivers value today and identify value chains to be transformed.

    This phase involves the following participants:

    A cross-functional cohort across all levels of the organization.

    Outcomes

    • Business ecosystem
    • Existing value chains to be transformed

    Step 1.1

    Understand the business

    Activities

    • Review business documents.

    Identify top value chains to be transformed

    This step will walk you through the following activities:

    In this section you will gain an understanding of the business context for your strategy.

    This step involves the following participants:

    A cross-functional cohort across levels in the organization.

    Outcomes of this step

    Business Context

    Understand the business context

    Understanding the business context is a must for all strategic initiatives. A pre-requisite to all strategic planning should be to elicit the business context from your business stakeholders.

    Inputs Document(s)/ Method Outputs
    Key stakeholders Strategy Document Stakeholders that are actively involved in, affected by or influence outcome of the organization, e.g. employers, customers, vendors.
    Vision and mission of the organization Website Strategy Document What the organization wants to achieve and how it strives to accomplish those goals.
    Business drivers CEO Interview Inputs and activities that drive the operational and financial results of the organization.
    Key targets CEO Interview Quantitative benchmarks to support strategic goals, e.g. double the enterprise EBITD, improve top-of-mind brand awareness by 15%,
    Strategic investment goals CFO Interview
    Digital Strategy
    Financial investments corresponding with strategic objectives of the organization, e.g. geographic expansion, digital investments.
    Top three value-generating lines of business Financial Document Identification of your top three value-generating products and services or lines of business.
    Goals of the organization over the next 12 months Strategy Document
    Corporate Retreat Notes
    Strategic goals to support the vision, e.g. hire 100 new sales reps, improve product management and marketing.
    Top business initiatives over the next 12 months Strategy Document
    CEO Interview
    Internal campaigns to support strategic goals, e.g. invest in sales team development, expand the product innovation team.
    Business model Strategy Document Products or services that the organization plans to sell, the identified market and customer segments, price points, channels and anticipated expenses.
    Competitive landscape Internal Research Analysis Who your typical or atypical competitors are.

    1.1 Understand the business context

    Objective: Elicit the business context with a careful review of business and strategy documents.

    1. Gather the strategy creation team and review your business context documents. This includes business strategy documents, interview notes from executive stakeholders, and other sources for uncovering the business strategy.
    2. Brainstorm in smaller groups answers to the question you were assigned:
      • What are the strengths and weaknesses of the organization?
      • What are some areas of improvement or opportunity?
      • What does it mean to have a digital business strategy?
    3. Discuss the questions above with participants and document key findings. Share with the group and work through the balanced scorecard questions to complete this exercise.
    4. Document your findings.

    Assess your digital readiness with Info-Tech’s Digital Maturity Assessment

    Input

    • Business Strategy Documents
    • Executive Stakeholder Interviews

    Output

    • Business Context Information

    Materials

    • Collaboration/ Brainstorming Tool (whiteboard, flip chart, digital equivalent)

    Participants

    • Executive Team

    Step 1.2

    Assess your business ecosystem

    Activities

    • Identify disruptors and incumbents.

    Info-Tech Insight

    Your digital business strategy cannot be formulated without a clear vision of the evolution of your industry.

    Identify top value chains to be transformed

    This step will walk you through the following activities:

    In this section, we will assess who the incumbents and disruptors are in your ecosystem and identify who your stakeholders are.

    This step involves the following participants:

    A cross-functional cohort across levels in the organization.

    Outcomes of this step

    Business Ecosystem

    Assess your business ecosystem

    Understand the nature of your competition.

    Learn what your competitors are doing.

    To survive, grow, or transform in today's digital era, organizations must first have a strong pulse on their business ecosystem. Learning what your competitors are doing to grow their bottom line is key to identifying how to grow your own. Start by understanding who the key incumbents and disruptors in your industry are to identify where your industry is heading.

    Incumbents: These are established leaders in the industry that possess the largest market share. Incumbents often focus their attention to their most demanding or profitable customers and neglect the needs of those down market.

    Disruptors: Disruptors are primarily new entrants (typically startups) that possess the ability to displace the existing market, industry, or technology. Disruptors are often focused on smaller markets that the incumbents aren’t focused on. (Clayton Christenson, 1997)

    An image is shown demonstrating the relationship within an industry between incumbents, disruptors, and the organization. The incumbents are represented by two large purple circles. The disruptors are represented by 9 smaller blue circles, which represent smaller individual customer bases, but overall account for a larger portion of the industry.

    ’Disruption’ specifically refers to what happens when the incumbents are so focused on pleasing their most profitable customers that they neglect or misjudge the needs of their other segments.– Ilan Mochari, Inc., 2015

    Example Business Ecosystem Analysis

    Business Target Market & Customer Product/Service & Key Features Key Differentiators Market Positioning
    University XYZ
    • Local Students
    • Continuous Learner
    • Certificate programs
    • Associate degrees
    • Strong engineering department with access to high-quality labs
    • Strong community impact
    Affordable education with low tuition cost and access to bursaries & scholarships.
    University CDE University CDE
    • Local students
    • International students
    • Continuous learning students
    • Continuous learning offerings (weekend classes)
    • Strong engineering program
    • Strong continuous learning programs
    Outcome focused university with strong co-ops/internship programs and career placements for graduates
    University MNG
    • Local students
    • Non degree, freshman and continuous learning adults
    • Associate degrees
    • Certificate programs (IT programs)
    • Dual credit program
    • More locations/campuses
    • Greater physical presence
    • High web presence
    Nurturing university with small student population and classroom sizes. University attractive to adult learners.
    Disruptors Online Learning Company EFG
    • Full-time employees & executives– (online presence important)
    • Shorter courses
    • Full-time employees & executives– (online presence important)
    Competitive pricing with an open acceptance policy
    University JKL Online Credential Program
    • High school
    • University students
    • Adult learners
    • Micro credentials
    • Ability to acquire specific skills
    Borderless and free (or low cost) education

    1.2 Understand your business ecosystem

    Objective: Identify the incumbents and disruptors in your business ecosystem.

    1. Identify the key incumbents and disruptors in your business ecosystem.
      • Incumbents: These are established leaders in the industry that possess the largest market share.
      • Disruptors: Disruptors are primarily new entrants (startups) that possess the ability to displace the existing market, industry, or technology.
    2. Identify target market and key customers. Who are the primary beneficiaries of your products or service offerings? Your key customers are those who keep you in business, increase profits, and are impacted by your operations.
    3. Identify what their core products or services are. Assess what core problem their products solve for key customers and what key features of their solution support this.
    4. Assess what the competitors' key differentiators are. There are many differentiators that an organization can have, examples include product, brand, price, service, or channel.
    5. Identify what the organization’s value proposition is. Why do customers come to them specifically? Leverage insights from the key differentiators to derive this.
    6. Finally, assess how your organization derives value relative to your competitors.

    Input

    • Market Assessment

    Output

    • Key Incumbents and Disruptors

    Materials

    • Collaboration/ Brainstorming Tool (whiteboard, flip chart, digital equivalent)

    Participants

    • Executive Team

    Step 1.3

    Value-chain prioritization

    Activities

    • Identify and prioritize value chains for innovation.

    Identify top value chains to be transformed

    This step will walk you through the following activities:

    Identify and prioritize how your organization currently delivers value today and identify value chains to be transformed.

    This step involves the following participants:

    A cross-functional cohort across levels in the organization.

    Outcomes of this step

    Prioritized Value Chains

    Determine what value the organization creates

    Identify areas for innovation.

    Value streams and value chains connect business goals to the organization’s value realization activities. They enable an organization to create and capture value in the market place by engaging in a set of interconnected activities. Those activities are dependent on the specific industry segment an organization operates within.

    Different types of value your organization creates

    This an example of a value chain which a school would use to analyze how their organization creates value. The value streams listed include: Recruitment; Admission; Student Enrolment; Instruction& Research; Graduation; and Advancement. the Value chain for the Student enrolment stream is displayed. The value chain includes: Matriculation; Enrolment into a Program and; Unit enrolment.

    Value Streams

    A value stream refers to the specific set of activities an industry player undertakes to create and capture value for and from the end consumer.

    Value Chains

    A value chain is a ”string” of processes within a company that interrelate and work together to meet market demand. Examining the value chain of a company will reveal how it achieves competitive advantage.

    Visit Info-Tech’s Industry Coverage Research to identify value streams

    Begin with understanding your industry’s value streams

    Value Streams

    Recruitment

    • The promotion of the institution and the communication with prospective students is accommodated by the recruitment component.
    • Prospective students are categorized as domestic and international, undergraduate and graduate. Each having distinct processes.

    Admission

    • Admission into the university involves processes distinct from recruitment. Student applications are processed and evaluated and the students are informed of the decision.
    • This component is also concerned with transfer students and the approval of transfer credits.

    Student Enrolment

    • Student enrolment is concerned with matriculation when the student first enters the institution, and subsequent enrolment and scheduling of current students.
    • The component is also concerned with financial aid and the ownership of student records.

    Instruction & Research

    • Instruction involves program development, instructional delivery and assessment, and the accreditation of courses of study.
    • The research component begins with establishing policy and degree fundamentals and concerns the research through to publication and impact assessment.

    Graduation

    • Graduation is not only responsible for the ceremony but also the eligibility of the candidate for an award and the subsequent maintenance of transcripts.

    Advancement

    • Alumni relations are the first responsibility of advancement. This involves the continual engagement with former students.
    • Fundraising is the second responsibility. This includes the solicitation and stewardship of gifts from alumni and other benefactors.

    Value stream defined…

    Value streams connect business goals to the organization’s value realization activities in the marketplace. Those activities are dependent on the specific industry segment in which an organization operates.

    There are two types of value streams: core value streams and support value streams.

    • Core value streams are mostly externally facing. They deliver value to either an external or internal customer and they tie to the customer perspective of the strategy map.
    • Support value streams are internally facing and provide the foundational support for an organization to operate.

    An effective method for ensuring all value streams have been considered is to understand that there can be different end-value receivers.

    Leverage your industry’s capability maps to identify value chains

    Business Capability Map Defined

    A business capability defines what a business does to enable value creation, rather than how. Business capabilities:

    • Represent stable business functions.
    • Are unique and independent of each other.
    • Typically, will have a defined business outcome.

    A capability map is a great starting point to identify value chains within an organization as it is a strong indicator of the processes involved to deliver on the value streams.

    this image contains an example of a business capability map using the value streams identified earlier in this blueprint.

    Info-Tech Insight

    Leverage your industry reference architecture to define value streams and value chains.

    Visit Info-Tech’s Industry Coverage Research to identify value streams

    Prioritize value streams to be supported or enhanced

    Use an evaluation criteria that considers both the human and business value generators that these streams provide.

    two identical value streams are depicted. The right most value stream has Student Enrolment and Instruction Research highlighted in green. between the two streams, are two boxes. In these boxes is the following: Business Value: Profit; Enterprise Value; Brand value. Human Value: Faculty satisfaction; Student satisfaction; Community impact.

    Info-Tech Insight

    To produce maximum impact, focus on value streams that provide two-thirds of your enterprise value.

    Business Value

    Assess the value generators to the business, e.g. revenue dollars, enterprise value, cost or differentiation (competitiveness), etc.

    Human Value

    Assess the value generators to people, e.g. student/faculty satisfaction, well-being, and social cohesion.

    Identify value chains for transformation

    Value chains, pioneered by the academic Michael Porter, refer to the ”string” of processes within a company that interrelate and work together to meet market demand. An organization’s value chain is connected to the larger part of the value stream. This perspective of how value is generated encourages leaders to see each activity as a part of a series of steps required deliver value within the value stream and opens avenues to identify new opportunities for value generation.

    this image depicts two sample value chains for the value streams: student enrolment and Instruction & Research. Each value chain has a stakeholder associated with it. This is the primary stakeholder that seeks to gain value from that value chain.

    Prioritize value chains for transformation

    Once we have identified the key value chains within each value stream element, evaluate the individual processes within the value chain to identify opportunities for transformation. Evaluate the value chain processes based on the level of pain experienced by a stakeholder to accomplish that task, and the financial impact that level of the process has on the organization.

    this image depicts the same value chains as the image above, with a legend showing which steps have a financial impact, which steps have a high degree of risk, and which steps are prioritized for transformation. Matriculation and publishing are shown to have a financial impact. Research foundation is shown to have a high degree of risk, and enrollment into a program and conducting research are prioritized for transformation.

    1.3 Value chain analysis

    Objective: Determine how the organization creates value, and prioritize value chains for innovation.

    1. The first step of delivering value is defining how it will happen. Use the organization’s industry segment to start a discussion on how value is created for customers. Working back from the moment value is realized by the customer, consider the sequential steps required to deliver value in your industry segment.
    2. Define and validate the organization’s value stream. Write a short description of the value stream that includes a statement about the value provided and a clear start and end for the value stream.
    3. Prioritize the value streams based on an evaluation criteria that reflects business and human value generators to the organization.
    4. Identify value chains that are associated with each value stream. The value chains refer to a string of processes within the value stream element. Each value chain also captures a particular stakeholder that benefits from the value chain.
    5. Once we have identified the key value chains within each value stream element, evaluate the individual processes within the value chain and identify areas for transformation. Evaluate the value chain processes based on the level of pain or exposure to risk experienced by a stakeholder to accomplish that task and the financial impact that level of the process has on the organization.

    Visit Info-Tech’s Industry Coverage Research to identify value streams and capability maps

    Input

    • Market Assessment

    Output

    • Key Incumbents and Disruptors

    Materials

    • Collaboration/ Brainstorming Tool (whiteboard, flip chart, digital equivalent)

    Participants

    • Executive Team

    Phase 2

    Identify a digitally enabled growth opportunity

    • Conduct horizon scan
    • Identify leapfrog idea
    • Conduct value chain impact analysis

    This phase will walk you through the following activities:

    Assess trends that are impacting your industry and identify strategic growth opportunities.

    This phase involves the following participants:

    A cross-functional cohort across levels in the organization.

    Outcomes

    Identify new growth opportunities and value chains impacted

    Phase 2.1

    Horizon scanning

    Activities

    • Scan the internal and external environment for trends.

    Info-Tech Insight

    Systematically scan your environment to identify avenues or opportunities to skip one or several stages of technological development and stay ahead of disruption.

    Identify a digitally enabled growth opportunity

    This step will walk you through the following activities:

    Scan the environment for external environment for megatrends, trends, and drivers. Prioritize trends and build a trends radar to keep track of trends within your environment.

    This step involves the following participants:

    A cross-functional cohort across levels in the organization.

    Outcomes of this step

    Growth opportunity

    Horizon scanning

    Understand how your industry is evolving.

    Horizon scanning is a systematic analysis of detecting early signs of future changes or threats.

    Horizon scanning involves scanning, analyzing, and communicating changes in an organization’s environment to prepare for potential threats and opportunities. Much of what we know about the future is based around the interactions and trajectory of macro trends, trends, and drivers. These form the foundations for future intelligence.

    Macro Trends

    A macro trend captures a large-scale transformative trend that could impact your addressable market.

    Trends

    A trend captures a business use case of the macro trend. Consider trends in relation to competitors in your industry.

    Drivers

    A driver is an underlying force causing the trend to occur. There can be multiple causal forces, or drivers, that influence a trend, and multiple trends can be influenced by the same causal force.

    Identify signals of change in the present and their potential future impacts.

    Identifying macro trends

    A macro trend captures a large-scale transformative trend that could change the addressable market. Here are some examples of macro trends to consider when horizon scanning for your own organization:

    Talent Availability

    • Decentralized workforce
    • Hybrid workforce
    • Diverse workforce
    • Skills gap
    • Digital workforce
    • Multigenerational workforce

    Customer Expectations

    • Personalization
    • Digital experience
    • Data ownership
    • Transparency
    • Accessibility

    Technological Landscape

    • AI & robotics
    • Virtual world
    • Ubiquitous connectivity,
    • Genomics
    • Materials (smart, nano, bio)

    Regulatory System

    • Market control
    • Economic shifts
    • Digital regulation
    • Consumer protection
    • Global green

    Supply Chain Continuity

    • Resource scarcity
    • Sustainability
    • Supply chain digitization
    • Circular supply chains
    • Agility

    Identifying trends and drivers

    A trend captures a business use case of a macro trend. Assessing trends can reduce some uncertainties about the future and highlight potential opportunities for your organization. A driver captures the internal or external forces that lead the trend to occur. Understanding and capturing drivers is important to understanding why these trends are occurring and the potential impacts to your value chains.

    This image contains a flow chart, demonstrating the relationship between Macro trends, Trends, and Drivers. in this example, the macro trend is Accessibility. The Trends, or patterns of change, are an increase in demands for micro-credentials, and Preference for eLearning. The Drivers, or the why, are addressing skill gaps for increase in demand for micro-credentials, and Accommodating adult/working learners- for Preference for eLearning.

    Leverage industry roundtables and trend reports to understand the art of the possible

    Uncover important business and industry trends that can inform possibilities for technology innovation.

    Explore trends in areas such as:

    • Machine Learning
    • Citizen Dev 2.0
    • Venture Architecture
    • Autonomous Organizations
    • Self-Sovereign Cloud
    • Digital Sustainability

    Market research is critical in identifying factors external to your organization and identifying technology innovation that will provide a competitive edge. It’s important to evaluate the impact each trend or opportunity will have in your organization and market.

    Visit Info-Tech’s Trends & Priorities Research Center

    Visit Info-Tech’s Industry Coverage Research to identify your industry’s value streams

    this image contains three screenshots from Rethinking Higher Education Report and 2021 Tech Trends Report

    Images are from Info-Tech’s Rethinking Higher Education Report and 2021 Tech Trends Report

    Example horizon scanning activity

    Macro Trends Trends Drivers
    Talent Availability Diversity Inclusive campus culture Systemic inequities
    Hybrid workforce Online learning staff COVID-19 and access to physical institutions
    Customer Expectations Digital experience eLearning for working learners Accommodate adult learners
    Accessibility Micro-credentials for non-traditional students Addressing skills gap
    Technological Landscape Artificial intelligence and robotics AI for personalized learning Hyper personalization
    IoT IoT for monitoring equipment Asset tracking
    Augmented reality Immersive education AR and VR Personalized experiences
    Regulatory System Regulatory System Alternative funding for research Changes in federal funding
    Global Green Environmental and sustainability education curricula Regulatory and policy changes
    Supply Chain Continuity Circular supply chains Vendors recycling outdated technology Sustainability
    Cloud-based solutions Cloud-based eLearning software Convenience and accessibility

    Visit Info-Tech’s Industry Coverage Research to identify your industry’s value streams

    Prioritize trends

    Develop a cross-industry holistic view of trends.

    Visualize emerging and prioritize action.

    Moving from horizon scanning to action requires an evaluation process to determine which trends can lead to growth opportunities. First, we need to make a short list of trends to analyze. For your digital strategy, consider trends on the time horizon that are under 24 months. Next, we need to evaluate the shortlisted opportunities by a second set of criteria: relevance to your organization and impact on industry.

    Timing

    The estimated time to disruption this trend will have for your industry. Assess whether the trend will require significant developments to support its entry into the ecosystem.

    Relevance

    The relevance of the trend to your organization. Does the trend fulfil the vision or goals of the organization?

    Impact

    The degree of impact the trend will have on your industry. A trend with high impact will drive new business models, products, or services.

    Prioritize trends to adopt into your organization

    Prioritize trends based on timing, impact, and relevance.

    Trend Timing
    (S/M/L)
    Impact
    (1-5)
    Relevance
    ( 1-5)
    1. Micro-credentialing S 5 5
    2. IoT-connected devices for personalized experience S 1 3
    3. International partnerships with educational institutions M
    4. Use of chatbots throughout enrollment process L
    5. IoT for energy management of campus facilities L
    6. Gamification of digital course content M
    7. Flexible learning curricula S 4 3
    Deprioritize trends
    that have a time frame
    to disruption of more
    than 24 months.
    this image contains a graph demonstrating the relationship between relevance (x axis) and Impact (Y axis).

    2.1 Scanning the horizon

    Objective: Generate trends

    60 minutes

    • Start by selecting macro trends that are occurring in your environment using the five categories. These are the large-scale transformative trends that impact your addressable market. Macro trends have three key characteristics:
      • They span over a long period of time.
      • They impact all geographic regions.
      • They impact governments, individuals, and organizations.
    • Begin to break down these macro trends into trends. Trends should reflect the direction of a macro trend and capture the pattern in events. Consider trends that directly impact your organization.
    • Understand the drivers behind these trends. Why are they occurring? What is driving them? Understanding the drivers helps us understand the value they may generate.
    • Deprioritize trends that are expected to happen beyond 24 months.
    • Prioritize trends that have a high impact and relevance to the organization.
    • If you identify more than one trend, discuss with the group which trend you would like to pursue and limit it to one opportunity.

    Input

    • Macro Trends
    • Trends

    Output

    • Trends Prioritization

    Materials

    • Digital Strategy Workbook

    Participants

    • Executive Team

    Step 2.2

    Leapfrogging ideation

    Activities

    • Identify leapfrog ideas.
    • Identify impact to value chain.

    Info-Tech Insight

    A systematic approach to leapfrog ideation is one of the most critical ways in which an organization can build the capacity for resilient innovation.

    This step will walk you through the following activities:

    Evaluate trend opportunities and determine the strategic opportunities they pose. You will also work towards identifying the impact the trend has on your value chain.

    This step involves the following participants:

    A cross-functional cohort across levels in the organization.

    Outcomes of this step

    • Strategic growth opportunities
    • Value chain impact

    Leapfrog into the future

    Turn trends into growth opportunities.

    To thrive in the digital age, organizations must innovate big, leverage internal creativity, and prepare for flexibility.

    In this digital era, organizations are often playing catch up to a rapidly evolving technological landscape and following a strict linear approach to innovation. However, this linear catch-up approach does not help companies get ahead of competitors. Instead, organizations must identify avenues to skip one or several stages of technological development to leapfrog ahead of their competitors.

    The best way to predict the future is to invent it. – Alan Kay

    Leapfrogging takes place when an organization introduces disruptive innovation into the market and sidesteps competitors who are unable to mobilize to respond to the opportunities.

    Case Study

    Classroom of the Future

    Higher Education: Barco’s Virtual Classroom at UCL

    University College London (UCL), in the United Kingdom, selected Barco weConnect virtual classroom technology for its continuing professional development medical education offering. UCL uses the platform for synchronous teaching, where remote students can interact with a lecturer.

    One of the main advantages of the system is that it enables direct interaction with students through polls, questions, and whiteboarding. The system also allows you to track student engagement in real time.

    The system has also been leveraged for scientific research and publications. In their “Delphi” process, key opinion leaders were able to collaborate in an effective way to reach consensus on a subject matter. The processes that normally takes months were successfully completed in 48 hours (McCann, 2020).

    Results

    The system has been largely successful and has supported remote, real-time teaching, two-way engagement, engagement with international staff, and an overall enriched teaching experience.

    Funnel trends into leapfrog ideas

    Go from trend insights into ideas.

    Brainstorm ways of generating leapfrog ideas from trend insights.

    Dealing with trends is one of the most important tasks for innovation. It provides the basis of developing the future orientation of the organization. However, being aware of a trend is one thing, to develop strategies for response is another.

    To identify the impact the trend has on the organization, consider the four areas of growth strategies for the organization:

    1. New Customers: Leverage the trend to target new customers for existing products or services.
    2. New Business Models: Adjust the business model to capture a change in how the organization delivers value.
    3. New Markets: Enter or create new markets by applying existing products or services to different problems.
    4. New Product or Service Offerings: Introduce new products or services to the existing market.
    A funnel shaped image is depicted. At the top, at the entrance of the funnel, is the word Trend. At the bottom of the image, at the output of the funnel, is the word Opportunity.

    From trend to leapfrog ideas

    Trend New Customer New Market New Business Model New Product or Service
    What trends pose a high-immediate impact to the organization? Target new customers for existing products or services Enter or create new markets by applying existing products or services to different problems Adjust the business model to capture a change in how the organization delivers value Introduce new products or services to the existing market
    Micro-credentials for non-traditional students Target non-traditional learners/students - Online delivery Introduce mini MBA program

    2.2 Identify and prioritize opportunities

    60 minutes

    1. Gather the prioritized trend identified in the horizon scanning exercise (the trend identified to be “adopted” within the organization).
    2. Analyze each trend identified and assess whether the trend provides an opportunity for a new customers, new markets, new business models, or new products and services.

    Input

    • “Adopt” Trends

    Output

    • Trends to pursue
    • Breakdown of strategic opportunities that the trends pose

    Materials

    • Collaboration/ Brainstorming Tool (whiteboard, flip chart, digital equivalent)

    Participants

    • Executive Team

    Step 2.3

    Value chain impact

    Activities

    • Identify impact to value chain.

    This step will walk you through the following activities:

    Evaluate trend opportunities and determine the strategic opportunities they pose. Prioritize the opportunities and identify impact to your value chain.

    This step involves the following participants:

    A cross-functional cohort across levels in the organization.

    Outcomes of this step

    • Strategic growth opportunities

    Value chain analysis

    Identify implications of strategic growth opportunities to the value chains.

    As we identify and prioritize the opportunities available to us, we need to assess their impacts on value chains. Does the opportunity directly impact an existing value chain? Or does it open us to the creation of a new value chain?

    The value chain perspective allows an organization to identify how to best minimize or enhance impacts and generate value.
    As we move from opportunity to impact, it is important to break down opportunities into the relevant pieces so we can see a holistic picture of the sources of differentiation.

    this image depicts the value chain for the value stream, student enrolment.

    2.3 Value chain impact

    Objective: Identify impacts to the value chain from the opportunities identified.
    60 minutes

    1. Once you have identified the opportunity, turn back to the value stream, and with the working group, identify the value stream impacted most by the opportunity. Leverage the human impact/business impact criteria to support the identification of the value stream to be impacted.
    2. Within the value stream, brainstorm what parts of the value chain will be impacted by the new opportunity. Or ask whether this new opportunity provides you with a new value chain to be created.
    3. If this opportunity will require a new value chain, identify what set of new processes or steps will be created to support this new entrant.
    4. Identify any critical value chains that will be impacted by the new opportunity. What areas of the value chain pose the greatest risk? And where can we estimate the financial revenue will be impacted the most?

    Input

    • Opportunity

    Output

    • Value chains impacted

    Materials

    • Collaboration/ Brainstorming Tool (whiteboard, flip chart, digital equivalent)

    Participants

    • Executive Team

    Phase 3

    Transform stakeholder journeys

    • Identify stakeholder personas and scenarios
    • Conduct journey map
    • Identify projects

    This phase will walk you through the following activities:

    Take the prioritized value chains and create a journey map to capture the end-to-end experience of a stakeholder.

    Through a journey mapping exercise, you will identify opportunities to digitize parts of the journey. These opportunities will be broken down into functional initiatives to tackle in your strategy.

    This phase involves the following participants:

    A cross-functional cohort across levels in the organization.

    Outcomes

    1. Stakeholder persona
    2. Stakeholder scenario
    3. Stakeholder journey map
    4. Opportunities

    Step 3.1

    Identify stakeholder persona and journey scenario

    Activities

    • Identify stakeholder persona.
    • Identify stakeholder journey scenario.

    Transform stakeholder journeys

    This step will walk you through the following activities:

    In this step, you with identify stakeholder personas and scenarios relating to the prioritized value chains.

    This step involves the following participants:

    A cross-functional cohort across levels in the organization.

    Outcomes of this step

    • A taxonomy of critical stakeholder journeys.

    Identify stakeholder persona and journey scenario

    From value chain to journey scenario.

    Stakeholder personas and scenarios help us build empathy towards our customers. It helps put us into the shoes of a stakeholder and relate to their experience to solve problems or understand how they experience the steps or processes required to accomplish a goal. A user persona is a valuable basis for stakeholder journey mapping.

    A stakeholder scenario describes the situation the journey map addresses. Scenarios can be real (for existing products and services) or anticipated.

    A stakeholder persona is a fictitious profile to represent a customer or a user segment. Creating this persona helps us understand who your customers really are and why they are using your service or product.

    Learn more about applying design thinking methodologies

    Identify stakeholder scenarios to map

    For your digital strategy, leverage the existing and opportunity value chains identified in phase 1 and 2 for journey mapping.

    Identify two existing value chains to be transformed.
    In section 1, we identified existing value chains to be transformed. For example, your stakeholder persona is a member of the faculty (engineering), and the scenario is the curricula design process.
    this image contains the value chains for instruction (engineering) and enrolment of engineering student. the instruction(engineering) value chain includes curricula research, curricula design, curricula delivery, and Assessment for the faculty-instructor. The enrolment of engineering student value chain includes matriculation, enrolment into a program, and unit enrolment for the student. In the instruction(engineering) value chain, curricula design is highlighted in blue. In the enrolment of engineering student value chain, Enrolment into a program is highlighted.
    Identify one new value chain.
    In section 2, we identified a new value chain. However, for a new opportunity, the scenario is more complex as it may capture many different areas of a value chain. Subsequently, a journey map for a new opportunity may require mapping all parts of the value chain.
    this image contains an example of a value chain for micro-credentialing (mini online MBA)

    Identify stakeholder persona

    Who are you transforming for?

