Threat Preparedness Using MITRE ATT&CK®

  • Buy Link or Shortcode: {j2store}252|cart{/j2store}
  • member rating overall impact: N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • Parent Category Name: Security Strategy & Budgeting
  • Parent Category Link: /security-strategy-and-budgeting
  • To effectively protect your business interests, you need to be able to address what the most pressing vulnerabilities in your network are. Which attack vectors should you model first? How do you adequately understand your threat vectors when attacks continually change and adapt?
  • Security can often be asked the world but given a minimal budget with which to accomplish it.
  • Security decisions are always under pressure from varying demands that pull even the most well-balanced security team in every direction.
  • Adequately modeling any and every possible scenario is ineffective and haphazard at best. Hoping that you have chosen the most pressing attack vectors to model will not work in the modern day of threat tactics.

Our Advice

Critical Insight

  • Precision is critical to being able to successfully defend against threats.
    • Traditional threat modeling such as STRIDE or PASTA is based on a spray-and-pray approach to identifying your next potential threat vector. Instead, take a structured risk-based approach to understanding both an attacker’s tactics and how they may be used against your enterprise. Threat preparedness requires precision, not guesswork.
  • Knowing is half the battle.
    • You may be doing better than you think. Undoubtedly, there is a large surface area to cover with threat modeling. By preparing beforehand, you can separate what’s important from what’s not and identify which attack vectors are the most pressing for your business.
  • Be realistic and measured.
    • Do not try to remediate everything. Some attack vectors and approaches are nearly impossible to account for. Take control of the areas that have reasonable mitigation methods and act on those.
  • Identify blind spots.
    • Understand what is out there and how other enterprises are being attacked and breached. See how you stack up to the myriad of attack tactics that have been used in real-life breaches and how prepared you are. Know what you’re ready for and what you’re not ready for.
  • Analyze the most pressing vectors.
    • Prioritize the attack vectors that are relevant to you. If an attack vector is an area of concern for your business, start there. Do not cover the entire tactics list if certain areas are not relevant.
  • Detection and mitigation lead to better remediation.
    • For each relevant tactic and techniques, there are actionable detection and mitigation methods to add to your list of remediation efforts.

Impact and Result

Using the MITRE ATT&CK® framework, Info-Tech’s approach helps you understand your preparedness and effective detection and mitigation actions.

  • Learn about potential attack vectors and the techniques that hostile actors will use to breach and maintain a presence on your network.
  • Analyze your current protocols versus the impact of an attack technique on your network.
  • Discover detection and mitigation actions.
  • Create a prioritized series of security considerations, with basic actionable remediation items. Plan your next threat model by knowing what you’re vulnerable to.
  • Ensure business data cannot be leaked or stolen.
  • Maintain privacy of data and other information.
  • Secure the network connection points.
  • Mitigate risks with the appropriate services.

This blueprint and associated tool are scalable for all types of organizations within various industry sectors, allowing them to know what types of risk they are facing and what security services are recommended to mitigate those risks.

Threat Preparedness Using MITRE ATT&CK® Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why threat preparedness is a crucial first step in defending your network against any attack type. Review Info-Tech’s methodology and understand the ways we can support you in completing this project.

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Attack tactics and techniques

Review a breakdown of each of the various attack vectors and their techniques for additional context and insight into the most prevalent attack tactics.

  • Threat Preparedness Using MITRE ATT&CK® – Phase 1: Attack Tactics and Techniques

2. Threat Preparedness Workbook mapping

Map your current security protocols against the impacts of various techniques on your network to determine your risk preparedness.

  • Threat Preparedness Using MITRE ATT&CK® – Phase 2: Threat Preparedness Workbook Mapping
  • Enterprise Threat Preparedness Workbook

3. Execute remediation and detective measures

Use your prioritized attack vectors to plan your next threat modeling session with confidence that the most pressing security concerns are being addressed with substantive remediation actions.

  • Threat Preparedness Using MITRE ATT&CK® – Phase 3: Execute Remediation and Detective Measures
[infographic]

Mergers & Acquisitions: The Buy Blueprint

  • Buy Link or Shortcode: {j2store}325|cart{/j2store}
  • member rating overall impact: 9.0/10 Overall Impact
  • member rating average dollars saved: 5 Average Days Saved
  • member rating average days saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
  • Parent Category Name: IT Strategy
  • Parent Category Link: /it-strategy

There are four key scenarios or entry points for IT as the acquiring organization in M&As:

  • IT can suggest an acquisition to meet the business objectives of the organization.
  • IT is brought in to strategy plan the acquisition from both the business’ and IT’s perspectives.
  • IT participates in due diligence activities and valuates the organization potentially being acquired.
  • IT needs to reactively prepare its environment to enable the integration.

Consider the ideal scenario for your IT organization.

Our Advice

Critical Insight

Acquisitions are inevitable in modern business, and IT’s involvement in the process should be too. This progression is inspired by:

  • The growing trend for organizations to increase, decrease, or evolve through these types of transactions.
  • A maturing business perspective of IT, preventing the difficulty that IT is faced with when invited into the transaction process late.
  • Transactions that are driven by digital motivations, requiring IT’s expertise.
  • There never being such a thing as a true merger, making the majority of M&A activity either acquisitions or divestitures.

Impact and Result

Prepare for a growth/integration transaction by:

  • Recognizing the trend for organizations to engage in M&A activity and the increased likelihood that, as an IT leader, you will be involved in a transaction in your career.
  • Creating a standard strategy that will enable strong program management.
  • Properly considering all the critical components of the transaction and integration by prioritizing tasks that will reduce risk, deliver value, and meet stakeholder expectations.

Mergers & Acquisitions: The Buy Blueprint Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out how your organization can excel its growth strategy by engaging in M&A transactions. Review Info-Tech’s methodology and understand the four ways we can support you in completing this project.

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Proactive Phase

Be an innovative IT leader by suggesting how and why the business should engage in an acquisition or divestiture.

  • One-Pager: M&A Proactive
  • Case Study: M&A Proactive
  • Information Asset Audit Tool
  • Data Valuation Tool
  • Enterprise Integration Process Mapping Tool
  • Risk Register Tool
  • Security M&A Due Diligence Tool

2. Discovery & Strategy

Create a standardized approach for how your IT organization should address acquisitions.

  • One-Pager: M&A Discovery & Strategy – Buy
  • Case Study: M&A Discovery & Strategy – Buy

3. Due Diligence & Preparation

Evaluate the target organizations to minimize risk and have an established integration project plan.

  • One-Pager: M&A Due Diligence & Preparation – Buy
  • Case Study: M&A Due Diligence & Preparation – Buy
  • IT Due Diligence Charter
  • Technical Debt Business Impact Analysis Tool
  • IT Culture Diagnostic
  • M&A Integration Project Management Tool (SharePoint)
  • SharePoint Template: Step-by-Step Deployment Guide
  • M&A Integration Project Management Tool (Excel)
  • Resource Management Supply-Demand Calculator

4. Execution & Value Realization

Deliver on the integration project plan successfully and communicate IT’s transaction value to the business.

  • One-Pager: M&A Execution & Value Realization – Buy
  • Case Study: M&A Execution & Value Realization – Buy

Infographic

Workshop: Mergers & Acquisitions: The Buy Blueprint

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

1 Pre-Transaction Discovery & Strategy

The Purpose

Establish the transaction foundation.

Discover the motivation for acquiring.

Formalize the program plan.

Create the valuation framework.

Strategize the transaction and finalize the M&A strategy and approach.

Key Benefits Achieved

All major stakeholders are on the same page.

Set up crucial elements to facilitate the success of the transaction.

Have a repeatable transaction strategy that can be reused for multiple organizations.

Activities

1.1 Conduct the CIO Business Vision and CEO-CIO Alignment Diagnostics.

1.2 Identify key stakeholders and outline their relationship to the M&A process.

1.3 Identify the rationale for the company's decision to pursue an acquisition.

1.4 Assess the IT/digital strategy.

1.5 Identify pain points and opportunities tied to the acquisition.

1.6 Create the IT vision and mission statements and identify IT guiding principles and the transition team.

1.7 Document the M&A governance.

1.8 Establish program metrics.

1.9 Create the valuation framework.

1.10 Establish the integration strategy.

1.11 Conduct a RACI.

1.12 Create the communication plan.

1.13 Prepare to assess target organization(s).

Outputs

Business perspectives of IT

Stakeholder network map for M&A transactions

Business context implications for IT

IT’s acquiring strategic direction

Governance structure

M&A program metrics

IT valuation framework

Integration strategy

RACI

Communication plan

Prepared to assess target organization(s)

2 Mid-Transaction Due Diligence & Preparation

The Purpose

Establish the transaction foundation.

Discover the motivation for integration.

Assess the target organization(s).

Create the valuation framework.

Plan the integration roadmap.

Key Benefits Achieved

All major stakeholders are on the same page.

Methodology identified to assess organizations during due diligence.

Methodology can be reused for multiple organizations.

Integration activities are planned and assigned.

Activities

2.1 Gather and evaluate the stakeholders involved, M&A strategy, future-state operating model, and governance.

2.2 Review the business rationale for the acquisition.

2.3 Establish the integration strategy.

2.4 Create the due diligence charter.

2.5 Create a list of IT artifacts to be reviewed in the data room.

2.6 Conduct a technical debt assessment.

2.7 Assess the current culture and identify the goal culture.

2.8 Identify the needed workforce supply.

2.9 Create the valuation framework.

2.10 Establish the integration roadmap.

2.11 Establish and align project metrics with identified tasks.

2.12 Estimate integration costs.

Outputs

Stakeholder map

IT strategy assessment

IT operating model and IT governance structure defined

Business context implications for IT

Integration strategy

Due diligence charter

Data room artifacts

Technical debt assessment

Culture assessment

Workforce supply identified

IT valuation framework

Integration roadmap and associated resourcing

3 Post-Transaction Execution & Value Realization

The Purpose

Establish the transaction foundation.

Discover the motivation for integration.

Plan the integration roadmap.

Prepare employees for the transition.

Engage in integration.

Assess the transaction outcomes.

Key Benefits Achieved

All major stakeholders are on the same page.

Integration activities are planned and assigned.

Employees are set up for a smooth and successful transition.

Integration strategy and roadmap executed to benefit the organization.

Review what went well and identify improvements to be made in future transactions.

Activities

3.1 Identify key stakeholders and determine IT transaction team.

3.2 Gather and evaluate the M&A strategy, future-state operating model, and governance.

3.3 Review the business rationale for the acquisition.

3.4 Establish the integration strategy.

3.5 Prioritize integration tasks.

3.6 Establish the integration roadmap.

3.7 Establish and align project metrics with identified tasks.

3.8 Estimate integration costs.

3.9 Assess the current culture and identify the goal culture.

3.10 Identify the needed workforce supply.

3.11 Create an employee transition plan.

3.12 Create functional workplans for employees.

3.13 Complete the integration by regularly updating the project plan.

3.14 Begin to rationalize the IT environment where possible and necessary.

3.15 Confirm integration costs.

3.16 Review IT’s transaction value.

3.17 Conduct a transaction and integration SWOT.

3.18 Review the playbook and prepare for future transactions.

Outputs

M&A transaction team

Stakeholder map

IT strategy assessed

IT operating model and IT governance structure defined

Business context implications for IT

Integration strategy

Integration roadmap and associated resourcing

Culture assessment

Workforce supply identified

Employee transition plan

Employee functional workplans

Updated integration project plan

Rationalized IT environment

SWOT of transaction

M&A Buy Playbook refined for future transactions

Further reading

Mergers & Acquisitions: The Buy Blueprint

For IT leaders who want to have a role in the transaction process when their business is engaging in an M&A purchase.

EXECUTIVE BRIEF

Analyst Perspective

Don’t wait to be invited to the M&A table, make it.

Photo of Brittany Lutes, Research Analyst, CIO Practice, Info-Tech Research Group.
Brittany Lutes
Research Analyst,
CIO Practice
Info-Tech Research Group
Photo of Ibrahim Abdel-Kader, Research Analyst, CIO Practice, Info-Tech Research Group.
Ibrahim Abdel-Kader
Research Analyst,
CIO Practice
Info-Tech Research Group

IT has always been an afterthought in the M&A process, often brought in last minute once the deal is nearly, if not completely, solidified. This is a mistake. When IT is brought into the process late, the business misses opportunities to generate value related to the transaction and has less awareness of critical risks or inaccuracies.

To prevent this mistake, IT leadership needs to develop strong business relationships and gain respect for their innovative suggestions. In fact, when it comes to modern M&A activity, IT should be the ones suggesting potential transactions to meet business needs, specifically when it comes to modernizing the business or adopting digital capabilities.

IT needs to stop waiting to be invited to the acquisition or divestiture table. IT needs to suggest that the table be constructed and actively work toward achieving the strategic objectives of the business.

Executive Summary

Your Challenge

There are four key scenarios or entry points for IT as the acquiring organization in M&As:

  • IT can suggest an acquisition to meet the business objectives of the organization.
  • IT is brought in to strategy plan the acquisition from both the business’ and IT’s perspectives.
  • IT participates in due diligence activities and valuates the organization potentially being acquired.
  • IT needs to reactively prepare its environment to enable the integration.

Consider the ideal scenario for your IT organization.

Common Obstacles

Some of the obstacles IT faces include:

  • IT is often told about the transaction once the deal has already been solidified and is now forced to meet unrealistic business demands.
  • The business does not trust IT and therefore does not approach IT to define value or reduce risks to the transaction process.
  • The people and culture element are forgotten or not given adequate priority.

These obstacles often arise when IT waits to be invited into the transaction process and misses critical opportunities.

Info-Tech's Approach

Prepare for a growth/integration transaction by:

  • Recognizing the trend for organizations to engage in M&A activity and the increased likelihood that, as an IT leader, you will be involved in a transaction in your career.
  • Creating a standard strategy that will enable strong program management.
  • Properly considering all the critical components of the transaction and integration by prioritizing tasks that will reduce risk, deliver value, and meet stakeholder expectations.

Info-Tech Insight

As the number of merger, acquisition, and divestiture transactions continues to increase, so too does IT’s opportunity to leverage the growing digital nature of these transactions and get involved at the onset.

The changing M&A landscape

Businesses will embrace more digital M&A transactions in the post-pandemic world

  • When the pandemic occurred, businesses reacted by either pausing (61%) or completely cancelling (46%) deals that were in the mid-transaction state (Deloitte, 2020). The uncertainty made many organizations consider whether the risks would be worth the potential benefits.
  • However, many organizations quickly realized the pandemic is not a hindrance to M&A transactions but an opportunity. Over 16,000 American companies were involved in M&A transactions in the first six months of 2021 (The Economist). For reference, this had been averaging around 10,000 per six months from 2016 to 2020.
  • In addition to this transaction growth, organizations have increasingly been embracing digital. These trends increase the likelihood that, as an IT leader, you will engage in an M&A transaction. However, it is up to you when you get involved in the transactions.

The total value of transactions in the year after the pandemic started was $1.3 billion – a 93% increase in value compared to before the pandemic. (Nasdaq)

Virtual deal-making will be the preferred method of 55% of organizations in the post-pandemic world. (Wall Street Journal, 2020)

Your challenge

IT is often not involved in the M&A transaction process. When it is, it’s often too late.

  • The most important driver of an acquisition is the ability to access new technology (DLA Piper), and yet 50% of the time, IT isn’t involved in the M&A transaction at all (IMAA Institute, 2017).
  • Additionally, IT’s lack of involvement in the process negatively impacts the business:
    • Most organizations (60%) do not have a standardized approach to integration (Steeves and Associates).
    • Weak integration teams contribute to the failure of 70% of M&A integrations (The Wall Street Journal, 2019).
    • Less than half (47%) of organizations actually experience the positive results sought by the M&A transaction (Steeves and Associates).
  • Organizations pursuing M&A and not involving IT are setting themselves up for failure.

Only half of M&A deals involve IT (Source: IMAA Institute, 2017)

Common Obstacles

These barriers make this challenge difficult to address for many organizations:

  • IT is rarely afforded the opportunity to participate in the transaction deal. When IT is invited, this often happens later in the process where integration will be critical to business continuity.
  • IT has not had the opportunity to demonstrate that it is a valuable business partner in other business initiatives.
  • One of the most critical elements that IT often doesn’t take the time or doesn’t have the time to focus on is the people and leadership component.
  • IT waits to be invited to the process rather then actively involving themselves and suggesting how value can be added to the process.

In hindsight, it’s clear to see: Involving IT is just good business.

47% of senior leaders wish they would have spent more time on IT due diligence to prevent value erosion. (Source: IMAA Institute, 2017)

40% of acquiring businesses discovered a cybersecurity problem at an acquisition.” (Source: Okta)

Info-Tech's approach

Acquisitions & Divestitures Framework

Acquisitions and divestitures are inevitable in modern business, and IT’s involvement in the process should be too. This progression is inspired by:

  1. The growing trend for organizations to increase, decrease, or evolve through these types of transactions.
  2. Transactions that are driven by digital motivations, requiring IT’s expertise.
  3. A maturing business perspective of IT, preventing the difficulty that IT is faced with when invited into the transaction process late.
  4. There never being such a thing as a true merger, making the majority of M&A activity either acquisitions or divestitures.
A diagram highlighting the 'IT Executives' Role in Acquisitions and Divestitures' when they are integrated at different points in the 'Core Business Timeline'. There are four main entry points 'Proactive', 'Discovery and Strategy', 'Due Diligence and Preparation', and 'Execution and Value Realized'. It is highlighted that IT can and should start at 'Proactive', but most organizations start at 'Execution and Value Realized'. 'Proactive': suggest opportunities to evolve the organization; prove IT's value and engage in growth opportunities early. Innovators start here. Steps of the business timeline in 'Proactive' are 'Organization strategies are defined' and 'M and A is considered to enable strategy'. After a buy or sell transaction is initiated is 'Discovery and Strategy': pre-transaction state. If it is a Buy transaction, 'Establish IT's involvement and approach'. If it is a Sell transaction, 'Prepare to engage in negotiations'. Business Partners start here. Steps of the business timeline in 'Discovery and Strategy' are 'Searching criteria is set', 'Potential candidates are considered', and 'LOI is sent/received'. 'Due Diligence and Preparation': mid-transaction state. If it is a Buy transaction, 'Identify potential transaction benefits and risks'. If it is a Sell transaction, 'Comply, communicate, and collaborate in transaction'. Trusted Operators start here. Steps of the business timeline in 'Due Diligence and Preparation' are 'Due diligence engagement occurs', 'Final agreement is reached', and 'Preparation for transaction execution occurs'. 'Execution and Value Realization': post-transaction state. If it is a Buy transaction, 'Integrate the IT environments and achieve business value'. If it is a Sell transaction, 'Separate the IT environment and deliver on transaction terms'. Firefighters start here. Steps of the business timeline in 'Execution and Value Realization' are 'Staff and operations are addressed appropriately', 'Day 1 of implementation and integration activities occurs', '1st 100 days of new entity state occur' and 'Ongoing risk mitigating and value creating activities occur'.

The business’ view of IT will impact how soon IT can get involved

There are four key entry points for IT

A colorful visualization of the four key entry points for IT and a fifth not-so-key entry point. Starting from the top: 'Innovator', Information and Technology as a Competitive Advantage, 90% Satisfaction; 'Business Partner', Effective Delivery of Strategic Business Projects, 80% Satisfaction; 'Trusted Operator', Enablement of Business Through Application and Work Orders, 70% Satisfaction; 'Firefighter', Reliable Infrastructure and IT Service Desk, 60% Satisfaction; and then 'Unstable', Inability to Consistently Deliver Basic Services, <60% Satisfaction.
  1. Innovator: IT suggests an acquisition to meet the business objectives of the organization.
  2. Business Partner: IT is brought in to strategy plan the acquisition from both the business’ and IT’s perspective.
  3. Trusted Operator: IT participates in due diligence activities and valuates the organization potentially being acquired.
  4. Firefighter: IT reactively engages in the integration with little time to prepare.

Merger, acquisition, and divestiture defined

Merger

A merger looks at the equal combination of two entities or organizations. Mergers are rare in the M&A space, as the organizations will combine assets and services in a completely equal 50/50 split. Two organizations may also choose to divest business entities and merge as a new company.

Acquisition

The most common transaction in the M&A space, where an organization will acquire or purchase another organization or entities of another organization. This type of transaction has a clear owner who will be able to make legal decisions regarding the acquired organization.

Divestiture

An organization may decide to sell partial elements of a business to an acquiring organization. They will separate this business entity from the rest of the organization and continue to operate the other components of the business.

Info-Tech Insight

A true merger does not exist, as there is always someone initiating the discussion. As a result, most M&A activity falls into acquisition or divestiture categories.

Buying vs. selling

The M&A process approach differs depending on whether you are the executive IT leader on the buy side or sell side

This blueprint is only focused on the buy side:

  • More than two organizations could be involved in a transaction.
  • Examples of buy-related scenarios include:
    • Your organization is buying another organization with the intent of having the purchased organization keep its regular staff, operations, and location. This could mean minimal integration is required.
    • Your organization is buying another organization in its entirety with the intent of integrating it into your original company.
    • Your organization is buying components of another organization with the intent of integrating them into your original company.
  • As the purchasing organization, you will probably be initiating the purchase and thus will be valuating the selling organization during due diligence and leading the execution plan.

The sell side is focused on:

  • Examples of sell-related scenarios include:
    • Your organization is selling to another organization with the intent of keeping its regular staff, operations, and location. This could mean minimal separation is required.
    • Your organization is selling to another organization with the intent of separating to be a part of the purchasing organization.
    • Your organization is engaging in a divestiture with the intent of:
      • Separating components to be part of the purchasing organization permanently.
      • Separating components to be part of a spinoff and establish a unit as a standalone new company.
  • As the selling organization, you could proactively seek out suitors to purchase all or components of your organization, or you could be approached by an organization.

For more information on divestitures or selling your entire organization, check out Info-Tech’s Mergers & Acquisitions: The Sell Blueprint.

Core business timeline

For IT to be valuable in M&As, you need to align your deliverables and your support to the key activities the business and investors are working on.

Info-Tech’s methodology for Buying Organizations in Mergers, Acquisitions, or Divestitures

1. Proactive

2. Discovery & Strategy

3. Due Diligence & Preparation

4. Execution & Value Realization

Phase Steps

  1. Identify Stakeholders and Their Perspective of IT
  2. Assess IT’s Current Value and Future State
  3. Drive Innovation and Suggest Growth Opportunities
  1. Establish the M&A Program Plan
  2. Prepare IT to Engage in the Acquisition
  1. Assess the Target Organization
  2. Prepare to Integrate
  1. Execute the Transaction
  2. Reflection and Value Realization

Phase Outcomes

Be an innovative IT leader by suggesting how and why the business should engage in an acquisition or divestiture.

Create a standardized approach for how your IT organization should address acquisitions.

Evaluate the target organizations successfully and establish an integration project plan.

Deliver on the integration project plan successfully and communicate IT’s transaction value to the business.

Potential metrics for each phase

1. Proactive

2. Discovery & Strategy

3. Due Diligence & Preparation

4. Execution & Value Realization

  • % Share of business innovation spend from overall IT budget
  • % Critical processes with approved performance goals and metrics
  • % IT initiatives that meet or exceed value expectation defined in business case
  • % IT initiatives aligned with organizational strategic direction
  • % Satisfaction with IT's strategic decision-making abilities
  • $ Estimated business value added through IT-enabled innovation
  • % Overall stakeholder satisfaction with IT
  • % Percent of business leaders that view IT as an Innovator
  • % IT budget as a percent of revenue
  • % Assets that are not allocated
  • % Unallocated software licenses
  • # Obsolete assets
  • % IT spend that can be attributed to the business (chargeback or showback)
  • % Share of CapEx of overall IT budget
  • % Prospective organizations that meet the search criteria
  • $ Total IT cost of ownership (before and after M&A, before and after rationalization)
  • % Business leaders that view IT as a Business Partner
  • % Defects discovered in production
  • $ Cost per user for enterprise applications
  • % In-house-built applications vs. enterprise applications
  • % Owners identified for all data domains
  • # IT staff asked to participate in due diligence
  • Change to due diligence
  • IT budget variance
  • Synergy target
  • % Satisfaction with the effectiveness of IT capabilities
  • % Overall end-customer satisfaction
  • $ Impact of vendor SLA breaches
  • $ Savings through cost-optimization efforts
  • $ Savings through application rationalization and technology standardization
  • # Key positions empty
  • % Frequency of staff turnover
  • % Emergency changes
  • # Hours of unplanned downtime
  • % Releases that cause downtime
  • % Incidents with identified problem record
  • % Problems with identified root cause
  • # Days from problem identification to root cause fix
  • % Projects that consider IT risk
  • % Incidents due to issues not addressed in the security plan
  • # Average vulnerability remediation time
  • % Application budget spent on new build/buy vs. maintenance (deferred feature implementation, enhancements, bug fixes)
  • # Time (days) to value realization
  • % Projects that realized planned benefits
  • $ IT operational savings and cost reductions that are related to synergies/divestitures
  • % IT staff–related expenses/redundancies
  • # Days spent on IT integration
  • $ Accurate IT budget estimates
  • % Revenue growth directly tied to IT delivery
  • % Profit margin growth

The IT executive’s role in the buying transaction is critical

And IT leaders have a greater likelihood than ever of needing to support a merger, acquisition, or divestiture.

  1. Reduced Risk

    IT can identify risks that may go unnoticed when IT is not involved.
  2. Increased Accuracy

    The business can make accurate predictions around the costs, timelines, and needs of IT.
  3. Faster Integration

    Faster integration means faster value realization for the business.
  4. Informed Decision Making

    IT leaders hold critical information that can support the business in moving the transaction forward.
  5. Innovation

    IT can suggest new opportunities to generate revenue, optimize processes, or reduce inefficiencies.

The IT executive’s critical role is demonstrated by:

  • Reduced Risk

    47% of senior leaders wish they would have spent more time on IT due diligence to prevent value erosion (IMAA Institute, 2017).
  • Increased Accuracy

    87% of respondents to a Deloitte survey effectively conducted a virtual deal, with a focus on cybersecurity and integration (Deloitte, 2020).
  • Faster Integration

    Integration costs range from as low as $4 million to as high as $3.8 billion, making the process an investment for the organization (CIO Dive).
  • Informed Decision Making

    Only 38% of corporate and 22% of private equity firms include IT as a significant aspect in their transaction approach (IMAA Institute, 2017).
  • Innovation

    Successful CIOs involved in M&As can spend 70% of their time on aspects outside of IT and 30% of their time on technology and delivery (CIO).

Playbook benefits

IT Benefits

  • IT will be seen as an innovative partner to the business, and its suggestions and involvement in the organization will lead to benefits, not hindrances.
  • Develop a streamlined method to valuate the potential organization being purchased and ensure risk management concerns are brought to the business’ attention immediately.
  • Create a comprehensive list of items that IT needs to do during the integration that can be prioritized and actioned.

Business Benefits

  • The business will get accurate and relevant information about the organization being acquired, ensuring that the anticipated value of the transaction is correctly planned for.
  • Fewer business interruptions will happen, because IT can accurately plan for and execute the high-priority integration tasks.
  • The business can make a fair offer to the purchased organization, having properly valuated all aspects being bought, including the IT environment.

Insight summary

Overarching Insight

As an IT executive, take control of when you get involved in a growth transaction. Do this by proactively identifying acquisition targets, demonstrating the value of IT, and ensuring that integration of IT environments does not lead to unnecessary and costly decisions.

Proactive Insight

CIOs on the forefront of digital transformation need to actively look for and suggest opportunities to acquire or partner on new digital capabilities to respond to rapidly changing business needs.

Discovery & Strategy Insight

IT organizations that have an effective M&A program plan are more prepared for the buying transaction, enabling a successful outcome. A structured strategy is particularly necessary for organizations expected to deliver M&As rapidly and frequently.

Due Diligence & Preparation Insight

Most IT synergies can be realized in due diligence. It is more impactful to consider IT processes and practices (e.g. contracts and culture) in due diligence rather than later in the integration.

Execution & Value Realization Insight

IT needs to realize synergies within the first 100 days of integration. The most successful transactions are when IT continuously realizes synergies a year after the transaction and beyond.

Blueprint deliverables

Key Deliverable: M&A Buy Playbook

The M&A Buy Playbook should be a reusable document that enables your IT organization to successfully deliver on any acquisition transaction.

Screenshots of the 'M and A Buy Playbook' deliverable.

M&A Buy One-Pager

See a one-page overview of each phase of the transaction.

Screenshots of the 'M and A Buy One-Pagers' deliverable.

M&A Buy Case Studies

Read a one-page case study for each phase of the transaction.

Screenshots of the 'M and A Buy Case Studies' deliverable.

M&A Integration Project Management Tool (SharePoint)

Manage the integration process of the acquisition using this SharePoint template.

Screenshots of the 'M and A Integration Project Management Tool (SharePoint)' deliverable.

M&A Integration Project Management Tool (Excel)

Manage the integration process of the acquisition using this Excel tool if you can’t or don’t want to use SharePoint.

Screenshots of the 'M and A Integration Project Management Tool (Excel)' deliverable.

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

Guided Implementation

Workshop

Consulting

"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

What does a typical GI on this topic look like?

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is between 6 to 10 calls over the course of 2 to 4 months.

    Proactive Phase

  • Call #1: Scope requirements, objectives, and your specific challenges.
  • Discovery & Strategy Phase

  • Call #2: Determine stakeholders and their perspectives of IT.
  • Call #3: Identify how M&A could support business strategy and how to communicate.
  • Due Diligence & Preparation Phase

  • Call #4: Establish a transaction team and acquisition strategic direction.
  • Call #5: Create program metrics and identify a standard integration strategy.
  • Call #6: Assess the potential organization(s).
  • Call #7: Identify the integration program plan.
  • Execution & Value Realization Phase

  • Call #8: Establish employee transitions to retain key staff.
  • Call #9: Assess IT’s ability to deliver on the acquisition transaction.

The Buy Blueprint

Phase 1

Proactive

Phase 1

Phase 2 Phase 3 Phase 4
  • 1.1 Identify Stakeholders and Their Perspective of IT
  • 1.2 Assess IT’s Current Value and Future State
  • 1.3 Drive Innovation and Suggest Growth Opportunities
  • 2.1 Establish the M&A Program Plan
  • 2.2 Prepare IT to Engage in the Acquisition
  • 3.1 Assess the Target Organization
  • 3.2 Prepare to Integrate
  • 4.1 Execute the Transaction
  • 4.2 Reflection and Value Realization

This phase will walk you through the following activities:

  • Conduct the CEO-CIO Alignment diagnostic
  • Conduct the CIO Business Vision diagnostic
  • Visualize relationships among stakeholders to identify key influencers
  • Group stakeholders into categories
  • Prioritize your stakeholders
  • Plan to communicate
  • Valuate IT
  • Assess the IT/digital strategy
  • Determine pain points and opportunities
  • Align goals to opportunities
  • Recommend growth opportunities

This phase involves the following participants:

  • IT and business leadership

What is the Proactive phase?

Embracing the digital drivers

As the number of merger, acquisition, or divestiture transactions driven by digital means continues to increase, IT has an opportunity to not just be involved in a transaction but actively seek out potential deals.

In the Proactive phase, the business is not currently considering a transaction. However, the business could consider one to reach its strategic goals. IT organizations that have developed respected relationships with the business leaders can suggest these potential transactions.

Understand the business’ perspective of IT, determine who the critical M&A stakeholders are, valuate the IT environment, and examine how it supports the business goals in order to suggest an M&A transaction.

In doing so, IT isn’t waiting to be invited to the transaction table – it’s creating it.

Goal: To support the organization in reaching its strategic goals by suggesting M&A activities that will enable the organization to reach its objectives faster and with greater-value outcomes.

Proactive Prerequisite Checklist

Before coming into the Proactive phase, you should have addressed the following:

  • Understand what mergers, acquisitions, and divestitures are.
  • Understand what mergers, acquisitions, and divestitures mean for the business.
  • Understand what mergers, acquisitions, and divestitures mean for IT.

Review the Executive Brief for more information on mergers, acquisitions, and divestitures for purchasing organizations.

Proactive

Step 1.1

Identify M&A Stakeholders and Their Perspective of IT

Activities

  • 1.1.1 Conduct the CEO-CIO Alignment diagnostic
  • 1.1.2 Conduct the CIO Business Vision diagnostic
  • 1.1.3 Visualize relationships among stakeholders to identify key influencers
  • 1.1.4 Group stakeholders into categories
  • 1.1.5 Prioritize your stakeholders
  • 1.16 Plan to communicate

This step involves the following participants:

  • IT executive leader
  • IT leadership
  • Critical M&A stakeholders

Outcomes of Step

Understand how the business perceives IT and establish strong relationships with critical M&A stakeholders.

Business executives' perspectives of IT

Leverage diagnostics and gain alignment on IT’s role in the organization

  • To suggest or get involved with a merger, acquisition, or divestiture, the IT executive leader needs to be well respected by other members of the executive leadership team and the business.
  • Specifically, the Proactive phase relies on the IT organization being viewed as an Innovator within the business.
  • Identify how the CEO/business executive currently views IT and where they would like IT to move within the Maturity Ladder.
  • Additionally, understand how other critical department leaders view IT and how they view the partnership with IT.
A colorful visualization titled 'Maturity Ladder' detailing levels of IT function that a business may choose from based on the business executives' perspectives of IT. Starting from the bottom: 'Struggle', Does not embarrass, Does not crash; 'Support', Keeps business happy, Keeps costs low; 'Optimize', Increases efficiency, Decreases costs; 'Expand', Extends into new business, Generates revenue; 'Transform', Creates new industry.

Misalignment in target state requires further communication between the CIO and CEO to ensure IT is striving toward an agreed-upon direction.

Info-Tech’s CIO Business Vision (CIO BV) diagnostic measures a variety of high-value metrics to provide a well-rounded understanding of stakeholder satisfaction with IT.

Sample of Info-Tech's CIO Business Vision diagnostic measuring percentages of high-value metrics like 'IT Satisfaction' and 'IT Value' regarding business leader satisfaction. A note for these two reads 'Evaluate business leader satisfaction with IT this year and last year'. A section titled 'Relationship' has metrics such as 'Understands Needs' and 'Trains Effectively'. A note for this section reads 'Examine indicators of the relationship between IT and the business'. A section titled 'Security Friction' has metrics such as 'Regulatory Compliance-Driven' and 'Office/Desktop Security'.

Business Satisfaction and Importance for Core Services

The core services of IT are important when determining what IT should focus on. The most important services with the lowest satisfaction offer the largest area of improvement for IT to drive business value.

Sample of Info-Tech's CIO Business Vision diagnostic specifically comparing the business satisfaction of 12 core services with their importance. Services listed include 'Service Desk', 'IT Security', 'Requirements Gathering', 'Business Apps', 'Data Quality', and more. There is a short description of the services, a percentage for the business satisfaction with the service, a percentage comparing it to last year, and a numbered ranking of importance for each service. A note reads 'Assess satisfaction and importance across 12 core IT capabilities'.

1.1.1 Conduct the CEO-CIO Alignment diagnostic

2 weeks

Input: IT organization expertise and the CEO-CIO Alignment diagnostic

Output: An understanding of an executive business stakeholder’s perception of IT

Materials: CEO-CIO Alignment diagnostic, M&A Buy Playbook

Participants: IT executive/CIO, Business executive/CEO

  1. The CEO-CIO Alignment diagnostic can be a powerful input. Speak with your Info-Tech account representative to conduct the diagnostic. Use the results to inform current IT capabilities.
  2. You may choose to debrief the results of your diagnostic with an Info-Tech analyst. We recommend this to help your team understand how to interpret and draw conclusions from the results.
  3. Examine the results of the survey and note where there might be specific capabilities that could be improved.
  4. Determine whether there are any areas of significant disagreement between the you and the CEO. Mark down those areas for further conversations. Additionally, take note of areas that could be leveraged to support growth transactions or support your rationale in recommending growth transactions.

Download the sample report.

Record the results in the M&A Buy Playbook.

1.1.2 Conduct the CIO Business Vision diagnostic

2 weeks

Input: IT organization expertise, CIO BV diagnostic

Output: An understanding of business stakeholder perception of certain IT capabilities and services

Materials: CIO Business Vision diagnostic, Computer, Whiteboard and markers, M&A Buy Playbook

Participants: IT executive/CIO, Senior business leaders

  1. The CIO Business Vision (CIO BV) diagnostic can be a powerful tool for identifying IT capability focus areas. Speak with your account representative to conduct the CIO BV diagnostic. Use the results to inform current IT capabilities.
  2. You may choose to debrief the results of your diagnostic with an Info-Tech analyst. We recommend this to help your team understand how to interpret the results and draw conclusions from the diagnostic.
  3. Examine the results of the survey and take note of any IT services that have low scores.
  4. Read through the diagnostic comments and note any common themes. Especially note which stakeholders identified they have a favorable relationship with IT and which stakeholders identified they have an unfavorable relationship. For those who have an unfavorable relationship, identify if they will have a critical role in a growth transaction.

Download the sample report.

Record the results in the M&A Buy Playbook.

Create a stakeholder network map for M&A transactions

Follow the trail of breadcrumbs from your direct stakeholders to their influencers to uncover hidden stakeholders.

Example:

Diagram of stakeholders and their relationships with other stakeholders, such as 'Board Members', 'CFO/Finance', 'Compliance', etc. with 'CIO/IT Leader' highlighted in the middle. There are unidirectional black arrows and bi-directional green arrows indicating each connection.

    Legend
  • Black arrows indicate the direction of professional influence
  • Dashed green arrows indicate bidirectional, informal influence relationships

Info-Tech Insight

Your stakeholder map defines the influence landscape that the M&A transaction will occur within. This will identify who holds various levels of accountability and decision-making authority when a transaction does take place.

Use connectors to determine who may be influencing your direct stakeholders. They may not have any formal authority within the organization, but they may have informal yet substantial relationships with your stakeholders.

1.1.3 Visualize relationships among stakeholders to identify key influencers

1-3 hours

Input: List of M&A stakeholders

Output: Relationships among M&A stakeholders and influencers

Materials: M&A Buy Playbook

Participants: IT executive leadership

  1. The purpose of this activity is to list all the stakeholders within your organization that will have a direct or indirect impact on the M&A transaction.
  2. Determine the critical stakeholders, and then determine the stakeholders of your stakeholders and consider adding each of them to the stakeholder list.
  3. Assess who has either formal or informal influence over your stakeholders; add these influencers to your stakeholder list.
  4. Construct a diagram linking stakeholders and their influencers together.
    • Use black arrows to indicate the direction of professional influence.
    • Use dashed green arrows to indicate bidirectional, informal influence relationships.

Record the results in the M&A Buy Playbook.

Categorize your stakeholders with a prioritization map

A stakeholder prioritization map helps IT leaders categorize their stakeholders by their level of influence and ownership in the merger, acquisition, or divestiture process.

A prioritization map of stakeholder categories split into four quadrants. The vertical axis is 'Influence', from low on the bottom to high on top. The horizontal axis is 'Ownership/Interest', from low on the left to high on the right. 'Spectators' are low influence, low ownership/interest. 'Mediators' are high influence, low ownership/interest. 'Noisemakers' are low influence, high ownership/interest. 'Players' are high influence, high ownership/interest.

There are four areas in the map, and the stakeholders within each area should be treated differently.

Players – players have a high interest in the initiative and the influence to effect change over the initiative. Their support is critical, and a lack of support can cause significant impediment to the objectives.

Mediators – mediators have a low interest but significant influence over the initiative. They can help to provide balance and objective opinions to issues that arise.

Noisemakers – noisemakers have low influence but high interest. They tend to be very vocal and engaged, either positively or negatively, but have little ability to enact their wishes.

Spectators – generally, spectators are apathetic and have little influence over or interest in the initiative.

1.1.4 Group stakeholders into categories

30 minutes

Input: Stakeholder map, Stakeholder list

Output: Categorization of stakeholders and influencers

Materials: Flip charts, Markers, Sticky notes, M&A Buy Playbook

Participants: IT executive leadership, Stakeholders

  1. Identify your stakeholders’ interest in and influence on the M&A process as high, medium, or low by rating the attributes below.
  2. Map your results to the model to the right to determine each stakeholder’s category.

Same prioritization map of stakeholder categories as before. This one has specific stakeholders mapped onto it. 'CFO' is mapped as low interest and middling influence, between 'Mediator' and 'Spectator'. 'CIO' is mapped as higher than average interest and high influence, a 'Player'. 'Board Member' is mapped as high interest and high influence, a 'Player'.

Level of Influence
  • Power: Ability of a stakeholder to effect change.
  • Urgency: Degree of immediacy demanded.
  • Legitimacy: Perceived validity of stakeholder’s claim.
  • Volume: How loud their “voice” is or could become.
  • Contribution: What they have that is of value to you.
Level of Interest

How much are the stakeholder’s individual performance and goals directly tied to the success or failure of the product?

Record the results in the M&A Buy Playbook.

Prioritize your stakeholders

There may be too many stakeholders to be able to manage them all. Focus your attention on the stakeholders that matter most.

Level of Support

Supporter

Evangelist

Neutral

Blocker

Stakeholder Category Player Critical High High Critical
Mediator Medium Low Low Medium
Noisemaker High Medium Medium High
Spectator Low Irrelevant Irrelevant Low

Consider the three dimensions for stakeholder prioritization: influence, interest, and support. Support can be determined by answering the following question: How significant is that stakeholder to the M&A or divestiture process?

These parameters are used to prioritize which stakeholders are most important and should receive your focused attention.

1.1.5 Prioritize your stakeholders

30 minutes

Input: Stakeholder matrix

Output: Stakeholder and influencer prioritization

Materials: Flip charts, Markers, Sticky notes, M&A Buy Playbook

Participants: IT executive leadership, M&A/divestiture stakeholders

  1. Identify the level of support of each stakeholder by answering the following question: How significant is that stakeholder to the M&A transaction process?
  2. Prioritize your stakeholders using the prioritization scheme on the previous slide.

Stakeholder

Category

Level of Support

Prioritization

CMO Spectator Neutral Irrelevant
CIO Player Supporter Critical

Record the results in the M&A Buy Playbook.

Define strategies for engaging stakeholders by type

A revisit to the map of stakeholder categories, but with strategies listed for each one, and arrows on the side instead of an axis. The vertical arrow is 'Authority', which increases upward, and the horizontal axis is Ownership/Interest which increases as it moves to the right. The strategy for 'Players' is 'Engage', for 'Mediators' is 'Satisfy', for 'Noisemakers' is 'Inform', and for 'Spectators' is 'Monitor'.

Type

Quadrant

Actions

Players High influence, high interest – actively engage Keep them updated on the progress of the project. Continuously involve Players in the process and maintain their engagement and interest by demonstrating their value to its success.
Mediators High influence, low interest – keep satisfied They can be the game changers in groups of stakeholders. Turn them into supporters by gaining their confidence and trust and including them in important decision-making steps. In turn, they can help you influence other stakeholders.
Noisemakers Low influence, high interest – keep informed Try to increase their influence (or decrease it if they are detractors) by providing them with key information, supporting them in meetings, and using Mediators to help them.
Spectators Low influence, low interest – monitor They are followers. Keep them in the loop by providing clarity on objectives and status updates.

Info-Tech Insight

Each group of stakeholders draws attention and resources away from critical tasks. By properly identifying stakeholder groups, the IT executive leader can develop corresponding actions to manage stakeholders in each group. This can dramatically reduce wasted effort trying to satisfy Spectators and Noisemakers while ensuring the needs of Mediators and Players are met.

1.1.6 Plan to communicate

30 minutes

Input: Stakeholder priority, Stakeholder categorization, Stakeholder influence

Output: Stakeholder communication plan

Materials: Flip charts, Markers, Sticky notes, M&A Buy Playbook

Participants: IT executive leadership, M&A/divestiture stakeholders

The purpose of this activity is to make a communication plan for each of the stakeholders identified in the previous activities, especially those who will have a critical role in the M&A transaction process.

  1. In the M&A Buy Playbook, input the type of influence each stakeholder has on IT, how they would be categorized in the M&A process, and their level of priority. Use this information to create a communication plan.
  2. Determine the methods and frequency of communication to keep the necessary stakeholder satisfied and maintain or enhance IT’s profile within the organization.

Record the results in the M&A Buy Playbook.

Proactive

Step 1.2

Assess IT’s Current Value and Method to Achieve a Future State

Activities

  • 1.2.1 Valuate IT
  • 1.2.2 Assess the IT/digital strategy

This step involves the following participants:

  • IT executive leader
  • IT leadership
  • Critical stakeholders to M&A

Outcomes of Step

Identify critical opportunities to optimize IT and meet strategic business goals through a merger, acquisition, or divestiture.

How to valuate your IT environment

And why it matters so much

  • Valuating your current organization’s IT environment is a critical step that all IT organizations should take, whether involved in an M&A or not, to fully understand what it might be worth.
  • The business investments in IT can be directly translated into a value amount. For every $1 invested in IT, the business might be gaining $100 in value back or possibly even loosing $100.
  • Determining, documenting, and communicating this information ensures that the business takes IT’s suggestions seriously and recognizes why investing in IT is so critical.
  • There are three ways a business or asset can be valuated:
    • Cost Approach: Look at the costs associated with building, purchasing, replacing, and maintaining a given aspect of the business.
    • Market Approach: Look at the relative value of a particular aspect of the business. Relative value can fluctuate and depends on what the markets and consequently society believe that particular element is worth.
    • Discounted Cash Flow Approach: Focus on what the potential value of the business could be or the intrinsic value anticipated due to future profitability.
  • (Source: “Valuation Methods,” Corporate Finance Institute)

Four ways to create value through digital

  1. Reduced costs
  2. Improved customer experience
  3. New revenue sources
  4. Better decision making
  5. (Source: McKinsey & Company)

1.2.1 Valuate IT

1 day

Input: Valuation of data, Valuation of applications, Valuation of infrastructure and operations, Valuation of security and risk

Output: Valuation of IT

Materials: Relevant templates/tools listed on the following slides, Capital budget, Operating budget, M&A Buy Playbook

Participants: IT executive/CIO, IT senior leadership

The purpose of this activity is to demonstrate that IT is not simply an operational functional area that diminishes business resources. Rather, IT contributes significant value to the business.

  1. Review each of the following slides to valuate IT’s data, applications, infrastructure and operations, and security and risk. These valuations consider several tangible and intangible factors and result in a final dollar amount.
  2. Input the financial amounts identified for each critical area into a summary slide. Use this information to determine where IT is delivering value to the organization.

Info-Tech Insight

Consistency is key when valuating your IT organization as well as other IT organizations throughout the transaction process.

Record the results in the M&A Buy Playbook.

Data valuation

Data valuation identifies how you monetize the information that your organization owns.

Create a data value chain for your organization

When valuating the information and data that exists in an organization, there are many things to consider.

Info-Tech has two tools that can support this process:

  1. Information Asset Audit Tool: Use this tool first to take inventory of the different information assets that exist in your organization.
  2. Data Valuation Tool: Once information assets have been accounted for, valuate the data that exists within those information assets.

Data Collection

Insight Creation

Value Creation

Data Valuation

01 Data Source
02 Data Collection Method
03 Data
04 Data Analysis
05 Insight
06 Insight Delivery
07 Consumer
08 Value in Data
09 Value Dimension
10 Value Metrics Group
11 Value Metrics
Screenshots of Tab 2 of Info-Tech's Data Valuation Tool.

Instructions

  1. Using the Data Valuation Tool, start gathering information based on the eight steps above to understand your organization’s journey from data to value.
  2. Identify the data value spectrum. (For example: customer sales service, citizen licensing service, etc.)
  3. Fill out the columns for data sources, data collection, and data first.
  4. Capture data analysis and related information.
  5. Then capture the value in data.
  6. Add value dimensions such as usage, quality, and economic dimensions.
    • Remember that economic value is not the only dimension, and usage/quality has a significant impact on economic value.
  7. Collect evidence to justify your data valuation calculator (market research, internal metrics, etc.).
  8. Finally, calculate the value that has a direct correlation with underlying value metrics.

Application valuation

Calculate the value of your IT applications

When valuating the applications and their users in an organization, consider using a business process map. This shows how business is transacted in the company by identifying which IT applications support these processes and which business groups have access to them. Info-Tech has a business process mapping tool that can support this process:

  • Enterprise Integration Process Mapping Tool: Complete this tool first to map the different business processes to the supporting applications in your organization.

Instructions

  1. Start by calculating user costs. This is the product of the (# of users) × (% of time spent using IT) × (fully burdened salary).
  2. Identify the revenue per employee and divide that by the average cost per employee to calculate the derived productivity ratio (DPR).
  3. Once you have calculated the user costs and DPR, multiply those total values together to get the application value.
  4. User Costs

    Total User Costs

    Derived Productivity Ratio (DPR)

    Total DPR

    Application Value

    # of users % time spent using IT Fully burdened salary Multiply values from the 3 user costs columns Revenue per employee Average cost per employee (Revenue P.E) ÷ (Average cost P.E) (User costs) X (DPR)

  5. Once the total application value is established, calculate the combined IT and business costs of delivering that value. IT and business costs include inflexibility (application maintenance), unavailability (downtime costs, including disaster exposure), IT costs (common costs statistically allocated to applications), and fully loaded cost of active (full-time equivalent [FTE]) users.
  6. Calculate the net value of applications by subtracting the total IT and business costs from the total application value calculated in step 3.
  7. IT and Business Costs

    Total IT and Business Costs

    Net Value of Applications

    Application maintenance Downtime costs (include disaster exposure) Common costs allocated to applications Fully loaded costs of active (FTE) users Sum of values from the four IT and business costs columns (Application value) – (IT and business costs)

(Source: CSO)

Infrastructure valuation

Assess the foundational elements of the business’ information technology

The purpose of this exercise is to provide a high-level infrastructure valuation that will contribute to valuating your IT environment.

Calculating the value of the infrastructure will require different methods depending on the environment. For example, a fully cloud-hosted organization will have different costs than a fully on-premises IT environment.

Instructions:

  1. Start by listing all of the infrastructure-related items that are relevant to your organization.
  2. Once you have finalized your items column, identify the total costs/value of each item.
    • For example, total software costs would include servers and storage.
  3. Calculate the total cost/value of your IT infrastructure by adding all of values in the right column.

Item

Costs/Value

Hardware Assets Total Value +$3.2 million
Hardware Leased/Service Agreement -$
Software Purchased +$
Software Leased/Service Agreement -$
Operational Tools
Network
Disaster Recovery
Antivirus
Data Centers
Service Desk
Other Licenses
Total:

For additional support, download the M&A Runbook for Infrastructure and Operations.

Risk and security

Assess risk responses and calculate residual risk

The purpose of this exercise is to provide a high-level risk assessment that will contribute to valuating your IT environment. For a more in-depth risk assessment, please refer to the Info-Tech tools below:

  1. Risk Register Tool
  2. Security M&A Due Diligence Tool

Instructions

  1. Review the probability and impact scales below and ensure you have the appropriate criteria that align to your organization before you conduct a risk assessment.
  2. Identify the probability of occurrence and estimated financial impact for each risk category detail and fill out the table on the right. Customize the table as needed so it aligns to your organization.
  3. Probability of Risk Occurrence

    Occurrence Criteria
    (Classification; Probability of Risk Event Within One Year)

    Negligible Very Unlikely; ‹20%
    Very Low Unlikely; 20 to 40%
    Low Possible; 40 to 60%
    Moderately Low Likely; 60 to 80%
    Moderate Almost Certain; ›80%

Note: If needed, you can customize this scale with the severity designations that you prefer. However, make sure you are always consistent with it when conducting a risk assessment.

Financial & Reputational Impact

Budgetary and Reputational Implications
(Financial Impact; Reputational Impact)

Negligible (‹$10,000; Internal IT stakeholders aware of risk event occurrence)
Very Low ($10,000 to $25,000; Business customers aware of risk event occurrence)
Low ($25,000 to $50,000; Board of directors aware of risk event occurrence)
Moderately Low ($50,000 to $100,000; External customers aware of risk event occurrence)
Moderate (›$100,000; Media coverage or regulatory body aware of risk event occurrence)

Risk Category Details

Probability of Occurrence

Estimated Financial Impact

Estimated Severity (Probability X Impact)

Capacity Planning
Enterprise Architecture
Externally Originated Attack
Hardware Configuration Errors
Hardware Performance
Internally Originated Attack
IT Staffing
Project Scoping
Software Implementation Errors
Technology Evaluation and Selection
Physical Threats
Resource Threats
Personnel Threats
Technical Threats
Total:

1.2.2 Assess the IT/digital strategy

4 hours

Input: IT strategy, Digital strategy, Business strategy

Output: An understanding of an executive business stakeholder’s perception of IT, Alignment of IT/digital strategy and overall organization strategy

Materials: Computer, Whiteboard and markers, M&A Buy Playbook

Participants: IT executive/CIO, Business executive/CEO

The purpose of this activity is to review the business and IT strategies that exist to determine if there are critical capabilities that are not being supported.

Ideally, the IT and digital strategies would have been created following development of the business strategy. However, sometimes the business strategy does not directly call out the capabilities it requires IT to support.

  1. On the left half of the corresponding slide in the M&A Buy Playbook, document the business goals, initiatives, and capabilities. Input this information from the business or digital strategies. (If more space for goals, initiatives, or capabilities is needed, duplicate the slide).
  2. On the other half of the slide, document the IT goals, initiatives, and capabilities. Input this information from the IT strategy and digital strategy.

For additional support, see Build a Business-Aligned IT Strategy.

Record the results in the M&A Buy Playbook.

Proactive

Step 1.3

Drive Innovation and Suggest Growth Opportunities

Activities

  • 1.3.1 Determine pain points and opportunities
  • 1.3.2 Align goals with opportunities
  • 1.3.3 Recommend growth opportunities

This step involves the following participants:

  • IT executive leader
  • IT leadership
  • Critical M&A stakeholders

Outcomes of Step

Establish strong relationships with critical M&A stakeholders and position IT as an innovative business partner that can suggest growth opportunities.

1.3.1 Determine pain points and opportunities

1-2 hours

Input: CEO-CIO Alignment diagnostic, CIO Business Vision diagnostic, Valuation of IT environment, IT-business goals cascade

Output: List of pain points or opportunities that IT can address

Materials: Computer, Whiteboard and markers, M&A Buy Playbook

Participants: IT executive/CIO, IT senior leadership, Business stakeholders

The purpose of this activity is to determine the pain points and opportunities that exist for the organization. These can be external or internal to the organization.

  1. Identify what opportunities exist for your organization. Opportunities are the potential positives that the organization would want to leverage.
  2. Next, identify pain points, which are the potential negatives that the organization would want to alleviate.
  3. Spend time considering all the options that might exist, and keep in mind what has been identified previously.

Opportunities and pain points can be trends, other departments’ initiatives, business perspectives of IT, etc.

Record the results in the M&A Buy Playbook.

1.3.2 Align goals with opportunities

1-2 hours

Input: CEO-CIO Alignment diagnostic, CIO Business Vision diagnostic, Valuation of IT environment, IT-business goals cascade, List of pain points and opportunities

Output: An understanding of an executive business stakeholder’s perception of IT, Foundations for growth strategy

Materials: Computer, Whiteboard and markers, M&A Buy Playbook

Participants: IT executive/CIO, IT senior leadership, Business stakeholders

The purpose of this activity is to determine whether a growth or separation strategy might be a good suggestion to the business in order to meet its business objectives.

  1. For the top three to five business goals, consider:
    1. Underlying drivers
    2. Digital opportunities
    3. Whether a growth or reduction strategy is the solution
  2. Just because a growth or reduction strategy is a solution for a business goal does not necessarily indicate M&A is the way to go. However, it is important to consider before you pursue suggesting M&A.

Record the results in the M&A Buy Playbook.

1.3.3 Recommend growth opportunities

1-2 hours

Input: Growth or separation strategy opportunities to support business goals, Stakeholder communication plan, Rationale for the suggestion

Output: M&A transaction opportunities suggested

Materials: M&A Buy Playbook

Participants: IT executive/CIO, Business executive/CEO

The purpose of this activity is to recommend a merger, acquisition, or divestiture to the business.

  1. Identify which of the business goals the transaction would help solve and why IT is the one to suggest such a goal.
  2. Leverage the stakeholder communication plan identified previously to give insight into stakeholders who would have a significant level of interest, influence, or support in the process.

Info-Tech Insight

With technology and digital driving many transactions, leverage this opening and begin the discussions with your business on how and why an acquisition would be a great opportunity.

Record the results in the M&A Buy Playbook.

By the end of this Proactive phase, you should:

Be prepared to suggest M&A opportunities to support your company’s goals through growth or acquisition transactions

Key outcome from the Proactive phase

Develop progressive relationships and strong communication with key stakeholders to suggest or be aware of transformational opportunities that can be achieved through growth or reduction strategies such as mergers, acquisitions, or divestitures.

Key deliverables from the Proactive phase
  • Business perspective of IT examined
  • Key stakeholders identified and relationship to the M&A process outlined
  • Ability to valuate the IT environment and communicate IT’s value to the business
  • Assessment of the business, digital, and IT strategies and how M&As could support those strategies
  • Pain points and opportunities that could be alleviated or supported through an M&A transaction
  • Acquisition or buying recommendations

The Buy Blueprint

Phase 2

Discovery & Strategy

Phase 1

Phase 2

Phase 3Phase 4
  • 1.1 Identify Stakeholders and Their Perspective of IT
  • 1.2 Assess IT’s Current Value and Future State
  • 1.3 Drive Innovation and Suggest Growth Opportunities
  • 2.1 Establish the M&A Program Plan
  • 2.2 Prepare IT to Engage in the Acquisition
  • 3.1 Assess the Target Organization
  • 3.2 Prepare to Integrate
  • 4.1 Execute the Transaction
  • 4.2 Reflection and Value Realization

This phase will walk you through the following activities:

  • Create the mission and vision
  • Identify the guiding principles
  • Create the future-state operating model
  • Determine the transition team
  • Document the M&A governance
  • Create program metrics
  • Establish the integration strategy
  • Conduct a RACI
  • Create the communication plan
  • Assess the potential organization(s)

This phase involves the following participants:

  • IT executive/CIO
  • IT senior leadership
  • Company M&A team

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

Pre-Work

Day 1

Day 2

Day 3

Day 4

Day 5

Establish the Transaction FoundationDiscover the Motivation for AcquiringFormalize the Program PlanCreate the Valuation FrameworkStrategize the TransactionNext Steps and Wrap-Up (offsite)

Activities

  • 0.1 Conduct the CIO Business Vision and CEO-CIO Alignment diagnostics
  • 0.2 Identify key stakeholders and outline their relationship to the M&A process
  • 0.3 Identify the rationale for the company's decisions to pursue an acquisition
  • 1.1 Review the business rationale for the acquisition
  • 1.2 Assess the IT/digital strategy
  • 1.3 Identify pain points and opportunities tied to the acquisition
  • 1.4 Create the IT vision statement, create the IT mission statement, and identify IT guiding principles
  • 2.1 Create the future-state operating model
  • 2.2 Determine the transition team
  • 2.3 Document the M&A governance
  • 2.4 Establish program metrics
  • 3.1 Valuate your data
  • 3.2 Valuate your applications
  • 3.3 Valuate your infrastructure
  • 3.4 Valuate your risk and security
  • 3.5 Combine individual valuations to make a single framework
  • 4.1 Establish the integration strategy
  • 4.2 Conduct a RACI
  • 4.3 Review best practices for assessing target organizations
  • 4.4 Create the communication plan
  • 5.1 Complete in-progress deliverables from previous four days
  • 5.2 Set up review time for workshop deliverables and to discuss next steps

Deliverables

  1. Business perspectives of IT
  2. Stakeholder network map for M&A transactions
  1. Business context implications for IT
  2. IT’s acquisition strategic direction
  1. Operating model for future state
  2. Transition team
  3. Governance structure
  4. M&A program metrics
  1. IT valuation framework
  1. Integration strategy
  2. RACI
  3. Communication plan
  1. Completed M&A program plan and strategy
  2. Prepared to assess target organization(s)

What is the Discovery & Strategy phase?

Pre-transaction state

The Discovery & Strategy phase during an acquisition is a unique opportunity for many IT organizations. IT organizations that can participate in the acquisition transaction at this stage are likely considered a strategic partner of the business.

For one-off acquisitions, IT being invited during this stage of the process is rare. However, for organizations that are preparing to engage in many acquisitions over the coming years, this type of strategy will greatly benefit from IT involvement. Again, the likelihood of participating in an M&A transaction is increasing, making it a smart IT leadership decision to, at the very least, loosely prepare a program plan that can act as a strategic pillar throughout the transaction.

During this phase of the pre-transaction state, IT will also be asked to participate in ensuring that the potential organization being sought will be able to meet any IT-specific search criteria that was set when the transaction was put into motion.

Goal: To identify a repeatable program plan that IT can leverage when acquiring all or parts of another organization’s IT environment, ensuring customer satisfaction and business continuity

Discovery & Strategy Prerequisite Checklist

Before coming into the Discovery & Strategy phase, you should have addressed the following:

  • Understand the business perspective of IT.
  • Know the key stakeholders and have outlined their relationships to the M&A process.
  • Be able to valuate the IT environment and communicate IT's value to the business.
  • Understand the rationale for the company's decisions to pursue an acquisition and the opportunities or pain points the acquisition should address.

Discovery & Strategy

Step 2.1

Establish the M&A Program Plan

Activities

  • 2.1.1 Create the mission and vision
  • 2.1.2 Identify the guiding principles
  • 2.1.3 Create the future-state operating model
  • 2.1.4 Determine the transition team
  • 2.1.5 Document the M&A governance
  • 2.1.6 Create program metrics

This step involves the following participants:

  • IT executive/CIO
  • IT senior leadership
  • Company M&A team

Outcomes of Step

Establish an M&A program plan that can be repeated across acquisitions.

The vision and mission statements clearly articulate IT’s aspirations and purpose

The IT vision statement communicates a desired future state of the IT organization, whereas the IT mission statement portrays the organization’s reason for being. While each serves its own purpose, they should both be derived from the business context implications for IT.

Vision Statements

Mission Statements

Characteristics

  • Describe a desired future
  • Focus on ends, not means
  • Concise
  • Aspirational
  • Memorable
  • Articulate a reason for existence
  • Focus on how to achieve the vision
  • Concise
  • Easy to grasp
  • Sharply focused
  • Inspirational

Samples

To be a trusted advisor and partner in enabling business innovation and growth through an engaged IT workforce. (Source: Business News Daily) IT is a cohesive, proactive, and disciplined team that delivers innovative technology solutions while demonstrating a strong customer-oriented mindset. (Source: Forbes, 2013)

2.1.1 Create the mission and vision statements

2 hours

Input: Business objectives, IT capabilities, Rationale for the transaction

Output: IT’s mission and vision statements for growth strategies tied to mergers, acquisitions, and divestitures

Materials: Flip charts/whiteboard, Markers, M&A Buy Playbook

Participants: IT executive/CIO, IT senior leadership, Company M&A team

The purpose of this activity is to create mission and vision statements that reflect IT’s intent and method to support the organization as it pursues a growth strategy.

  1. Review the definitions and characteristics of mission and vision statements.
  2. Brainstorm different versions of the mission and vision statements.
  3. Edit the statements until you get to a single version of each that accurately reflects IT’s role in the growth process.

Record the results in the M&A Buy Playbook.

Guiding principles provide a sense of direction

IT guiding principles are shared, long-lasting beliefs that guide the use of IT in constructing, transforming, and operating the enterprise by informing and restricting IT investment portfolio management, solution development, and procurement decisions.

A diagram illustrating the place of 'IT guiding principles' in the process of making 'Decisions on the use of IT'. There are four main items, connecting lines naming the type of process in getting from one step to the next, and a line underneath clarifying the questions asked at each step. On the far left, over the question 'What decisions should be made?', is 'Business context and IT implications'. This flows forward to 'IT guiding principles', and they are connected by 'Influence'. Next, over the question 'How should decisions be made?', is the main highlighted section. 'IT guiding principles' flows forward to 'Decisions on the use of IT', and they are connected by 'Guide and inform'. On the far right, over the question 'Who has the accountability and authority to make decisions?', is 'IT policies'. This flows back to 'Decisions on the use of IT', and they are connected by 'Direct and control'.

IT principles must be carefully constructed to make sure they are adhered to and relevant

Info-Tech has identified a set of characteristics that IT principles should possess. These characteristics ensure the IT principles are relevant and followed in the organization.

Approach focused. IT principles should be focused on the approach – how the organization is built, transformed, and operated – as opposed to what needs to be built, which is defined by both functional and non-functional requirements.

Business relevant. Create IT principles that are specific to the organization. Tie IT principles to the organization’s priorities and strategic aspirations.

Long lasting. Build IT principles that will withstand the test of time.

Prescriptive. Inform and direct decision making with actionable IT principles. Avoid truisms, general statements, and observations.

Verifiable. If compliance can’t be verified, people are less likely to follow the principle.

Easily Digestible. IT principles must be clearly understood by everyone in IT and by business stakeholders. IT principles aren’t a secret manuscript of the IT team. IT principles should be succinct; wordy principles are hard to understand and remember.

Followed. Successful IT principles represent a collection of beliefs shared among enterprise stakeholders. IT principles must be continuously communicated to all stakeholders to achieve and maintain buy-in.

In organizations where formal policy enforcement works well, IT principles should be enforced through appropriate governance processes.

Consider the example principles below

IT Principle Name

IT Principle Statement

1. Risk Management We will ensure that the organization’s IT Risk Management Register is properly updated to reflect all potential risks and that a plan of action against those risks has been identified.
2. Transparent Communication We will ensure employees are spoken to with respect and transparency throughout the transaction process.
3. Integration for Success We will create an integration strategy that enables the organization and clearly communicates the resources required to succeed.
4. Managed Data We will handle data creation, modification, integration, and use across the enterprise in compliance with our data governance policy.
5. Establish a single IT Environment We will identify, prioritize, and manage the applications and services that IT provides in order to eliminate redundant technology and maximize the value that users and customers experience.
6. Compliance With Laws and Regulations We will operate in compliance with all applicable laws and regulations for both our organization and the potentially purchased organization.
7. Defined Value We will create a plan of action that aligns with the organization’s defined value expectations.
8. Network Readiness We will ensure that employees and customers have immediate access to the network with minimal or no outages.
9. Operating to Succeed We will bring all of IT into a central operating model within two years of the transaction.

2.1.2 Identify the guiding principles

2 hours

Input: Business objectives, IT capabilities, Rationale for the transaction, Mission and vision statements

Output: IT’s guiding principles for growth strategies tied to mergers, acquisitions, and divestitures

Materials: Flip charts/whiteboard, Markers, M&A Buy Playbook

Participants: IT executive/CIO, IT senior leadership, Company M&A team

The purpose of this activity is to create the guiding principles that will direct the IT organization throughout the growth strategy process.

  1. Review the role of guiding principles and the examples of guiding principles that organizations have used.
  2. Brainstorm different versions of the guiding principles. Each guiding principle should start with the phrase “We will…”
  3. Edit and consolidate the statements until you have a list of approximately eight to ten statements that accurately reflect IT’s role in the growth process.
  4. Review the guiding principles every six months to ensure they continue to support the delivery of the business’ growth strategy goals.

Record the results in the M&A Buy Playbook.

Create two IT teams to support the transaction

IT M&A Transaction Team

  • The IT M&A Transaction Team should consist of the strongest members of the IT team who can be expected to deliver on unusual or additional tasks not asked of them in normal day-to-day operations.
  • The roles selected for this team will have very specific skills sets or deliver on critical integration capabilities, making their involvement in the combination of two or more IT environments paramount.
  • These individuals need to have a history of proving themselves very trustworthy, as they will likely be required to sign an NDA as well.
  • Expect to have to certain duplicate capabilities or roles across the M&A transaction team and operational team.

IT Operational Team

  • This group is responsible for ensuring the business operations continue.
  • These employees might be those who are newer to the organization but can be counted on to deliver consistent IT services and products.
  • The roles of this team should ensure that end users or external customers remain satisfied.

Key capabilities to support M&A

Consider the following capabilities when looking at who should be a part of the M&A transaction team.

Employees who have a significant role in ensuring that these capabilities are being delivered will be a top priority.

Infrastructure

  • Systems Integration
  • Data Management

Business Focus

  • Service-Level Management
  • Enterprise Architecture
  • Stakeholder Management
  • Project Management

Risk & Security

  • Privacy Management
  • Security Management
  • Risk & Compliance Management

Build a lasting and scalable operating model

An operating model is an abstract visualization, used like an architect’s blueprint, that depicts how structures and resources are aligned and integrated to deliver on the organization’s strategy.

It ensures consistency of all elements in the organizational structure through a clear and coherent blueprint before embarking on detailed organizational design.

The visual should highlight which capabilities are critical to attaining strategic goals and clearly show the flow of work so that key stakeholders can understand where inputs flow in and outputs flow out of the IT organization.

As you assess the current operating model, consider the following:

  • Does the operating model contain all the necessary capabilities your IT organization requires to be successful?
  • What capabilities should be duplicated?
  • Are there individuals with the skill set to support those roles? If not, is there a plan to acquire or develop those skills?
  • A dedicated project team strictly focused on M&A is great. However, is it feasible for your organization? If not, what blockers exist?
A diagram with 'Initiatives' and 'Solutions' on the left and right of an area chart, 'Customer' at the top, the area between them labelled 'Functional Area n', and six horizontal bars labelled 'IT Capability' stacked on top of each other. The 'IT Capability' bars are slightly skewed to the 'Solutions' side of the chart.

Info-Tech Insight

Investing time up-front getting the operating model right is critical. This will give you a framework to rationalize future organizational changes, allowing you to be more iterative and allowing your model to change as the business changes.

2.1.3 Create the future-state operating model

4 hours

Input: Current operating model, IT strategy, IT capabilities, M&A-specific IT capabilities, Business objectives, Rationale for the transaction, Mission and vision statements

Output: Future-state operating model

Materials: Operating model, Capability overlay, Flip charts/whiteboard, Markers, M&A Buy Playbook

Participants: IT executive/CIO, IT senior leadership, Company M&A team

The purpose of this activity is to establish what the future-state operating model will be if your organization needs to adjust to support a growth transaction.

  1. Ensuring that all the IT capabilities are identified by the business and IT strategy, document your organization’s current operating model.
  2. Identify what core capabilities would be critical to the buying transaction process and integration. Highlight and make copies of those capabilities in the M&A Buy Playbook.
  3. Arrange the capabilities to clearly show the flow of inputs and outputs. Identify critical stakeholders of the process (such as customers or end users) if that will help the flow.
  4. Ensure the capabilities that will be decentralized are clearly identified. Decentralized capabilities do not exist within the central IT organization but rather in specific lines of businesses or products to better understand needs and deliver on the capability.

An example operating model is included in the M&A Buy Playbook. This process benefits from strong reference architecture and capability mapping ahead of time.

Record the results in the M&A Buy Playbook.

2.1.4 Determine the transition team

3 hours

Input: IT capabilities, Future-state operating model, M&A-specific IT capabilities, Business objectives, Rationale for the transaction, Mission and vision statements

Output: Transition team

Materials: Reference architecture, Organizational structure, Flip charts/whiteboard, Markers

Participants: IT executive/CIO, IT senior leadership, Company M&A team

The purpose of this activity is to create a team that will support your IT organization throughout the transaction. Determining which capabilities and therefore which roles will be required ensures that the business will continue to get the operational support it needs.

  1. Based on the outcome of activity 2.1.3, review the capabilities that your organization will require on the transition team. Group capabilities into functional groups containing capabilities that are aligned well with one another because they have similar responsibilities and functionalities.
  2. Replace the capabilities with roles. For example, stakeholder management, requirements gathering, and project management might be one functional group. Project management and stakeholder management might combine to create a project manager role.
  3. Review the examples in the M&A Buy Playbook and identify which roles will be a part of the transition team.

For more information, see Redesign Your Organizational Structure

What is governance?

And why does it matter so much to IT and the M&A process?

  • Governance is the method in which decisions get made, specifically as they impact various resources (time, money, and people).
  • Because M&A is such a highly governed transaction, it is important to document the governance bodies that exist in your organization.
  • This will give insight into what types of governing bodies there are, what decisions they make, and how that will impact IT.
  • For example, funds to support integration need to be discussed, approved, and supplied to IT from a governing body overseeing the acquisition.
  • A highly mature IT organization will have automated governance, while a seemingly non-existent governance process will be considered ad hoc.
A pyramid with four levels representing the types of governing bodies that are available with differing levels of IT maturity. An arrow beside the pyramid points upward. The bottom of the arrow is labelled 'Traditional (People and document centric)' and the top is labelled 'Adaptive (Data centric)'. Starting at the bottom of the pyramid is level 1 'Ad Hoc Governance', 'Governance that is not well defined or understood within the organization. It occurs out of necessity but often not by the right people'. Level 2 is 'Controlled Governance', 'Governance focused on compliance and decisions driven by hierarchical authority. Levels of authority are defined and often driven by regulatory'. Level 3 is 'Agile Governance', 'Governance that is flexible to support different needs and quick response in the organization. Driven by principles and delegated throughout the company'. At the top of the pyramid is level 4 'Automated Governance', 'Governance that is entrenched and automated into organizational processes and product/service design. Empowered and fully delegated governance to maintain fit and drive organizational success and survival'.

2.1.5 Document M&A governance

1-2 hours

Input: List of governing bodies, Governing body committee profiles, Governance structure

Output: Documented method on how decisions are made as it relates to the M&A transaction

Materials: Flip charts/whiteboard, Markers, M&A Buy Playbook

Participants: IT executive/CIO, IT senior leadership, Company M&A team

The purpose of this activity is to determine the method in which decisions are made throughout the M&A transaction as it relates to IT. This will require understanding both governing bodies internal to IT and those external to IT.

  1. First, determine the other governance structures within the organization that will impact the decisions made about M&A. List out these bodies or committees.
  2. Create a profile for each committee that looks at the membership, purpose of the committee, decision areas (authority), and the process of inputs and outputs. Ensure IT committees that will have a role in this process are also documented. Consider the benefits realized, risks, and resources required for each.
  3. Organize the committees into a structure, identifying the committees that have a role in defining the strategy, designing and building, and running.

Record the results in the M&A Buy Playbook.

Current-state structure map – definitions of tiers

Strategy: These groups will focus on decisions that directly connect to the strategic direction of the organization.

Design & Build: The second tier of groups will oversee prioritization of a certain area of governance as well as design and build decisions that feed into strategic decisions.

Run: The lowest level of governance will be oversight of more-specific initiatives and capabilities within IT.

Expect tier overlap. Some committees will operate in areas that cover two or three of these governance tiers.

Measure the IT program’s success in terms of its ability to support the business’ M&A goals

Upper management will measure IT’s success based on your ability to support the underlying reasons for the M&A. Using business metrics will help assure business stakeholders that IT understands their needs and is working with the business to achieve them.

Business-Specific Metrics

  • Revenue Growth: Increase in the top line as seen by market expansion, product expansion, etc. by percentage/time.
  • Synergy Extraction: Reduction in costs as determined by the ability to identify and eliminate redundancies over time.
  • Profit Margin Growth: Increase in the bottom line as a result of increased revenue growth and/or decreased costs over time.

IT-Specific Metrics

  • IT operational savings and cost reductions due to synergies: Operating expenses, capital expenditures, licenses, contracts, applications, infrastructure over time.
  • Reduction in IT staff expense and headcount: Decreased budget allocated to IT staff, and ability to identify and remove redundancies in staff.
  • Meeting or improving on IT budget estimates: Delivering successful IT integration on a budget that is the same or lower than the budget estimated during due diligence.
  • Meeting or improving on IT time-to-integration estimates: Delivering successful IT integration on a timeline that is the same or shorter than the timeline estimated during due diligence.
  • Business capability support: Delivering the end state of IT that supports the expected business capabilities and growth.

Establish your own metrics to gauge the success of IT

Establish SMART M&A Success Metrics

S pecific Make sure the objective is clear and detailed.
M easurable Objectives are measurable if there are specific metrics assigned to measure success. Metrics should be objective.
A ctionable Objectives become actionable when specific initiatives designed to achieve the objective are identified.
R ealistic Objectives must be achievable given your current resources or known available resources.
T ime-Bound An objective without a timeline can be put off indefinitely. Furthermore, measuring success is challenging without a timeline.
  • What should IT consider when looking to identify potential additions, deletions, or modifications that will either add value to the organization or reduce costs/risks?
  • Provide a definition of synergies.
  • IT operational savings and cost reductions due to synergies: Operating expenses, capital expenditures, licenses, contracts, applications, infrastructure.
  • Reduction in IT staff expense and headcount: Decreased budget allocated to IT staff, and ability to identify and remove redundancies in staff.
  • Meeting or improving on IT budget estimates: Delivering successful IT integration on a budget that is the same or lower than the budget estimated during due diligence.
  • Meeting or improving on IT time-to-integration estimates: Delivering successful IT integration on a timeline that is the same or shorter than the timeline estimated during due diligence.
  • Revenue growth: Increase in the top line as a result, as seen by market expansion, product expansion, etc.
  • Synergy extraction: Reduction in costs, as determined by the ability to identify and eliminate redundancies.
  • Profit margin growth: Increase in the bottom line as a result of increased revenue growth and/or decreased costs.

Metrics for each phase

1. Proactive

2. Discovery & Strategy

3. Valuation & Due Diligence

4. Execution & Value Realization

  • % Share of business innovation spend from overall IT budget
  • % Critical processes with approved performance goals and metrics
  • % IT initiatives that meet or exceed value expectation defined in business case
  • % IT initiatives aligned with organizational strategic direction
  • % Satisfaction with IT's strategic decision-making abilities
  • $ Estimated business value added through IT-enabled innovation
  • % Overall stakeholder satisfaction with IT
  • % Percent of business leaders that view IT as an Innovator
  • % IT budget as a percent of revenue
  • % Assets that are not allocated
  • % Unallocated software licenses
  • # Obsolete assets
  • % IT spend that can be attributed to the business (chargeback or showback)
  • % Share of CapEx of overall IT budget
  • % Prospective organizations that meet the search criteria
  • $ Total IT cost of ownership (before and after M&A, before and after rationalization)
  • % Business leaders that view IT as a Business Partner
  • % Defects discovered in production
  • $ Cost per user for enterprise applications
  • % In-house-built applications vs. enterprise applications
  • % Owners identified for all data domains
  • # IT staff asked to participate in due diligence
  • Change to due diligence
  • IT budget variance
  • Synergy target
  • % Satisfaction with the effectiveness of IT capabilities
  • % Overall end-customer satisfaction
  • $ Impact of vendor SLA breaches
  • $ Savings through cost-optimization efforts
  • $ Savings through application rationalization and technology standardization
  • # Key positions empty
  • % Frequency of staff turnover
  • % Emergency changes
  • # Hours of unplanned downtime
  • % Releases that cause downtime
  • % Incidents with identified problem record
  • % Problems with identified root cause
  • # Days from problem identification to root cause fix
  • % Projects that consider IT risk
  • % Incidents due to issues not addressed in the security plan
  • # Average vulnerability remediation time
  • % Application budget spent on new build/buy vs. maintenance (deferred feature implementation, enhancements, bug fixes)
  • # Time (days) to value realization
  • % Projects that realized planned benefits
  • $ IT operational savings and cost reductions that are related to synergies/divestitures
  • % IT staff–related expenses/redundancies
  • # Days spent on IT integration
  • $ Accurate IT budget estimates
  • % Revenue growth directly tied to IT delivery
  • % Profit margin growth

2.1.6 Create program metrics

1-2 hours

Input: IT capabilities, Mission, vision, and guiding principles, Rationale for the acquisition

Output: Program metrics to support IT throughout the M&A process

Materials: Flip charts/whiteboard, Markers, M&A Buy Playbook

Participants: IT executive/CIO, IT senior leadership, Company M&A team

The purpose of this activity is to determine how IT’s success throughout a growth transaction will be measured and determined.

  1. Document a list of appropriate metrics on the whiteboard. Remember to include metrics that demonstrate the business impact. You can use the sample metrics listed on the previous slide as a starting point.
  2. Set a target and deadline for each metric. This will help the group determine when it is time to evaluate progression.
  3. Establish a baseline for each metric based on information collected within your organization.
  4. Assign an owner for tracking each metric as well as someone to be accountable for performance.

Record the results in the M&A Buy Playbook.

Discovery & Strategy

Step 2.2

Prepare IT to Engage in the Acquisition

Activities

  • 2.2.1 Establish the integration strategy
  • 2.2.2 Conduct a RACI
  • 2.2.3 Create the communication plan
  • 2.2.4 Assess the potential organization(s)

This step involves the following participants:

  • IT executive/CIO
  • IT senior leadership
  • Company M&A team

Outcomes of Step

Identify IT’s plan of action when it comes to the acquisition and align IT’s integration strategy with the business’ M&A strategy.

Integration strategies

There are several IT integration strategies that will help you achieve your target technology environment.

IT Integration Strategies
  • Absorption. Convert the target organization’s strategy, structure, processes, and/or systems to that of the acquiring organization.
  • Best-of-Breed. Pick and choose the most effective people, processes, and technologies to form an efficient operating model.
  • Transformation Retire systems from both organizations and use collective capabilities, data, and processes to create something entirely new.
  • Preservation Retain individual business units that will operate within their own capability. People, processes, and technologies are unchanged.

The approach IT takes will depend on the business objectives for the M&A.

  • Generally speaking, the integration strategy is well understood and influenced by the frequency of and rationale for acquiring.
  • Based on the initiatives generated by each business process owner, you need to determine the IT integration strategy that will best support the desired target technology environment.

Key considerations when choosing an IT integration strategy include:

  • What are the main business objectives of the M&A?
  • What are the key synergies expected from the transaction?
  • What IT integration best helps obtain these benefits?
  • What opportunities exist to position the business for sustainable growth?

Absorption and best-of-breed

Review highlights and drawbacks of absorption and best-of-breed integration strategies

Absorption
    Highlights
  • Recommended for businesses striving to reduce costs and drive efficiency gains.
  • Economies of scale realized through consolidation and elimination of redundant applications.
  • Quickest path to a single company operation and systems as well as lower overall IT cost.
    Drawbacks
  • Potential for disruption of the target company’s business operations.
  • Requires significant business process changes.
  • Disregarding the target offerings altogether may lead to inferior system decisions that do not yield sustainable results.
Best-of-Breed
    Highlights
  • Recommended for businesses looking to expand their market presence or acquire new products. Essentially aligning the two organizations in the same market.
  • Each side has a unique offering but complementing capabilities.
  • Potential for better buy-in from the target because some of their systems are kept, resulting in willingness to
    Drawbacks
  • May take longer to integrate because it tends to present increased complexity that results in higher costs and risks.
  • Requires major integration efforts from both sides of the company. If the target organization is uncooperative, creating the desired technology environment will be difficult.

Transformation and preservation

Review highlights and drawbacks of transformation and preservation integration strategies

Transformation
    Highlights
  • This is the most customized approach, although it is rarely used.
  • It is essential to have an established long-term vision of business capabilities when choosing this path.
  • When executed correctly, this approach presents potential for significant upside and creation of sustainable competitive advantages.
    Drawbacks
  • This approach requires extensive time to implement, and the cost of integration work may be significant.
  • If a new system is created without strategic capabilities, the organizations will not realize long-term benefits.
  • The cost of correcting complexities at later stages in the integration effort may be drastic.
Preservation
    Highlights
  • This approach is appropriate if the merging organizations will remain fairly independent, if there will be limited or no communication between companies, and if the companies’ market strategies, products, and channels are entirely distinct.
  • Environment can be accomplished quickly and at a low cost.
    Drawbacks
  • Impact to each business is minimal, but there is potential for lost synergies and higher operational costs. This may be uncontrollable if the natures of the two businesses are too different to integrate.
  • Reduced benefits and limited opportunities for IT integration.

2.2.1 Establish the integration strategy

1-2 hours

Input: Business integration strategy, Guiding principles, M&A governance

Output: IT’s integration strategy

Materials: Flip charts/whiteboard, Markers, M&A Buy Playbook

Participants: IT executive/CIO, IT senior leadership, Company M&A team

The purpose of this activity is to determine IT’s approach to integration. The approach might differ slightly from transaction to transaction. However, the business’ approach to transactions should give insight into the general integration strategy IT should adopt.

  1. Make sure you have clearly articulated the business objectives for the M&A, the technology end state for IT, and the magnitude of the overall integration.
  2. Review and discuss the highlights and drawbacks of each type of integration.
  3. Use Info-Tech’s Integration Posture Selection Framework on the next slide to select the integration posture that will appropriately enable the business. Consider these questions during your discussion:
    1. What are the main business objectives of the M&A? What key IT capabilities will need to support business objectives?
    2. What key synergies are expected from the transaction? What opportunities exist to position the business for sustainable growth?
    3. What IT integration best helps obtain these benefits?

Record the results in the M&A Buy Playbook.

Integration Posture Selection Framework

Business M&A Strategy

Resultant Technology Strategy

M&A Magnitude (% of Acquirer Assets, Income, or Market Value)

IT Integration Posture

A. Horizontal Adopt One Model ‹10% Absorption
10 to 75% Absorption or Best-of-Breed
›75% Best-of-Breed
B. Vertical Create Links Between Critical Systems Any
  • Preservation (Differentiated Functions)
  • Absorption or Best-of-Breed (Non-Differentiated Functions)
C. Conglomerate Independent Model Any Preservation
D. Hybrid: Horizontal & Conglomerate Independent Model Any Preservation

2.2.2 Conduct a RACI

1-2 hours

Input: IT capabilities, Transition team, Integration strategy

Output: Completed RACI for transition team

Materials: Reference architecture, Organizational structure, Flip charts/whiteboard, Markers, M&A Buy Playbook

Participants: IT executive/CIO, IT senior leadership, Company M&A team

The purpose of this activity is to identify the core accountabilities and responsibilities for the roles identified as critical to your transition team. While there might be slight variation from transaction to transaction, ideally each role should be performing certain tasks.

  1. First, identify a list of critical tasks that need to be completed to support the purchase or acquisition. For example:
    • Communicate with the company M&A team.
    • Identify critical IT risks that could impact the organization after the transaction.
    • Identify key artifacts to collect and review during due diligence.
  2. Next, identify at the activity level which role is accountable or responsible for each activity. Enter an A for accountable, R for responsible, or A/R for both.

Record the results in the M&A Buy Playbook.

Communication and change

Prepare key stakeholders for the potential changes

  • Anytime you are starting a project or program that will depend on users and stakeholders to give up their old way of doing things, change will force people to become novices again, leading to lost productivity and added stress.
  • Change management can improve outcomes for any project where you need people to adopt new tools and procedures, comply with new policies, learn new skills and behaviors, or understand and support new processes.
  • M&As move very quickly, and it can be very difficult to keep track of which stakeholders you need to be communicating with and what you should be communicating.
  • Not all organizations embrace or resist change in the same ways. Base your change communications on your organization’s cultural appetite for change in general.
    • Organizations with a low appetite for change will require more direct, assertive communications.
    • Organizations with a high appetite for change are more suited to more open, participatory approaches.

Three key dimensions determine the appetite for cultural change:

  • Power Distance. Refers to the acceptance that power is distributed unequally throughout the organization.
    In organizations with a high power distance, the unequal power distribution is accepted by the less powerful employees.
  • Individualism. Organizations that score high in individualism have employees who are more independent. Those who score low in individualism fall into the collectivism side, where employees are strongly tied to one another or their groups.
  • Uncertainty Avoidance. Describes the level of acceptance that an organization has toward uncertainty. Those who score high in this area find that their employees do not favor uncertain situations, while those that score low in this area find that their employees are comfortable with change and uncertainty.

2.2.3 Create the communication plan

1-2 hours

Input: IT’s M&A mission, vision, and guiding principles, M&A transition team, IT integration strategy, RACI

Output: IT’s M&A communication plan

Materials: Flip charts/whiteboard, Markers, RACI, M&A Buy Playbook

Participants: IT executive/CIO, IT senior leadership, Company M&A team

The purpose of this activity is to create a communication plan that IT can leverage throughout the initiative.

  1. Create a structured communication plan that allows for continuous communication with the integration management office, senior management, and the business functional heads.
  2. Outline key topics of communication, with stakeholders, inputs, and outputs for each topic.
  3. Review Info-Tech’s example communication plan in the M&A Buy Playbook and update it with relevant information.
  4. Does this communication plan make sense for your organization? What doesn’t make sense? Adjust the communication guide to suit your organization.

Record the results in the M&A Buy Playbook.

Assessing potential organizations

As soon as you have identified organizations to consider, it’s imperative to assess critical risks. Most IT leaders can attest that they will receive little to no notice when they have to assess the IT organization of a potential purchase. As a result, having a standardized template to quickly gauge the value of the business can be critical.

Ways to Assess

  1. News: Assess what sort of news has been announced in relation to the organization. Have they had any risk incidents? Has a critical vendor announced working with them?
  2. LinkedIn: Scan through the LinkedIn profiles of employees. This will give you a sense of what platforms they have based on their employees.
  3. Trends: Some industries will have specific solutions that are relevant and popular. Assess what the key players are (if you don’t already know) to determine the solution.
  4. Business Architecture: While this assessment won’t perfect, try to understand the business’ value streams and the critical business and IT capabilities that would be needed to support them.

2.2.4 Assess the potential organization(s)

1-2 hours

Input: Publicized historical risk events, Solutions and vendor contracts likely in the works, Trends

Output: IT’s valuation of the potential organization(s) for acquisition

Materials: M&A Buy Playbook

Participants: IT executive/CIO

The purpose of this activity is to assess the organization(s) that your organization is considering purchasing.

  1. Complete the Historical Valuation Worksheet in the M&A Buy Playbook to understand the type of IT organization that your company may inherit and need to integrate with.
    • The business likely isn’t looking for in-depth details at this time. However, as the IT leader, it is your responsibility to ensure critical risks are identified and communicated to the business.
  2. Use the information identified to help the business narrow down which organizations should be targeted for the acquisition.

Record the results in the M&A Buy Playbook.

By the end of this pre-transaction phase you should:

Have a program plan for M&As and a repeatable M&A strategy for IT when engaging in growth transactions

Key outcomes from the Discovery & Strategy phase
  • Be prepared to analyze and recommend potential organizations that the business can acquire or merge with, using a strong program plan that can be repeated across transactions.
  • Create a M&A strategy that accounts for all the necessary elements of a transaction and ensures sufficient governance, capabilities, and metrics exist.
Key deliverables from the Discovery & Strategy phase
  • Create vision and mission statements
  • Establish guiding principles
  • Create a future-state operating model
  • Identify the key roles for the transaction team
  • Identify and communicate the M&A governance
  • Determine target metrics
  • Identify the M&A operating model
  • Select the integration strategy framework
  • Conduct a RACI for key transaction tasks for the transaction team
  • Document the communication plan

M&A Buy Blueprint

Phase 3

Due Diligence & Preparation

Phase 1Phase 2

Phase 3

Phase 4
  • 1.1 Identify Stakeholders and Their Perspective of IT
  • 1.2 Assess IT’s Current Value and Future State
  • 1.3 Drive Innovation and Suggest Growth Opportunities
  • 2.1 Establish the M&A Program Plan
  • 2.2 Prepare IT to Engage in the Acquisition
  • 3.1 Assess the Target Organization
  • 3.2 Prepare to Integrate
  • 4.1 Execute the Transaction
  • 4.2 Reflection and Value Realization

This phase will walk you through the following activities:

  • Drive value with a due diligence charter
  • Identify data room artifacts
  • Assess technical debt
  • Valuate the target IT organization
  • Assess culture
  • Prioritize integration tasks
  • Establish the integration roadmap
  • Identify the needed workforce supply
  • Estimate integration costs
  • Create an employee transition plan
  • Create functional workplans for employees
  • Align project metrics with identified tasks

This phase involves the following participants:

  • IT executive/CIO
  • IT senior leadership
  • Company M&A team
  • Business leaders
  • Prospective IT organization
  • Transition team

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

Pre-Work

Day 1

Day 2

Day 3

Day 4

Day 5

Establish the Transaction FoundationDiscover the Motivation for IntegrationAssess the Target Organization(s)Create the Valuation FrameworkPlan the Integration RoadmapNext Steps and Wrap-Up (offsite)

Activities

  • 0.1 Identify the rationale for the company's decisions to pursue an acquisition.
  • 0.2 Identify key stakeholders and determine the IT transaction team.
  • 0.3 Gather and evaluate the M&A strategy, future-state operating model, and governance.
  • 1.1 Review the business rationale for the acquisition.
  • 1.2 Identify pain points and opportunities tied to the acquisition.
  • 1.3 Establish the integration strategy.
  • 1.4 Create the due diligence charter.
  • 2.1 Create a list of IT artifacts to be reviewed in the data room.
  • 2.2 Conduct a technical debt assessment.
  • 2.3 Assess the current culture and identify the goal culture.
  • 2.4 Identify the needed workforce supply.
  • 3.1 Valuate the target organization’s data.
  • 3.2 Valuate the target organization’s applications.
  • 3.3 Valuate the target organization’s infrastructure.
  • 3.4 Valuate the target organization’s risk and security.
  • 3.5 Combine individual valuations to make a single framework.
  • 4.1 Prioritize integration tasks.
  • 4.2 Establish the integration roadmap.
  • 4.3 Establish and align project metrics with identified tasks.
  • 4.4 Estimate integration costs.
  • 5.1 Complete in-progress deliverables from previous four days.
  • 5.2 Set up review time for workshop deliverables and to discuss next steps.

Deliverables

  1. IT strategy
  2. IT operating model
  3. IT governance structure
  4. M&A transaction team
  1. Business context implications for IT
  2. Integration strategy
  3. Due diligence charter
  1. Data room artifacts
  2. Technical debt assessment
  3. Culture assessment
  4. Workforce supply identified
  1. IT valuation framework to assess target organization(s)
  1. Integration roadmap and associated resourcing
  1. Acquisition integration strategy for IT

What is the Due Diligence & Preparation phase?

Mid-transaction state

The Due Diligence & Preparation phase during an acquisition is a critical time for IT. If IT fails to proactively participate in this phase, IT will have to merely react to integration expectations set by the business.

While not all IT organizations are able to participate in this phase, the evolving nature of M&As to be driven by digital and technological capabilities increases the rationale for IT being at the table. Identifying critical IT risks, which will inevitably be business risks, begins during the due diligence phase.

This is also the opportunity for IT to plan how it will execute the planned integration strategy. Having access to critical information only available in data rooms will further enable IT to successfully plan and execute the acquisition to deliver the value the business is seeking through a growth transaction.

Goal: To thoroughly evaluate all potential risks associated with the organization(s) being pursued and create a detailed plan for integrating the IT environments

Due Diligence Prerequisite Checklist

Before coming into the Due Diligence & Preparation phase, you must have addressed the following:

  • Understand the rationale for the company's decisions to pursue an acquisition and what opportunities or pain points the acquisition should alleviate.
  • Identify the key roles for the transaction team.
  • Identify the M&A governance.
  • Determine target metrics.
  • Select an integration strategy framework.
  • Conduct a RACI for key transaction tasks for the transaction team.

Before coming into the Due Diligence & Preparation phase, we recommend addressing the following:

  • Create vision and mission statements.
  • Establish guiding principles.
  • Create a future-state operating model.
  • Identify the M&A operating model.
  • Document the communication plan.
  • Examine the business perspective of IT.
  • Identify key stakeholders and outline their relationship to the M&A process.
  • Be able to valuate the IT environment and communicate IT’s value to the business.

The Technology Value Trinity

Delivery of Business Value & Strategic Needs

  • Digital & Technology Strategy
    The identification of objectives and initiatives necessary to achieve business goals.
  • IT Operating Model
    The model for how IT is organized to deliver on business needs and strategies.
  • Information & Technology Governance
    The governance to ensure the organization and its customers get maximum value from the use of information and technology.

All three elements of the Technology Value Trinity work in harmony to deliver business value and achieve strategic needs. As one changes, the others need to change as well.

  • Digital and IT Strategy tells you what you need to achieve to be successful.
  • IT Operating Model and Organizational Design is the alignment of resources to deliver on your strategy and priorities.
  • Information & Technology Governance is the confirmation of IT’s goals and strategy, which ensures the alignment of IT and business strategy. It’s the mechanism by which you continuously prioritize work to ensure that what is delivered is in line with the strategy. This oversight evaluates, directs, and monitors the delivery of outcomes to ensure that the use of resources results in the achieving the organization’s goals.

Too often strategy, operating model and organizational design, and governance are considered separate practices. As a result, “strategic documents” end up being wish lists, and projects continue to be prioritized based on who shouts the loudest – not based on what is in the best interest of the organization.

Due Diligence & Preparation

Step 3.1

Assess the Target Organization

Activities

  • 3.1.1 Drive value with a due diligence charter
  • 3.1.2 Identify data room artifacts
  • 3.1.3 Assess technical debt
  • 3.1.4 Valuate the target IT organization
  • 3.1.5 Assess culture

This step involves the following participants:

  • IT executive/CIO
  • IT senior leadership
  • Company M&A team
  • Business leaders
  • Prospective IT organization
  • Transition team

Outcomes of Step

This step of the process is when IT should actively evaluate the target organization being pursued for acquisition.

3.1.1 Drive value with a due diligence charter

1-2 hours

Input: Key roles for the transaction team, M&A governance, Target metrics, Selected integration strategy framework, RACI of key transaction tasks for the transaction team

Output: IT Due Diligence Charter

Materials: M&A Buy Playbook

Participants: IT executive/CIO, IT senior leadership, Company M&A team

The purpose of this activity is to create a charter leveraging the items completed in the previous phase, as listed on the Due Diligence Prerequisite Checklist slide, to gain executive sign-off.

  1. In the IT Due Diligence Charter in the M&A Buy Playbook, complete the aspects of the charter that are relevant for you and your organization.
  2. We recommend including these items in the charter:
    • Communication plan
    • Transition team roles
    • Goals and metrics for the transaction
    • Integration strategy
    • Acquisition RACI
  3. Once the charter has been completed, ensure that business executives agree to the charter and sign off on the plan of action.

Record the results in the M&A Buy Playbook.

3.1.2 Identify data room artifacts

4 hours

Input: Future-state operating model, M&A governance, Target metrics, Selected integration strategy framework, RACI of key transaction tasks for the transaction team

Output: List of items to acquire and review in the data room

Materials: Critical domain lists on following slides, M&A Buy Playbook

Participants: IT executive/CIO, IT senior leadership, Company M&A team, Transition team

The purpose of this activity is to create a list of the key artifacts that should be asked for and reviewed during the due diligence process.

  1. Review the lists on the following pages as a starting point. Identify which domains, stakeholders, artifacts, and information should be requested for the data room. This information should be directed to the target organization.
  2. IT leadership may or may not be asked to enter the data room directly. Therefore, it’s important that you clearly identify these artifacts.
  3. List each question or concern, select the associated workstream in the M&A Buy Playbook, and update the status of the information retrieval.
  4. Use the comments section to document your discoveries or concerns.

Record the results in the M&A Buy Playbook.

Critical domains

Understand the key stakeholders and outputs for each domain

Each critical domain will likely have different stakeholders who know that domain best. Communicate with these stakeholders throughout the M&A process to make sure you are getting accurate information and interpreting it correctly.

Domain

Stakeholders

Key Artifacts

Key Information to request

Business
  • Enterprise Architecture
  • Business Relationship Manager
  • Business Process Owners
  • Business capability map
  • Capability map (the M&A team should be taking care of this, but make sure it exists)
  • Business satisfaction with various IT systems and services
Leadership/IT Executive
  • CIO
  • CTO
  • CISO
  • IT budgets
  • IT capital and operating budgets (from current year and previous year)
Data & Analytics
  • Chief Data Officer
  • Data Architect
  • Enterprise Architect
  • Master data domains, system of record for each
  • Unstructured data retention requirements
  • Data architecture
  • Master data domains, sources, and storage
  • Data retention requirements
Applications
  • Applications Manager
  • Application Portfolio Manager
  • Application Architect
  • Applications map
  • Applications inventory
  • Applications architecture
  • Copy of all software license agreements
  • Copy of all software maintenance agreements
Infrastructure
  • Head of Infrastructure
  • Enterprise Architect
  • Infrastructure Architect
  • Infrastructure Manager
  • Infrastructure map
  • Infrastructure inventory
  • Network architecture (including which data centers host which infrastructure and applications)
  • Inventory (including integration capabilities of vendors, versions, switches, and routers)
  • Copy of all hardware lease or purchase agreements
  • Copy of all hardware maintenance agreements
  • Copy of all outsourcing/external service provider agreements
  • Copy of all service-level agreements for centrally provided, shared services and systems
Products and Services
  • Product Manager
  • Head of Customer Interactions
  • Product lifecycle
  • Product inventory
  • Customer market strategy

Critical domains (continued)

Understand the key stakeholders and outputs for each domain

Domain

Stakeholders

Key Artifacts

Key Information to request

Operations
  • Head of Operations
  • Service catalog
  • Service overview
  • Service owners
  • Access policies and procedures
  • Availability and service levels
  • Support policies and procedures
  • Costs and approvals (internal and customer costs)
IT Processes
  • CIO
  • IT Management
  • VP of IT Governance
  • VP of IT Strategy
  • IT process flow diagram
  • Processes in place and productivity levels (capacity)
  • Critical processes/processes the organization feels they do particularly well
IT People
  • CIO
  • VP of Human Resources
  • IT organizational chart
  • Competency & capacity assessment
  • IT organizational structure (including resources from external service providers such as contractors) with appropriate job descriptions or roles and responsibilities
  • IT headcount and location
Security
  • CISO
  • Security Architect
  • Security posture
  • Information security staff
  • Information security service providers
  • Information security tools
  • In-flight information security projects
Projects
  • Head of Projects
  • Project portfolio
  • List of all future, ongoing, and recently completed projects
Vendors
  • Head of Vendor Management
  • License inventory
  • Inventory (including what will and will not be transitioning, vendors, versions, number of licenses)

Assess the target organization’s technical debt

The other organization could be costly to purchase if not yet modernizing.

  • Consider the potential costs that your business will have to spend to get the other IT organization modernized or even digital.
  • This will be highly affected by your planned integration strategy.
  • A best-of-breed strategy might simply mean there's little to bring over from the other organization’s environment.
  • It’s often challenging to identify a direct financial cost for technical debt. Consider direct costs but also assess categories of impact that can have a long-term effect on your business: lost customer, staff, or business partner goodwill; limited flexibility and resilience; and health, safety, and compliance impacts.
  • Use more objective measures to track subjective impact. For example, consider the number of customers who could be significantly affected by each tech debt in the next quarter.

Focus on solving the problems you need to address.

Analyzing technical debt has value in that the analysis can help your organization make better risk management and resource allocation decisions.

Review these examples of technical debt

Do you have any of these challenges?

Applications
  • Inefficient or incomplete code
  • Fragile or obsolete systems of record that limit the implementation of new functionality
  • Out-of-date IDEs or compilers
  • Unsupported applications
Data & Analytics
  • Data presented via API that does not conform to chosen standards (EDI, NRF-ARTS, etc.)
  • Poor data governance
  • No transformation between OLTP and the data warehouse
  • Heavy use of OLTP for reporting
  • Lack of AI model and decision governance, maintenance
End-User Computing
  • Aging and slow equipment
  • No configuration management
  • No MDM/UEM
Security
  • Unpatched/unpatchable systems
  • Legacy firewalls
  • No data classification system
  • “Perimeter” security architecture
  • No documented security incident response
  • No policies, or unenforced policies
Operations
  • Incomplete, ineffective, or undocumented business continuity and disaster recovery plans
  • Insufficient backups or archiving
  • Inefficient MACD processes
  • Application sprawl with no record of installed applications or licenses
  • No ticketing or ITSM system
  • No change management process
  • No problem management process
  • No event/alert management
Infrastructure
  • End-of-life/unsupported equipment
  • Aging power or cooling systems
  • Water- or halon-based data center fire suppression systems
  • Out-of-date firmware
  • No DR site
  • Damaged or messy cabling
  • Lack of system redundancy
  • Integrated computers on business equipment (e.g. shop floor equipment, medical equipment) running out-of-date OS/software
Project & Portfolio Management
  • No project closure process
  • Ineffective project intake process
  • No resource management practices

“This isn’t a philosophical exercise. Knowing what you want to get out of this analysis informs the type of technical debt you will calculate and the approach you will take.” (Scott Buchholz, CTO, Deloitte Government & Public Services Practice, The Wall Street Journal, 2015)

3.1.3 Assess technical debt

1-2 hours

Input: Participant views on organizational tech debt, Five to ten key technical debts, Business impact scoring scales, Reasonable next-quarter scenarios for each technical debt, Technical debt business impact analysis

Output: Initial list of tech debt for the target organization

Materials: Whiteboard, Sticky notes, Technical Debt Business Impact Analysis Tool, M&A Buy Playbook

Participants: IT executive/CIO, IT senior leadership, Business leaders, Transition team

The purpose of this activity is to assess the technical debt of the other IT organization. Taking on unnecessary technical debt is one of the biggest risks to the IT environment

  1. This activity can be completed by leveraging the blueprint Manage Your Technical Debt, specifically the Technical Debt Business Impact Analysis Tool. Complete the following activities in the blueprint:
    • 1.2.1 Identify your technical debt
    • 1.2.2 Select tech debt for your impact analysis
    • 2.2.2 Estimate tech debt impact
    • 2.2.3 Identify the most-critical technical debts
  2. Review examples of technical debt in the previous slide to assist you with this activity.
  3. Document the results from tab 3, Impact Analysis, in the M&A Buy Playbook if you are trying to record all artifacts related to the transaction in one place.

Record the results in the M&A Buy Playbook.

How to valuate an IT environment

And why it matters so much

  • Valuating the target organization’s IT environment is a critical step to fully understand what it might be worth. Business partners are often not in the position to valuate the IT aspects to the degree that you would be.
  • The business investments in IT can be directly translated to a value amount. Meaning for every $1 invested in IT, the business might be gaining $100 in value back or possibly even loosing $100.
  • Determining, documenting, and communicating this information ensures that the business takes IT’s suggestions seriously and recognizes why investing in IT can be so critical.
  • There are three ways a business or asset can be valuated:
    • Cost Approach: Look at the costs associated with building, purchasing, replacing, and maintaining a given aspect of the business.
    • Market Approach: Look at the relative value of a particular aspect of the business. Relative value can fluctuate and depends on what the markets and consequently society believe that particular element is worth.
    • Discounted Cash Flow Approach: Focus on what the potential value of the business could be or the intrinsic value anticipated due to future profitability.

The IT valuation conducted during due diligence can have a significant impact on the final financials of the transaction for the business.

3.1.4 Valuate the target IT organization

1 day

Input: Valuation of data, Valuation of applications, Valuation of infrastructure and operations, Valuation of security and risk

Output: Valuation of target organization’s IT

Materials: Relevant templates/tools, Capital budget, Operating budget, M&A Buy Playbook

Participants: IT executive/CIO, IT senior leadership, Prospective IT organization

The purpose of this activity is to valuate the other IT organization.

  1. Review each of slides 42 to 45 to generate a valuation of IT’s data, applications, infrastructure, and security and risk. These valuations consider several tangible and intangible factors and result in a final dollar amount. For more information on this activity, review Activity 1.2.1 from the Proactive phase.
  2. Identify financial amounts for each critical area and add the financial output to the summary slide in the M&A Buy Playbook.
  3. Compare this information against your own IT organization’s valuation.
    1. Does it add value to your IT organization?
    2. Is there too much risk to accept if this transaction goes through?

Info-Tech Insight

Consistency is key when valuating your IT organization as well as other IT organizations throughout the transaction process.

Record the results in the M&A Buy Playbook.

Culture should not be overlooked, especially as it relates to the integration of IT environments

  • There are three types of culture that need to be considered.
  • Most importantly, this transition is an opportunity to change the culture that might exist in your organization’s IT environment.
  • Make a decision on which type of culture you’d like IT to have post-transition.

Target Organization’s Culture

The culture that the target organization is currently embracing. Their established and undefined governance practices will lend insight into this.

Your Organization’s Culture

The culture that your organization is currently embracing. Examine people’s attitudes and behaviors within IT toward their jobs and the organization.

Ideal Culture

What will the future culture of the IT organization be once integration is complete? Are there aspects that your current organization and the target organization embrace that are worth considering?

Culture categories

Map the results of the IT Culture Diagnostic to an existing framework

Competitive
  • Autonomy
  • Confront conflict directly
  • Decisive
  • Competitive
  • Achievement oriented
  • Results oriented
  • High performance expectations
  • Aggressive
  • High pay for good performance
  • Working long hours
  • Having a good reputation
  • Being distinctive/different
Innovative
  • Adaptable
  • Innovative
  • Quick to take advantage of opportunities
  • Risk taking
  • Opportunities for professional growth
  • Not constrained by rules
  • Tolerant
  • Informal
  • Enthusiastic
Traditional
  • Stability
  • Reflective
  • Rule oriented
  • Analytical
  • High attention to detail
  • Organized
  • Clear guiding philosophy
  • Security of employment
  • Emphasis on quality
  • Focus on safety
Cooperative
  • Team oriented
  • Fair
  • Praise for good performance
  • Supportive
  • Calm
  • Developing friends at work
  • Socially responsible

Culture Considerations

  • What culture category was dominant for each IT organization?
  • Do you share the same dominant category?
  • Is your current dominant culture category the most ideal to have post-integration?

3.1.5 Assess Culture

3-4 hours

Input: Cultural assessments for current IT organization, Cultural assessment for target IT organization

Output: Goal for IT culture

Materials: IT Culture Diagnostic, M&A Buy Playbook

Participants: IT executive/CIO, IT senior leadership, IT employees of current organization, IT employees of target organization, Company M&A team

The purpose of this activity is to assess the different cultures that might exist within the IT environments of both organizations. More importantly, your IT organization can select its desired IT culture for the long term if it does not already exist.

  1. Complete this activity by leveraging the blueprint Fix Your IT Culture, specifically the IT Culture Diagnostic. Fill out the diagnostic for the IT department in your organization:
    1. Answer the 16 questions in tab 2, Diagnostic.
    2. Find out your dominant culture and review recommendations in tab 3, Results.
  2. Document the results from tab 3, Results, in the M&A Buy Playbook if you are trying to record all artifacts related to the transaction in one place.
  3. Repeat the activity for the target organization.
  4. Leverage the information to determine what the goal for the culture of IT will be post-integration if it will differ from the current culture.

Record the results in the M&A Buy Playbook.

Due Diligence & Preparation

Step 3.2

Prepare to Integrate

Activities

  • 3.2.1 Prioritize integration tasks
  • 3.2.2 Establish the integration roadmap
  • 3.2.3 Identify the needed workforce supply
  • 3.2.4 Estimate integration costs
  • 3.2.5 Create an employee transition plan
  • 3.2.6 Create functional workplans for employees
  • 3.2.7 Align project metrics with identified tasks

This step involves the following participants:

  • IT executive/CIO
  • IT senior leadership
  • Transition team
  • Company M&A team

Outcomes of Step

Have an established plan of action toward integration across all domains and a strategy toward resources.

Don’t underestimate the importance of integration preparation

Integration is the process of combining the various components of one or more organizations into a single organization.

80% of integration should happen within the first two years. (Source: CIO Dive)

70% of M&A IT integrations fail due to components that could and should be addressed at the beginning. (Source: The Wall Street Journal, 2019)

Info-Tech Insight

Integration is not rationalization. Once the organization has integrated, it can prepare to rationalize the IT environment.

Integration needs

Identify your domain needs to support the target technology environment

Set up a meeting with your IT due diligence team to:

  • Address data, applications, infrastructure, and other domain gaps.
  • Discuss the people and processes necessary to achieve the target technology environment and support M&A business objectives.

Use this opportunity to:

  • Identify data and application complexities between your organization and the target organization.
  • Identify the IT people and process gaps, redundancies, and initiatives.
  • Determine your infrastructure needs and identify redundancies.
    • Does IT have the infrastructure to support the applications and business capabilities of the resultant enterprise?
    • Identify any gaps between the current infrastructure in both organizations and the infrastructure required in the resultant enterprise.
    • Identify any redundancies.
    • Determine the appropriate IT integration strategies.
  • Document your gaps, redundancies, initiatives, and assumptions to help you track and justify the initiatives that must be undertaken and help estimate the cost of integration.

Integration implications

Understand the implications for integration with respect to each target technology environment

Domain

Independent Models

Create Links Between Critical Systems

Move Key Capabilities to Common Systems

Adopt One Model

Data & Analytics

  • Consider data sources that might need to be combined (e.g. financials, email lists, internet).
  • Understand where each organization will warehouse its data and how it will be managed in a cost-effective manner.
  • Consider your reporting and transactional needs. Initially systems may remain separate, but eventually they will need to be merged.
  • Analyze whether or not the data types are compatible between companies.
  • Understand the critical data needs and the complexity of integration activities.
  • Consider your reporting and transactional needs. Initially systems may remain separate, but eventually they will need to be merged.
  • Focus on the master data domains that represent the core of your business.
  • Assess the value, size, location, and cleanliness of the target organization’s data sets.
  • Determine the data sets that will be migrated to capture expected synergies and drive core capabilities while addressing how other data sets will be maintained and managed.
  • Decide which applications to keep and which to terminate. This includes setting timelines for application retirement.
  • Establish interim linkages and common interfaces for applications while major migrations occur.

Applications

  • Establish whether or not there are certain critical applications that still need to be linked (e.g. email, financials).
  • Leverage the unique strengths and functionalities provided by the applications used by each organization.
  • Confirm that adequate documentation and licensing exists.
  • Decide which critical applications need to be linked versus which need to be kept separate to drive synergies. For example, financial, email, and CRM may need to be linked, while certain applications may remain distinct.
  • Pay particular attention to the extent to which systems relating to customers, products, orders, and shipments need to be integrated.
  • Determine the key capabilities that require support from the applications identified by business process owners.
  • Assess which major applications need to be adopted by both organizations, based on the M&A goals.
  • Establish interim linkages and common interfaces for applications while major migrations occur.
  • Decide which applications to keep and which to terminate. This includes setting timelines for application retirement.
  • Establish interim linkages and common interfaces for applications while major migrations occur.

Integration implications (continued)

Understand the implications for integration with respect to each target technology environment

Domain

Independent Models

Create Links Between Critical Systems

Move Key Capabilities to Common Systems

Adopt One Model

Infrastructure

  • Assess the infrastructure demands created by retaining separate models (e.g. separate domains, voice, network integration).
  • Evaluate whether or not there are redundant data centers that could be consolidated to reduce costs.
  • Assess the infrastructure demands created by retaining separate models (e.g. separate domains, voice, network integration).
  • Evaluate whether or not there are redundant data centers that could be consolidated to reduce costs.
  • Evaluate whether certain infrastructure components, such as data centers, can be consolidated to support the new model while also eliminating redundancies. This will help reduce costs.
  • Assess which infrastructure components need to be kept versus which need to be terminated to support the new application portfolio. Keep in mind that increasing the transaction volume on a particular application increases the infrastructure capacity that is required for that application.
  • Extend the network to integrate additional locations.

IT People & Processes

  • Retain workers from each IT department who possess knowledge of key products, services, and legacy systems.
  • Consider whether there are redundancies in staffing that could be eliminated.
  • The IT processes of each organization will most likely remain separate.
  • Consider the impact of the target organization on your IT processes.
  • Retain workers from each IT department who possess knowledge of key products, services, and legacy systems.
  • Consider whether there are redundancies in staffing that could be eliminated.
  • Consider how critical IT processes of the target organization fit with your current IT processes.
  • Identify which redundant staff members should be terminated by focusing on the key skills that will be necessary to support the common systems.
  • If there is overlap with the IT processes in both organizations, you may wish to map out both processes to get a sense for how they might work together.
  • Assess what processes will be prioritized to support IT strategies.
  • Identify which redundant staff members should be terminated by focusing on the key skills that will be necessary to support the prioritized IT processes.

Integration implications (continued)

Understand the implications for integration with respect to each target technology environment

Domain

Independent Models

Create Links Between Critical Systems

Move Key Capabilities to Common Systems

Adopt One Model

Leadership/IT Executive

  • Have insight into the goals and direction of the organization’s leadership. Make sure that a communication path has been established to receive information and provide feedback.
  • The decentralized model will require some form of centralization and strong governance processes to enable informed decisions.
  • Ensure that each area can deliver on its needs while not overstepping the goals and direction of the organization.
  • This will help with integration in the sense that front-line employees can see a single organization beginning to form.
  • In this model, there is the opportunity to select elements of each leadership style and strategy that will work for the larger organization.
  • Leadership can provide a single and unified approach to how the strategic goals will be executed.
  • More often than not, this would be the acquiring organization’s strategic direction.

Vendors

  • Determine which contracts the target organization currently has in place.
  • Having different vendors in place will not be a bad model if it makes sense.
  • Spend time reviewing the contracts and ensuring that each organization has the right contracts to succeed.
  • Identify what redundancies might exist (ERPs, for example) and determine if the vendor would be willing to terminate one contract or another.
  • Through integration, it might be possible to engage in one set of contract negotiations for a single application or technology.
  • Identify whether there are opportunities to combine contracts or if they must remain completely separated until the end of the term.
  • In an effort to capitalize on the contracts working well, reduce the contracts that might be hindering the organization.
  • Speak to the vendor offering the contract.
  • Going forward, ensure the contracts are negotiated to include clauses to allow for easier and more cost-effective integration.

Integration implications (continued)

Understand the implications for integration with respect to each target technology environment

Domain

Independent Models

Create Links Between Critical Systems

Move Key Capabilities to Common Systems

Adopt One Model

Security

  • Both organizations would need to have a process for securing their organization.
  • Sharing and accessing information might be more difficult, as each organization would need to keep the other organization separate to ensure the organization remains secure.
  • Creating standard policies and procedures that each organization must adhere to would be critical here (for example, multifactor authentication).
  • Establish a single path of communication between the two organizations, ensuring reliable and secure data and information sharing.
  • Leverage the same solutions to protect the business as a whole from internal and external threats.
  • Identify opportunities where there might be user points of failure that could be addressed early in the process.
  • Determine what method of threat detection and response will best support the business and select that method to apply to the entire organization, both original and newly acquired.

Projects

  • Projects remain ongoing as they were prior to the integration.
  • Some projects might be made redundant after the initial integration is over.
  • Re-evaluate the projects after integration to ensure they continue to deliver on the business’ strategic direction.
  • Determine which projects are similar to one another and identify opportunities to leverage business needs and solutions for each organization where possible.
  • Review project histories to determine the rationale for and success of projects that could be reused in either organization going forward.
  • Determine which projects should remain ongoing and which projects could wait to be implemented or could be completely stopped.
  • There might be certain modernization projects ongoing that cannot be stopped.
  • However, for all other projects, embrace a single portfolio.
  • Completely reduce or remove all ongoing projects from the one organization and continue with only the projects of the other organization.
  • Add in new projects when they arise as needed.

3.2.1 Prioritize integration tasks

2 hours

Input: Integration tasks, Transition team, M&A RACI

Output: Prioritized integration list

Materials: Integration task checklist, Integration roadmap

Participants: IT executive/CIO, IT senior leadership, Company M&A team

The purpose of this activity is to prioritize the different integration tasks that your organization has identified as necessary to this transaction. Some tasks might not be relevant for this particular transaction, and others might be critical.

  1. Download the SharePoint or Excel version of the M&A Integration Project Management Tool. Identify which integration tasks you want as part of your project plan. Alter or remove any tasks that are irrelevant to your organization. Add in tasks you think are missing.
  2. When deciding criticality of the task, consider the effect on stakeholders, those who are impacted or influenced in the process of the task, and dependencies (e.g. data strategy needs to be addressed first before you can tackle its dependencies, like data quality).
  3. Feel free to edit the way you measure criticality. The standard tool leverages a three-point scale. At the end, you should have a list of tasks in priority order based on criticality.

Record the updates in the M&A Integration Project Management Tool (SharePoint).

Record the updates in the M&A Integration Project Management Tool (Excel).

Integration checklists

Prerequisite Checklist
  • Build the project plan for integration and prioritize activities
    • Plan first day
    • Plan first 30/100 days
    • Plan first year
  • Create an organization-aligned IT strategy
  • Identify critical stakeholders
  • Create a communication strategy
  • Understand the rationale for the acquisition or purchase
  • Develop IT's purchasing strategy
  • Determine goal opportunities
  • Create the mission and vision statements
  • Create the guiding principles
  • Create program metrics
  • Consolidate reports from due diligence/data room
  • Conduct culture assessment
  • Create a transaction team
  • Assess workforce demand and supply
  • Plan and communicate potential layoffs
  • Create an employee transition plan
  • Identify the IT investment
Business
  • Design an enterprise architecture
  • Document your business architecture
  • Identify and assess all of IT's risks
Leadership/IT Executive
  • Build an IT budget
  • Structure operating budget
  • Structure capital budget
  • Identify the needed workforce demand vs. capacity
  • Establish and monitor key metrics
  • Communicate value realized/cost savings
Data
  • Confirm data strategy
  • Confirm data governance
  • Data architecture
  • Data sources
  • Data storage (on-premises vs. cloud)
  • Enterprise content management
  • Compatibility of data types between organizations
  • Cleanliness/usability of target organization data sets
  • Identify data sets that need to be combined to capture synergies/drive core capabilities
  • Reporting and analytics capabilities
Applications
  • Prioritize and address critical applications
    • ERP
    • CRM
    • Email
    • HRIS
    • Financial
    • Sales
    • Risk
    • Security
  • Leverage application rationalization framework to determine applications to keep, terminate, or create
  • Develop method of integrating applications
  • Model critical applications that have dependencies on one another
  • Identify the infrastructure capacity required to support critical applications
Operations
  • Communicate helpdesk/service desk information
  • Manage sales access to customer data
  • Determine locations and hours of operation
  • Consolidate phone lists and extensions
  • Synchronize email address books

Integration checklists (continued)

Infrastructure
  • Determine single network access
  • Manage organization domains
  • Consolidate data centers
  • Compile inventory of vendors, versions, switches, and routers
  • Review hardware lease or purchase agreements
  • Review outsourcing/service provider agreements
  • Review service-level agreements
  • Assess connectivity linkages between locations
  • Plan to migrate to a single email system if necessary
Vendors
  • Establish a sustainable vendor management office
  • Review vendor landscape
  • Identify warranty options
  • Rationalize vendor services and solutions
  • Identify opportunities to mature the security architecture
People
  • Design an IT operating model
  • Redesign your IT organizational structure
  • Conduct a RACI
  • Conduct a culture assessment and identify goal IT culture
  • Build an IT employee engagement program
  • Determine critical roles and systems/process/products they support
  • Create a list of employees to be terminated
  • Create employee transition plans
  • Create functional workplans
Projects
  • Stop duplicate or unnecessary target organization projects
  • Communicate project intake process
  • Prioritize projects
Products & Services
  • Ensure customer services requirements are met
  • Ensure customer interaction requirements are met
  • Select a solution for product lifecycle management
Security
  • Conduct a security assessment of target organization
  • Develop accessibility prioritization and schedule
  • Establish an information security strategy
  • Develop a security awareness and training program
  • Develop and manage security governance, risk, and compliance
  • Identify security budget
  • Build a data privacy and classification program
IT Processes
  • Evaluate current process models
  • Determine productivity/capacity levels of processes
  • Identify processes to be terminated
  • Identify process expectations from target organization
  • Establish a communication plan
  • Develop a change management process
  • Establish/review IT policies

3.2.2 Establish the integration roadmap

2 hours

Input: Prioritized integration tasks, Employee transition plan, Integration RACI, Costs for activities, Activity owners

Output: Integration roadmap

Materials: M&A Integration Project Plan Tool (SharePoint), M&A Integration Project Plan Tool (Excel)

Participants: IT executive/CIO, IT senior leadership, Transition team, Company M&A team

The purpose of this activity is to create a roadmap to support IT throughout the integration process. Using the information gathered in previous activities, you can create a roadmap that will ensure a smooth integration.

  1. Leverage our M&A Integration Project Management Tool to track critical elements of the integration project. There are a few options available:
    1. Follow the instructions on the next slide if you are looking to upload our SharePoint project template.
    2. If you cannot or do not want to use SharePoint as your project management solution, download our Excel version of the tool.
      **Remember that this your tool, so customize to your liking.
  2. Identify who will own or be accountable for each of the integration tasks and establish the time frame for when each project should begin and end. This will confirm which tasks should be prioritized.

Record the updates in the M&A Integration Project Management Tool (SharePoint).

Record the updates in the M&A Integration Project Management Tool (Excel).

Integration Project Management Tool (SharePoint Template)

Follow these instructions to upload our template to your SharePoint environment

  1. Create or use an existing SP site.
  2. Download the M&A Integration Project Plan Tool (SharePoint) .wsp file from the Mergers & Acquisitions: The Buy Blueprint landing page.
  3. To import a template into your SharePoint environment, do the following:
    1. Open PowerShell.
    2. Connect-SPO Service (need to install PowerShell module).
    3. Enter in your tenant admin URL.
    4. Enter in your admin credentials.
    5. Set-SPO Site https://YourDomain.sharepoint.com/sites/YourSiteHe... -DenyAddAndCustomizePages 0
    OR
    1. Turn on both custom script features to allow users to run custom
  4. Screenshot of the 'Custom Script' option for importing a template into your SharePoint environment. Feature description reads 'Control whether users can run custom script on personal sites and self-service created sites. Note: changes to this setting might take up to 24 hours to take effect. For more information, see http://go.microsoft.com/fwlink/?LinkIn=397546'. There are options to prevent or allow users from running custom script on personal/self-service created sites.
  5. Enable the SharePoint Server Standard Site Collection features.
  6. Upload the .wsp file in Solutions Gallery.
  7. Deploy by creating a subsite and select from custom options.
    • Allow or prevent custom script
    • Security considerations of allowing custom script
    • Save, download, and upload a SharePoint site as a template
  8. Refer to Microsoft documentation to understand security considerations and what is and isn’t supported:

For more information, check out the SharePoint Template: Step-by-Step Deployment Guide.

Participate in active workforce planning to transition employees

The chosen IT operating model, primary M&A goals, and any planned changes to business strategy will dramatically impact IT staffing and workforce planning efforts.

Visualization of the three aspects of 'IT workforce planning', as listed below.

IT workforce planning

  • Primary M&A goals
    If the goal of the M&A is cost cutting, then workforce planning will be necessary to identify labor redundancies.
  • Changes to business strategy
    If business strategy will change after the merger, then workforce planning will typically be more involved than if business strategy will not change.
  • Integration strategy
    For independent models, workforce planning will typically be unnecessary.
    For connection of essential systems or absorption, workforce planning will likely be an involved, time-consuming process.
  1. Estimate the headcount you will need through the end of the M&A transition period.
  2. Outline the process you will use to assess staff for roles that have more than one candidate.
  3. Review employees in each department to determine the best fit for each role.
  4. Determine whether terminations will happen all together or in waves.

Info-Tech Insight

Don’t be a short-term thinker when it comes to workforce planning! IT teams that only consider the headcount needed on day one of the new entity will end up scrambling to find skilled resources to fill workforce gaps later in the transition period.

3.2.3 Identify the needed workforce supply

3-4 hours

Input: IT strategy, Prioritized integration tasks

Output: A clear indication of how many resources are required for each role and the number of resources that the organization actually has

Materials: Resource Management Supply-Demand Calculator

Participants: IT executive/CIO, IT senior leadership, Target organization employees, Company M&A team, Transition team

The purpose of this activity is to determine the anticipated amount of work that will be required to support projects (like integration), administrative, and keep-the-lights-on activities.

  1. Download the Resource Management Supply-Demand Calculator.
  2. The calculator requires minimal up-front staff participation: You can obtain meaningful results with participation from as few as one person with insight on the distribution of your resources and their average work week or month.
  3. The calculator will yield a report that shows a breakdown of your annual resource supply and demand, as well as the gap between the supply and demand. Further insight on project and non-project supply and demand are provided.
  4. Repeat the tool several times to identify the needs of your IT environment for day one, day 30/100, and year one. Anticipate that these will change over time. Also, do not forget to obtain this information from the target organization. Given that you will be integrating, it’s important to know how many staff they have in which roles.
  5. **For additional information, please review slides starting from slide 44 in Establish Realistic IT Resource Management Practices to see how to use the tool.

Record the results in the Resource Management Supply-Demand Calculator.

Resource Supply-Demand Calculator Output Example

Example of a 'Resource Management Supply-Demand Analysis Report' with charts and tables measuring Annualized Resource Supply and Demand, Resource Capacity Confidence, Project Capacity, and combinations of those metrics.

Resource Capacity Confidence. This figure is based on your confidence in supply confidence, demand stability, and the supply-demand ratio.

Importance of estimating integration costs

Change is the key driver of integration costs

Integration costs are dependent on the following:
  • Meeting synergy targets – whether that be cost saving or growth related.
    • Employee-related costs, licensing, and reconfiguration fees play a huge part in meeting synergy targets.
  • Adjustments related to compliance or regulations – especially if there are changes to legal entities, reporting requirements, or risk-mitigation standards.
  • Governance or third party–related support required to ensure timelines are met and the integration is a success.
Integration costs vary by industry type.
  • Certain industries may have integration costs made up of mostly one type, differing from other industries, due to the complexity and different demands of the transaction. For example:
    • Healthcare integration costs are mostly driven by regulatory, safety, and quality standards, as well as consolidation of the research and development function.
    • Energy and Utilities tend to have the lowest integration costs due to most transactions occurring within the same sector rather than as a cross-sector investment. For example, oil and gas acquisitions tend to be for oil fields and rigs (strategic fixed assets), which can easily be added to the buyer’s portfolio.

Integration costs are more related to the degree of change required than the size of the transaction.

3.2.4 Estimate integration costs

3-4 hours

Input: Integration tasks, Transition team, Valuation of current IT environment, Valuation of target IT environment, Outputs from data room, Technical debt, Employees

Output: List of anticipated costs required to support IT integration

Materials: Integration task checklist, Integration roadmap, M&A Buy Playbook

Participants: IT executive/CIO, IT senior leadership, Company M&A team, Transition team

The purpose of this activity is to estimate the costs that will be associated with the integration. It’s important to ensure a realistic figure is identified and communicated to the larger M&A team within your company as early in the process as possible. This ensures that the funding required for the transaction is secured and budgeted for in the overarching transaction.

  1. On the associated slide in the M&A Buy Playbook, input:
    • Task
    • Domain
    • Cost type
    • Total cost amount
    • Level of certainty around the cost
  2. Provide a copy of the estimated costs to the company’s M&A team. Also provide any additional information identified earlier to help them understand the importance of those costs.

Record the results in the M&A Buy Playbook.

Employee transition planning

Considering employee impact will be a huge component to ensure successful integration

  • Meet With Leadership
  • Plan Individual and Department Redeployment
  • Plan Individual and Department Layoffs
  • Monitor and Manage Departmental Effectiveness
  • For employees, the transition could mean:
    • Changing from their current role to a new role to meet requirements and expectations throughout the transition.
    • Being laid off because the role they are currently occupying has been made redundant.
  • It is important to plan for what the M&A integration needs will be and what the IT operational needs will be.
  • A lack of foresight into this long-term plan could lead to undue costs and headaches trying to retain critical staff, rehiring positions that were already let go, and keeping redundant employees longer then necessary.

Info-Tech Insight

Being transparent throughout the process is critical. Do not hesitate to tell employees the likelihood that their job may be made redundant. This will ensure a high level of trust and credibility for those who remain with the organization after the transaction.

3.2.5 Create an employee transition plan

3-4 hours

Input: IT strategy, IT organizational design, Resource Supply-Demand Calculator output

Output: Employee transition plans

Materials: M&A Buy Playbook, Whiteboard, Sticky notes, Markers

Participants: IT executive/CIO, IT senior leadership, Company M&A team, Transition team

The purpose of this activity is to create a transition plan for employees.

  1. Transition planning can be done at specific individual levels or more broadly to reflect a single role. Consider these four items in the transition plan:
    • Understand the direction of the employee transitions.
    • Identify employees that will be involved in the transition (moved or laid off).
    • Prepare to meet with employees.
    • Meet with employees.
  2. For each employee that will be facing some sort of change in their regular role, permanent or temporary, create a transition plan.
  3. For additional information on transitioning employees, review the blueprint Streamline Your Workforce During a Pandemic.

**Note that if someone’s future role is a layoff, then there is no need to record anything for skills needed or method for skill development.

Record the results in the M&A Buy Playbook.

3.2.6 Create functional workplans for employees

3-4 hours

Input: Prioritized integration tasks, Employee transition plan, Integration RACI, Costs for activities, Activity owners

Output: Employee functional workplans

Materials: M&A Buy Playbook, Learning and development tools

Participants: IT executive/CIO, IT senior leadership, IT management team, Company M&A team, Transition team

The purpose of this activity is to create a functional workplan for the different employees so that they know what their key role and responsibilities are once the transaction occurs.

  1. First complete the transition plan from the previous activity (3.2.5) and the separation roadmap. Have these documents ready to review throughout this process.
  2. Identify the employees who will be transitioning to a new role permanently or temporarily. Creating a functional workplan is especially important for these employees.
  3. Identify the skills these employees need to have to support the separation. Record this in the corresponding slide in the M&A Buy Playbook.
  4. For each employee, identify someone who will be a point of contact for them throughout the transition.

It is recommended that each employee have a functional workplan. Leverage the IT managers to support this task.

Record the results in the M&A Buy Playbook.

Metrics for integration

Valuation & Due Diligence

  • % Defects discovered in production
  • $ Cost per user for enterprise applications
  • % In-house-built applications vs. enterprise applications
  • % Owners identified for all data domains
  • # IT staff asked to participate in due diligence
  • Change to due diligence
  • IT budget variance
  • Synergy target

Execution & Value Realization

  • % Satisfaction with the effectiveness of IT capabilities
  • % Overall end-customer satisfaction
  • $ Impact of vendor SLA breaches
  • $ Savings through cost-optimization efforts
  • $ Savings through application rationalization and technology standardization
  • # Key positions empty
  • % Frequency of staff turnover
  • % Emergency changes
  • # Hours of unplanned downtime
  • % Releases that cause downtime
  • % Incidents with identified problem record
  • % Problems with identified root cause
  • # Days from problem identification to root cause fix
  • % Projects that consider IT risk
  • % Incidents due to issues not addressed in the security plan
  • # Average vulnerability remediation time
  • % Application budget spent on new build/buy vs. maintenance (deferred feature implementation, enhancements, bug fixes)
  • # Time (days) to value realization
  • % Projects that realized planned benefits
  • $ IT operational savings and cost reductions that are related to synergies/divestitures
  • % IT staff–related expenses/redundancies
  • # Days spent on IT integration
  • $ Accurate IT budget estimates
  • % Revenue growth directly tied to IT delivery
  • % Profit margin growth

3.2.7 Align project metrics with identified tasks

3-4 hours

Input: Prioritized integration tasks, Employee transition plan, Integration RACI, Costs for activities, Activity owners, M&A goals

Output: Integration-specific metrics to measure success

Materials: Roadmap template, M&A Buy Playbook

Participants: IT executive/CIO, IT senior leadership, Transition team

The purpose of this activity is to understand how to measure the success of the integration project by aligning metrics to each identified task.

  1. Review the M&A goals identified by the business. Your metrics will need to tie back to those business goals.
  2. Identify metrics that align to identified tasks and measure achievement of those goals. For each metric you consider, ask the following questions:
    • What is the main goal or objective that this metric is trying to solve?
    • What does success look like?
    • Does the metric promote the right behavior?
    • Is the metric actionable? What is the story you are trying to tell with this metric?
    • How often will this get measured?
    • Are there any metrics it supports or is supported by?

Record the results in the M&A Buy Playbook.

By the end of this mid-transaction phase you should:

Have successfully evaluated the target organization’s IT environment, escalated the acquisition risks and benefits, and prepared IT for integration.

Key outcomes from the Due Diligence & Preparation phase
  • Participate in due diligence activities to accurately valuate the target organization(s) and determine if there are critical risks or benefits the current organization should be aware of.
  • Create an integration roadmap that considers the tasks that will need to be completed and the resources required to support integration.
Key deliverables from the Due Diligence & Preparation phase
  • Establish a due diligence charter
  • Create a list of data room artifacts and engage in due diligence
  • Assess the target organization’s technical debt
  • Valuate the target IT organization
  • Assess and plan for culture
  • Prioritize integration tasks
  • Establish the integration roadmap
  • Identify the needed workforce supply
  • Estimate integration costs
  • Create employee transition plans
  • Create functional workplans for employees
  • Align project metrics with identified tasks

M&A Buy Blueprint

Phase 4

Execution & Value Realization

Phase 1Phase 2Phase 3

Phase 4

  • 1.1 Identify Stakeholders and Their Perspective of IT
  • 1.2 Assess IT’s Current Value and Future State
  • 1.3 Drive Innovation and Suggest Growth Opportunities
  • 2.1 Establish the M&A Program Plan
  • 2.2 Prepare IT to Engage in the Acquisition
  • 3.1 Assess the Target Organization
  • 3.2 Prepare to Integrate
  • 4.1 Execute the Transaction
  • 4.2 Reflection and Value Realization

This phase will walk you through the following activities:

  • Rationalize the IT environment
  • Continually update the project plan
  • Confirm integration costs
  • Review IT’s transaction value
  • Conduct a transaction and integration SWOT
  • Review the playbook and prepare for future transactions

This phase involves the following participants:

  • IT executive/CIO
  • IT senior leadership
  • Vendor management team
  • IT transaction team
  • Company M&A team

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

Pre-Work

Day 1

Day 2

Day 3

Engage in Integration

Day 4

Establish the Transaction FoundationDiscover the Motivation for IntegrationPlan the Integration RoadmapPrepare Employees for the TransitionEngage in IntegrationAssess the Transaction Outcomes (Must be within 30 days of transaction date)

Activities

  • 0.1 Understand the rationale for the company's decisions to pursue an acquisition.
  • 0.2 Identify key stakeholders and determine the IT transaction team.
  • 0.3 Gather and evaluate the M&A strategy, future-state operating model, and governance.
  • 1.1 Review the business rationale for the acquisition.
  • 1.2 Identify pain points and opportunities tied to the acquisition.
  • 1.3 Establish the integration strategy.
  • 1.4 Prioritize Integration tasks.
  • 2.1 Establish the integration roadmap.
  • 2.2 Establish and align project metrics with identified tasks.
  • 2.3 Estimate integration costs.
  • 3.1 Assess the current culture and identify the goal culture.
  • 3.2 Identify the needed workforce supply.
  • 3.3 Create an employee transition plan.
  • 3.4 Create functional workplans for employees.
  • I.1 Complete the integration by regularly updating the project plan.
  • I.2 Begin to rationalize the IT environment where possible and necessary.
  • 4.1 Confirm integration costs.
  • 4.2 Review IT’s transaction value.
  • 4.3 Conduct a transaction and integration SWOT.
  • 4.4 Review the playbook and prepare for future transactions.

Deliverables

  1. IT strategy
  2. IT operating model
  3. IT governance structure
  4. M&A transaction team
  1. Business context implications for IT
  2. Integration strategy
  1. Integration roadmap and associated resourcing
  1. Culture assessment
  2. Workforce supply identified
  3. Employee transition plan
  1. Rationalized IT environment
  2. Updated integration project plan
  1. SWOT of transaction
  2. M&A Buy Playbook refined for future transactions

What is the Execution & Value Realization phase?

Post-transaction state

Once the transaction comes to a close, it’s time for IT to deliver on the critical integration tasks. Set the organization up for success by having an integration roadmap. Retaining critical IT staff throughout this process will also be imperative to the overall transaction success.

Throughout the integration process, roadblocks will arise and need to be addressed. However, by ensuring that employees, technology, and processes are planned for ahead of the transaction, you as IT will be able to weather those unexpected concerns with greater ease.

Now that you as an IT leader have engaged in an acquisition, demonstrating the value IT was able to provide to the process is critical to establishing a positive and respected relationship with other senior leaders in the business. Be prepared to identify the positives and communicate this value to advance the business’ perception of IT.

Goal: To carry out the planned integration activities and deliver the intended value to the business

Execution Prerequisite Checklist

Before coming into the Execution & Value Realization phase, you must have addressed the following:

  • Understand the rationale for the company's decisions to pursue an acquisition and what opportunities or pain points the acquisition should alleviate.
  • Identify the key roles for the transaction team.
  • Identify the M&A governance.
  • Determine target metrics and align to project tasks.
  • Select an integration strategy framework.
  • Conduct a RACI for key transaction tasks for the transaction team.
  • Create a list of data room artifacts and engage in due diligence (directly or indirectly).
  • Prioritize integration tasks.
  • Establish the integration roadmap.
  • Identify the needed workforce supply.
  • Create employee transition plans.

Before coming into the Execution & Value Realization phase, we recommend addressing the following:

  • Create vision and mission statements.
  • Establish guiding principles.
  • Create a future-state operating model.
  • Identify the M&A operating model.
  • Document the communication plan.
  • Examine the business perspective of IT.
  • Identify key stakeholders and outline their relationship to the M&A process.
  • Be able to valuate the IT environment and communicate IT's value to the business.
  • Establish a due diligence charter.
  • Assess the target organization’s technical debt.
  • Valuate the target IT organization.
  • Assess and plan for culture.
  • Estimate integration costs.
  • Create functional workplans for employees.

Integration checklists

Prerequisite Checklist
  • Build the project plan for integration and prioritize activities
    • Plan first day
    • Plan first 30/100 days
    • Plan first year
  • Create an organization-aligned IT strategy
  • Identify critical stakeholders
  • Create a communication strategy
  • Understand the rationale for the acquisition or purchase
  • Develop IT's purchasing strategy
  • Determine goal opportunities
  • Create the mission and vision statements
  • Create the guiding principles
  • Create program metrics
  • Consolidate reports from due diligence/data room
  • Conduct culture assessment
  • Create a transaction team
  • Assess workforce demand and supply
  • Plan and communicate potential layoffs
  • Create an employee transition plan
  • Identify the IT investment
Business
  • Design an enterprise architecture
  • Document your business architecture
  • Identify and assess all of IT's risks
Leadership/IT Executive
  • Build an IT budget
  • Structure operating budget
  • Structure capital budget
  • Identify the needed workforce demand vs. capacity
  • Establish and monitor key metrics
  • Communicate value realized/cost savings
Data
  • Confirm data strategy
  • Confirm data governance
  • Data architecture
  • Data sources
  • Data storage (on-premises vs. cloud)
  • Enterprise content management
  • Compatibility of data types between organizations
  • Cleanliness/usability of target organization data sets
  • Identify data sets that need to be combined to capture synergies/drive core capabilities
  • Reporting and analytics capabilities
Applications
  • Prioritize and address critical applications
    • ERP
    • CRM
    • Email
    • HRIS
    • Financial
    • Sales
    • Risk
    • Security
  • Leverage application rationalization framework to determine applications to keep, terminate, or create
  • Develop method of integrating applications
  • Model critical applications that have dependencies on one another
  • Identify the infrastructure capacity required to support critical applications
Operations
  • Communicate helpdesk/service desk information
  • Manage sales access to customer data
  • Determine locations and hours of operation
  • Consolidate phone lists and extensions
  • Synchronize email address books

Integration checklists (continued)

Infrastructure
  • Determine single network access
  • Manage organization domains
  • Consolidate data centers
  • Compile inventory of vendors, versions, switches, and routers
  • Review hardware lease or purchase agreements
  • Review outsourcing/service provider agreements
  • Review service-level agreements
  • Assess connectivity linkages between locations
  • Plan to migrate to a single email system if necessary
Vendors
  • Establish a sustainable vendor management office
  • Review vendor landscape
  • Identify warranty options
  • Rationalize vendor services and solutions
  • Identify opportunities to mature the security architecture
People
  • Design an IT operating model
  • Redesign your IT organizational structure
  • Conduct a RACI
  • Conduct a culture assessment and identify goal IT culture
  • Build an IT employee engagement program
  • Determine critical roles and systems/process/products they support
  • Create a list of employees to be terminated
  • Create employee transition plans
  • Create functional workplans
Projects
  • Stop duplicate or unnecessary target organization projects
  • Communicate project intake process
  • Prioritize projects
Products & Services
  • Ensure customer services requirements are met
  • Ensure customer interaction requirements are met
  • Select a solution for product lifecycle management
Security
  • Conduct a security assessment of target organization
  • Develop accessibility prioritization and schedule
  • Establish an information security strategy
  • Develop a security awareness and training program
  • Develop and manage security governance, risk, and compliance
  • Identify security budget
  • Build a data privacy and classification program
IT Processes
  • Evaluate current process models
  • Determine productivity/capacity levels of processes
  • Identify processes to be terminated
  • Identify process expectations from target organization
  • Establish a communication plan
  • Develop a change management process
  • Establish/review IT policies

Execution & Value Realization

Step 4.1

Execute the Transaction

Activities

  • 4.1.1 Rationalize the IT environment
  • 4.1.2 Continually update the project plan

This step involves the following participants:

  • IT executive/CIO
  • IT senior leadership
  • Vendor management team
  • IT transaction team
  • Company M&A team

Outcomes of Step

Successfully execute on the integration and strategize how to rationalize the two (or more) IT environments and update the project plan, strategizing against any roadblocks as they might come.

Compile –› Assess –› Rationalize

Access to critical information often does not happen until day one

  • As the transaction comes to a close and the target organization becomes the acquired organization, it’s important to start working on the rationalization of your organization.
  • One of the most important elements will be to have a complete understanding of the acquired organization’s IT environment. Specifically, assess the technology, people, and processes that might exist.
  • This rationalization will be heavily dependent on your planned integration strategy determined in the Discovery & Strategy phase of the process.
  • If your IT organization was not involved until after that phase, then determine whether your organization plans on remaining in its original state, taking on the acquired organization’s state, or forming a best-of-breed state by combining elements.
  • To execute on this, however, a holistic understanding of the new IT environment is required.

Some Info-Tech resources to support this initiative:

  • Reduce and Manage Your Organization’s Insider Threat Risk
  • Build an Application Rationalization Framework
  • Rationalize Your Collaboration Tools
  • Consolidate IT Asset Management
  • Build Effective Enterprise Integration on the Back of Business Process
  • Consolidate Your Data Centers

4.1.1 Rationalize the IT environment

6-12 months

Input: RACI chart, List of critical applications, List of vendor contracts, List of infrastructure assets, List of data assets

Output: Rationalized IT environment

Materials: Software Terms & Conditions Evaluation Tool

Participants: IT executive/CIO, IT senior leadership, Vendor management

The purpose of this activity is to rationalize the IT environment to reduce and eliminate redundant technology.

  1. Compile a list of the various applications and vendor contracts from the acquired organization and the original organization.
  2. Determine where there is repetition. Have a member of the vendor management team review those contracts and identify cost-saving opportunities.

This will not be a quick and easy activity to complete. It will require strong negotiation on the behalf of the vendor management team.

For additional information and support for this activity, see the blueprint Master Contract Review and Negotiations for Software Agreements.

4.1.2 Continually update the project plan

Reoccurring basis following transition

Input: Prioritized integration tasks, Integration RACI, Activity owners

Output: Updated integration project plan

Materials: M&A Integration Project Management Tool

Participants: IT executive/CIO, IT senior leadership, IT transaction team, Company M&A team

The purpose of this activity is to ensure that the project plan is continuously updated as your transaction team continues to execute on the various components outlined in the project plan.

  1. Set a regular cadence for the transaction team to meet, update and review the status of the various integration task items, and strategize how to overcome any roadblocks.
  2. Employ governance best practices in these meetings to ensure decisions can be made effectively and resources allocated strategically.

Record the updates in the M&A Integration Project Management Tool (SharePoint).

Record the updates in the M&A Integration Project Management Tool (Excel).

Execution & Value Realization

Step 4.2

Reflection and Value Realization

Activities

  • 4.2.1 Confirm integration costs
  • 4.2.2 Review IT’s transaction value
  • 4.2.3 Conduct a transaction and integration SWOT
  • 4.2.4 Review the playbook and prepare for future transactions

This step involves the following participants:

  • IT executive/CIO
  • IT senior leadership
  • Transition team
  • Company M&A team

Outcomes of Step

Review the value that IT was able to generate around the transaction and strategize on how to improve future acquisition transactions.

4.2.1 Confirm integration costs

3-4 hours

Input: Integration tasks, Transition team, Previous RACI, Estimated costs

Output: Actual integration costs

Materials: M&A Buy Playbook

Participants: IT executive/CIO, IT senior leadership, IT transaction team, Company M&A team

The purpose of this activity is to confirm the associated costs around integration. While the integration costs would have been estimated previously, it’s important to confirm the costs that were associated with the integration in order to provide an accurate and up-to-date report to the company’s M&A team.

  1. Taking all the original items identified previously in activity 3.2.4, identify if there were changes in the estimated costs. This can be an increase or a decrease.
  2. Ensure that each cost has a justification for why the cost changed from the original estimation.

Record the results in the M&A Buy Playbook.

Track synergy capture through the IT integration

The ultimate goal of the M&A is to achieve and deliver deal objectives. Early in the M&A, IT must identify, prioritize, and execute upon synergies that deliver value to the business and its shareholders. Continue to measure IT’s contribution toward achieving the organization’s M&A goals throughout the integration by keeping track of cost savings and synergies that have been achieved. When these achievements happen, communicate them and celebrate success.

  1. Define Synergy Metrics: Select metrics to track synergies through the integration.
    1. You can track value by looking at percentages of improvement in process-level metrics depending on the synergies being pursued.
    2. For example, if the synergy being pursued is increasing asset utilization, metrics could range from capacity to revenue generated through increased capacity.
  2. Prioritize Synergistic Initiatives: Estimate the cost and benefit of each initiative's implementation to compare the amount of business value to the cost. The benefits and costs should be illustrated at a high level. Estimating the exact dollar value of fulfilling a synergy can be difficult and misleading.
      Steps
    • Determine the benefits that each initiative is expected to deliver.
    • Determine the high-level costs of implementation (capacity, time, resources, effort).
  3. Track Synergy Captures: Develop a detailed workplan to resource the roadmap and track synergy captures as the initiatives are undertaken.

Once 80% of the necessary synergies are realized, executive pressure will diminish. However, IT must continue to work toward the technology end state to avoid delayed progression.

4.2.2 Review IT’s transaction value

3-4 hours

Input: Prioritized integration tasks, Integration RACI, Activity owners, M&A company goals

Output: Transaction value

Materials: M&A Buy Playbook

Participants: IT executive/CIO, IT senior leadership, Company's M&A team

The purpose of this activity is to track how your IT organization performed against the originally identified metrics.

  1. If your organization did not have the opportunity to identify metrics earlier, determine from the company M&A team what those metrics might be. Review activity 3.2.7 for more information on metrics.
  2. Identify whether the metric (which should be used to support a goal) was at, below, or above the original target metric. This is a very critical task for IT to complete because it allows IT to confirm that they were successful engaging in the transaction and that the business can count on them in future transactions.
  3. Be sure to record accurate and relevant information on why the outcomes (good or bad) are supporting the M&A goals that were set out by the business.

Record the results in the M&A Buy Playbook.

4.2.3 Conduct a transaction and integration SWOT

2 hours

Input: Integration costs, Retention rates, Value IT contributed to the transaction

Output: Strengths, weaknesses, opportunities, and threats

Materials: Flip charts, Markers, Sticky notes

Participants: IT executive/CIO, IT senior leadership, Business transaction team

The purpose of this activity is to assess the positive and negative elements of the transaction.

  1. Consider the various internal and external elements that could have impacted the outcome of the transaction.
    • Strengths. Internal characteristics that are favorable as they relate to your development environment.
    • Weaknesses Internal characteristics that are unfavorable or need improvement.
    • Opportunities External characteristics that you may use to your advantage.
    • Threats External characteristics that may be potential sources of failure or risk.

Record the results in the M&A Buy Playbook.

M&A Buy Playbook review

With an acquisition complete, your IT organization is now more prepared then ever to support the business through future M&As

  • Now that the transaction is more than 80% complete, take the opportunity to review the key elements that worked well and the opportunities for improvement in future transactions.
  • Critically examine the M&A Buy Playbook your IT organization created and identify what worked well to help the transaction and where your organization could adjust to do better in future transactions.
  • If your organization were to engage in another acquisition under your IT leadership, how would you go about the transaction to make sure the company meets its goals?

4.2.4 Review the playbook and prepare for future transactions

4 hours

Input: Transaction and integration SWOT

Output: Refined M&A playbook

Materials: M&A Buy Playbook

Participants: IT executive/CIO

The purpose of this activity is to revise the playbook and ensure it is ready to go for future transactions.

  1. Using the outputs from the previous activity, 4.2.3, determine what strengths and opportunities there were that should be leveraged in the next transaction.
  2. Likewise, determine which threats and weaknesses could be avoided in the future transactions.
    Remember, this is your M&A Buy Playbook, and it should reflect the most successful outcome for you in your organization.

Record the results in the M&A Buy Playbook.

By the end of this post-transaction phase you should:

Have completed the integration post-transaction and be fluidly delivering the critical value that the business expected of IT.

Key outcomes from the Execution & Value Realization phase
  • Ensure the integration tasks are being completed and that any blockers related to the transaction are being removed.
  • Determine where IT was able to realize value for the business and demonstrate IT’s involvement in meeting target goals.
Key deliverables from the Execution & Value Realization phase
  • Rationalize the IT environment
  • Continually update the project plan for completion
  • Confirm integration costs
  • Review IT’s transaction value
  • Conduct a transaction and integration SWOT
  • Review the playbook and prepare for future transactions

Summary of Accomplishment

Problem Solved

Congratulations, you have completed the M&A Buy Blueprint!

Rather than reacting to a transaction, you have been proactive in tackling this initiative. You now have a process to fall back on in which you can be an innovative IT leader by suggesting how and why the business should engage in an acquisition. You now have:

  • Created a standardized approach for how your IT organization should address acquisitions.
  • Evaluated the target organizations successfully and established an integration project plan.
  • Delivered on the integration project plan successfully and communicated IT’s transaction value to the business.

Now that you have done all of this, reflect on what went well and what can be improved in case if you have to do this all again in a future transaction.

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

Contact your account representative for more information
workshops@infotech.com 1-888-670-8899

Research Contributors and Experts

Ibrahim Abdel-Kader
Research Analyst | CIO
Info-Tech Research Group
Brittany Lutes
Senior Research Analyst | CIO
Info-Tech Research Group
John Annand
Principal Research Director | Infrastructure
Info-Tech Research Group
Scott Bickley
Principal Research Director | Vendor Management
Info-Tech Research Group
Cole Cioran
Practice Lead | Applications
Info-Tech Research Group
Dana Daher
Research Analyst | Strategy & Innovation
Info-Tech Research Group
Eric Dolinar
Manager | M&A Consulting
Deloitte Canada
Christoph Egel
Director, Solution Design & Deliver
Cooper Tire & Rubber Company
Nora Fisher
Vice President | Executive Services Advisory
Info-Tech Research Group
Larry Fretz
Vice President | Industry
Info-Tech Research Group

Research Contributors and Experts

David Glazer
Vice President of Analytics
Kroll
Jack Hakimian
Senior Vice President | Workshops and Delivery
Info-Tech Research Group
Gord Harrison
Senior Vice President | Research & Advisory
Info-Tech Research Group
Valence Howden
Principal Research Director | CIO
Info-Tech Research Group
Jennifer Jones
Research Director | Industry
Info-Tech Research Group
Nancy McCuaig
Senior Vice President | Chief Technology and Data Office
IGM Financial Inc.
Carlene McCubbin
Practice Lead | CIO
Info-Tech Research Group
Kenneth McGee
Research Fellow | Strategy & Innovation
Info-Tech Research Group
Nayma Naser
Associate
Deloitte
Andy Neill
Practice Lead | Data & Analytics, Enterprise Architecture
Info-Tech Research Group

Research Contributors and Experts

Rick Pittman
Vice President | Research
Info-Tech Research Group
Rocco Rao
Research Director | Industry
Info-Tech Research Group
Mark Rosa
Senior Vice President & Chief Information Officer
Mohegan Gaming and Entertainment
Tracy-Lynn Reid
Research Lead | People & Leadership
Info-Tech Research Group
Jim Robson
Senior Vice President | Shared Enterprise Services (retired)
Great-West Life
Steven Schmidt
Senior Managing Partner Advisory | Executive Services
Info-Tech Research Group
Nikki Seventikidis
Senior Manager | Finance Initiative & Continuous Improvement
CST Consultants Inc.
Allison Straker
Research Director | CIO
Info-Tech Research Group
Justin Waelz
Senior Network & Systems Administrator
Info-Tech Research Group
Sallie Wright
Executive Counselor
Info-Tech Research Group

Bibliography

“5 Ways for CIOs to Accelerate Value During Mergers and Acquisitions.” Okta, n.d. Web.

Altintepe, Hakan. “Mergers and acquisitions speed up digital transformation.” CIO.com, 27 July 2018. Web.

“America’s elite law firms are booming.” The Economist, 15 July 2021. Web.

Barbaglia, Pamela, and Joshua Franklin. “Global M&A sets Q1 record as dealmakers shape post-COVID world.” Nasdaq, 1 April 2021. Web.

Boyce, Paul. “Mergers and Acquisitions Definition: Types, Advantages, and Disadvantages.” BoyceWire, 8 Oct. 2020. Web.

Bradt, George. “83% Of Mergers Fail -- Leverage A 100-Day Action Plan For Success Instead.” Forbes, 27 Jan. 2015. Web.

Capgemini. “Mergers and Acquisitions: Get CIOs, IT Leaders Involved Early.” Channel e2e, 19 June 2020. Web.

Chandra, Sumit, et al. “Make Or Break: The Critical Role Of IT In Post-Merger Integration.” IMAA Institute, 2016. Web.

Deloitte. “How to Calculate Technical Debt.” The Wall Street Journal, 21 Jan. 2015. Web.

Ernst & Young. “IT As A Driver Of M&A Success.” IMAA Institute, 2017. Web.

Fernandes, Nuno. “M&As In 2021: How To Improve The Odds Of A Successful Deal.” Forbes, 23 March 2021. Web.

“Five steps to a better 'technology fit' in mergers and acquisitions.” BCS, 7 Nov. 2019. Web.

Fricke, Pierre. “The Biggest Opportunity You’re Missing During an M&Aamp; IT Integration.” Rackspace, 4 Nov. 2020. Web.

Garrison, David W. “Most Mergers Fail Because People Aren't Boxes.” Forbes, 24 June 2019. Web.

Harroch, Richard. “What You Need To Know About Mergers & Acquisitions: 12 Key Considerations When Selling Your Company.” Forbes, 27 Aug. 2018. Web.

Hope, Michele. “M&A Integration: New Ways To Contain The IT Cost Of Mergers, Acquisitions And Migrations.” Iron Mountain, n.d. Web.

“How Agile Project Management Principles Can Modernize M&A.” Business.com, 13 April 2020. Web.

Hull, Patrick. “Answer 4 Questions to Get a Great Mission Statement.” Forbes, 10 Jan. 2013. Web.

Kanter, Rosabeth Moss. “What We Can Learn About Unity from Hostile Takeovers.” Harvard Business Review, 12 Nov. 2020. Web.

Koller, Tim, et al. “Valuation: Measuring and Managing the Value of Companies, 7th edition.” McKinsey & Company, 2020. Web.

Labate, John. “M&A Alternatives Take Center Stage: Survey.” The Wall Street Journal, 30 Oct. 2020. Web.

Lerner, Maya Ber. “How to Calculate ROI on Infrastructure Automation.” DevOps.com, 1 July 2020. Web.

Loten, Angus. “Companies Without a Tech Plan in M&A Deals Face Higher IT Costs.” The Wall Street Journal, 18 June 2019. Web.

Low, Jia Jen. “Tackling the tech integration challenge of mergers today” Tech HQ, 6 Jan. 2020. Web.

Lucas, Suzanne. “5 Reasons Turnover Should Scare You.” Inc. 22 March 2013. Web.

“M&A Trends Survey: The future of M&A. Deal trends in a changing world.” Deloitte, Oct. 2020. Web.

Maheshwari, Adi, and Manish Dabas. “Six strategies tech companies are using for successful divesting.” EY, 1 Aug. 2020. Web.

Majaski, Christina. “Mergers and Acquisitions: What's the Difference?” Investopedia, 30 Apr. 2021.

“Mergers & Acquisitions: Top 5 Technology Considerations.” Teksetra, 21 Jul. 2020. Web.

“Mergers Acquisitions M&A Process.” Corporate Finance Institute, n.d. Web.

“Mergers and acquisitions: A means to gain technology and expertise.” DLA Piper, 2020. Web.

Nash, Kim S. “CIOs Take Larger Role in Pre-IPO Prep Work.” The Wall Street Journal, 5 March 2015. Web.

Paszti, Laila. “Canada: Emerging Trends In Information Technology (IT) Mergers And Acquisitions.” Mondaq, 24 Oct. 2019. Web.

Patel, Kiison. “The 8 Biggest M&A Failures of All Time” Deal Room, 9 Sept. 2021. Web.

Peek, Sean, and Paula Fernandes. “What Is a Vision Statement?” Business News Daily, 7 May 2020. Web.

Ravid, Barak. “Tech execs focus on growth amid increasingly competitive M&A market.” EY, 28 April 2021. Web.

Resch, Scott. “5 Questions with a Mergers & Acquisitions Expert.” CIO, 25 June 2019. Web.

Salsberg, Brian. “Four tips for estimating one-time M&A integration costs.” EY, 17 Oct. 2019. Web.

Samuels, Mark. “Mergers and acquisitions: Five ways tech can smooth the way.” ZDNet, 15 Aug. 2018. Web.

“SAP Divestiture Projects: Options, Approach and Challenges.” Cognizant, May, 2014. Web.

Steeves, Dave. “7 Rules for Surviving a Merger & Acquisition Technology Integration.” Steeves and Associates, 5 Feb. 2020. Web.

Tanaszi, Margaret. “Calculating IT Value in Business Terms.” CSO, 27 May 2004. Web.

“The CIO Playbook. Nine Steps CIOs Must Take For Successful Divestitures.” SNP, 2016. Web.

“The Role of IT in Supporting Mergers and Acquisitions.” Cognizant, Feb. 2015. Web.

Torres, Roberto. “M&A playbook: How to prepare for the cost, staff and tech hurdles.” CIO Dive, 14 Nov. 2019. Web.

“Valuation Methods.” Corporate Finance Institute, n.d. Web.

Weller, Joe. “The Ultimate Guide to the M&A Process for Buyers and Sellers.” Smartsheet, 16 May 2019. Web.

Reduce Time to Consensus With an Accelerated Business Case

  • Buy Link or Shortcode: {j2store}286|cart{/j2store}
  • member rating overall impact: 9.5/10 Overall Impact
  • member rating average dollars saved: $12,999 Average $ Saved
  • member rating average days saved: 5 Average Days Saved
  • Parent Category Name: Business Analysis
  • Parent Category Link: /business-analysis
  • Enterprise application initiatives are complex, expensive, and require a significant amount of planning before initiation.
  • A financial business case is sometimes used to justify these initiatives.
  • Once the business case (and benefits therein) are approved, the case is forgotten, eliminating a critical check and balance of benefit realization.

Our Advice

Critical Insight

1. Frame the conversation.

Understand the audience and forum for the business case to best frame the conversation.

2. Time-box the process of building the case.

More time should be spent on performing the action rather than building the case.

3. The business case is a living document.

The business case creates the basis for review of the realization of the proposed business benefits once the procurement is complete.

Impact and Result

  • Understand the drivers for decision making in your organization, and the way initiatives are evaluated.
  • Compile a compelling business case that provides decision makers with sufficient information to make decisions confidently.
  • Evaluate proposed enterprise application initiatives “apples-to-apples” using a standardized and repeatable methodology.
  • Provide a mechanism for tracking initiative performance during and after implementation.

Reduce Time to Consensus With an Accelerated Business Case Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should build a business case for enterprise application investments, review Info-Tech’s methodology, and understand how we can support you in completing this project.

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Gather the required information

Complete the necessary preceding tasks to building the business case. Rationalize the initiative under consideration, determine the organizational decision flow following a stakeholder assessment, and conduct market research to understand the options.

  • Reduce Time to Consensus With an Accelerated Business Case – Phase 1: Gather the Required Information
  • Business Case Readiness Checklist
  • Business Case Workbook
  • Request for Information Template
  • Request for Quotation Template

2. Conduct the business case analysis

Conduct a thorough assessment of the initiative in question. Define the alternatives under consideration, identify tangible and intangible benefits for each, aggregate the costs, and highlight any risks.

  • Reduce Time to Consensus With an Accelerated Business Case – Phase 2: Conduct the Business Case Analysis

3. Make the case

Finalize the recommendation based on the analysis and create a business case presentation to frame the conversation for key stakeholders.

  • Reduce Time to Consensus With an Accelerated Business Case – Phase 3: Make the Case
  • Full-Form Business Case Presentation Template
  • Summary Business Case Presentation Template
  • Business Case Change Log
  • Business Case Close-Out Form
[infographic]

Workshop: Reduce Time to Consensus With an Accelerated Business Case

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

1 Plan for Business Case Development

The Purpose

Complete the necessary preceding tasks to building a strong business case.

Key Benefits Achieved

Alignment with business objectives.

Stakeholder buy-in.

Activities

1.1 Map the decision flow in your organization.

1.2 Define the proposed initiative.

1.3 Define the problem/opportunity statement.

1.4 Clarify goals and objectives expected from the initiative.

Outputs

Decision traceability

Initiative summary

Problem/opportunity statement

Business objectives

2 Build the Business Case Model

The Purpose

Put together the key elements of the business case including alternatives, benefits, and costs.

Key Benefits Achieved

Rationalize the business case.

Activities

2.1 Design viable alternatives.

2.2 Identify the tangible and intangible benefits.

2.3 Assess current and future costs.

2.4 Create the financial business case model.

Outputs

Shortlisted alternatives

Benefits tracking model

Total cost of ownership

Impact analysis

3 Enhance the Business Case

The Purpose

Determine more integral factors in the business case such as ramp-up time for benefits realization as well as risk assessment.

Key Benefits Achieved

Complete a comprehensive case.

Activities

3.1 Determine ramp-up times for costs and benefits.

3.2 Identify performance measures and tracking.

3.3 Assess initiative risk.

Outputs

Benefits realization schedule

Performance tracking framework

Risk register

4 Prepare the Business Case

The Purpose

Finalize the recommendation and formulate the business case summary and presentation.

Key Benefits Achieved

Prepare the business case presentation.

Activities

4.1 Choose the alternative to be recommended.

4.2 Create the detailed and summary business case presentations.

4.3 Present and incorporate feedback.

4.4 Monitor and close out.

Outputs

Final recommendation

Business case presentation

Final sign-off

Effectively Manage CxO Relations

  • Buy Link or Shortcode: {j2store}384|cart{/j2store}
  • member rating overall impact: N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • Parent Category Name: Manage Business Relationships
  • Parent Category Link: /manage-business-relationships

With the exponential pace of technological change, an organization's success will depend largely on how well CIOs can evolve from technology evangelists to strategic business partners. This will require CIOs to effectively broker relationships to improve IT's effectiveness and create business value. A confidential journal can help you stay committed to fostering productive relationships while building trust to expand your sphere of influence.

Our Advice

Critical Insight

Highly effective executives have in common the ability to successfully balance three things: time, personal capabilities, and relationships. Whether you are a new CIO or an experienced leader, the relentless demands on your time and unpredictable shifts in the organization’s strategy require a personal game plan to deliver business value. Rather than managing stakeholders one IT project at a time, you need an action plan that is tailored for unique work styles.

Impact and Result

A personal relationship journal will help you:

  • Understand the context in which key stakeholders operate.
  • Identify the best communication approach to engage with different workstyles.
  • Stay committed to fostering relationships through difficult periods.

Effectively Manage CxO Relations Research & Tools

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Effectively Manage CxO Relations Storyboard – A guide to creating a personal action plan to help effectively manage relationships across key stakeholders.

Use this research to create a personal relationship journal in four steps:

  • Effectively Manage CxO Relations Storyboard

2. Personal Relationship Management Journal Template – An exemplar to help you build your personal relationship journal.

Use this exemplar to build a journal that is readily accessible, flexible, and easy to maintain.

  • Personal Relationship Management Journal Template

Infographic

Further reading

Effectively Manage CxO Relations

Make relationship management a daily habit with a personalized action plan.

Analyst Perspective

"Technology does not run an enterprise, relationships do." – Patricia Fripp

As technology becomes increasingly important, an organization's success depends on the evolution of the modern CIO from a technology evangelist to a strategic business leader. The modern CIO will need to leverage their expansive partnerships to demonstrate the value of technology to the business while safeguarding their time and effort on activities that support their strategic priorities. CIOs struggling to transition risk obsolescence with the emergence of new C-suite roles like the Digital Transformation Officer, Chief Digital Officer, Chief Data Officer, and so on.

CIOs will need to flex new social skills to accommodate diverse styles of work and better predict dynamic situations. This means expanding beyond their comfort level to acquire new social skills. Having a clear understanding of one's own work style (preferences, natural tendencies, motivations, and blind spots) is critical to identify effective communication and engagement tactics.

Building trust is an art. Striking a balance between fulfilling your own goals and supporting others will require a carefully curated approach to navigate the myriad of personalities and work styles. A personal relationship journal will help you stay committed through these peaks and troughs to foster productive partnerships and expand your sphere of influence over the long term.

Photo of Joanne Lee
Joanne Lee
Principal, Research Director, CIO Advisory
Info-Tech Research Group

Executive Summary

Your Challenge

In today's unpredictable markets and rapid pace of technological disruptions, CIOs need to create business value by effectively brokering relationships to improve IT's performance. Challenges they face:

  • Operate in silos to run the IT factory.
  • Lack insights into their stakeholders and the context in which they operate.
  • Competing priorities and limited time to spend on fostering relationships.
  • Relationship management programs are narrowly focused on associated change management in IT project delivery.

Common Obstacles

Limited span of influence.

Mistaking formal roles in organizations for influence.

Understanding what key individuals want and, more importantly, what they don't want.

Lack of situational awareness to adapt communication styles to individual preferences and context.

Leveraging different work styles to create a tangible action plan.

Perceiving relationships as "one and done."

Info-Tech's Approach

A personal relationship journal will help you stay committed to fostering productive relationships while building trust to expand your sphere of influence.

  • Identify your key stakeholders.
  • Understand the context in which they operate to define a profile of their mandate, priorities, commitments, and situation.
  • Choose the most effective engagement and communication strategies for different work styles.
  • Create an action plan to monitor and measure your progress.

Info-Tech Insight

Highly effective executives have in common the ability to balance three things: time, personal capabilities, and relationships. Whether you are a new CIO or an experienced leader, the relentless demand on your time and unpredictable shifts in the organization's strategy will require a personal game plan to deliver business value. This will require more than managing stakeholders one IT project at a time: It requires an action plan that fosters relationships over the long term.

Key Concepts

Stakeholder Management
A common term used in project management to describe the successful delivery of any project, program, or activity that is associated with organizational change management. The goal of stakeholder management is intricately tied to the goals of the project or activity with a finite end. Not the focus of this advisory research.

Relationship Management
A broad term used to describe the relationship between two parties (individuals and/or stakeholder groups) that exists to create connection, inclusion, and influence. The goals are typically associated with the individual's personal objectives and the nature of the interaction is seen as ongoing and long-term.

Continuum of Commitment
Info-Tech's framework that illustrates the different levels of commitment in a relationship. It spans from active resistance to those who are committed to actively supporting your personal priorities and objectives. This can be used to baseline where you are today and where you want the relationship to be in the future.

Work Style
A reference to an individual's natural tendencies and expectations that manifest itself in their communication, motivations, and leadership skills. This is not a behavior assessment nor a commentary on different personalities but observable behaviors that can indicate different ways people communicate, interact, and lead.

Glossary
CDxO: Chief Digital Officer
CDO: Chief Data Officer
CxO: C-Suite Executives

The C-suite is getting crowded, and CIOs need to foster relationships to remain relevant

The span of influence and authority for CIOs is diminishing with the emergence of Chief Digital Officers and Chief Data Officers.

63% of CDxOs report directly to the CEO ("Rise of the Chief Digital Officer," CIO.com)

44% of organizations with a dedicated CDxO in place have a clear digital strategy versus 22% of those without a CDxO (KPMG/Harvey Nash CIO Survey)

The "good news": CIOs tend to have a longer tenure than CDxOs.

A diagram that shows the average tenure of C-Suites in years.
Source: "Age and Tenure of C-Suites," Korn Ferry

The "bad news": The c-suite is getting overcrowded with other roles like Chief Data Officer.

A diagram that shows the number of CDOs hired from 2017 to 2021.
Source: "Chief Data Officer Study," PwC, 2022

An image of 7 lies technology executives tell ourselves.

Info-Tech Insight

The digital evolution has created the emergence of new roles like the Chief Digital Officer and Chief Data Officer. They are a response to bridge the skill gap that exists between the business and technology. CIOs need to focus on building effective partnerships to better communicate the business value generated by technology or they risk becoming obsolete.

Create a relationship journal to effectively manage your stakeholders

A diagram of relationship journal

Info-Tech's approach

From managing relationships with friends to key business partners, your success will come from having the right game plan. Productive relationships are more than managing stakeholders to support IT initiatives. You need to effectively influence those who have the potential to champion or derail your strategic priorities. Understanding differences in work styles is fundamental to adapting your communication approach to various personalities and situations.

A diagram that shows from 1.1 to 4.1

A diagram of business archetypes

Summary of Insights

Insight 1: Expand your sphere of influence
It's not just about gaining a volume of acquaintances. Figure out where you want to spend your limited time, energy, and effort to develop a network of professional allies who will support and help you achieve your strategic priorities.

Insight 2: Know thyself first and foremost
Healthy relationships start with understanding your own working style, preferences, and underlying motivations that drive your behavior and ultimately your expectations of others. A win/win scenario emerges when both parties' needs for inclusion, influence, and connection are met or mutually conceded.

Insight 3: Walk a mile in their shoes
If you want to build successful partnerships, you need to understand the context in which your stakeholder operates: their motivations, desires, priorities, commitments, and challenges. This will help you adapt as their needs shift and, moreover, leverage empathy to identify the best tactics for different working styles.

Insight 4: Nurturing relationships is a daily commitment
Building, fostering, and maintaining professional relationships requires a daily commitment to a plan to get through tough times, competing priorities, and conflicts to build trust, respect, and a shared sense of purpose.

Related Info-Tech Research

Supplement your CIO journey with these related blueprints.

Photo of First 100 Days as CIO

First 100 Days as CIO

Photo of Become a Strategic CIO

Become a Strategic CIO

Photo of Improve IT Team Effectiveness

Improve IT Team Effectiveness

Photo of Become a Transformational CIO

Become a Transformational CIO

Executive Brief Case Study

Logo of Multicap Limited

  • Industry: Community Services
  • Source: Scott Lawry, Head of Digital

Conversation From Down Under

What are the hallmarks of a healthy relationship with your key stakeholders?
"In my view, I work with partners like they are an extension of my team, as we rely on each other to achieve mutual success. Partnerships involve a deeper, more intimate relationship, where both parties are invested in the long-term success of the business."

Why is it important to understand your stakeholder's situation?
"It's crucial to remember that every IT project is a business project, and vice versa. As technology leaders, our role is to demystify technology by focusing on its business value. Empathy is a critical trait in this endeavor, as it allows us to see a stakeholder's situation from a business perspective, align better with the business vision and goals, and ultimately connect with people, rather than just technology."

How do you stay committed during tough times?
"I strive to leave emotions at the door and avoid taking a defensive stance. It's important to remain neutral and not personalize the issue. Instead, stay focused on the bigger picture and goals, and try to find a common purpose. To build credibility, it's also essential to fact-check assumptions regularly. By following these principles, I approach situations with a clear mind and better perspective, which ultimately helps achieve success."

Photo of Scott Lawry, Head Of Digital at Multicap Limited

Key Takeaways

In a recent conversation with a business executive about the evolving role of CIOs, she expressed: "It's the worst time to be perceived as a technology evangelist and even worse to be perceived as an average CIO who can't communicate the business value of technology."

This highlights the immense pressure many CIOs face when evolving beyond just managing the IT factory.

The modern CIO is a business leader who can forge relationships and expand their influence to transform IT into a core driver of business value.

Stakeholder Sentiment

Identify key stakeholders and their perception of IT's effectiveness

1.1 Identify Key Stakeholders

A diagram of Identify Key Stakeholders

Identify and prioritize your key stakeholders. Be diligent with stakeholder identification. Use a broad view to identify stakeholders who are known versus those who are "hidden." If stakeholders are missed, then so are opportunities to expand your sphere of influence.

1.2 Understand Stakeholder's Perception of IT

A diagram that shows Info-Tech's Diagnostic Reports and Hospital Authority XYZ

Assess stakeholder sentiments from Info-Tech's diagnostic reports and/or your organization's satisfaction surveys to help identify individuals who may have the greatest influence to support or detract IT's performance and those who are passive observers that can become your greatest allies. Determine where best to focus your limited time amid competing priorities by focusing on the long-term goals that support the organization's vision.

Info-Tech Insight

Understand which individuals can directly or indirectly influence your ability to achieve your priorities. Look inside and out, as you may find influencers beyond the obvious peers or executives in an organization. Influence can result from expansive connections, power of persuasion, and trust to get things done.

Visit Info-Tech's Diagnostic Programs

Activity: Identify and Prioritize Stakeholders

30-60 minutes

1.1 Identify Key Stakeholders

Start with the key stakeholders that are known to you. Take a 360-degree view of both internal and external connections. Leverage external professional & network platforms (e.g. LinkedIn), alumni connections, professional associations, forums, and others that can help flush out hidden stakeholders.

1.2 Prioritize Key Stakeholders

Use stakeholder satisfaction surveys like Info-Tech's Business Vision diagnostic as a starting point to identify those who are your allies and those who have the potential to derail IT's success, your professional brand, and your strategic priorities. Review the results of the diagnostic reports to flush out those who are:

  • Resisters: Vocal about their dissatisfaction with IT's performance and actively sabotage or disrupt
  • Skeptics: Disengaged, passive observers
  • Ambassadors: Aligned but don't proactively support
  • Champions: Actively engaged and will proactively support your success

Consider the following:

  • Influencers may not have formal authority within an organization but have relationships with your stakeholders.
  • Influencers may be hiding in many places, like the coach of your daughter's soccer team who rows with your CEO.
  • Prioritize, i.e. three degrees of separation due to potential diverse reach of influence.

Key Output: Create a tab for your most critical stakeholders.

A diagram that shows profile tabs

Download the Personal Relationship Management Journal Template.

Understand stakeholders' business

Create a stakeholder profile to understand the context in which stakeholders operate.

2.1 Create individual profile for each stakeholder

A diagram that shows different stakeholder questions

Collect and analyze key information to understand the context in which your stakeholders operate. Use the information to derive insights about their mandate, accountabilities, strategic goals, investment priorities, and performance metrics and challenges they may be facing.

Stakeholder profiles can be used to help design the best approach for personal interactions with individuals as their business context changes.

If you are short on time, use this checklist to gather information:

  • Stakeholder's business unit (BU) strategy goals
  • High-level organizational chart
  • BU operational model or capability map
  • Key performance metrics
  • Projects underway and planned
  • Financial budget (if available)
  • Milestone dates for key commitments and events
  • External platforms like LinkedIn, Facebook, Twitter, Slack, Instagram, Meetup, blogs

Info-Tech Insight

Understanding what stakeholders want (and more importantly, what they don't) requires knowing their business and the personal and social circumstances underlying their priorities and behaviors.

Activity: Create a stakeholder profile

30-60 minutes

2.1.0 Understand stakeholder's business context

Create a profile for each of your priority stakeholders to document their business context. Review all the information collected to understand their mandate, core accountability, and business capabilities. The context in which individuals operate is a window into the motivations, pressures, and vested interests that will influence the intersectionality between their expectations and yours.

2.1.1 Document Observable Challenges as Private Notes

Crushing demands and competing priorities can lead to tension and stress as people jockey to safeguard their time. Identify some observable challenges to create greater situational awareness. Possible underlying factors:

  • Sudden shifts/changes in mandate
  • Performance (operations, projects)
  • Finance
  • Resource and talent gaps
  • Politics
  • Personal circumstances
  • Capability gaps/limitations
  • Capacity challenges

A diagram that shows considerations of this activity.

Analyze Stakeholder's Work Style

Adapt communication styles to the situational context in which your stakeholders operate

2.2 Determine the ideal approach for engaging each stakeholder

Each stakeholder has a preferred modality of working which is further influenced by dynamic situations. Some prefer to meet frequently to collaborate on solutions while others prefer to analyze data in solitude before presenting information to substantiate recommendations. However, fostering trust requires:

  1. Understanding your preferred default when engaging others.
  2. Knowing where you need to expand your skills.
  3. Identifying which skills to activate for different professional scenarios.

Adapting your communication style to create productive interactions will require a diverse arsenal of interpersonal skills that you can draw upon as situations shift. The ability to adapt your work style to dial any specific trait up or down will help to increase your powers of persuasion and influence.

"There are only two ways to influence human behavior: you can manipulate it, or you can inspire it." – Simon Sinek

Activity: Identify Engagement Strategies

30 minutes

2.2.0 Establish work styles

Every individual has a preferred style of working. Determine work styles starting with self-awareness:

  • Express myself - How you communicate and interact with others
  • Expression by others - How you want others to communicate and interact with you

Through observation and situational awareness, we can make inferences about people's work style.

  • Observations - Observable traits of other people's work style
  • Situations - Personal and professional circumstances that influence how we communicate and interact with one another

Where appropriate and when opportunities arise, ask individuals directly about their preferred work styles and method for communication. What is their preferred method of communication? During a normal course of interaction vs. for urgent priorities?

2.2.1 Brainstorm possible engagement strategies

Consider the following when brainstorming engagement strategies for different work styles.

A table of involvement, influence, and connection.

Think engagement strategies in different professional scenarios:

  • Meetings - Where and how you connect
  • Communicating - How and what you communicate to create connection
  • Collaborating - What degree of involved in shared activities
  • Persuading - How you influence or direct others to get things done

Expand New Interpersonal Skills

Use the Business Archetypes to brainstorm possible approaches for engaging with different work styles. Additional communication and engagement tactics may need to be considered based on circumstances and changing situations.

A diagram that shows business archetypes and engagement strategies.

Communicate Effectively

Productive communication is a dialogue that requires active listening, tailoring messages to fluid situations, and seeking feedback to adapt.

A diagram of elements that contributes to better align intention and impact

Be Relevant

  • Understand why you need to communicate
  • Determine what you need to convey
  • Tailor your message to what matters to the audience and their context
  • Identify the most appropriate medium based on the situation

Be Consistent and Accurate

  • Say what you mean and mean what you say to avoid duplicity
  • Information should be accurate and complete
  • Communicate truthfully; do not make false promises or hide bad news
  • Don't gossip

Be Clear and Concise

  • Keep it simple and avoid excessive jargon
  • State asks upfront to set intention and transparency
  • Avoid ambiguity and focus on outcomes over details
  • Be brief and to the point or risk losing stakeholder's attention

Be Attentive and Authentic

  • Stay engaged and listen actively
  • Be curious and inquire for clarification or explanation
  • Be flexible to adapt to both verbal and non-verbal cues
  • Be authentic in your approach to sharing yourself
  • Avoid "canned" approaches

A diagram of listen, observe, reflect.


"Good communication is the bridge between confusion and clarity."– Nat Turner (LinkedIn, 2020)

Exemplar: Engaging With Jane

A diagram that shows Exemplar: Engaging With Jane

Exemplar: Engaging With Ali

A diagram that shows Exemplar: Engaging With Ali

Develop an Action Plan

Moving from intent to action requires a plan to ensure you stay committed through the peaks and troughs.

Create Your 120-Day Plan

An action plan example

Key elements of the action plan:

  • Strategic priorities – Your top focus
  • Objective – Your goals
  • 30-60-90-120 Day Topics – Key agenda items
  • Meeting Progress Notes – Key takeaways from meetings
  • Private Notes – Confidential observations

Investing in relationships is a long-term process. You need to accumulate enough trust to trade or establish coalitions to expand your sphere of influence. Even the strongest of professional ties will have their bouts of discord. To remain committed to building the relationship during difficult periods, use an action plan that helps you stay grounded around:

  • Shared purpose
  • Removing emotion from the situation
  • Continuously learning from every interaction

Photo of Angela Diop
"Make intentional actions to set intentionality. Plans are good to keep you grounded and focused especially when relationship go through ups and down and there are changes: to new people and new relationships."
– Angela Diop, Senior Director, Executive Services, Info-Tech & former VP of Information Services with Unity Health Care

Activity: Design a Tailored Action Plan

30-60 minutes

3.1.0 Determine your personal expectations

Establish your personal goals and expectations around what you are seeking from the relationship. Determine the strength of your current connection and identify where you want to move the relationship across the continuum of commitment.

Use insights from your stakeholder's profile to explore their span of influence and degree of interest in supporting your strategic priorities.

3.1.1 Determine what you want from the relationship

Based on your personal goals, identify where you want to move the relationship across the continuum of commitment: What are you hoping to achieve from the relationship? How will this help create a win/win situation for both you and the key stakeholder?

A diagram of Continuum of Commitment.

3.1.2 Identify your metrics for progress

Fostering relationships take time and commitment. Utilizing metrics or personal success criteria for each of your focus areas will help you stay on track and find opportunities to make each engagement valuable instead of being transactional.

A graph that shows influence vs interest.

Make your action plan impactful

Level of Connection

The strength of the relationship will help inform the level of time and effort needed to achieve your goals.

  • Is this a new or existing relationship?
  • How often do you connect with this individual?
  • Are the connections driven by a shared purpose or transactional as needs arise?

Focus on Relational Value

Cultivate your network and relationship with the goal of building emotional connection, understanding, and trust around your shared purpose and organization's vision through regular dialogue. Be mindful of transactional exchanges ("quid pro quo") to be strategic about its use. Treat every interaction as equally important regardless of agenda, duration, or channel of communication.

Plan and Prepare

Everyone's time is valuable, and you need to come prepared with a clear understanding of why you are engaging. Think about the intentionality of the conversation:

  • Gain buy-in
  • Create transparency
  • Specific ask
  • Build trust and respect
  • Provide information to clarify, clear, or contain a situation

Non-Verbal Communication Matters

Communication is built on both overt expressions and subtext. While verbal communication is the most recognizable form, non-lexical components of verbal communication (i.e. paralanguage) can alter stated vs. intended meaning. Engage with the following in mind:

  • Tone, pitch, speed, and hesitation
  • Facial expressions and gestures
  • Choice of channel for engagement

Exemplar: Action Plan for VP, Digital

A diagram that shows Exemplar: Action Plan for VP, Digital

Make Relationship Management a Daily Habit

Management plans are living documents and need to be flexible to adapt to changes in stakeholder context.

Monitor and Adjust to Communicate Strategically

A diagram that shows Principles for Effective Communication and Key Measures

Building trust takes time and commitment. Treat every conversation with your key stakeholders as an investment in building the social capital to expand your span of influence when and where you need it to go. This requires making relationship management a daily habit. Action plans need to be a living document that is your personal journal to document your observations, feelings, and actions. Such a plan enables you to make constant adjustments along the relationship journey.

"Without involvement, there is no commitment. Mark it down, asterisk it, circle it, underline it."– Stephen Convey (LinkedIn, 2016)

Capture some simple metrics

If you can't measure your actions, you can't manage the relationship.

An example of measures: what, why, how - metrics, and intended outcome.

While a personal relationship journal is not a formal performance management tool, identifying some tangible measures will improve the likelihood of aligning your intent with outcomes. Good measures will help you focus your efforts, time, and resources appropriately.

Keep the following in mind:

  1. WHAT are you trying to measure?
    Specific to the situation or scenario
  2. WHY is this important?
    Relevant to your personal goals
  3. HOW will you measure?
    Achievable and quantifiable
  4. WHAT will the results tell you?
    Intended outcome that is directional

Summary of accomplishments

Knowledge Gained

  • Relationship management is critical to a CIO's success
  • A personal relationship journal will help build:
    • Customized approach to engaging stakeholders
    • New communication skills to adapt to different work styles

New Concepts

  • Work style assessment framework and engagement strategies
  • Effective communication strategies
  • Continuum of commitment to establish personal goals

Approach to Creating a Personal Journal

  • Step-by-step approach to create a personal journal
  • Key elements for inclusion in a journal
  • Exemplar and recommendations

Related Info-Tech Research

Photo of Tech Trends and Priorities Research Centre

Tech Trends and Priorities Research Centre

Access Info-Tech's Tech Trend reports and research center to learn about current industry trends, shifts in markets, and disruptions that are impacting your industry and sector. This is a great starting place to gain insights into how the ecosystem is changing your business and the role of IT within it.

Photo of Embed Business Relationship Management in IT

Embed Business Relationship Management in IT

Create a business relationship management (BRM) function in your program to foster a more effective partnership with the business and drive IT's value to the organization.

Photo of Become a Transformational CIO

Become a Transformational CIO

Collaborate with the business to lead transformation and leave behind a legacy of growth.

Appendix: Framework

Content:

  • Adaptation of DiSC profile assessment
  • DiSC Profile Assessment
  • FIRO-B Framework
  • Experience Cube

Info-Tech's Adaption of DiSC Assessment

A diagram of business archetypes

Info-Tech's Business Archetypes was created based on our analysis of the DiSC Profile and Myers-Briggs FIRO-B personality assessment tools that are focused on assessing interpersonal traits to better understand personalities.

The adaptation is due in part to Info-Tech's focus on not designing a personality assessment tool as this is neither the intent nor the expertise of our services. Instead, the primary purpose of this adaptation is to create a simple framework for our members to base their observations of behavioral cues to identify appropriate communication styles to better interact with key stakeholders.

Cautionary note:
Business archetypes are personas and should not be used to label, make assumptions and/or any other biased judgements about individual personalities. Every individual has all elements and aspects of traits across various spectrums. This must always remain at the forefront when utilizing any type of personality assessments or frameworks.

Click here to learn about DiSC Profile
Click here learn about FIRO-B
Click here learn about Experience Cube

DiSC Profile Assessment

A photo of DiSC Profile Assessment

What is DiSC?

DisC® is a personal assessment tool that was originally developed in 1928 by psychologist William Moulton Marston, who designed it to predict job performance. The tool has evolved and is now widely used by thousands of organizations around the world, from large government agencies and Fortune 500 companies to nonprofit and small businesses, to help improve teamwork, communication, and productivity in the workplace. The tool provides a common language people can use to better understand themselves and those they interact with - and use this knowledge to reduce conflict and improve working relationships.

What does DiSC mean?

DiSC is an acronym that stands for the four main personality profiles described in the Everything DiSC model: (D)ominance, (i)nfluence, (S)teadiness, (C)onscientiousness

People with (D) personalities tend to be confident and emphasize accomplishing bottom-line results.
People with (i) personalities tend to be more open and emphasize relationships and influencing or persuading others.
People with (S) personalities tend to be dependable and emphasize cooperation and sincerity.
People with (C) personalities tend to emphasize quality, accuracy, expertise, and competency.

Go to this link to explore the DiSC styles

FIRO-B® – Interpersonal Assessment

A diagram of FIRO framework

What is FIRO workplace relations?

The Fundamental Interpersonal Relations Orientation Behavior (FIRO-B®) tool has been around for forty years. The tool assesses your interpersonal needs and the impact of your behavior in the workplace. The framework reveals how individuals can shape and adapt their individual behaviors, influence others effectively, and build trust among colleagues. It has been an excellent resource for coaching individuals and teams about the underlying drivers behind their interactions with others to effectively build successful working relationships.

What does the FIRO framework measure?

The FIRO framework addresses five key questions that revolve around three interpersonal needs. Fundamentally, the framework focuses on how you want to express yourself toward others and how you want others to behave toward you. This interaction will ultimately result in the universal needs for (a) inclusion, (b) control, and (c) affection. The insights from the results are intended to help individuals adjust their behavior in relationships to get what they need while also building trust with others. This will allow you to better predict and adapt to different situations in the workplace.

How can FIRO influence individual and team performance in the workplace?

FIRO helps people recognize where they may be giving out mixed messages and prompts them to adapt their exhibited behaviors to build trust in their relationships. It also reveals ways of improving relationships by showing individuals how they are seen by others, and how this external view may differ from how they see themselves. Using this lens empowers people to adjust their behavior, enabling them to effectively influence others to achieve high performance.

In team settings, it is a rich source of information to explore motivations, underlying tensions, inconsistent behaviors, and the mixed messages that can lead to mistrust and derailment. It demonstrates how people may approach teamwork differently and explains the potential for inefficiencies and delays in delivery. Through the concept of behavioral flexibility, it helps defuse cultural stereotypes and streamline cross-cultural teams within organizations.

Go to this link to explore FIRO-B for Business

Experience Cube

A diagram of experience cube model.

What is an experience cube?

The Experience Cube model was developed by Gervase Bushe, a professor of Leadership and Organization at the Simon Fraser University's school of Business and a thought leader in the field of organizational behavior. The experience cube is intended as a tool to plan and manage conversations to communicate more effectively in the moment. It does this by promoting self-awareness to better reduce anxiety and adapt to evolving and uncertain situations.

How does the experience cube work?

Using the four elements of the experience cube (Observations, Thoughts, Feelings, and Wants) helps you to separate your experience with the situation from your potential judgements about the situation. This approach removes blame and minimizes defensiveness, facilitating a positive discussion. The goal is to engage in a continuous internal feedback loop that allows you to walk through all four quadrants in the moment to help promote self-awareness. With heightened self-awareness, you may (1) remain curious and ask questions, (2) check-in for understanding and clarification, and (3) build consensus through agreement on shared purpose and next steps.

Observations: Sensory data (information you take in through your senses), primarily what you see and hear. What a video camera would record.

Thoughts: The meaning you add to your observations (i.e. the way you make sense of them, including your beliefs, expectations, assumptions, judgments, values, and principles). We call this the "story you make up."

Feelings: Your emotional or physiological response to the thoughts and observations. Feelings words such as sad, mad, glad, scared, or a description of what is happening in your body.

Wants: Clear description of the outcome you seek. Wants go deeper than a simple request for action. Once you clearly state what you want, there may be different ways to achieve it.

Go to this link to explore more: Experience Cube

Research Contributors and Experts

Photo of Joanne Lee
Joanne Lee
Principal, Research Director, CIO Advisory
Info-Tech Research Group

Joanne is a professional executive with over twenty-five years of experience in digital technology and management consulting spanning healthcare, government, municipal, and commercial sectors across Canada and globally. She has successfully led several large, complex digital and business transformation programs. A consummate strategist, her expertise spans digital and technology strategy, organizational redesign, large complex digital and business transformation, governance, process redesign, and PPM. Prior to joining Info-Tech Research Group, Joanne was a Director with KPMG's CIO Advisory management consulting services and the Digital Health practice lead for Western Canada. She brings a practical and evidence-based approach to complex problems enabled by technology.

Joanne holds a Master's degree in Business and Health Policy from the University of Toronto and a Bachelor of Science (Nursing) from the University of British Columbia.



Photo of Gord Harrison
Gord Harrison
Senior Vice President, Research and Advisory
Info-Tech Research Group

Gord Harrison, SVP, Research and Consulting, has been with Info-Tech Research Group since 2002. In that time, Gord leveraged his experience as the company's CIO, VP Research Operations, and SVP Research to bring the consulting and research teams together under his current role, and to further develop Info-Tech's practical, tactical, and value-oriented research product to the benefit of both organizations.

Prior to Info-Tech, Gord was an IT consultant for many years with a focus on business analysis, software development, technical architecture, and project management. His background of educational game software development, and later, insurance industry application development gave him a well-rounded foundation in many IT topics. Gord prides himself on bringing order out of chaos and his customer-first, early value agile philosophy keeps him focused on delivering exceptional experiences to our customers.



Photo of Angela Diop
Angela Diop
Senior Director, Executive Services
Info-Tech Research Group

Angela has over twenty-five years of experience in healthcare, as both a healthcare provider and IT professional. She has spent over fifteen years leading technology departments and implementing, integrating, managing, and optimizing patient-facing and clinical information systems. She believes that a key to a healthcare organization's ability to optimize health information systems and infrastructure is to break the silos that exist in healthcare organizations.

Prior to joining Info-Tech, Angela was the Vice President of Information Services with Unity Health Care. She has demonstrated leadership and success in this area by fostering environments where business and IT collaborate to create systems and governance that are critical to providing patient care and sustaining organizational health.

Angela has a Bachelor of Science in Systems Engineering and Design from the University of Illinois and a Doctorate of Naturopathic Medicine from Bastyr University. She is a Certified CIO with the College of Healthcare Information Management Executives. She is a two-time Health Information Systems Society (HIMSS) Davies winner.



Photo of Edison Barreto
Edison Barreto
Senior Director, Executive Services
Info-Tech Research Group

Edison is a dynamic technology leader with experience growing different enterprises and changing IT through creating fast-paced organizations with cultural, modernization, and digital transformation initiatives. He is well versed in creating IT and business cross-functional leadership teams to align business goals with IT modernization and revenue growth. Over twenty-five years of Gaming, Hospitality, Retail, and F&B experience has given him a unique perspective on guiding and coaching the creation of IT department roadmaps to focus on business needs and execute successful changes.

Edison has broad business sector experience, including:
Hospitality, Gaming, Sports and Entertainment, IT policy and oversight, IT modernization, Cloud first programs, R&D, PCI, GRDP, Regulatory oversight, Mergers acquisitions and divestitures.



Photo of Mike Tweedie
Mike Tweedie
Practice Lead, CIO Strategy
Info-Tech Research Group

Michael Tweedie is the Practice Lead, CIO – IT Strategy at Info-Tech Research Group, specializing in creating and delivering client-driven, project-based, practical research, and advisory. He brings more than twenty-five years of experience in technology and IT services as well as success in large enterprise digital transformations.

Prior to joining Info-Tech, Mike was responsible for technology at ADP Canada. In that role, Mike led several large transformation projects that covered core infrastructure, applications, and services and worked closely with and aligned vendors and partners. The results were seamless and transparent migrations to current services, like public cloud, and a completely revamped end-user landscape that allowed for and supported a fully remote workforce.

Prior to ADP, Mike was the North American Head of Engineering and Service Offerings for a large French IT services firm, with a focus on cloud adoption and complex ERP deployment and management; he managed large, diverse global teams and had responsibilities for end-to-end P&L management.

Mike holds a Bachelor's degree in Architecture from Ryerson University.



Photo of Carlene McCubbin
Carlene McCubbin
Practice Lead, People and Leadership
Info-Tech Research Group

Carlene McCubbin is a Research Lead for the CIO Advisory Practice at Info-Tech Research Group covering key topics in operating models & design, governance, and human capital development.

During her tenure at Info-Tech, Carlene has led the development of Info-Tech's Organization and Leadership practice and worked with multiple clients to leverage the methodologies by creating custom programs to fit each organization's needs.

Before joining Info-Tech, Carlene received her Master of Communications Management from McGill University, where she studied development of internal and external communications, government relations, and change management. Her education honed her abilities in rigorous research, data analysis, writing, and understanding the organization holistically, which has served her well in the business IT world.



Photo of Anubhav Sharma
Anubhav Sharma
Research Director, CIO Strategy
Info-Tech Research Group

Anubhav is a digital strategy and execution professional with extensive experience in leading large-scale transformation mandates for organizations both in North America and globally, including defining digital strategies for leading banks and spearheading a large-scale transformation project for a global logistics pioneer across ten countries. Prior to joining Info-Tech Research Group, he held several industry and consulting positions in Fortune 500 companies driving their business and technology strategies. In 2023, he was recognized as a "Top 50 Digital Innovator in Banking" by industry peers.

Anubhav holds an MBA in Strategy from HEC Paris, a Master's degree in Finance from IIT-Delhi, and a Bachelor's degree in Engineering.



Photo of Kim Osborne-Rodriguez
Kim Osborne-Rodriguez
Research Director, CIO Strategy
Info-Tech Research Group

Kim is a professional engineer and Registered Communications Distribution Designer (RCDD) with over a decade of experience in management and engineering consulting spanning healthcare, higher education, and commercial sectors. She has worked on some of the largest hospital construction projects in Canada, from early visioning and IT strategy through to design, specifications, and construction administration. She brings a practical and evidence-based approach to digital transformation, with a track record of supporting successful implementations.

Kim holds a Bachelor's degree in Mechatronics Engineering from University of Waterloo.



Photo of Amanda Mathieson
Amanda Mathieson
Research Director, People and Leadership
Info-Tech Research Group

Amanda joined Info-Tech Research Group in 2019 and brings twenty years of expertise working in Canada, the US, and globally. Her expertise in leadership development, organizational change management, and performance and talent management comes from her experience in various industries spanning pharmaceutical, retail insurance, and financial services. She takes a practical, experiential approach to people and leadership development that is grounded in adult learning methodologies and leadership theory. She is passionate about identifying and developing potential talent, as well as ensuring the success of leaders as they transition into more senior roles.

Amanda has a Bachelor of Commerce degree and Master of Arts in Organization and Leadership Development from Fielding Graduate University, as well as a post-graduate diploma in Adult Learning Methodologies from St. Francis Xavier University. She also has certifications in Emotional Intelligence – EQ-i 2.0 & 360, Prosci ADKAR® Change Management, and Myers-Briggs Type Indicator Step I and II.

Bibliography

Bacey, Christopher. "KPMG/Harvey Nash CIO Survey finds most organizations lack enterprise-wide digital strategy." Harvey Nash/KPMG CIO Survey. Accessed Jan. 6, 2023. KPMG News Perspective - KPMG.us.com

Calvert, Wu-Pong Susanna. "The Importance of Rapport. Five tips for creating conversational reciprocity." Psychology Today Magazine. June 30, 2022. Accessed Feb. 10, 2023. psychologytoday.com/blog

Coaches Council. "14 Ways to Build More Meaningful Professional Relationships." Forbes Magazine. September 16, 2020. Accessed Feb. 20, 2023. forbes.com/forbescoachescouncil

Council members. "How to Build Authentic Business Relationships." Forbes Magazine. June 15, 2021. Accessed Jan. 15, 2023. Forbes.com/business council

Deloitte. "Chief Information Officer (CIO) Labs. Transform and advance the role of the CIO." The CIO program. Accessed Feb. 5, 2021.

Dharsarathy, Anusha et al. "The CIO challenge: Modern business needs a new kind of tech leader." McKinsey and Company. January 27, 2020. Accessed Feb 2023. Mckinsey.com

DiSC profile. "What is DiSC?" DiSC Profile Website. Accessed Feb. 5, 2023. discprofile.com

FIRO Assessment. "Better working relationships". Myers Brigg Website. Resource document downloaded Feb. 10, 2023. myersbriggs.com/article

Fripp, Patricia. "Frippicisms." Website. Accessed Feb. 25, 2023. fripp.com

Grossman, Rhys. "The Rise of the Chief Digital Officer." Russell Reynolds Insights, January 1, 2012. Accessed Jan. 5, 2023. Rise of the Chief Digital Officer - russellreynolds.com

Kambil, Ajit. "Influencing stakeholders: Persuade, trade, or compel." Deloitte Article. August 9, 2017. Accessed Feb. 19, 2023. www2.deloitte.com/insights

Kambil, Ajit. "Navigating the C-suite: Managing Stakeholder Relationships." Deloitte Article. March 8, 2017. Accessed Feb. 19, 2023. www2.deloitte.com/insights

Korn Ferry. "Age and tenure in the C-suite." Kornferry.com. Accessed Jan. 6, 2023. Korn Ferry Study Reveals Trends by Title and Industry

Kumthekar, Uday. "Communication Channels in Project". Linkedin.com, 3 March 2020. Accessed April 27, 2023. Linkedin.com/Pulse/Communication Channels

McWilliams, Allison. "Why You Need Effective Relationships at Work." Psychology Today Magazine. May 5, 2022. Accessed Feb. 11, 2023. psychologytoday.com/blog

McKinsey & Company. "Why do most transformations fail? A conversation with Harry Robinson." Transformation Practice. July 2019. Accessed Jan. 10, 2023. Mckinsey.com

Mind Tools Content Team. "Building Good Work Relationships." MindTools Article. Accessed Feb. 11, 2023. mindtools.com/building good work relationships

Pratt, Mary. "Why the CIO-CFO relationship is key to digital success." TechTarget Magazine. November 11, 2021. Accessed Feb. 2023. Techtarget.com

LaMountain, Dennis. "Quote of the Week: No Involvement, No Commitment". Linkedin.com, 3 April 2016. Accessed April 27, 2023. Linkedin.com/pulse/quote-week-involvement

PwC Pulse Survey. "Managing Business Risks". PwC Library. 2022. Accessed Jan. 30, 2023. pwc.com/pulse-survey

Rowell, Darin. "3 Traits of a Strong Professional Relationship." Harvard Business Review. August 8, 2019. Accessed Feb. 20, 2023. hbr.org/2019/Traits of a strong professional relationship

Sinek, Simon. "The Optimism Company from Simon Sinek." Website. Image Source. Accessed, Feb. 21, 2023. simonsinek.com

Sinek, Simon. "There are only two ways to influence human behavior: you can manipulate it or you can inspire it." Twitter. Dec 9, 2022. Accessed Feb. 20, 2023. twitter.com/simonsinek

Whitbourne, Susan Krauss. "10 Ways to Measure the Health of Relationship." Psychology Today Magazine. Aug. 7, 2021. Accessed Jan. 30, 2023. psychologytoday.com/blog

Generative AI: Market Primer

  • Buy Link or Shortcode: {j2store}349|cart{/j2store}
  • member rating overall impact: N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • Parent Category Name: Data Management
  • Parent Category Link: /data-management
  • Much of the organization remains in the dark for understanding what Gen AI is, complicated by ambiguous branding from vendors claiming to provide Gen AI solutions.
  • Searching the market for a Gen AI platform is nearly impossible, owing to the sheer number of vendors.
  • The evaluative criteria for selecting a Gen AI platform are unclear.

Our Advice

Critical Insight

  • You cannot rush Gen AI selection and implementation. Organizations with (1) FTEs devoted to making Gen AI work (including developers and business intelligence analysts), (2) trustworthy and regularly updated data, and (3) AI governance are just now reaching PoC testing.
  • Gen AI is not a software category – it is an umbrella concept. Gen AI platforms will be built on different foundational models, be trained in different ways, and provide varying modalities. Do not expect Gen AI platforms to be compared against the same parameters in a vendor quadrant.
  • Bad data is the tip of the iceberg for Gen AI risks. While Gen AI success will be heavily reliant on the quality of data it is fine-tuned on, there are independent risks organizations must prepare for, from Gen AI hallucinations and output reliability to infrastructure feasibility and handling high-volume events.
  • Prepare for ongoing instability in the Gen AI market. If your organization is unsure about where to start with Gen AI, the secure route is to examine what your enterprise providers are offering. Use this as a learning platform to confidently navigate which specialized Gen AI provider will be viable for meeting your use cases.

Impact and Result

  • Consensus on Gen AI scope and key Gen AI capabilities
  • Identification of your readiness to leverage Gen AI applications
  • Agreement on Gen AI evaluative criteria
  • Knowledge of vendor viability

Generative AI: Market Primer Research & Tools

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Generative AI: Market Primer – Contextualize the marketspace and prepare for generative AI selection.

Use Info-Tech’s best practices for setting out a selection roadmap and evaluative criteria for narrowing down vendors – both enterprise and specialized providers.

  • Generative AI: Market Primer Storyboard
  • Data Governance Policy
  • AI Governance Storyboard
  • AI Architecture Assessment and Project Planning Tool
  • AI Architecture Assessment and Project Planning Tool – Sample
  • AI Architecture Templates
[infographic]

Further reading

Generative AI: Market Primer

Cut through Gen AI buzzwords to achieve market clarity.

Analyst Perspective

The generative AI (Gen AI) marketspace is complex, nascent, and unstable.

Organizations need to get clear on what Gen AI is, its infrastructural components, and the governance required for successful platform selection.

Thomas Randall

The urge to be fast-moving to leverage the potential benefits of Gen AI is understandable. There are plenty of opportunities for Gen AI to enrich an organization’s use cases – from commercial to R&D to entertainment. However, there are requisites an organization needs to get right before Gen AI can be effectively applied. Part of this is ensuring data and AI governance is well established and mature within the organization. The other part is contextualizing Gen AI to know what components of this market the organization needs to invest in.

Owing to its popularity surge, OpenAI’s ChatGPT has become near synonymous with Gen AI. However, Gen AI is an umbrella concept that encompasses a variety of infrastructural architecture. Organizations need to ask themselves probing questions if they are looking to work with OpenAI: Does ChatGPT rest on the right foundational model for us? Does ChatGPT offer the right modalities to support our organization’s use cases? How much fine-tuning and prompt engineering will we need to perform? Do we require investment in on-premises infrastructure to support significant data processing and high-volume events? And do we require FTEs to enable all this infrastructure?

Use this market primer to quickly get up to speed on the elements your organization might need to make the most of Gen AI.

Thomas Randall

Advisory Director, Info-Tech Research Group

Executive Summary

Your Challenge

  • Much of the organization remains in the dark for understanding what Gen AI is, complicated by ambiguous branding from vendors claiming to provide Gen AI solutions.
  • Searching the market for a Gen AI platform is near impossible, owing to the sheer number of vendors.
  • The evaluative criteria for selecting a Gen AI platform is unclear.

Common Obstacles

  • Data governance is immature within the organization. There is no source of truth or regularly updated organizational process assets.
  • AI functionality is not well understood within the organization; there is little AI governance for monitoring and controlling its use.
  • The extent of effort and resources required to make Gen AI a success remains murky.

Info-Tech's Solution

This market primer for Gen AI will help you:

  1. Contextualize the Gen AI market: Learn what components of Gen AI an organization should consider to make Gen AI a success.
  2. Prepare for Gen AI selection: Use Info-Tech’s best practices for setting out a selection roadmap and evaluative criteria for narrowing down vendors – both enterprise and specialized providers.

“We are entering the era of generative AI.
This is a unique time in our history where the benefits of AI are easily accessible and becoming pervasive with co-pilots emerging in the major business tools we use today. The disruptive capabilities that can potentially drive dramatic benefits also introduces risks that need to be planned for.”

Bill Wong, Principal Research Director – Data and BI, Info-Tech Research Group

Who benefits from this project?

This research is designed for:

  • Senior IT, developers, data staff, and project managers who:
    • Have received a mandate from their executives to begin researching the Gen AI market.
    • Need to quickly get up to speed on the state of the Gen AI market, given no deep prior knowledge of the space.
    • Require an overview of the different components to Gen AI to contextualize how vendor comparisons and selections can be made.
    • Want to gain an understanding of key trends, risks, and evaluative criteria to consider in their selection process.

This research will help you:

  • Articulate the potential business value of Gen AI to your organization.
  • Establish which high-value use cases could be enriched by Gen AI functionality.
  • Assess vendor viability for enterprise and specialized software providers in the Gen AI marketspace.
  • Collect information on the prerequisites for implementing Gen AI functionality.
  • Develop relevant evaluative criteria to assist differentiating between shortlisted contenders.

This research will also assist:

  • Executives, business analysts, and procurement teams who are stakeholders in:
    • Contextualizing the landscape for learning opportunities.
    • Gathering and documenting requirements.
    • Building deliverables for software selection projects.
    • Managing vendors, especially managing the relationships with incumbent enterprise software providers.

This research will help you:

  • Identify examples of how Gen AI applications could be leveraged for your organization’s core use cases.
  • Verify the extent of Gen AI functionality an incumbent enterprise provider has.
  • Validate accuracy of Gen AI language and architecture referenced in project deliverables.

Insight Summary

You cannot speedrun Gen AI selection and implementation.

Organizations with (1) FTEs devoted to making Gen AI work (including developers and business intelligence analysts), (2) trustworthy and regularly updated data, and (3) AI governance are just now reaching PoC testing.

Gen AI is not a software category – it is an umbrella concept.

Gen AI platforms will be built on different foundational models, be trained in different ways, and provide varying modalities. Do not expect to compare Gen AI platforms to the same parameters in a vendor quadrant.

Bad data is the tip of the iceberg for Gen AI risks.

While Gen AI success will be heavily reliant on the quality of data it is fine-tuned on, there are independent risks organizations must prepare for: from Gen AI hallucinations and output reliability to infrastructure feasibility to handle high-volume events.

Gen AI use may require changes to sales incentives.

If you plan to use Gen AI in a commercial setting, review your sales team’s KPIs. They are rewarded for sales velocity; if they are the human-in-the-loop to check for hallucinations, you must change incentives to ensure quality management.

Prepare for ongoing instability in the Gen AI market.

If your organization is unsure about where to start with Gen AI, the secure route is to examine what your enterprise providers are offering. Use this as a learning platform to confidently navigate which specialized Gen AI provider will be viable for meeting your use cases.

Brace for a potential return of on-premises infrastructure to power Gen AI.

The market trend has been for organizations to move to cloud-based products. Yet, for Gen AI, effective data processing and fine-tuning may call for organizations to invest in on-premises infrastructure (such as more GPUs) to enable their Gen AI to function effectively.

Info-Tech’s methodology for understanding the Gen AI marketspace

Phase Steps

1. Contextualize the Gen AI marketplace

  1. Define Gen AI and its components.
  2. Explore Gen AI trends.
  3. Begin deriving Gen AI initiatives that align with business capabilities.

2. Prepare for and understand Gen AI platform offerings

  1. Review Gen AI selection best practices and requisites for effective procurement.
  2. Determine evaluative criteria for Gen AI solutions.
  3. Explore Gen AI offerings with enterprise and specialized providers.
Phase Outcomes
  1. Achieve consensus on Gen AI scope and key Gen AI capabilities.
  2. Identify your readiness to leverage Gen AI applications.
  3. Hand off to Build Your Generative AI Roadmap to complete pre-requisites for selection.
  1. Determine whether deeper data and AI governance is required; if so, hand off to Create an Architecture for AI.
  2. Gain consensus on Gen AI evaluative criteria.
  3. Understand vendor viability.

Guided Implementation

Phase 1

Phase 2

  • Call #1: Discover if Gen AI is right for your organization. Understand what a Gen AI platform is and discover the art of the possible.
  • Call #2: To take advantage of Gen AI, perform a business capabilities analysis to begin deriving Gen AI initiatives.
  • Call #3: Explore whether Gen AI initiatives can be achieved either with incumbent enterprise players or via procurement of specialized solutions.
  • Call #4: Evaluate vendors and perform final due diligence.

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

The Gen AI market evaluation process should be broken into segments:

  1. Gen AI market education with this primer
  2. Structured approach to selection
  3. Evaluation and final due diligence

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful"

Guided Implementation

"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

Workshop

"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

Consulting

"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

Diagnostics and consistent frameworks are used throughout all four options.

Software selection engagement

Five advisory calls over a five-week period to accelerate your selection process

  • Receive expert analyst guidance over five weeks (on average) to select and negotiate software.
  • Save money, align stakeholders, speed up the process, and make better decisions.
  • Use a repeatable, formal methodology to improve your application selection process.
  • Get better, faster results guaranteed, included in membership.
Software selection process timeline. Week 1: Awareness - 1 hour call, Week 2: Education & Discovery - 1 hour call, Week 3: Evaluation - 1 hour call, Week 4: Selection - 1 hour call, Week 5: Negotiation & Configuration - 1 hour call.

Click here to book your selection engagement.

Software selection workshops

40 hours of advisory assistance delivered online.

Select better software, faster.

  • 40 hours of expert analyst guidance
  • Project and stakeholder management assistance
  • Save money, align stakeholders, speed up the process, and make better decisions
  • Better, faster results guaranteed; 25K standard engagement fee
Software selection process timeline. Week 1: Awareness - 5 hours of Assistance, Week 2: Education & Discovery - 10 hours of assistance, Week 3: Evaluation - 10 hours of assistance, Week 4: Selection - 10 hours of assistance, Week 5: Negotiation & Configuration - 10 hours of assistance.

Click here to book your workshop engagement.

The latest burning platform: Exit Plans in a shifting world

  • Large vertical image:
  • member rating overall impact: N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A

The current global situation, marked by significant trade tensions and retaliatory measures between major economic powers, has elevated the importance of more detailed, robust, and executable exit plans for businesses in nearly all industries. The current geopolitical headwinds create an unpredictable environment that can severely impact supply chains, technology partnerships, and overall business operations. What was once a prudent measure is now a critical necessity – a “burning platform” – for ensuring business continuity and resilience.

Here I will delve deeper into the essential components of an effective exit plan, outline the practical steps for its implementation, and explain the crucial role of testing in validating its readiness.

exit plan

Continue reading

Tame the Project Backlog

  • Buy Link or Shortcode: {j2store}439|cart{/j2store}
  • member rating overall impact: N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • Parent Category Name: Portfolio Management
  • Parent Category Link: /portfolio-management
  • Unmanaged project backlogs can become the bane of IT departments, tying IT leaders and PMO staff down to an ever-growing receptacle of project ideas that provides little by way of strategic value and that typically represents a lack of project intake and approval discipline.
  • Decision makers frequently use the backlog to keep the peace. Lacking the time to assess the bulk of requests, or simply wanting to avoid difficult conversations with stakeholders, they “approve” everything and leave it to IT to figure it out.
  • As IT has increasing difficulty assessing – let alone starting – any of the projects in the backlog, stakeholder relations suffer. Requestors view inclusion in the backlog as a euphemism for “declined,” and often characterize the backlog as the place where good project ideas go to die.
  • Faced with these challenges, you need to make your project backlog more useful and reliable. The backlog may contain projects worth doing, but in its current untamed state, you have difficulty discerning, let alone capitalizing upon, those instances of value.

Our Advice

Critical Insight

  • Project backlogs are an investment and need to be treated as such. Incurring a cost impact that can be measured in terms of time and money, the backlog needs to be actively managed to ensure that you’re investing wisely and getting a good return in terms of strategic value and project throughput.
  • Unmanageable project backlogs are rooted in bad habits and poorly-defined processes. Identifying the sources that fuel backlog growth is key to long-term success. Unless the problem is addressed at the root, any gains made in the near-term will simply fade away as old, unhealthy habits re-emerge and take hold.
  • Backlog management should facilitate executive awareness about the status of backlog items as new work is being approved. In the long run, this ongoing executive engagement will not only help to keep the backlog manageable, but it will also help to bring more even workloads to IT project staff.

Impact and Result

  • Keep the best, forget the rest. Develop a near-term approach to limit the role of the backlog to include only those items that add value to the business.
  • Shine a light. Improve executive visibility into the health and status of the backlog so that the backlog is taken into account when decision makers approve new work.
  • Evolve the organizational culture. Effectively employ organizational change management practices to evolve the culture that currently exists around the project backlog in order to ensure customer-service needs are more effectively addressed.
  • Ensure long-term sustainability. Institute processes to make sure that your list of pending projects – should you still require one after implementing this blueprint – remains minimal, maintainable, and of high value.

Tame the Project Backlog Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out how a more disciplined approach to managing your project backlog can help you realize increased value and project throughput.

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Create a project backlog battle plan

Calculate the cost of the project backlog and assess the root causes of its unmanageability.

  • Tame the Project Backlog – Phase 1: Create a Backlog Battle Plan
  • Project Backlog ROI Calculator

2. Execute a near-term backlog cleanse

Increase the manageability of the backlog by updating stale requests and removing dead weight.

  • Tame the Project Backlog – Phase 2: Execute a Near-Term Backlog Cleanse
  • Project Backlog Management Tool
  • Project Backlog Stakeholder Communications Template

3. Ensure long-term backlog manageability

Develop and maintain a manageable backlog growth rate by establishing disciplined backlog management processes.

  • Tame the Project Backlog – Phase 3: Ensure Long-Term Backlog Manageability
  • Project Backlog Operating Plan Template
  • Project Backlog Manager
[infographic]

Workshop: Tame the Project Backlog

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

1 Create a Project Backlog Battle Plan

The Purpose

Gauge the manageability of your project backlog in its current state.

Calculate the total cost of your project backlog investments.

Determine the root causes that contribute to the unmanageability of your project backlog.

Key Benefits Achieved

An understanding of the organizational need for more disciplined backlog management.

Visibility into the costs incurred by the project backlog.

An awareness of the sources that feed the growth of the project backlog and make it a challenge to maintain.

Activities

1.1 Calculate the sunk and marginal costs that have gone into your project backlog.

1.2 Estimate the throughput of backlog items.

1.3 Survey the root causes of your project backlog.

Outputs

The total estimated cost of the project backlog.

A project backlog return-on-investment score.

A project backlog root cause analysis.

2 Execute a Near-Term Project Backlog Cleanse

The Purpose

Identify the most organizationally appropriate goals for your backlog cleanse.

Pinpoint those items that warrant immediate removal from the backlog and establish a game plan for putting a bullet in them.

Communicate backlog decisions with stakeholders in a way that minimizes friction and resistance. 

Key Benefits Achieved

An effective, achievable, and organizationally right-sized approach to cleansing the backlog.

Criteria for cleanse outcomes and a protocol for carrying out the near-term cleanse.

A project sponsor outreach plan to help ensure that decisions made during your near-term cleanse stick. 

Activities

2.1 Establish roles and responsibilities for the near-term cleanse.

2.2 Determine cleanse scope.

2.3 Develop backlog prioritization criteria.

2.4 Prepare a communication strategy.

Outputs

Clear accountabilities to ensure the backlog is effectively minimized and outcomes are communicated effectively.

Clearly defined and achievable goals.

Effective criteria for cleansing the backlog of zombie projects and maintaining projects that are of strategic and operational value.

A communication strategy to minimize stakeholder friction and resistance.

3 Ensure Long-Term Project Backlog Manageability

The Purpose

Ensure ongoing backlog manageability.

Make sure the executive layer is aware of the ongoing status of the backlog when making project decisions.

Customize a best-practice toolkit to help keep the project backlog useful. 

Key Benefits Achieved

A list of pending projects that is minimal, maintainable, and of high value.

Executive engagement with the backlog to ensure intake and approval decisions are made with a view of the backlog in mind.

A backlog management tool and processes for ongoing manageability. 

Activities

3.1 Develop a project backlog management operating model.

3.2 Configure a project backlog management solution.

3.3 Assign roles and responsibilities for your long-term project backlog management processes.

3.4 Customize a project backlog management operating plan.

Outputs

An operating model to structure your long-term strategy around.

A right-sized management tool to help enable your processes and executive visibility into the backlog.

Defined accountabilities for executing project backlog management responsibilities.

Clearly established processes for how items get in and out of the backlog, as well as for ongoing backlog review.

Implement a Social Media Program

  • Buy Link or Shortcode: {j2store}560|cart{/j2store}
  • member rating overall impact: N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • Parent Category Name: Marketing Solutions
  • Parent Category Link: /marketing-solutions
  • IT is being caught in the middle of various business units, all separately attempting to create, staff, implement, and instrument a social media program.
  • Requests for procuring social media tools and integrating with CRM systems are coming from all directions, with no central authority governing a social media program or coordinating business goals.
  • Public Relations and Corporate Communications groups have been acting as the first level of response to social media channels since the company’s first Twitter account went live, but the volume of inquiries received through social channels has become too great for these groups to continue in a first responder role.

Our Advice

Critical Insight

  • Social media immaturity is an opportunity for IT leadership. As with so many of the “next new things,” IT has an opportunity to help the business understand social media technologies, trends, and risks, and coordinate efforts to approach social media as a united company.
  • Social media maturity must reach the Social Media Steering Committee stage before major investments in technology can proceed. As with all business initiatives, technology automation decisions cannot be made without respect to organizational and process maturity. Social media strategy stakeholders must join together and form a steering committee to create policies and procedures, govern strategy, develop workflows, and facilitate technology selection processes. IT not only belongs on such a steering committee, but it can also be instrumental in the formation of it.
  • Info-Tech’s research repeatedly indicates that the greatest return from social media investments is in the customer service domain, by reacting to incoming social inquiries and proactively listening to social conversations for product and service inquiry opportunities. This means CRM integration is essential to long-term social media program success.

Impact and Result

  • Assess your organization’s social maturity to know where to begin and where to go in implementation of a social media program.
  • Form a social media steering committee to bring order to chaos among different business units.
  • Develop comprehensive workflows to categorize and prioritize inquiries, and then route them to the appropriate part of the business for resolution.
  • Consider creating one or more physical social media command centers to process large volumes of social inquiries more efficiently and monitor real-time social media metrics to improve critical response times.

Implement a Social Media Program Research & Tools

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Assess your organization's social maturity

Know where to begin and where to go in implementation of a social media program.

  • Storyboard: Implement a Social Media Program
  • Social Media Maturity Assessment Tool

2. Form a social media steering committee

Bring order to chaos among different business units.

  • Social Media Steering Committee Charter Template
  • Social Media Acceptable Use Policy
  • Blogging and Microblogging Guidelines Template

3. Consider creating one or more physical social media command centers

Process large volumes of social inquiries more efficiently, and monitor real-time social media metrics to improve critical response times.

  • Social Media Representative
  • Social Media Manager
[infographic]

Build your service map: What does your company do for your customers?

  • Large vertical image:
  • member rating overall impact: Large Impact
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A

After three decades navigating the complexities of organizational resilience, one truth stands clearer than ever: you cannot truly protect what you do not deeply understand. And for any business, especially in today's dynamic landscape, what you do is ultimately about what you do for your customers. There is something that I see insufficiently matured or missing in many companies: building a comprehensive “service map.”

Think about it. We pour resources into product development, marketing, and sales, yet how often do we collectively pause to articulate, across all departments, exactly what services we provide to our customers? It sounds simple, doesn't it? Yet, the reality is typically a fragmented understanding, siloed information, and a distinct lack of a holistic view, except by a few key people.

Why is this clear view so critical? Because your customers don't interact with your internal departments; they interact with your services. They don't care about your organizational chart; they care about how seamlessly you meet their needs. Without a clear service map, you have blind spots. You miss opportunities for optimization, you introduce friction into customer journeys, and critically, you compromise your ability to recover when things go wrong. Resilience isn't just about bouncing back; it's about understanding what's truly essential to protect your customer relationships.

Let's make this real.


What services do banks offer? It’s far more than just “banking.” They provide:

  • Retail Banking: Current accounts, savings accounts, debit/credit cards, personal loans, mortgages.

  • Investment Services: Wealth management, brokerage, mutual funds, pension products.

  • Business Banking: Corporate loans, treasury services, payroll solutions, trade finance.

  • Digital Services: Online banking platforms, mobile apps, and payment gateways.

  • Advisory Services: Financial planning, retirement planning, and estate planning.

Let's hone in on an often complex offering: a pension savings product where you contribute monthly. This isn't just a “product” on a shelf; it's a living, breathing service with a distinct customer journey.

Imagine the customer journey for this:

  1. Customer Initiates Payment (or Automated Process Triggers): On the designated payment date, a SEPA Direct Debit instruction is initiated, pulling funds from the customer's linked bank account.

  2. Funds Transfer & Clearance: The funds travel through interbank networks, cleared and settled between the customer's bank and the financial institution’s holding accounts.

  3. Internal Reconciliation & Allocation: Upon receipt, the funds are reconciled against the customer's pension account number and allocated to their specific pension product.

  4. Investment Instruction: Based on the product's pre-defined investment strategy (e.g., a balanced fund, equity fund), an instruction is generated to purchase units in the underlying investments.

  5. Market Execution: The instruction is sent to the relevant trading desks or automated systems, which execute the purchase of shares, bonds, or other assets on the stock market at prevailing market prices.

  6. Confirmation & Update: Once the trade is settled, the customer's pension account is updated to reflect the new units purchased and the updated total value, often visible via an online portal or statement.


For every single step in this service, your organization needs robust capabilities to make these steps visible and resilient to all stakeholders who “work around that service.” This isn't just for IT; it's for compliance, operations, customer service, and even marketing.

Let's look at the same for a realtor company specializing in rental properties:

  • Service Map for property owners and landlords:

    • Property Listing & Marketing: Creating professional listings, photography, virtual tours, and advertising on various platforms (online portals, social media, and local networks).

    • Tenant Sourcing & Vetting: Conducting viewings, screening potential tenants (credit checks, employment verification, previous landlord references), and background checks.

    • Lease Agreement Management: Drafting, negotiating, and executing legally compliant rental contracts.

    • Property Maintenance & Repairs Coordination: Arranging routine maintenance, coordinating emergency repairs with vetted contractors, and overseeing work quality.

    • Property Inspections: Conducting periodic property inspections (move-in, routine, move-out) to ensure property condition and compliance with lease terms.

    • Compliance & Legal Guidance: Advising on landlord-tenant laws, health & safety regulations, and handling eviction processes if necessary.

    • Security Deposit Management: Collecting, holding, and returning security deposits in accordance with legal requirements.

  • Services for tenants:

    • Property Search & Matching: Assisting prospective tenants in finding suitable properties based on their needs and budget.

    • Viewing Scheduling: Arranging property viewings and providing access.

    • Application Processing: Guiding tenants through the application process and necessary documentation.

    • Lease Onboarding: Explaining lease terms, facilitating key handover, and conducting move-in inspections.

    • Maintenance Request Handling: A clear process for tenants to report maintenance issues and track resolution.

    • Emergency Support: Providing contact points and procedures for urgent property-related emergencies.

    • Lease Renewal & Move-out Support: Managing lease renewals, providing guidance on move-out procedures, and facilitating security deposit returns.

Many of these will require automated systems. The customer-facing ones even more so. You need to understand the customer journeys for each entry in your service map.

You need:

  • Comprehensive Monitoring & Alerting: Real-time visibility into every step of the journey, flagging anomalies or delays before they become customer-impacting issues. Build monitoring capabilities into the systems and build the operational capability to follow up on alerts and events. There are now products on the market that can do a lot of the heavy lifting for you. Be prepared to open your wallet. This is not cheap. I hear AI already rolling off the tongues: this is not cheap. For smaller service maps and customer journeys, consider using built-in tools and hiring a small team of people that can leverage the next points. For large institutions, let alone manufacturing, automation and continuous testing are key.

  • Centralized Knowledge Management: A single source of truth for service definitions, processes, dependencies, and known issues, accessible to everyone who needs it. No more tribal knowledge. For condensed setups, it can be as simple as a folder on a hard drive that contains your knowledge base articles (aka Word documents that explain the process, how it was set up, what you need to operate it etc.). Most businesses will use some form of knowledge management system that is a bit more sophisticated, perhaps even built-in to the IT Operations Management (ITOM) tooling. It's a shame it's called IT ops tooling, because you can equally use this for business process documentation. Just remember the last bullet below: DR and BCP. Your knowledge system is useless if you cannot get to it!   

  • Robust Development & Operations Processes: Seamless collaboration between development, operations, and business teams to make sure services are built, tested, deployed, and managed efficiently and reliably. It does not really matter if you want to use DevOps, or change/run, or scrum and squads, or anything in between. Pick what works in your culture. Also, it is not one-size-fits-all. Some systems are core and require a more strict regimen; others must be able to turn on a dime. But whatever you use: keep your service and the customer journey through it front and center. Build it so that you have clearly separated “stations” where something is done to fulfill the system. Make the mental analogy with a factory. It will keep each station atomic, so that when the time comes to make changes, you can do so without having to re-invent large parts of the value delivery chain. 

  • End-to-End Security Protocols: Protect sensitive customer data and financial transactions at every touchpoint throughout the journey. I mean, duh. You must. This is non-negotiable. This includes your backups. Large or small company, you must maintain backups. Use the 321 method: 3 copies of your data and setups on 2 different platforms or data storage carriers and 1 offsite. Your backups should include at least 1 immutable copy. That is a copy that cannot be altered. Large firms partner with their hosting companies to include that in the service offering; small companies have cheap options. I use 2 separate backup providers (total cost around €100/month at the time of writing in 2025) and my own disconnected storage carriers. I even use a backup provider and disconnected storage for my family's data (around €25/month).

  • Effective Disaster Recovery (DR) & Business Continuity Planning (BCP) Capabilities: Understanding critical service components, their recovery time objectives (RTOs), and recovery point objectives (RPOs) to ensure rapid restoration of service even after major disruptions. This isn't a theoretical exercise; it needs to be tested and proven. Your expectations also need to be realistic. 

There are more elements to consider when building your service map and the customer journeys when it comes to resilience. Things like performance metrics, scalability, peak usage management, and so on. McKinsey wrote years ago, design for the storm, not the sunny days. That is right, but keep the design within the commercial service parameters. It is equally bad to overbuild to a $5 million system, if your expected revenue is less than $100,000 a year, than it is to use a $10,000 system to support a $5 million revenue stream. (I remember the Excel sheet from hell that actually supported a macro-economist at a large brokerage.) 

Start mapping your services today. Start with what you feel are the most critical ones. You'll uncover inefficiencies, mitigate risks, and strengthen the very foundation of your customer relationships. You may even save some money.

Create a Service Management Roadmap

  • Buy Link or Shortcode: {j2store}394|cart{/j2store}
  • member rating overall impact: 8.9/10 Overall Impact
  • member rating average dollars saved: $71,003 Average $ Saved
  • member rating average days saved: 24 Average Days Saved
  • Parent Category Name: Service Management
  • Parent Category Link: /service-management
  • Inconsistent adoption of holistic practices has led to a chaotic service delivery model that results in poor customer satisfaction.
  • There is little structure, formalization, or standardization in the way IT services are designed and managed, leading to diminishing service quality and low business satisfaction.

Our Advice

Critical Insight

  • Having effective service management practices in place will allow you to pursue activities, such as innovation, and drive the business forward.
  • Addressing foundational elements like business alignment and management practices will enable you to build effective core practices that deliver business value.
  • Providing consistent leadership support and engagement is essential to allow practitioners to focus on delivering expected outcomes.

Impact and Result

  • Understand the foundational and core elements that allow you to build a successful service management practice focused on outcomes.
  • Use Info-Tech’s advice and tools to perform an assessment of your organization’s current state, identify the gaps, and create a roadmap for success.
  • Increase business and customer satisfaction by delivering services focused on creating business value.

Create a Service Management Roadmap Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why many service management maturity projects fail to address foundational and core elements, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Launch the project

Kick-off the project and complete the project charter.

  • Create a Service Management Roadmap – Phase 1: Launch Project
  • Service Management Roadmap Project Charter

2. Assess the current state

Determine the current state for service management practices.

  • Create a Service Management Roadmap – Phase 2: Assess the Current State
  • Service Management Maturity Assessment Tool
  • Organizational Change Management Capability Assessment Tool
  • Service Management Roadmap Presentation Template

3. Build the roadmap

Build your roadmap with identified initiatives.

  • Create a Service Management Roadmap – Phase 3: Identify the Target State

4. Build the communication slide

Create the communication slide that demonstrates how things will change, both short and long term.

  • Create a Service Management Roadmap – Phase 4: Build the Roadmap
[infographic]

Workshop: Create a Service Management Roadmap

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

1 Understand Service Management

The Purpose

Understand service management.

Key Benefits Achieved

Gain a common understanding of service management, the forces that impact your roadmap, and the Info-Tech Service Management Maturity Model.

Activities

1.1 Understand service management.

1.2 Build a compelling vision and mission.

Outputs

Constraints and enablers chart

Service management vision, mission, and values

2 Assess the Current State of Service Management

The Purpose

Assess the organization’s current service management capabilities.

Key Benefits Achieved

Understand attitudes, behaviors, and culture.

Understand governance and process ownership needs.

Understand strengths, weaknesses, opportunities, and threats.

Defined desired state.

Activities

2.1 Assess cultural ABCs.

2.2 Assess governance needs.

2.3 Perform SWOT analysis.

2.4 Define desired state.

Outputs

Cultural improvements action items

Governance action items

SWOT analysis action items

Defined desired state

3 Continue Current-State Assessment

The Purpose

Assess the organization’s current service management capabilities.

Key Benefits Achieved

Understand the current maturity of service management processes.

Understand organizational change management capabilities.

Activities

3.1 Perform service management process maturity assessment.

3.2 Complete OCM capability assessment.

3.3 Identify roadmap themes.

Outputs

Service management process maturity activities

OCM action items

Roadmap themes

4 Build Roadmap and Communication Tool

The Purpose

Use outputs from previous steps to build your roadmap and communication one-pagers.

Key Benefits Achieved

Easy-to-understand roadmap one-pager

Communication one-pager

Activities

4.1 Build roadmap one-pager.

4.2 Build communication one-pager.

Outputs

Service management roadmap

Service management roadmap – Brought to Life communication slide

Further reading

Create a Service Management Roadmap

Implement service management in an order that makes sense.

ANALYST PERSPECTIVE

"More than 80% of the larger enterprises we’ve worked with start out wanting to develop advanced service management practices without having the cultural and organizational basics or foundational practices fully in place. Although you wouldn’t think this would be the case in large enterprises, again and again IT leaders are underestimating the importance of cultural and foundational aspects such as governance, management practices, and understanding business value. You must have these fundamentals right before moving on."

Tony Denford,

Research Director – CIO

Info-Tech Research Group

Our understanding of the problem

This Research Is Designed For:

  • CIO
  • Senior IT Management

This Research Will Help You:

  • Create or maintain service management (SM) practices to ensure user-facing services are delivered seamlessly to business users with minimum interruption.
  • Increase the level of reliability and availability of the services provided to the business and improve the relationship and communication between IT and the business.

This Research Will Also Assist

  • Service Management Process Owners

This Research Will Help Them:

  • Formalize, standardize, and improve the maturity of service management practices.
  • Identify new service management initiatives to move IT to the next level of service management maturity.

Executive summary

Situation

  • Inconsistent adoption of holistic practices has led to a chaotic service delivery model that results in poor customer satisfaction.
  • There is little structure, formalization, or standardization in the way IT services are designed and managed, leading to diminishing service quality and low business satisfaction.

Complication

  • IT organizations want to be seen as strategic partners, but they fail to address the cultural and organizational constraints.
  • Without alignment with the business goals, services often fail to provide the expected value.
  • Traditional service management approaches are not adaptable for new ways of working.

Resolution

  • Follow Info-Tech’s methodology to create a service management roadmap that will help guide the optimization of your IT services and improve IT’s value to the business.
  • The blueprint will help you right-size your roadmap to best suit your specific needs and goals and will provide structure, ownership, and direction for service management.
  • This blueprint allows you to accurately identify the current state of service management at your organization. Customize the roadmap and create a plan to achieve your target service management state.

Info-Tech Insight

Having effective service management practices in place will allow you to pursue activities such as innovation and drive the business forward. Addressing foundational elements like business alignment and management practices will enable you to build effective core practices that deliver business value. Consistent leadership support and engagement is essential to allow practitioners to focus on delivering expected outcomes.

Poor service management manifests in many different pains across the organization

Immaturity in service management will not result in one pain – rather, it will create a chaotic environment for the entire organization, crippling IT’s ability to deliver and perform.

Low Service Management Maturity

These are some of the pains that can be attributed to poor service management practices.

  • Frequent service-impacting incidents
  • Low satisfaction with the service desk
  • High % of failed deployments
  • Frequent change-related incidents
  • Frequent recurring incidents
  • Inability to find root cause
  • No communication with the business
  • Frequent capacity-related incidents

And there are many more…

Mature service management practices are a necessity, not a nice-to-have

Immature service management practices are one of the biggest hurdles preventing IT from reaching its true potential.

In 2004, PwC published a report titled “IT Moves from Cost Center to Business Contributor.” However, the 2014-2015 CSC Global CIO Survey showed that a high percentage of IT is still considered a cost center.

And low maturity of service management practices is inhibiting activities such as agility, DevOps, digitalization, and innovation.

A pie chart is shown that is titled: Where does IT sit? The chart has 3 sections. One section represents IT and the business have a collaborative partnership 28%. The next section represents at 33% where IT has a formal client/service provider relationship with the business. The last section has 39% where IT is considered as a cost center.
Source: CSC Global CIO Survey: 2014-2015 “CIOs Emerge as Disruptive Innovators”

39%: Resources are primarily focused on managing existing IT workloads and keeping the lights on.

31%: Too much time and too many resources are used to handle urgent incidents and problems.

There are many misconceptions about what service management is

Misconception #1: “Service management is a process”

Effective service management is a journey that encompasses a series of initiatives that improves the value of services delivered.

Misconception #2: “Service Management = Service Desk”

Service desk is the foundation, since it is the main end-user touch point, but service management is a set of people and processes required to deliver business-facing services.

Misconception #3: “Service management is about the ITSM tool”

The tool is part of the overall service management program, but the people and processes must be in place before implementing.

Misconception #4: “Service management development is one big initiative”

Service management development is a series of initiatives that takes into account an organization’s current state, maturity, capacities, and objectives.

Misconception #5: “Service management processes can be deployed in any order, assuming good planning and design”

A successful service management program takes into account the dependencies of processes.

Misconception #6: “Service management is resolving incidents and deploying changes”

Service management is about delivering high-value and high-quality services.

Misconception #7: “Service management is not the key determinant of success”

As an organization progresses on the service management journey, its ability to deliver high-value and high-quality services increases.

Misconception #8: “Resolving Incidents = Success”

Preventing incidents is the name of the game.

Misconception #9: “Service Management = Good Firefighter”

Service management is about understanding what’s going on with user-facing services and proactively improving service quality.

Misconception #10: “Service management is about IT and technical services (e.g. servers, network, database)”

Service management is about business/user-facing services and the value the services provide to the business.

Service management projects often don’t succeed because they are focused on process rather than outcomes

Service management projects tend to focus on implementing process without ensuring foundational elements of culture and management practices are strong enough to support the change.

  1. Aligning your service management goals with your organizational objectives leads to better understanding of the expected outcomes.
  2. Understand your customers and what they value, and design your practices to deliver this value.

  3. IT does not know what order is best when implementing new practices or process improvements.
  4. Don't run before you can walk. Fundamental practices must reach the maturity threshold before developing advanced practices. Implement continuous improvement on your existing processes so they continue to support new practices.

  5. IT does not follow best practices when implementing a practice.
  6. Our best-practice research is based on extensive experience working with clients through advisory calls and workshops.

Info-Tech can help you create a customized, low-effort, and high-value service management roadmap that will shore up any gaps, prove IT’s value, and achieve business satisfaction.

Info-Tech’s methodology will help you customize your roadmap so the journey is right for you

With Info-Tech, you will find out where you are, where you want to go, and how you will get there.

With our methodology, you can expect the following:

  • Eliminate or reduce rework due to poor execution.
  • Identify dependencies/prerequisites and ensure practices are deployed in the correct order, at the correct time, and by the right people.
  • Engage all necessary resources to design and implement required processes.
  • Assess current maturity and capabilities and design the roadmap with these factors in mind.

Doing it right the first time around

You will see these benefits at the end

    ✓ Increase the quality of services IT provides to the business.

    ✓ Increase business satisfaction through higher alignment of IT services.

    ✓ Lower cost to design, implement, and manage services.

    ✓ Better resource utilization, including staff, tools, and budget.

Focus on a strong foundation to build higher value service management practices

Info-Tech Insight

Focus on behaviors and expected outcomes before processes.

Foundational elements

  • Operating model facilitates service management goals
  • Culture of service delivery
  • Governance discipline to evaluate, direct, and monitor
  • Management discipline to deliver

Stabilize

  • Deliver stable, reliable IT services to the business
  • Respond to user requests quickly and efficiently
  • Resolve user issues in a timely manner
  • Deploy changes smoothly and successfully

Proactive

  • Avoid/prevent service disruptions
  • Improve quality of service (performance, availability, reliability)

Service Provider

  • Understand business needs
  • Ensure services are available
  • Measure service performance, based on business-oriented metrics

Strategic Partner

  • Fully aligned with business
  • Drive innovation
  • Drive measurable value

Info-Tech Insight

Continued leadership support of the foundational elements will allow delivery teams to provide value to the business. Set the expectation of the desired maturity level and allow teams to innovate.

Follow our model and get to your target state

A model is depicted that shows the various target states. There are 6 levels showing in the example, and the example is made to look like a tree with a character watering it. In the roots, the level is labelled foundational. The trunk is labelled the core. The lowest hanging branches of the tree is the stabilize section. Above it is the proactive section. Nearing the top of the tree is the service provider. The canopy of the tree are labelled strategic partner.

Before moving to advanced service management practices, you must ensure that the foundational and core elements are robust enough to support them. Leadership must nurture these practices to ensure they are sustainable and can support higher value, more mature practices.

Each step along the way, Info-Tech has the tools to help you

Phase 1: Launch the Project

Assemble a team with the right talent and vision to increase the chances of project success.

Phase 2: Assess Current State

Understand where you are currently on the service management journey using the maturity assessment tool.

Phase 3: Build Roadmap

Based on the assessments, build a roadmap to address areas for improvement.

Phase 4: Build Communication slide

Based on the roadmap, define the current state, short- and long-term visions for each major improvement area.

Info-Tech Deliverables:

  • Project Charter
  • Assessment Tools
  • Roadmap Template
  • Communication Template

CIO call to action

Improving the maturity of the organization’s service management practice is a big commitment, and the project can only succeed with active support from senior leadership.

Ideally, the CIO should be the project sponsor, even the project leader. At a minimum, the CIO needs to perform the following activities:

  1. Walk the talk – demonstrate personal commitment to the project and communicate the benefits of the service management journey to IT and the steering committee.
  2. Improving or adopting any new practice is difficult, especially for a project of this size. Thus, the CIO needs to show visible support for this project through internal communication and dedicated resources to help complete this project.

  3. Select a senior, capable, and results-driven project leader.
  4. Most likely, the implementation of this project will be lengthy and technical in some nature. Therefore, the project leader must have a good understanding of the current IT structure, senior standing within the organization, and the relationship and power in place to propel people into action.

  5. Help to define the target future state of IT’s service management.
  6. Determine a realistic target state for the organization based on current capability and resource/budget restraints.

  7. Conduct periodic follow-up meetings to keep track of progress.
  8. Reinforce or re-emphasize the importance of this project to the organization through various communication channels if needed.

Stabilizing your environment is a must before establishing any more-mature processes

CASE STUDY

Industry: Manufacturing

Source: Engagement

Challenge

  • The business landscape was rapidly changing for this manufacturer and they wanted to leverage potential cost savings from cloud-first initiatives and consolidate multiple, self-run service delivery teams that were geographically dispersed.

Solution

Original Plan

  • Consolidate multiple service delivery teams worldwide and implement service portfolio management.

Revised Plan with Service Management Roadmap:

  • Markets around the world had very different needs and there was little understanding of what customers value.
  • There was also no understanding of what services were currently being offered within each geography.

Results

  • Plan was adjusted to understand customer value and services offered.
  • Services were then stabilized and standardized before consolidation.
  • Team also focused on problem maturity and drove a continuous improvement culture and increasing transparency.

MORAL OF THE STORY:

Understanding the value of each service allowed the organization to focus effort on high-return activities rather than continuous fire fighting.

Understand the processes involved in the proactive phase

CASE STUDY

Industry: Manufacturing

Source: Engagement

Challenge

  • Services were fairly stable, but there were significant recurring issues for certain services.
  • The business was not satisfied with the service quality for certain services, due to periodic availability and reliability issues.
  • Customer feedback for the service desk was generally good.

Solution

Original Plan

  • Review all service desk and incident management processes to ensure that service issues were handled in an effective manner.

Revised Plan with Service Management Roadmap:

  • Design and deploy a rigorous problem management process to determine the root cause of recurring issues.
  • Monitor key services for events that may lead to a service outage.

Results

  • Root cause of recurring issues was determined and fixes were deployed to resolve the underlying cause of the issues.
  • Service quality improved dramatically, resulting in high customer satisfaction.

MORAL OF THE STORY:

Make sure that you understand which processes need to be reviewed in order to determine the cause for service instability. Focusing on the proactive processes was the right answer for this company.

Have the right culture and structure in place before you become a service provider

CASE STUDY

Industry: Healthcare

Source:Journal of American Medical Informatics Association

Challenge

  • The IT organization wanted to build a service catalog to demonstrate the value of IT to the business.
  • IT was organized in technology silos and focused on applications, not business services.
  • IT services were not aligned with business activities.
  • Relationships with the business were not well established.

Solution

Original Plan

  • Create and publish a service catalog.

Revised Plan: with Service Management Roadmap:

  • Establish relationships with key stakeholders in the business units.
  • Understand how business activities interface with IT services.
  • Lay the groundwork for the service catalog by defining services from the business perspective.

Results

  • Strong relationships with the business units.
  • Deep understanding of how business activities map to IT services.
  • Service definitions that reflect how the business uses IT services.

MORAL OF THE STORY:

Before you build and publish a service catalog, make sure that you understand how the business is using the IT services that you provide.

Calculate the benefits of using Info-Tech’s methodology

To measure the value of developing your roadmap using the Info-Tech tools and methodology, you must calculate the effort saved by not having to develop the methods.

A. How much time will it take to develop an industry-best roadmap using Info-Tech methodology and tools?

Using Info-Tech’s tools and methodology you can accurately estimate the effort to develop a roadmap using industry-leading research into best practice.

B. What would be the effort to develop the insight, assess your team, and develop the roadmap?

This metric represents the time your team would take to be able to effectively assess themselves and develop a roadmap that will lead to service management excellence.

C. Cost & time saving through Info-Tech’s methodology

Measured Value

Step 1: Assess current state

Cost to assess current state:

  • 5 Directors + 10 Managers x 10 hours at $X an hour = $A

Step 2: Build the roadmap

Cost to create service management roadmap:

  • 5 Directors + 10 Managers x 8 hours at $X an hour = $B

Step 3: Develop the communication slide

Cost to create roadmaps for phases:

  • 5 Directors + 10 Managers x 6 hours at $X an hour = $C

Potential financial savings from using Info-Tech resources:

Estimated cost to do “B” – (Step 1 ($A) + Step 2 ($B) + Step 3 ($C)) = $Total Saving

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

Guided Implementation

"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keeps us on track."

Workshop

"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

Consulting

"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

Diagnostics and consistent frameworks are used throughout all four options.

Create a Service Management Roadmap – project overview


Launch the project

Assess the current state

Build the roadmap

Build communication slide

Best-Practice Toolkit

1.1 Create a powerful, succinct mission statement

1.2 Assemble a project team with representatives from all major IT teams

1.3 Determine project stakeholders and create a communication plan

1.4 Establish metrics to track the success of the project

2.1 Assess impacting forces

2.2 Build service management vision, mission, and values

2.3 Assess attitudes, behaviors, and culture

2.4 Assess governance

2.5 Perform SWOT analysis

2.6 Identify desired state

2.7 Assess SM maturity

2.8 Assess OCM capabilities

3.1 Document overall themes

3.2 List individual initiatives

4.1 Document current state

4.2 List future vision

Guided Implementations

  • Kick-off the project
  • Build the project team
  • Complete the charter
  • Understand current state
  • Determine target state
  • Build the roadmap based on current and target state
  • Build short- and long-term visions and initiative list

Onsite Workshop

Module 1: Launch the project

Module 2: Assess current service management maturity

Module 3: Complete the roadmap

Module 4: Complete the communication slide

Workshop overview

Contact your account representative or email Workshops@InfoTech.com for more information

Workshop Day 1

Workshop Day 2

Workshop Day 3

Workshop Day 4

Activities

Understand Service Management

1.1 Understand the concepts and benefits of service management.

1.2 Understand the changing impacting forces that affect your ability to deliver services.

1.3 Build a compelling vision and mission for your service management program.

Assess the Current State of Your Service Management Practice

2.1 Understand attitudes, behaviors, and culture.

2.2 Assess governance and process ownership needs.

2.3 Perform SWOT analysis.

2.4 Define the desired state.

Complete Current-State Assessment

3.1 Conduct service management process maturity assessment.

3.2 Identify organizational change management capabilities.

3.3 Identify themes for roadmap.

Build Roadmap and Communication Tool

4.1 Build roadmap one-pager.

4.2 Build roadmap communication one-pager.

Deliverables

  1. Constraints and enablers chart
  2. Service management vision, mission, and values
  1. Action items for cultural improvements
  2. Action items for governance
  3. Identified improvements from SWOT
  4. Defined desired state
  1. Service Management Process Maturity Assessment
  2. Organizational Change Management Assessment
  1. Service management roadmap
  2. Roadmap Communication Tool in the Service Management Roadmap Presentation Template

PHASE 1

Launch the Project

Launch the project

This step will walk you through the following activities:

  • Create a powerful, succinct mission statement based on your organization’s goals and objectives.
  • Assemble a project team with representatives from all major IT teams.
  • Determine project stakeholders and create a plan to convey the benefits of this project.
  • Establish metrics to track the success of the project.

Step Insights

  • The project leader should have a strong relationship with IT and business leaders to maximize the benefit of each initiative in the service management journey.
  • The service management roadmap initiative will touch almost every part of the organization; therefore, it is important to have representation from all impacted stakeholders.
  • The communication slide needs to include the organizational change impact of the roadmap initiatives.

Phase 1 outline

Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

Guided Implementation 1: Launch the Project

Step 1.1 – Kick-off the Project

Start with an analyst kick-off call:

  • Identify current organization pain points relating to poor service management practices
  • Determine high-level objectives
  • Create a mission statement

Then complete these activities…

  • Identify potential team members who could actively contribute to the project
  • Identify stakeholders who have a vested interest in the completion of this project

With these tools & templates:

  • Service Management Roadmap Project Charter

Step 1.2 – Complete the Charter

Review findings with analyst:

  • Create the project team; ensure all major IT teams are represented
  • Review stakeholder list and identify communication messages

Then complete these activities…

  • Establish metrics to complete project planning
  • Complete the project charter

With these tools & templates:

  • Service Management Roadmap Project Charter

Use Info-Tech’s project charter to begin your initiative

1.1 Service Management Roadmap Project Charter

The Service Management Roadmap Project Charter is used to govern the initiative throughout the project. It provides the foundation for project communication and monitoring.

The template has been pre-populated with sample information appropriate for this project. Please review this sample text and change, add, or delete information as required.

The charter includes the following sections:

  • Mission Statement
  • Goals & Objectives
  • Project Team
  • Project Stakeholders
  • Current State (from phases 2 & 3)
  • Target State (from phases 2 & 3)
  • Target State
  • Metrics
  • Sponsorship Signature
A screenshot of Info-Tech's Service Management Roadmap Project Charter is shown.

Use Info-Tech’s ready-to-use deliverable to customize your mission statement

Adapt and personalize Info-Tech’s Service Management Roadmap Mission Statement and Goals & Objectives below to suit your organization’s needs.

Goals & Objectives

  • Create a plan for implementing service management initiatives that align with the overall goals/objectives for service management.
  • Identify service management initiatives that must be implemented/improved in the short term before deploying more advanced initiatives.
  • Determine the target state for each initiative based on current maturity and level of investment available.
  • Identify service management initiatives and understand dependencies, prerequisites, and level of effort required to implement.
  • Determine the sequence in which initiatives should be deployed.
  • Create a detailed rollout plan that specifies initiatives, time frames, and owners.
  • Engage the right teams and obtain their commitment throughout both the planning and assessment of roadmap initiatives.
  • both the planning and assessment of roadmap initiatives. Obtain support for the completed roadmap from executive stakeholders.

Example Mission Statement

To help [Organization Name] develop a set of service management practices that will better address the overarching goals of the IT department.

To create a roadmap that sequences initiatives in a way that incorporates best practices and takes into consideration dependencies and prerequisites between service management practices.

To garner support from the right people and obtain executive buy-in for the roadmap.

Create a well-balanced project team

The project leader should be a member of your IT department’s senior executive team with goals and objectives that will be impacted by service management implementation. The project leader should possess the following characteristics:

Leader

  • Influence and impact
  • Comprehensive knowledge of IT and the organization
  • Relationship with senior IT management
  • Ability to get things done

Team Members

Identify

The project team members are the IT managers and directors whose day-to-day lives will be impacted by the service management roadmap and its implementation. The service management initiative will touch almost every IT staff member in the organization; therefore, it is important to have representatives from every single group, including those that are not mentioned. Some examples of individuals you should consider for your team:

  • Service Delivery Managers
  • Director/Manager of Applications
  • Director/Manager of Infrastructure
  • Director/Manager of Service Desk
  • Business Relationship Managers
  • Project Management Office

Engage & Communicate

You want to engage your project participants in the planning process as much as possible. They should be involved in the current-state assessment, the establishment of goals and objectives, and the development of your target state.

To sell this project, identify and articulate how this project and/or process will improve the quality of their job. For example, a formal incident management process will benefit people working at the service desk or on the applications or infrastructure teams. Helping them understand the gains will help to secure their support throughout the long implementation process by giving them a sense of ownership.

The project stakeholders should also be project team members

When managing stakeholders, it is important to help them understand their stake in the project as well as their own personal gain that will come out of this project.

For many of the stakeholders, they also play a critical role in the development of this project.

Role & Benefits

  • CIO
  • The CIO should be actively involved in the planning stage to help determine current and target stage.

    The CIO also needs to promote and sell the project to the IT team so they can understand that higher maturity of service management practices will allow IT to be seen as a partner to the business, giving IT a seat at the table during decision making.

  • Service Delivery Managers/Process Owners
  • Service Delivery Managers are directly responsible for the quality and value of services provided to the business owners. Thus, the Service Delivery Managers have a very high stake in the project and should be considered for the role of project leader.

    Service Delivery Managers need to work closely with the process owners of each service management process to ensure clear objectives are established and there is a common understanding of what needs to be achieved.

  • IT Steering Committee
  • The Committee should be informed and periodically updated about the progress of the project.

  • Manager/Director – Service Desk
  • The Manager of the Service Desk should participate closely in the development of fundamental service management processes, such as service desk, incident management, and problem management.

    Having a more established process in place will create structure, governance, and reduce service desk staff headaches so they can handle requests or incidents more efficiently.

  • Manager/Director –Applications & Infrastructure
  • The Manager of Applications and Infrastructure should be heavily relied on for their knowledge of how technology ties into the organization. They should be consulted regularly for each of the processes.

    This project will also benefit them directly, such as improving the process to deploy a fix into the environment or manage the capacity of the infrastructure.

  • Business Relationship Manager
  • As the IT organization moves up the maturity ladder, the Business Relationship Manager will play a fundamental role in the more advanced processes, such as business relationship management, demand management, and portfolio management.

    This project will be an great opportunity for the Business Relationship Manager to demonstrate their value and their knowledge of how to align IT objectives with business vision.

Ensure you get the entire IT organization on board for the project with a well-practiced change message

Getting the IT team on board will greatly maximize the project’s chance of success.

One of the top challenges for organizations embarking on a service management journey is to manage the magnitude of the project. To ensure the message is not lost, communicate this roadmap in two steps.

1. Communicate the roadmap initiative

The most important message to send to the IT organization is that this project will benefit them directly. Articulate the pains that IT is currently experiencing and explain that through more mature service management, these pains can be greatly reduced and IT can start to earn a place at the table with the business.

2. Communicate the implementation of each process separately

The communication of process implementation should be done separately and at the beginning of each implementation. This is to ensure that IT staff do not feel overwhelmed or overloaded. It also helps to keep the project more manageable for the project team.

Continuously monitor feedback and address concerns throughout the entire process

  • Host lunch and learns to provide updates on the service management initiative to the entire IT team.
  • Understand if there are any major roadblocks and facilitate discussions on how to overcome them.

Articulate the service management initiative to the IT organization

Spread the word and bring attention to your change message through effective mediums and organizational changes.

Key aspects of a communication plan

The methods of communication (e.g. newsletters, email broadcast, news of the day, automated messages) notify users of implementation.

In addition, it is important to know who will deliver the message (delivery strategy). You need IT executives to deliver the message – work hard on obtaining their support as they are the ones communicating to their staff and should be your project champions.

Anticipate organizational changes

The implementation of the service management roadmap will most likely lead to organizational changes in terms of structure, roles, and responsibilities. Therefore, the team should be prepared to communicate the value that these changes will bring.

Communicating Change

  • What is the change?
  • Why are we doing it?
  • How are we going to go about it?
  • What are we trying to achieve?
  • How often will we be updated?

The Qualities of Leadership: Leading Change

Create a project communication plan for your stakeholders

This project cannot be successfully completed without the support of senior IT management.

  1. After the CIO has introduced this project through management meetings or informal conversation, find out how each IT leader feels about this project. You need to make sure the directors and managers of each IT team, especially the directors of application and infrastructure, are on board.
  2. After the meeting, the project leader should seek out the major stakeholders (particularly the heads of applications and infrastructure) and validate their level of support through formal or informal meetings. Create a list documenting the major stakeholders, their level of support, and how the project team will work to gain their approval.
  3. For each identified stakeholder, create a custom communication plan based on their role. For example, if the director of infrastructure is not a supporter, demonstrate how this project will enable them to better understand how to improve service quality. Provide periodic reporting or meetings to update the director on project progress.

INPUT

  • A collaborative discussion between team members

OUTPUT

  • Thorough briefing for project launch
  • A committed team

Materials

  • Communication message and plan
  • Metric tracking

Participants

  • Project leader
  • Core project team

If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

Book a workshop with our Info-Tech analysts:

Photo of an Info-Tech analyst is shown.
  • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
  • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
  • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

The following are sample activities that will be conducted by Info-Tech analysts with your team:

1.1

A screenshot of activity 1.1 is shown.

Create a powerful, succinct mission statement

Using Info-Tech’s sample mission statement as a guide, build your mission statement based on the objectives of this project and the benefits that this project will achieve. Keep the mission statement short and clear.

1.2

A screenshot of activity 1.2 is shown.

Assemble the project team

Create a project team with representatives from all major IT teams. Engage and communicate to the project team early and proactively.

1.3

A screenshot of activity 1.3 is shown.

Identify project stakeholders and create a communication plan

Info-Tech will help you identify key stakeholders who have a vested interest in the success of the project. Determine the communication message that will best gain their support.

1.4

A screenshot of activity 1.4 is shown.

Use metrics to track the success of the project

The onsite analyst will help the project team determine the appropriate metrics to measure the success of this project.

PHASE 2

Assess Your Current Service Management State

Assess your current state

This step will walk you through the following activities:

  • Use Info-Tech’s Service Management Maturity Assessment Tool to determine your overall practice maturity level.
  • Understand your level of completeness for each individual practice.
  • Understand the three major phases involved in the service management journey; know the symptoms of each phase and how they affect your target state selection.

Step Insights

  • To determine the real maturity of your service management practices, you should focus on the results and output of the practice, rather than the activities performed for each process.
  • Focus on phase-level maturity as opposed to the level of completeness for each individual process.

Phase 2 outline

Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

Guided Implementation 2: Determine Your Service Management Current State

Step 2.1 – Assess Impacting Forces

Start with an analyst kick-off call:

  • Discuss the impacting forces that can affect the success of your service management program
  • Identify internal and external constraints and enablers
  • Review and interpret how to leverage or mitigate these elements

Then complete these activities…

  • Present the findings of the organizational context
  • Facilitate a discussion and create consensus amongst the project team members on where the organization should start

With these tools & templates:

Service Management Roadmap Presentation Template

Step 2.2 – Build Vision, Mission, and Values

Review findings with analyst:

  • Review your service management vision and mission statement and discuss the values

Then complete these activities…

  • Socialize the vision, mission, and values to ensure they are aligned with overall organizational vision. Then, set the expectations for behavior aligned with the vision, mission, and values

With these tools & templates:

Service Management Roadmap Presentation Template

Step 2.3 – Assess Attitudes, Behaviors, and Culture

Review findings with analyst:

  • Discuss tactics for addressing negative attitudes, behaviors, or culture identified

Then complete these activities…

  • Add items to be addressed to roadmap

With these tools & templates:

Service Management Roadmap Presentation Template

Step 2.4 – Assess Governance Needs

Review findings with analyst:

  • Understand the typical types of governance structure and the differences between management and governance
  • Choose the management structure required for your organization

Then complete these activities…

  • Determine actions required to establish an effective governance structure and add items to be addressed to roadmap

With these tools & templates:

Service Management Roadmap Presentation Template

Step 2.5 – Perform SWOT Analysis

Review findings with analyst:

  • Discuss SWOT analysis results and tactics for addressing within the roadmap

Then complete these activities…

  • Add items to be addressed to roadmap

With these tools & templates:

Service Management Roadmap Presentation Template

Step 2.6 – Identify Desired State

Review findings with analyst:

  • Discuss desired state and commitment needed to achieve aspects of the desired state

Then complete these activities…

  • Use the desired state to critically assess the current state of your service management practices and whether they are achieving the desired outcomes
  • Prep for the SM maturity assessment

With these tools & templates:

Service Management Roadmap Presentation Template

Step 2.7 – Perform SM Maturity Assessment

Review findings with analyst:

  • Review and interpret the output from your service management maturity assessment

Then complete these activities…

  • Add items to be addressed to roadmap

With these tools & templates:

Service Management Roadmap Presentation Template

Service Management Maturity Assessment

Step 2.8 – Review OCM Capabilities

Review findings with analyst:

  • Review and interpret the output from your organizational change management maturity assessment

Then complete these activities…

  • Add items to be addressed to roadmap

With these tools & templates:

Service Management Roadmap Presentation Template

Organizational Change Management Assessment

Understand and assess impacting forces – constraints and enablers

Constraints and enablers are organizational and behavioral triggers that directly impact your ability and approach to establishing Service Management practices.

A model is shown to demonstrate the possibe constraints and enablers on your service management program. It incorporates available resources, the environment, management practices, and available technologies.

Effective service management requires a mix of different approaches and practices that best fit your organization. There’s not a one-size-fits-all solution. Consider the resources, environment, emerging technologies, and management practices facing your organization. What items can you leverage or use to mitigate to move your service management program forward?

Use Info-Tech’s “Organizational Context” template to list the constraints and enablers affecting your service management

The Service Management Roadmap Presentation Template will help you understand the business environment you need to consider as you build out your roadmap.

Discuss and document constraints and enablers related to the business environment, available resources, management practices, and emerging technologies. Any constraints will need to be addressed within your roadmap and enablers should be leveraged to maximize your results.


Screenshot of Info-Tech's Service Management Roadmap Presentation Template is shown.

Document constraints and enablers

  1. Discuss and document the constrains and enablers for each aspect of the management mesh: environment, resources, management practices, or technology.
  2. Use this as a thought provoker in later exercises.

INPUT

  • A collaborative discussion

OUTPUT

  • Organizational context constraints and enablers

Materials

  • Whiteboards or flip charts

Participants

  • All stakeholders

Build compelling vision and mission statements to set the direction of your service management program

While you are articulating the vision and mission, think about the values you want the team to display. Being explicit can be a powerful tool to create alignment.

A vision statement describes the intended state of your service management organization, expressed in the present tense.

A mission statement describes why your service management organization exists.

Your organizational values state how you will deliver services.

Use Info-Tech’s “Vision, Mission, and Values” template to set the aspiration & purpose of your service management practice

The Service Management Roadmap Presentation Template will help you document your vision for service management, the purpose of the program, and the values you want to see demonstrated.

If the team cannot gain agreement on their reason for being, it will be difficult to make traction on the roadmap items. A concise and compelling statement can set the direction for desired behavior and help team members align with the vision when trying to make ground-level decisions. It can also be used to hold each other accountable when undesirable behavior emerges. It should be revised from time to time, when the environment changes, but a well-written statement should stand the test of time.

A screenshot of the Service Management Roadmap Presentation Temaplate is shown. Specifically it is showing the section on the vision, mission, and values results.

Document your organization’s vision, mission , and values

  1. Vision: Identify your desired target state, consider the details of that target state, and create a vision statement.
  2. Mission: Consider the fundamental purpose of your SM program and craft a statement of purpose.
  3. Values: As you work through the vision and mission, identify values that your organization prides itself in or has the aspiration for.
  4. Discuss common themes and then develop a concise vision statement and mission statement that incorporates the group’s ideas.

INPUT

  • A collaborative discussion

OUTPUT

  • Vision statement
  • Mission statement
  • Organizational values

Materials

  • Whiteboards or flip charts
  • Sample vision and mission statements

Participants

  • All stakeholders
  • Senior leadership

Understanding attitude, behavior, and culture

Attitude

  • What people think and feel. It can be seen in their demeanor and how they react to change initiatives, colleagues, and users.

Any form of organizational change involves adjusting people’s attitudes, creating buy-in and commitment. You need to identify and address attitudes that can lead to negative behaviors and actions or that are counter-productive. It must be made visible and related to your desired behavior.

Behaviour

  • What people do. This is influenced by attitude and the culture of the organization.

To implement change within IT, especially at a tactical level, both IT and organizational behavior needs to change. This is relevant because people don’t like to change and will resist in an active or passive way unless you can sell the need, value, and benefit of changing their behavior.

Culture

  • The accepted and understood ways of working in an organization. The values and standards that people find normal and what would be tacitly identified to new resources.

The organizational or corporate “attitude,” the impact on employee behavior and attitude is often not fully understood. Culture is an invisible element, which makes it difficult to identify, but it has a strong impact and must be addressed to successfully embed any organizational change or strategy.

Culture is a critical and under-addressed success factor

43% of CIOs cited resistance to change as the top impediment to a successful digital strategy.

CIO.com

75% of organizations cannot identify or articulate their culture or its impact.

Info-Tech

“Shortcomings in organizational culture are one of the main barriers to company success in the digital age.”

McKinsey – “Culture for a digital age”

Examples of how they apply

Attitude

  • “I’ll believe that when I see it”
  • Positive outlook on new ideas and changes

Behaviour

  • Saying you’ll follow a new process but not doing so
  • Choosing not to document a resolution approach or updating a knowledge article, despite being asked

Culture

  • Hero culture (knowledge is power)
  • Blame culture (finger pointing)
  • Collaborative culture (people rally and work together)

Why have we failed to address attitude, behavior, and culture?

    ✓ While there is attention and better understanding of these areas, very little effort is made to actually solve these challenges.

    ✓ The impact is not well understood.

    ✓ The lack of tangible and visible factors makes it difficult to identify.

    ✓ There is a lack of proper guidance, leadership skills, and governance to address these in the right places.

    ✓ Addressing these issues has to be done proactively, with intent, rigor, and discipline, in order to be successful.

    ✓ We ignore it (head in the sand and hoping it will fix itself).

Avoidance has been a common strategy for addressing behavior and culture in organizations.

Use Info-Tech’s “Culture and Environment” template to identify cultural constraints that should be addressed in roadmap

The Service Management Roadmap Presentation Template will help you document attitude, behavior, and culture constraints.

Discuss as a team attitudes, behaviors, and cultural aspects that can either hinder or be leveraged to support your vision for the service management program. Capture all items that need to be addressed in the roadmap.

A screenshot of the Service Management Roadmap Presentation Template is shown. Specifically showing the culture and environment slide.

Document your organization’s attitudes, behaviors, and culture

  1. Discuss and document positive and negative aspects of attitude, behavior, or culture within your organization.
  2. Identify the items that need to be addressed as part of your roadmap.

INPUT

  • A collaborative discussion

OUTPUT

  • Culture and environment worksheet

Materials

  • Whiteboards or flip charts

Participants

  • All stakeholders

The relationship to governance

Attitude, behavior, and culture are still underestimated as core success factors in governance and management.

Behavior is a key enabler of good governance. Leading by example and modeling behavior has a cascading impact on shifting culture, reinforcing the importance of change through adherence.

Executive leadership and governing bodies must lead and support cultural change.

Key Points

  • Less than 25% of organizations have formal IT governance in place (ITSM Tools).
  • Governance tends to focus on risk and compliance (controls), but forgets the impact of value and performance.

Lack of oversight often limits the value of service management implementations

Organizations often fail to move beyond risk mitigation, losing focus of the goals of their service management practices and the capabilities required to produce value.

Risk Mitigation

  • Stabilize IT
  • Service Desk
  • Incident Management
  • Change Management

Gap

  • Organizational alignment through governance
  • Disciplined focus on goals of SM

Value Production

  • Value that meets business and consumer needs

This creates a situation where service management activities and roadmaps focus on adjusting and tweaking process areas that no longer support how the organization needs to work.

How does establishing governance for service management provide value?

Governance of service management is a gap in most organizations, which leads to much of the failure and lack of value from service management processes and activities.

Once in place, effective governance enables success for organizations by:

  1. Ensuring service management processes improve business value
  2. Measuring and confirming the value of the service management investment
  3. Driving a focus on outcome and impact instead of simply process adherence
  4. Looking at the integrated impact of service management in order to ensure focused prioritization of work
  5. Driving customer-experience focus within organizations
  6. Ensuring quality is achieved and addressing quality impacts and dependencies between processes

Four common service management process ownership models

Your ownership structure largely defines how processes will need to be implemented, maintained, and improved. It has a strong impact on their ability to integrate and how other teams perceive their involvement.

An organizational structure is shown. In the image is an arrow, with the tip facing in the right direction. The left side of the arrow is labelled: Traditional, and the right side is labelled: Complex. The four models are noted along the arrow. Starting on the left side and going to the right are: Distributed Process Ownership, Centralized Process Ownership, Federated Process Ownership, and Service Management Office.

Most organizations are somewhere within this spectrum of four core ownership models, usually having some combination of shared traits between the two models that are closest to them on the scale.

Info-Tech Insight

The organizational structure that is best for you depends on your needs, and one is not necessarily better than another. The next four slides describe when each ownership level is most appropriate.

Distributed process ownership

Distributed process ownership is usually evident when organizations initially establish their service management practices. The processes are assigned to a specific group, who assumes some level of ownership over its execution.

The distributed process ownership model is shown. CIO is listed at the top with four branches leading out from below it. The four branches are labelled: Service Desk, Operations, Applications, and Security.

Info-Tech Insight

This model is often a suitable approach for initial implementations or where it may be difficult to move out of siloes within the organization’s structure or culture.

Centralized process ownership

Centralized process ownership usually becomes necessary for organizations as they move into a more functional structure. It starts to drive management of processes horizontally across the organization while still retaining functional management control.

A centralized process ownership model is shown. The CIO is at the top and the following are branches below it: Service Manager, Support, Middleware, Development, and Infrastructure.

Info-Tech Insight

This model is often suitable for maturing organizations that are starting to look at process integration and shared service outcomes and accountability.

Federated process ownership

Federated process ownership allows for global control and regional variation, and it supports product orientation and Agile/DevOps principles

A federated process ownership model is shown. The Sponsor/CIO is at the top, with the ITSM Executive below it. Below that level is the: Process Owner, Process Manager, and Process Manager.

Info-Tech Insight

Federated process ownership is usually evident in organizations that have an international or multi-regional presence.

Service management office (SMO)

SMO structures tend to occur in highly mature organizations, where service management responsibility is seen as an enterprise accountability.

A service management office model is shown. The CIO is at the top with the following branches below it: SMO, End-User Services, Infra., Apps., and Architecture.

Info-Tech Insight

SMOs are suitable for organizations with a defined IT and organizational strategy. A SMO supports integration with other enterprise practices like enterprise architecture and the PMO.

Determine which process ownership and governance model works best for your organization

The Service Management Roadmap Presentation Template will help you document process ownership and governance model

Example:

Key Goals:

    ☐ Own accountability for changes to core processes

    ☐ Understand systemic nature and dependencies related to processes and services

    ☐ Approve and prioritize improvement and CSI initiatives related to processes and services

    ☐ Evaluate success of initiative outcomes based on defined benefits and expectations

    ☐ Own Service Management and Governance processes and policies

    ☐ Report into ITSM executive or equivalent body

Membership:

    ☐ Process Owners, SM Owner, Tool Owner/Liaison, Audit

Discuss as a team which process ownership model works for your organization. Determine who will govern the service management practice. Determine items that should be identified in your roadmap to address governance and process ownership gaps.

Use Info-Tech’s “SWOT” template to identify strengths, weaknesses, opportunities & threats that should be addressed

The Service Management Roadmap Presentation Template will help you document items from your SWOT analysis.

A screenshot of the Service Management Roadmap Presentation Template is shown. Specifically the SWOT section is shown.

Brainstorm the strengths, weaknesses, opportunities, and threats related to resources, environment, technology, and management practices. Add items that need to be addressed to your roadmap.

Perform a SWOT analysis

  1. Brainstorm each aspect of the SWOT with an emphasis on:
  • Resources
  • Environment
  • Technologies
  • Management Practices
  • Record your ideas on a flip chart or whiteboard.
  • Add items to be addressed to the roadmap.
  • INPUT

    • A collaborative discussion

    OUTPUT

    • SWOT analysis
    • Priority items identified

    Materials

    • Whiteboards or flip charts

    Participants

    • All stakeholders

    Indicate desired maturity level for your service management program to be successful

    Discuss the various maturity levels and choose a desired level that would meet business needs.

    The desired maturity model is depicted.

    INPUT

    • A collaborative discussion

    OUTPUT

    • Desired state of service management maturity

    Materials

    • None

    Participants

    • All stakeholders

    Use Info-Tech’s Service Management Process Maturity Assessment Tool to understand your current state

    The Service Management Process Maturity Assessment Tool will help you understand the true state of your service management.

    A screenshot of Info-Tech's Service Management Process Assessment Tool is shown.

    Part 1, Part 2, and Part 3 tabs

    These three worksheets contain questions that will determine the overall maturity of your service management processes. There are multiple sections of questions focused on different processes. It is very important that you start from Part 1 and continue the questions sequentially.

    Results tab

    The Results tab will display the current state of your service management processes as well as the percentage of completion for each individual process.

    Complete the service management process maturity assessment

    The current-state assessment will be the foundation of building your roadmap, so pay close attention to the questions and answer them truthfully.

    1. Start with tab 1 in the Service Management Process Maturity Assessment Tool. Remember to read the questions carefully and always use the feedback obtained through the end-user survey to help you determine the answer.
    2. In the “Degree of Process Completeness” column, use the drop-down menu to input the results solicited from the goals and objectives meeting you held with your project participants.
    3. A screenshot of Info-Tech's Service Management Process Assessment Tool is shown. Tab 1 is shown.
    4. Host a meeting with all participants following completion of the survey and have them bring their results. Discuss in a round-table setting, keeping a master sheet of agreed upon results.

    INPUT

    • Service Management Process Maturity Assessment Tool questions

    OUTPUT

    • Determination of current state

    Materials

    • Service Management Process Maturity Assessment Tool

    Participants

    • Project team members

    Review the results of your current-state assessment

    At the end of the assessment, the Results tab will have action items you could perform to close the gaps identified by the process assessment tool.

    A screenshot of Info-Tech's Service Management Process Maturity Assessment Results is shown.

    INPUT

    • Maturity assessment results

    OUTPUT

    • Determination of overall and individual practice maturity

    Materials

    • Service Management Maturity Assessment Tool

    Participants

    • Project team members

    Use Info-Tech’s OCM Capability Assessment tool to understand your current state

    The Organizational Change Management Capabilities Assessment tool will help you understand the true state of your organizational change management capabilities.

    A screenshot of Info-Tech's Organizational Change Management Capabilities Assessment

    Complete the Capabilities tab to capture the current state for organizational change management. Review the Results tab for interpretation of the capabilities. Review the Recommendations tab for actions to address low areas of maturity.

    Complete the OCM capability assessment

    1. Open Organizational Change Management Capabilities Assessment tool.
    2. Come to consensus on the most appropriate answer for each question. Use the 80/20 rule.
    3. Review result charts and discuss findings.
    4. Identify roadmap items based on maturity assessment.

    INPUT

    • A collaborative discussion

    OUTPUT

    • OCM Assessment tool
    • OCM assessment results

    Materials

    • OCM Capabilities Assessment tool

    Participants

    • All stakeholders

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    Photo of an Info-Tech analyst is shown.

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    2.1

    A screenshot of activity 2.1 is shown.

    Create a powerful, succinct mission statement

    Using Info-Tech’s sample mission statement as a guide, build your mission statement based on the objectives of this project and the benefits that this project will achieve. Keep the mission statement short and clear.

    2.2

    A screenshot of activity 2.2 is shown.

    Complete the assessment

    With the project team in the room, go through all three parts of the assessment with consideration of the feedback received from the business.

    2.3

    A screenshot of activity 2.3 is shown.

    Interpret the results of the assessment

    The Info-Tech onsite analyst will facilitate a discussion on the overall maturity of your service management practices and individual process maturity. Are there any surprises? Are the results reflective of current service delivery maturity?

    PHASE 3

    Build Your Service Management Roadmap

    Build Roadmap

    This step will walk you through the following activities:

    • Document your vision and mission on the roadmap one-pager.
    • Using the inputs from the current-state assessments, identify the key themes required by your organization.
    • Identify individual initiatives needed to address key themes.

    Step Insights

    • Using the Info-Tech thought model, address foundational gaps early in your roadmap and establish the management methods to continuously make them more robust.
    • If any of the core practices are not meeting the vision for your service management program, be sure to address these items before moving on to more advanced service management practices or processes.
    • Make sure the story you are telling with your roadmap is aligned to the overall organizational goals.

    Phase 3 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 3: Determine Your Service Management Target State

    Step 3.1 – Document the Overall Themes

    Start with an analyst kick-off call:

    • Review the outputs from your current-state assessments to identify themes for areas that need to be included in your roadmap

    Then complete these activities…

    • Ensure foundational elements are solid by adding any gaps to the roadmap
    • Identify any changes needed to management practices to ensure continuous improvement

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Step 3.2 – Determine Individual Initiatives

    Review findings with analyst:

    • Determine the individual initiatives needed to close the gaps between the current state and the vision

    Then complete these activities…

    • Finalize and document roadmap for executive socialization

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Focus on a strong foundation to build higher value service management practices

    Info-Tech Insight

    Focus on behaviors and expected outcomes before processes.

    Foundational elements

    • Operating model facilitates service management goals
    • Culture of service delivery
    • Governance discipline to evaluate, direct, and monitor
    • Management discipline to deliver

    Stabilize

    • Deliver stable, reliable IT services to the business
    • Respond to user requests quickly and efficiently
    • Resolve user issues in a timely manner
    • Deploy changes smoothly and successfully

    Proactive

    • Avoid/prevent service disruptions
    • Improve quality of service (performance, availability, reliability)

    Service Provider

    • Understand business needs
    • Ensure services are available
    • Measure service performance, based on business-oriented metrics

    Strategic Partner

    • Fully aligned with business
    • Drive innovation
    • Drive measurable value

    Info-Tech Insight

    Continued leadership support of the foundational elements will allow delivery teams to provide value to the business. Set the expectation of the desired maturity level and allow teams to innovate.

    Identify themes that can help you build a strong foundation before moving to higher level practices

    A model is depicted that shows the various target states. There are 6 levels showing in the example, and the example is made to look like a tree with a character watering it. In the roots, the level is labelled foundational. The trunk is labelled the core. The lowest hanging branches of the tree is the stabilize section. Above it is the proactive section. Nearing the top of the tree is the service provider. The top most branches of the tree is labelled strategic partner.

    Before moving to advanced service management practices, you must ensure that the foundational and core elements are robust enough to support them. Leadership must nurture these practices to ensure they are sustainable and can support higher value, more mature practices.

    Use Info-Tech’s “Service Management Roadmap” template to document your vision, themes and initiatives

    The Service Management Roadmap Presentation Template contains a roadmap template to help communicate your vision, themes to be addressed, and initiatives

    A screenshot of Info-Tech's Service Management Roadmap template is shown.

    Working from the lower maturity items to the higher value practices, identify logical groupings of initiatives into themes. This will aid in communicating the reasons for the needed changes. List the individual initiatives below the themes. Adding the service management vision and mission statements can help readers understand the roadmap.

    Document your service management roadmap

    1. Document the service management vision and mission on the roadmap template.
    2. Identify, from the assessments, areas that need to be improved or implemented.
    3. Group the individual initiatives into logical themes that can ease communication of what needs to happen.
    4. Document the individual initiatives.
    5. Document in terms that business partners and executive sponsors can understand.

    INPUT

    • Current-state assessment outputs
    • Maturity model

    OUTPUT

    • Service management roadmap

    Materials

    • Whiteboard
    • Roadmap template

    Participants

    • All stakeholders

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    Photo of an Info-Tech analyst is shown.

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    3.1

    A screenshot of activity 3.1 is shown.

    Identify themes to address items from the foundational level up to higher value service management practices

    Identify easily understood themes that will help others understand the expected outcomes within your organization.

    A screenshot of activity 3.2 is shown.

    Document individual initiatives that contribute to the themes

    Identify specific activities that will close gaps identified in the assessments.

    PHASE 2

    Build Communication Slide

    Complete your service management roadmap

    This step will walk you through the following activities:

    • Use the current-state assessment exercises to document the state of your service management practices. Document examples of the behaviors that are currently seen.
    • Document the expected short-term gains. Describe how you want the behaviors to change.
    • Document the long-term vision for each item and describe the benefits you expect to see from addressing each theme.

    Step Insights

    • Use the communication template to acknowledge the areas that need to be improved and paint the short- and long-term vision for the improvements to be made through executing the roadmap.
    • Write it in business terms so that it can be used widely to gain acceptance of the upcoming changes that need to occur.
    • Include specific areas that need to be fixed to make it more tangible.
    • Adding the values from the vision, mission, and values exercise can also help you set expectations about how the team will behave as they move towards the longer-term vision.

    Phase 4 Outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 4: Build the Service Management Roadmap

    Step 4.1: Document the Current State

    Start with an analyst kick-off call:

    • Review the pain points identified from the current state analysis
    • Discuss tactics to address specific pain points

    Then complete these activities…

    • Socialize the pain points within the service delivery teams to ensure nothing is being misrepresented
    • Gather ideas for the future state

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Step 4.2: List the Future Vision

    Review findings with analyst:

    • Review short- and long-term vision for improvements for the pain points identified in the current state analysis

    Then complete these activities…

    • Prepare to socialize the roadmap
    • Ensure long-term vision is aligned with organizational objectives

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Use Info-Tech’s “Service Management Roadmap – Brought to Life” template to paint a picture of the future state

    The Service Management Roadmap Presentation Template contains a communication template to help communicate your vision of the future state

    A screenshot of Info-Tech's Service Management Roadmap - Brought to Life template

    Use this template to demonstrate how existing pain points to delivering services will improve over time by painting a near- and long-term picture of how things will change. Also list specific initiatives that will be launched to affect the changes. Listing the values identified in the vision, mission, and values exercise will also demonstrate the team’s commitment to changing behavior to create better outcomes.

    Document your current state and list initiatives to address them

    1. Use the previous assessments and feedback from business or customers to identify current behaviors that need addressing.
    2. Focus on high-impact items for this document, not an extensive list.
    3. An example of step 1 and 2 are shown.
    4. List the initiatives or actions that will be used to address the specific pain points.

    An example of areas for improvement.

    INPUT

    • Current-state assessment outputs
    • Feedback from business

    OUTPUT

    • Service Management Roadmap Communication Tool, in the Service Management Roadmap Presentation

    Materials

    • Whiteboard
    • Roadmap template

    Participants

    • All stakeholders

    Document your future state

    An example of document your furture state is shown.

    1. For each pain point document the expected behaviors, both short term and longer term.
    2. Write in terms that allow readers to understand what to expect from your service management practice.

    INPUT

    • Current-state assessment outputs
    • Feedback from business

    OUTPUT

    • Service Management Roadmap Communication Tool, in the Service Management Roadmap Presentation Template

    Materials

    • Whiteboard
    • Roadmap template

    Participants

    • All stakeholders

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    Photo of an Info-Tech analyst is shown.

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    4.1

    A screenshot of activity 4.1 is shown.

    Identify the pain points and initiatives to address them

    Identify items that the business can relate to and initiatives or actions to address them.

    4.2

    A screenshot of activity 4.2 is shown.

    Identify short- and long-term expectations for service management

    Communicate the benefits of executing the roadmap both short- and long-term gains.

    Research contributors and experts

    Photo of Valence Howden

    Valence Howden, Principal Research Director, CIO Practice

    Info-Tech Research Group

    Valence helps organizations be successful through optimizing how they govern, design, and execute strategies, and how they drive service excellence in all work. With 30 years of IT experience in the public and private sectors, he has developed experience in many information management and technology domains, with focus in service management, enterprise and IT governance, development and execution of strategy, risk management, metrics design and process design, and implementation and improvement.

    Photo of Graham Price

    Graham Price, Research Director, CIO Practice

    Info-Tech Research Group

    Graham has an extensive background in IT service management across various industries with over 25 years of experience. He was a principal consultant for 17 years, partnering with Fortune 500 clients throughout North America, leveraging and integrating industry best practices in IT service management, service catalog, business relationship management, IT strategy, governance, and Lean IT and Agile.

    Photo of Sharon Foltz

    Sharon Foltz, Senior Workshop Director

    Info-Tech Research Group

    Sharon is a Senior Workshop Director at Info-Tech Research Group. She focuses on bringing high value to members via leveraging Info-Tech’s blueprints and other resources enhanced with her breadth and depth of skills and expertise. Sharon has spent over 15 years in various IT roles in leading companies within the United States. She has strong experience in organizational change management, program and project management, service management, product management, team leadership, strategic planning, and CRM across various global organizations.

    Related Info-Tech Research

    Build a Roadmap for Service Management Agility

    Extend the Service Desk to the Enterprise

    Bibliography

    • “CIOs Emerge as Disruptive Innovators.” CSC Global CIO Survey: 2014-2015. Web.
    • “Digital Transformation: How Is Your Organization Adapting?” CIO.com, 2018. Web.
    • Goran, Julie, Laura LaBerge, and Ramesh Srinivasan. “Culture for a digital age.” McKinsey, July 2017. Web.
    • The Qualities of Leadership: Leading Change. Cornelius & Associates, 14 April 2012.
    • Wilkinson, Paul. “Culture, Ethics, and Behavior – Why Are We Still Struggling?” ITSM Tools, 5 July 2018. Web.

    Develop a COVID-19 Pandemic Response Plan

    • Buy Link or Shortcode: {j2store}420|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: DR and Business Continuity
    • Parent Category Link: /business-continuity
    • IT departments are being asked to rapidly ramp up work-from-home capabilities and other business process workarounds.
    • Crisis managers are experiencing a pandemic more severe than what they’ve managed in the past.
    • Organizations are scrambling to determine how they can keep their businesses running through this pandemic.

    Our Advice

    Critical Insight

    • Obstacles to working from home go beyond internet speed and needing a laptop. Business input is critical to uncover unexpected obstacles.
    • IT needs to address a range of issues from security risk to increased service desk demand from users who don’t normally work from home.
    • Resist the temptation to bypass IT processes – your future-self will thank you for tracking all those assets about to go out the door.

    Impact and Result

    • Start with crisis management fundamentals – identify crisis management roles and exercise appropriate crisis communication.
    • Prioritize business processes and work-from-home requirements. Not everyone can be set up on day one.
    • Don’t over-complicate your work-from-home deployment plan. A simple spreadsheet (see the Work-from-Home Requirements Tool) to track requirements can be very effective.

    Develop a COVID-19 Pandemic Response Plan Research & Tools

    Start here

    Stay up to date on COVID-19 and the resources available to you.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Develop a COVID-19 Pandemic Response Plan Storyboard

    1. Manage the pandemic crisis

    Identify key roles and immediate steps to manage this crisis.

    • Pandemic Response Plan Example

    2. Create IT’s plan to support the pandemic response plan

    Plan the deployment of a work-from-home initiative.

    • Work-From-Home Requirements Tool
    [infographic]

    Prepare for the Upgrade to Windows 11

    • Buy Link or Shortcode: {j2store}166|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: End-User Computing Devices
    • Parent Category Link: /end-user-computing-devices
    • Windows 10 is going EOL in 2025.That is closer than you think.
    • Many of your endpoints are not eligible for the Windows 11 upgrade. You can’t afford to replace all your endpoints this year. How do you manage this Microsoft initiated catastrophe?
    • You want to stay close to the leading edge of technology and services, but how do you do that while keeping your spending in check and within budget?

    Our Advice

    Critical Insight

    Windows 11 is a step forward in security, which is one of the primary reasons for the release of the new operating system. Windows 11 comes with a list of hardware requirements that enable the use of tools and features that, when combined, will reduce malware infections.

    Impact and Result

    Windows 11 hardware requirements will result in devices that are not eligible for the upgrade. Companies will be left to spend money on replacement devices. Following the Info-Tech guidance will help clients properly budget for hardware replacements before Windows 10 is no longer supported by Microsoft. Eligible devices can be upgraded, but Info-Tech guidance can help clients properly plan the upgrade using the upgrade ring approach.

    Prepare for the Upgrade to Windows 11 Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Prepare for the Upgrade to Windows 11 Deck – A look into some of the pros and cons of Microsoft’s latest desktop operating system, along with guidance on moving forward with this inevitable upgrade.

    Discover the reason for the release of Windows 11, what you require to be eligible for the upgrade, what features were added or updated, and what features were removed. Our guidance will assist you with a planned and controlled rollout of the Windows 11 upgrade. We also provide guidance on how to approach a device refresh plan if some devices are not eligible for Windows 11. The upgrade is inevitable, but you have time, and you have options.

    • Prepare for the Upgrade to Windows 11 Storyboard

    2. What Are My Options If My Devices Cannot Upgrade to Windows 11? – Build a Windows 11 Device Replacement budget with our Hardware Asset Management Budgeting Tool.

    This tool will help you budget for a hardware asset refresh and to adjust the budget as necessary to accommodate any unexpected changes. The tool can easily be modified to assist in developing and justifying the budget for hardware assets for a Windows 11 project. Follow the instructions on each tab and feel free to play with the HAM budgeting tool to fit your needs.

    • HAM Budgeting Tool
    [infographic]

    Further reading

    Prepare for the Upgrade to Windows 11

    The upgrade is inevitable, but you have time, and you have options.

    Analyst Perspective

    Upgrading to Windows 11 is easy, and while it should be properly investigated and planned, it should absolutely be an activity you undertake.

    “You hear that Mr. Anderson? That is the sound of inevitability.” ("The Matrix Quotes" )

    The fictitious Agent Smith uttered those words to Keanu Reeves’ character, Neo, in The Matrix in 1999, and while Agent Smith was using them in a very sinister and figurative context, the words could just as easily be applied to the concept of upgrading to the Windows 11 operating system from Microsoft in 2022.

    There have been two common, recurring themes in the media since late 2019. One is the global pandemic and the other is cyber-related crime. Microsoft is not in a position to make an impact on a novel coronavirus, but it does have the global market reach to influence end-user technology and it appears that it has done just that. Windows 11 is a step forward in endpoint security and functionality. It also solidifies the foundation for future innovations in end-user operating systems and how they are delivered. Windows-as-a-Service (WAAS) is the way forward for Microsoft. Windows 10 is living on borrowed time, with a defined end of support date of October 14, 2025. Upgrading to Windows 11 is easy, and while it should be properly investigated and planned, it should absolutely be an activity you undertake.

    It is inevitable!

    P.J. Ryan

    Research Director, Infrastructure & Operations

    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • Windows 10 is going EOL in 2025. That is closer than you think.
    • Many of your endpoints are not eligible for the Windows 11 upgrade. You can’t afford to replace all your endpoints this year. How do you manage this Microsoft-initiated catastrophe?
    • You want to stay close to the leading edge of technology and services, but how do you do that while keeping your spending in check and within budget?

    Common Obstacles

    • The difference between Windows 10 and Windows 11 is not clear. Windows 11 looks like Windows 10 with some minor changes, mostly cosmetic. Many online users don’t see the need. Why upgrade? What are the benefits?
    • The cost of upgrading devices just to be eligible for Windows 11 is high.
    • Your end users don’t like change. This is not going to go over well!

    Info-Tech's Approach

    • Spend wisely. Space out your endpoint replacements and upgrades over several years. You do not have to upgrade everything right away.
    • Be patient. Windows 11 contained some bugs when it was initially released. Microsoft fixed most of the issues through monthly quality updates, but you should ensure that you are comfortable with the current level of functionality before you upgrade.
    • Use the upgrade ring approach. Test your applications with a small group first, and then stage the rollout to increasingly larger groups over time.

    Info-Tech Insight

    There is a lot of talk about Windows 11, but this is only an operating system upgrade, and it is not a major one. Understand what is new, what is added, and what is missing. Check your devices to determine how many are eligible and ineligible. Many organizations will have to spend capital on endpoint upgrades. Solid asset management practices will help.

    Insight summary

    Windows 11 is a step forward in security, which is one of the primary reasons for the release of the new operating system.

    Windows 11 comes with a list of hardware requirements that enable the use of tools and features that, when combined, will reduce malware infections.

    The hardware requirements for Windows 11 enable security features such as password-less logon, disk encryption, increased startup protection with secure boot, and virtualization-based security.

    Many organizations will have to spend capital on endpoint upgrades.

    Microsoft now insists that modern hardware is required for Windows 11 for not only security but also for improved stability. That same hardware requirement will mean that many devices that are only three or four years old (as well as older ones) may not be eligible for Windows 11.

    Windows 11 is a virtualization challenge for some providers.

    The hardware requirements for physical devices are also required for virtual devices. The TPM module appears to be the biggest challenge. Oracle VirtualBox and Citrix Hypervisor as well as AWS and Google are unable to support Windows 11 virtual devices as of the time of writing.

    Windows 10 will be supported by Microsoft until October 2025.

    That will remove some of the pressure felt due to the ineligibility of many devices and the need to refresh them. Take your time and plan it out, keeping within budget constraints. Use the upgrade ring approach for systems that are eligible for the Windows 11 upgrade.

    New look and feel, and a center screen taskbar.

    Corners are rounded, some controls look a little different, but overall Windows 11 is not a dramatic shift from Windows 10. It is easier to navigate and find features. Oh, and yes, the taskbar (and start button) is shifted to the center of the screen, but you can move them back to the left if desired.

    The education industry gets extra attention with the release of Windows 11.

    Windows 11 comes with multiple subscription-based education offerings, but it also now includes a new lightweight SE edition that is intended for the K-8 age group. