Adding the Right Value: Building Cloud Brokerages That Enable

Considerations for implementing an institutional-focused cloud brokerage.

Your Challenge

Increasingly, large institutions and governments are adopting cloud-first postures for delivering IT resources. Combined with the growth of cloud offerings that are able to meet the certifications and requirements of this segment that has been driven by federal initiatives like Cloud-First in Canada and Cloud Smart in the United States, these two factors have left institutions (and the businesses that serve them) with the challenge of delivering cloud services to their users while maintaining compliance, control, and IT sanity.

In many cases, the answer is to develop a cloud brokerage to manage the complexity. But what should your cloud broker be delivering and how?

Navigating the Problem

Not all cloud brokerages are the same. And while they can be an answer to cloud complexity, an ineffective brokerage can drain value and complicate operations even further. Cloud brokerages need to be designed:

1. To deliver the right type of value to its users.
2. To strike the balance between effective governance & security and flexibility & ease of use.

Info-Tech’s Approach

By defining your end goals, framing solutions based on the type of value and rigor your brokerage needs to deliver, and focusing on the right balance of security and flexibility, you can deliver a brokerage that delivers the best of all worlds.

1. Define the brokerage value you want to deliver.
2. Build the catalog and partner ecosystem.
3. Understand how to maximize adoption and minimize disintermediation while maintaining architectural discipline and compliance.

Info-Tech Insight

Sometimes a brokerage delivery model makes sense, sometimes it doesn’t! Understanding the value addition you want your brokerage to provide before creating it allows you to not only avoid pitfalls and maximize benefits but also understand when a brokerage model does and doesn’t make sense in the first place.

Project Overview

Understand what value you want your brokerage to deliver

Different institutions want brokerage delivery for different reasons. It’s important to define up front why your users need to work through a brokerage and what value that brokerage needs to deliver.

What’s in the catalog? Is it there to consolidate and simplify billing and consumption? Or does it add value further up the technology stack or value chain? If so, how does that change the capabilities you need internally and from partners?

Security and compliance are usually the highest priority

Among institutions adopting cloud, a broker that can help deliver their defined security and compliance standards is an almost universal requirement. Especially in government institutions, this can mean the need to meet a high standard in both implementation and validation.

The good news is that even if you lack the complete set of skills in-house, the high certification levels available from hyperscale providers combined with a growing ecosystem of service providers working on these platforms means you can usually find the right partner(s) to make it possible.

The real goal: frictionless intermediation and enablement

Ultimately, if end users can’t get what they need from you, they will go around you to get it. This challenge, which has always existed in IT, is further amplified in a cloud service world that offers users a cornucopia of options outside the brokerage. Furthermore, cloud users expect to be able to consume IT seamlessly. Without frictionless satisfaction of user demand your brokerage will become disintermediated, which risks your highest priorities of security and compliance.

Understand the evolution: Info-Tech thought model

While initial adoption of cloud brokerages in institutions was focused on ensuring the ability of IT to extend its traditional role as gatekeeper to the realm of cloud services, the focus has now shifted upstream to enabling ease of use and smart adoption of cloud services. This is evidenced clearly in examples like the US government’s renaming of its digital strategy from “Cloud First” to “Cloud Smart” and has been mirrored in other regions and institutions.

Info-Tech Insights

To avoid failure, you need to provide security and compliance.

Basic user satisfaction means becoming a frictionless intermediary.

Exceed expectations! Enabling brokers provide knowledge and guidance for the best usage of cloud.

• Security & Compliance
• Frictionless Intermediation
• Cloud-Enabling Brokerage

Define the role of a cloud broker

Where do brokers fit in the cloud model?

• NIST Definition: An entity that manages the use, performance, and delivery of cloud services and negotiates relationships between cloud providers and cloud consumers.
• Similar to a telecom master agent, a cloud broker acts as the middle-person and end-user point of contact, consolidating the management of underlying providers.
• A government or institutional cloud broker (GCB) is responsible for the delivery of all cloud services consumed by the departments or agencies it supports or that are mandated to use it.

Balancing governance and agility

Info-Tech Insight

While GCBs fill a critical role as a control point for IT consumption, they can easily turn into a friction point for IT projects. It’s important to find the right balance between enabling compliance and providing frictionless usability.

Model brokerage drivers and benefits

Maintain compliance and ensure architecture discipline: Brokerages can be an effective gating point for ensuring properly governed and managed IT consumption that meets the specific regulations and compliances required for an institution. It can also be a strong catalyst and enabler for moving to even more effective cloud consumption through automation.

Avoid disintermediation: Especially in institutions, cloud brokers are a key tool in the fight against disintermediation – that is, end users circumventing your IT department’s procurement and governance by consuming an ad hoc cloud service.

Leverage economies of scale: Simply put, consolidation of your cloud consumption drives effectiveness by making the most of your buying power.

Info-Tech Insights

Understanding the importance of each benefit type to your brokerage audience will help you define the type of brokerage you need to build and what skills and partners will be required to deliver the right value.

The brokerage landscape

The past ten years have seen governments and institutions evolve from basic acceptance of cloud services to the usage of cloud as the core of most IT initiatives.

• As part of this evolution, many organizations now have well-defined standards and guidance for the implementation, procurement, and regulation of cloud services for their use.
• Both Canada (Strategic Plan for Information Management and Information Technology) and the United States (Cloud Smart – formerly known as Cloud First) have recently updated their guidance on adoption of cloud services. The Australian Government has also recently updated its Cloud Computing Policy.
• AWS and Azure both now claim Full FedRAMP (Federal Risk and Authorization Management Program) certification.
• This has not only enabled easy adoption of these core hyperscale cloud service by government but also driven the proliferation of a large ecosystem of FedRAMP-authorized cloud service providers.
• This trend started with government at the federal level but has cascaded downstream to provincial and municipal governments globally, and the same model seems likely to be adopted by other governments and other institution types over time.

Info-Tech Insight

The ecosystem of platforms and tools has grown significantly and examples of best practices, especially in government, are readily available. Once you’ve defined your brokerage’s value stance, the building blocks you need to deliver often don’t need to be built from scratch.

Address the unique challenges of business-led IT in institutions

With the business taking more accountability and management of their own technology, brokers must learn how to evolve from being gatekeepers to enablers.

Turn brokerage pitfalls into opportunities

The greatest risks in using a cloud broker come from its nature as a single point of distribution for service and support. Without resources (or automation) to enable scale, as well as responsive processes for supporting users in finding the right services and making those services available through the brokerage, you will lose alignment with your users’ needs, which inevitably leads to disintermediation, loss of IT control, and broken compliance

Info-Tech Insights

Standardization and automation are your friend when building a cloud brokerage! Sometimes this means having a flexible catalog of options and configurations, but great brokerages can deliver value by helping their users redefine and evolve their workloads to work more effectively in the cloud. This means providing guidance and facilitating the landing/transformation of users’ workloads in the cloud, the right way.

Validate your cloud brokerage strategy using Info-Tech’s approach

Value Definition

• Define your brokerage type and value addition

Capabilities Mapping

• Understand the partners and capabilities you need to be able to deliver

Measuring Value

• Define KPIs for both compliant delivery and frictionless intermediation

Provide Cloud Excellence

• Move from intermediation to enablement and help users land on the cloud the right way

Define the categories for your brokerage’s benefit and value

Depending on the type of brokerage, the value delivered may be as simple as billing consolidation, but many brokerages go much deeper in their value proposition.

Define the categories of brokerage value to add

• Purchasing Agents save the purchaser time by researching services from different vendors and providing the customer with information about how to use cloud computing to support business goals.
• Contract Managers may also be assigned power to negotiate contracts with cloud providers on behalf of the customer. In this scenario, the broker may distribute services across multiple vendors to achieve cost-effectiveness, while managing the technical and procurement complexity of dealing with multiple vendors.
  • The broker may provide users with an application program interface (API) and user interface (UI) that hides any complexity and allows the customer to work with their cloud services as if they were being purchased from a single vendor. This type of broker is sometimes referred to as a cloud aggregator.
• Cloud Enablers can also provide the customer with additional services, such as managing the deduplication, encryption, and cloud data transfer and assisting with data lifecycle management and other activities.
• Cloud Customizers integrate various underlying cloud services for customers to provide a custom offering under a white label or its own brand.
• Cloud Agents are essentially the software version of a Contract Manager and act by automating and facilitating the distribution of work between different cloud service providers.

Info-Tech Insights

Remember that these categories are general guidelines! Depending on the requirements and value a brokerage needs to deliver, it may fit more than one category of broker type.

Brokerage types and value addition

Info-Tech Insights

Each value addition your brokerage invests in delivering should tie to reinforcing efficiency, compliance, frictionlessness, or enablement.

Start by delivering value in these common brokerage service categories

Security & Compliance

• Reporting & Auditing
• SIEM & SOC Services
• Patching & Monitoring

Cost Management

• Right-Sizing
• Billing Analysis
• Anomaly Detection & Change Recommendations

Data Management

• Data Tiering
• Localization Management
• Data Warehouse/Lake Services

Resilience & Reliability

• Backup & Archive
• Replication & Sync
• DR & HA Management
• Ransomware Prevention/Mitigation

Cloud-Native & DevOps Enablement

• Infrastructure as Code (IaC)
• DevOps Tools & Processes
• SDLC Automation Tools

Design, Transformation, and Integration

• CDN Integration
• AI Tools Integration
• SaaS Customizations

Activity: Brokerage value design

Who are you and who are you building this for?

• Internal brokerage (i.e. you are a department in an organization that is tasked with providing IT resources to other internal groups)
  • No profit motivation
  • Primary goal is to maintain compliance and avoid disintermediation
• Third-party brokerage (i.e. you are an MSP that needs to build a brokerage to provide a variety of downstream services and act as the single point of consumption for an organization)
  • Focus on value-addition to the downstream services you facilitate for your client
  • Increased requirement to quickly add new partners/services from downstream as required by your client

What requirements and pains do you need to address?

• Remember that in the world of cloud, users ultimately can go around IT to find the resources and tools they want to use. In short, if you don’t provide ease and value, they will get it somewhere else.
• Assess the different types of cloud brokerages out there as a guide to what sort of value you want to deliver.

Why are you creating a brokerage? There are several categories of driver and more than one may apply.

• Compliance and security gating/validation
• Cost consolidation and governance
• Value-add or feature enhancement of raw/downstream services being consumed

It’s important to clearly understand how best you can deliver unique value to ensure that they want to consume from you.

Understand the ecosystem you’ll require to deliver value

GCB

• Enabling Effectiveness
• Cost Governance
• Adoption and User Satisfaction
• Security & Compliance

Whatever value proposition and associated services your brokerage has defined, either internal resources or additional partners will be required to run the platform and processes you want to offer on top of the defined base cloud platforms.

Info-Tech Insights

Remember to always align your value adds and activities to the four key themes:

• Efficiency
• Compliance
• Frictionlessness
• Cloud Enablement

Delivering value may require an ecosystem

The additional value your broker delivers will depend on the tools and services you can layer on top of the base cloud platform(s) you support.

In many cases, you may require different partners to fulfil similar functions across different base platforms. Although this increases complexity for the brokerage, it’s also a place where additional value can be delivered to end users by your role as a frictionless intermediary.

Base Partner/Platform

• Third-party software & platforms
• Third-party automations & integrations
• Third-party service partners
• Internal value-add functions

Build the ecosystem you need for your value proposition

Leverage partners and automation to bake compliance in.

Different value-add types (based on the category/categories of broker you’re targeting) require different additional platforms and partners to augment the base cloud service you’re brokering.

Security & Config

• IaC Tools
• Cloud Resource Configuration Validation
• Templating Tools
• Security Platforms
• SDN and Networking Platforms
• Resilience (Backup/Replication/DR/HA) Platforms
• Data & Storage Management
• Compliance and Validation Platforms & Partners

Cost Management

• Subscription Hierarchy Management
• Showback and Chargeback Logic
• Cost Dashboarding and Thresholding
• Governance and Intervention

Adoption & User Satisfaction

• Service Delivery SLAs
• Support Process & Tools
• Capacity/Availability Management
• Portal Usability/UX

Speed of Evolution

• Partner and Catalog/Service Additions
• Broker Catalog Roadmapping
• User Request Capture (new services)
• User Request Capture (exceptions)

Build your features and services lists

Incorporate your end user, business, and IT perspectives in defining the list of mandatory and desired features of your target solution.

See our Implement a Proactive and Consistent Vendor Selection Process blueprint for information on procurement practices, including RFP templates.

End User

• Visual, drag-and-drop models to define data models, business logic, and user interfaces
• One-click deployment
• Self-healing application
• Vendor-managed infrastructure
• Active community and marketplace
• Prebuilt templates and libraries
• Optical character recognition and natural language processing

Business

• Audit and change logs
• Theme and template builder
• Template management
• Knowledgebase and document management
• Role-based access
• Business value, operational costs, and other KPI monitoring
• Regulatory compliance
• Consistent design and user experience across applications
• Business workflow automation

IT

• Application and system performance monitoring
• Versioning and code management
• Automatic application and system refactoring and recovery
• Exception and error handling
• Scalability (e.g. load balancing) and infrastructure management
• Real-time debugging
• Testing capabilities
• Security management
• Application integration management

Understand the stakeholders

Depending on the value-add(s) you are trying to deliver, as well as the requirements from your institution(s), you will have a different delineation of responsibilities for each of the value-add dimensions. Typically, there will be at least three stakeholders whose role needs to be considered for each dimension:

• Base Cloud Provider
• Third-Party Platforms/Service Providers
• Internal Resources

Info-Tech Insights

It’s important to remember that the ecosystem of third-party options available to you in each case will likely be dependent on if a given partner operates or supports your chosen base provider.

Define the value added by each stakeholder in your value chain

A basic table of the stakeholders and platforms involved in your value stream is a critical tool for aligning activities and partners with brokerage value.

Remember to tie each value-add category you’re embarking on to at least one of the key themes!

Cost Governance → Efficiency

Security & Compliance → Compliance

Adoption & User Satisfaction → Frictionlessness

New Service Addition Responsiveness → Frictionlessness, Enablement

End-User Cloud Effectiveness → Enablement

Info-Tech Insights

The expectations for how applications are consumed and what a user experience should look like is increasingly being guided by the business and by the disintermediating power of the cloud-app ecosystem.

“Enabling brokers” help embrace business-led IT

In environments where compliance and security are a must, the challenges of handing off application management to the business are even more complex. Great brokers learn to act not just as a gatekeeper but an enabler of business-led IT.

Business Empowerment

Organizations are looking to enhance their Agile and BizDevOps practices by shifting traditional IT practices left and toward the business.

Changing Business Needs

Organizational priorities are constantly changing. Cost reduction opportunities and competitive advantages are lost because of delayed delivery of features.

Low Barrier to Entry

Low- and no-code development tools, full-stack solutions, and plug-and-play architectures allow non-technical users to easily build and implement applications without significant internal technical support or expertise.

Democratization of IT

A wide range of digital applications, services, and information are readily available and continuously updated through vendor and public marketplaces and open-source communities.

Technology-Savvy Business

The business is motivated to learn more about the technology they use so that they can better integrate it into their processes.

Balance usability and compliance: accelerate cloud effectiveness

Move to being an accelerator and an enabler! Rather than creating an additional layer of complexity, we can use the abstraction of a cloud brokerage to bring a wide variety of value-adds and partners into the ecosystem without increasing complexity for end users.

Manage the user experience

• Your portal is a great source of data for optimizing user adoption and satisfaction.
• Understand the KPIs that matter to your clients or client groups from both a technical and a service perspective.

Be proactive and responsive in meeting changing needs

• Determine dashboard consumption by partner view.
• Regularly review and address the gaps in your catalog.
• Provide an easy mechanism for adding user-demanded services.

Think like a service provider

• You do need to be able to communicate and even market internally new services and capabilities as you add them or people won't know to come to you to use them.
• It's also critical in helping people move along the path to enablement and knowing what might be possible that they hadn't considered.

Provide cloud excellence functions

Enablement Broker

• Mentorship & Training
  • Build the skills, knowledge, and experiences of application owners and managers with internal and external expertise.
• Organizational Change Leadership
  • Facilitate cultural, governance, and other organizational changes through strong relationships with business and IT leadership.
• Good Delivery Practices & Thinking
  • Develop, share, and maintain a toolkit of good software development lifecycle (SDLC) practices and techniques.
• Knowledge Sharing
  • Centralize a knowledgebase of up-to-date and accurate documentation and develop community forums to facilitate knowledge transfer.
• Technology Governance & Leadership
  • Implement the organizational standards, policies, and rules for all applications and platforms and coordinate growth and sprawl.
• Shared Services & Integrations
  • Provide critical services and integrations to support end users with internal resources or approved third-party providers and partners.

Gauge value with the right metrics

Focus your effort on measuring key metrics.

Determine measures that demonstrate the value of your brokerage by aligning it with your quality definition, value drivers, and users’ goals and objectives. Recognize that your journey will require constant monitoring and refinement to adjust to situations that may arise as you adopt new products, standards, strategies, tactics, processes, and tools.

Activity Output

Ultimately, the goal is designing a brokerage that can evolve from gatekeeping to frictionless intermediation to cloud enablement.

Maintain focus on the value proposition, your brokerage ecosystem, and the metrics that represent enablement for your users and avoid pitfalls and challenges from the beginning.

Appendix

Related blueprints and tools

Document Your Cloud Strategy

This blueprint covers aligning your value proposition with general cloud requirements.

Define Your Digital Business Strategy

Phase 1 of this research covers identifying value chains to be transformed.

Embrace Business-Managed Applications

Phase 1 of this research covers understanding the business-managed applications as a factor in developing a frictionless intermediary model.

Implement a Proactive and Consistent Vendor Selection Process

This blueprint provides information on partner selection and procurement practices, including RFP templates.

Bibliography

“3 Types of Cloud Brokers That Can Save the Cloud.” Cloud Computing Topics, n.d. Web.

Australian Government Cloud Computing Policy. Government of Australia, October 2014. Web.

“Cloud Smart Policy Overview.” CIO.gov, n.d. Web.

“From Cloud First to Cloud Smart.” CIO.gov, n.d. Web.

Gardner, Dana. “Cloud brokering: Building a cloud of clouds.” ZDNet, 22 April 2011. Web.

Narcisi, Gina. “Cloud, Next-Gen Services Help Master Agents Grow Quickly And Beat 'The Squeeze' “As Connectivity Commissions Decline.” CRN, 14 June 2017. Web.

Smith, Spencer. “Asigra calls out the perils of cloud brokerage model.” TechTarget, 28 June 2019. Web.

Tan, Aaron. “Australia issues new cloud computing guidelines.” TechTarget, 27 July 2020. Web.

The European Commission Cloud Strategy. ec.europa.eu, 16 May 2019. Web.

“TrustRadius Review: Cloud Brokers 2022.” TrustRadius, 2022. Web.

Yedlin, Debbie. “Pros and Cons of Using a Cloud Broker.” Technology & Business Integrators, 17 April 2015. Web.

Build an IT Risk Taxonomy

If integrated risk is your destination, your IT risk taxonomy is the road to get you there.

Analyst Perspective

The pace and uncertainty of the current business environment introduce new and emerging vulnerabilities that can disrupt an organization’s strategy on short notice. Having a long-term view of risk while navigating the short term requires discipline and a robust and strategic approach to risk management. Managing emerging risks such as climate risk, the impact of digital disruption on internal technology, and the greater use of third parties will require IT leaders to be more disciplined in how they manage and communicate material risks to the enterprise. Establishing a hierarchical common language of IT risks through a taxonomy will facilitate true aggregation and integration of risks, enabling more effective decision making. This holistic, disciplined approach to risk management helps to promote a more sustainable risk culture across the organization while adding greater rigor at the IT control level. Donna Bales Principal Research Director Info-Tech Research Group

Executive Summary

Info-Tech Insight

A common understanding of risks, threats, and opportunities gives organizations the flexibility and agility to adapt to changing business conditions and drive corporate value.

Increasing threat landscape

The risk landscape is continually evolving, putting greater pressure on the risk function to work collaboratively throughout the organization to strengthen operational resilience and minimize strategic, financial, and reputational impact.

Persistent and emerging threats

Organizations should not underestimate the long-term impact on corporate performance if emerging risks are not fully understood, controlled, and embedded into decision-making.

Blueprint benefits

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

IT Risk Taxonomy Committee Charter Template Create a cross-functional IT risk taxonomy committee.		Build an IT Risk Taxonomy Guideline Use IT risk taxonomy as a baseline to build your organization’s approach.
Build an IT Risk Taxonomy Design Template Use this template to design and test your taxonomy.		Risk Register Tool Update your risk register with your IT risk taxonomy.

Key deliverable:

Build an IT Risk Taxonomy Workbook

Use the tools and activities in each phase of the blueprint to customize your IT risk taxonomy to suit your organization’s needs.

Benefit from industry-leading best practices

As a part of our research process, we used the COSO, ISO 31000, and COBIT 2019 frameworks. Contextualizing IT risk management within these frameworks ensures that our project-focused approach is grounded in industry-leading best practices for managing IT risk.

Info-Tech offers various levels of support to best suit your needs

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

A Guided Implementation (GI) is a series

of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is 6 to 8 calls over the course of 3 to 6 months.

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

Phase 1

Understand Risk Management Fundamentals

Governance, risk, and compliance (GRC)

Risk management is one component of an organization’s GRC function.

GRC principles are important tools to support enterprise management.

Governance sets the guardrails to ensure that the enterprise is in alignment with standards, regulations, and board decisions. A governance framework will communicate rules and expectations throughout the organization and monitor adherence.

Risk management is how the organization protects and creates enterprise value. It is an integral part of an organization’s processes and enables a structured decision-making approach.

Compliance is the process of adhering to a set of guidelines; these could be external regulations and guidelines or internal corporate policies.

GRC principles are tightly bound and continuous

Enterprise risk management

Regardless of size or structure, every organization makes strategic and operational decisions that expose it to uncertainties.

Enterprise risk management (ERM) is a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio (RIMS).

An ERM is program is crucial because it will:

• Help shape business objectives, drive revenue growth, and execute risk-based decisions.
• Enable a deeper understanding of risks and assessment of current risk profile.
• Support forward-looking risk management and more constructive dialogue with the board and regulatory agencies.
• Provide insight on the robustness and efficacy of risk management processes, tools, and controls.
• Drive a positive risk culture.

ERM is supported by strategy, effective processes, technology, and people

Risk frameworks

Risk frameworks are leveraged by the industry to “provide a structure and set of definitions to allow enterprises of all types and sizes to understand and better manage their risk environments.” COSO Enterprise Risk Management, 2nd edition

• Many organizations lean on the Committee of Sponsoring Organizations’ Enterprise Risk Management framework (COSO ERM) and ISO 31000 to view organizational risks from an enterprise perspective.
• Prior to the introduction of standardized risk frameworks, it was difficult to quantify the impact of a risk event on the entire enterprise, as the risk was viewed in a silo or as an individual risk component.
• Recently, the National Institute of Science and Technology (NIST) published guidance on developing an enterprise risk management approach. The guidance helps to bridge the gap between best practices in enterprise risk management and processes and control techniques that cybersecurity professionals use to meet regulatory cybersecurity risk requirements.

Source: National Institute of Standards and Technology

New NIST guidance (NISTIR 8286) emphasizes the complexity of risk management and the need for the risk management process to be carried out seamlessly across three tiers with the overall objective of continuous improvement.

Enterprise risk appetite

“The amount of risk an organization is willing to take in pursuit of its objectives”

– Robert R. Moeller, COSO ERM Framework Model

• A primary role of the board and senior management is to balance value creation with effectively management of enterprise risks.
• As part of this role, the board will approve the enterprise’s risk appetite. Placing this responsibility with the board ensures that the risk appetite is aligned with the company’s strategic objectives.
• The risk appetite is used throughout the organization to assess and respond to individual risks, acting as a constant to make sure that risks are managed within the organization’s acceptable limits.
• Each year, or in reaction to a risk trigger, the enterprise risk appetite will be updated and approved by the board.
• Risk appetite will vary across organizations for several reasons, such as industry, company culture, competitors, the nature of the objectives pursued, and financial strength.

Change or new risks » adjust enterprise risk profile » adjust risk appetite

Risk profile vs. risk appetite

Risk profile is the broad parameters an organization considers in executing its business strategy. Risk appetite is the amount of risk an entity is willing to accept in pursuit of its strategic objectives. The risk appetite can be used to inform the risk profile or vice versa. Your organization’s risk culture informs and is used to communicate both.

Where the IT risk appetite fits into the risk program

• Your organization’s strategy and associated risk appetite cascade down to each business department. Overall strategy and risk appetite also set a strategy and risk appetite for each department.
• Both risk appetite and risk tolerances set boundaries for how much risk an organization is willing or prepared to take. However, while appetite is often broad, tolerance is tactical and focused.
• Tolerances apply to specific objectives and provide guidance to those executing on a day-to-day basis. They measure the variation around performance expectations that the organization will tolerate.
• Ideally, they are incorporated into existing governance, risk, and compliance systems and are also considered when evaluated business cases.
• IT risk appetite statements are based on IT level 1 risk types.

The risk appetite has a risk lens but is also closely linked to corporate performance.

Statements of risk

Risk scenarios

Risk scenarios serve two main purposes: to help decision makers understand how adverse events can affect organizational strategy and objectives and to prepare a framework for risk analysis by clearly defining and decomposing the factors contributing to the frequency and the magnitude of adverse events.

ISACA

• Organizations’ pervasive use of and dependency on technology has increased the importance of scenario analysis to identify relevant and important risks and the potential impacts of risk events on the organization if the risk event were to occur.
• Risk scenarios provide “what if” analysis through a structured approach, which can help to define controls and document assumptions.
• They form a constructive narrative and help to communicate a story by bringing in business context.
• For the best outcome, have input from business and IT stakeholders. However, in reality, risk scenarios are usually driven by IT through the asset management practice.
• Once the scenarios are developed, they are used during the risk analysis phase, in which frequency and business impacts are estimated. They are also a useful tool to help the risk team (and IT) communicate and explain risks to various business stakeholders.

Top-down approach – driven by the business by determining the business impact, i.e. what is the impact on my customers, reputation, and bottom line if the system that supports payment processing fails?

Bottom-up approach – driven by IT by identifying critical assets and what harm could happen if they were to fail.

Example risk scenario

Use level 1 IT risks to derive potential scenarios.

Phase 2

Set Your Organization Up for Success

This phase will walk you through the following activities:

• How to set up a cross-functional IT risk taxonomy committee

This phase involves the following participants:

• CIO
• CISO
• CRO
• IT Risk Owners
• Business Leaders
• Human Resources

What is a risk taxonomy?

A risk taxonomy provides a common risk view and enables integrated risk

• A risk taxonomy is the (typically hierarchical) categorization of risk types. It is constructed out of a collection of risk types organized by a classification scheme.
• Its purpose is to assist with the management of an organization’s risk by arranging risks in a classification scheme.
• It provides foundational support across the risk management lifecycle in relation to each of the key risks.
• More material risk categories form the root nodes of the taxonomy, and risk types cascade into more granular manifestations (child nodes).
• From a risk management perspective, a taxonomy will:
  • Enable more effective risk aggregation and interoperability.
  • Provide the organization with a complete view of risks and how risks might be interconnected or concentrated.
  • Help organizations form a robust control framework.
  • Give risk managers a structure to manage risks proactively.

Typical Tree Structure

What is integrated risk management?

• Integrated risk management is the process of ensuring all forms of risk information, including risk related to information and technology, are considered and included in the organization’s risk management strategy.
• It removes the siloed approach of classifying risks related to specific departments or areas of the organization, recognizing that each risk is a potential threat to the overarching enterprise.
• By aggregating the different threats or uncertainty that might exist within an organization, integrated risk management enables more informed decisions to be made that align to strategic goals and continue to drive value back to the business.
• By holistically considering the different risks, the organization can make informed decisions on the best course of action that will reduce any negative impacts associated with the uncertainty and increase the overall value.

Integrated risk management: A strategic and collaborative way to manage risks across the organization. It is a forward-looking, business-specific outlook with the objective of improving risk visibility and culture.

Drivers and benefits of integrated risk

Drivers for Integrated Risk Management

• Business shift to digital experiences
• The breadth and number of risks requiring oversight
• The need for faster risk analysis and decision making

Benefits of Integrated Risk Management

• Enables better scenario planning
• Enables more proactive risk responses
• Provides more relevant risk assurance to key stakeholders
• Improves transparency and comparability of risks across organizational silos
• Supports better financial resilience

Business velocity and complexity are making real-time risk management a business necessity.

If integrated risk is the destination, your taxonomy is your road to get you there

Info-Tech’s Model for Integrated Risk

How the risk practices intersect

The risk taxonomy provides a common classification of risks that allows risks to roll up systematically to enterprise risk, enabling more effective risk responses and more informed decision making.

ERM taxonomy

Relative to the base event types, overall there is an increase in the number of level 1 risk types in risk taxonomies

Oliver Wyman

• The changing risk profile of organizations and regulatory focus in some industries is pushing organizations to rethink their risk taxonomies.
• Generally, the expansion of level 1 risk types is due to the increase in risk themes under the operational risk umbrella.
• Non-financial risks are risks that are not considered to be traditional financial risks, such as operational risk, technology risk, culture, and conduct. Environmental, social, and governance (ESG) risk is often referred to as a non-financial risk, although it can have both financial and non-financial implications.
• Certain level 1 ERM risks, such as strategic risk, reputational risk, and ESG risk, cover both financial and non-financial risks.

Operational resilience

• The concept of operational resiliency was first introduced by European Central Bank (ECB) in 2018 as an attempt to corral supervisory cooperation on operational resiliency in financial services.
• The necessity for stronger operational resiliency became clear during the early stages of COVID-19 when many organizations were not prepared for disruption, leading to serious concern for the safety and soundness of the financial system.
• It has gained traction and is now defined in global supervisory guidance. Canada’s prudential regulator, Office of the Superintendent of Financial Institutions (OSFI), defines it as “the ability of a financial institution to deliver its operations, including its critical operations, through disruption.”
• Practically, its purpose is to knit together several operational risk management categories such as business continuity, security, and third-party risk.
• The concept has been adopted by information and communication technology (ICT) companies, as technology and cyber risks sit neatly under this risk type.
• It is now not uncommon to see operational resiliency as a level 1 risk type in a financial institution’s ERM framework.

Operational resilience will often feature in ERM frameworks in organizations that deliver critical services, products, or functions, such as financial services

ERM level 1 risk categories

Although many organizations have expanded their enterprise risk management taxonomies to address new threats, most organizations will have the following level 1 risk types:

Different models of ERM

Some large organizations will elevate certain operational risks to level 1 organizational risks due to risk materiality.

Every organization will approach its risk management taxonomy differently; the number of level 1 risk types will vary and depend highly on perceived impact.

Some of the reasons why an organization would elevate a risk to a level 1 ERM risk are:

• The risk has significant impact on the organization's strategy, reputation, or financial performance.
• The regulator has explicitly called out board oversight within legislation.
• It is best practice in the organization’s industry or business sector.
• The organization has structured its operations around a particular risk theme due to its potential negative impact. For example, the organization may have a dedicated department for data privacy.

Risk and impact

Mapping risks to business outcomes happens within the ERM function and by enterprise fiduciaries.

• When mapping risk events to enterprise risk types, the relationship is rarely linear. Rather, risk events typically will have multiple impacts on the enterprise, including strategic, reputational, ESG, and financial impacts.
• As risk information is transmitted from lower levels, it informs the next level, providing the appropriate information to prioritize risk.
• In the final stage, the enterprise portfolio view will reflect the enterprise impacts according to risk dimensions, such as strategic, operational, reporting, and compliance.

Rolling Up Risks to a Portfolio View

1. A risk event within IT will roll up to the enterprise via the IT risk register.
2. The impact of the risk on cash flow and operations will be aggregated and allocated in the enterprise risk register by enterprise fiduciaries (e.g. CFO).
3. The impacts are translated into full value exposures or modified impact and likelihood assessments.

Common challenges

How to synthesize different objectives between IT risk and enterprise risk

Commingling risk data is a major challenge when developing a risk taxonomy, but one of the underlying reasons is that the enterprise and IT look at risk from different dimensions.

Establish a team

Cross-functional collaboration is key to defining level 1 risk types.

Establish a cross-functional working group.

• Level 1 IT risk types are the most important to get right because they are the root nodes that all subtypes of risk cascade from.
• To ensure the root nodes (level 1 risk types) address the risks of your organization, it is vital to have a strong understanding or your organization’s value chain, so your organizational strategy is a key input for defining your IT level 1 risk types.
• Since the taxonomy provides the method for communicating risks to the people who need to make decisions, a wide understanding and acceptance of the taxonomy is essential. This means that multiple people across your organization should be involved in defining the taxonomy.
• Form a cross-functional tactical team to collaborate and agree on definitions. The team should include subject matter experts and leaders in key risk and business areas. In terms of governance structure, this committee might sit underneath the enterprise risk council, and members of your IT risk council may also be good candidates for this tactical working group.
• The committee would be responsible for defining the taxonomy as well as performing regular reviews.
• The importance of collaboration will become crystal clear as you begin this work, as risks should be connected to only one risk type.

2.1 Establish a cross-functional working group

2-3 hours

1. Consider your organization’s operating model and current governance framework, specifically any current risk committees.
2. Consider the members of current committees and your objectives and begin defining:
   1. Committee mandate, goals, and success factors.
   2. Responsibility and membership.
   3. Committee procedures and policies.
3. Make sure you define how this tactical working group will interact with existing committees.

Download Build an IT Risk Taxonomy Workbook

Phase 3

Structure Your IT Risk Taxonomy

This phase will walk you through the following activities:

• Establish level 1 risk types
• Test level 1 risk types
• Define level 2 and level 3 risk types
• Test the taxonomy via your control framework

This phase involves the following participants:

• CIO
• CISO
• CRO
• IT Risk Owners
• Business Leaders
• Human Resources

Structuring your IT risk taxonomy

Do’s

• Ensure your organization’s values are embedded into the risk types.
• Design your taxonomy to be forward looking and risk based.
• Make level 1 risk types generic so they can be used across the organization.
• Ensure each risk has its own attributes and belongs to only one risk type.
• Collaborate on and communicate your taxonomy throughout organization.

Don’ts

• Don’t develop risk types based on function.
• Don’t develop your taxonomy in a silo.

A successful risk taxonomy is forward looking and codifies the most frequently used risk language across your organization.

Level 1

Parent risk types aligned to organizational values

Level 2

Subrisks to level 1 risks

Level 3

Further definition

Steps to define your IT risk taxonomy

Step 1

Leverage Info-Tech’s Build an IT Risk Taxonomy Guideline and identify IT level 1 risk types. Consider corporate inputs and macro trends.

Step 2

Test level 1 IT risk types by mapping to your enterprise's ERM level 1 risk types.

Step 3

Draft your level 2 and level 3 risk types. Be mutually exclusive to the extent possible.

Step 4

Work backward – align risk events and controls to the lowest level risk category. In our examples, we align to level 3.

Step 5

Add risk levels to your risk registry.

Step 6

Optional – Add IT risk appetite statements to risk register.

Inputs to use when defining level 1

To help you define your IT risk taxonomy, leverage your organization’s strategy and risk management artifacts, such as outputs from risk assessments, audits, and test results. Also consider macro trends and potential risks unique to your organization.

Step 1 – Define Level 1 Risk Types

Use corporate inputs to help structure your taxonomy

• Corporate Strategy
• Risk Assessment
• Audit
• Test Results

Consider macro trends that may have an impact on how you manage IT risks

• Geopolitical Risk
• Economic Downturn
• Regulation
• Competition
• Climate Risk
• Industry Disruption

Evaluate from an organizational lens

Ask risk-based questions to help define level 1 IT risks for your organization.

Level 1 IT taxonomy structure

Step 2 – Consider your organization’s strategy and areas where risks may manifest and use this guidance to advance your thinking. Many factors may influence your taxonomy structure, including internal organizational structure, the size of your organization, industry trends and organizational context, etc.

Most IT organizations will include these level 1 risks in their IT risk taxonomy

Level 1 IT taxonomy structure cont'd

Step 2 – Large and more complex organizations may have more level 1 risk types. Variances in approaches are closely linked to the type of industry and business in which the organization operates as well as how they view and position risks within their organization.

Common challenges

Considerations when defining level 1 IT risk types

• Ultimately, the identification of a level 1 IT risk type will be driven by the potential for and materiality of vulnerabilities that may impede an organization from delivering successful business outcomes.
• Senior leaders within organizations play a central role in protecting organizations against vulnerabilities and threats.
• The size and structure of your organization will influence how you manage risk.
• The following slide shows typical roles and responsibilities for data privacy.
• Large enterprises and organizations that use a lot of personal identifiable information (PII) data, such as those in healthcare, financial services, and online retail, will typically have data as a level 1 IT risk and data privacy as a level 2 risk type.
• However, smaller organizations or organizations that do not use a lot of data will typically fold data privacy under either technology risk or security risk.

Deciding placement in taxonomy

• In larger enterprises, data risks are managed within a dedicated functional department with its own governance structure. In small organizations, the CIO is typically responsible and accountable for managing data privacy risk.

Common challenges

Defining security risk and where it resides in the taxonomy

• For risk management to be effective, risk professionals need to speak the same language, but the terms “information security,” “cybersecurity,” and “IT security” are often used interchangeably.
• Traditionally, cyber risk was folded under technology risk and therefore resided at a lower level of a risk taxonomy. However, due to heightened attention from regulators and boards stemming from the pervasiveness of cyber threats, some organizations are elevating security risks to a level 1 IT risk.
• Furthermore, regulatory cybersecurity requirements have emphasized control frameworks. As such, many organizations have adopted NIST because it is comprehensive, regularly updated, and easily tailored.
• While NIST is prescriptive and action oriented, it start with controls and does not easily integrate with traditional ERM frameworks. To address this, NIST has published new guidance focused on an enterprise risk management approach. The guidance helps to bridge the gap between best practices in enterprise risk management and processes and control techniques that cybersecurity professionals use to meet regulatory cybersecurity risk requirements.

Definitional Nuances

“Cybersecurity” describes the technologies, processes, and practices designed to protect networks, computers, programs, and data from attack, damage, or unauthorized access.

“IT security” describes a function as well as a method of implementing policies, procedures, and systems to defend the confidentiality, integrity, and availability of any digital information used, transmitted, or stored throughout the organization’s environment.

“Information security” defines the people, processes, and technology involved in protecting data (information) in any form – whether digital or on paper – through its creation, storage, transmission, exchange, and destruction.

3.1 Establish level 1 risk types

2-3 hours

1. Consider your current and future corporate goals and business initiatives, risk management artifacts, and macro industry trends.
2. Ask questions to understand risks unique to your organization.
3. Review Info-Tech’s IT level 1 risk types and identify the risk types that apply to your organization.
4. Add any risk types that are missing and unique to your organization.
5. Refine the definitions to suit your organization.
6. Be mutually exclusive and collectively exhaustive to the extent possible.

Download Build an IT Risk Taxonomy Workbook

3.2 Map IT risk types against ERM level 1 risk types

1-2 hours

1. Using the output from Activity 3.1, map your IT risk types to your ERM level 1 risk types.
2. Record in the Build an IT Risk Taxonomy Workbook.

Download Build an IT Risk Taxonomy Workbook

Map IT level 1 risk types to ERM

Test your level 1 IT risk types by mapping to your organization’s level 1 risk types.

Step 2 – Map IT level 1 risk types to ERM

3.3 Establishing level 2 and 3 risk types

3-4 hours

1. Using the level 1 IT risk types that you have defined and using Info-Tech’s Risk Taxonomy Guideline, first begin to identify level 2 risk types for each level 1 type.
2. Be mutually exclusive and collectively exhaustive to the extent possible.
3. Once satisfied with your level 2 risk types, break them down further to level 3 risk types.

Note: Smaller organizations may only define two risk levels, while larger organizations may define further to level 4.

Download Build an IT Risk Taxonomy Design Template

Level 2 IT taxonomy structure

Step 3 – Break down your level 1 risk types into subcategories. This is complicated and may take many iterations to reach a consistent and accepted approach. Try to make your definitions intuitive and easy to understand so that they will endure the test of time.

Security vulnerabilities often surface through third parties, but where and how you manage this risk is highly dependent on how you structure your taxonomy. Organizations with a lot of exposure may have a dedicated team and may manage and report security risks under a level 1 third-party risk type.

Level 3 IT taxonomy structure

Step 3 – Break down your level 2 risk types into lower-level subcategories. The number of levels of risk you have will depend on the size of and magnitude of risks within your organization. In our examples, we demonstrate three levels.

Risk taxonomies for smaller organizations may only include two risk levels. However, large enterprises or more complex organizations may extend their taxonomy to level 3 or even 4. This illustration shows just a few examples of level 3 risks.

Test using risk events and controls

Ultimately risk events and controls need to roll up to level 1 risks in a consistent manner. Test the robustness of your taxonomy by working backward.

Step 4 – Work backward to test and align risk events and controls to the lowest level risk category.

• A key function of IT risk management is to monitor and maintain internal controls.
• Internal controls help to reduce the level of inherent risk to acceptable levels, known as residual risk.
• As risks evolve, new controls may be needed to upgrade protection for tech infrastructure and strengthen connections between critical assets and third-party suppliers.

Example – Third Party Risk

3.4 Test your IT taxonomy

2-3 hours

1. Leveraging the output from Activities 3.1 to 3.3 and your IT Risk Taxonomy Design Template, begin to test the robustness of the taxonomy by working backward from controls to level 1 IT risks.
2. The lineage should show clearly that the control will mitigate the impact of a realized risk event. Refine the control or move the control to another level 1 risk type if the control will not sufficiently reduce the impact of a realized risk event.
3. Once satisfied, update your risk register or your risk management software tool.

Download Build an IT Risk Taxonomy Design Template

Update risk register

Step 5 – Once you are satisfied with your risk categories, update your risk registry with your IT risk taxonomy.

Use Info-Tech’s Risk Register Tool or populate your internal risk software tool.

Download Info-Tech’s Risk Register Tool

Augment the risk event list using COBIT 2019 processes (Optional)

Other industry-leading frameworks provide alternative ways of conceptualizing the functions and responsibilities of IT and may help you uncover additional risk events.

1. Managed IT Management Framework
2. Managed Strategy
3. Managed Enterprise Architecture
4. Managed Innovation
5. Managed Portfolio
6. Managed Budget and Costs
7. Managed Human Resources
8. Managed Relationships
9. Managed Service Agreements
10. Managed Vendors
11. Managed Quality
12. Managed Risk
13. Managed Security
14. Managed Data
15. Managed Programs
16. Managed Requirements Definition
17. Managed Solutions Identification and Build
18. Managed Availability and Capacity
19. Managed Organizational Change Enablement
20. Managed IT Changes
21. Managed IT Change Acceptance and Transitioning
22. Managed Knowledge
23. Managed Assets
24. Managed Configuration
25. Managed Projects
26. Managed Operations
27. Managed Service Requests and Incidents
28. Managed Problems
29. Managed Continuity
30. Managed Security Services
31. Managed Business Process Controls
32. Managed Performance and Conformance Monitoring
33. Managed System of Internal Control
34. Managed Compliance with External Requirements
35. Managed Assurance
36. Ensured Governance Framework Setting and Maintenance
37. Ensured Benefits Delivery
38. Ensured Risk Optimization
39. Ensured Resource Optimization
40. Ensured Stakeholder Engagement

Example IT risk appetite

When developing your risk appetite statements, ensure they are aligned to your organization’s risk appetite and success can be measured.

3.5 Draft your IT risk appetite statements

Optional Activity

2-3 hours

1. Using your completed taxonomy and your organization’s risk appetite statement, draft an IT risk appetite statement for each level 1 risk in your workbook.
2. Socialize the statements and gain approval.
3. Add the approved risk appetite statements to your IT risk register.

Download Build an IT Risk Taxonomy Workbook

Key takeaways and next steps

• The risk taxonomy is the backbone of a robust enterprise risk management program. A good taxonomy is frequently used and well understood.
• Not only is the risk taxonomy used to assess organizational impact, but it is also used for risk reporting, scenarios analysis and horizon scanning, and risk appetite expression.
• It is essential to capture IT risks within the ERM framework to fully understand the impact and allow for consistent risk discussions and meaningful aggregation.
• Defining an IT risk taxonomy is a team sport, and organizations should strive to set up a cross-functional working group that is tasked with defining the taxonomy, monitoring its effectiveness, and ensuring continual improvement.
• The work does not end when the taxonomy is complete. The taxonomy should be well socialized throughout the organization after inception through training and new policies and procedures. Ultimately, it should be an activity embedded into risk management practices.
• The taxonomy is a living document and should be continually improved upon.

3.6 Prepare to communicate the taxonomy internally

1-2 hours

To gain acceptance of your risk taxonomy within your organization, ensure it is well understood and used throughout the organization.

1. Consider your audience and agree on the key elements you want to convey.
2. Prepare your presentation.
3. Test your presentation with a smaller group before communicating to senior leadership or the board.

Coming soon: Look for our upcoming research Communicate Any IT Initiative.

Related Info-Tech Research

Build an IT Risk Management Program

• Use this blueprint to transform your ad hoc risk management processes into a formalized ongoing program and increase risk management success.
• Learn how to take a proactive stance against IT threats and vulnerabilities by identifying and assessing IT’s greatest's risks before they occur.

Integrate IT Risk Into Enterprise Risk

• Use this blueprint to understand gaps in your organization’s approach to risk management.
• Learn how to integrate IT risks into the foundational risk practice

Coming Soon: Communicate Any IT initiative

• Use this blueprint to compose an easy-to-understand presentation to convey the rationale of your initiative and plan of action.
• Learn how to identify your target audience and tailor and deliver the message in an authentic and clear manner.

Risk definitions

Risk definitions

Research Contributors and Experts

LynnAnn Brewer
Director
McLean & Company

Sandi Conrad
Principal Research Director
Info-Tech Research Group

Valence Howden
Principal Research Director
Info-Tech Research Group

John Kemp
Executive Counsellor – Executive Services
Info-Tech Research Group

Brittany Lutes
Research Director
Info-Tech Research Group

Carlene McCubbin
Practice Lead – CIO Practice
Info-Tech Research Group

Frank Sargent
Senior Workshop Director
Info-Tech Research Group

Frank Sewell
Advisory Director
Info-Tech Research Group

Ida Siahaan
Research Director
Info-Tech Research Group

Steve Willis
Practice Lead – Data Practice
Info-Tech Research Group

Bibliography

Andrea Tang, “Privacy Risk Management”. ISACA Journal, June 2020, Accessed January 2023
Anthony Kruizinga, “Reshaping the risk taxonomy”. PwC, April 2021, Accessed January 2023
Auditboard, "The Essentials of Integrated Risk Management (IRM)", June 2022, Accessed January 2023
Brenda Boultwood, “How to Design an ERM-Friendly Risk Data Architecture”. Global Association of Risk Professionals, February 2020, Accessed January 2023
BSI Standards Publication, "Risk Management Guidelines", ISO 31000, 2018
Dan Swinhoe, "What is Physical Security, How to keep your facilities and devices safe from onsite attackers", August 2021, Accessed January 2023
Eloise Gratton, “Data governance and privacy risk in Canada: A checklist for boards and c-suite”. Borden Ladner Gervais, November 2022 , Accessed January 2023
European Union Agency for Cyber Security Glossary
European Banking Authority, "Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP)", September 2017, Accessed February 2023
European Banking Authority, "Regulatory Framework for Mitigating Key Resilient Risks", Sept 2018, Accessed February 2023
EY, "Seeking stability within volatility: How interdependent risks put CROs at the heart of the banking business", 12th annual EY/IFF global bank risk management survey, 2022, Accessed February 2023
Financial Stability Board, "Cyber Lexicon", November 2018, Accessed February 2023
Financial Stability Board, "Principles for Effective Risk Appetite Framework", November 2013, Accessed January 2023
Forbes Technology Council, "14 Top Data Security Risks Every Business Should Address", January 2020, Accessed January 2023
Frank Martens, Dr. Larry Rittenberg, "COSO, Risk Appetite Critical for Success, Using Risk Appetite to Thrive in a Changing World", May 2020, Accessed January 2023
Gary Stoneurmer, Alice Goguen and Alexis Feringa, "NIST, Risk Management Guide for Information Technology Systems", Special Publication, 800-30, September 2012, Accessed February 2023
Guy Pearce, "Real-World Data Resilience Demands and Integrated Approach to AI, Data Governance and the Cloud", ISACA Journal, May 2022
InfoTech Tech Trends Report, 2023
ISACA, "Getting Started with Risk Scenarios", 2022, Accessed February 2023
James Kaplan, "Creating a technology risk and cyber risk appetite framework," McKinsey & Company, August 2022, Accessed February 2023
Jean-Gregorie Manoukian, Wolters Kluwer, "Risk appetite and risk tolerance: what’s the difference?", Sept 2016, Accessed February 2023
Jennifer Bayuk, “Technology’s Role in Enterprise Risk Management”, ISACA Journal, March 2018, Accessed in February 2023
John Thackeray, "Global Association of Risk Professionals, 7 Key Elements of Effective ERM", January 2020, Accessed January 2023
KPMG, "Regulatory rigor: Managing technology and cyber risk, How FRFI’s can achieve outcomes laid out in OSFI B-13", October 2022, Accessed January 2023
Marc Chiapolino et al, “Risk and resilience priorities, as told by chief risk officers”, McKinsey and Company, December 2022, Accessed January 2023
Mike Rost, Workiva, "5 Steps to Effective Strategic Management", Updated February 2023. Accessed February 2023
NIST, "Risk Management Framework for Information Systems and Organization, The System Life Cycle Approach for Security and Privacy," December 2018, Accessed February 2023
NIST, NISTIR, "Integrating CyberSecurity and Enterprise Risk", October 2020, Accessed February 2023
Oliver Wyman, "The ORX Reference Taxonomy for operational and non-financial risk summary report", 2019, Accessed February 2023.
Office of the Superintendent of Financial Institutions, "Operational Resilience Consultation Results Summary", December 2021, Accessed January 2023
Open Risk Manual, Risk Taxonomy Definitions
Ponemon. "Cost of a Data Breach Report 2021." IBM, July 2021. Web.
Protiviti, "Executive Perspectives on Top Risks, 2023 & 2032, Key Issues being discussed in the boardroom and c-suite", February 2023, Accessed February 2023
RIMS, ISACA, "Bridging the Digital Gap, How Collaboration Between IT and Risk Management can Enhance Value Creation", September 2019, Accessed February 2023
Robert, R. Moeller, "COSO, Enterprise Risk Management, Second Edition, 2011", Accessed February 2023
Robert Putrus, "Effective Reporting to the BoD on Critical Assets, Cyberthreats and Key Controls: The Qualitative and Quantitative Model", ISACA Journal, January 2021, Accessed January 2023
Ron Brash, "Prioritizing Asset Risk Management in ICS Security", August 2020, Accessed February 2023
Ronald Van Loon, "What is Data Culture and How to Implement it?", November 2023, Accessed February 2023
SAS, "From Crisis to Opportunity, Redefining Risk Management", 2021Accessed January 2023
Satori, Cloudian, "Data Protection and Privacy: 12 Ways to Protect User Data", Accessed January 2023
Spector Information Security, "Building your Asset and Risk Register to Manage Technology Risk", November 2021, Accessed January 2023
Talend, "What is data culture", Accessed February 2023
Tom Schneider, "Managing Cyber Security Risk as Enterprise Risk", ISACA Journal, September 2022, Accessed February 2023
Tony Martin –Vegue, "How to Write Strong Risk Scenarios and Statements", ISACA Journal, September 2021, Accessed February 2023
The Wall Street Journal, "Making Data Risk a Top Priority", April 2018, Accessed February 2023

Foster Data-Driven Culture With Data Literacy

Data literacy is an essential part of a data-driven culture, bridging the data knowledge gaps across all levels of the organization.

Analyst Perspective

Data literacy is the missing link to becoming a data-driven organization.

“Digital transformation” and “data driven” are two terms that are inseparable. With organizations accelerating in their digital transformation roadmap implementation, organizations need to invest in developing data skills with their people. Talent is scarce and the demand for data skills is huge, with 70% of employees expected to work heavily with data by 2025. There is no time like the present to launch an organization-wide data literacy program to bridge the data knowledge gap and foster a data-driven culture.

Data literacy training is as important as your cybersecurity training. It impacts all levels of the organization. Data literacy is critical to success with digital transformation and AI analytics.

Annabel Lui

Principal Advisory Director, Data & Analytics Practice
Info-Tech Research Group

Executive Summary

Info-Tech Insight

By thoughtfully designing a data literacy training program for the audience's own experience, maturity level, and learning style, organizations build the data-driven and engaged culture that helps them to unlock their data's full potential and outperform other organizations.

Your Challenge

Data literacy is the missing link to drive business outcomes from data.

• Having a data-driven culture as an organization’s mission statement without implementing a data literacy program is like making an empty promise and leaving the value unrealized and unattainable.
• A study conducted by the Data Literacy Project clearly indicates that organizations with aggressive data literacy programs will outperform those who do not have such programs. By 2030, data literacy will be one of the most sought-after skill sets. All employees require data literacy skills.
• Everyone has a role in data. From employees who are actively involved in data collection to operational teams who create reports with analytics tools and finally to executives who use data to make business decisions – they all require continuous data literacy training in a data-driven organization. Because of differences in maturity, data literacy strategies cannot be one-size-fits-all.

“Data literacy is the ability to read, work with, analyze, and communicate with data. It's a skill that empowers all levels of workers to ask the right questions of data and machines, build knowledge, make decisions, and communicate meaning to others.” – Qlik, n.d.

75% of organizational employees have access to data tools – only 21% demonstrated confidence in their data skills.

Source: Accenture, 2020.

89% of C-level executives expect team members to explain how data has informed their decisions, but only 11% employees are fully confident in their ability to read, analyze, work with, and communicate with data

Source: Qlik, 2022.

Data debt or data asset?

Manage your data as strategic assets.

“[Data debt is] when you have undocumented, unused, incomplete, and inconsistent data,” according to Secoda (2023). “When … data debt is not solved, data teams could risk wasting time managing reports no one uses and producing data that no one understands.”

Signs of data debt when considering investing in data literacy:

• Lack of definition and understanding of data terms, therefore they don’t speak the same language. Without data literacy, an organization will not succeed in becoming a data-driven organization.
• Putting data literacy as a low priority. Organization sees this as “another” training to put on the list and keeps it on the back burner.
• Data literacy is not seen as the number one skill set needed in the organization. However, anyone who works with data requires data skills.
• End users are not trained on self-serve features and tools.
• Focusing on a minority group of people rather than everyone in the organization or seeing it as a one-off exercise.
• Delays or failure to deliver digital transformation projects due to lack of data skills and data access issues.

66%

of organizations say a backlog of data debt is impacting new data management initiatives.

40%

of organizations say individuals within the business do not trust data insights.

30%

of organizations are unable to become data-driven.

Source: Experian, 2020

Info-Tech’s Approach

Data literacy is critical to success with digital transformation and AI analytics.

The Info-Tech difference:

1. More than just technical training. Data literacy program isn’t just about data but rather encompasses aspects of business, IT, and data.
2. More than a one-off exercise. To keep literacy skills alive, the program must be routine and sustainable, tailored to different needs across all levels of the organization.
3. More than one delivery format. Different delivery methods need to be considered to suit various learning styles.

Data needs to be processed

Data – facts – are organized, processed, and given meaning to become insights.

Image source: Welocalize, 2020.

Data represents a discrete fact or event without relation to other things (e.g. it is raining). Data is unorganized and not useful on its own.

Information organizes and structures data so that it is meaningful and valuable for a specific purpose (i.e. it answers questions). Information is a refined form of data.

When information is combined with experience and intuition, it results in knowledge. It is our personal map/model of the world.

Knowledge set with context generates insight. We become knowledgeable as a result of reading, researching, and memorizing (i.e. accumulating information).

Wisdom means the ability to make sound judgments. Wisdom synthesizes knowledge and experiences into insights.

Investment in data literacy is a game changer.

Data literacy is the ability to collect, manage, evaluate, and apply data in a critical manner.

A data-driven culture is “an operating environment that seeks to leverage data whenever and wherever possible to enhance business efficiency and effectiveness” (Forbes).

Info-Tech Insight

Data-driven culture refers to a workplace where decisions are made based on data evidence, not on gut instinct.

Info-Tech’s methodology for building a data literacy program

Insight Summary

“In a world of more data, the companies with more data-literate people are the ones that are going to win.”

– Miro Kazakoff, senior lecturer, MIT Sloan, in MIT Sloan School of Management, 2021

Overarching insight

By thoughtfully designing a data literacy training program personalized to each audience's maturity level, learning style, and experience, organizations can develop and grow a data-driven culture that unlocks the data's full potential for competitive differentiation.

Module 1 insight

We can learn a lot from each other. Literacy works both ways – business data stewards learn to “speak data” while IT data custodians understand the business context and value. Everyone should strive to exchange knowledge.

Module 2 insight

Avoid traditional classroom teaching – create a data literacy program that is learner-centric to allow participants to learn and experiment with data.

Aligning program design to those learning styles will make participants more likely to be receptive to learning a new skill.

Module 3 insight

A data literacy program isn’t just about data but rather encompasses aspects of business, IT, and data. With executive support and partnership with business, running a data literacy program means that it won’t end up being just another technical training. The program needs to address why, what, how questions.

Tactical insight

A lot of programs don’t include the fundamentals. To get data concepts to stick, focus on socializing the data/information/knowledge/wisdom foundation.

Tactical insight

Many programs speak in abstract terms. We present case studies and tangible use cases to personalize training to the audience’s world and showcase opportunities enabled through data.

Key performance indicators (KPIs) for your data literacy program

How do you know if your data literacy program is successful? Here are some useful KPIs:

Program Adoption Metrics

• Percentage of employees attending data literacy training
• Percentage of participants who report gains in data management knowledge after training sessions
• Maturity assessment result
• Survey and diagnostic feedback before and after training
• Trend analysis of overall data literacy program

Operational Metrics

• Number of requests for analytics/reporting services
• Number of reports created by users
• Speed and quality of business decisions
• User satisfaction with reports and analytics services
• Improved business performance (customer satisfaction)
• Improved valuation of organization data

A data-driven culture builds tools and skills, builds users’ trust in the quality of data across sources, and raises the skills and understanding among the frontlines by encouraging everyone to leverage data for critical thinking and innovation.

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

Guided Implementation

"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

Workshop

"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

Consulting

"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of the project."

Diagnostics and consistent frameworks are used throughout all four options.

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

Phase 1

Define Data Literacy Objectives

Foster Data-Driven Culture With Data Literacy

This phase will walk you through the following activities:

• Understand the organization’s needs.
• Create vision and objective for data literacy program.

This phase involves the following participants:

• Data governance sponsor
• Data owners
• Data stewards
• Data custodians

1.1 Gauge your organization’s current data culture

Conduct data culture survey or diagnostic.

1. Identify members of the data user base, data consumers, and other key stakeholders for surveying.
2. Conduct an information session to introduce Info-Tech’s Data Culture Diagnostic survey. Explain the objective and importance of the survey and its role in helping to understand the organization’s current data culture and inform the improvement of that culture.
3. Roll out the Info-Tech Data Culture Diagnostic survey to the identified users and stakeholders.
4. Debrief and document the results and scorecard in the Data Strategy Stakeholder Interview Guide and Findings document.

Contact your Info-Tech Account Representative for details on launching a Data Culture Diagnostic.

1.2 Define data literacy objectives

1. Understand the organization’s needs by identifying opportunities and challenges relating to data. Document the described real-life examples.
2. Categorize the list and identify areas where data literacy can address the business problem.
3. Create a vision statement for the data literacy program, ensuring that it covers all levels of the organization.
4. Articulate the intended targets and goals in planning for a data literacy program.

Quick wins for improving data literacy

Data collected through Info-Tech’s Data Culture Diagnostic suggests three ways to improve data literacy:

87%

think more can be done to define and document commonly used terms with methods such as a business data glossary.

68%

think they can have a better understanding of the meaning of all data elements that are being captured or managed.

86%

feel that they can have more training in terms of tools as well as on what data is available at the organization.

Source: Info-Tech Research Group's Data Culture Diagnostic, 2022; N=2,652

Quick Wins

• Create a business data glossary to document and define common terms.
• Provide easy access to the business data glossary and procedures on how data is captured and managed.
• Launch an organization-wide data literacy program.

Delivering value is a means and the goal

Start with real business problems in a hands-on format to demonstrate the value of data.

Identify business problem:

• Business decisions without facts are just guesses.
• Management spends a lot of time finding and fixing data.
• Unknown challenges on data assets and risk.
• Incomplete view of customer/client and industry.
• Not ready for modern data opportunities (e.g. artificial intelligence).

Create an objective

Treat data as a strategic asset to gain insight into our customers for all levels of organization.

The solution: Data-driven culture powered by people who speak data.

• Data dictionary
• Data literacy
• Trusted single source
• Access to analytics tools
• Decision making

"According to Forrester, 91% of organizations find it challenging to improve the use of data insights for decision-making – even though 90% see it as a priority. Why the disconnect? A lack of data literacy."

– Alation, 2020

Fundamental data literacy

Data literacy is more than just a technical training or a one-off exercise.

Info-Tech provides various topics suited for a data literacy program that can accommodate different data skill requirements and encompasses relevant aspects of business, IT, and data.

Info-Tech Research Group’s Data Literacy Program

Use discovery and diagnostics to understand users’ comfort level and maturity with data.

Data lunch 'n' learn

• The power and value of data
• Everyone is a data steward
• Becoming data literate
• Data 101
• The future is data

1 hour

Speak data

• What is data
• Meet the data team
• Day in the life of a steward
• How data impacts you
• Tools of the trade

1/2 day

Your data story

• Ask the right questions
• Find the top five data elements
• Understand your data
• Present your data story
• Lessons from COVID-19

1/2 day

Phase 2

Assess Learning Style and Align to Program Design

Foster Data-Driven Culture With Data Literacy

This phase will walk you through the following activities:

• Identify your audience.
• Assess learning styles and align them to the data program design.
• Determine the right delivery method.

This phase involves the following participants:

• Data governance sponsor
• Data owners
• Data stewards
• Data custodians

Avoid common pitfalls

75%

feel that training was too long to remember or to apply in their day-to-day work.

21%

find training had insufficient follow-up to help them apply on the job.

Source: Grovo, 2018.

1. Information Overload

   Trying to cover too much useful information results in overwhelm and does not deliver on key training objectives.

2. Limited Implementation

   Learning is only the beginning. The real results are obtained when learning is followed by practice, which turns new knowledge into reliable habits.

3. Lack of Organizational Alignment

   Implementing training without a clear link to organizational objectives leaves you unable to clearly communicate its value, undermines your ability to secure buy-in from attendees and executives, and leaves you unable to verify that the training is actually improving effectiveness.

2.1 Understand learning style

1. Create persona and identify the audiences and their roles in data across all levels of the organization.
2. Identify the data program initiatives and assign the best delivery method to each initiative.
3. Assign participants to each program initiative based on their skill gap and learning style.

You and data

Is data an integral part of your work?

Do you feel comfortable finding and using data in your organization?

• Many people feel intimidated by data and therefore miss out on what data can do for them.
• Often the obstacle is language. If you don’t understand the semantics around data, you will not feel confident to contribute to discussions around data.
• You use data every day but need additional vocabulary to understand how to handle it properly.
• Data literacy is the ability to “speak data” and to understand what data means (i.e. how to read charts and graphs, draw valid conclusions, and recognize when data is misinterpreted or used inappropriately to be misleading).
• The business often doesn’t understand its role in data governance and how it informs and assists IT in responsible data management.

Info-Tech Insight

IT and data professionals need to understand the business as much as business needs to talk about data. Bidirectional learning and feedback improves the synergy between business and IT.

Create personas

Persona creation is a way to brainstorm ideas for the data literacy program.

Choose a data role (e.g. data steward, data owner, data scientist).

Describe the persona based on goals, priorities, tenures, preferred learning style, type of work with data.

Identify data skill and level of skills required.

Consider these other ways to brainstorm:

• Review current in-flight projects.
• Analyze types of data requests.
• Understand needs by department.
• Share learnings in a community of practice.

Program design

Categorize into six data skill areas

Not everyone needs the same level of skill sets

Map the personas to the program

Bridging the data knowledge gap.

• Each component will promote the value of data to all levels of employees when demonstrating the right way for data to be understood, managed, and consumed in the organization.
• Categorizing the data literacy program into six areas and levels of skill sets will provide clarity into which areas to focus on.
• The program is intended to be implemented in stages, allowing the audience to learn and adopt the new skills. Leveraging in-flight projects for rolling out training will have a higher success because the need is already built into the project.

Align program design to learning styles

Info-Tech Insight

Tailor your data literacy program to meet your organization’s needs, filling your range of knowledge gaps and catering to different levels of users.

When it comes to rolling out a data literacy program, there is no one-size-fits-all solution. Your data literacy program is intended to spread knowledge throughout your organization. It should target everyone from executive leadership to management to subject matter experts across all functions of the business.

Discussion method

Delivery Method

• Interactive format between instructor and learner
• Instructor empowers and motivates learner through dialogues and exercises

The imaginative learner

The imaginative learner group likes to engage in feelings and spend time on reflection. This type of learner desires personal meaning and involvement. They focus on personal values for themselves and others and make connections quickly.

For this group of learners, their question is: why should I learn this?

Learning characteristics

• Seek meaning
• Need to be personally involved
• Learn by listening and sharing ideas
• Function through social interaction

Information method

Delivery Method

• Instructor does most of the talking in the training
• Instructor is teaching the content, delivering the training content, and demonstrating

Analytical learner

The analytical learner group likes to listen, to think about information, and to come up with ideas. They are interested in acquiring facts and delving into concepts and processes. They can learn effectively and enjoy doing independent research.

For this group of learners, their question is: what should I learn?

Learning characteristics

• Seek and examine the facts
• Need to know what experts think
• Interested in ideas and concepts
• Critique information and collect data
• Function by adapting to experts

Coaching method

Delivery Method

• Learning has on-the-job training or learning through role-play exercises
• Instructor is coaching and facilitating learner

Common sense learner

The common sense learner group likes thinking and doing. They are satisfied when they can carry out experiments, build and design, and create usability. They like tinkering and applying useful ideas.

For this group of learners, their question is: how should I learn?

Learning characteristics

• Seek usability
• Need to know how things work
• Learn by testing theories using practical methods
• Use factual data to build concepts
• Enjoy hands-on experience

Self-discovery method

Delivery Method

• Interactive format between instructor and learner
• Instructor provides evaluation and remedial instruction

Common sense learner

The dynamic learner group learns through doing and experiencing. They are continually looking for hidden possibilities and researching ideas to make original adjustments. They learn through trial and error and self-discovery.

For this group of learners, their question is: what if I learn this?

Learning characteristics

• Seek hidden possibilities
• Need to know what can be done with things
• Learn by trial and error
• Enjoy variety and excel in being flexible

Delivery method considerations

There are four common ways to learn a new skill: by watching, conceptualizing, doing, and experiencing. The following are some suggestions on ways to implement your data literacy program through different delivery methods.

Phase 3

Map Out Data Literacy Roadmap and Milestones

Foster Data-Driven Culture With Data Literacy

This phase will walk you through the following activities:

• Complete a roadmap exercise.
• Set key performance metrics and milestones.

This phase involves the following participants:

• Data governance sponsor
• Data owners
• Data stewards
• Data custodians

3.1 Build the data literacy roadmap and milestones

1-3 hours

1. Gather the data literacy objectives and list of program initiatives with their assigned groups.
2. Discuss each program initiative with the data literacy creation team, assigning content owners and estimating effort required to build the content.

For the Gantt chart:

• Input the roadmap start year.
• List each data literacy topic and delivery method.
• Populate the planned start and end dates for the prepopulated list of program initiatives.

Data literacy journey mapping

Making it sustainable

• Deliver the literacy program in stages to make it easier for the audience to consume the content.
• Allow opportunities to apply the learnings at work.
• Map out the data literacy trainings as they get delivered and identify gaps, if any. Continue to refine and adjust the program and delivery method for better outcome.
• Set clear goals and KPIs measurement up front.
• Conduct Info-Tech Research Group’s Data Culture Diagnostics to set the baseline and repeat the assessment in 12 to 18 months.
• Assign champions to lead change and influence end users to adopt better processes.

Research contributors

Info-Tech’s Data Literacy Program

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

Related Info-Tech Research

Establish Data Governance

Deliver measurable business value.

Build a Robust and Comprehensive Data Strategy

Key to building and fostering a data-driven culture.

Create a Data Management Roadmap

Streamline your data management program with our simplified framework.

Bibliography

About Learning. “4MAT overview.” About Learning., 16 Aug. 2001. Web.

Accenture. “The Human Impact of Data Literacy,” Accenture, 2020. Web.

Anand, Shivani. “IDC Reveals India Data and Content Technologies Predictions for 2022 and onwards; Focus on Data Literacy for an Elevated data Culture.” IDC, 14 Mar. 2022. Web.

Belissent, Jennifer, and Aaron Kalb. “Data Literacy: The Key to Data-Driven Decision Making.” Alation, April 2020. Web.

Brown, Sara. “How to build data literacy in your company.” MIT Sloan School of Management, 9 Feb 2021. Web.

---. “How to build a data-driven company.” MIT Sloan School of Management, 24 Sept. 2020. Web.

Domo. “Data Never Sleeps 9.0.” Domo, 2021. Web.

Dykes, Brent. “Creating A Data-Driven Culture: Why Leading By Example Is Essential.” Forbes, 26 Oct. 2017. Web.

Experian. “10 signs you are sitting on a pile of data debt.” Experian, 2020. Accessed 25 June 2021. Web.

Experian. “2019 Global Data Management Research.” Experian, 2019. Web.

Knight, Michelle. “Data Literacy Trends in 2023: Formalizing Programs.” Dataversity, 3 Jan. 2023. Web.

Ghosh, Paramita. “Data Literacy Skills Every Organization Should Build.” Dataversity, 2 Nov. 2022. Web.

Johnson, A., et al., “How to Build a Strategy in a Digital World,” Compact, 2018, vol. 2. Web.

LifeTrain. “Learning Style Quiz.” EMTrain, Web.

Lambers, E., et al. “How to become data literate and support a data-drive culture.” Compact, 2018, vol. 4. Web.

Marr, Benard. “Why is data literacy important for any business?” Bernard Marr & Co., 16 Aug. 2022. Web.

Marr, Benard. “8 simple ways to enhance your data literacy skills.” Bernard Marr & Co., 16 Aug. 2022. Web/

Mendoza, N.F. “Data literacy: Time to cure data phobia” Tech Republic, 27 Sept. 2022. Web.

Mizrahi, Etai. “How to stay ahead of data debt and downtime?” Secoda, 17 April 2023. Web.

Needham, Mass., “IDC FutureScape: Top 10 Predictions for the Future of Intelligence.” IDC, 5 Dec. 2022. Web.

Paton, J., and M.A.P. op het Veld. “Trusted Analytics.” Compact, 2017, vol. 2. Web.

Qlik. “Data Literacy to be Most In-Demand Skill by 2030 as AI Transforms Global Workplaces.” Qlik., 16 Mar 2022. Web.

Qlik. “What is data literacy?” Qlik, n.d. Web.

Reed, David. Becoming Data Literate. Harriman House Publishing, 1 Sept. 2021. Print.

Salomonsen, Summer. “Grovo’s First-Time Manager Microlearning® Program Will Help Your New Managers Thrive in 2018.” Grovos Blog, 5 Dec. 2018. Web.

Webb, Ryan. “More Than Just Reporting: Uncovering Actionable Insights From Data.” Welocalize, 1 Sept. 2020. Web.

Create a Transparent and Defensible IT Budget

Build in approvability from the start.

EXECUTIVE BRIEF

Analyst Perspective

A budget’s approvability is about transparency and rationale, not the size of the numbers.

It’s that time of year again – budgeting. Most organizations invest a lot of time and effort in a capital project selection process, tack a few percentage points onto last year’s OpEx, do a round of trimming, and call it a day. However, if you want to improve IT financial transparency and get your business stakeholders and the CFO to see the true value of IT, you need to do more than this. Yourcrea IT budget is more than a once-a-year administrative exercise. It’s an opportunity to educate, create partnerships, eliminate nasty surprises, and build trust. The key to doing these things rests in offering a range of budget perspectives that engage and make sense to your stakeholders, as well as providing iron-clad rationales that tie directly to organizational objectives. The work of setting and managing a budget never stops – it’s a series of interactions, conversations, and decisions that happen throughout the year. If you take this approach to budgeting, you’ll greatly enhance your chances of creating and presenting a defensible annual budget that gets approved the first time around.

Jennifer Perrier Principal Research Director IT Financial Management Practice Info-Tech Research Group

Executive Summary

Info-Tech Insight
CIOs need a straightforward way to create and present an approval-ready IT budget that demonstrates the value IT is delivering to the business and speaks directly to different stakeholder priorities.

IT struggles to get budgets approved due to low transparency and failure to engage

Reflect on the numbers…

To move forward, first you need to get unstuck

Today’s IT budgeting challenges have been growing for a long time. Overcoming these challenges means untangling yourself from the grip of the root causes.

The three principles above are all about IT’s changing relationship to the business. IT leaders need a systematic and repeatable approach to budgeting that addresses these principles by:

• Clearly illustrating the alignment between the IT budget and business objectives.
• Showing stakeholders the overall value that IT investment will bring them.
• Demonstrating where IT is already realizing efficiencies and economies of scale.
• Gaining consensus on the IT budget from all parties affected by it.

“The culture of the organization will drive your success with IT financial management.”

– Dave Kish, Practice Lead, IT Financial Management Practice, Info-Tech Research Group

Info-Tech’s approach

CIOs need a straightforward way to convince approval-granting CFOs, CEOs, boards, and committees to spend money on IT to advance the organization’s strategies.

IT budget approval cycle

The Info-Tech difference:

This blueprint provides a framework, method, and templated exemplars for building and presenting your IT budget to different stakeholders. These will speed the approval process and ensure that a higher percentage of your proposed spend is approved.

Info-Tech’s methodology for how to create a transparent and defensible it budget

Insight summary

Overarching insight: Create a transparent and defensible IT budget

CIOs need a straightforward way to create and present an approval-ready IT budget that demonstrates the value IT is delivering to the business and speaks directly to different stakeholder priorities.

Phase 1 insight: Lay your foundation

IT needs to step back and look at it’s budget-creation process by first understanding exactly what a budget is intended to do and learning what the IT budget means to IT’s various business stakeholders.

Phase 2 Insight: Get into budget-starting position

Presenting your proposed IT budget in the context of past IT expenditure demonstrates a pattern of spend behavior that is fundamental to next year’s expenditure rationale.

Phase 3 insight: Develop your forecasts

Forecasting costs according to a range of views, including CapEx vs. OpEx and project vs. non-project, and then positioning it according to different stakeholder perspectives, is key to creating a transparent budget.

Phase 4 insight: Build your proposed budget

Fine-tuning and hardening the rationales behind every aspect of your proposed budget is one of the most important steps for facilitating the budgetary approval process and increasing the amount of your budget that is ultimately approved.

Phase 5 insight: Create and deliver your budget presentation

Selecting the right content to present to your various stakeholders at the right level of granularity ensures that they see their priorities reflected in IT’s budget, driving their interest and engagement in IT financial concerns.

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

IT Cost Forecasting and Budgeting Workbook This Excel tool allows you to capture and work through all elements of your IT forecasting from the perspective of multiple key stakeholders and generates compelling visuals to choose from to populate your final executive presentation.

Also download this completed sample:

Sample: IT Cost Forecasting and Budgeting Workbook

Key deliverable

IT Budget Executive Presentation Template

Phase 5: Create a focused presentation for your proposed IT budget that will engage your audience and facilitate approval.

Blueprint benefits

Measure the value of this blueprint

Ease budgetary approval and improve its accuracy.

Near-term goals

• Percentage of budget approved: Target 95%
• Percentage of IT-driven projects approved: Target 100%
• Number of iterations/re-drafts required to proposed budget: One iteration

Long-term goal

• Variance in budget vs. actuals: Actuals less than budget and within 2%

In Phases 1 and 2 of this blueprint, we will help you understand what your approvers are looking for and gather the right data and information.

In Phase 3, we will help you forecast your IT costs it terms of four stakeholder views so you can craft a more meaningful IT budget narrative.

In Phases 4 and 5, we will help you build a targeted presentation for your proposed IT budget.

Value you will receive:

1. Increased forecast accuracy through using a sound cost-forecasting methodology.
2. Improved budget accuracy by applying more thorough and transparent techniques.
3. Increased budget transparency and completeness by soliciting input earlier and validating budgeting information.
4. Stronger alignment between IT and enterprise goals through building a better understanding of the business values and using language they understand.
5. A more compelling budget presentation by offering targeted, engaging, and rationalized information.
6. A faster budgeting rework process by addressing business stakeholder concerns the first time.

An analogy…

“A budget isn’t like a horse and cart – you can’t get in front of it or behind it like that. It’s more like a river…

When developing an annual budget, you have a good idea of what the OpEx will be – last year’s with an annual bump. You know what that boat is like and if the river can handle it.

But sometimes you want to float bigger boats, like capital projects. But these boats don’t start at the same place at the same time. Some are full of holes. And does your river even have the capacity to handle a boat of that size?

Some organizations force project charters by a certain date and only these are included in the following year’s budget. The project doesn’t start until 8-12 months later and the charter goes stale. The river just can’t float all these boats! It’s a failed model. You have to have a great governance processes and clear prioritization so that you can dynamically approve and get boats on the river throughout the year.”

– Mark Roman, Managing Partner, Executive Services,
Info-Tech Research Group and Former Higher Education CIO

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation

“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop

“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting

“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is 8 to 12 calls over the course of 4 to 6 months.

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

Phase 1

Lay Your Foundation

This phase will walk you through the following activities:

• Seeing your budget as a living governance tool
• Understanding the point of view of different stakeholders
• Gaining tactics for setting future IT spend expectations

This phase involves the following participants:

• Head of IT
• IT Financial Lead
• Other IT Management

Lay Your Foundation

Before starting any process, you need to understand exactly why you’re doing it.

This phase is about understanding the what, why, and who of your IT budget.

• Understand what your budget is and does. A budget isn’t just an annual administrative event – it’s an important governance tool. Understand exactly what a budget is and your budgetary accountabilities as an IT leader.
• Know your stakeholders. The CFO, CEO, and CXOs in your organization have their own priorities, interests, and professional mandates. Get to know what their objectives are and what IT’s budget means to them.
• Continuously pre-sell your budget. Identifying, creating, and capitalizing on opportunities to discuss your budget well in advance of its formal presentation will get influential stakeholders and approvers on side, foster collaborations, and avoid unpleasant surprises on all fronts.

“IT finance is more than budgeting. It’s about building trust and credibility in where we’re spending money, how we’re spending money. It’s about relationships. It’s about financial responsibility, financial accountability. I rely on my entire leadership team to all understand what their spend is. We are a steward of other people’s money.”

– Rick Hopfer, CIO, Hawaii Medical Service Association

What does your budget actually do?

A budget is not just a painful administrative exercise that you go through once a year.

Most people know what a budget is, but it’s important to understand its true purpose and how it’s used in your organization before you engage in any activity or dialogue about it.

In strictly objective terms:

• A budget is a calculated estimate of income vs. expenditure for a period in the future, often one year. Basically, it’s an educated guess about how much money will come into a business entity or unit and how much money will go out of it.
• A balanced budget is where income and expenditure amounts are equal.
• The goal in most organizations is for the income component of the budget to match or exceed the expenditure component.
  If it doesn’t, this results in a deficit that may lead to debt.

Simply put, a budget’s fundamental purpose is to plan and communicate how an organization will avoid deficit and debt and remain financially viable while meeting its various accountabilities and responsibilities to its internal and external stakeholders.

“CFOs are not thinking that they want to shut down IT spend. Nobody wants to do that. I always looked at things in terms of revenue streams – where the cash inflow is coming from, where it’s going to, and if I can align my cash outflows to my revenue stream. Where I always got suspicious as a CFO is if somebody can’t articulate spending in terms of a revenue stream. I think that’s how most CFOs operate.”

– Carol Carr, Technical Counselor,
Info-Tech Research Group and Former CFO

Put your IT budget in context

Your IT budget is just one of several budgets across your organization that, when combined, create an organization-wide budget. In this context, IT’s in a tough spot.

It’s a competition: The various units in your organization are competing for the biggest piece they can get of the limited projected income pie. It’s a zero-sum game. The organization’s strategic and operational priorities will determine how this projected income is divvied up.

Direct-to-revenue units win: Business units that directly generate revenue often get bigger relative percentages of the organizational budget since they’re integral to bringing in the projected income part of the budget that allows the expenditure across all business units to happen in the first place.

Indirect-to-revenue units lose: Unlike sales units, for example, IT’s relationship to projected income tends to be indirect, which means that IT must connect a lot more dots to illustrate its positive impact on projected income generation.

In financial jargon, IT really is a cost center: This indirect relationship to revenue also explains why the focus of IT budget conversations is usually on the expenditure side of the equation, meaning it doesn’t have a clear positive impact on income.

Contextual metrics like IT spend as a percentage of revenue, IT OpEx as a percentage of organizational OpEx, and IT spend per organizational employee are important baseline metrics to track around your budget, internally benchmark over time, and share, in order to illustrate exactly where IT fits into the broader organizational picture.

Budgeting isn’t a once-a-year thing

Yet, many organizations treat it like a “one and done” point of annual administration. This is a mistake that misses out on the real benefits of budgeting.

Many organizations have an annual budgeting and planning event that takes place during the back half of the fiscal year. This is where all formal documentation around planned projects and proposed spend for the upcoming year is consolidated, culminating in final presentation, adjustment, and approval. It’s basically a consolidation and ranking of organization-wide priorities at the highest level.

If things are running well, this culmination point in the overall budget development and management process is just a formality, not the beginning, middle, and end of the real work. Ideally:

• Budgets are actually used: The whole organization uses budgets as tools to actively manage day-to-day operations and guide decision making throughout the year in alignment with priorities as opposed to something that’s put on a shelf or becomes obsolete within a few months.
• Interdependencies are evident: No discrete area of spend focus is an island – it’s connected directly or indirectly with other areas of spend, both within IT and across the organization. For example, one server interacts with multiple business applications, IT and business processes, multiple IT staff, and even vendors or external managed service providers. Cost-related decisions about that one server – maintain, repurpose, consolidate, replace, discard – will drive other areas of spend up or down.
• There are no surprises: While this does happen, your budget presentation isn’t a great time to bring up a new point of significant spend for the first time. The items in next year’s proposed budget should be priorities that are already known, vetted, supported, and funded.

"A well developed and presented budget should be the numeric manifestation of your IT strategy that’s well communicated and understood by your peers. When done right, budgets should merely affirm what’s already been understood and should get approved with minimal pushback.“

– Patrick Gray, TechRepublic, 2020

Understand your budgetary responsibilities as the IT leader

It’s in your job description. For some stakeholders, it’s the most important part of it.

While not a contract per se, your IT budget is an objective and transparent statement made in good faith that shows:

• You know what it takes to keep the organization viable.
• You understand the organization’s accountabilities and responsibilities as well as those of its leaders.
• You’re willing and able to do your part to meet these accountabilities and responsibilities.
• You know what your part of this equation is, as well as what parts should and must be played by others.

When it comes to your budget (and all things financial), your job is to be ethical, careful, and wise:

1. Be honest. Business ethics matter.
2. Be as accurate as possible. Your expenditure predictions won’t be perfect, but they need to be best-effort and defensible.
3. Respect the other players. They have their own roles, motivations, and mandates. Accept and respect these by being a supporter of their success instead of an obstacle to them achieving it.
4. Connect the dots to income. Always keep the demonstration of business value in your sights. Often, IT can’t draw a straight line to income, but demonstrating how IT expenditure supports and benefits future, current, and past (but still relevant) business goals and strategies, which in turn affect income, is the best course.
5. Provide alternatives. There are only so many financial levers your organization can pull. An action on one lever will have wanted and unwanted consequences on another. Aim to put financial discussions in terms of risk-focused “what if” stories and let your business partners decide if those risks are satisfactory.

Budgeting processes tend to be similar – it’s budgeting cultures that drive differences

The basic rules of good budgeting are the same everywhere. Bad budgeting processes, however, are usually caused by cultural factors and can be changed.

1.1 Review your budgeting process and culture

1 hour

1. Review the following components of your budget process using the questions provided for each as a guideline.
1. Legal and regulatory mandates. What are the external rules that govern how we do financial tracking and reporting? How do they manifest in our processes?
2. Accounting rules used. What rules does our finance department use and why? Do these rules allow for more meaningful representations of IT spend? Are there policies or practices in place that don’t appear to be backed by any external standards?
3. Timeframes and deadlines. Are we starting the budgeting process too late? Do we have enough time to do proper due diligence? Will expenditures approved now be out of date when we go to execute? Are there mechanisms to update spend plans mid-cycle?
4. Order of operations. What areas of spend do we always look at first, such as CapEx? Are there any benefits to changing the order in which we do things, such as examining OpEx first?
5. Areas of focus. Is CapEx taking up most of our budgeting cycle time? Are we spending enough time examining OpEx? Is IT getting enough time from the CFO compared to other units?
6. Funding sources and ownership. Is IT footing most of the technology bills? Are business unit leaders fronting any technology business case pitches? Is IT appropriately included in business case development? Is there any benefit to implementing show-back or charge-back?
7. Review/approval mechanisms. Are strategies and priorities used to rank proposed spend clear and well communicated? Are spend approvers objective in their decision making? Do different approvers apply the same standards and tools?
8. Templates and tools. Are the ones provided by Finance, the PMO, and other groups sufficient to document what we need to document? Are they accessible and easy to use? Are they automated and integrated so we only have to enter data once?
2. On the slide following these activity instructions, rate how effective each of the above is on a scale of 1-10 (where 10 is very effective) in supporting the budgeting process. Note specific areas of challenge and opportunity for change.

1.1 Review your budgeting process and culture

Budget process and culture assessment

Document the outcomes of your assessment. Examples are provided below.

Receptive audiences make communication a lot easier

To successfully communicate anything, you need to be heard and understood.

The key to being heard and understood is first to hear and understand the perspective of the people with whom you’re trying to communicate – your stakeholders. This means asking some questions:

• What context are they operating in?
• What are their goals and responsibilities?
• What are their pressures and stresses?
• How do they deal with novelty and uncertainty?
• How do they best take in information and learn?

The next step of this blueprint shows the perspectives of IT’s key stakeholders and how they’re best able to absorb and accept the important information contained in your IT budget. You will:

• Learn a process for discovering these stakeholders’ IT budget information needs within the context of your organization’s industry, goals, culture, organizational structure, personalities, opportunities, and constraints.
• Document key objectives and messages when communicating with these various key stakeholders.

There are certain principles, mandates, and priorities that drive your stakeholders; they’ll want to see these reflected in you, your work, and your budget.

Your IT budget means different things to different stakeholders

Info-Tech’s ITFM Cost Model lays out what matters most from various points of view.

The CFO: Understand their role

The CFO is the first person that comes to mind in dealing with budgets. They’re personally and professionally on the line if anything runs amiss with the corporate purse.

What are the CFO’s role and responsibilities?

• Tracking cash flow and balancing income with expenditures.
• Ensuring fiscal reporting and legal/regulatory compliance.
• Working with the CEO to ensure financial-strategic alignment.
• Working with business unit heads to set aligned budgets.
• Seeing the big picture.

What’s important to the CFO?

• Costs
• Benefits
• Value
• Analysis
• Compliance
• Risk Management
• Strategic alignment
• Control
• Efficiency
• Effectiveness
• Reason
• Rationale
• Clarity
• Objectivity
• Return on investment

“Often, the CFO sees IT requests as overhead rather than a need. And they hate increasing overhead.”

– Larry Clark, Executive Counselor, Info-Tech Research Group and Former CIO

The CFO carries big responsibilities focused on mitigating organizational risks. It’s not their job to be generous or flexible when so much is at stake. While the CEO appears higher on the organizational chart than the CFO, in many ways the CFO’s accountabilities and responsibilities are on par with, and in some cases greater than, those of the CEO.

The CFO: What they want from the IT budget

What they need should look familiar, so do your homework and be an open book.

The CFO: Budget challenges and opportunities

Budget season is a great time to start changing the conversation and building trust.

The CXO: Understand their role

CXOs are a diverse group who lead a range of business functions including admin, operations, HR, legal, production, sales and service, and marketing, to name a few.

What are the CXO’s role and responsibilities?

Like you, the CXO’s job is to help the organization realize its goals and objectives. How each CXO does this is specific to the domain they lead. Variations in roles and responsibilities typically revolve around:

• Law and regulation. Some functions have compliance as a core mandate, including legal, HR, finance, and corporate risk groups.
• Finance and efficiency. Other functions prioritize time, money, and process such as finance, sales, customer service, marketing, production, operations, and logistics units.
• Quality. These functions prioritize consistency, reliability, relationship, and brand such as production, customer service, and marketing.

What’s important to the CXO?

• Staffing
• Skills
• Reporting
• Funding
• Planning
• Performance
• Predictability
• Customers
• Visibility
• Inclusion
• Collaboration
• Reliability
• Information
• Knowledge
• Acknowledgement

Disagreement is common between business-function leaders – they have different primary focus areas, and conflict and misalignment are natural by-products of that fact. It’s also hard to make someone care as much about your priorities as you do. Focus your efforts on sharing and partnering, not converting.

The CXO: What they want from the IT budget

Focus on their unique part of the organization and show that you see them.

The CXO: Budget challenges and opportunities

Seek out your common ground and be the solution for their real problems.

The CEO: Understand their role

A CEO sets the tone for an organization, from its overall direction and priorities to its values and culture. What’s possible and what’s not is usually determined by them.

What are the CEO’s role and responsibilities?

• Assemble an effective team of executives and advisors.
• Establish, communicate, and exemplify the organizations core values.
• Study the ecosystem within which the organization exists.
• Identify and evaluate opportunities.
• Set long-term directions, priorities, goals, and strategies.
• Ensure ongoing organizational performance, profitability, and growth.
• Connect the inside organization to the outside world.
• Make the big decisions no one else can make.

What’s important to the CEO?

• Strategy
• Leadership
• Vision
• Values
• Goals
• Priorities
• Performance
• Metrics
• Accountability
• Stakeholders
• Results
• Insight
• Growth
• Cohesion
• Context

Unlike the CFO and CXOs, the CEO is responsible for seeing the big picture. That means they’re operating in the realm of big problems and big ideas – they need to stay out of the weeds. IT is just one piece of that big picture, and your problems and ideas are sometimes small in comparison. Use any time you get with them wisely.

The CEO: What they want from the IT budget

The CEO wants what the CFO wants, but at a higher level and with longer-term vision.

The CEO: Budget challenges and opportunities

Strategically address the big issues, but don’t count on their direct assistance.

What about the CIO view on the IT budget?

IT leaders tend to approach budgeting from an IT services perspective. After all, that’s how their departments are typically organized.

The CFO expense view, CXO business view, and CEO innovation view represent IT’s stakeholders. The CIO service view, however, represents you, the IT budget creator. This means that the CIO service view plays a slightly different role in developing your IT budget communications.

1.2 Assess your stakeholders

1 hour

1. Use the “Stakeholder alignment assessment” template slide following this one to document the outcomes of this activity.
2. As an IT management team, identify your key budget stakeholders and specifically those in an approval position.
3. Use the information provided in this blueprint about various stakeholder responsibilities, areas of focus, and what’s typically important to them to determine each key stakeholder’s needs regarding the information contained in your IT budget. Note their stated needs, any idiosyncrasies, and IT’s current relationship status with the stakeholder (positive, neutral, or negative).
4. Assess previous years’ IT budgets to determine how well they targeted each different stakeholder’s needs. Note any gaps or areas for future improvement.
5. Develop a high-level list of items or elements to stop, start, or continue during your next budgeting cycle.

Stakeholder alignment assessment

Document the outcomes of your assessment below. Examples are provided below.

Set your IT budget pre-selling strategy

Pre-selling is all about ongoing communication with your stakeholders. This is the most game-changing thing you can do to advance a proposed IT budget’s success.

When IT works well, nobody notices. When it doesn’t, the persistent criticism about IT not delivering value will pop up, translating directly into less funding. Cut this off at the pass with an ongoing communications strategy based on facts, transparency, and perspective taking.

1. Know your channels

Identify all the communication channels you can leverage including meetings, committees, reporting cycles, and bulletins. Set up new channels if they don’t exist.

2. Identify partners

Nothing’s better than having a team of supporters when pitch day comes. Quietly get them on board early and be direct about the role each of you will play.

3. Always be prepared

Have information and materials about proposed initiatives at-the-ready. You never know when you’ll get your chance. But if your facts are still fuzzy, do more homework first.

4. Don’t be annoying

Talking about IT all the time will turn people off. Plan chats that don’t mention IT at all. Ask questions about their world and really listen. Empathy’s a powerful tool.

5. Communicate IT initiatives at launch

Describe what you will be doing and how it will benefit the business in language that makes sense to the beneficiaries of the initiative.

6. Communicate IT successes

Carry the same narrative forward through to the end and tell the whole story. Include comments from stakeholders and beneficiaries about the value they’re receiving.

Pre-selling with partners

The thing with pre-selling to partners is not to take a selling approach. Take a collaborative approach instead.

A partner is an influencer, advocate, or beneficiary of the expenditure or investment you’re proposing. Partners can:

• Advise you on real business impacts.
• Voice their support for your funding request.
• Present the initial business case for funding approval themselves.
• Agree to fund all or part of an initiative from their own budget.

When partners agree to pitch or fund an initiative, IT can lose control of it. Make sure you set specific expectations about what IT will help with or do on an ongoing basis, such as:

• Calculating the upfront and ongoing technology maintenance/support costs of the initiative.
• Leading the technology vetting and selection process, including negotiating with vendors, setting service-level agreements, and finalizing contracts.
• Implementing selected technologies and training users.
• Maintaining and managing the technology, including usage metering.
• Making sure the bills get paid.

A collaborative approach tends to result in a higher level of commitment than a selling approach.

Put yourself in their shoes using their language. Asking “How will this affect you?” focuses on what’s in it for them.

Example:

CIO: “We’re thinking of investing in technology that marketing can use to automate posting content to social media. Is that something you could use?”

CMO: “Yes, we currently pay two employees to post on Facebook and Twitter, so if it could make that more efficient, then there would be cost savings there.”

Pre-selling with approvers

The key here is to avoid surprises and ensure the big questions are answered well in advance of decision day.

An approver is the CFO, CEO, board, council, or committee that formally commits funding support to a program or initiative. Approvers can:

• Point out factors that could derail realization of intended benefits.
• Know that a formal request is coming and factor it into their planning.
• Connect your idea with others to create synergies and efficiencies.
• Become active advocates.

When approvers cool to an idea, it’s hard to warm them up again. Gradually socializing an idea well in advance of the formal pitch gives you the chance to isolate and address those cooling factors while they’re still minor. Things you can address if you get an early start with future approvers include:

• Identify and prepare for administrative, regulatory, or bureaucratic hurdles.
• Incorporate approvers’ insights about organizational realities and context.
• Further reduce the technical jargon in your language.
• Fine tune the relevance and specificity of your business benefits statements.
• Get a better sense of the most compelling elements to focus on.

Blindsiding approvers with a major request at a budget presentation could trigger an emotional response, not the rational and objective one you want.

Make approvers part of the solution by soliciting their advice and setting their expectations well in advance.

Example:

CIO: “The underwriting team and I think there’s a way to cut new policyholder approval turnaround from 8 to 10 days down to 3 or 4 using an online intake form. Do you see any obstacles?”

CFO: “How do the agents feel about it? They submit to underwriting differently and might not want to change. They’d all need to agree on it. Exactly how does this impact sales?”

1.3 Set your budget pre-selling strategy

1 hour

1. Use the “Stakeholder pre-selling strategy” template slide following this instruction slide to document the outcomes of this activity.
2. Carry forward your previously-generated stakeholder alignment assessment from Step 1.2. As a management team, discuss the following for each stakeholder:
   1. Forums and methods of contact and interaction.
   2. Frequency of interaction.
   3. Content or topics typically addressed during interactions.
3. Discuss what the outcomes of an ideal interaction would look like with each stakeholder.
4. List opportunities to change or improve the nature of interactions and specific actions you plan to take.

Stakeholder pre-selling strategy

Document the outcomes of your discussion. Examples are provided below.

Phase recap: Lay your foundation

Build in the elements from the start that you need to facilitate budgetary approval.

You should now have a deeper understanding of the what, why, and who of your IT budget. These elements are foundational to streamlining the budget process, getting aligned with peers and the executive, and increasing your chances of winning budgetary approval in the end.

In this phase, you have:

• Reviewed what your budget is and does. Your budget is an important governance and communication tool that reflects organizational priorities and objectives and IT’s understanding of them.
• Taken a closer look at your stakeholders. The CFO, CEO, and CXOs in your organization have accountabilities of their own to meet and need IT and its budget to help them succeed.
• Developed a strategy for continuously pre-selling your budget. Identifying opportunities and approaches for building relationships, collaborating, and talking meaningfully about IT and IT expenditure throughout the year is one of the leading things you can do to get on the same page and pave the way for budget approval.

“Many departments have mostly labor for their costs. They’re not buying a million and a half or two million dollars’ worth of software every year or fixing things that break. They don’t share IT’s operations mindset and I think they get frustrated.”

– Matt Johnson, IT Director Governance and Business Solutions, Milwaukee County

Phase 2

Get Into Budget-Starting Position

This phase will walk you through the following activities:

• Putting together your budget team and gather your data.
• Selecting which views of the ITFM Cost Model you’ll use.
• Mapping and analyzing IT’s historical expenditure.
• Setting goals and metrics for the next budgetary cycle.

This phase involves the following participants:

• Head of IT
• IT Financial Lead
• Other IT Management

Get into budget-starting position

Now’s the time to pull together your budgeting resources and decision-making reference points.

This phase is about clarifying your context and defining your boundaries.

• Assemble your resources. This includes the people, data, and other information you’ll need to maximize insight into future spend requirements.
• Understand the four views of the IT Cost Model. Firm up your understanding of the CFO expense view, CIO service view, CXO business view, and CEO innovation view and decide which ones you’ll use in your analysis and forecasting.
• Review last year’s budget versus actuals. You need last year’s context to inform next year’s numbers as well as demonstrate any cost efficiencies you successfully executed.
• Review five-year historical trends. This long-term context gives stakeholders and approvers important information about where IT fits into the business big picture and reminds them how you got to where you are today.
• Set your high-level goals. You need to decide if you’re increasing, decreasing, or holding steady on your budget and whether you can realistically meet any mandates you’ve been handed on this front. Set a target as a reference point to guide your decisions and flag areas where you might need to have some tough conversations.

“A lot of the preparation is education for our IT managers so that they understand what’s in their budgets and all the moving parts. They can actually help you keep it within bounds.”

– Trisha Goya, Director, IT Governance & Administration, Hawaii Medical Service Association

Gather your budget-building team

In addition to your CFO, CXOs, and CEO, there are other people who will provide important information, insight, and skill in identifying IT budget priorities and costs.

As the head of IT, your role is as the budgeting team lead. You understand both the business and IT strategies, and have relationships with key business partners. Your primary responsibilities are to guide and approve all budget components and act as a liaison between finance, business units, and IT.

Set expectations with your budgeting team

Be clear on your goals and ensure everyone has what they need to succeed.

2.1 Brief and mobilize your IT budgeting team

2 hours

1. Download the IT Cost Forecasting and Budgeting Workbook
2. Organize a meeting with your IT department management team, team leaders, and project managers.
3. Review their general financial management accountabilities and responsibilities.
4. Discuss the purpose and context of the budgeting exercise, different budget components, and the organization’s milestones/deadlines.
5. Identify specific tasks and activities that each member of the team must complete in support of the budgeting exercise.
6. Set up additional checkpoints, working sessions, or meetings that will take you through to final budget submission.
7. Document your budget team members, responsibilities, deliverables, and due dates on the “Planning Variables” tab in the IT Cost Forecasting & Budgeting Workbook.

Download the IT Cost Forecasting and Budgeting Workbook

Leverage the ITFM Cost Model

Each of the four views breaks down IT costs into a different array of categories so you and your stakeholders can see expenditure in a way that’s meaningful for them.

You may decide not to use all four views based on your goals, audience, and available time. However, let’s start with how you can use the first two views, the CFO expense view and the CIO service view.

Extend your dialogue to the business

Applying the business optimization views of the ITFM Cost Model can bring a level of sophistication to your IT cost analysis and forecasting efforts.

Some views take a bit more work to map out, but they can be powerful tools for communicating the value of IT to the business. Let’s look at the last two views, the CXO business view and the CEO innovation view.

2.2 Select the ITFM Cost Model views you plan to complete based on your goals

30 minutes

The IT Cost Forecasting and Budgeting Workbook contains standalone sections for each view, as well as rows for each lowest-tier sub-category in a view, so each view can be analyzed and forecasted independently.

1. Review Info-Tech’s ITFM Cost Model and the expenditure categories and sub-categories each view contains.
2. Revisit your stakeholder analysis for the budgeting exercise. Plan to:
   1. Complete the CFO expense view regardless.
   2. Complete the CIO service view – consider doing this one first for forecasting purposes as it may be most familiar to you and serve as an easier entry point into the forecasting process.
   3. Complete the CXO business view – consider doing this only for select business units if you have the objective of enhancing awareness of their true consumption of IT resources or if you have (or plan to have) a show-back/chargeback mechanism.
   4. Complete the CEO innovation view only if your data allows it and there’s a compelling reason to discuss the strategic or innovative role of IT in the organization.

Gather your budget-building data

Your data not only forms the content of your budget but also serves as the supporting evidence for the decisions you’ve made.

Ensure you have the following data and information available to you and your budgeting team before diving in:

Past data

• Last fiscal year’s budget.
• Actuals for the past five fiscal years.
• Pre-set capital depreciation/amortization amounts to be applied to next fiscal year’s budget.

Current data

• Current-year IT positions and salaries.
• Active vendor contracts with payment schedules and amounts (including active multi-year agreements).
• Cost projections for remainder of any projects that are committed or in-progress, including projected OpEx for ongoing maintenance and support.

Future data

• Estimated market value for any IT positions to be filled next year (both backfill of current vacancies and proposed net-new positions).
• Pricing data on proposed vendor purchases or contracts.
• Cost estimates for any capital/strategic projects that are being proposed but not yet committed, including resulting maintenance/support OpEx.
• Any known pending credits to be received or applied in the next fiscal year.

If you’re just getting started building a repeatable budgeting process, treat it like any other project, complete with a formal plan/ charter and a central repository for all related data, information, and in-progress and final documents.

Once you’ve identified a repeatable approach that works for you, transition the budgeting project to a regular operational process complete with policies, procedures, and tools.

Review last year’s budget vs. actuals

This is the starting point for building your high-level rationale around what you’re proposing for next fiscal year.

But first, some quick definitions:

• Budgeted: What you planned to spend when you started the fiscal year.
• Actual: What you ended up spending in real life by the end of the fiscal year.
• Variance: The difference between budgeted expenditure and actual expenditure.

For last fiscal year, pinpoint the following metrics and information:

Next, review your five-year historical expenditure trends

The longer-term pattern of IT expenditure can help you craft a narrative about the overarching story of IT.

For the previous five fiscal years, focus on the following:

Actual IT expenditure as a percentage of organizational revenue.

Again, for historical years 2-5, you can break this down into granular cost categories like workforce, software, and infrastructure like you did for last fiscal year. Avoid getting bogged down and focusing on the past – you ultimately want to redirect stakeholders to the future.

Percentage expenditure increase/decrease year to year.

You may choose to show overall IT expenditure amounts, breakdowns by CapEx and OpEx, as well as high-level cost categories.

As you go back in time, some data may not be available to you, may be unreliable or incomplete, or employ the same cost categories you’re using today. Use your judgement on the level of granularity you want to and can apply when going back two to five years in the past.

So, what’s the trend? Consider these questions:

• Is the year-over-year trend on a steady trajectory or are there notable dips and spikes?
• Are there any one-time capital projects that significantly inflated CapEx and overall spend in a given year or that forced maintenance-and support-oriented OpEx commitments in subsequent years?
• Does there seem to be an overall change in the CapEx-to-OpEx ratio due to factors like increased use of cloud services, outsourcing, or contract-based staff?

Take a close look at financial data showcasing the cost-control measures you’ve taken

Your CFO will look for evidence that you’re gaining efficiencies by controlling costs, which is often a prerequisite for them approving any new funding requests.

Your objective here is threefold:

1. Demonstrate IT’s track record of fiscal responsibility and responsiveness to business priorities.
2. Acknowledge and celebrate your IT-as-cost-center efficiency gains to clear the way for more strategic discussions.
3. Identify areas where you can potentially source and reallocate recouped funds to bolster other initiatives or business cases for net-new spend.

This step is about establishing credibility, demonstrating IT value, building trust, and showing the CFO you’re on their team.

Do the following:

• List any specific cost-control initiatives and their initial objectives and targets.
• Identify any changes made to those targets and your approaches due to changing conditions, with rationales for the decisions made. For example:
  • Mid-year, the business decided to allow approximately half the workforce to work from home on a permanent basis.
  • As a result, remote-worker demand on the service desk remained high and actually increased in some areas. You were unable to reduce service desk staff headcount as originally planned.
  • You’re now exploring ways to streamline ticket intake and assignment to increase throughput and speed resolution.
• Report on completed cost-control initiatives first, including targets, actuals, and related impacts. Include select feedback from business stakeholders and users about the impact of your cost-control measure on them.
• For in-progress initiatives, report progress made to-date, benefits realized to date, and plans for continuation next fiscal year.

“Eliminate the things you don’t need. People will give you what you need when you need it if you’re being responsible with what you already have.”

– Angela Hintz, VP of PMO & Integrated Services,
Blue Cross and Blue Shield of Louisiana

2.3 Review your historical IT expenditure

8 hours

1. Download the IT Cost Forecasting and Budgeting Workbook.
2. On Tab 1, “Historical Events & Projects,” note the cost-driving and cost-saving events that occurred last fiscal year that drove any variance between budgeted and actual expenditure. Describe the nature of their impact and current status (ongoing, resolved – temporary impact, or resolved – permanent impact).
3. Also on Tab 1, “Historical Events & Projects”, summarize the work done on capital or strategic projects, expenditures, and status (in progress, deferred, canceled, or complete).
4. On Tab 2, “Historical Expenditure”:
   1. Enter the budgeted and actuals data for last fiscal year in columns D-H for the views of the ITFM Cost Model you’re opted to do, i.e. CFO expense view, CIO service view, CXO business view, and CEO innovation view.
   2. Enter a brief rationale for any notable budgeted-versus-actuals variances or other interesting items in column K.
   3. Enter actuals data for the remaining past five fiscal years in columns L-O. Year-over-year comparative metrics will be calculated for you.
   4. Enter FTEs by business function in columns R-AA, rows 34-43.
      Expenditure per FTE and year-over year comparative metrics will be
      calculated for you.
5. Using Tabs 2, “Historical Expenditure” and 3, “Historical Analysis”, review and analyze the resulting data sets and graphs to identify overall patterns, specifically notable increases or decreases in a particular category of expenditure or where rationales are repeated across categories or views (these are significant).
6. Finally, flag any data points that help demonstrate achievement of, or progress toward, any cost-control measures you implemented.

2.3 Review your historical IT expenditure

Pull historical trends into a present-day context when setting your high-level goals

What’s happening to your organization and the ecosystem within which it’s operating right now? Review current business concerns, priorities, and strategies.

Knowing what happened in the past can provide good insights and give you a chance to show stakeholders your money-management track record. However, what stakeholders really care about is “now” and “next”. For them, it’s all about current business context.

Ask these questions about your current context to assess the relevance of your historical trend data:

Set metrics and targets for some broader budget effectiveness improvement efforts

Budget goalsetting isn’t limited to CapEx and OpEx targets. There are several effectiveness metrics to track overall improvement in your budgeting process.

Step back and think about other budget and expenditure goals you have.
Do you want to:

• Better align the budget with organizational objectives?
• Increase cost forecasting accuracy?
• Increase budget transparency and completeness?
• Improve the effectiveness of your budget presentation?
• Reduce the amount of budget rework?
• Increase the percentage of the budget that’s approved?
• Reduce variance between what was budgeted and actuals?

Establish appropriate metrics and targets that will allow you to define success, track progress, and communicate achievement on these higher-level goals.

Check out some example metrics in the table below.

Set your high-level OpEx budget targets

The high-level targets you set now don’t need to be perfect. Think of them as reference points or guardrails to sanity-check the cost forecasting exercise to come.

If cost-cutting or optimization is a priority, then a zero-based approach is the right decision. If doing this every year is too onerous, plan to do it for your OpEx at least every few years to examine what’s actually in there, clean house, and re-set.

Set your high-level CapEx budget targets

A lot of IT CapEx is conceived in business projects, so your proposed expenditure here may not be up to you. Exercise as much influence as you can.

Unanticipated hiring and the need to buy end-user hardware is cited as a top cause of budget grief by IT leaders – get ahead of this. Project CapEx, however, is usually determined via business-based capital project approval mechanisms well in advance. And don’t forget to factor in pre-established capital asset depreciation amounts generated by all the above!

2.4 Set your high-level IT budget targets and metrics

8 hours

1. Download the IT Cost Forecasting and Budgeting Workbook to document the outcomes of this activity.
2. Review the context in which your organization is currently operating and expects to operate in the next fiscal year. Specifically, look at:
   1. The state of the economy.
   2. Stated goals, objectives, and targets.
   3. The executive’s point of view on budget increase requests.
   Document your factors, assessment, rationale, and considerations in the “Business Context Assessment” table on the “Planning Variables” tab in the IT Cost Forecasting and Budgeting Workbook.
3. Based on the business context, anticipated flips of former CapEx to OpEx, and realization of previous years’ efficiency measures, set a general non-project OpEx target as a percentage increase or decrease for next fiscal year to serve as a guideline in the cost forecasting guideline. Document this in the “Budget Targets & Metrics” table on the “Planning Variables” tab in the IT Cost Forecasting and Budgeting Workbook. sed on known capital projects, changes in headcount, typical “business as usual” equipment expenditure, and pre-established capital asset depreciation amounts, set general project CapEx and non-project CapEx targets. Document these in the “Budget Targets & Metrics” table on the “Planning Variables” tab in the IT Cost Forecasting and Budgeting Workbook.
4. Finally, set your overarching IT budget process success metrics. Also document these in the “Budget Targets & Metrics” table on the “Planning Variables” tab in the IT Cost Forecasting and Budgeting Workbook.

Download the IT Cost Forecasting and Budgeting Workbook

2.4 Set your high-level IT budget targets and metrics

Phase recap: Get into budget-starting position

Now you’re ready to do the deep dive into forecasting your IT budget for next year.

In this phase, you clarified your business context and defined your budgetary goals, including:

• Assembling your resources. You’ve built and organized your IT budgeting team, as well as gathered the data and information you’ll need to do your historical expenditure analysis and future forecasting
• Understanding the four views of the IT Cost Model. You’ve become familiar with the four views of the model and have selected which ones you’ll map for historical analysis and forecasting purposes.
• Reviewing last year’s budget versus actuals and five-year historical trends. You now have the critical rationale-building context to inform next year’s numbers and demonstrate any cost efficiencies you’ve successfully executed.
• Setting your high-level goals. You’ve established high-level targets for project and non-project CapEx and OpEx, as well as set some IT budget process improvement goals.

“We only have one dollar but five things. Help us understand how to spend that dollar.”

– Trisha Goya, Director, IT Governance & Administration, Hawaii Medical Service Association

Phase 3

Develop Your Forecasts

This phase will walk you through the following activities:

• Documenting the assumptions behind your proposed budget and develop alternative scenarios.
• Forecasting your project CapEx.
• Forecasting your non-project CapEx and OpEx.

This phase involves the following participants:

• Head of IT
• IT Financial Lead
• Other IT Management

Develop your forecasts

Start making some decisions.

This phase focuses on putting real numbers on paper based on the research and data you’ve collected. Here, you will:

• Develop assumptions and alternative scenarios. The assumptions you make are the logical foundation for your decisions, and your primary and alternative scenarios focus your thinking and demonstrate that you’ve thoroughly examined your organization’s current and future context.
• Forecast your project CapEx costs. These costs are comprised of all the project-related capital expenditures for strategic or capital projects, including in-house labor.
• Forecast your non-project CapEx and OpEx costs. These costs are the ongoing “business as usual” expenditures incurred via the day-to-day operations of IT and delivery of IT services.

“Our April forecast is what really sets the bar for what our increase is going to be next fiscal year. We realized that we couldn’t change it later, so we needed to do more upfront to get that forecast right.

If we know that IT projects have been delayed, if we know we pulled some things forward, if we know that a project isn’t starting until next year, let’s be really clear on those things so that we’re starting from a better forecast because that’s the basis of deciding two percent, three percent, whatever it’s going to be.”

– Kristen Thurber, IT Director, Office of the CIO, Donaldson Company

When pinning down assumptions, start with negotiable and non-negotiable constraints

Assumptions are things you hold to be true. They may not actually be true, but they are your logical foundation and must be shared with stakeholders so they can follow your thinking.

Start with understanding your constraints. These are either negotiable (adjustable) or non-negotiable (non-adjustable). However, what is non-negotiable for IT may be negotiable for the organization as a whole, such as its strategic objectives. Consider each of the constraints below, determine how it relates to IT expenditure options, and decide if it’s ultimately negotiable or non-negotiable.

Identifying your negotiable and non-negotiable constraints is about knowing what levers you can pull. Government entities have more non-negotiable constraints than private companies, which means IT and the organization as a whole have fewer budgetary levers to pull and a lot less flexibility.

An un-pullable lever and a pullable lever (and how much you can pull it) have one important thing in common – they are all fundamental assumptions that influence your decisions.

Brainstorm your assumptions even further

The tricky thing about assumptions is that they’re taken for granted – you don’t always realize you’ve made them. Consider these common assumptions and test them for validity.

You won’t put some of these assumptions into your final budget presentation. It’s simply worthwhile knowing what they are so you can challenge them when forecasting.

Based on your assumptions, define the primary scenario that will frame your budget

Your primary scenario is the one you believe is most likely to happen and upon which you’ll build your IT cost forecasts.

Now it’s time to outline your primary scenario.

• A scenario is created by identifying the variable factors embedded in your assumptions and manipulating them across the range of possibilities. This manipulation of variables will result in different scenarios, some more likely or feasible than others.
• Your primary scenario is the one you believe is the most feasible and/or likely to happen (i.e. most probable). This is based on:
  • Your understanding of past events and patterns.
  • Your understanding of your organization’s current context.
  • Your understanding of IT’s current context.
  • Your understanding of the organization’s objectives.
  • Your assessment of negotiable and non-negotiable constraints and other assumptions for both IT and the organization.

A note on probability…

• A non-negotiable constraint doesn’t have any variables to manipulate. It’s a 100% probability that must be rigidly accommodated and protected in your scenario. An example is a long-standing industry regulation that shows no signs of being updated or altered and must be complied with in its current state.
• A negotiable constraint has many more variables in play. Your goal is to identify the different potential values of the variables and determine the degree of probability that one value is more likely to be true or feasible than another. An example is that you’re directed to cut costs, but the amount could be as little as 3% or as much as 20%.
• And then there are the unknowns. These are circumstances, events, or initiatives that inevitably happen, but you can’t predict when, what, or how much. This is what contingency planning and insurance are for. Examples include a natural disaster, a pandemic, a supply chain crisis, or the CEO simply changing their mind. Its safe to assume something is going to happen, so if you’re able to establish a contingency fund or mechanisms that let you respond, then do it.

What could or will be your organization’s new current state at the end of next fiscal year?

Next, explore alternative scenarios, even those that may seem a bit outrageous

Offering alternatives demonstrates that you weighed all the pertinent factors and that you’ve thought broadly about the organization’s future and how best to support it.

Primary scenario approval can be helped by putting that scenario alongside alternatives that are less attractive due to their cost, priority, or feasibility. Alternative scenarios are created by manipulating or eliminating your negotiable constraints or treating specific unknowns as knowns. Here are some common alternative scenarios.

The high-cost scenario: Assumes very positive economic prospects. Characterized by more of everything – people and skills, new or more sophisticated technologies, projects, growth, and innovation. Remember to consider the long-term impact on OpEx that higher capital spend may bring in subsequent years.

Target 10-20% more expenditure than your primary scenario

The low-cost scenario: Assumes negative economic prospects or cost-control objectives. Characterized by less of everything, specifically capital project investment, other CapEx, and OpEx. Must assume that business service-level expectations will be down-graded and other sacrifices will be made.

Target 5-15% less expenditure than your primary scenario

The dark horse scenario: This is a more radical proposition that challenges the status quo. For example, what would the budget look like if all data specialists in the organization were centralized under IT? What if IT ran the corporate PMO? What if the entire IT function was 100% outsourced?

No specific target

Case Study

INDUSTRY: Manufacturing

SOURCE: Anonymous

A manufacturing IT Director gets budgetary approval by showing what the business would have to sacrifice to get the cheap option.

3.1 Document your assumptions and alternative scenarios

2 hours

1. Download the IT Cost Forecasting and Budgeting Workbook and document the outcomes of this activity on Tab 9, “Alternative Scenarios.”
2. As a management team, identify and discuss your non-negotiable and negotiable constraints. Document these in rows 4 and 5 respectively in the Workbook.
3. Brainstorm, list, and challenge any other assumptions being made by IT or the organization’s executive in terms of what can and cannot be done.
4. Identify the most likely or feasible scenario (primary) and associated assumptions. You will base your initial forecasting on this scenario.
5. Identify alternative scenarios. Document each scenario’s name, description, and key assumptions, and major opportunities in columns B-D on Tab 9, “Alternative Scenarios.” You will do any calculations for these scenarios after you have completed the forecast for your primary scenario.

Download the IT Cost Forecasting and Budgeting Workbook

Before diving into actual forecasting, get clear on project and non-project CapEx and OpEx

Traditional, binary “CapEx vs. OpEx” distinctions don’t seem adequate for showing where expenditure is really going. We’ve added a new facet to help further differentiate one-time project costs from recurring “business as usual” expenses.

Project CapEx
Includes all workforce and vendor costs associated with planning and execution of projects largely focused on the acquisition or creation of new capital assets.

Non-project CapEx
Includes “business as usual” capital asset acquisition in the interest of managing, maintaining, or supporting ongoing performance of existing infrastructure or services, such as replacement network equipment, end-user hardware (e.g. laptops), or disaster recovery/business continuity redundancies. Also includes ongoing asset depreciation amounts.

Non-project OpEx
Includes all recurring, non-CapEx “business as usual” costs such as labor compensation and training, cloud-based software fees, outsourcing costs, managed services fees, subscriptions, and other discretionary spend.

Depreciation is technically CapEx. However, for practical purposes, most organizations list it under OpEx, which can cause it to get lost in the noise. Here, depreciation is under non-project CapEx to keep its true CapEx nature visible and in the company of other “business as usual” capital purchases that will ultimately join the depreciation ranks.

Forecast your project CapEx costs

This process can be simple as far as overall budget forecasting is concerned. If it isn’t simple now, plan to make it simpler next time around.

What to expect…

• Ideally, the costs for all projects should have been thoroughly estimated, reviewed, and accepted by a steering committee, your CFO, or other approving entity at the start of the budgeting season, and funding already committed to. In a nutshell, forecasting your project costs should already have been done and will only require plugging in those numbers.
• If projects have yet to be pitched and rubber stamped, know that your work is cut out for you. Doing things in a rush or without proper due diligence will result in certain costs being missed. This means that you risk going far over budget in terms of actuals next year, or having to borrow from other areas in your budget to cover unplanned or underestimated project costs.

Key forecasting principles…

Develop rigorous business cases
Secure funding approval well in advance
Tie back costs benefitting business units
Consider the longer-term OpEx impact

For more information about putting together sound business cases for different projects and circumstances, see the following Info-Tech blueprints:

Build a Comprehensive Business Case

Fund Innovation with a Minimum Viable Business Case

Reduce Time to Consensus with an Accelerated Business Case

Apply these project CapEx forecasting tips

A good project CapEx forecast requires steady legwork, not last-minute fast thinking.

Tip #1: Don’t surprise your approvers. Springing a capital project on approvers at your formal presentation isn’t a good idea and stands a good chance of rejection, so do whatever you can to lock these costs down well in advance.

Tip #2: Project costs should be entirely comprised of CapEx if possible. Keep in mind that some of these costs will convert to depreciated non-project CapEx and non-project OpEx as they transition from project costs to ongoing “business as usual” costs, usually in the fiscal year following the year of expenditure. Creating projections for the longer-term impacts of these project CapEx costs on future types of expenditure is a good idea. Remember that a one-time project is not the same thing as a one-time cost.

Tip #3: Capitalize any employee labor costs on capital projects. This ensures the true costs of projects are not underestimated and that operational staff aren’t being used for free at the expense of their regular duties.

Tip #4: Capitalizing cloud costs in year one of a formal implementation project is usually acceptable. It’s possible to continue treating cloud costs as CapEx with some vendors via something called reserved instances, but organizations report that this is a lot of work to set up. In the end, most capitalized cloud will convert into non-project OpEx in years two and beyond.

Tip #5: Build in some leeway. By the time a project is initiated, circumstances may have changed dramatically from when it was first pitched and approved, including business priorities and needs, vendor pricing, and skillset availability. Your costing may become completely out of date. It’s a good practice to work within more general cost ranges than with specific numbers, to give you the flexibility to respond and adapt during actual execution.

3.2 Forecast your project CapEx

Time: Depends on size of project portfolio

1. Download the IT Cost Forecasting and Budgeting Workbook and navigate to Tab 5, “Project CapEx Forecast”. Add more columns as required. Enter the following for all projects:
   • Row 5 – Its name and/or unique identifier.
   • Row 6 – Its known or estimated project start/end dates.
   • Row 7 – Its status (in proposal, committed, or in progress).
2. Distribute each project’s costs across the categories listed for each view you’ve selected to map. Do not include any OpEx here – it will be mapped separately under non-project OpEx.
3. Rationalize your values. A running per-project total for each view, as well as totals for all projects combined, are in rows 16, 28, 39, and 43. Ensure these totals match or are very close across all the views you are mapping. If they don’t match, review the views that are lower-end outliers as there’s a good chance something has been overlooked.

Download the IT Cost Forecasting and Budgeting Workbook

Forecast your non-project OpEx

Most of your budget will be non-project OpEx, so plan to spend most of your forecasting effort here.

What to expect…

Central to the definition of OpEx is the fact that it’s ongoing. It rarely stops, and tends to steadily increase over time due to factors like inflation, rising vendor prices, growing organizational growth, increases in the salary expectations of employees, and other factors.

The only certain ways to reduce OpEx are to convert it to capitalizable expenditure, decrease staffing costs, not pursue cloud technologies, or for the organization to simply not grow. For most organizations, none of these approaches are feasible. Smaller scale efficiencies and optimizations can keep OpEx from running amok, but they won’t change its overall upward trajectory over time. Expect it to increase.

Key forecasting principles…

Focus on optimization and efficiency.
Aim for full spend transparency.
Think about appropriate chargeback options.
Give it the time it deserves.

For more information about how to make the most out of your IT OpEx, see the following Info-Tech blueprints:

Develop Your Cost Optimization Roadmap

Achieve IT Spend & Staffing Transparency

Discover the Hidden Costs of Outsourcing

Apply these non-project OpEx forecasting tips

A good forecast is in the details, so take a very close look to see what’s really there.

Tip #1: Consider zero-based budgeting. You don’t have to do this every year, but re-rationalizing your OpEx every few years, or a just a segment of it on a rotational basis, will not only help you readily justify the expenditure but also find waste and inefficiencies you didn’t know existed.

Tip #2: Capitalize your employee capital project work. While some organizations aren’t allowed to do this, others who can simply don’t bother. Unfortunately, this act can bloat the OpEx side of the equation substantially. Many regular employees spend a significant amount of their time working on capital projects, but this fact is invisible to the business. This is why the business keeps asking why it takes so many people to run IT.

Tip #3: Break out your cloud vs. on-premises costs. Burying cloud apps costs in a generic software bucket works against any transparency ambitions you may have. If you have anything resembling a cloud strategy, you need to track, report, and plan for these costs separately in order to measure benefits realization. This goes for cloud infrastructure costs, too.

Tip #4: Spend time on your CIO service view forecast. Completing this view counts as a first step toward service-based costing and is a good starting point for setting up an accurate service catalog. If looking for cost reductions, you’ll want to examine your forecasts in this view as there will likely be service-level reductions you’ll need to propose to hit your cost-cutting goals.

Tip #5: Budget with consideration for chargeback. chargeback mechanisms for OpEx can be challenging to manage and have political repercussions, but they do shift accountability back to the business, guarantee that the IT bills get paid, and reduce IT’s OpEx burden. Selectively charging business units for applications that only they use may be a good entry point into chargeback. It may also be as far as you want to go with it. Doing the CXO business view forecast will provide insight into your opportunities here.

Forecast your non-project CapEx

These costs are often the smallest percentage of overall expenditure but one of the biggest sources of financial grief for IT.

What to expect…

• These costs can be hard to predict. Anticipating expenditure on end-user hardware such as laptops depends on knowing how many new staff will be hired by the organization next year. Predicting the need to buy networking hardware depends on knowing if, and when, a critical piece of equipment is going to spontaneously fail. You can never be completely sure.
• IT often must reallocate funds from other areas of its budget to cover non-project CapEx costs. Unfortunately, keeping the network running and ensuring employees have access to that network is seen exclusively as an IT problem, not a business problem. Plan to change this mindset.

Key forecasting principles…

Discuss hiring plans with the business.
Pay close attention to your asset lifecycles.
Prepare to advise about depreciation schedules.
Build in contingency for the unexpected.

For more information about ensuring IT isn’t left in the lurch when it comes to non-project CapEx, see the following Info-Tech blueprints:

Manage End-User Devices

Develop an Availability and Capacity Management Plan

Modernize the Network

Apply these non-project CapEx forecasting tips

A good forecast relies on your ability to accurately predict the future.

Tip #1: Top up new hire estimations: Talk to every business unit leader about their concrete hiring plans, not their aspirations. Get a number, increase that number by 25% or 20 FTEs (whichever is less), and use this new number to calculate your end-user non-project CapEx.

Tip #2: Make an arrangement for who’s paying for operational technology (OT) devices and equipment. OT involves specialized devices such as in-the-field sensors, scanners, meters, and other networkable equipment. Historically, operational units have handled this themselves, but this has created security problems and they still rely on IT for support. Sort the financials out now, including whose budget device and equipment purchases appear on, as well as what accommodations IT will need to make in its own budget to support them.

Tip #3: Evaluate cloud infrastructure and managed services. These can dramatically reduce your non-project CapEx, particularly on the network and data center fronts. However, these solutions aren’t necessarily less expensive and will drive up OpEx, so tread cautiously.

Tip #4: Definitely do an inventory. If you haven’t invested in IT asset management, put it on your project and budgetary agenda. You can’t manage what you don’t know you have, so asset discovery should be your first order of business. From there, start gathering asset lifecycle information and build in alerting to aid your spend planning.

Tip #5: Think about retirement: What assets are nearing end of life or the end of their depreciation schedule? What impact is this having on non-project OpEx in terms of maintenance and support? Deciding to retire, replace, or extend an IT operational asset will change your non-project CapEx outlook and will affect costs in other areas.

Tip #6: Create a contingency fund: You need one to deal with surprises and emergencies, so why wait?

Document the organization’s projected FTEs by business function

This data point is usually missing from IT’s budget forecasting data set. Try to get it.

A powerful metric to share with business stakeholders is expenditure per employee or FTE. It’s powerful because:

• It’s one of the few metrics that’s intuitively understood by most people
• It can show changes in IT expenditure over time at both granular and general levels.

This metric is one of the simplest to calculate. The challenge is in getting your hands on the data in the first place.

• Most business unit leaders struggle to pin down this number in terms of actuals as they have difficulty determining what an FTE actually is. Does it include contract staff? Part-time staff? Seasonal workers? Volunteers and interns? And if the business unit has high turnover, this number can fluctuate significantly.
• Encourage your business peers to produce a rational estimate. Unlike the headcount number you’re seeking to forecast for non-project capital expenditure for end-user hardware, this FTE number should strive to be more in the ballpark, as you’re not using it to ensure sufficient funds but comparatively track expenditure year to year.
• Depending on your industry, employees or FTEs may not be the best measurement. Use what works best for you. Number of unique users is a common one. Other industry-specific examples include per student, per bed, per patient, per account, and per resident.

Start to build in long-term and short-term forecasting into your budgeting process

These are growing practices in mature IT organizations that afford significant flexibility.

3.4 Forecast your non-project OpEx and CapEx

Time: Depends on size of vendor portfolio and workforce

1. Download the IT Cost Forecasting and Budgeting Workbook and navigate to Tab 4, “Business as Usual Forecast”. This tab assumes an incremental budgeting approach. Last year’s actuals have been carried forward for you to build upon.
2. Enter expected percentage-based cost increases/decreases for next fiscal year for each of the following variables (columns E-I): inflation, vendor pricing, labor costs, service levels, and depreciation. Do this for all sub-categories for the ITFM cost model views you’ve opted to map. Provide rationales for your percentage values in column K.
3. In columns M and N, enter the anticipated percentage allocation of cost to non-project CapEx versus non-project OpEx.
4. In column O, rows 29-38, enter the projected FTEs for each business function (if available).
5. If you choose, make longer-term, high-level forecasts for 2-3 years in the future in columns P-U. Performing longer-term forecasts for at least the CFO expense view categories is recommended.

Download the IT Cost Forecasting and Budgeting Workbook

Case Study

INDUSTRY: Insurance

SOURCE: Anonymous

Phase recap: Develop your forecasts

The hard math is done. Now it’s time to step back and craft your final proposed budget and its key messages.

This phase focused on developing your forecasts and proposed budget for next fiscal year. It included:

• Developing assumptions and alternative scenarios. These will showcase your understanding of business context as well as what’s most likely to happen (or should happen) next year.
• Forecasting your project CapEx costs. If these costs weren’t laid out already in formal, approved project proposals or plans, now you know why it’s the better approach for developing a budget.
• Forecasting your non-project CapEx and OpEx costs. Now you should have more clarity and transparency concerning where these costs are going and exactly why they need to go there.

“Ninety percent of your projects will get started but a good 10% will never get off the ground because of capacity or the business changes their mind or other priorities are thrown in. There are always these sorts of challenges that come up.”

– Theresa Hughes, Executive Counselor,
Info-Tech Research Group
and Former IT Executive

Phase 4

Build Your Proposed Budget

This phase will walk you through the following activities:

• Pulling your forecasts together into a comprehensive IT budget for next fiscal year.
• Double checking your forecasts to ensure they’re accurate.
• Fine tuning the rationales behind your proposals.

This phase involves the following participants:

• Head of IT
• IT Financial Lead
• Other IT Management

Build your proposed budget

Triple check your numbers and put the finishing touches on your approval-winning rationales.

This phase is where your analysis and decision making finally come together into a coherent budget proposal. Key steps include:

• Aggregating your numbers. This step involves pulling together your project CapEx, non-project CapEx, and non-project OpEx forecasts into a comprehensive whole and sanity-checking your expenditure-type ratios.
• Stress-testing your forecasts. Do some detailed checks to ensure everything’s accounted for and you haven’t overlooked any significant information or factors that could affect your forecasted costs.
• Challenging and perfecting your rationales. Your ability to present hard evidence and rational explanations in support of your proposed budget is often the difference between a yes or a no. Look at your proposals from different stakeholder perspectives and ask yourself, “Would I say yes to this if I were them?”

“We don’t buy servers and licenses because we want to. We buy them because we have to. IT doesn’t need those servers out at our data center provider, network connections, et cetera. Only a fraction of these costs are to support us in the IT department. IT doesn’t have control over these costs because we’re not the consumers.”

– Matt Johnson, IT Director Governance and Business Solutions, Milwaukee County

Great rationales do more than set you up for streamlined budgetary approval

Rationales build credibility and trust in your business capabilities. They can also help stop the same conversations happening year after year.

Any item in your proposed budget can send you down a rabbit hole if not thoroughly defensible.

You probably won’t need to defend every item, but it’s best to be prepared to do so. Ask yourself:

• What areas of spend does the CFO come back to year after year? Is it some aspect of OpEx, such as workforce costs or cloud software fees? Is it the relationship between proposed project spend and business benefits? Provide detailed and transparent rationales for these items to start re-directing long-term conversations to more strategic issues.
• What areas of spend seem to be recurring points of conflict with business unit leaders? Is it surprise spend that comes from business decisions that didn’t include IT? Is it business-unit leaders railing against chargeback? Have frank, information-sharing conversations focused on business applications, service-level requirements, and true IT costs to support them.
• What’s on the CEO’s mind? Are they focused on entering a new overseas market, which will require capital investment? Are they interested in the potential of a new technology because competitors are adopting it? It may not be the same focus as last year, so ensure you have fresh rationales that show how IT will help deliver on these business goals.

“Budgets get out of control when one department fails to care for the implications of change within another department's budget. This wastes time, reduces accuracy and causes conflict.”

– Tara Kinney, Atomic Revenue, LLC.

Rationalizing costs depends on the intention of the spend

Not all spending serves the same purpose. Some types require deeper or different justifications than others.

For the business, there are two main purposes for spend:

1. Spending that drives revenues or the customer experience. Think in terms of return on investment (ROI), i.e. when will the expenditure pay for itself via the revenue gains it helps create?
2. Spending that mitigates and manages risk. Think in terms of cost-benefit, i.e. what are the costs of doing something versus doing nothing at all?

Source: Kris Blackmon, NetSuite Brainyard.

“Approval came down to ROI and the ability to show benefits realization for years one, two, and three through five.”

– Duane Cooney, Executive Counselor, Info-Tech Research Group, and Former Healthcare CIO

Regardless of its ultimate purpose, all expenditure needs statements of assumptions, obstacles, and likelihood of goals being realized behind it.

• What are the assumptions that went into the calculation?
• Is the spend new or a reallocation (and from where)?
• What’s the likelihood of realizing returns or benefits?
• What are potential obstacles to realizing returns or benefits?

Rationales aren’t only for capital projects – they can and should be applied to all proposed OpEx and CapEx. Business project rationales tend to drive revenue and the customer experience, demanding ROI calculations. Internal IT-projects and non-project expenditure are often focused on mitigating and managing risk, requiring cost-benefit analysis.

First, make sure your numbers add up

There are a lot of numbers flying around during a budgeting process. Now’s the time to get out of the weeds, look at the big picture, and ensure everything lines up.

4.1 Aggregate your proposed budget numbers and stress test your forecasts

2 hours

1. Download the IT Cost Forecasting and Budgeting Workbook for this activity. If you have been using it thus far, the Workbook will have calculated your numbers for you across the four views of the ITFM Cost Model on Tab 7, “Proposed Budget”, including:
   1. Forecasted non-project OpEx, non-project CapEx (including depreciation values), project CapEx, and total values.
   2. Numerical and percentage variances from the previous year.
2. Test and finalize your forecasts by applying the questions on the previous slide.
3. Flag cost categories where large variances from the previous year or large numbers in general appear – you will need to ensure your rationales for these variances are rigorous in the next step.
4. Make amendments if needed to Tabs 4, “Business as Usual Forecast” and 5, “Project CapEx Forecast” in the IT Cost Forecasting and Budgeting Workbook.

Download the IT Cost Forecasting and Budgeting Workbook

Case Study

INDUSTRY: Healthcare

SOURCE: Anonymous

The strength of your rationales will determine how readily your budget is approved

When proposing expenditure, you need to thoroughly consider the organization’s goals, its governance culture, and the overall feasibility of what’s being asked.

First, recall what budgets are really about.

The completeness, accuracy, and granularity of your numbers and thorough ROI calculations for projects are essential. They will serve you well in getting the CFO’s attention. However, the numbers will only get you halfway there. Despite what some people think, the work in setting a budget is more about the what, how, and why – that is, the rationale – than about the how much.

Next, revisit Phase 1 of this blueprint and review:

• Your organization’s budgeting culture and processes.
• The typical accountabilities, priorities, challenges, opportunities, and expectations associated with your CFO, CEO, and CXO IT budget stakeholders.
• Your budgetary mandate as the head of IT.

Then, look at each component of your proposed budget through each of these three rationale-building lenses.

Business goals
What are the organization’s strategic priorities?

Governance culture
How constrained is the decision-making process?

Feasibility
Can we make it happen?

Linking proposed spend to strategic goals isn’t just for strategic project CapEx

Tie in your “business as usual” non-project OpEx and CapEx, as well.

Your governance culture will determine what you need to show and when you show it

The rigor of your rationales is entirely driven by “how things are done around here.”

No matter which way your goals and culture lean, ground all your rationales in reality

Objective, unapologetic facts are your strongest rationale-building tool.

Double-check to ensure your bases are covered

For more on creating detailed business cases for projects and investments, see Info-Tech’s comprehensive blueprint, Build a Comprehensive Business Case.

4.2 Challenge and perfect your rationales

2 hours

1. Based on your analysis in Phase 1, review your organization’s current and near-term business goals (context, lifecycle position, opportunities), governance culture (risk tolerance, control, speed to action), and feasibility (funding, capabilities, risk) to understand what’s possible, what’s not, and your general boundaries.
2. Review your proposed budget in its current form and flag items that may be difficult or impossible to sell, given the above.
3. Systematically go through each item in you proposed budget and apply the detailed data and information and high-level rationale checklists on the previous slide to ensure you have considered it from every angle and have all the information you need to defend it.
4. Track down any additional information needed to fill gaps and fine-tune your budget based on any discoveries, including eliminating or adding elements if needed.

Download the IT Cost Forecasting and Budgeting Workbook

Phase recap: Build your proposed budget

You can officially say your proposed IT budget is done. Now for the communications part.

This phase is where everything came together into a coherent budget proposal. You were able to:

• Aggregate your numbers. This involved pulling for project and non-project CapEx and OpEx forecasts into a single proposed IT budget total.
• Stress-test your forecasts. Here, you ensured that all your numbers were accurate and made sense.
• Challenge and perfect your rationales. Finally, you made sure you have all your evidence in place and can defend every component in your proposed IT budget regardless of who’s looking at it.

“Current OpEx is about supporting and aligning with past business strategies. That’s alignment. If the business wants to give up on those past business strategies, that’s up to them.”

– Darin Stahl, Distinguished Analyst and Research Fellow, Info-Tech Research Group

Phase 5

Create and Deliver Your Presentation

This phase will walk you through the following activities:

• Planning the content you’ll include in your budget presentation.
• Pulling together your formal presentation.
• Presenting, finalizing, and submitting your budget.

This phase involves the following participants:

• Head of IT
• IT Financial Lead
• Other IT Management

Create and deliver your presentation

Pull it all together into something you can show your approvers and stakeholders and win IT budgetary approval.

This phase focuses on developing your final proposed budget presentation for delivery to your various stakeholders. Here you will:

• Plan your final content. Decide the narrative you want to tell and select the visualizations and words you want to include in your presentation (or presentations) depending on the makeup of your target audience.
• Build your presentation. Pull together all the key elements in a PowerPoint template in a way that best tells the IT budget story.
• Present to stakeholders. Deliver your IT budgetary message.
• Make final adjustments and submit your budget. Address any questions, make final changes, and deconstruct your budget into the account categories mandated by your Finance Department to plug into the budget template they’ve provided.

“I could have put the numbers together in a week. The process of talking through what the divisions need and spending time with them is more time consuming than the budget itself.”

– Jay Gnuse, IT Director, Chief Industries

The content you select to present depends on your objectives and constraints

Info-Tech classifies potential content according to three basic types: mandatory, recommended, and optional. What’s the difference?

Deciding what to include or exclude depends 100% on your target audience. What will fulfill their basic information needs as well as increase their engagement in IT financial issues?

Revisit your assumptions and alternative scenarios first

These represent the contextual framework for your proposal and explain why you made the decisions you did.

Stating your assumptions and presenting at least two alternative scenarios helps in the following ways:

1. Identifies the factors you considered when setting budget targets and proposing specific expenditures, and shows that you know what the important factors are.
2. Lays the logical foundation for all the rationales you will be presenting.
3. Demonstrates that you’ve thought broadly about the future of the organization and how IT is best able to support that future organization regardless of its state and circumstances.

Your assumptions and alternative scenarios may not appear back-to-back in your presentation, yet they’re intimately connected in that every unique scenario is based on adjustments to your core assumptions. These tweaks – and the resulting scenarios – reflect the different degrees of probability that a variable is likely to land on a certain value (i.e. an alternative assumption).

Your primary scenario is the one you believe is most likely to happen and is represented by the complete budget you’re recommending and presenting.

Target timeframe for presentation: 2 minutes

Key objectives: Setting context, demonstrating breadth of thought.

Potential content for section:

• List of assumptions for the budget being presented (primary target scenario).
• Two or more alternative scenarios.

“Things get cut when the business
doesn’t know what something is,
doesn’t recognize it, doesn’t understand it. There needs to be an education.”

– Angie Reynolds, Principal Research Director, ITFM Practice,
Info-Tech Research Group,

Select your assumptions and scenarios

See Tabs “Planning Variables” and 9, “Alternative Scenarios” in your IT Cost Forecasting and Budgeting Workbook for these outputs.

The first major section of your presentation will be a retrospective

Plan to kick things off with a review of last year’s results, factors that affected what transpired, and longer-term historical IT expenditure trends.

This retrospective on IT expenditure is important for three reasons:

1. Clarifying definitions and the different categories of IT expenditure.
2. Showing your stakeholders how, and how well you aligned IT expenditure with business objectives.
3. Setting stakeholder expectations about what next year’s budget will look like based on past patterns.

You probably won’t have a lot of time for this section, so everything you select to share should pack a punch and perform double duty by introducing concepts you’ll need your stakeholders to have internalized when you present next year’s budget details.

Target timeframe for presentation: 7 minutes

Key objectives: Definitions, alignment, expectations-setting.

Potential content for section:

• Last fiscal year budgeted vs. actuals
• Expenditure by type
• Major capital projects completed
• Top vendor spend
• Drivers of last year’s expenditures and efficiencies
• Last fiscal year in in detail (expense view, service view, business view, innovation view)
• Expenditure trends for the past five years

“If they don’t know the consequences of their actions, how are they ever going to change their actions?”

– Angela Hintz, VP of PMO & Integrated Services,
Blue Cross and Blue Shield of Louisiana

Start at the highest level

See Tabs 1 “Historical Events & Projects,” 3 “Historical Analysis,” and 6 “Vendor Worksheet” in your IT Cost Forecasting and Budgeting Workbook for these outputs.

Describe drivers of costs and savings

See Tab 1, “Historical Events & Projects” in your IT Cost Forecasting and Budgeting Workbook for these outputs.

Also calculate and list the magnitude of costs incurred or savings realized in hard financial terms so that the full impact of these events is truly understood by your stakeholders.

“What is that ongoing cost?
If we brought in a new platform, what
does that do to our operating costs?”

– Kristen Thurber, IT Director, Office of the CIO, Donaldson Company

End with longer-term five-year trends

See Tab 3 “Historical Analysis” in your IT Cost Forecasting and Budgeting Workbook for these outputs.

The historical analysis you can do is endless. You can generate many more cuts of the data or go back even further – it’s up to you.

Keep in mind that you won’t have a lot of time during your presentation, so stick to the high-level, high-impact graphs that demonstrate overarching trends or themes.

Show different views of the details

See Tab 3 “Historical Analysis” in your IT Cost Forecasting and Budgeting Workbook for these outputs.

5.1a Select your retrospective content

30 minutes

1. Open your copy of the IT Cost Forecasting and Budgeting Workbook.
2. From Tabs 1, “Historical Events & Projects, 3 “Historical Analysis”, and 6, “Vendor Worksheet,” select the visual outputs (graphs and lists) you plan to include in the retrospective section of your presentation. Consider the following when determining what to include or exclude:
   1. Fundamentals: Elements such as budgeted vs. actual, distribution across expenditure types, and drivers of variance are mandatory.
   2. Key clarifications: What expectations need to be set or common misunderstandings cleared up? Strategically insert visuals that introduce and explain important concepts early.
   3. Your time allowance. Plan for a maximum of seven minutes for every half hour of total presentation time.
3. Note what you plan to include in your presentation and set aside.

Download the IT Cost Forecasting and Budgeting Workbook

Next, transition from past expenditure to your proposal for the future

Build a logical bridge between what happened in the past to what’s coming up next year using a comparative approach and feature major highlights.

This transitional phase between the past and the future is important for the following reasons:

1. It illustrates any consistent patterns of IT expenditure that may exist and be relevant in the near term.
2. It sets the stage for explaining any deviations from historical patterns that you’re about to propose.
3. It grounds proposed IT expenditure within the context of commitments made in previous years.

Consider this the essential core of your presentation – this is the key message and what your audience came to hear.

Target timeframe for presentation: 10 minutes

Key objectives: Transition, reveal proposed budget.

Potential content for section:

• Last year’s actuals vs. next year’s proposed.
• Next year’s proposed budget in context of the past five years’ year-over-year actuals.
• Last year’s actual expenditure type distribution vs. next year’s proposed budget distribution.
• Major projects to be started next year.

“The companies...that invest the most in IT aren’t necessarily the best performers.
On average, the most successful small and medium companies are more frugal when it comes to
company spend on IT (as long as they do it judiciously).”

– Source: Techvera, 2023

Compare next year to last year

See Tab 8, “Proposed Budget Analysis” in your IT Cost Forecasting and Budgeting Workbook for these outputs.

Last year’s total actuals vs. next year’s total forecast	Proposed budget in context: Year-over-year expenditure	Last year’s actuals vs. next year’s proposed by expenditure type	Last year’s expenditure per FTE vs. next year’s proposed
Graph	Graph	Graph	Graph
Mandatory: This is the most important graph for connecting the past with the future and is also the first meaningful view your audience will have of your proposed budget for next year.	Mandatory: Here, you will continue the long-term view introduced in your historical data by adding on next year’s projections to your existing five-year historical trend. The percentage change from last year to next year will be the focus.	Recommended: A double-comparative breakdown of last year vs. next year by non-project OpEx, non-project CapEx, and project CapEx illustrates where major events, decisions, and changes are having their impact.	Optional: This graph is particularly useful in demonstrating the success of cost-control if the actual proposed budget is higher that the previous year but the IT cost per employee has gone down.

Select business projects to profile

See Tab 5, “Project CapEx Forecast” in your IT Cost Forecasting and Budgeting Workbook for the data and information to create these outputs.

You can’t profile every project on the list, but it’s important that your stakeholders see their priorities clearly reflected in your budget; projects are the best way to do this.

If you’ve successfully pre-sold your budget and partnered with business-unit leaders to define IT initiatives, your stakeholders should already be very familiar with the project summaries you put in front of them in your presentation.

5.1b Select your transitional past-to-future content

30 minutes

1. Open your copy of the IT Cost Forecasting and Budgeting Workbook.
2. From Tabs 5, “Project CapEx Forecast” and 7, “Proposed Budget Analysis”, select the visual outputs (graphs and lists) you plan to include in the transitional section of your presentation. Consider the following when determining what to include or exclude:
   1. Shift from CapEx to OpEx: If this has been a point of contention or confusion with your CFO in the past, or if your organization has actively committed to greater cloud or outsourcing intensity, you’ll want to show this year-to-year shift in expenditure type.
   2. Strategic priorities: Profile major capital projects that reflect stakeholder priorities. If your audience is already very familiar with these projects, you may be able to skip detailed profiles and simply list them.
   3. Your time allowance. Plan for a maximum of 10 minutes for every half hour of total presentation time.
3. Note what you plan to include in your presentation and set aside.

Download the IT Cost Forecasting and Budgeting Workbook

Finally, carefully select detailed drill-downs that add clarity and depth to your proposed budget

The graphs you select here will be specific to your audience and any particular message you need to send.

This detailed phase of your presentation is important because it allows you to:

1. Highlight specific areas of IT expenditure that often get buried under generalities.
2. View your proposed budget from different perspectives that are most meaningful to your audience, such as traditional workforce vs. vendor allocations, expenditure by IT service, business-unit consumption, and the allocation of funds to innovation and growth versus daily IT operations.
3. Get stakeholder attention. For example, laying out exactly how much money will be spent next year in support of the Sales Department compared to other units will get the VP of Sales’ attention…and everyone else’s, for that matter. This kind of transparency is invaluable for enabling meaningful conversations and thoughtful decision-making about IT spend.

Target timeframe for presentation: 7 minutes, but this phase of the presentation may naturally segue into the final Q&A.

Key objectives: Transparency, dialogue, buy-in.

Potential content for section:

• Allocation across workforce vs. vendors
• Top vendors by expenditure
• Allocation across on-premises vs. cloud
• Allocation across core IT services
• Allocation across core business units
• Allocation across business focus area

“A budget is a quantified version of
your service-level agreements.”