    To define a stakeholder scenario, we need to understand who we are mapping for. In each value chain, we identified a stakeholder who gains value from that value chain. We now need to develop a stakeholder persona: a representation of the end user to gain a strong understanding of who they are, what they need, and their pains and gains.

    One of the best ways to flesh out your stakeholder persona is to engage with the stakeholders directly or to gather the input of those who may engage with them within the organization.

    For example, if we want to define a journey map for a student, we might want to gather the input of students or teaching faculty that have firsthand encounters with different student types and are able to define a common student type.

    Info-Tech Insight

    Run a survey to understand your end users and develop a stronger picture of who they are and what they are seeking to gain from your organization.

    Example Stakeholder Persona

    Name: Anne
    Age: 35
    Occupation: Engineering Faculty
    Location: Toronto, Canada

    Pains

    What are their frustrations, fears, and anxieties?

    • Time restraints
    • Using new digital tools
    • Managing a class while incorporating individual learning
    • Varying levels within the same class
    • Unmotivated students

    What do they need to do?

    What do they want to get done? How will they know they are successful?

    • Design curricula in a hybrid mode without loss of quality of experience of in-classroom learning.

    Gains

    What are their wants, needs, hopes, and dreams?

    • Interactive content for students
    • Curriculum alignment
    • Ability to run a classroom lab (in hybrid format)
    • Self-paced and self-directed learning opportunities for students

    (Adapted from Osterwalder, et al., 2014)

    Define a journey statement for mapping

    Now that we understand who we are mapping for, we need to define a journey statement to capture the stakeholder journey.
    Leverage the following format to define the journey statement.
    As a [stakeholder], I need to [prioritized value chain task], so that I can [desired result or overall goal].

    this image contains the instruction(engineering) value chain shown above. next to it is a stakeholder journey statement, which states: As an engineering faculty member, I want to design my curricula in a hybrid mode of delivery so that I can simulate in-classroom experiences.

    3.1 Identify stakeholder persona and journey scenario

    Objective: Identify stakeholder persona and journey scenario statement for journey mapping exercise.

    1. Start by identifying who your stakeholder is. Give your stakeholder a demographic profile – capture a typical stakeholder for this value chain.
    2. Identify what the gains and pains are during this value chain and what the stakeholder is seeking to accomplish.
    3. Looking at the value chain, create a statement that captures the goals and needs of the stakeholder. Use the following format to create a statement:
      As a [stakeholder], I need to [prioritized value chain task], so that I can [desired result or overall goal].

    Input

    • Prioritized Value Chains (existing and opportunity)

    Output

    • Stakeholder Persona
    • Stakeholder Journey Statement

    Materials

    • Collaboration/ Brainstorming Tool (whiteboard, flip chart, digital equivalent)
    • Stakeholder Persona Canvas

    Participants

    • Executive Team
    • Stakeholders (if possible)
    • Individual who works directly with stakeholders

    Step 3.2

    Map stakeholder journeys

    Activities

    • Map stakeholder journeys.

    Transform stakeholder journeys

    This step will walk you through the following activities:

    Prioritize the journeys by focusing on what matters most to the stakeholders and estimating the organizational effort to improve those experiences.

    This step involves the following participants:

    A cross-functional cohort across levels in the organization.

    Outcomes of this step

    • Candidate journeys identified for redesign or build.

    Leverage customer journey mapping to capture value chains to be transformed

    Conduct a journey mapping exercise to identify opportunities for innovation or automation.

    A journey-based approach helps an organization understand how a stakeholder moves through a process and interacts with the organization in the form of touch points, channels, and supporting characters. By identifying pain points in the journey and the activity types, we can identify opportunities for innovation and automation along the journey.

    Embrace design thinking methodologies to elevate the stakeholder journey and to build a competitive advantage for your organization.

    this image contains an example of the result of a journey mapping exercise. the main headings are Awareness, Consideration, Acquisition, Service and, Loyalty.

    Internal vs. external stakeholder perspective

    In journey mapping, we always start with the stakeholder's perspective, then eventually transition into what the organization does business-wise to deliver value to each stakeholder. It is important to keep in mind both perspectives while conducting a journey mapping exercise as there are often different roles, processes, and technologies associated with each of the journey steps.

    Stakeholder Journey
    (External Perspective)

    • Awareness
    • Consideration
    • Selecting
    • Negotiating
    • Approving

    Business Processes
    (Internal Perspective)

    • Preparation
    • Prospecting
    • Presentation
    • Closing
    • Follow-Up

    Info-Tech Insight

    Take the perspective of an end user, who interacts with your products and services, as it is different from the view of those inside the organization, who implement and provide those services.

    Build a stakeholder journey map

    A stakeholder journey map is a tool used to illustrate the user’s perceptions, emotions, and needs as they move through a process and interact with the organization in the form of touch points, channels, and supporting characters.

    this image depicts an example of a stakeholder journey map, the headings in the map are: Journey Activity; Touch Points; Metrics; Nature of Activity; Key Moments & Pain Points; Opportunities

    Stakeholder Journey Map: Journey Activity

    The journey activity refers to the steps taken to accomplish a goal.

    The journey activity comprises the steps or sequence of tasks the stakeholder takes to accomplish their goal. These steps reflect the high-level process your candidates perform to complete a task or solve a problem.

    Stakeholder Journey Map: Touch Points

    Touch points are the points of interaction between a stakeholder and the organization.

    A touch point refers to any time a stakeholder interacts with your organization or brand. Consider three main points of interaction with the customer in the journey:

    • Before: How did they find out about you? How did they first contact you to start this journey? What channels or mediums were used?
      • Social media
      • Rating & reviews
      • Word of mouth
      • Advertising
    • During: How was the sale or service accomplished?
      • Website
      • Catalog
      • Promotions
      • Point of sale
      • Phone system
    • After: What happened after the sale or service?
      • Billing
      • Transactional emails
      • Marketing emails
      • Follow-ups
      • Thank-you emails

    Stakeholder Journey Map: Nature of Activity

    The nature of activity refers to the type of task the journey activity captures.

    We categorize the activity type to identify opportunities for automation. There are four main types of task types, which in combination (as seen in the table below) capture a task or job to be automated.

    Routine Non-Routine
    Cognitive Routine Cognitive: repeatable tasks that rely on knowledge work, e.g. sales, administration
    Prioritize for automation (2)
    Non-Routine Cognitive: infrequent tasks that rely on knowledge work, e.g. driving, fraud detection
    Prioritize for automation (3)
    Non-Routine Cognitive: infrequent tasks that rely on knowledge work, e.g. driving, fraud detection Prioritize for automation (3) Routine Manual: repeatable tasks that rely on physical work, e.g. manufacturing, production
    Prioritize for automation (1)
    Non-Routine Manual: infrequent tasks that rely on physical work, e.g. food preparation
    Not mature for automation

    Info-Tech Insight

    Where automation makes sense, routine manual activities should be transformed first, followed by routine cognitive activities. Non-routine cognitive activities are the final frontier.

    Stakeholder Journey Map: Metrics

    Metrics are a quantifiable measurement of a process, activity, or initiative.

    Metrics are crucial to justify expenses and to estimate growth for capacity planning and resourcing. There are multiple benefits to identifying and implementing metrics in a journey map:

    • Metrics provide accurate indicators for accurate IT and business decisions.
    • Metrics help you identify stakeholder touch point efficiencies and problems and solve issues before they become more serious.
    • Active metrics tracking makes root cause analysis of issues much easier.

    Example of journey mapping metrics: Cost, effort, turnaround time, throughput, net promoter score (NPS), satisfaction score

    Stakeholder Journey Map: Key Moments & Pain Points

    Key moments and pain points refer to the emotional status of a stakeholder at each stake of the customer journey.

    The key moments are defining pieces or periods in a stakeholder's experience that create a critical turning point or memory.

    The pain points are the critical problems that the stakeholder is facing during the journey or business continuity risks. Prioritize identifying pain points around key moments.

    Info-Tech Insight

    To identify key moments, look for moments that can dramatically influence the quality of the journey or end the journey prematurely. To improve the experience, analyze the hidden needs and how they are or aren’t being met.

    Stakeholder Journey Map: Opportunities

    An opportunity is an investment into people, process, or technology for the purposes of building or improving a business capability and accomplishing a specific organizational objective.

    An opportunity refers to the initiatives or projects that should address a stakeholder pain. Opportunities should also produce a demonstrable financial impact – whether direct (e.g. cost reduction) or indirect (e.g. risk mitigation) – and be evaluated based on how technically difficult it will be to implement.

    Customer

    Create new or different experiences for customers

    Workforce

    Generate new organizational skills or new ways of working

    Operations

    Improve responsiveness and resilience of operations

    Innovation

    Develop different products or services

    Example of stakeholder journey output: Higher Education

    Stakeholder: A faculty member
    Journey: As an engineering faculty member, I want to design my curricula in a hybrid mode of delivery so that I can simulate in-classroom experiences

    Journey activity Understanding the needs of students Construct the course material Deliver course material Conduct assessments Upload grades into system
    Touch Points
    • Research (primary or secondary)
    • Teaching and learning center
    • Training on tools
    • Office suite
    • Video tools
    • PowerPoint live
    • Chat (live)
    • Forum (FAQ
    • Online assessment tool
    • ERP
    • LMS
    Nature of Activity Non-routine cognitive Non-routine cognitive Non-routine cognitive Routine cognitive Routine Manual
    Metrics
    • Time to completion
    • Time to completion
    • Student satisfaction
    • Student satisfaction
    • Student scores
    Ken Moments & Pain Points Lack of centralized repository for research knowledge
    • Too many tools to use
    • Lack of Wi-Fi connectivity for students
    • Loss of social aspects
    • Adjusting to new forms of assessments
    No existing critical pain points; process already automated
    Opportunities
    • Centralized repository for research knowledge
    • Rationalize course creation tool set
    • Connectivity self-assessment/checklist
    • Forums for students
    • Implement an online proctoring tool

    3.2 Stakeholder journey mapping

    Objective: Conduct journey mapping exercise for existing value chains and for opportunities.

    1. Gather the working group and, with the journey mapping workbook, begin to map out the journey scenario statements identified in the value chain analysis. In total, there should be three journey maps:
      • Two for the existing value chains. Map out the specific point in the value chain that is to be transformed.
      • One for the opportunity value chain. Map out all parts of the value chain to be impacted by the new opportunity.
    2. Start with the journey activity and map out the steps involved to accomplish the goal of the stakeholder.
    3. Identify the touch points involved in the value chain.
    4. Categorize the nature of the activity in the journey activity.
    5. Identify metrics for the journey. How can we measure the success of the journey?
    6. Identify pain points and opportunities in parallel with one another.

    Input

    • Value Chain Analysis
    • Stakeholder Personas
    • Journey Mapping Scenario

    Output

    • Journey Map

    Materials

    • Digital Strategy Workbook, Stakeholder Journey tab

    Participants

    • Executives
    • Individuals in the organization that have a direct interaction with the stakeholders

    Info-Tech Insight

    Aim to build out 90% of the stakeholder journey map with the working team; validate the last 10% with the stakeholder themselves.

    Step 3.3

    Prioritize opportunities

    Activities

    • Prioritize opportunities.

    Transform stakeholder journeys

    This step will walk you through the following activities:

    Prioritize the opportunities that arose from the stakeholder journey mapping exercise.

    This step involves the following participants:

    A cross-functional cohort across levels in the organization.

    Outcomes of this step

    Prioritized opportunities

    Prioritization of opportunities

    Leverage design-thinking methods to prioritize opportunities.

    As there may be many opportunities arising from the journey map, we need to prioritize ideas to identify which ones we can tackle first – or at all. Leverage IDEO’s design-thinking “three lenses of innovation” to support prioritization:

    • Feasibility: Do you currently have the capabilities to deliver on this opportunity? Do we have the right partners, resources, or technology?
    • Desirability: Is this a solution the stakeholder needs? Does it solve a known pain point?
    • Viability: Does this initiative have an impact on the financial revenue of the organization? Is it a profitable solution that will support the business model? Will this opportunity require a complex cost structure?
    Opportunities Feasibility
    (L/M/H)
    Desirability
    (L/M/H)
    Viability
    (L/M/H)
    Centralized repository for research knowledge H H H
    Rationalize course creation tool set H H H
    Connectivity self-assessment/ checklist H M H
    Forums for students M H H
    Exam preparation (e.g. education or practice exams) H H H

    3.3 Prioritization of opportunities

    Objective: Prioritize opportunities for creating a roadmap.

    1. Gather the opportunities identified in the journey mapping exercise
    2. Assess the opportunities based on IDEO’s three lenses of innovation:
      • Feasibility: Do you currently have the capabilities to deliver on this opportunity? Do we have the right partners, resources, or technology?
      • Viability: Does this initiative have an impact on the financial revenue of the organization? Is it a profitable solution that will support the business model? Will this opportunity require a complex cost structure?
      • Desirability: Is this a solution the stakeholder needs? Does it solve a known pain point?
    3. Opportunities that score high in all three areas are prioritized for the roadmap.

    Input

    • Opportunities From Journey Map

    Output

    • Prioritized Opportunities

    Materials

    • Digital Strategy Workbook

    Participants

    • Executives

    Step 3.4

    Define digital goals

    Activities

    Transform stakeholder journeys

    This step will walk you through the following activities:

    Define a digital goal as it relates to the prioritized opportunities and the stakeholder journey map.

    This step involves the following participants:

    A cross-functional cohort across levels in the organization.

    Outcomes of this step

    Digital goals

    Define digital goals

    What digital goals can be derived from the stakeholder journey?

    With the prioritized set of opportunities for each stakeholder journey, take a step back and assess what the sum of these opportunities mean for the journey. What is the overall goal or objective of these opportunities? How do these opportunities change or facilitate the journey experience? From here, identify a single goal statement for each stakeholder journey.

    Stakeholder Scenario Prioritized Opportunities Goal
    Faculty (Engineering) As a faculty (Engineering), I want to prepare and teach my course in a hybrid mode of delivery Centralized repository for research knowledge
    Rationalized course creation tool set
    Support hybrid course curricula development through value-driven toolsets and centralized knowledge

    3.4 Define digital goals

    Objective: Identify digital goals derived from the journey statements.

    1. With the prioritized set of opportunities for each stakeholder journey (the two existing journeys and one opportunity journey) take a step back and assess what the sum of these opportunities means for each journey.
      • What is the overall goal or objective of these opportunities?
      • How do these opportunities change or facilitate the journey experience?
    2. From here, identify a single goal for each stakeholder journey.

    Input

    • Opportunities From Journey Map
    • Stakeholder Persona

    Output

    • Digital Goals

    Materials

    • Prioritization Matrix

    Participants

    • Executives

    Step 3.5

    Breakdown opportunities into series of initiatives

    Activities

    • Identify initiatives from the opportunities.

    Transform stakeholder journeys

    This step will walk you through the following activities:

    Identify people, process, and technology initiatives for the opportunities identified.

    This step involves the following participants:

    A cross-functional cohort across levels in the organization.

    Outcomes of this step

    • People, process, and technology initiatives

    Break down opportunities into a series of initiatives

    Brainstorm initiatives for each high-priority opportunity using the framework below. Describe each initiative as a plan or action to take to solve the problem.

    Opportunity → Initiatives:

    People: What initiatives are required to manage people, data, and other organizational factors that are impacted by this opportunity?

    Process: What processes must be created, changed, or removed based on the data?

    Technology: What systems are required to support this opportunity?

    Break down opportunities into a series of initiatives

    Initiatives
    Centralized repository for research knowledge Technology Acquire and implement knowledge management application
    People Train researchers on functionality
    Process Periodically review and validate data entries into repository
    Initiatives
    Rationalize course creation toolset Technology Retire duplicate or under-used tools
    People Provide training on tool types and align to user needs
    Process Catalog software applications and tools across the organization
    Identify under-used or duplicate tools/applications

    Info-Tech Insight

    Ruthlessly evaluate if a initiative should stand alone or if it can be rolled up with another. Fewer initiatives or opportunities increases focus and alignment, allowing for better communication.

    3.5 Break down opportunities into initiatives

    Objective: Break down opportunities into people, process, and technology initiatives.

    1. Split into groups and identify initiatives required to deliver on each opportunity. Document each initiative on sticky notes.
    2. Have each team answer the following questions to identify initiatives for the prioritized opportunities:
      • People: What initiatives are required to manage people, data, and other organizational factors that are impacted by this opportunity?
      • Process: What processes must be created, changed, or removed based on the data?
      • Technology: What systems are required to support this opportunity?
    3. Document findings in the Digital Strategy Workbook.

    Input

    • Opportunities

    Output

    • Opportunity initiatives categorized by people, process and technology

    Materials

    • Digital Strategy Workbook

    Participants

    • Executive team

    Phase 4

    Build a digital transformation roadmap

    • Detail initiatives
    • Build a unified roadmap roadmap

    This phase will walk you through the following activities:

    Build a digital transformation roadmap that captures people, process, and technology initiatives.

    This phase involves the following participants:

    A cross-functional cohort across levels in the organization.

    Outcomes

    • Digital transformation roadmap

    Step 4.1

    Detail initiatives

    Activities

    • Detail initiatives.

    Build a digital transformation roadmap

    This step will walk you through the following activities:

    Detail initiatives for each priority initiative on your horizon.

    This step involves the following participants:

    A cross-functional cohort across levels in the organization.

    Outcomes of this step

    • A roadmap for your digital business strategy.

    Create initiative profiles for each high-priority initiative on your strategy

    this image contains a screenshot of an example initiative profile

    Step 4.2

    Build a roadmap

    Activities

    • Create a roadmap of initiatives.

    Build a digital transformation roadmap

    Info-Tech Insight

    A roadmap that balances growth opportunities with business resilience will transform your organization for long-term success in the digital economy.

    This step will walk you through the following activities:

    Identify timing of initiatives and build a Gantt chart roadmap.

    This step involves the following participants:

    A cross-functional cohort across levels in the organization.

    Outcomes of this step

    • A roadmap for your digital transformation and the journey canvases for each of the prioritized journeys.

    Build a roadmap to visualize your key initiative plan

    Visual representations of data are more compelling than text alone.

    Develop a high-level document that travels with the initiative from inception through executive inquiry, project management, and finally execution.

    A initiative needs to be discrete: able to be conceptualized and discussed as an independent item. Each initiative must have three characteristics:

    • Specific outcome: Describe an explicit change in the people, processes, or technology of the enterprise.
    • Target end date: When the described outcome will be in effect.
    • Owner: Who on the IT team is responsible for executing on the initiative.
    this image contains screenshots of a sample roadmap for supporting hybrid course curricula development through value-driven toolsets and centralized knowledge.

    4.2 Build your roadmap (30 minutes)

    1. For the Gantt chart:
      • Input the Roadmap Start Year date.
      • Change the months and year in the Gantt chart to reflect the same roadmap start year.
      • Populate the planned start and planned end date for the pre-populated list of high-priority initiatives in each category (people, process, and technology).

    Input

    • Initiatives
    • Initiative start & end dates
    • Initiative category

    Output

    • Digital strategy roadmap visual

    Materials

    • Digital Strategy Workbook

    Participants

    • Senior Executive

    Learn more about project portfolio management strategy

    Step 4.3

    Create a refresh strategy

    Activities

    • Refresh your strategy.

    Build a digital transformation roadmap

    Info-Tech Insight

    A digital strategy is a design process, it must be revisited to pressure test and account for changes in the external environment.

    This step will walk you through the following activities:

    Detail a refresh strategy.

    This step involves the following participants:

    A cross-functional cohort across levels in the organization.

    Outcomes of this step

    • Refresh strategy

    Create a refresh strategy

    It is important to dedicate time to your strategy throughout the year. Create a refresh plan to assess for the changing business context and its impact on the digital business strategy. Make sure the regular planning cycle is not the primary trigger for strategy review. Put a process in place to review the strategy and make your organization proactive. Start by examining the changes to the business context and how the effect would trickle downwards. It’s typical for organizations to build a refresh strategy around budget season and hold planning and touch points to accommodate budget approval time.
    Example:

    this image contains an example of a refresh strategy.

    4.3 Create a refresh strategy (30 minutes)

    1. Work with the digital strategy creation team to identify the time frequencies the organization should consider to refresh the digital business strategy. Time frequencies can also be events that trigger a review (i.e. changing business goals). Record the different time frequencies in the Refresh of the Digital Business Strategy slide of the section.
    2. Discuss with the team the different audience members for each time frequency and the scope of the refresh. The scope represents what areas of the digital business strategy need to be re-examined and possibly changed.

    Example:

    Frequency Audience Scope Date
    Annually Executive Leadership Resurvey, review/ validate, update schedule Pre-budget
    Touch Point Executive Leadership Status update, risks/ constraints, priorities Oct 2021
    Every Year (Re-build) Executive Leadership Full planning Jan 2022

    Input

    • Digital Business Strategy

    Output

    • Refresh Strategy

    Materials

    • Digital Business Strategy Presentation Template
    • Collaboration/ Brainstorming Tool (whiteboard, flip chart, digital equivalent)

    Participants

    • Executive Leaders

    Related Info-Tech Research

    Design a Customer-Centric Digital Operating Model

    Design a Customer-Centric Digital Operating Model

    Establish a new way of working to deliver value on your digital transformation initiatives.

    Develop a Project Portfolio Management Strategy

    Develop a Project Portfolio Management Strategy

    Drive project throughput by throttling resource capacity.

    Adopt Design Thinking in Your Organization

    Adopt Design Thinking in Your Organization

    Innovation needs design thinking.

    Digital Maturity Improvement Service

    Digital Maturity Improvement Service

    Prepare your organization for digital transformation – or risk falling behind.

    Research Contributors and Experts

    Kenneth McGee

    this is a picture of Research Fellow, Kenneth McGee

    Research Fellow
    Info-Tech Research Group

    Kenneth McGee is a Research Fellow within the CIO practice at Info-Tech Research Group and is focused on IT business and financial management issues, including IT Strategy, IT Budgets and Cost Management, Mergers & Acquisitions (M&A), and Digital Transformation. He also has extensive experience developing radical IT cost reduction and return-to-growth initiatives during and following financial recessions.

    Ken works with CIOs and IT leaders to help establish twenty-first-century IT organizational charters, structures, and responsibilities. Activities include IT organizational design, IT budget creation, chargeback, IT strategy formulation, and determining the business value derived from IT solutions. Ken’s research has specialized in conducting interviews with CEOs of some of the world’s largest corporations. He has also interviewed a US Cabinet member and IT executives at the White

    House. He has been a frequent keynote speaker at industry conventions, client sales kick-off meetings, and IT offsite planning sessions.

    Ken obtained a BA in Cultural Anthropology from Dowling College, Oakdale, NY, and has pursued graduate studies at Polytechnic Institute (now part of NYU University). He has been an adjunct instructor at State University of New York, Westchester Community College.

    Jack Hakimian

    this is a picture of Vice President of the Info-Tech Research Group, Jack Hakimian

    Vice President
    Info-Tech Research Group

    Jack has more than 25 years of technology and management consulting experience. He has served multi-billion dollar organizations in multiple industries including Financial Services and Telecommunications. Jack also served a number of large public sector institutions.

    Prior to joining the Info-Tech Research Group, he worked for leading consulting players such as Accenture, Deloitte, EY, and IBM.

    Jack led digital business strategy engagements as well as corporate strategy and M&A advisory services for clients across North America, Europe, the Middle East, and Africa. He is a seasoned technology consultant who has developed IT strategies and technology roadmaps, led large business transformations, established data governance programs, and managed the deployment of mission-critical CRM and ERP applications.

    He is a frequent speaker and panelist at technology and innovation conferences and events and holds a Master’s degree in Computer Engineering as well as an MBA from the ESCP-EAP European School of Management.

    Bibliography

    Abrams, Karin von. “Global Ecommerce Forecast 2021.” eMarketer, Insider Intelligence, 7 July 2021. Web.

    Christenson, Clayton. The Innovator's Dilemma: When New Technologies Cause Great Firms to Fail. Harvard Business School, 1997. Book.

    Drucker, Peter F., and Joseph A. Maciariello. Innovation and Entrepreneurship. Routledge, 2015.

    Eagar, Rick, David Boulton, and Camille Demyttenaere. “The Trends in Megatrends.” Arthur D Little, Prism, no. 2, 2014. Web.

    Enright, Sara, and Allison Taylor. “The Future of Stakeholder Engagement.” The Business of a Better World, October 2016. Web.

    Hatem, Louise, Daniel Ker, and John Mitchell. “A roadmap toward a common framework for measuring the digital economy.” Report for the G20 Digital Economy Task Force, OECD, 2020. Web.

    Kemp, Simon. “Digital 2021 April Statshot Report.” DataReportal, Global Digital Insights, 21 Apr. 2021. Web.

    Larson, Chris. “Disruptive Innovation Theory: 4 Key Concepts.” Business Insights, Harvard Business School, HBS Online, 15 Nov. 2016. Web.

    McCann, Leah. “Barco's Virtual Classroom at UCL: A Case Study for the Future of All University Classrooms?” rAVe, 2 July 2020. Web.

    Mochari, Ilan. “The Startup Buzzword Almost Everyone Uses Incorrectly.” Inc., 19 Nov. 2015. Web.

    Osterwalder, Alexander, et al. Value Proposition Design. Wiley, 2014.

    Reed, Laura. “Artificial Intelligence: Is Your Job at Risk?” Science Node, 9 August 2017.

    Rodeck, David. “Alphabet Soup: Understanding the Shape of a Covid-19 Recession.” Forbes, 8 June 2020. Web.

    Tapscott, Don. Wikinomics. Atlantic Books, 2014.

    Taylor, Paul. “Don't Be A Dodo: Adapt to the Digital Economy.” Forbes, 27 Aug. 2015. Web.

    The Business Research Company. "Wholesale Global Market Report 2021: COVID-19 Impact and Recovery to 2030." Research and Markets, January 2021. Press Release.

    “Topic 1: Megatrends and Trends.” BeFore, 11 October 2018.

    “Updated Digital Economy Estimates – June 2021.” Bureau of Economic Analysis, June 2021. Web.

    Williamson, J. N. The Leader Manager. John Wiley & Sons, 1984.

    Improve Requirements Gathering

    • Buy Link or Shortcode: {j2store}523|cart{/j2store}
    • member rating overall impact: 9.4/10 Overall Impact
    • member rating average dollars saved: $153,578 Average $ Saved
    • member rating average days saved: 26 Average Days Saved
    • Parent Category Name: Requirements & Design
    • Parent Category Link: /requirements-and-design
    • Poor requirements are the number one reason that projects fail. Requirements gathering and management has been an ongoing issue for IT professionals for decades.
    • If proper due diligence for requirements gathering is not conducted, then the applications that IT is deploying won’t meet business objectives and will fail to deliver adequate business value.
    • Inaccurate requirements definition can lead to significant amounts of project rework and hurt the organization’s financial performance. It will also create significant damage to the working relationship between IT and the business.
    • Often, business analysts haven’t developed the right competencies to successfully execute requirements gathering processes, even when they are in place.

    Our Advice

    Critical Insight

    • To avoid makeshift solutions, an organization needs to gather requirements with the desired future state in mind.
    • Creating a unified set of standard operating procedures is essential for effectively gathering requirements, but many organizations fail to do it.
    • Centralizing governance of requirements processes with a requirements gathering steering committee or requirements gathering center of excellence can bring greater uniformity and cohesion when gathering requirements across projects.
    • Business analysts must be targeted for competency development to ensure that the processes developed above are being successfully executed and the right questions are being asked of project sponsors and stakeholders.

    Impact and Result

    • Enhanced requirements analysis will lead to tangible reductions in cycle time and reduced project overhead.
    • An improvement in requirements analysis will strengthen the relationship between business and IT, as more and more applications satisfy stakeholder needs.
    • More importantly, the applications delivered by IT will meet all of the must-have and at least some of the nice-to-have requirements, allowing end users to successfully execute their day-to-day responsibilities.

    Improve Requirements Gathering Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should invest in optimizing your requirements gathering processes.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build the target state for the requirements gathering process

    Capture a clear understanding of the target needs for the requirements process.

    • Build a Strong Approach to Business Requirements Gathering – Phase 1: Build the Target State for the Requirements Gathering Process
    • Requirements Gathering SOP and BA Playbook
    • Requirements Gathering Maturity Assessment
    • Project Level Selection Tool
    • Business Requirements Analyst
    • Requirements Gathering Communication Tracking Template

    2. Define the elicitation process

    Develop best practices for conducting and structuring elicitation of business requirements.

    • Build a Strong Approach to Business Requirements Gathering – Phase 2: Define the Elicitation Process
    • Business Requirements Document Template
    • Scrum Documentation Template

    3. Analyze and validate requirements

    Standardize frameworks for analysis and validation of business requirements.

    • Build a Strong Approach to Business Requirements Gathering – Phase 3: Analyze and Validate Requirements
    • Requirements Gathering Documentation Tool
    • Requirements Gathering Testing Checklist

    4. Create a requirements governance action plan

    Formalize change control and governance processes for requirements gathering.

    • Build a Strong Approach to Business Requirements Gathering – Phase 4: Create a Requirements Governance Action Plan
    • Requirements Traceability Matrix
    [infographic]

    Workshop: Improve Requirements Gathering

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Define the Current State and Target State for Requirements Gathering

    The Purpose

    Create a clear understanding of the target needs for the requirements gathering process.

    Key Benefits Achieved

    A comprehensive review of the current state for requirements gathering across people, processes, and technology.

    Identification of major challenges (and opportunity areas) that should be improved via the requirements gathering optimization project.

    Activities

    1.1 Understand current state and document existing requirement process steps.

    1.2 Identify stakeholder, process, outcome, and training challenges.

    1.3 Conduct target state analysis.

    1.4 Establish requirements gathering metrics.

    1.5 Identify project levels 1/2/3/4.

    1.6 Match control points to project levels 1/2/3/4.

    1.7 Conduct project scoping and identify stakeholders.

    Outputs

    Requirements Gathering Maturity Assessment

    Project Level Selection Tool

    Requirements Gathering Documentation Tool

    2 Define the Elicitation Process

    The Purpose

    Create best practices for conducting and structuring elicitation of business requirements.

    Key Benefits Achieved

    A repeatable framework for initial elicitation of requirements.

    Prescribed, project-specific elicitation techniques.

    Activities

    2.1 Understand elicitation techniques and which ones to use.

    2.2 Document and confirm elicitation techniques.

    2.3 Create a requirements gathering elicitation plan for your project.

    2.4 Build the operating model for your project.

    2.5 Define SIPOC-MC for your selected project.

    2.6 Practice using interviews with business stakeholders to build use case models.

    2.7 Practice using table-top testing with business stakeholders to build use case models.

    Outputs

    Project Elicitation Schedule

    Project Operating Model

    Project SIPOC-MC Sub-Processes

    Project Use Cases

    3 Analyze and Validate Requirements

    The Purpose

    Build a standardized framework for analysis and validation of business requirements.

    Key Benefits Achieved

    Policies for requirements categorization, prioritization, and validation.

    Improved project value as a result of better prioritization using the MOSCOW model.

    Activities

    3.1 Categorize gathered requirements for use.

    3.2 Consolidate similar requirements and eliminate redundancies.

    3.3 Practice prioritizing requirements.

    3.4 Build the business process model for the project.

    3.5 Rightsize the requirements documentation template.

    3.6 Present the business requirements document to business stakeholders.

    3.7 Identify testing opportunities.

    Outputs

    Requirements Gathering Documentation Tool

    Requirements Gathering Testing Checklist

    4 Establish Change Control Processes

    The Purpose

    Create formalized change control processes for requirements gathering.

    Key Benefits Achieved

    Reduced interjections and rework – strengthened formal evaluation and control of change requests to project requirements.

    Activities

    4.1 Review existing CR process.

    4.2 Review change control process best practices and optimization opportunities.

    4.3 Build guidelines for escalating changes.

    4.4 Confirm your requirements gathering process for project levels 1/2/3/4.

    Outputs

    Requirements Traceability Matrix

    Requirements Gathering Communication Tracking Template

    5 Establish Ongoing Governance for Requirements Gathering

    The Purpose

    Establish governance structures and ongoing oversight for business requirements gathering.

    Key Benefits Achieved

    Consistent governance and oversight of the requirements gathering process, resulting in fewer “wild west” scenarios.

    Better repeatability for the new requirements gathering process, resulting in less wasted time and effort at the outset of projects.

    Activities

    5.1 Define RACI for the requirements gathering process.

    5.2 Define the requirements gathering steering committee purpose.

    5.3 Define RACI for requirements gathering steering committee.

    5.4 Define the agenda and cadence for the requirements gathering steering committee.

    5.5 Identify and analyze stakeholders for communication plan.

    5.6 Create communication management plan.

    5.7 Build the action plan.

    Outputs

    Requirements Gathering Action Plan

    Further reading

    Improve Requirements Gathering

    Back to basics: great products are built on great requirements.

    Analyst Perspective

    A strong process for business requirements gathering is essential for application project success. However, most organizations do not take a strategic approach to optimizing how they conduct business analysis and requirements definition.

    "Robust business requirements are the basis of a successful project. Without requirements that correctly articulate the underlying needs of your business stakeholders, projects will fail to deliver value and involve significant rework. In fact, an Info-Tech study found that of projects that fail over two-thirds fail due to poorly defined business requirements.

    Despite the importance of good business requirements to project success, many organizations struggle to define a consistent and repeatable process for requirements gathering. This results in wasted time and effort from both IT and the business, and generates requirements that are incomplete and of dubious value. Additionally, many business analysts lack the competencies and analytical techniques needed to properly execute the requirements gathering process.

    This research will help you get requirements gathering right by developing a set of standard operating procedures across requirements elicitation, analysis, and validation. It will also help you identify and fine-tune the business analyst competencies necessary to make requirements gathering a success."

    – Ben Dickie, Director, Enterprise Applications, Info-Tech Research Group

    Our understanding of the problem

    This Research is Designed For:

    • The IT applications director who has accountability for ensuring that requirements gathering procedures are both effective and efficient.
    • The designated business analyst or requirements gathering professional who needs a concrete understanding of how to execute upon requirements gathering SOPs.

    This Research Will Help You:

    • Diagnose your current state and identify (and prioritize) gaps that exist between your target requirements gathering needs and your current capabilities and processes.
    • Build a requirements gathering SOP that prescribes a framework for requirements governance and technology usage, as well as techniques for elicitation, analysis, and validation.

    This Research Will Also Assist:

    • The business partner/stakeholder who is interested in ways to work with IT to improve upon existing procedures for requirements gathering.
    • Systems analysts and developers who need to understand how business requirements are effectively gathered upstream.

    This Research Will Help Them:

    • Understand the significance and importance of business requirements gathering on overall project success and value alignment.
    • Create rules of engagement for assisting IT with the collection of requirements from the right stakeholders in a timely fashion.

    Executive summary

    Situation

    • Strong business requirements are essential to project success – inadequate requirements are the number one reason that projects fail.
    • Organizations need a consistent, repeatable, and prescriptive set of standard operating procedures (SOPs) that dictate how business requirements gathering should be conducted.

    Complication

    • If proper due diligence for requirements gathering is not conducted, then the applications that IT is deploying won’t meet business objectives, and they will fail to deliver adequate business value.
    • Inaccurate requirements definition can lead to significant amounts of project rework and hurt the organization’s financial performance. It will also damage the relationship between IT and the business.

    Resolution

    • To avoid delivering makeshift solutions (paving the cow path), organizations need to gather requirements with the desired future state in mind. Organizations need to keep an open mind when gathering requirements.
    • Creating a unified set of SOPs is essential for effectively gathering requirements; these procedures should cover not just elicitation, analysis, and validation, but also include process governance and documentation.
    • BAs who conduct requirements gathering must demonstrate proven competencies for stakeholder management, analytical techniques, and the ability to speak the language of both the business and IT.
    • An improvement in requirements analysis will strengthen the relationship between business and IT, as more and more applications satisfy stakeholder needs. More importantly, the applications delivered by IT will meet all of the must-have and at least some of the nice-to-have requirements, allowing end users to execute their day-to-day responsibilities.

    Info-Tech Insight

    1. Requirements gathering SOPs should be prescriptive based on project complexity. Complex projects will require more analytical rigor. Simpler projects can be served by more straightforward techniques like user story development.
    2. Business analysts (BA) can make or break the execution of the requirements gathering process. A strong process still needs to be executed well by BAs with the right blend of skills and knowledge.

    Understand what constitutes a strong business requirement

    A business requirement is a statement that clearly outlines the functional capability that the business needs from a system or application. There are several attributes to look at in requirements:

    Verifiable
    Stated in a way that can be easily tested

    Unambiguous
    Free of subjective terms and can only be interpreted in one way

    Complete
    Contains all relevant information

    Consistent
    Does not conflict with other requirements

    Achievable
    Possible to accomplish with budgetary and technological constraints

    Traceable
    Trackable from inception through to testing

    Unitary
    Addresses only one thing and cannot be decomposed into multiple requirements

    Agnostic
    Doesn’t pre-suppose a specific vendor or product

    Not all requirements will meet all of the attributes.

    In some situations, an insight will reveal new requirements. This requirement will not follow all of the attributes listed above and that’s okay. If a new insight changes the direction of the project, re-evaluate the scope of the project.

    Attributes are context specific.

    Depending on the scope of the project, certain attributes will carry more weight than others. Weigh the value of each attribute before elicitation and adjust as required. For example, verifiable will be a less-valued attribute when developing a client-facing website with no established measuring method/software.

    Build a firm foundation: requirements gathering is an essential step in any project, but many organizations struggle

    Proper requirements gathering is critical for delivering business value from IT projects, but it remains an elusive and perplexing task for most organizations. You need to have a strategy for end-to-end requirements gathering, or your projects will consistently fail to meet business expectations.

    50% of project rework is attributable to problems with requirements. (Info-Tech Research Group)

    45% of delivered features are utilized by end users. (The Standish Group)

    78% of IT professionals believe the business is “usually” or “always” out of sync with project requirements. (Blueprint Software Systems)

    45% of IT professionals admit to being “fuzzy” about the details of a project’s business objectives. (Blueprint Software Systems)

    Requirements gathering is truly an organization-spanning issue, and it falls directly on the IT directors who oversee projects to put prudent SOPs in place for managing the requirements gathering process. Despite its importance, the majority of organizations have challenges with requirements gathering.

    What happens when requirements are no longer effective?

    • Poor requirements can have a very visible and negative impact on deployed apps.
    • IT receives the blame for any project shortcomings or failures.
    • IT loses its credibility and ability to champion future projects.
    • Late projects use IT resources longer than planned.

    Requirements gathering is a core component of the overall project lifecycle that must be given its due diligence

    PMBOK’s Five Phase Project Lifecycle

    Initiate – Plan: Requirements Gathering Lives Here – Execute – Control – Close

    Inaccurate requirements is the 2nd most common cause of project failure (Project Management Institute ‒ Smartsheet).

    Requirements gathering is a critical stage of project planning.

    Depending on whether you take an Agile or Waterfall project management approach, it can be extended into the initiate and execute phases of the project lifecycle.

    Strong stakeholder satisfaction with requirements gathering results in higher satisfaction in other areas

    Organizations that had high satisfaction with requirements gathering were more likely to be highly satisfied with the other areas of IT. In fact, 72% of organizations that had high satisfaction with requirements gathering were also highly satisfied with the availability of IT capacity to complete projects.

    A bar graph measuring % High Satisfaction when projects have High Requirements Gathering vs. Not High Requirements Gathering. The graph shows a substantially higher percentage of high satisfaction on projects with High Requirements Gathering

    Note: High satisfaction was classified as organizations with a score greater or equal to 8. Not high satisfaction was every other organization that scored below 8 on the area questions.

    N=395 organizations from Info-Tech’s CIO Business Vision diagnostic

    Requirements gathering efforts are filled with challenges; review these pitfalls to avoid in your optimization efforts

    The challenges that afflict requirements gathering are multifaceted and often systemic in nature. There isn’t a single cure that will fix all of your requirements gathering problems, but an awareness of frequently encountered challenges will give you a basis for where to consider establishing better SOPs. Commonly encountered challenges include:

    Process Challenges

    • Requirements may be poorly documented, or not documented at all.
    • Elicitation methods may be inappropriate (e.g. using a survey when collaborative whiteboarding is needed).
    • Elicitation methods may be poorly executed.
    • IT and business units may not be communicating requirements in the same terms/language.
    • Requirements that conflict with one another may not be identified during analysis.
    • Requirements cannot be traced from origin to testing.

    Stakeholder Challenges

    • Stakeholders may be unaware of the requirements needed for the ideal solution.
    • Stakeholders may have difficulty properly articulating their desired requirements.
    • Stakeholders may have difficulty gaining consensus on the ideal solution.
    • Relevant stakeholders may not be consulted on requirements.
    • Sign-off may not be received from the proper stakeholders.

    70% of projects fail due to poor requirements. (Info-Tech Research Group)

    Address the root cause of poor requirements to increase project success

    Root Causes of Poor Requirements Gathering:

    • Requirements gathering procedures don’t exist.
    • Requirements gathering procedures exist but aren’t followed.
    • There isn't enough time allocated to the requirements gathering phase.
    • There isn't enough involvement or investment secured from business partners.
    • There is no senior leadership involvement or mandate to fix requirements gathering.
    • There are inadequate efforts put towards obtaining and enforcing sign-off.

    Outcomes of Poor Requirements Gathering:

    • Rework due to poor requirements leads to costly overruns.
    • Final deliverables are of poor quality.
    • Final deliverables are implemented late.
    • Predicted gains from deployed applications are not realized.
    • There are low feature utilization rates by end users.
    • There are high levels of end-user dissatisfaction.
    • There are high levels of project sponsor dissatisfaction.

    Info-Tech Insight

    Requirements gathering is the number one failure point for most development or procurement projects that don’t deliver value. This has been and continues to be the case as most organizations still don't get requirements gathering right. Overcoming organizational cynicism can be a major obstacle when it is time to optimize the requirements gathering process.

    Reduce wasted project work with clarity of business goals and analysis of requirements

    You can reduce the amount of wasted work by making sure you have clear business goals. In fact, you could see an improvement of as much as 50% by going from a low level of satisfaction with clarity of business goals (<2) to a high level of satisfaction (≥5).

    A line graph demonstrating that as the amount of wasted work increases, clarity of business goals satisfaction decreases.

    Likewise, you could see an improvement of as much as 43% by going from a low level of satisfaction with analysis of requirements (less than 2) to a high level of satisfaction (greater than or equal to 5).

    A line graph demonstrating that as the Amount of Wasted Work decreases, the level of satisfaction with analysis of requirements shifts from low to high.

    Note: Waste is measured by the amount of cancelled projects; suboptimal assignment of resources; analyzing, fixing, and re-deploying; inefficiency, and unassigned resources.

    N=200 teams from the Project Portfolio Management diagnostic

    Effective requirements gathering supports other critical elements of project management success

    Good intentions and hard work aren’t enough to make a project successful. As you proceed with a project, step back and assess the critical success factors. Make sure that the important inputs and critical activities of requirements gathering are supporting, not inhibiting, project success.

    1. Streamlined Project Intake
    2. Strong Stakeholder Management
    3. Defined Project Scope
    4. Effective Project Management
    5. Environmental Analysis

    Don’t improvise: have a structured, end-to-end approach for successfully gathering useful requirements

    Creating a unified SOP guide for requirements elicitation, analysis, and validation is a critical step for requirements optimization; it gives your BAs a common frame of reference for conducting requirements gathering.

    • The key to requirements optimization is to establish a strong set of SOPs that provide direction on how your organization should be executing requirements gathering processes. This SOP guide should be a holistic document that walks your BAs through a requirements gathering project from beginning to end.
    • An SOP that is put aside is useless; it must be well communicated to BAs. It should be treated as the veritable manifesto of requirements management in your organization.

    Info-Tech Insight

    Having a standardized approach to requirements management is critical, and SOPs should be the responsibility of a group. The SOP guide should cover all of the major bases of requirements management. In addition to providing a walk-through of the process, an SOP also clarifies requirements governance.

    Leverage Info-Tech’s proven Requirements Gathering Framework as the basis for building requirements processes

    A graphic with APPLICATIONS THAT DELIVER BUSINESS VALUE written in the middle. Three steps are named: Elicit; Analyze; Validate. Around the outer part of the graphic are 4 arrows arranged in a circle, with the labels: Plan; Monitor; Communicate; Manage.

    Info-Tech’s Requirements Gathering Framework is a comprehensive approach to requirements management that can be scaled to any size of project or organization. This framework has been extensively road-tested with our clients to ensure that it balances the needs of IT and business stakeholders to give a holistic, end-to-end approach for requirements gathering. It covers the foundational issues (elicitation, analysis, and validation) and prescribes techniques for planning, monitoring, communicating, and managing the requirements gathering process.

    Don’t forget resourcing: the best requirements gathering process will still fail if you don’t develop BA competencies

    When creating the process for requirements gathering, think about how it will be executed by your BAs, and what the composition of your BA team should look like. A strong BA needs to serve as an effective translator, being able to speak the language of both the business and IT.

    1. To ensure alignment of your BAs to the requirements gathering process, undertake a formal skills assessment to identify areas where analysts are strong, and areas that should be targeted for training and skills development.
    2. Training of BAs on the requirements gathering process and development of intimate familiarity with SOPs is essential; you need to get BAs on the same page to ensure consistency and repeatability of the requirements process.
    3. Consider implementing a formal mentorship and/or job shadowing program between senior and junior BAs. Many of our members report that leveraging senior BAs to bootstrap the competencies of more junior team members is a proven approach to building skillsets for requirements gathering.

    What are some core competencies of a good BA?

    • Strong stakeholder management.
    • Proven track record in facilitating elicitation sessions.
    • Ability to bridge the gulf between IT and the business by speaking both languages.
    • Ability to ask relevant probing questions to uncover latent needs.
    • Experience with creating project operating models and business process diagrams.
    • Ability to set and manage expectations throughout the process.

    Throughout this blueprint, look for the “BA Insight” box to learn how steps in the requirements gathering process relate to the skills needed by BAs to facilitate the process effectively.

    A mid-sized local government overhauls its requirements gathering approach and sees strong results

    CASE STUDY

    Industry

    Government

    Source

    Info-Tech Research Group Workshop

    The Client

    The organization was a local government responsible for providing services to approximately 600,000 citizens in the southern US. Its IT department is tasked with deploying applications and systems (such as HRIS) that support the various initiatives and mandate of the local government.

    The Requirements Gathering Challenge

    The IT department recognized that a strong requirements gathering process was essential to delivering value to its stakeholders. However, there was no codified process in place – each BA unilaterally decided how they would conduct requirements gathering at the start of each project. IT recognized that to enhance both the effectiveness and efficiency of requirements gathering, it needed to put in place a strong, prescriptive set of SOPs.

    The Improvement

    Working with a team from Info-Tech, the IT leadership and BA team conducted a workshop to develop a new set of SOPs that provided clear guidance for each stage of the requirements process: elicitation, analysis, and validation. As a result, business satisfaction and value alignment increased.

    The Requirements Gathering SOP and BA Playbook offers a codified set of SOPs for requirements gathering gave BAs a clear playbook.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Build a Strong Approach to Business Requirements Gathering – project overview

    1. Build the Target State for Requirements Gathering 2. Define the Elicitation Process 3. Analyze and Validate Requirements 4. Create a Requirements Governance Action Plan
    Best-Practice Toolkit

    1.1 Understand the Benefits of Requirements Optimization

    1.2 Determine Your Target State for Requirements Gathering

    2.1 Determine Elicitation Techniques

    2.2 Structure Elicitation Output

    3.1 Create Analysis Framework

    3.2 Validate Business Requirements

    4.1 Create Control Processes for Requirements Changes

    4.2 Build Requirements Governance and Communication Plan

    Guided Implementations
    • Review Info-Tech’s requirements gathering methodology.
    • Assess current state for requirements gathering – pains and challenges.
    • Determine target state for business requirements gathering – areas of opportunity.
    • Assess elicitation techniques and determine best fit to projects and business environment.
    • Review options for structuring the output of requirements elicitation (i.e. SIPOC).
    • Create policies for requirements categorization and prioritization.
    • Establish best practices for validating the BRD with project stakeholders.
    • Discuss how to handle changes to requirements, and establish a formal change control process.
    • Review options for ongoing governance of the requirements gathering process.
    Onsite Workshop Module 1: Define the Current and Target State Module 2: Define the Elicitation Process Module 3: Analyze and Validate Requirements Module 4: Governance and Continuous Improvement Process
    Phase 1 Results: Clear understanding of target needs for the requirements process. Phase 2 Results: Best practices for conducting and structuring elicitation. Phase 3 Results: Standardized frameworks for analysis and validation of business requirements. Phase 4 Results: Formalized change control and governance processes for requirements.

    Workshop overview

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Workshop Day 1 Workshop Day 2 Workshop Day 3 Workshop Day 4 Workshop Day 5
    Activities

    Define Current State and Target State for Requirements Gathering

    • Understand current state and document existing requirement process steps.
    • Identify stakeholder, process, outcome, and reigning challenges.
    • Conduct target state analysis.
    • Establish requirements gathering metrics.
    • Identify project levels 1/2/3/4.
    • Match control points to project levels 1/2/3/4.
    • Conduct project scoping and identify stakeholders.

    Define the Elicitation Process

    • Understand elicitation techniques and which ones to use.
    • Document and confirm elicitation techniques.
    • Create a requirements gathering elicitation plan for your project.
    • Practice using interviews with business stakeholders to build use case models.
    • Practice using table-top testing with business stakeholders to build use case models.
    • Build the operating model for your project

    Analyze and Validate Requirements

    • Categorize gathered requirements for use.
    • Consolidate similar requirements and eliminate redundancies.
    • Practice prioritizing requirements.
    • Rightsize the requirements documentation template.
    • Present the business requirements document (BRD) to business stakeholders.
    • Identify testing opportunities.

    Establish Change Control Processes

    • Review existing CR process.
    • Review change control process best practices & optimization opportunities.
    • Build guidelines for escalating changes.
    • Confirm your requirements gathering process for project levels 1/2/3/4.

    Establish Ongoing Governance for Requirements Gathering

    • Define RACI for the requirements gathering process.
    • Define the requirements gathering governance process.
    • Define RACI for requirements gathering governance.
    • Define the agenda and cadence for requirements gathering governance.
    • Identify and analyze stakeholders for communication plan.
    • Create communication management plan.
    • Build the action plan.
    Deliverables
    • Requirements gathering maturity assessment
    • Project level selection tool
    • Requirements gathering documentation tool
    • Project elicitation schedule
    • Project operating model
    • Project use cases
    • Requirements gathering documentation tool
    • Requirements gathering testing checklist
    • Requirements traceability matrix
    • Requirements gathering communication tracking template
    • Requirements gathering action plan

    Phase 1: Build the Target State for the Requirements Gathering Process

    Phase 1 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Build the Target State

    Proposed Time to Completion: 2 weeks

    Step 1.1: Understand the Benefits of Requirements Optimization

    Start with an analyst kick off call:

    • Review Info-Tech’s requirements gathering methodology.

    Then complete these activities…

    • Hold a fireside chat.

    With these tools & templates:

    Requirements Gathering SOP and BA Playbook

    Step 1.2: Determine Your Target State for Requirements Gathering

    Review findings with analyst:

    • Assess current state for requirements gathering – pains and challenges.
    • Determine target state for business requirements gathering – areas of opportunity.

    Then complete these activities…

    • Identify your business process model.
    • Define project levels.
    • Match control points to project level.
    • Identify and analyze stakeholders.

    With these tools & templates:

    • Requirements Gathering Maturity Assessment
    • Project Level Selection Tool
    • Business Requirements Analyst job description
    • Requirements Gathering Communication Tracking Template

    Phase 1 Results & Insights:

    Clear understanding of target needs for the requirements process.

    Step 1.1: Understand the Benefits of Requirements Optimization

    Phase 1

    1.1 Understand the Benefits of Requirements Optimization

    1.2 Determine Your Target State for Requirements Gathering

    Phase 2

    2.1 Determine Elicitation Techniques

    2.2 Structure Elicitation Output

    Phase 3

    3.1 Create Analysis Framework

    3.2 Validate Business Requirements

    Phase 4

    4.1 Create Control Processes for Requirements Changes

    4.2 Build Requirements Governance and Communication Plan

    This step will walk you through the following activities:
    • Identifying challenges with requirements gathering and identifying objectives for the workshop.
    This step involves the following participants:
    • Business stakeholders
    • BAs
    Outcomes of this step
    • Stakeholder objectives identified.

    Requirements optimization is powerful, but it’s not free; gauge the organizational capital you’ll need to make it a success

    Optimizing requirements management is not something that can be done in isolation, and it’s not necessarily going to be easy. Improving your requirements will translate into better value delivery, but it takes real commitment from IT and its business partners.

    There are four “pillars of commitment” that will be necessary to succeed with requirements optimization:

    1. Senior Management Organizational Capital
      • Before organizations can establish revised SOPs for requirements gathering, they’ll need a strong champion in senior management to ensure that updated elicitation and sign-off techniques do not offend people. A powerful sponsor can lead to success, especially if they are in the business.
    2. End-User Organizational Capital
      • To overcome cynicism, you need to focus on convincing end users that there is something to be gained from participating in requirements gathering (and the broader process of requirements optimization). Frame the value by focusing on how good requirements mean better apps (e.g. faster, cheaper, fewer errors, less frustration).
    3. Staff Resourcing
      • You can have a great SOP, but if you don’t have the right resources to execute on it you’re going to have difficulty. Requirements gathering needs dedicated BAs (or equivalent staff) who are trained in best practices and can handle elicitation, analysis, and validation successfully.
    4. Dedicated Cycle Time
      • IT and the business both need to be willing to demonstrate the value of requirements optimization by giving requirements gathering the time it needs to succeed. If these parties are convinced by the concept in theory, but still try to rush moving to the development phase, they’re destined for failure.

    Rethink your approach to requirements gathering: start by examining the business process, then tackle technology

    When gathering business requirements, it’s critical not to assume that layering on technology to a process will automatically solve your problems.

    Proper requirements gathering views projects holistically (i.e. not just as an attempt to deploy an application or technology, but as an endeavor to enable new or re-engineered business processes). Neglecting to see requirements gathering in the context of business process enablement leads to failure.

    • Far too often, organizations automate an existing process without putting much thought into finding a better way to do things.
    • Most organizations focus on identifying a series of small improvements to make to a process and realize limited gains.
    • The best way to generate transformational gains is to reinvent how the process should be performed and work backwards from there.
    • You should take a top-down approach and begin by speaking with senior management about the business case for the project and their vision for the target state.
    • You should elicit requirements from the rank-and-file employees while centering the discussion and requirements around senior management’s target state. Don’t turn requirements gathering into a griping session about deficiencies with a current application.

    Leverage Info-Tech’s proven Requirements Gathering Framework as the basis for building requirements processes

    A graphic with APPLICATIONS THAT DELIVER BUSINESS VALUE written in the middle. Three steps are named: Elicit; Analyze; Validate. Around the outer part of the graphic are 4 arrows arranged in a circle, with the labels: Plan; Monitor; Communicate; Manage.

    Info-Tech’s Requirements Gathering Framework is a comprehensive approach to requirements management that can be scaled to any size of project or organization. This framework has been extensively road-tested with our clients to ensure that it balances the needs of IT and business stakeholders to give a holistic, end-to-end approach for requirements gathering. It covers both the foundational issues (elicitation, analysis, and validation) as well as prescribing techniques for planning, monitoring, communicating, and managing the requirements gathering process.

    Requirements gathering fireside chat

    1.1.1 – 45 minutes

    Output
    • Stakeholder objectives
    Materials
    • Whiteboard, markers, sticky notes
    Participants
    • BAs

    Identify the challenges you’re experiencing with requirements gathering, and identify objectives.

    1. Hand out sticky notes to participants, and ask the group to work independently to think of challenges that exist with regards to requirements gathering. (Hint: consider stakeholder challenges, process challenges, outcome challenges, and training challenges.) Ask participants to write their current challenges on sticky notes, and place them on the whiteboard.
    2. As a group, review all sticky notes and group challenges into themes.
    3. For each theme you uncover, work as a group to determine the objective that will overcome these challenges throughout the workshop and write this on the whiteboard.
    4. Discuss how these challenges will be addressed in the workshop.

    Don’t improvise: have a structured, prescriptive end-to-end approach for successfully gathering useful requirements

    Creating a unified SOP guide for requirements elicitation, analysis, and validation is a critical step for requirements optimization; it gives your BAs a common frame of reference for conducting requirements gathering.

    • The key to requirements optimization is to establish a strong set of SOPs that provide direction on how your organization should be executing requirements gathering processes. This SOP guide should be a holistic document that walks your BAs through a requirements gathering project from beginning to end.
    • An SOP that is put aside is useless; it must be well communicated to BAs. It should be treated as the veritable manifesto of requirements management in your organization.

    Info-Tech Insight

    Having a standardized approach to requirements management is critical, and SOPs should be the responsibility of a group. The SOP guide should cover all of the major bases of requirements management. In addition to providing a walk-through of the process, an SOP also clarifies requirements governance.

    Use Info-Tech’s Requirements Gathering SOP and BA Playbook to assist with requirements gathering optimization

    Info-Tech’s Requirements Gathering SOP and BA Playbook template forms the basis of this blueprint. It’s a structured document that you can fill out with defined procedures for how requirements should be gathered at your organization.

    Info-Tech’s Requirements Gathering SOP and BA Playbook template provides a number of sections that you can populate to provide direction for requirements gathering practitioners. Sections provided include: Organizational Context Governance Procedures Resourcing Model Technology Strategy Knowledge Management Elicitation SOPs Analysis SOPs Validation SOPs.

    The template has been pre-populated with an example of requirements management procedures. Feel free to customize it to fit your specific needs.

    Download the Requirements Gathering SOP and BA Playbook template.

    Step 1.2: Determine Your Target State for Requirements Gathering

    Phase 1

    1.1 Understand the Benefits of Requirements Optimization

    1.2 Determine Your Target State for Requirements Gathering

    Phase 2

    2.1 Determine Elicitation Techniques

    2.2 Structure Elicitation Output

    Phase 3

    3.1 Create Analysis Framework

    3.2 Validate Business Requirements

    Phase 4

    4.1 Create Control Processes for Requirements Changes

    4.2 Build Requirements Governance and Communication Plan

    This step will walk you through the following activities:
    • Conduct a current and target state analysis.
    • Identify requirements gathering business process model.
    • Establish requirements gathering performance metrics.
    • Define project levels – level 1/2/3/4.
    • Match control points to project level.
    • Conduct initial brainstorming on the project.
    This step involves the following participants:
    • BAs
    Outcomes of this step:
    • Requirements gathering maturity summary.
    • Requirements gathering business process model.
    • Identification of project levels.
    • Identification of control points.

    Plan for requirements gathering

    The image is the Requirements Gathering Framework from earlier slides, but with all parts of the graphic grey-out, except for the arrows containing Plan and Monitor, at the top.

    Establishing an overarching plan for requirements governance is the first step in building an SOP. You must also decide who will actually execute the requirements gathering processes, and what technology they will use to accomplish this. Planning for governance, resourcing, and technology is something that should be done repeatedly and at a higher strategic level than the more sequential steps of elicitation, analysis, and validation.

    Establish your target state for requirements gathering processes to have a cogent roadmap of what needs to be done

    Visualize how you want requirements to be gathered in your organization. Do not let elements of the current process restrict your thinking.

    • First, articulate the impetus for optimizing requirements management and establish clear goals.
    • Use these goals to drive the target state.

    For example:

    • If the goal is to improve the accuracy of requirements, then restructure the validation process.
    • If the goal is to improve the consistency of requirements gathering, then create SOPs or use electronic templates and tools.

    Refrain from only making small changes to improve the existing process. Think about the optimal way to structure the requirements gathering process.

    Define the attributes of a good requirement to help benchmark the type of outputs that you’re looking for

    Attributes of Good Requirements

    Verifiable – It is stated in a way that can be tested.

    Unambiguous – It is free of subjective terms and can only be interpreted in one way.

    Complete – It contains all relevant information.

    Consistent – It does not conflict with other requirements.

    Achievable – It is possible to accomplish given the budgetary and technological constraints.

    Traceable – It can tracked from inception to testing.

    Unitary – It addresses only one thing and cannot be decomposed into multiple requirements.

    Accurate – It is based on proven facts and correct information.

    Other Considerations:

    Organizations can also track a requirement owner, rationale, priority level (must have vs. nice to have), and current status (approved, tested, etc.).

    Info-Tech Insight

    Requirements must be solution agnostic – they should focus on the underlying need rather than the technology required to satisfy the need as it can be really easy to fall into the technology solution trap.

    Use Info-Tech’s Requirements Gathering Maturity Assessment tool to help conduct current and target state analysis

    Use the Requirements Gathering Maturity Assessment tool to help assess the maturity of your requirements gathering function in your organization, and identify the gaps between the current state and the target state. This will help focus your organization's efforts in closing the gaps that represent high-value opportunities.

    • On tab 2. Current State, use the drop-down responses to provide the answer that best matches your organization, where 1= Strongly disagree and 5 = Strongly agree. On tab 3. Target State, answer the same questions in relation to where your organization would like to be.
    • Based on your responses, tab 4. Maturity Summary will display a visual of the gap between the current and target state.

    Conduct a current and target state analysis

    1.2.1 – 1 hour

    Complete the Requirements Gathering Maturity Assessment tool to define your target state, and identify the gaps in your current state.

    Input
    • Current and target state maturity rating
    Output
    • Requirements gathering maturity summary
    Materials
    • Whiteboard
    • Markers
    Participants
    • BAs
    1. For each component of requirements gathering, write out a series of questions to evaluate your current requirements gathering practices. Use the Requirements Gathering Maturity Assessment tool to assist you in drafting questions.
    2. Review the questions in each category, and agree on a rating from 1-5 on their current maturity: 1= Strongly disagree and 5 = Strongly agree. (Note: it will likely be very rare that they would score a 5 in any category, even for the target state.)
    3. Once the assigned categories have been completed, have groups present their assessment to all, and ensure that there is consensus. Once consensus has been reached, input the information into the Current State tab of the tool to reveal the overall current state of maturity score for each category.
    4. Now that the current state is complete, go through each category and define the target state goals.
    5. Document any gaps or action items that need to be addressed.

    Example: Conduct a current and target state analysis

    The Requirements Gathering Maturity Assessment - Target State, with example data inputted.

    Select the project-specific KPIs that will be used to track the value of requirements gathering optimization

    You need to ensure your requirements gathering procedures are having the desired effect and adjust course when necessary. Establishing an upfront list of key performance indicators that will be benchmarked and tracked is a crucial step.

    • Without following up on requirements gathering by tracking project metrics and KPIs, organizations will not be able to accurately gauge if the requirements process re-engineering is having a tangible, measurable effect. They will also not be able to determine what changes (if any) need to be made to SOPs based on project performance.
    • This is a crucial step that many organizations overlook. Creating a retroactive list of KPIs is inadequate, since you must benchmark pre-optimization project metrics in order to assess and isolate the value generated by reducing errors and cycle time and increasing value of deployed applications.

    Establish requirements gathering performance metrics

    1.2.2 – 30 minutes

    Input
    • Historical metrics
    Output
    • Target performance metrics
    Materials
    • Whiteboard
    • Markers
    • Paper
    Participants
    • BAs
    1. Identify the following information for the last six months to one year:
      1. Average number of reworks to requirements.
      2. Number of change requests.
      3. Percent of feature utilization by end users.
      4. User adoption rate.
      5. Number of breaches in regulatory requirements.
      6. Percent of final deliverables implemented on time.
      7. End-user satisfaction score (if possible).
    2. As a group, look at each metric in turn and set your target metrics for six months to one year for each of these categories.

    Document the output from this exercise in section 2.2 of the Requirements Gathering SOP and BA Playbook.

    Visualize your current and target state process for requirements gathering with a business process model

    A business process model (BPM) is a simplified depiction of a complex process. These visual representations allow all types of stakeholders to quickly understand a process, how it affects them, and enables more effective decision making. Consider these areas for your model:

    Stakeholder Analysis

    • Identify who the right stakeholders are
    • Plan communication
    • Document stakeholder responsibilities in a RACI

    Elicitation Techniques

    • Get the right information from stakeholders
    • Document it in the appropriate format
    • Define business need
    • Enterprise analysis

    Documentation

    • How are outputs built?
    • Process flows
    • Use cases
    • Business rules
    • Traceability matrix
    • System requirements

    Validation & Traceability

    • Make sure requirements are accurate and complete
    • Trace business needs to requirements

    Managing Requirements

    • Organizing and prioritizing
    • Gap analysis
    • Managing scope
    • Communicating
    • Managing changes

    Supporting Tools

    • Templates to standardize
    • Checklists
    • Software to automate the process

    Your requirements gathering process will vary based on the project level

    It’s important to determine the project levels up front, as each project level will have a specific degree of elicitation, analysis, and validation that will need to be completed. That being said, not all organizations will have four levels.

    Level 4

    • Very high risk and complexity.
    • Projects that result in a transformative change in the way you do business. Level 4 projects affect all lines of business, multiple technology areas, and have significant costs and/or risks.
    • Example: Implement ERP

    Level 3

    • High risk and complexity.
    • Projects that affect multiple lines of business and have significant costs and/or risks.
    • Example: Implement CRM

    Level 2

    • Medium risk and complexity.
    • Projects with broader exposure to the business that present a moderate level of risk to business operations.
    • Example: Deploy Office 365

    Level 1

    • Low risk and complexity.
    • Routine/straightforward projects with limited exposure to the business and low risk of negative business impact.
    • Example: SharePoint Update

    Use Info-Tech’s Project Level Selection Tool to classify your project level and complexity

    1.3 Project Level Selection Tool

    The Project Level Selection Tool will classify your projects into four levels, enabling you to evaluate the risk and complexity of a particular project and match it with an appropriate requirements gathering process.

    Project Level Input

    • Consider the weighting criteria for each question and make any needed adjustments to better reflect how your organization values each of the criterion.
    • Review the option levels 1-4 for each of the six questions, and make any modifications necessary to better suit your organization.
    • Review the points assigned to each of the four buckets for each of the six questions, and make any modifications needed.

    Project Level Selection

    • Use this tab to evaluate the project level of each new project.
    • To do so, answer each of the questions in the tool.

    Define project levels – Level 1/2/3/4

    1.2.3 – 1 hour

    Input
    • Project level assessment criteria
    Output
    • Identification of project levels
    Materials
    • Whiteboard
    • Markers
    Participants
    • BAs

    Define the project levels to determine the appropriate requirements gathering process for each.

    1. Begin by asking participants to review the six criteria for assessing project levels as identified in the Project Level Selection Tool. Have participants review the list and ensure agreement around the factors. Create a chart on the board using Level 1, Level 2, Level 3, and Level 4 as column headings.
    2. Create a row for each of the chosen factors. Begin by filling in the chart with criteria for a level 4 project: What constitutes a level 4 project according to these six factors?
    3. Repeat the exercise for Level 3, Level 2, and Level 1. When complete, you should have a chart that defines the four project levels at your organization.
    4. Input this information into the tool, and ask participants to review the weighting factors and point allocations and make modifications where necessary.
    5. Input the details from one of the projects participants had selected prior to the workshop beginning and determine its project level. Discuss whether this level is accurate, and make any changes needed.

    Document the output from this exercise in section 2.3 of the Requirements Gathering SOP and BA Playbook.

    Define project levels

    1.2.3 – 1 hour

    Category Level 4 Level 3 Level 2 Level 1
    Scope of Change Full system update Full system update Multiple modules Minor change
    Expected Duration 12 months + 6 months + 3-6 months 0-3 months
    Impact Enterprise-wide, globally dispersed Enterprise-wide Department-wide Low users/single division
    Budget $1,000,000+ $500,000-1,000,000 $100,000-500,000 $0-100,000
    Services Affected Mission critical, revenue impacting Mission critical, revenue impacting Pervasive but not mission critical Isolated, non-essential
    Confidentiality Yes Yes No No

    Define project levels

    1.2.3 – 1 hour

    The tool is comprised of six questions, each of which is linked to at least one type of project risk.

    Using the answers provided, the tool will calculate a level for each risk category. Overall project level is a weighted average of the individual risk levels, based on the importance weighting of each type of risk set by the project manager.

    This tool is an excerpt from Info-Tech’s exhaustive Project Level Assessment Tool.

    The image shows the Project Level Tool, with example data filled in.

    Build your initial requirements gathering business process models: create different models based on project complexity

    1.2.4 – 30 minutes

    Input
    • Current requirements gathering process flow
    Output
    • Requirements gathering business process model
    Materials
    • Whiteboard
    • Markers
    Participants
    • BAs

    Brainstorm the ideal target business process flows for your requirements gathering process (by project level).

    1. As a group, create a process flow on the whiteboard that covers the entire requirements gathering lifecycle, incorporating the feedback from exercise 1.2.1. Draw the process with input from the entire group.
    2. After the process flow is complete, compare it to the best practice process flow on the following slide. You may want to create different process flows based on project level (i.e. a process model for Level 1 and 2 requirements gathering, and a process model for how to collect requirements for Level 3 and 4). As you work through the blueprint, revisit and refine these models – this is the initial brainstorming!

    Document the output from this exercise in section 2.4 of the Requirements Gathering SOP and BA Playbook.

    Example: requirements gathering business process model

    An example of the requirements gathering business process model. The model depicts the various stages of the requirements gathering process.

    Develop your BA team to accelerate collecting, analyzing, and translating requirements

    Having an SOP is important, but it should be the basis for training the people who will actually execute the requirements gathering process. Your BA team is critical for requirements gathering – they need to know the SOPs in detail, and you need to have a plan for recruiting those with an excellent skill set.

    • The designated BA(s) for the project have responsibility for end-to-end requirements management – they are responsible for executing the SOPs outlined in this blueprint, including elicitation, analysis, and validation of requirements during the project.
    • Designated BAs must work collaboratively with their counterparts in the business and IT (e.g. developer teams or procurement professionals) to ensure that the approved requirements are met in a timely and cost-effective manner.

    The ideal candidates for requirements gathering are technically savvy analysts (but not necessarily computer science majors) from the business who are already fluent with the business’ language and cognizant of the day-to-day challenges that take place. Organizationally, these BAs should be in a group that bridges IT and the business (such as an RGCOE or PMO) and be specialists rather than generalists in the requirements management space.

    A BA resourcing strategy is included in the SOP. Customize it to suit your needs.

    "Make sure your people understand the business they are trying to provide the solution for as well if not better than the business folks themselves." – Ken Piddington, CIO, MRE Consulting

    Use Info-Tech’s Business Requirements Analyst job description template for sourcing the right talent

    1.4 Business Requirements Analyst

    If you don’t have a trained group of in-house BAs who can execute your requirements gathering process, consider sourcing the talent from internal candidates or calling for qualified applicants. Our Business Requirements Analyst job description template can help you quickly get the word out.

    • Sometimes, you will have a dedicated set of BAs, and sometimes you won’t. In the latter case, the template covers:
      • Job Title
      • Description of Role
      • Responsibilities
      • Target Job Skills
      • Target Job Qualifications
    • The template is primarily designed for external hiring, but can also be used to find qualified internal candidates.

    Info-Tech Deliverable
    Download the Business Requirements Analyst job description template.

    Standardizing process begins with establishing expectations

    CASE STUDY

    Industry Government

    Source Info-Tech Workshop

    Challenge

    A mid-sized US municipality was challenged with managing stakeholder expectations for projects, including the collection and analysis of business requirements.

    The lack of a consistent approach to requirements gathering was causing the IT department to lose credibility with department level executives, impacting the ability of the team to engage project stakeholders in defining project needs.

    Solution

    The City contracted Info-Tech to help build an SOP to govern and train all BAs on a consistent requirements gathering process.

    The teams first set about establishing a consistent approach to defining project levels, defining six questions to be asked for each project. This framework would be used to assess the complexity, risk, and scope of each project, thereby defining the appropriate level of rigor and documentation required for each initiative.

    Results

    Once the project levels were defined, the team established a formalized set of steps, tools, and artifacts to be created for each phase of the project. These tools helped the team present a consistent approach to each project to the stakeholders, helping improve credibility and engagement for eliciting requirements.

    The project level should set the level of control

    Choose a level of control that facilitates success without slowing progress.

    No control Right-sized control Over-engineered control
    Final deliverable may not satisfy business or user requirements. Control points and communication are set at appropriate stage-gates to allow for deliverables to be evaluated and assessed before proceeding to the next phase. Excessive controls can result in too much time spent on stage-gates and approvals, which creates delays in the schedule and causes milestones to be missed.

    Info-Tech Insight

    Throughout the requirements gathering process, you need checks and balances to ensure that the projects are going according to plan. Now that we know our stakeholder, elicitation, and prioritization processes, we will set up the control points for each project level.

    Plan your communication with stakeholders

    Determine how you want to receive and distribute messages to stakeholders.

    Communication Milestones Audience Artifact Final Goal
    Project Initiation Project Sponsor Project Charter Communicate Goals and Scope of Project
    Elicitation Scheduling Selected Stakeholders (SMEs, Power Users) Proposed Solution Schedule Elicitation Sessions
    Elicitation Follow-Up Selected Stakeholders Elicitation Notes Confirm Accuracy of Notes
    First Pass Validation Selected Stakeholders Consolidated Requirements Validate Aggregated Requirements
    Second Pass Validation Selected Stakeholders Prioritized Requirements Validate Requirements Priority
    Eliminated Requirements Affected Stakeholders Out of Scope Requirements Affected Stakeholders Understand Impact of Eliminated Requirements
    Solution Selection High Authority/Expertise Stakeholders Modeled Solutions Select Solution
    Selected Solution High Authority/Expertise Stakeholders and Project Sponsor Requirements Package Communicate Solution
    Requirements Sign-Off Project Sponsor Requirements Package Obtain Sign-Off

    Setting control points – approvals and sign-offs

    # – Control Point: A decision requiring specific approval or sign-off from defined stakeholders involved with the project. Control points result in accepted or rejected deliverables/documents.

    A – Plan Approval: This control point requires a review of the requirements gathering plan, stakeholders, and elicitation techniques.

    B – Requirements Validation: This control point requires a review of the requirements documentation that indicates project and product requirements.

    C – Prioritization Sign-Off: This requires sign-off from the business and/or user groups. This might be sign-off to approve a document, prioritization, or confirm that testing is complete.

    D – IT or Peer Sign-Off: This requires sign-off from IT to approve technical requirements or confirm that IT is ready to accept a change.

    Match control points to project level and identify these in your requirements business process models

    1.2.5 – 45 minutes

    Input
    • Activity 1.2.4 business process diagram
    Output
    • Identify control points
    Materials
    • Whiteboard
    • Markers
    • Sticky notes
    Participants
    • Business stakeholders
    • BAs

    Define all of the key control points, required documentation, and involved stakeholders.

    1. On the board, post the initial business process diagram built in exercise 1.2.4. Have participants suggest appropriate control points. Write the control point number on a sticky note and place it where the control point should be.
    2. Now that we have identified the control points, consider each control point and define who will be involved in each one, who provides the approval to move forward, the documentation required, and the overall goal.

    Document the output from this exercise in section 6.1 of the Requirements Gathering SOP and BA Playbook.

    A savvy BA should clarify and confirm project scope prior to embarking on requirements elicitation

    Before commencing requirements gathering, it’s critical that your practitioners have a clear understanding of the initial business case and rationale for the project that they’re supporting. This is vital for providing the business context that elicitation activities must be geared towards.

    • Prior to commencing the requirements gathering phase, the designated BA should obtain a clear statement of scope or initial project charter from the project sponsor. It’s also advisable for the BA to have an in-person meeting with the project sponsor(s) to understand the overarching strategic or tactical impetus for the project. This initial meeting should be less about eliciting requirements and more about understanding why the project is moving forward, and the business processes it seeks to enable or re-engineer (the target state).
    • During this meeting, the BA should seek to develop a clear understanding of the strategic rationale for why the project is being undertaken (the anticipated business benefits) and why it is being undertaken at this time. If the sponsor has any business process models they can share, this would be a good time to review them.

    During requirements gathering, BAs should steer clear of solutions and focus on capturing requirements. Focus on traceable, hierarchical, and testable requirements. Focusing on solution design means you are out of requirements mode.

    Identify constraints early and often, and ensure that they are adequately communicated to project sponsors and end users

    Constraints come in many forms (i.e. financial, regulatory, and technological). Identifying these constraints prior to entering requirements gathering enables you to remain alert; you can separate what is possible from what is impossible, and set stakeholder expectations accordingly.

    • Most organizations don’t inventory their constraints until after they’ve gathered requirements. This is dangerous, as clients may inadvertently signal to end users or stakeholders that an infeasible requirement is something they will pursue. As a result, stakeholders are disappointed when they don’t see it materialize.
    • Organizations need to put advanced effort into constraint identification and management. Too much time is wasted pursuing requirements that aren't feasible given existing internal (e.g. budgets and system) and external (e.g. legislative or regulatory) constraints.
    • Organizations need to manage diverse stakeholders for requirements analysis. Communication will not always be solely with internal teams, but also with suppliers, customers, vendors, and system integrators.

    Stakeholder management is a critical aspect of the BA’s role. Part of the BA’s responsibility is prioritizing solutions and demonstrating to stakeholders the level of effort required and the value attained.

    A graphic, with an arrow running down the left side, pointing downward, which is labelled Constraint Malleability. On the right side of the arrow are three rounded arrows, stacked. The top arrow is labelled Legal/Regulatory Constraints, the second is labelled System/Technical Constraints and the third is labelled Stakeholder Constraints

    Conduct initial brainstorming on the scope of a selected enterprise application project (real or a sample of your choice)

    1.2.6 – 30 minutes

    Input
    • Project details
    Output
    • Initial project scoping
    Materials
    • Whiteboard
    • Markers
    Participants
    • Business stakeholders

    Begin the requirements gathering process by conducting some initial scoping on why we are doing the project, the goals, and the constraints.

    1. Share the project intake form/charter with each member of the group, and give them a few minutes to read over the project details.
    2. On the board write the project topic and three sub-topics:
      • Why does the business want this?
      • What do you want customers (end users) to be able to do?
      • What are the constraints?
    3. As a group, brainstorm answers to each of these questions and write them on the board.

    Example: Conduct initial brainstorming on the project

    Image shows an example for initial brainstorming on a project. The image shows the overall idea, Implement CRM, with question bubbles emerging out of it, and space left blank to brainstorm the answers to those questions.

    Identify stakeholders that must be consulted during the elicitation part of the process; get a good spectrum of subject matter experts (SMEs)

    Before you can dive into most elicitation techniques, you need to know who you’re going to speak with – not all stakeholders hold the same value.

    There are two broad categories of stakeholders:

    Customers: Those who ask for a system/project/change but do not necessarily use it. These are typically executive sponsors, project managers, or interested stakeholders. They are customers in the sense that they may provide the funding or budget for a project, and may have requests for features and functionality, but they won’t have to use it in their own workflows.

    Users: Those who may not ask for a system but must use it in their routine workflows. These are your end users, those who will actually interact with the system. Users don’t necessarily have to be people – they can also be other systems that will require inputs or outputs from the proposed solution. Understand their needs to best drive more granular functional requirements.

    "The people you need to make happy at the end of the day are the people who are going to help you identify and prioritize requirements." – Director of IT, Municipal Utilities Provider

    Need a hand with stakeholder identification? Leverage Info-Tech’s Stakeholder Planning Tool to catalog and prioritize the stakeholders your BAs will need to contact during the elicitation phase.

    Exercise: Identify and analyze stakeholders for the application project prior to beginning formal elicitation

    1.2.7 – 45 minutes

    Input
    • List of stakeholders
    Output
    • Stakeholder analysis
    Materials
    • Whiteboard
    • Markers
    • Sticky notes
    Participants
    • BAs

    Practice the process for identifying and analyzing key stakeholders for requirements gathering.

    1. As a group, generate a complete list of the project stakeholders. Consider who is involved in the problem and who will be impacted by the solution, and record the names of these stakeholders/stakeholder groups on a sticky note. Categories include:
      1. Who is the project sponsor?
      2. Who are the user groups?
      3. Who are the project architects?
      4. Who are the specialty stakeholders (SMEs)?
      5. Who is your project team?
    2. Now that you’ve compiled a complete list, review each user group and indicate their level of influence against their level of involvement in the project to create a stakeholder power map by placing their sticky on a 2X2 grid.
    3. At the end of the day, record this list in the Requirements Gathering Communication Tracking Template.

    Use Info-Tech’s Requirements Gathering Communication Tracking Template

    1.5 Requirements Gathering Communication Tracking Template

    Use the Requirements Gathering Communication Tracking Template for structuring and managing ongoing communications among key requirements gathering implementation stakeholders.

    An illustration of the Stakeholder Power Map Template tab of the Requirements Gathering Communication Tracking Template

    Use the Stakeholder Power Map tab to:

    • Identify the stakeholder's name and role.
    • Identify their position on the power map using the drop-down menu.
    • Identify their level of support.
    • Identify resisters' reasons for resisting as: unwilling, unable, and/or unknowing.
    • Identify which committees they currently sit on, and which they will sit on in the future state.
    • Identify any key objections the stakeholder may have.

    Use the Communication Management Plan tab to:

    • Identify the vehicle/communication medium (status update, meeting, training, etc.).
    • Identify the audience for the communication.
    • Identify the purpose for communication.
    • Identify the frequency.
    • Identify who is responsible for the communication.
    • Identify how the communication will be distributed, and the level of detail.

    Right-size your investments in requirements management technology; sometimes the “suite spot” isn’t necessary

    Recording and analyzing requirements needs some kind of tool, but don’t overinvest in a dedicated suite if you can manage with a more inexpensive solution (such as Word, Excel, and/or Visio). Top-tier solutions may be necessary for an enterprise ERP deployment, but you can use a low-cost solution for low-level productivity application.

    • Many companies do things in the wrong order. Organizations need to right-size the approach that they take to recording and analyzing requirements. Taking the suite approach isn’t always better – often, inputting the requirements into Word or Excel will suffice. An RM suite won’t solve your problems by itself.
    • If you’re dealing with strategic approach or calculated approach projects, their complexity likely warrants a dedicated RM suite that can trace system dependencies. If you’re dealing with primarily elementary or fundamental approach projects, use a more basic tool.

    Your SOP guide should specify the technology platform that your analysts are expected to use for initial elicitation as well as analysis and validation. You don’t want them to use Word if you’ve invested in a full-out IBM RM solution.

    The graphic shows a pyramid shape next to an arrow, pointing up. The arrow is labelled Project Complexity. The pyramid includes three text boxes, reading (from top to bottom) Dedicated RM Suite; RM Module in PM Software; and Productivity APP (Word/Excel/Visio)

    If you need to opt for a dedicated suite, these vendors should be strong contenders in your consideration set

    Dedicated requirements management suites are a great (although pricey) way to have full control over recording, analysis, and hierarchical categorization of requirements. Consider some of the major vendors in the space if Word, Excel, and Visio aren’t suitable for you.

    • Before you purchase a full-scale suite or module for requirements management, ensure that the following contenders have been evaluated for your requirements gathering technology strategy:
      • Micro Focus Requirements Management
      • IBM Requisite Pro
      • IBM Rational DOORS
      • Blueprint Requirements Management
      • Jama Software
      • Polarion Software (a Siemens Company)

    A mid-sized consulting company overhauls its requirement gathering software to better understand stakeholder needs

    CASE STUDY

    Industry Consulting

    Source Jama Software

    Challenge

    ArcherPoint is a leading Microsoft Partner responsible for providing business solutions to its clients. Its varied customer base now requires a more sophisticated requirements gathering software.

    Its process was centered around emailing Word documents, creating versions, and merging issues. ArcherPoint recognized the need to enhance effectiveness, efficiency, and accuracy of requirements gathering through a prescriptive set of elicitation procedures.

    Solution

    The IT department at ArcherPoint recognized that a strong requirements gathering process was essential to delivering value to stakeholders. It needed more scalable and flexible requirements gathering software to enhance requirements traceability. The company implemented SaaS solutions that included traceability and seamless integration features.

    These features reduced the incidences of repetition, allowed for tracing of requirements relationships, and ultimately led to an exhaustive understanding of stakeholders’ needs.

    Results

    Projects are now vetted upon an understanding of the business client’s needs with a thorough requirements gathering collection and analysis.

    A deeper understanding of the business needs also allows ArcherPoint to better understand the roles and responsibilities of stakeholders. This allows for the implementation of structures and policies which makes the requirements gathering process rigorous.

    There are different types of requirements that need to be gathered throughout the elicitation phase

    Business Requirements

    • Higher-level statements of the goals, objectives, or needs of the enterprise.
    • Describe the reasons why a project has been initiated, the objectives that the project will achieve, and the metrics that will be used to measure its success.
    • Business requirements focus on the needs of the organization as a whole, not stakeholders within it.
    • Business requirements provide the foundation on which all further requirements analysis is based:
      • Ultimately, any detailed requirements must map to business requirements. If not, what business need does the detailed requirement fulfill?

    Stakeholder Requirements

    • Statements of the needs of a particular stakeholder or class of stakeholders, and how that stakeholder will interact with a solution.
    • Stakeholder requirements serve as a bridge between business requirements and the various classes of solution requirements.
    • When eliciting stakeholder requirements, other types of detailed requirements may be identified. Record these for future use, but keep the focus on capturing the stakeholders’ needs over detailing solution requirements.

    Solution options or preferences are not requirements. Be sure to identify these quickly to avoid being forced into untimely discussions and sub-optimal solution decisions.

    Requirement types – a quick overview (continued)

    Solution Requirements: Describe the characteristics of a solution that meet business requirements and stakeholder requirements. They are frequently divided into sub-categories, particularly when the requirements describe a software solution:

    Functional Requirements

    • Describe the behavior and information that the solution will manage. They describe capabilities the system will be able to perform in terms of behaviors or operations, i.e. specific information technology application actions or responses.
    • Functional requirements are not detailed solution specifications; rather, they are the basis from which specifications will be developed.

    Non-Functional Requirements

    • Capture conditions that do not directly relate to the behavior or functionality of the solution, but rather describe environmental conditions under which the solution must remain effective or qualities that the systems must have. These can include requirements related to capacity, speed, security, availability, and the information architecture and presentation of the user interface.
    • Non-functional requirements often represent constraints on the ultimate solution. They tend to be less negotiable than functional requirements.
    • For IT solutions, technical requirements would fit in this category.
    Info-Tech Insight

    Remember that solution requirements are distinct from solution specifications; in time, specifications will be developed from the requirements. Don’t get ahead of the process.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    1.2.1 Conduct current and target state analysis

    An analyst will facilitate a discussion to assess the maturity of your requirements gathering process and identify any gaps in the current state.

    1.2.2 Establish requirements gathering performance metrics

    Speak to an analyst to discuss and determine key metrics for measuring the effectiveness of your requirements gathering processes.

    1.2.4 Identify your requirements gathering business process model

    An analyst will facilitate a discussion to determine the ideal target business process flow for your requirements gathering.

    1.2.3; 1.2.5 Define control levels and match control points

    An analyst will assist you with determining the appropriate requirements gathering approach for different project levels. The discussion will highlight key control points and define stakeholders who will be involved in each one.

    1.2.6; 1.2.7 Conduct initial scoping and identify key stakeholders

    An analyst will facilitate a discussion to highlight the scope of the requirements gathering optimization project as well as identify and analyze key stakeholders in the process.

    Phase 2: Define the Elicitation Process

    Phase 2 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 2: Define the Elicitation Process

    Proposed Time to Completion: 2 weeks

    Step 2.1: Determine Elicitation Techniques

    Start with an analyst kick off call:

    • Understand and assess elicitation techniques.
    • Determine best fit to projects and business environment.

    Then complete these activities…

    • Understand different elicitation techniques.
    • Record the approved elicitation techniques.
    Step 2.2: Structure Elicitation Output

    Review findings with analyst:

    • Review options for structuring the output of requirements elicitation.
    • Build the requirements gathering operating model.

    Then complete these activities…

    • Build use case model.
    • Use table-top testing to build use case models.
    • Build the operating model.

    With these tools & templates:

    • Business Requirements Document Template
    • Scrum Documentation Template
    Phase 2 Results & Insights:
    • Best practices for conducting and structuring elicitation.

    Step 2.1: Determine Elicitation Techniques

    Phase 1

    1.1 Understand the Benefits of Requirements Optimization

    1.2 Determine Your Target State for Requirements Gathering

    Phase 2

    2.1 Determine Elicitation Techniques

    2.2 Structure Elicitation Output

    Phase 3

    3.1 Create Analysis Framework

    3.2 Validate Business Requirements

    Phase 4

    4.1 Create Control Processes for Requirements Changes

    4.2 Build Requirements Governance and Communication Plan

    This step will walk you through the following activities:

    • Understand requirements elicitation techniques.

    This step involves the following participants:

    • BAs
    • Business stakeholders

    Outcomes of this step

    • Select and record best-fit elicitation techniques.

    Eliciting requirements is all about effectively creating the initial shortlist of needs the business has for an application

    The image is the Requirements Gathering Framework, shown earlier. All parts of the framework are greyed-out, except for the arrow containing the word Elicit in the center of the image, with three bullet points beneath it that read: Prepare; Conduct; Confirm.

    The elicitation phase is where the BAs actually meet with project stakeholders and uncover the requirements for the application. Major tasks within this phase include stakeholder identification, selecting elicitation techniques, and conducting the elicitation sessions. This phase involves the most information gathering and therefore requires a significant amount of time to be done properly.

    Good requirements elicitation leverages a strong elicitation framework and executes the right elicitation techniques

    A mediocre requirements practitioner takes an order taker approach to elicitation: they elicit requirements by showing up to a meeting with the stakeholder and asking, “What do you want?” This approach frequently results in gaps in requirements, as most stakeholders cannot free-form spit out an accurate inventory of their needs.

    A strong requirements practitioner first decides on an elicitation framework – a mechanism to anchor the discussion about the business requirements. Info-Tech recommends using business process modelling (BPM) as the most effective framework. The BA can now work through several key questions:

    • What processes will this application need to support?
    • What does the current process look like?
    • How could we improve the process?
    • In a target state process map, what are the key functional requirements necessary to support this?

    The second key element to elicitation is using the right blend of elicitation techniques: the tactical approach used to actually collect the requirements. Interviews are the most popular means, but focus groups, JAD sessions, and observational techniques can often yield better results – faster. This section will touch on BPM/BPI as an elicitation framework, then do deep dive on different elicitation techniques.

    The elicitation phase of most enterprise application projects follows a similar four-step approach

    Prepare

    Stakeholders must be identified, and elicitation frameworks and techniques selected. Each technique requires different preparation. For example, brainstorming requires ground rules; focus groups require invitations, specific focus areas, and meeting rooms (perhaps even cameras). Look at each of these techniques and discuss how you would prepare.

    Conduct

    A good elicitor has the following underlying competencies: analytical thinking, problem solving, behavioral characteristics, business knowledge, communication skills, interaction skills, and proficiency in BA tools. In both group and individual elicitation techniques, interpersonal proficiency and strong facilitation is a must. A good BA has an intuitive sense of how to manage the flow of conversations, keep them results-oriented, and prevent stakeholder tangents or gripe sessions.

    Document

    How you document will depend on the technique you use. For example, recording and transcribing a focus group is probably a good idea, but you still need to analyze the results and determine the actual requirements. Use cases demand a software tool – without one, they become cumbersome and unwieldy. Consider how you would document the results before you choose the technique. Some analysts prefer to use solutions like OneNote or Evernote for capturing the raw initial notes, others prefer pen and paper: it’s what works best for the BA at hand.

    Confirm

    Review the documentation with your stakeholder and confirm the understanding of each requirement via active listening skills. Revise requirements as necessary. Circulating the initial notes of a requirements interview or focus group is a great practice to get into – it ensures jargon and acronyms are correctly captured, and that nothing has been lost in the initial translation.

    BPM is an extremely useful framework for framing your requirements elicitation discussions

    What is BPM? (Source: BPMInstitute.org)

    BPMs can take multiple forms, but they are created as visual process flows that depict a series of events. They can be customized at the discretion of the requirements gathering team (swim lanes, legends, etc.) based on the level of detail needed from the input.

    When to use them?

    BPMs can be used as the basis for further process improvement or re-engineering efforts for IT and applications projects. When the requirements gathering process owner needs to validate whether or not a specific step involved in the process is necessary, BPM provides the necessary breakdown.

    What’s the benefit?

    Different individuals absorb information in a variety of ways. Visual representations of a process or set of steps tend to be well received by a large sub-set of individuals, making BPMs an effective analysis technique.

    This related Info-Tech blueprint provides an extremely thorough overview of how to leverage BPM and process improvement approaches.

    Use a SIPOC table to assist with zooming into a step in a BPM to help define requirements

    Build a Sales Report
    • Salesforce
    • Daily sales results
    • Sales by product
    • Sales by account rep
    • Receive customer orders
    • Process invoices
    • GL roll-up
    • Sales by region
    • Sales by rep
    • Director of Sales
    • CEO
    • Report is accurate
    • Report is timely
    • Balance to GL
    • Automated email notification

    Source: iSixSigma

    Example: Extract requirements from a BPM for a customer service solution

    Look at an example for a claims process, and focus on the Record Claim task (event).

    Task Input Output Risks Opportunities Condition Sample Requirements
    Record Claim Customer Email Case Record
    • An agent accidentally misses the email and the case is not submitted.
    • The contents of the email are not properly ported over into the case for the claim.
    • The claim is routed to the wrong recipient within the claims department.
    • There is translation risk when the claim is entered in another language from which it is received.
    • Reduce the time to populate a customer’s claim information into the case.
    • Automate the data capture and routing.
    • Pre-population of the case with the email contents.
    • Suggested routing based on the nature of the case.
    • Multi-language support.

    Business:

    • The system requires email-to-case functionality.

    Non-Functional:

    • The cases must be supported in multiple languages.
    • Case management requires Outlook integration.

    Functional:

    • The case must support the following information:
    • Title; Customer; Subject; Case Origin; Case Type; Owner; Status; Priority
    • The system must pre-populate the claims agent based on the nature of the case.

    The image is an excerpt from a table, with the title Claims Process at the top. The top row is labelled Customer Service, and includes a textbox that reads Record Claim. The bottom row is labelled Claims, and includes a textbox that reads Manage Claim. A downward-pointing arrow connects the two textboxes.

    Identify the preferred elicitation techniques in your requirements gathering SOP: outline order of operations

    Conducting elicitation typically takes the greatest part of the requirements management process. During elicitation, the designated BA(s) should be reviewing documentation, and conducting individual and group sessions with key stakeholders.

    • When eliciting requirements, it’s critical that your designated BAs use multiple techniques; relying only on stakeholder interviews while neglecting to conduct focus groups and joint whiteboarding sessions will lead to trouble.
    • Avoid makeshift solutions by focusing on target state requirements, but don’t forget about the basic user needs. These can often be neglected because one party assumes that the other already knows about them.
    • The SOP guide should provide your BAs with a shortlist of recommended/mandated elicitation techniques based on business scenarios (examples in this section). Your SOP should also suggest the order in which BAs use the techniques for initial elicitation. Generally, document review comes first, followed by group, individual, and observational techniques.

    Elicitation is an iterative process – requirements should be refined in successive steps. If you need more information in the analysis phases, don’t be afraid to go back and conduct more elicitation.

    Understand different elicitation techniques

    2.1.1 – 1 hour

    Input
    • Elicitation techniques
    Output
    • Elicitation technique assessment
    Materials
    • Whiteboard
    • Markers
    • Paper
    Participants
    • BAs
    1. For this exercise, review the following elicitation techniques: observation, document review, surveys, focus groups, and interviews. Use the material in the next slides to brainstorm around the following questions:
      1. What types of information can the technique be used to collect?
      2. Why would you use this technique over others?
      3. How will you prepare to use the technique?
      4. How will you document the technique?
      5. Is this technique suitable for all projects?
      6. When wouldn’t you use it?
    2. Have each group present their findings from the brainstorming to the group.

    Document any changes to the elicitation techniques in section 4.0 of the Requirements Gathering SOP and BA Playbook.

    Understand different elicitation techniques – Interviews

    Technique Description Assessment and Best Practices Stakeholder Effort BA Effort
    Structured One-on-One Interview In a structured one-on-one interview, the BA has a fixed list of questions to ask the stakeholder and follows up where necessary. Structured interviews provide the opportunity to quickly home in on areas of concern that were identified during process mapping or group elicitation techniques. They should be employed with purpose, i.e. to receive specific stakeholder feedback on proposed requirements or to help identify systemic constraints. Generally speaking, they should be 30 minutes or less. Low Medium
    Unstructured One-on-One Interview In an unstructured one-on-one interview, the BA allows the conversation to flow free form. The BA may have broad themes to touch on but does not run down a specific question list. Unstructured interviews are most useful for initial elicitation, when brainstorming a draft list of potential requirements is paramount. Unstructured interviews work best with senior stakeholders (sponsors or power users), since they can be time consuming if they’re applied to a large sample size. It’s important for BAs not to stifle open dialogue and allow the participants to speak openly. They should be 60 minutes or less. Medium Low
    Info-Tech Insight

    Interviews should be used with high-value targets. Those who receive one-on-one face time can help generate good requirements, as well as allow effective communication around requirements at a later point (i.e. during the analysis and validation phases).

    Understand the diverse approaches for interviews

    Use a clear interview approach to guide the preparation, facilitation styles, participants, and interview schedules you manage for a specific project.

    Depending on your stakeholder audience and interview objectives, apply one or more of the following approaches to interviews.

    Interview Approaches

    • Unstructured
    • Semi-structured
    • Structured

    The Benefits of Interviews

    Fosters direct engagement

    IT is able to hear directly from stakeholders about what they are looking to do with a solution and the level of functionality that they expect from it.

    Offers greater detail

    With interviews, a greater degree of insight can be gained by leveraging information that wouldn’t be collected through traditional surveys. Face-to-face interactions provide thorough answers and context that helps inform requirements.

    Removes ambiguity

    Face-to-face interactions allow opportunities for follow-up around ambiguous answers. Clarify what stakeholders are looking for and expect in a project.

    Enables stakeholder management

    Interviews are a direct line of communication with a project stakeholder. They provide input and insight, and help to maintain alignment, plan next steps, and increase awareness within the IT organization.

    Select an interview structure based on project objectives and staff types

    Consider stakeholder types and characteristics, in conjunction with the best way to maximize time, when selecting which of the three interview structures to leverage during the elicitation phase of requirements gathering.

    Structured Interviews

    • Interviews conducted using this structure are modelled after the typical Q&A session.
    • The interviewer asks the participant a variety of closed-ended questions.
    • The participant’s response is limited to the scope of the question.

    Semi-Structured Interviews

    • The interviewer may prepare a guide, but it acts as more of an outline.
    • The goal of the interview is to foster and develop conversation.
    • Participants have the ability to answer questions on broad topics without compromising the initial guide.

    Unstructured Interviews

    • The interviewer may have a general interview guide filled with open-ended questions.
    • The objective of the questions is to promote discussion.
    • Participants may discuss broader themes and topics.

    Select the best interview approach

    Review the following questions to determine what interview structure you should utilize. If you answer the question with “Yes,” then follow the corresponding recommendations for the interview elements.

    Question Structure Type Facilitation Technique # of Participants
    Do you have to interview multiple participants at once because of time constraints? Semi-structured Discussion 1+
    Does the business or stakeholders want you to ask specific questions? Structured Q&A 1
    Have you already tried an unsuccessful survey to gather information? Semi-structured Discussion 1+
    Are you utilizing interviews to understand the area? Unstructured Discussion 1+
    Do you need to gather requirements for an immediate project? Structured Q&A 1+

    Decisions to make for interviews

    Interviews should be used with high-value targets. Those who receive one-on-one face time can help generate good requirements and allow for effective communication around requirements during the analysis and validation stages.

    Who to engage?

    • Individuals with an understanding of the project scope, constraints and considerations, and high-level objectives.
    • Project stakeholders from across different functional units to solicit a varied set of requirement inputs.

    How to engage?

    • Approach selected interview candidate(s) with a verbal invitation to participate in the requirements gathering process for [Project X].
    • Take the initiative to book time in the candidate’s calendar. Include in your calendar invitation a description of the preparation required for the interview, the anticipated outputs, and a brief timeline agenda for the interview itself.

    How to drive participant engagement?

    • Use introductory interview questions to better familiarize yourself with the interviewee and to create an environment in which the individual feels welcome and at ease.
    • Once acclimatized, ensure that you hold the attention of the interviewee by providing further probing, yet applicable, interview questions.

    Manage each point of the interaction in the interview process

    Interviews generally follow the same workflow regardless of which structure you select. You must manage the process to ensure that the interview runs smoothly and results in an effective gathering requirements process.

    1. Prep Schedule
      • Recommended Actions
        • Send an email with a proposed date and time for the meeting.
        • Include an overview of what you will be discussing.
        • Mention if other people will be joining (if group interview).
    2. Meeting Opening
      • Recommended Actions
        • Provide context around the meeting’s purpose and primary focal points.
        • Let interviewee(s) know how long the interview will last.
        • Ask if they have any blockers that may cause the meeting to end early.
    3. Meeting Discussion
      • Recommended Actions
        • Ask questions and facilitate discussion in accordance with the structure you have selected.
        • Ensure that the meeting’s dialogue is being either recorded using written notes (if possible) or a voice recorder.
    4. Meeting Wrap-Up
      • Recommended Actions
        • Provide a summary of the big findings and what was agreed upon.
        • Outline next steps or anything else you will require from the participant.
        • Let the interviewee(s) know that you will follow up with interview notes, and will require feedback from them.
    5. Meeting Follow-Up
      • Recommended Actions
        • Send an overview of what was covered and agreed upon during the interview.
        • Show the mock-ups of your work based on the interview, and solicit feedback.
        • Give the interviewee(s) the opportunity to review your notes or recording and add value where needed.

    Solve the problem before it occurs with interview troubleshooting techniques

    The interview process may grind to a halt due to challenging situations. Below are common scenarios and corresponding troubleshooting techniques to get your interview back on track.

    Scenario Technique
    Quiet interviewee Begin all interviews by asking courteous and welcoming questions. This technique will warm the interviewee up and make them feel more comfortable. Ask prompting questions during periods of silence in the interview. Take note of the answers provided by the interviewee in your interview guide, along with observations and impact statements that occur throughout the duration of the interview process.
    Disgruntled interviewee Avoid creating a hostile environment by eliminating the interviewee’s perception that you are choosing to focus on issues that the interviewee feels will not be resolved. Ask questions to contextualize the issue. For example, ask why they feel a particular way about the issue, and determine whether they have valid concerns that you can resolve.
    Interviewee has issues articulating their answer Encourage the interviewee to use a whiteboard or pen and paper to kick start their thought process. Make sure you book a room with these resources readily available.

    Understand different elicitation techniques – Observation

    Technique Description Assessment and Best Practices Stakeholder Effort BA Effort
    Casual Observation The process of observing stakeholders performing tasks where the stakeholders are unaware they are being observed. Capture true behavior through observation of stakeholders performing tasks without informing them they are being observed. This information can be valuable for mapping business process; however, it is difficult to isolate the core business activities from unnecessary actions. Low Medium
    Formal Observation The process of observing stakeholders performing tasks where the stakeholders are aware they are being observed. Formal observation allows BAs to isolate and study the core activities in a business process because the stakeholder is aware they are being observed. Stakeholders may become distrusting of the BA and modify their behavior if they feel their job responsibilities or job security are at risk Low Medium

    Info-Tech Insight

    Observing stakeholders does not uncover any information about the target state. Be sure to use contextual observation in conjunction with other techniques to discover the target state.

    Understand different elicitation techniques – Surveys

    Technique Description Assessment and Best Practices Stakeholder Effort BA Effort
    Closed-Response Survey A survey that has fixed responses for each answer. A Likert-scale (or similar measures) can be used to have respondents evaluate and prioritize possible requirements. Closed response surveys can be sent to large groups and used to quickly gauge user interest in different functional areas. They are easy for users to fill out and don’t require a high investment of time. However, their main deficit is that they are likely to miss novel requirements not listed. As such, closed response surveys are best used after initial elicitation or brainstorming to validate feature groups. Low Medium
    Open-Response Survey A survey that has open-ended response fields. Questions are fixed, but respondents are free to populate the field in their own words. Open-response surveys take longer to fill out than closed, but can garner deeper insights. Open-response surveys are a useful supplement (and occasionally replacement) for group elicitation techniques, like focus groups, when you need to receive an initial list of requirements from a broad cross-section of stakeholders. Their primary shortcoming is the analyst can’t immediately follow up on interesting points. However, they are particularly useful for reaching stakeholders who are unavailable for individual one-on-ones or group meetings. Low Medium

    Info-Tech Insight

    Surveys can be useful mechanisms for initial drafting of raw requirements (open-response) and gauging user interest in proposed requirements or feature sets (closed-response). However, they should not be the sole focus of your elicitation program due to lack of interactivity and two-way dialogue with the BA.

    Be aware: Know the implications of leveraging surveys

    What are surveys?

    Surveys take a sample population’s written responses for data collection. Survey respondents can identify themselves or choose to remain anonymous. Anonymity removes the fear of repercussions for giving critical responses to sensitive topics.

    Who needs to be involved?

    Participants of a survey include the survey writer, respondent(s), and results compiler. There is a moderate amount of work that comes from both the writer and compiler, with little work involved on the end of the respondent.

    What are the benefits?

    The main benefit of surveys is their ability to reach large population groups and segments without requiring personal interaction, thus saving money. Surveys are also very responsive and can be created and modified rapidly to address needs as they arise on an on-going basis.

    When is it best to employ a survey method?

    Surveys are most valuable when completed early in the requirements gathering stage.

    Intake and Scoping → Requirements Gathering → Solution Design → Development/ Procurement → Implementation/ Deployment

    When a project is announced, develop surveys to gauge what users consider must-have, should-have, and could-have requirements.

    Use surveys to profile the demand for specific requirements.

    It is often difficult to determine if requirements are must haves or should haves. Surveys are a strong method to assist in narrowing down a wide range of requirements.

    • If all survey respondents list the same requirement, then that requirement is a must have.
    • If no participants mention a requirement, then that requirement is not likely to be important to project success.
    • If the results are scattered, it could be that the organization is unsure of what is needed.

    Are surveys worth the time and effort? Most of the time.

    Surveys can generate insights. However, there are potential barriers:

    • Well-constructed surveys are difficult to make – asking the right questions without being too long.
    • Participants may not take surveys seriously, giving non-truthful or half-hearted answers.

    Surveys should only be done if the above barriers can easily be overcome.

    Scenario: Survey used to gather potential requirements

    Scenario

    There is an unclear picture of the business needs and functional requirements for a solution.

    Survey Approach

    Use open-ended questions to allow respondents to propose requirements they see as necessary.

    Sample questions

    • What do you believe _______ (project) should include to be successful?
    • How can _______ (project) be best made for you?
    • What do you like/dislike about ________ (process that the project will address)?

    What to do with your results

    Take a step back

    If you are using surveys to elicit a large number of requirements, there is probably a lack of clear scope and vision. Focus on scope clarification. Joint development sessions are a great technique for defining your scope with SMEs.

    Moving ahead

    • Create additional surveys. Additional surveys can help narrow down the large list of requirements. This process can be reiterated until there is a manageable number of requirements.
    • Move onto interviews. Speak directly with the users to get a grasp of the importance of the requirements taken from surveys.

    Employ survey design best practices

    Proper survey design determines how valuable the responses will be. Review survey principles released by the University of Wisconsin-Madison.

    Provide context

    Include enough detail to contextualize questions to the employee’s job duties.

    Where necessary:

    • Include conditions
    • Timeline considerations
    • Additional pertinent details

    Give clear instructions

    When introducing a question identify if it should be answered by giving one answer, multiple answers, or a ranking of answers.

    Avoid IT jargon

    Ensure the survey’s language is easily understood.

    When surveying colleagues from the business use their own terms, not IT’s.

    E.g. laptops vs. hardware

    Saying “laptops” is more detailed and is a universal term.

    Use ranges

    Recommended:

    In a month your Outlook fails:

    • 1-3 times
    • 4-7 times
    • 7+ times

    Not Recommended:

    Your Outlook fails:

    • Almost never
    • Infrequently
    • Frequently
    • Almost always

    Keep surveys short

    Improve responses and maintain stakeholder interest by only including relevant questions that have corresponding actions.

    Recommended: Keep surveys to ten or less prompts.

    Scenario: Survey used to narrow down requirements

    Scenario

    There is a large list of requirements and the business is unsure of which ones to further pursue.

    Survey Approach

    Use closed-ended questions to give degrees of importance and rank requirements.

    Sample questions

    • How often do you need _____ (requirement)?
      • 1-3 times a week; 4-6 times a week; 7+ times a week
    • Given the five listed requirements below, rank each requirement in order of importance, with 1 being the most important and 5 being the least important.
    • On a scale from 1-5, how important is ________ (requirement)?
      • 1 – Not important at all; 2 – Would provide minimal benefit; 3 – Would be nice to have; 4 – Would provide substantial benefit; 5 – Crucial to success

    What to do with your results

    Determine which requirements to further explore

    Avoid simply aggregating average importance and using the highest average as the number-one priority. Group the highest average importance requirements to be further explored with other elicitation techniques.

    Moving ahead

    The group of highly important requirements needs to be further explored during interviews, joint development sessions, and rapid development sessions.

    Scenario: Survey used to discover crucial hidden requirements

    Scenario

    The business wanted a closer look into a specific process to determine if the project could be improved to better address process issues.

    Survey Approach

    Use open-ended questions to allow employees to articulate very specific details of a process.

    Sample questions

    • While doing ________ (process/activity), what part is the most frustrating to accomplish? Why?
    • Is there any part of ________ (process/activity) that you feel does not add value? Why?
    • How would you improve _________ (process/activity)?

    What to do with your results

    Set up prototyping

    Prototype a portion with the new requirement to see if it meets the user’s needs. Joint application development and rapid development sessions pair developers and users together to collaboratively build a solution.

    Next steps

    • Use interviews to begin solution mapping. Speak to SMEs and the users that the requirement would affect. Understand how to properly incorporate the discovered requirement(s) into the solution.
    • Create user stories. User stories allow developers to step into the shoes of the users. Document the user’s requirement desires and their reason for wanting it. Give those user stories to the developers.

    Explore mediums for survey delivery

    Online

    Free online surveys offer quick survey templates but may lack customization. Paid options include customizable features. Studies show that most participants find web-based surveys more appealing, as web surveys tend to have a higher rate of completion.

    Potential Services (Not a comprehensive list)

    SurveyMonkey – free and paid options

    Good Forms – free options

    Ideal for:

    • Low complexity surveys
    • High complexity surveys
    • Quick responses
    • Low cost (free survey options)

    Paper

    Paper surveys offer complete customizability. However, paper surveys take longer to distribute and record, and are also more expensive to administer.

    Ideal for:

    • Low complexity surveys
    • High complexity surveys
    • Quick responses
    • Low cost

    Internally-developed

    Internally-developed surveys can be distributed via the intranet or email. Internal surveys offer the most customization. Cost is the creator’s time, but cost can be saved on distribution versus paper and paid online surveys.

    Ideal for:

    • Low complexity surveys
    • High complexity surveys
    • Quick responses
    • Low cost (if created quickly)

    Understand different elicitation techniques – Focus Groups

    Technique Description Assessment and Best Practices Stakeholder Effort BA Effort
    Focus Group Focus groups are sessions held between a small group (typically ten individuals or less) and an experienced facilitator who leads the conversation in a productive direction. Focus groups are highly effective for initial requirements brainstorming. The best practice is to structure them in a cross-functional manner to ensure multiple viewpoints are represented, and the conversation doesn’t become dominated by one particular individual. Facilitators must be wary of groupthink in these meetings (i.e. the tendency to converge on a single POV). Medium Medium
    Workshop Workshops are larger sessions (typically ten people or more) that are led by a facilitator, and are dependent on targeted exercises. Workshops may be occasionally decomposed into smaller group sessions. Workshops are highly versatile: they can be used for initial brainstorming, requirement prioritization, constraint identification, and business process mapping. Typically, the facilitator will use exercises or activities (such as whiteboarding, sticky note prioritization, role-playing, etc.) to get participants to share and evaluate sets of requirements. The main downside to workshops is a high time commitment from both stakeholders and the BA. Medium High

    Info-Tech Insight

    Group elicitation techniques are most useful for gathering a wide spectrum of requirements from a broad group of stakeholders. Individual or observational techniques are typically needed for further follow-up and in-depth analysis with critical power users or sponsors.

    Conduct focus groups and workshops

    There are two specific types of group interviews that can be utilized to elicit requirements: focus groups and workshops. Understand each type’s strengths and weaknesses to determine which is better to use in certain situations.

    Focus Groups Workshops
    Description
    • Small groups are encouraged to speak openly about topics with guidance from a facilitator.
    • Larger groups are led by a facilitator to complete target exercises that promote hands-on learning.
    Strengths
    • Highly effective for initial requirements brainstorming.
    • Insights can be explored in depth.
    • Any part of the requirements gathering process can be done in a workshop.
    • Use of activities can increase the learning beyond simple discussions.
    Weaknesses
    • Loudest voice in the room can induce groupthink.
    • Discussion can easily veer off topic.
    • Extremely difficult to bring together such a large group for extended periods of time.
    Facilitation Guidance
    • Make sure the group is structured in a cross-functional manner to ensure multiple viewpoints are represented.
    • If the group is too large, break the members into smaller groups. Try putting together members who would not usually interact.

    Solution mapping and joint review sessions should be used for high-touch, high-rigor BPM-centric projects

    Technique Description Assessment and Best Practices Stakeholder Effort BA Effort
    Solution Mapping Session A one-on-one session to outline business processes. BPM methods are used to write possible target states for the solution on a whiteboard and to engineer requirements based on steps in the model. Solution mapping should be done with technically savvy stakeholders with a firm understanding of BPM methodologies and nomenclature. Generally, this type of elicitation method should be done with stakeholders who participated in tier one elicitation techniques who can assist with reverse-engineering business models into requirement lists. Medium Medium
    Joint Requirements Review Session This elicitation method is sometimes used as a last step prior to moving to formal requirements analysis. During the review session, the rough list of requirements is vetted and confirmed with stakeholders. A one-on-one (or small group) requirements review session gives your BAs the opportunity to ensure that what was recorded/transcribed during previous one-on-ones (or group elicitation sessions) is materially accurate and representative of the intent of the stakeholder. This elicitation step allows you to do a preliminary clean up of the requirements list before entering the formal analysis phase. Low Low

    Info-Tech Insight

    Solution mapping and joint requirements review sessions are more advanced elicitation techniques that should be employed after preliminary techniques have been utilized. They should be reserved for technically sophisticated, high-value stakeholders.

    Interactive whiteboarding and joint development sessions should be leveraged for high-rigor BPM-based projects

    Technique Description Assessment and Best Practices Stakeholder Effort BA Effort
    Interactive White- boarding A group session where either a) requirements are converted to BPM diagrams and process flows, or b) these flows are reverse engineered to distil requirement sets. While the focus of workshops and focus groups is more on direct requirements elicitation, interactive whiteboarding sessions are used to assist with creating initial solution maps (or reverse engineering proposed solutions into requirements). By bringing stakeholders into the process, the BA benefits from a greater depth of experience and access to SMEs. Medium Medium
    Joint Application Development (JAD) JAD sessions pair end-user teams together with developers (and BA facilitators) to collect requirements and begin mapping and developing prototypes directly on the spot. JAD sessions fit well with organizations that use Agile processes. They are particularly useful when the overall project scope is ambiguous; they can be used for project scoping, requirements definition, and initial prototyping. JAD techniques are heavily dependent on having SMEs in the room – they should preference knowledge power users over the “rank and file.” High High

    Info-Tech Insight

    Interactive whiteboarding should be heavily BPM-centric, creating models that link requirements to specific workflow activities. Joint development sessions are time-consuming but create greater cohesion and understanding between BAs, developers, and SMEs.

    Rapid application development sessions add some Agile aspects to requirements elicitation

    Technique Description Assessment and Best Practices Stakeholder Effort BA Effort
    Rapid Application Development A form of prototyping, RAD sessions are akin to joint development sessions but with greater emphasis on back-and-forth mock-ups of the proposed solution. RAD sessions are highly iterative – requirements are gathered in sessions, developers create prototypes offline, and the results are validated by stakeholders in the next meeting. This approach should only be employed in highly Agile-centric environments. High High

    For more information specific to using the Agile development methodology, refer to the project blueprint Implement Agile Practices That Work.

    The role of the BA differs with an Agile approach to requirements gathering. A traditional BA is a subset of the Agile BA, who typically serves as product owner. Agile BAs have elevated responsibilities that include bridging communication between stakeholders and developers, prioritizing and detailing the requirements, and testing solutions.

    Overview of JAD and RDS techniques (Part 1)

    Use the following slides to gain a thorough understanding of both JAD and rapid development sessions (RDS) to decide which fits your project best.

    Joint Application Development Rapid Development Sessions
    Description JAD pairs end users and developers with a facilitator to collect requirements and begin solution mapping to create an initial prototype. RDS is an advanced approach to JAD. After an initial meeting, prototypes are developed and validated by stakeholders. Improvements are suggested by stakeholders and another prototype is created. This process is iterated until a complete solution is created.
    Who is involved? End users, SMEs, developers, and a facilitator (you).
    Who should use this technique? JAD is best employed in an Agile organization. Agile organizations can take advantage of the high amount of collaboration involved. RDS requires a more Agile organization that can effectively and efficiently handle impromptu meetings to improve iterations.
    Time/effort versus value JAD is a time/effort-intensive activity, requiring different parties at the same time. However, the value is well worth it. JAD provides clarity for the project’s scope, justifies the requirements gathered, and could result in an initial prototype. RDS is even more time/effort intensive than JAD. While it is more resource intensive, the reward is a more quickly developed full solution that is more customized with fewer bugs.

    Overview of JAD and RDS techniques (Part 2)

    Joint Application Development

    Timeline

    Projects that use JAD should not expect dramatically quicker solution development. JAD is a thorough look at the elicitation process to make sure that the right requirements are found for the final solution’s needs. If done well, JAD eliminates rework.

    Engagement

    Employees vary in their project engagement. Certain employees leverage JAD because they care about the solution. Others are asked for their expertise (SMEs) or because they perform the process often and understand it well.

    Implications

    JAD’s thorough process guarantees that requirements gathering is done well.

    • All requirements map back to the scope.
    • SMEs are consulted throughout the duration of the process.
    • Prototyping is only done after final solution mapping is complete.

    Rapid Development Sessions

    Timeline

    Projects that use RDS can either expect quicker or slower requirements gathering depending on the quality of iteration. If each iteration solves a requirement issue, then one can expect that the solution will be developed fairly rapidly. If the iterations fail to meet requirements the process will be quite lengthy.

    Engagement

    Employees doing RDS are typically very engaged in the project and play a large role in helping to create the solution.

    Implications

    RDS success is tied to the organization’s ability to collaborate. Strong collaboration will lead to:

    • Fewer bugs as they are eliminated in each iteration.
    • A solution that is highly customized to meet the user’s needs.

    Poor collaboration will lead to RDS losing its full value.

    When is it best to use JAD?

    JAD is best employed in an Agile organization for application development and selection. This technique best serves relatively complicated, large-scale projects that require rapid or sequential iterations on a prototype or solution as a part of requirements gathering elicitation. JAD effectuates each step in the elicitation process well, from initial elicitation to narrowing down requirements.

    When tackling a project type you’ve never attempted

    Most requirement gathering professionals will use their experience with project type standards to establish key requirements. Avoid only relying on standards when tackling a new project type. Apply JAD’s structured approach to a new project type to be thorough during the elicitation phase.

    In tandem with other elicitation techniques

    While JAD is an overarching requirements elicitation technique, it should not be the only one used. Combine the strengths of other elicitation techniques for the best results.

    When is it best to use RDS?

    RDS is best utilized when one, but preferably both, of the below criteria is met.

    When the scope of the project is small to medium sized

    RDS’ strengths lie in being able to tailor-make certain aspects of the solution. If the solution is too large, tailor-made sections are impossible as multiple user groups have different needs or there is insufficient resources. When a project is small to medium sized, developers can take the time to custom make sections for a specific user group.

    When most development resources are readily available

    RDS requires developers spending a large amount of time with users, leaving less time for development. Having developers at the ready to take on users’ improvement maintains the effectiveness of RDS. If the same developer who speaks to users develops the entire iteration, the process would be slowed down dramatically, losing effectiveness.

    Techniques to compliment JAD/RDS

    1. Unstructured conversations

    JAD relies on unstructured conversations to clarify scope, gain insights, and discuss prototyping. However, a structure must exist to guarantee that all topics are discussed and meetings are not wasted.

    2. Solution mapping and interactive white-boarding

    JAD often involves visually illustrating how high-level concepts connect as well as prototypes. Use solution mapping and interactive whiteboarding to help users and participants better understand the solution.

    3. Focus groups

    Having a group development session provides all the benefits of focus groups while reducing time spent in the typically time-intensive JAD process.

    Plan how you will execute JAD

    Before the meeting

    1. Prepare for the meeting

    Email all parties a meeting overview of topics that will be discussed.

    During the meeting

    2. Discussion

    • Facilitate the conversation according to what is needed (e.g. skip scope clarification if it is already well defined).
    • Leverage solution mapping and other visual aids to appeal to all users.
    • Confirm with SMEs that requirements will meet the users’ needs.
    • Discuss initial prototyping.

    After the meeting

    3. Wrap-up

    • Provide a key findings summary and set of agreements.
    • Outline next steps for all parties.

    4. Follow-up

    • Send the mock-up of any agreed upon prototype(s).
    • Schedule future meetings to continue prototyping.

    JAD provides a detail-oriented view into the elicitation process. As a facilitator, take detailed notes to maximize the outputs of JAD.

    Plan how you will execute RDS

    Before the meeting

    1. Prepare for the meeting

    • Email all parties a meeting overview.
    • Ask employees and developers to bring their vision of the solution, regardless of its level of detail.

    During the meeting

    2. Hold the discussion

    • Facilitate the conversation according to what is needed (e.g. skip scope clarification if already well defined).
    • Have both parties explain their visions for the solution.
    • Talk about initial prototype and current iteration.

    After the meeting

    3. Wrap-up

    • Provide a key findings summary and agreements.
    • Outline next steps for all parties.

    4. Follow-up

    • Send the mock-up of any agreed upon prototype(s).
    • Schedule future meeting to continue prototyping.

    RDS is best done in quick succession. Keep in constant contact with both employees and developers to maintain positive momentum from a successful iteration improvement.

    Develop a tailored facilitation guide for JAD and RDS

    JAD/RDS are both collaborative activities, and as with all group activities, issues are bound to arise. Be proactive and resolve issues using the following guidelines.

    Scenario Technique
    Employee and developer visions for the solution don’t match up Focus on what both solutions have in common first to dissolve any tension. Next, understand the reason why both parties have differences. Was it a difference in assumptions? Difference in what is a requirement? Once the answer has been determined, work on bridging the gaps. If there is no resolution, appoint a credible authority (or yourself) to become the final decision maker.
    Employee has difficulty understanding the technical aspect of the developer’s solution Translate the developer’s technical terms into a language that the employee understands. Encourage the employee to ask questions to further their understanding.
    Employee was told that their requirement or proposed solution is not feasible Have a high-level member of the development team explain how the requirement/solution is not feasible. If it’s possible, tell the employee that the requirement can be done in a future release and keep them updated.

    Harvest documentation from past projects to uncover reusable requirements

    Technique Description Assessment and Best Practices Stakeholder Effort BA Effort
    Legacy System Manuals The process of reviewing documentation and manuals associated with legacy systems to identify constraints and exact requirements for reuse. Reviewing legacy systems and accompanying documentation is an excellent way to gain a preliminary understanding of the requirements for the upcoming application. Be careful not to overly rely on requirements from legacy systems; if legacy systems have a feature set up one way, this does not mean it should be set up the same way on the upcoming application. If an upcoming application must interact with other systems, it is ideal to understand the integration points early. None High
    Historical Projects The process of reviewing documentation from historical projects to extract reusable requirements. Previous project documentation can be a great source of information and historical lessons learned. Unfortunately, historical projects may not be well documented. Historical mining can save a great deal of time; however, the fact that it was done historically does not mean that it was done properly. None High

    Info-Tech Insight

    Document mining is a laborious process, and as the term “mining” suggests the yield will vary. Regardless of the outcome, document mining must be performed and should be viewed as an investment in the requirements gathering process.

    Extract internal and external constraints from business rules, policies, and glossaries

    Technique Description Assessment and Best Practices Stakeholder Effort BA Effort
    Rules The process of extracting business logic from pre-existing business rules (e.g. explicit or implied workflows). Stakeholders may not be fully aware of all of the business rules or the underlying rationale for the rules. Unfortunately, business rule documents can be lengthy and the number of rules relevant to the project will vary. None High
    Glossary The process of extracting terminology and definitions from glossaries. Terminology and definitions do not directly lead to the generation of requirements. However, reviewing glossaries will allow BAs to better understand domain SMEs and interpret their requirements. None High
    Policy The process of extracting business logic from business policy documents (e.g. security policy and acceptable use). Stakeholders may not be fully aware of the different policies or the underlying rationale for why they were created. Going directly to the source is an excellent way to identify constraints and requirements. Unfortunately, policies can be lengthy and the number of items relevant to the project will vary. None High

    Info-Tech Insight

    Document mining should be the first type of elicitation activity that is conducted because it allows the BA to become familiar with organizational terminology and processes. As a result, the stakeholder facing elicitation sessions will be more productive.

    Review the different types of formal documentation (Part 1)

    1. Glossary

    Extract terminology and definitions from glossaries. A glossary is an excellent source to understand the terminology that SMEs will use.

    2. Policy

    Pull business logic from policy documents (e.g. security policy and acceptable use). Policies generally have mandatory requirements for projects, such as standard compliance requirements.

    3. Rules

    Review and reuse business logic that comes from pre-existing rules (e.g. explicit or implied workflows). Like policies, rules often have mandatory requirements or at least will require significant change for something to no longer be a requirement.

    Review the different types of formal documentation (Part 2)

    4. Legacy System

    Review documents and manuals of legacy systems, and identify reusable constraints and requirements. Benefits include:

    • Gain a preliminary understanding of general organizational requirements.
    • Ease of solution integration with the legacy system if needed.

    Remember to not use all of the basic requirements of a legacy system. Always strive to find a better, more productive solution.

    5. Historical Projects

    Review documents from historical projects to extract reusable requirements. Lessons learned from the company’s previous projects are more applicable than case studies. While historical projects can be of great use, consider that previous projects may not be well documented.

    Drive business alignment as an output from documentation review

    Project managers frequently state that aligning projects to the business goals is a key objective of effective project management; however, it is rarely carried out throughout the project itself. This gap is often due to a lack of understanding around how to create true alignment between individual projects and the business needs.

    Use company-released statements and reports

    Extract business wants and needs from official statements and reports (e.g. press releases, yearly reports). Statements and reports outline where the organization wants to go which helps to unearth relevant project requirements.

    Ask yourself, does the project align to the business?

    Documented requirements should always align with the scope of the project and the business objectives. Refer back frequently to your set of gathered requirements to check if they are properly aligned and ensure the project is not veering away from the original scope and business objectives.

    Don’t just read for the sake of reading

    The largest problem with documentation review is that requirements gathering professionals do it for the sake of saying they did it. As a result, projects often go off course due to not aligning to business objectives following the review sessions.

    • When reading a document, take notes to avoid projects going over time and budget and business dissatisfaction. Document your notes and schedule time to review the set of complete notes with your team following the individual documentation review.

    Select elicitation techniques that match the elicitation scenario

    There is a time and place for each technique. Don’t become too reliant on the same ones. Diversify your approach based on the elicitation goal.

    A chart showing Elicitation Scenarios and Techniques, with each marked for their efficacy.

    This table shows the relative strengths and weaknesses of each elicitation technique compared against the five basic elicitation scenarios.

    A typical project will encounter most of the elicitation scenarios. Therefore, it is important to utilize a healthy mix of techniques to optimize effectiveness.

    Very Strong = Very Effective

    Strong = Effective

    Medium = Somewhat Effective

    Weak = Minimally Effective

    Very Weak = Not Effective

    Record the approved elicitation techniques that your BAs should use

    2.1.2 – 30 minutes

    Input
    • Approved elicitation techniques
    Output
    • Execution procedure
    Materials
    • Whiteboard
    • Markers
    Participants
    • Business stakeholders
    • BAs

    Record the approved elicitation methods and best practices for each technique in the SOP.

    Identify which techniques should be utilized with the different stakeholder classes.

    Segment the different techniques based by project complexity level.

    Use the following chart to record the approved techniques.

    Stakeholder L1 Projects L2 Projects L3 Projects L4 Projects
    Senior Management Structured Interviews
    Project Sponsor Unstructured Interviews
    SME (Business) Focus Groups Unstructured Interviews
    Functional Manager Focus Groups Structured Interviews
    End Users Surveys; Focus Groups; Follow-Up Interviews; Observational Techniques

    Document the output from this exercise in section 4.0 of the Requirements Gathering SOP and BA Playbook.

    Confirm initial elicitation notes with stakeholders

    Open lines of communication with stakeholders and keep them involved in the requirements gathering process; confirm the initial elicitation before proceeding.

    Confirming the notes from the elicitation session with stakeholders will result in three benefits:

    1. Simple miscommunications can compound and result in costly rework if they aren’t caught early. Providing stakeholders with a copy of notes from the elicitation session will eliminate issues before they manifest themselves in the project.
    2. Stakeholders often require an absorption period after elicitation sessions to reflect on the meeting. Following up with stakeholders gives them an opportunity to clarify, enhance, or change their responses.
    3. Stakeholders will become disinterested in the project (and potentially the finished application) if their involvement in the project ends after elicitation. Confirming the notes from elicitation keeps them involved in the process and transitions stakeholders into the analysis phase.

    This is the Confirm stage of the Confirm, Verify, Approve process.

    “Are these notes accurate and complete?”

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    2.1.1 Understand the different elicitation techniques

    An analyst will walk you through the different elicitation techniques including observations, document reviews, surveys, focus groups, and interviews, and highlight the level of effort required for each.

    2.1.2 Select and record the approved elicitation techniques

    An analyst will facilitate the discussion to determine which techniques should be utilized with the different stakeholder classes.

    Step 2.2: Structure Elicitation Output

    Phase 1

    1.1 Understand the Benefits of Requirements Optimization

    1.2 Determine Your Target State for Requirements Gathering

    Phase 2

    2.1 Determine Elicitation Techniques

    2.2 Structure Elicitation Output

    Phase 3

    3.1 Create Analysis Framework

    3.2 Validate Business Requirements

    Phase 4

    4.1 Create Control Processes for Requirements Changes

    4.2 Build Requirements Governance and Communication Plan

    This step will walk you through the following activities:
    • Build use-case models.
    • Practice using elicitation techniques with business stakeholders to build use-case models.
    • Practice leveraging user stories to convey requirements.
    This step involves the following participants:
    • BAs
    • Business stakeholders
    Outcomes of this step
    • Understand the value of use-case models for requirements gathering.
    • Practice different techniques for building use-case models with stakeholders.

    Record and capture requirements in solution-oriented formats

    Unstructured notes for each requirement are difficult to manage and create ambiguity. Using solution-oriented formats during elicitation sessions ensures that the content can be digested by IT and business users.

    This table shows common solution-oriented formats for recording requirements. Determine which formats the development team and BAs are comfortable using and create a list of acceptable formats to use in projects.

    Format Description Examples
    Behavior Diagrams These diagrams describe what must happen in the system. Business Process Models, Swim Lane Diagram, Use Case Diagram
    Interaction Diagrams These diagrams describe the flow and control of data within a system. Sequence Diagrams, Entity Diagrams
    Stories These text-based representations take the perspective of a user and describe the activities and benefits of a process. Scenarios, User Stories

    Info-Tech Insight

    Business process modeling is an excellent way to visually represent intricate processes for both IT and business users. For complex projects with high business significance, business process modeling is the best way to capture requirements and create transformational gains.

    Use cases give projects direction and guidance from the business perspective

    Use Case Creation Process

    Define Use Cases for Each Stakeholder

    • Each stakeholder may have different uses for the same solution. Identify all possible use cases attributed to the stakeholders.
    • All use cases are possible test case scenarios.

    Define Applications for Each Use Case

    • Applications are the engines behind the use cases. Defining the applications to satisfy use cases will pinpoint the areas where development or procurement is necessary.

    Consider the following guidelines:

    1. Don’t involve systems in the use cases. Use cases just identify the key end-user interaction points that the proposed solution is supposed to cover.
    2. Some use cases are dependent on other use cases or multiple stakeholders may be involved in a single use case. Depending on the availability of these use cases, they can either be all identified up front (Waterfall) or created at various iterations (Agile).
    3. Consider the enterprise architecture perspective. Existing enterprise architecture designs can provide a foundation of current requirement mappings and system structure. Reuse these resources to reduce efforts.
    4. Avoid developing use cases in isolation. Reusability is key in reducing designing efforts. By involving multiple departments, requirement clashes can be avoided and the likelihood of reusability increases.

    Develop practical use cases to help drive the development effort in the right direction

    Evaluating the practicality and likelihood of use cases is just as important as developing them.

    Use cases can conflict with each other. In certain situations, specific requirements of these use cases may clash with one another even though they are functionally sound. Evaluate use-case requirements and determine how they satisfy the overall business need.

    Use cases are not necessarily isolated; they can be nested. Certain functionalities are dependent on the results of another action, often in a hierarchical fashion. By mapping out the expected workflows, BAs can determine the most appropriate way to implement.

    Use cases can be functionally implemented in many ways. There could be multiple ways to accomplish the same use case. Each of these needs to be documented so that functional testing and user documentation can be based on them.

    Nested Use Case Examples:

    Log Into Account ← Depends on (Nested) Ordering Products Online
    Enter username and password Complete order form
    Verify user is a real person Process order
    Send user forgotten password message Check user’s account
    Send order confirmation to user

    Build a use-case model

    2.2.1 – 45 minutes

    Input
    • Sub processes
    Output
    • Use case model
    Materials
    • Whiteboard
    • Markers
    Participants
    • Business stakeholders
    • BAs
    Demonstrate how to use elicitation techniques to build use cases for the project.
    1. Identify a sub-process to build the use-case model. Begin the exercise by giving a brief description of the purpose of the meeting.
    2. For each stakeholder, draw a stick figure on the board. Pose the question “If you need to do X, what is your first step?” Go through the process until the end goal and draw each step. Ensure that you capture triggers, causes, decision points, outcomes, tools, and interactions.
    3. Starting at the beginning of the diagram, go through each step again and check with stakeholders if the step can be broken down into more granular steps.
    4. Ask the stakeholder if there are any alternative flows that people use, or any exceptions to process steps. If there are, map these out on the board.
    5. Go back through each step and ask the stakeholder where the current process is causing them grief, and where modification should be made.
    6. Record this information in the Business Requirements Document Template.

    Build a use-case model

    2.2.1

    Example: Generate Letters

    Inspector: Log into system → Search for case → Identify recipient → Determine letter type → Print letter

    Admin: Receive letter from inspector → Package and mail letter

    Citizen: Receive letter from inspector

    Understand user stories and profiles

    What are they?

    User stories describe what requirement a user wants in the solution and why they want it. The end goal of a user story is to create a simple description of a requirement for developers.

    When to use them

    User stories should always be used in requirements gathering. User stories should be collected throughout the elicitation process. Try to recapture user stories as new project information is released to capture any changes in end-customer needs.

    What’s the benefit?

    User stories help capture target users, customers, and stakeholders. They also create a “face” for individual user requirements by providing user context. This detail enables IT leaders to associate goals and end objectives with each persona.

    Takeaway

    To better understand the characteristics driving user requirements, begin to map objectives to separate user personas that represent each of the project stakeholders.

    Are user stories worth the time and effort?

    Absolutely.

    A user’s wants and needs serve as a constant reminder to developers. Developers can use this information to focus on how a solution needs to accomplish a goal instead of only focusing on what goals need to be completed.

    Create customized user stories to guide or structure your elicitation output

    Instructions

    1. During surveys, interviews, and development sessions, ask participants the following questions:
      • What do you want from the solution?
      • Why do you want that?
    2. Separate the answer into an “I want to” and “So that” format.
      • For users who give multiple “I want to” and “So that” statements, separate them into their respective pairs.
    3. Place each story on a small card that can easily be given to developers.
    As a I want to So that Size Priority
    Developer Learn network and system constraints The churn between Operations and I will be reduced. 1 point Low

    Team member

    Increase the number of demonstrations I can achieve greater alignment with business stakeholders. 3 points High
    Product owner Implement a user story prioritization technique I can delegate stories in my product backlog to multiple Agile teams. 3 points Medium

    How to make an effective and compelling user story

    Keep your user stories short and impactful to ensure that they retain their impact.

    Follow a simple formula:

    As a [stakeholder title], I want to [one requirement] so that [reason for wanting that requirement].

    Use this template for all user stories. Other formats will undermine the point of a user story. Multiple requirements from a single user must be made into multiple stories and given to the appropriate developer. User stories should fit onto a sticky note or small card.

    Example

    As an: I want to: So that:
    Administrator Integrate with Excel File transfer won’t possibly lose information
    X Administrator Integrate with Excel and Word File transfer won’t possibly lose information

    While the difference between the two may be small, it would still undermine the effectiveness of a user story. Different developers may work on the integration of Excel or Word and may not receive this user story.

    Assign user stories a size and priority level

    Designate a size to user stories

    Size is an estimate of how many resources must be dedicated to accomplish the want. Assign a size to each user story to help determine resource allocation.

    Assign business priority to user stories

    Based on how important the requirement is to project success, assign each user story a rating of high, medium, or low. The priority given will dictate which requirements are completed first.

    Example:

    Scope: Design software to simplify financial reporting

    User Story Estimated Size Priority
    As an administrator, I want to integrate with Excel so that file transfer won’t possibly lose information. Low High
    As an administrator, I want to simplify graph construction so that I can more easily display information for stakeholders. High Medium

    Combine both size and priority to decide resource allocation. Low-size, high-priority tasks should always be done first.

    Group similar user stories together to create greater impact

    Group user stories that have the same requirement

    When collecting user stories, many will be centered around the same requirement. Group similar user stories together to show the need for that requirement’s inclusion in the solution.

    Even if it isn’t a must-have requirement, if the number of similar user stories is high enough, it would become the most important should-have requirement.

    Group together user stories such as these:
    As an I want So that
    Administrator To be able to create bar graphs Information can be more easily illustrated
    Accountant To be able to make pie charts Budget information can be visually represented

    Both user stories are about creating charts and would be developed similarly.

    Leave these user stories separate
    As an I want So that
    Administrator The program to auto-save Information won’t be lost during power outages
    Accountant To be able to save to SharePoint My colleagues can easily view and edit my work

    While both stories are about saving documents, the development of each feature is vastly different.

    Create customized user profiles

    User profiles are a way of grouping users based on a significant shared details (e.g. in the finance department, website user).

    Go beyond the user profile

    When creating the profile, consider more than the group’s name. Ask yourself the following questions:

    • What level of knowledge and expertise does this user profile have with this type of software?
    • How much will this user profile interact with the solution?
    • What degree of dependency will this user profile have on the solution?

    For example, if a user profile has low expertise but interacts and depends heavily on the program, a more thorough tutorial of the FAQ section is needed.

    Profiles put developers in user’s shoes

    Grouping users together helps developers put a face to the name. Developers can then more easily empathize with users and develop an end solution that is directly catered to their needs.

    Leverage group activities to break down user-story sizing techniques

    Work in groups to run through the following story-sizing activities.

    Planning Poker: This approach uses the Delphi method where members estimate the size of each user story by revealing numbered cards. These estimates are then discussed and agreed upon as a group.

    • Planning poker generates discussion about variances in estimates but dominant personalities may lead to biased results or groupthink.

    Team Sort: This approach can assist in expediting estimation when you are handling numerous user stories.

    • Bucket your user stories into sizes (e.g. extra-small, small, medium, large, and extra-large) based on an acceptable benchmark that may change from project to project.
    • Collaborate as a team to conclude the final size.
    • Next, translate these sizes into points.

    The graphic shows the two activities described, Planning Poker and Team Sort. In the Planning Poker image, 3 sets of cards are shown, with the numbers 13, 5, and 1 on the top of each set. At the bottom of the image are 7 cards, labelled with: 1, 2, 3, 5, 8, 13, 21. In the Team Sort section, there is an arrow pointing in both directions, representing a spectrum from XS to XL. Each size is assigned a point value: XS is 1; S is 3; M is 5; L is 10; and XL is 20. Cards with User Story # written on them are arranged along the spectrum.

    Create a product backlog to communicate business needs to development teams

    Use the product backlog to capture expected work and create a roadmap for the project by showing what requirements need to be delivered.

    How is the product owner involved?

    • The product owner is responsible for keeping in close contact with the end customer and making the appropriate changes to the product backlog as new ideas, insights, and impediments arise.
    • The product owner should have good communication with the team to make accurate changes to the product backlog depending on technical difficulties and needs for clarification.

    How do I create a product backlog?

    • Write requirements in user stories. Use the format: “As a (user role), I want (function) so that (benefit).” Identify end users and understand their needs.
    • Assign each requirement a priority. Decide which requirements are the most important to deliver. Ask yourself, “Which user story will create the most value?”

    What are the approaches to generate my backlog?

    • Team Brainstorming – The product owner, team, and scrum master work together to write and prioritize user stories in a single or a series of meetings.
    • Business Case – The product owner translates business cases into user stories as per the definition of “development ready.”

    Epics and Themes

    As you begin to take on larger projects, it may be advantageous to organize and group your user stories to simplify your release plan:

    • Epics are collections of similar user stories and are used to describe significant and large development initiatives.
    • Themes are collections of similar epics and are normally used to define high-level business objectives.

    To avoid confusion, the pilot product backlog will be solely composed of user stories.

    Example:

    Theme: Increase user exposure to corporate services through mobile devices
    Epic: Access corporate services through a mobile application Epic: Access corporate services through mobile website
    User Story: As a user, I want to find the closest office so that I can minimize travel time As a user, I want to find the closest office so that I can minimize travel time User Story: As a user, I want to submit a complaint so that I can improve company processes

    Simulate product backlog creation

    Overview

    Leverage Info-Tech’s Scrum Documentation Template, using the Backlog and Planning tab, to help walk you through this activity.

    Instructions

    1. Have your product owner describe the business objectives of the pilot project.
    2. Write the key business requirements as user stories.
    3. Based on your business value drivers, identify the business value of your user stories (high, medium, low).
    4. Have your team review the user stories and question the story’s value, priority, goal, and meaning.
    5. Break down the user stories if the feature or business goal is unclear or too large.
    6. Document the perceived business value of each user story, as well as the priority, goal, and meaning.

    Examples:

    As a citizen, I want to know about road construction so that I can save time when driving. Business Value: High

    As a customer, I want to find the nearest government office so that I can register for benefits. Business Value: Medium

    As a voter, I want to know what each candidate believes in so that I can make an informed decision. Business Value: High

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    2.2.1 Build use-case models

    An analyst will assist in demonstrating how to use elicitation techniques to build use-case models. The analyst will walk you through the table testing to visually map out and design process flows for each use case.

    Phase 3: Analyze and Validate Requirements

    Phase 3 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 3: Analyze and Validate Requirements

    Proposed Time to Completion: 1 week
    Step 3.1: Create Analysis Framework

    Start with an analyst kick off call:

    • Create policies for requirements categorization and prioritization.

    Then complete these activities…

    • Create functional requirements categories.
    • Consolidate similar requirements and eliminate redundancies.
    • Prioritize requirements.

    With these tools & templates:

    • Requirements Gathering Documentation Tool
    Step 3.2: Validate Business Requirements

    Review findings with analyst:

    • Establish best practices for validating the BRD with project stakeholders.

    Then complete these activities…

    • Right-size the BRD.
    • Present the BRD to business stakeholders.
    • Translate business requirements into technical requirements.
    • Identify testing opportunities.

    With these tools & templates:

    • Business Requirements Document Template
    • Requirements Gathering Testing Checklist

    Phase 3 Results & Insights:

    • Standardized frameworks for analysis and validation of business requirements

    Step 3.1: Create Analysis Framework

    Phase 1

    1.1 Understand the Benefits of Requirements Optimization

    1.2 Determine Your Target State for Requirements Gathering

    Phase 2

    2.1 Determine Elicitation Techniques

    2.2 Structure Elicitation Output

    Phase 3

    3.1 Create Analysis Framework

    3.2 Validate Business Requirements

    Phase 4

    4.1 Create Control Processes for Requirements Changes

    4.2 Build Requirements Governance and Communication Plan

    This step will walk you through the following activities:
    • Categorize requirements.
    • Eliminate redundant requirements.
    This step involves the following participants:
    • BAs
    Outcomes of this step
    • Prioritized requirements list.

    Analyze requirements to de-duplicate them, consolidate them – and most importantly – prioritize them!

    he image is the Requirements Gathering Framework, shown earlier. All parts of the framework are greyed-out, except for the arrow containing the word Analyze in the center of the image, with three bullet points beneath it that read: Organize; Prioritize; Verify

    The analysis phase is where requirements are compiled, categorized, and prioritized to make managing large volumes easier. Many organizations prematurely celebrate being finished the elicitation phase and do not perform adequate diligence in this phase; however, the analysis phase is crucial for a smooth transition into validation and application development or procurement.

    Categorize requirements to identify and highlight requirement relationships and dependencies

    Eliciting requirements is an important step in the process, but turning endless pages of notes into something meaningful to all stakeholders is the major challenge.

    Begin the analysis phase by categorizing requirements to make locating, reconciling, and managing them much easier. There are often complex relationships and dependencies among requirements that do not get noted or emphasized to the development team and as a result get overlooked.

    Typically, requirements are classified as functional and non-functional at the high level. Functional requirements specify WHAT the system or component needs to do and non-functional requirements explain HOW the system must behave.

    Examples

    Functional Requirement: The application must produce a sales report at the end of the month.

    Non-Functional Requirement: The report must be available within one minute after midnight (EST) of the last day of the month. The report will be available for five years after the report is produced. All numbers in the report will be displayed to two decimal places.

    Categorize requirements to identify and highlight requirement relationships and dependencies

    Further sub-categorization of requirements is necessary to realize the full benefit of categorization. Proficient BAs will even work backwards from the categories to drive the elicitation sessions. The categories used will depend on the type of project, but for categorizing non-functional requirements, the Volere Requirements Resources has created an exhaustive list of sub-categories.

    Requirements Category Elements

    Example

    Look & Feel Appearance, Style

    User Experience

    Usability & Humanity Ease of Use, Personalization, Internationalization, Learning, Understandability, Accessibility Language Support
    Performance Speed, Latency, Safety, Precision, Reliability, Availability, Robustness, Capacity, Scalability, Longevity Bandwidth
    Operational & Environmental Expected Physical Environment, Interfacing With Adjacent Systems, Productization, Release Heating and Cooling
    Maintainability & Support Maintenance, Supportability, Adaptability Warranty SLAs

    Security

    Access, Integrity, Privacy, Audit, Immunity Intrusion Prevention
    Cultural & Political Global Differentiation Different Statutory Holidays
    Legal Compliance, Standards Hosting Regulations

    What constitutes good requirements

    Complete – Expressed a whole idea or statement.

    Correct – Technically and legally possible.

    Clear – Unambiguous and not confusing.

    Verifiable – It can be determined that the system meets the requirement.

    Necessary – Should support one of the project goals.

    Feasible – Can be accomplished within cost and schedule.

    Prioritized – Tracked according to business need levels.

    Consistent – Not in conflict with other requirements.

    Traceable – Uniquely identified and tracked.

    Modular – Can be changed without excessive impact.

    Design-independent – Does not pose specific solutions on design.

    Create functional requirement categories

    3.1.1 – 1 hour

    Input
    • Activity 2.2.1
    Output
    • Requirements categories
    Materials
    • Whiteboard
    • Markers
    • Sticky notes
    Participants
    • BAs
    Practice the techniques for categorizing requirements.
    1. Divide the list of requirements that were elicited for the identified sub-process in exercise 2.2.1 among smaller groups.
    2. Have groups write the requirements on red, yellow, or green sticky notes, depending on the stakeholder’s level of influence.
    3. Along the top of the whiteboard, write the eight requirements categories, and have each group place the sticky notes under the category where they believe they should fit.
    4. Once each group has posted the requirements, review the board and discuss any requirements that should be placed in another category.

    Document any changes to the requirements categories in section 5.1 of the Requirements Gathering SOP and BA Playbook.

    Create functional requirement categories

    The image depicts a whiteboard with different colored post-it notes grouped into the following categories: Look & Feel; Usability & Humanity; Legal; Maintainability & Support; Operational & Environmental; Security; Cultural & Political; and Performance.

    Consolidate similar requirements and eliminate redundancies

    Clean up requirements and make everyone’s life simpler!

    After elicitation, it is very common for an organization to end up with redundant, complementary, and conflicting requirements. Consolidation will make managing a large volume of requirements much easier.

    Redundant Requirements Owner Priority
    1. The application shall feed employee information into the payroll system. Payroll High
    2. The application shall feed employee information into the payroll system. HR Low
    Result The application shall feed employee information into the payroll system. Payroll & HR High
    Complementary Requirements Owner Priority
    1. The application shall export reports in XLS and PDF format. Marketing High
    2. The application shall export reports in CSV and PDF format. Finance High
    Result The application shall export reports in XLS, CSV, and PDF format. Marketing & Finance High

    Info-Tech Insight

    When collapsing redundant or complementary requirements, it is imperative that the ownership and priority metadata be preserved for future reference. Avoid consolidating complementary requirements with drastically different priority levels.

    Identify and eliminate conflict between requirements

    Conflicting requirements are unavoidable; identify and resolve them as early as possible to minimize rework and grief.

    Conflicting requirements occur when stakeholders have requirements that either partially or fully contradict one another, and as a result, it is not possible or practical to implement all of the requirements.

    Steps to Resolving Conflict:

    1. Notify the relevant stakeholders of the conflict and search for a basic solution or compromise.
    2. If the stakeholders remain in a deadlock, appoint a final decision maker.
    3. Schedule a meeting to resolve the conflict with the relevant stakeholders and the decision maker. If multiple conflicts exist between the same stakeholder groups, try to resolve as many as possible at once to save time and encourage reciprocation.
    4. Give all parties the opportunity to voice their rationale and objectively rate the priority of the requirement. Attempt to reach an agreement, consensus, or compromise.
    5. If the parties remain in a deadlock, encourage the final decision maker to weigh in. Their decision should be based on which party has the greater need for the requirement, the difficulty to implement the requirement, and which requirement better aligns with the project goals.

    Info-Tech Insight

    Resolve conflicts whenever possible during the elicitation phase by using cross-functional workshops to facilitate discussions that address and settle conflicts in the room.

    Consolidate similar requirements and eliminate redundancies

    3.1.2 – 30 minutes

    Input
    • Activity 3.1.1
    Output
    • Requirements categories
    Materials
    • Whiteboard
    • Markers
    • Sticky notes
    Participants
    • BAs

    Review the outputs from the last exercise and ensure that the list is mutually exclusive by consolidating similar requirements and eliminating redundancies.

    1. Looking at each category in turn, review the sticky notes and group similar, complementary, and conflicting notes together. Put a red dot on any conflicting requirements to be used in a later exercise.
    2. Have the group start by eliminating the redundant requirements.
    3. Have the group look at the complementary requirements, and consolidate each into a single requirement. Discard originals.
    4. Record this information in the Requirements Gathering Documentation Tool.

    Prioritize requirements to assist with solution modeling

    Prioritization is the process of ranking each requirement based on its importance to project success. Hold a separate meeting for the domain SMEs, implementation SMEs, project managers, and project sponsors to prioritize the requirements list. At the conclusion of the meeting, each requirement should be assigned a priority level. The implementation SMEs will use these priority levels to ensure efforts are targeted towards the proper requirements as well as to plan features available on each release. Use the MoSCoW Model of Prioritization to effectively order requirements.

    The MoSCoW Model of Prioritization

    The image shows the MoSCoW Model of Prioritization, which is shaped like a pyramid. The sections, from top to bottom (becoming incrementally larger) are: Must Have; Should Have; Could Have; and Won't Have. There is additional text next to each category, as follows: Must have - Requirements must be implemented for the solution to be considered successful.; Should have: Requirements are high priority that should be included in the solution if possible.; Could Have: Requirements are desirable but not necessary and could be included if resources are available.; Won't Have: Requirements won’t be in the next release, but will be considered for the future releases.

    The MoSCoW model was introduced by Dai Clegg of Oracle UK in 1994 (Source: ProductPlan).

    Base your prioritization on the right set of criteria

    Effective Prioritization Criteria

    Criteria

    Description

    Regulatory & Legal Compliance These requirements will be considered mandatory.
    Policy Compliance Unless an internal policy can be altered or an exception can be made, these requirements will be considered mandatory.
    Business Value Significance Give a higher priority to high-value requirements.
    Business Risk Any requirement with the potential to jeopardize the entire project should be given a high priority and implemented early.
    Likelihood of Success Especially in proof-of-concept projects, it is recommended that requirements have good odds.
    Implementation Complexity Give a higher priority to low implementation difficulty requirements.
    Alignment With Strategy Give a higher priority to requirements that enable the corporate strategy.
    Urgency Prioritize requirements based on time sensitivity.
    Dependencies A requirement on its own may be low priority, but if it supports a high-priority requirement, then its priority must match it.

    Info-Tech Insight

    It is easier to prioritize requirements if they have already been collapsed, resolved, and rewritten. There is no point in prioritizing every requirement that is elicited up front when some of them will eventually be eliminated.

    Use the Requirements Gathering Documentation Tool to steer your requirements gathering approach during a project

    3.1 Requirements Gathering Documentation Tool

    Use the Requirements Gathering Documentation Tool to identify and track stakeholder involvement, elicitation techniques, and scheduling, as well as to track categorization and prioritization of requirements.

    • Use the Identify Stakeholders tab to:
      • Identify the stakeholder's name and role.
      • Identify their influence and involvement.
      • Identify the elicitation techniques that you will be using.
      • Identify who will be conducting the elicitation sessions.
      • Identify if requirements were validated post elicitation session.
      • Identify when the elicitation will take place.
    • Use the Categorize & Prioritize tab to:
      • Identify the stakeholder.
      • Identify the core function.
      • Identify the business requirement.
      • Describe the requirement.
      • Identify the categorization of the requirement.
      • Identify the level of priority of the requirement.

    Prioritize requirements

    3.1.3 – 30 minutes

    Input
    • Requirements list
    • Prioritization criteria
    Output
    • Prioritized requirements
    Materials
    • Whiteboard
    • Markers
    • Sticky notes
    Participants
    • BAs
    • Business stakeholders

    Using the output from the MoSCoW model, prioritize the requirements according to those you must have, should have, could have, and won’t have.

    1. As a group, review each requirement and decide if the requirement is:
      1. Must have
      2. Should have
      3. Could have
      4. Won’t have
    2. Beginning with the must-have requirements, determine if each has any dependencies. Ensure that each of the dependencies are moved to the must-have category. Group and circle the dependent requirements.
    3. Continue the same exercise with the should-have and could-have options.
    4. Record the results in the Requirements Gathering Documentation Tool.

    Step 1 – Prioritize requirements

    3.1.3

    The image shows a whiteboard, with four categories listed at the top: Must Have; Should Have; Could Have; Won't Have. There are yellow post-it notes under each category.

    Step 2-3 – Prioritize requirements

    This image is the same as the previous image, but with the additions of two dotted line squares under the Must Have category, with arrows pointing to them from post-its in the Should have category.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    3.1.1 Create functional requirements categories

    An analyst will facilitate the discussion to brainstorm and determine criteria for requirements categories.

    3.1.2 Consolidate similar requirements and eliminate redundancies

    An analyst will facilitate a session to review the requirements categories to ensure the list is mutually exclusive by consolidating similar requirements and eliminating redundancies.

    3.1.3 Prioritize requirements

    An analyst will facilitate the discussion on how to prioritize requirements according to the MoSCoW prioritization framework. The analyst will also walk you through the exercise of determining dependencies for each requirement.

    Step 3.2: Validate Business Requirements

    Phase 1

    1.1 Understand the Benefits of Requirements Optimization

    1.2 Determine Your Target State for Requirements Gathering

    Phase 2

    2.1 Determine Elicitation Techniques

    2.2 Structure Elicitation Output

    Phase 3

    3.1 Create Analysis Framework

    3.2 Validate Business Requirements

    Phase 4

    4.1 Create Control Processes for Requirements Changes

    4.2 Build Requirements Governance and Communication Plan

    This step will walk you through the following activities:
    • Build the BRD.
    • Translate functional requirements to technical requirements.
    • Identify testing opportunities.

    This step involves the following participants:

    • BAs

    Outcomes of this step

    • Finalized BRD.

    Validate requirements to ensure that they meet stakeholder needs – getting sign-off is essential

    The image is the Requirements Gathering Framework shown previously. In this instance, all aspects of the graphic are greyed out with the exception of the Validate arrow, right of center. Below the arrow are three bullet points: Translate; Allocate; Approve.

    The validation phase involves translating the requirements, modeling the solutions, allocating features across the phased deployment plan, preparing the requirements package, and getting requirement sign-off. This is the last step in the Info-Tech Requirements Gathering Framework.

    Prepare a user-friendly requirements package

    Before going for final sign-off, ensure that you have pulled together all of the relevant documentation.

    The requirements package is a compilation of all of the business analysis and requirements gathering that occurred. The document will be distributed among major stakeholders for review and sign-off.

    Some may argue that the biggest challenge in the validation phase is getting the stakeholders to sign off on the requirements package; however, the real challenge is getting them to actually read it. Often, stakeholders sign the requirements document without fully understanding the scope of the application, details of deployment, and how it affects them.

    Remember, this document is not for the BAs; it’s for the stakeholders. Make the package with the stakeholders in mind. Create multiple versions of the requirements package where the length and level of technical details is tailored to the audience. Consider creating a supplementary PowerPoint version of the requirements package to present to senior management.

    Contents of Requirements Package:

    • Project Charter (if available)
    • Overarching Project Goals
    • Categorized Business Requirements
    • Selected Solution Proposal
    • Rationale for Solution Selection
    • Phased Roll-Out Plan
    • Proposed Schedule/Timeline
    • Signatures Page

    "Sit down with your stakeholders, read them the document line by line, and have them paraphrase it back to you so you’re on the same page." – Anonymous City Manager of IT Project Planning Info-Tech Interview

    Capture requirements in a dedicated BRD

    The BRD captures the original business objectives and high-level business requirements for the system/process. The system requirements document (SRD) captures the more detailed functional and technical requirements.

    The graphic is grouped into two sections, indicated by brackets on the right side, the top section labelled BRD and the lower section labelled as SRD. In the BRD section, a box reads Needs Identified in the Business Case. An arrow points from the bottom of the box down to another box labelled Use Cases. In the SRD section, there are three arrows pointing from the Use Cases box to three boxes in a row. They are labelled Functionality; Usability; and Constraints. Each of these boxes has a plus sign between it and the next in the line. At the bottom of the SRD section is a box with text that reads: Quality of Service Reliability, Supportability, and Performance

    Use Info-Tech’s Business Requirements Document Template to specify the business needs and expectations

    3.2 Business Requirements Document Template

    The Business Requirements Document Template can be used to record the functional, quality, and usability requirements into formats that are easily consumable for future analysis, architectural and design activities, and most importantly in a format that is understandable by all business partners.

    The BRD is designed to take the reader from a high-level understanding of the business processes down to the detailed automation requirements. It should capture the following:

    • Project summary and background
    • Operating model
    • Business process model
    • Use cases
    • Requirements elicitation techniques
    • Prioritized requirements
    • Assumptions and constraints

    Rightsize the BRD

    3.2.1 – 30 minutes

    Input
    • Project levels
    • BRD categories
    Output
    • BRD
    Materials
    • Whiteboard
    • Markers
    Participants
    • BAs
    • Business stakeholders

    Build the required documentation for requirements gathering.

    1. On the board, write out the components of the BRD. As a group, review the headings and decide if all sections are needed for level 1 & 2 and level 3 & 4 projects. Your level 3-4 project business cases will have the most detailed business cases; consider your level 1-2 projects, and remove any categories you don’t believe are necessary for the project level.
    2. Now that you have a right-sized template, break the team into two groups and have each group complete one section of the template for your selected project.
      1. Project overview
      2. Implementation considerations
    3. Once complete, have each group present its section, and allow the group to make additions and modifications to each section.

    Document the output from this exercise in section 6 of the Requirements Gathering SOP and BA Playbook.

    Present the BRD to business stakeholders

    3.2.2 – 1 hour

    Input
    • Activity 3.2.1
    Output
    • BRD presentation
    Materials
    • Whiteboard
    • Markers
    Participants
    • Business stakeholders

    Practice presenting the requirements document to business stakeholders.

    1. Hold a meeting with a group of selected stakeholders, and have a representative present each section of the BRD for your project.
    2. Instruct participants that they should spend the majority of their time on the requirements section, in particular the operating model and the requirements prioritization.
    3. At the end of the meeting, have the business stakeholders validate the requirements, and approve moving forward with the project or indicate where further requirements gathering must take place.

    Example:

    Typical Requirements Gathering Validation Meeting Agenda
    Project overview 5 minutes
    Project operating model 10 minutes
    Prioritized requirements list 5 minutes
    Business process model 30 minutes
    Implementation considerations 5 minutes

    Translate business requirements into technical requirements

    3.2.3 – 30 minutes

    Input
    • Business requirements
    Output
    • BRD presentation
    Materials
    • Whiteboard
    • Markers
    Participants
    • Business stakeholders
    • BAs
    • Developers

    Practice translating business requirements into system requirements.

    1. Bring in representatives from the development team, and have a representative walk them through the business process model.
    2. Present a detailed account of each business requirement, and work with the IT team to build out the system requirements for each.
    3. Document the system requirements in the Requirements Gathering Documentation Tool.

    For requirements traceability, ensure you’re linking your requirements management back to your test strategy

    After a solution has been fully deployed, it’s critical to create a strong link between your software testing strategy and the requirements that were collected. User acceptance testing (UAT) is a good approach for requirement verification.

    • Many organizations fail to create an explicit connection between their requirements gathering and software testing strategies. Don’t follow their example!
    • When conducting UAT, structure exercises in the context of the requirements; run through the signed-off list and ask users whether or not the deployed functionality was in line with the expectations outlined in the finalized requirements documentation.
    • If not – determine whether it was a miscommunication on the requirements management side or a failure of the developers (or procurement team) to meet the agreed-upon requirements.

    Download the Requirements Gathering Testing Checklist template.

    Identify the testing opportunities

    3.2.4 – 30 minutes

    Input
    • List of requirements
    Output
    • Requirements testing process
    Materials
    • Whiteboard
    • Markers
    Participants
    • BAs
    • Developers

    Identify how to test the effectiveness of different requirements.

    1. Ask the group to review the list of requirements and identify:
      1. Which kinds of requirements enable constructive testing efforts?
      2. Which kinds of requirements enable destructive testing efforts?
      3. Which kinds of requirements support end-user acceptance testing?
      4. What do these validation-enabling objectives mean in terms of requirement specificity?
    2. For each, identify who will do the testing and at what stage.

    Verify that the requirements still meet the stakeholders’ needs

    Keep the stakeholders involved in the process in between elicitation and sign-off to ensure that nothing gets lost in transition.

    After an organization’s requirements have been aggregated, categorized, and consolidated, the business requirements package will begin to take shape. However, there is still a great deal of work to complete. Prior to proceeding with the process, requirements should be verified by domain SMEs to ensure that the analyzed requirements continue to meet their needs. This step is often overlooked because it is laborious and can create additional work; however, the workload associated with verification is much less than the eventual rework stemming from poor requirements.

    All errors in the requirements gathering process eventually surface; it is only a matter of time. Control when these errors appear and minimize costs by soliciting feedback from stakeholders early and often.

    This is the Verify stage of the Confirm, Verify, Approve process.

    “Do these requirements still meet your needs?”

    Put it all together: obtain final requirements sign-off

    Use the sign-off process as one last opportunity to manage expectations, obtain commitment from the stakeholders, and minimize change requests.

    Development or procurement of the application cannot begin until the requirements package has been approved by all of the key stakeholders. This will be the third time that the stakeholders are asked to review the requirements; however, this will be the first time that the stakeholders are asked to sign off on them.

    It is important that the stakeholders understand the significance of their signatures. This is their last opportunity to see exactly what the solution will look like and to make change requests. Ensure that the stakeholders also recognize which requirements were omitted from the solution that may affect them.

    The sign-off process needs to mean something to the stakeholders. Once a signature is given, that stakeholder must be accountable for it and should not be able to make change requests. Note that there are some requests from senior stakeholders that can’t be refused; use discretion when declining requests.

    This is the Approve stage of the Confirm, Verify, Approve process.

    "Once requirements are signed off, stay firm on them!" – Anonymous Hospital Business Systems Analyst Info-Tech Interview

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with out Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    3.2.1; 3.2.2 Rightsize the BRD and present it to business stakeholders

    An analyst will facilitate the discussion to gather the required documentation for building the BRD. The analyst will also assist with practicing the presenting of each section of the document to business stakeholders.

    3.2.3; 3.2.4 Translate business requirements into technical requirements and identify testing opportunities

    An analyst will facilitate the session to practice translating business requirements into testing requirements and assist in determining how to test the effectiveness of different requirements.

    Phase 4: Create a Requirements Governance Action Plan

    Phase 4 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 4: Create a Requirements Governance Action Plan

    Proposed Time to Completion: 3 weeks

    Step 4.1: Create Control Processes for Requirements Changes

    Start with an analyst kick off call:

    • Discuss how to handle changes to requirements and establish a formal change control process.

    Then complete these activities…

    • Develop a change control process.
    • Build the guidelines for escalating changes.
    • Confirm your requirements gathering process.
    • Define RACI for the requirements gathering process.

    With these tools & templates:

    • Requirements Traceability Matrix
    Step 4.2: Build Requirements Governance and Communication Plan

    Review findings with analyst:

    • Review options for ongoing governance of the requirements gathering process.

    Then complete these activities…

    • Define the requirements gathering steering committee purpose.
    • Define the RACI for the RGSC.
    • Define procedures, cadence, and agenda for the RGSC.
    • Identify and analyze stakeholders.
    • Create a communications management plan.
    • Build the requirements gathering process implementation timeline.

    With these tools & templates:

    Requirements Gathering Communication Tracking Template

    Phase 4 Results & Insights:
    • Formalized change control and governance processes for requirements.

    Step 4.1: Create Control Processes for Requirements Changes

    Phase 1

    1.1 Understand the Benefits of Requirements Optimization

    1.2 Determine Your Target State for Requirements Gathering

    Phase 2

    2.1 Determine Elicitation Techniques

    2.2 Structure Elicitation Output

    Phase 3

    3.1 Create Analysis Framework

    3.2 Validate Business Requirements

    Phase 4

    4.1 Create Control Processes for Requirements Changes

    4.2 Build Requirements Governance and Communication Plan

    This step will walk you through the following activities:
    • Develop change control process.
    • Develop change escalation process.
    This step involves the following participants:
    • BAs
    • Business stakeholders
    Outcomes of this step
    • Requirements gathering process validation.
    • RACI completed.

    Manage, communicate, and test requirements

    The image is the Requirement Gathering Framework graphic from previous sections. In this instance, all parts of the image are greyed out, with the exception of the arrows labelled Communicate and Manage, located at the bottom of the image.

    Although the manage, communicate, and test requirements section chronologically falls as the last section of this blueprint, that does not imply that this section is to be performed only at the end. These tasks are meant to be completed iteratively throughout the project to support the core requirements gathering tasks.

    Prevent requirements scope creep

    Once the stakeholders sign off on the requirements document, any changes need to be tracked and managed. To do that, you need a change control process.

    Thoroughly validating requirements should reduce the amount of change requests you receive. However, eliminating all changes is unavoidable.

    The BAs, sponsor, and stakeholders should have agreed upon a clearly defined scope for the project during the planning phase, but there will almost always be requests for change as the project progresses. Even a high number of small changes can negatively impact the project schedule and budget.

    To avoid scope creep, route all changes, including small ones, through a formal change control process that will be adapted depending on the level of project and impact of the change.

    Linking change requests to requirements is essential to understanding relevance and potential impact

    1. Receive project change request.
    2. Refer to requirements document to identify requirements associated with the change.
      • Matching requirement is found: The change is relevant to the project.
      • Multiple requirements are associated with the proposed change: The change has wider implications for the project and will require closer analysis.
      • The request involves a change or new business requirements: Even if the change is within scope, time, and budget, return to the stakeholder who submitted the request to identify the potentially new requirements that relate to this change. If the sponsor agrees to the new requirements, you may be able to approve the change.
    3. Findings influence decision to escalate/approve/reject change request.

    Develop a change control process

    4.1.1 – 45 minutes

    Input
    • Current change control process
    Output
    • Updated change control process
    Materials
    • Whiteboard
    • Markers
    Participants
    • BAs
    • Developers
    1. Ask the team to consider their current change control process. It might be helpful to discuss a project that is currently underway, or already completed, to provide context. Draw the process on the whiteboard through discussion with the team.
    2. If necessary, provide some cues. Below are some change control process activities:
      • Submit project change request form.
      • PM assesses change.
      • Project sponsor assesses change.
      • Bring request to project steering committee to assess change.
      • Approve/reject change.
    3. Ask participants to brainstorm a potential separate process for dealing with small changes. Add a new branch for minor changes, which will allow you to make decisions on when to bundle the changes versus implementing directly.

    Document any changes from this exercise in section 7.1 of the Requirements Gathering SOP and BA Playbook.

    Example change control process

    The image is an example of a change control process, depicted via a flowchart.

    Build guidelines for escalating changes

    4.1.2 – 1 hour

    Input
    • Current change control process
    Output
    • Updated change control process
    Materials
    • Whiteboard
    • Markers
    Participants
    • BAs
    • Developers

    Determine how changes will be escalated for level 1/2/3/4 projects.

    1. Write down the escalation options for level 3 & 4 projects on the whiteboard:
      • Final decision rests with project manager.
      • Escalate to sponsor.
      • Escalate to project steering committee.
      • Escalate to change control board.
    2. Brainstorm categories for assessing the impact of a change and begin creating a chart on the whiteboard by listing these categories in the far left column. Across the top, list the escalation options for level 3 & 4 projects.
    3. Ask the team to agree on escalation conditions for each escalation option. For example, for the final decision to rest with the project manager one condition might be:
      • Change is within original project scope.
    4. Review the output from exercise 4.1.1 and tailor the process model to meet level 3 & 4 escalation models.
    5. Repeat steps 1-4 for level 1 & 2 projects.

    Document any changes from this exercise in section 7.2 of the Requirements Gathering SOP and BA Playbook.

    Example: Change control process – Level 3 & 4

    Impact Category Final Decision Rests With Project Manager If: Escalate to Steering Committee If: Escalate to Change Control Board If: Escalate to Sponsor If:
    Scope
    • Change is within original project scope.
    • Change is out of scope.
    Budget
    • Change can be absorbed into current project budget.
    • Change will require additional funds exceeding any contingency reserves.
    • Change will require the release of contingency reserves.
    Schedule
    • Change can be absorbed into current project schedule.
    • Change will require the final project close date to be delayed.
    • Change will require a delay in key milestone dates.
    Requirements
    • Change can be linked to an existing business requirement.
    • Change will require a change to business requirements, or a new business requirement.

    Example: Change control process – Level 1 & 2

    Impact CategoryFinal Decision Rests With Project Manager If:Escalate to Steering Committee If:Escalate to Sponsor If:
    Scope
    • Change is within original project scope.
    • Change is out of scope.
    Budget
    • Change can be absorbed into current project budget, even if this means releasing contingency funds.
    • Change will require additional funds exceeding any contingency reserves.
    Schedule
    • Change can be absorbed into current project schedule, even if this means moving milestone dates.
    • Change will require the final project close date to be delayed.
    Requirements
    • Change can be linked to an existing business requirement.
    • Change will require a change to business requirements, or a new business requirement.

    Leverage Info-Tech’s Requirements Traceability Matrix to help create end-to-end traceability of your requirements

    4.1 Requirements Traceability Matrix

    Even if you’re not using a dedicated requirements management suite, you still need a way to trace requirements from inception to closure.
    • Ensuring traceability of requirements is key. If you don’t have a dedicated suite, Info-Tech’s Requirements Traceability Matrix can be used as a form of documentation.
    • The traceability matrix covers:
      • Association ID
      • Technical Assumptions and Needs
      • Functional Requirement
      • Status
      • Architectural Documentation
      • Software Modules
      • Test Case Number

    Info-Tech Deliverable
    Take advantage of Info-Tech’s Requirements Traceability Matrix to track requirements from inception through to testing.

    You can’t fully validate what you don’t test; link your requirements management back to your test strategy

    Create a repository to store requirements for reuse on future projects.

    • Reuse previously documented requirements on future projects to save the organization time, money, and grief. Well-documented requirements discovered early can even be reused in the same project.
    • If every module of the application must be able to save or print, then the requirement only needs to be written once. The key is to be able to identify and isolate requirements with a high likelihood of reuse. Typically, requirements pertaining to regulatory and business rule compliance are prime candidates for reuse.
    • Build and share a repository to store historical requirement documentation. The repository must be intuitive and easy to navigate, or users will not take advantage of it. Plan the information hierarchy in advance. Requirements management software suites have the ability to create a repository and easily migrate requirements over from past projects.
    • Assign one person to manage the repository to create consistency and accountability. This person will maintain the master requirements document and ensure the changes that take place during development are reflected in the requirements.

    Confirm your requirements gathering process

    4.1.3 – 45 minutes

    Input
    • Activity 1.2.4
    Output
    • Requirements gathering process model
    Materials
    • Whiteboard
    • Markers
    Participants
    • BAs

    Review the requirements gathering process and control levels for project levels 1/2/3/4 and add as much detail as possible to each process.

    1. Draw out the requirements gathering process for a level 4 project as created in exercise 1.2.4 on a whiteboard.
    2. Review each process step as a group, and break down each step so that it is at its most granular. Be sure to include each decision point, key documentation, and approvals.
    3. Once complete, review the process for level 3, 2 & 1. Reduce steps as necessary. Note: there may not be a lot of differentiation between your project level 4 & 3 or level 2 & 1 processes. You should see differentiation in your process between 2 and 3.

    Document the output from this exercise in section 2.4 of the Requirements Gathering SOP and BA Playbook.

    Example: Confirm your requirements gathering process

    The image is an example of a requirements gathering process, representing in the format of a flowchart.

    Define RACI for the requirements gathering process

    4.1.4 – 45 minutes

    Input
    • List of stakeholders
    Output
    • RACI matrix
    Materials
    • Whiteboard
    • Markers
    Participants
    • Business stakeholders

    Understand who is responsible, accountable, consulted, and informed for key elements of the requirements gathering process for project levels 1/2/3/4.

    1. As a group, identify the key stakeholders for requirements gathering and place those names along the top of the board.
    2. On the left side of the board, list the process steps and control points for a level 4 project.
    3. For each process step, identify who is responsible, accountable, informed, and consulted.
    4. Repeat this process for project levels 3, 2 & 1.

    Example: RACI for requirements gathering

    Project Requestor Project Sponsor Customers Suppliers Subject Matter Experts Vendors Executives Project Management IT Management Developer/ Business Analyst Network Services Support
    Intake Form A C C I R
    High-Level Business Case R A C C C C I I C
    Project Classification I I C I R A R
    Project Approval R R I I I I I I A I I
    Project Charter R C R R C R I A I R C C
    Develop BRD R I R C C C R A C C
    Sign-Off on BRD/ Project Charter R A R R R R
    Develop System Requirements C C C R I C A R R
    Sign-Off on SRD R R R I A R R
    Testing/Validation A I R C R C R I R R
    Change Requests R R C C A I R C
    Sign-Off on Change Request R A R R R R
    Final Acceptance R A R I I I I R R R I I

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    4.1.1; 4.1.2 Develop a change control process and guidelines for escalating changes

    An analyst will facilitate the discussion on how to improve upon your organization’s change control processes and how changes will be escalated to ensure effective tracking and management of changes.

    4.1.3 Confirm your requirements gathering process

    With the group, an analyst will review the requirements gathering process and control levels for the different project levels.

    4.1.4 Define the RACI for the requirements gathering process

    An analyst will facilitate a whiteboard exercise to understand who is responsible, accountable, informed, and consulted for key elements of the requirements gathering process.

    Step 4.2: Build Requirements Governance and Communication Plan

    Phase 1

    1.1 Understand the Benefits of Requirements Optimization

    1.2 Determine Your Target State for Requirements Gathering

    Phase 2

    2.1 Determine Elicitation Techniques

    2.2 Structure Elicitation Output

    Phase 3

    3.1 Create Analysis Framework

    3.2 Validate Business Requirements

    Phase 4

    4.1 Create Control Processes for Requirements Changes

    4.2 Build Requirements Governance and Communication Plan

    This step will walk you through the following activities:

    • Developing a requirements gathering steering committee.
    • Identifying and analyzing stakeholders for requirements governance.
    • Creating a communication management plan.

    This step involves the following participants:

    • Business stakeholders
    • BAs

    Outcomes of this step

    • Requirements governance framework.
    • Communication management plan.

    Establish proper governance for requirements gathering that effectively creates and communicates guiding principles

    If appropriate governance oversight doesn’t exist to create and enforce operating procedures, analysts and developers will run amok with their own processes.

    • One of the best ways to properly govern your requirements gathering process is to establish a working committee within the framework of your existing IT steering committee. This working group should be given the responsibility of policy formulation and oversight for requirements gathering operating procedures. The governance group should be comprised of both business and IT sponsors (e.g. a director, BA, and “voice of the business” line manager).
    • The governance team will not actually be executing the requirements gathering process, but it will be deciding upon which policies to adopt for elicitation, analysis, and validation. The team will also be responsible for ensuring – either directly or indirectly through designated managers – that BAs or other requirements gathering processionals are following the approved steps.

    Requirements Governance Responsibilities

    1. Provide oversight and review of SOPs pertaining to requirements elicitation, analysis, and validation.

    2. Establish corporate policies with respect to requirements gathering SOP training and education of analysts.

    3. Prioritize efforts for requirements optimization.

    4. Determine and track metrics that will be used to gauge the success (or failure) of requirements optimization efforts and make process and policy changes as needed.

    Right-size your governance structure to your organization’s complexity and breadth of capabilities

    Not all organizations will be best served by a formal steering committee for requirements gathering. Assess the complexity of your projects and the number of requirements gathering practitioners to match the right governance structure.

    Level 1: Working Committee
    • A working committee is convened temporarily as required to do periodic reviews of the requirements process (often annually, or when issues are surfaced by practitioners). This governance mechanism works best in small organizations with an ad hoc culture, low complexity projects, and a small number of practitioners.
    Level 2: IT Steering Committee Sub-Group
    • For organizations that already have a formal IT steering committee, a sub-group dedicated to managing the requirements gathering process is desirable to a full committee if most projects are complexity level 1 or 2, and/or there are fewer than ten requirements gathering practitioners.
    Level 3: Requirements Gathering Steering Committee
    • If your requirements gathering process has more than ten practitioners and routinely deals with high-complexity projects (like ERP or CRM), a standing formal committee responsible for oversight of SOPs will provide stronger governance than the first two options.
    Level 4: Requirements Gathering Center of Excellence
    • For large organizations with multiple business units, matrix organizations for BAs, and a very large number of requirements gathering practitioners, a formal center of excellence can provide both governance as well as onboarding and training for requirements gathering.

    Identify and analyze stakeholders

    4.2.1A – 1 hour

    Input
    • Number of practitioners, project complexity levels
    Output
    • Governance structure selection
    Materials
    • Whiteboard
    • Markers
    Participants
    • Business stakeholders

    Use a power map to determine which governance model best fits your organization.

    The image is a square, split into four equal sections, labelled as follows from top left: Requirements Steering Committee; Requirements Center of Excellence; IT Steering Committee Sub-Group; Working Committee. The left and bottom edges of the square are labelled as follows: on the left, with an arrow pointing upwards, Project Complexity; on the bottom, with arrow pointing right, # of Requirements Practitioners.

    Define your requirements gathering governance structure(s) and purpose

    4.2.1B – 30 minutes

    Input
    • Requirements gathering elicitation, analysis, and validation policies
    Output
    • Governance mandate
    Materials
    • Whiteboard
    • Markers
    Participants
    • Business stakeholders

    This exercise will help to define the purpose statement for the applicable requirements gathering governance team.

    1. As a group, brainstorm key words that describe the unique role the governance team will play. Consider value, decisions, and authority.
    2. Using the themes, come up with a set of statements that describe the overall purpose statement.
    3. Document the outcome for the final deliverable.

    Example:

    The requirements gathering governance team oversees the procedures that are employed by BAs and other requirements gathering practitioners for [insert company name]. Members of the team are appointed by [insert role] and are accountable to [typically the chair of the committee].

    Day-to-day operations of the requirements gathering team are expected to be at the practitioner (i.e. BA) level. The team is not responsible for conducting elicitation on its own, although members of the team may be involved from a project perspective.

    Document the output from this exercise in section 3.1 of the Requirements Gathering SOP and BA Playbook.

    A benefits provider established a steering committee to provide consistency and standardization in requirements gathering

    CASE STUDY

    Industry Not-for-Profit

    Source Info-Tech Workshop

    Challenge

    This organization is a not-for-profit benefits provider that offers dental coverage to more than 1.5 million people across three states.

    With a wide ranging application portfolio that includes in-house, custom developed applications as well as commercial off-the-shelf solutions, the company had no consistent method of gathering requirements.

    Solution

    The organization contracted Info-Tech to help build an SOP to put in place a rigorous and efficient methodology for requirements elicitation, analysis, and validation.

    One of the key realizations in the workshop was the need for governance and oversight over the requirements gathering process. As a result, the organization developed a Requirements Management Steering Committee to provide strategic oversight and governance over requirements gathering processes.

    Results

    The Requirements Management Steering Committee introduced accountability and oversight into the procedures that are employed by BAs. The Committee’s mandate included:

    • Provide oversight and review SOPs pertaining to requirements elicitation, analysis, and validation.
    • Establish corporate policies with respect to training and education of analysts on requirements gathering SOPs.
    • Prioritize efforts for requirements optimization.
    • Determine metrics that can be used to gauge the success of requirements optimization efforts.

    Authority matrix – RACI

    There needs to be a clear understanding of who is accountable, responsible, consulted, and informed about matters brought to the attention of the requirements gathering governance team.

    • An authority matrix is often used within organizations to indicate roles and responsibilities in relation to processes and activities.
    • Using the RACI model as an example, there is only one person accountable for an activity, although several people may be responsible for executing parts of the activity.
    • In this model, accountable means end-to-end accountability for the process. Accountability should remain with the same person for all activities of a process.

    RResponsible

    The one responsible for getting the job done.

    A – Accountable

    Only one person can be accountable for each task.

    C – Consulted

    Involvement through input of knowledge and information.

    I – Informed

    Receiving information about process execution and quality.

    Define the RACI for effective requirements gathering governance

    4.2.2 – 30 minutes

    Input
    • Members’ list
    Output
    • Governance RACI
    Materials
    • Whiteboard
    • Markers
    • Sticky notes
    Participants
    • Governance team members

    Build the participation list and authority matrix for the requirements gathering governance team.

    1. Have each participant individually consider the responsibilities of the governance team, and write five participant roles they believe should be members of the governance team.
    2. Have each participant place the roles on the whiteboard, group participants, and agree to five participants who should be members.
    3. On the whiteboard, write the responsibilities of the governance team in a column on the left, and place the sticky notes of the participant roles along the top of the board.
    4. Under the appropriate column for each activity, identify who is the “accountable,” “responsible,” “consulted,” and “informed” role for each activity.
    5. Agree to a governance chair.

    Document any changes from this exercise in section 3.1 of the Requirements Gathering SOP and BA Playbook.

    Example: Steps 2-5: Build the governance RACI

    The image shows an example governance RACI, with the top of the chart labelled with Committee Participants, and the left hand column labelled Committee Responsibilities. Some of the boxes have been filled in.

    Define your requirements gathering governance team procedures, cadence, and agenda

    4.2.3 – 30 minutes

    Input
    • Governance responsibilities
    Output
    • Governance procedures and agenda
    Materials
    • Whiteboard
    • Markers
    Participants
    • Steering committee members

    Define your governance team procedures, cadence, and agenda.

    1. Review the format of a typical agenda as well as the list of responsibilities for the governance team.
    2. Consider how you will address each of these responsibilities in the meeting, who needs to present, and how long each presentation should be.
    3. Add up the times to define the meeting duration.
    4. Consider how often you need to meet to discuss the information: monthly, quarterly, or annually? Are there different actions that need to be taken at different points in the year?
    5. As a group, decide how the governance team will approve changes and document any voting standards that should be included in the charter. Will a vote be taken during or prior to the meeting? Who will have the authority to break a tie?
    6. As a group, decide how the committee will review information and documentation. Will members commit to reviewing associated documents before the meeting? Can associated documentation be stored in a knowledge repository and/or be distributed to members prior to the meeting? Who will be responsible for this? Can a short meeting/conference call be held with relevant reviewers to discuss documentation before the official committee meeting?

    Review the format of a typical agenda

    4.2.3 – 30 minutes

    Meeting call to order [Committee Chair] [Time]
    Roll call [Committee Chair] [Time]
    Review of SOPs
    A. Requirements gathering dashboard review [Presenters, department] [Time]
    B. Review targets [Presenters, department] [Time]
    C. Policy Review [Presenters, department] [Time]

    Define the governance procedures and cadence

    4.2.3 – 30 minutes

    • The governance team or committee will be chaired by [insert role].
    • The team shall meet on a [insert time frame (e.g. monthly, semi-annual, annual)] basis. These meetings will be scheduled by the team or committee chair or designated proxy.
    • Approval for all SOP changes will be reached through a [insert vote consensus criteria (majority, uncontested, etc.)] vote of the governance team. The vote will be administered by the governance chair. Each member of the committee shall be entitled to one vote, excepting [insert exceptions].
    • The governance team has the authority to reject any requirements gathering proposal which it deems not to have made a sufficient case or which does not significantly contribute to the strategic objectives of [insert company name].
    • [Name of individual] will record and distribute the meeting minutes and documentation of business to be discussed in the meeting.

    Document any changes from this exercise in section 3.1 of the Requirements Gathering SOP and BA Playbook.

    Changing the requirements gathering process can be disruptive – be successful by gaining business support

    A successful communication plan involves making the initiative visible and creating staff awareness around it. Educate the organization on how the requirements gathering process will differ.

    People can be adverse to change and may be unreceptive to being told they must “comply” to new policies and procedures. Demonstrate the value in requirements gathering and show how it will assist people in their day-to-day activities.

    By demonstrating how an improved requirements gathering process will impact staff directly, you create a deeper level of understanding across lines-of-business, and ultimately a higher level of acceptance for new processes, rules, and guidelines.

    A proactive communication plan will:
    • Assist in overcoming issues with prioritization, alignment resourcing, and staff resistance.
    • Provide a formalized process for implementing new policies, rules, and guidelines.
    • Detail requirements gathering ownership and accountability for the entirety of the process.
    • Encourage acceptance and support of the initiative.

    Identify and analyze stakeholders to communicate the change process

    Who are the requirements gathering stakeholders?

    Stakeholder:

    • A stakeholder is any person, group, or organization who is the end user, owner, sponsor, or consumer of an IT project, change, or application.
    • When assessing an individual or group, ask whether they can impact or be impacted by any decision, change, or activity executed as part of the project. This might include individuals outside of the organization.

    Key Stakeholder:

    • Someone in a management role or someone with decision-making power who will be able to influence requirements and/or be impacted by project outcomes.

    User Group Representatives:

    • For impacted user groups, follow best practice and engage an individual to act as a representative. This individual will become the primary point of contact when making decisions that impact the group.

    Identify the reasons for resistance to change

    Stakeholders may resist change for a variety of reasons, and different strategies are necessary to address each.

    Unwilling – Individuals who are unwilling to change may need additional encouragement. For these individuals, you’ll need to reframe the situation and emphasize how the change will benefit them specifically.

    Unable – All involved requirements gathering will need some form of training on the process, committee roles, and responsibilities. Be sure to have training and support available for employees who need it and communicate this to staff.

    Unaware – Until people understand exactly what is going on, they will not be able to conform to the process. Communicate change regularly at the appropriate detail to encourage stakeholder support.

    Info-Tech Insight

    Resisters who have influence present a high risk to the implementation as they may encourage others to resist as well. Know where and why each stakeholder is likely to resist to mitigate risk. A detailed plan will ensure you have the needed documentation and communications to successfully manage stakeholder resistance.

    Identify and analyze stakeholders

    4.2.4 – 1 hour

    Input
    • Requirements gathering stakeholders list
    Output
    • Stakeholder power map
    Materials
    • Whiteboard
    • Markers
    • Sticky notes
    Participants
    • RGSC members

    Identify the impact and level of resistance of all stakeholders to come up with the right communication plan.

    1. Through discussion, generate a complete list of stakeholders for requirements gathering and record the names on the whiteboard or flip chart. Group related stakeholders together.
    2. Using the template on the next slide, draw the stakeholder power map.
    3. Evaluate each stakeholder on the list based on:
      1. Influence: To what degree can this stakeholder impact progress?
      2. Involvement: How involved is the stakeholder already?
      3. Support: Label supporters with green sticky notes, resisters with red notes, and the rest with a third color.
    4. Based on the assessment, write the stakeholder’s name on a green, red, or other colored sticky note, and place the sticky note in the appropriate place on the power map.
    5. For each of the stakeholders identified as resisters, determine why you think they would be resistant. Is it because they are unwilling, unable, and/or unknowing?
    6. Document changes to the stakeholder analysis in the Requirements Gathering Communication Tracking Template.

    Identify and analyze stakeholders

    4.2.4 – 1 hour

    Use a power map to plot key stakeholders according to influence and involvement.

    The image shows a power map, which is a square divided into 4 equally-sized sections, labelled from top left: Focused Engagement; Key Players; Keep Informed; Minimal Engagement. On the left side of the square, there is an arrow pointing upwards labelled Influence; at the bottom of the square, there is an arrow pointing right labelled Involvement. On the right side of the image, there is a legend indicating that a green dot indicates a Supporter; a grey dot indicated Neutral; and a red dot indicates a Resister.

    Example: Identify and analyze stakeholders

    Use a power map to plot key stakeholders according to influence and involvement.

    The image is the same power map image from the previous section, with some additions. A red dot is located at the top left, with a note: High influence with low involvement? You need a strategy to increase engagement. A green dot is located mid-high on the right hand side. Grey dots are located left and right in the bottom of the map. The bottom right grey dot has the note: High involvement with lower influence? Make sure to keep these stakeholders informed at regular intervals and monitor engagement.

    Stakeholder analysis: Reading the power map

    High Risk:

    Stakeholders with high influence who are not as involved in the project or are heavily impacted by the project are less likely to give feedback throughout the project lifecycle and need to be engaged. They are not as involved but have the ability to impact project success, so stay one step ahead.

    Do not limit your engagement to kick-off and close – you need to continue seeking input and support at all stages of the project.

    Mid Risk:

    Key players have high influence, but they are also more involved with the project or impacted by its outcomes and are thus easier to engage.

    Stakeholders who are heavily impacted by project outcomes will be essential to your organizational change management strategy. Do not wait until implementation to engage them in preparing the organization to accept the project – make them change champions.

    Low Risk:

    Stakeholders with low influence who are not impacted by the project do not pose as great of a risk, but you need to keep them consistently informed of the project and involve them at the appropriate control points to collect feedback and approval.

    Inputs to the communications plan

    Stakeholder analysis should drive communications planning.

    Identify Stakeholders
    • Who is impacted by this project?
    • Who can affect project outcomes?
    Assess Stakeholders
    • Influence
    • Involvement
    • Support
    Stakeholder Change Impact Assessment
    • Identify change supporters/resistors and craft change messages to foster acceptance.
    Stakeholder Register
    • Record assessment results and preferred methods of communication.
    The Communications Management Plan:
    • Who will receive information?
    • What information will be distributed?
    • How will information be distributed?
    • What is the frequency of communication?
    • What will the level of detail be?
    • Who is responsible for distributing information?

    Communicate the reason for the change and stay on message throughout the change

    Leaders of successful change spend considerable time developing a powerful change message: a compelling narrative that articulates the desired end state and makes the change concrete and meaningful to staff. They create the change vision with staff to build ownership and commitment.

    The change message should:

    • Explain why the change is needed.
    • Summarize the things that will stay the same.
    • Highlight the things that will be left behind.
    • Emphasize the things that are being changed.
    • Explain how the change will be implemented.
    • Address how the change will affect the various roles in the organization.
    • Discuss staff’s role in making the change successful.

    The five elements of communicating the reason for the change:

    COMMUNICATING THE CHANGE

    What is the change?

    Why are we doing it?

    How are we going to go about it?

    How long will it take us?

    What will the role be for each department and individual?

    Create a communications management plan

    4.2.5 – 45 minutes

    Input
    • Exercise 4.1.1
    Output
    • Communications management plan
    Materials
    • Whiteboard
    • Markers
    Participants
    • RGSC members

    Build the communications management plan around your stakeholders’ needs.

    1. Build a chart on the board using the template on the next slide.
    2. Using the list from exercise 4.1.1, brainstorm a list of communication vehicles that will need to be used as part of the rollout plan (e.g. status updates, training).
    3. Through group discussion, fill in all these columns for at least three communication vehicles:
      • (Target) audience
      • Purpose (description)
      • Frequency (of the communication)
        • The method, frequency, and content of communication vehicles will change depending on the stakeholder involved. This needs to be reflected by your plan. For example, you may have several rows for “Status Report” to cover the different stakeholders who will be receiving it.
      • Owner (of the message)
      • Distribution (method)
      • (Level of) details
        • High/medium/low + headings
    4. Document your stakeholder analysis in the Requirements Gathering Communication Tracking Template.

    Communications plan template

    4.2.5 – 45 minutes

    Sample communications plan: Status reports

    Vehicle Audience Purpose Frequency Owner Distribution Level of Detail
    Communications Guidelines
    • Regardless of complexity, it is important not to overwhelm stakeholders with information that is not relevant to them. Sending more detailed information than is necessary might mean that it does not get read.
    • Distributing reports too widely may lead to people assuming that someone else is reading it, causing them to neglect reading it themselves.
    • Only distribute reports to the stakeholders who need the information. Think about what information that stakeholder requires to feel comfortable.

    Example: Identify and analyze stakeholders

    Sample communications plan: Status reports

    Vehicle Audience Purpose Frequency Owner Distribution Level of Detail
    Status Report Sponsor Project progress and deliverable status Weekly Project Manager Email

    Details for

    • Milestones
    • Deliverables
    • Budget
    • Schedule
    • Issues
    Status Report Line of Business VP Project progress Monthly Project Manager Email

    High Level for

    • Major milestone update

    Build your requirements gathering process implementation timeline

    4.2.6 – 45 minutes

    Input
    • Parking lot items
    Output
    • Implementation timeline
    Materials
    • Whiteboard
    • Markers
    • Sticky notes
    Participants
    • RGSC members

    Build a high-level timeline for the implementation.

    1. Collect the action items identified throughout the week in the “parking lot.”
    2. Individually or in groups, brainstorm any additional action items. Consider communication, additional training required, approvals, etc.
      • Write these on sticky notes and add them to the parking lot with the others.
    3. As a group, start organizing these notes into logical groupings.
    4. Assign each of the tasks to a person or group.
    5. Identify any risks or dependencies.
    6. Assign each of the tasks to a timeline.
    7. Following the exercise, the facilitator will convert this into a Gantt chart using the roadmap for requirements gathering action plan.

    Step 3: Organize the action items into logical groupings

    4.2.6 – 45 minutes

    The image shows a board with 5 categories: Documentation, Approval, Communication, Process, and Training. There are groups of post-it notes under each category title.

    Steps 4-6: Organize the action items into logical groupings

    4.2.6 – 45 minutes

    This image shows a chart with Action Items to be listed in the left-most column, Person or Group Responsible in the next column, Risks/Dependencies in the next columns, and periods of time (i.e. 1-3 months, 2-6 months, etc.) in the following columns. The chart has been partially filled in as an exemplar.

    Recalculate the selected requirements gathering metrics

    Measure and monitor the benefits of requirements gathering optimization.

    • Reassess the list of selected and captured requirements management metrics.
    • Recalculate the metrics and analyze any changes. Don’t expect a substantial result after the first attempt. It will take a while for BAs to adjust to the Info-Tech Requirements Gathering Framework. After the third project, results will begin to materialize.
    • Understand that the project complexity and business significance will also affect how long it takes to see results. The ideal projects to beta the process on would be of low complexity and high business significance.
    • Realize that poor requirements gathering can have negative effects on the morale of BAs, IT, and project managers. Don’t forget to capture the impact of these through surveys.

    Major KPIs typically used for benchmarking include:

    • Number of application bugs/defects (for internally developed applications).
    • Number of support requests or help desk tickets for the application, controlled for user deployment levels.
    • Overall project cycle time.
    • Overall project cost.
    • Requirements gathering as a percentage of project time.

    Revisit the requirements gathering metrics selected in the planning phase and recalculate them after requirements gathering optimization has been attempted.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    4.2.1; 4.2.2; 4.2.3 – Build a requirements gathering steering committee

    The analyst will facilitate the discussion to define the purpose statement of the steering committee, build the participation list and authority matrix for its members, and define the procedures and agenda.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    4.2.4 Identify and analyze stakeholders

    An analyst will facilitate the discussion on how to identify the impact and level of resistance of all stakeholders to come up with the communication plan.

    4.2.5 Create a communications management plan

    An analyst will assist the team in building the communications management plan based on the stakeholders’ needs that were outlined in the stakeholder analysis exercise.

    4.2.6 Build a requirements gathering implementation timeline

    An analyst will facilitate a session to brainstorm and document any action items and build a high-level timeline for implementation.

    Insight breakdown

    Requirements gathering SOPs should be prescriptive based on project complexity.

    • Complex projects will require more analytical rigor. Simpler projects can be served by more straightforward techniques such as user stories.

    Requirements gathering management tools can be pricy, but they can also be beneficial.

    • Requirements gathering management tools are a great way to have full control over recording, analyzing, and categorizing requirements over complex projects.

    BAs can make or break the execution of the requirements gathering process.

    • A strong process still needs to be executed well by BAs with the right blend of skills and knowledge.

    Summary of accomplishment

    Knowledge Gained

    • Best practices for each stage of the requirements gathering framework:
      • Elicitation
      • Analysis
      • Validation
    • A clear understanding of BA competencies and skill sets necessary to successfully execute the requirements gathering process.

    Processes Optimized

    • Stakeholder identification and management.
    • Requirements elicitation, analysis, and validation.
    • Requirements gathering governance.
    • Change control processes for new requirements.
    • Communication processes for requirements gathering.

    Deliverables Completed

    • SOPs for requirements gathering.
    • Project level selection framework.
    • Communications framework for requirements gathering.
    • Requirements documentation standards.

    Organizations and experts who contributed to this research

    Interviews

    • Douglas Van Gelder, IT Manager, Community Development Commission of the County of Los Angeles
    • Michael Lyons, Transit Management Analyst, Metropolitan Transit Authority
    • Ken Piddington, CIO, MRE Consulting
    • Thomas Dong, Enterprise Software Manager, City of Waterloo
    • Chad Evans, Director of IT, Ontario Northland
    • Three anonymous contributors

    Note: This research also incorporates extensive insights and feedback from our advisory service and related research projects.

    Bibliography

    “10 Ways Requirements Can Sabotage Your Projects Right From the Start.” Blueprint Software Systems, 2012. Web.

    “BPM Definition.” BPMInstitute.org, n.d. Web.

    “Capturing the Value of Project Management.” PMI’s Pulse of the Profession, 2015. Web.

    Eby, Kate. “Demystifying the 5 Phases of Project Management.” Smartsheet, 29 May 2019. Web.

    “Product Management: MoSCoW Prioritization.” ProductPlan, n.d. Web.

    “Projects Delivered on Time & on Budget Result in Larger Market Opportunities.” Jama Software, 2015. Web.

    “SIPOC Table.” iSixSigma, n.d. Web.

    “Survey Principles.” University of Wisconsin-Madison, n.d. Web.

    “The Standish Group 2015 Chaos Report.” The Standish Group, 2015. Web.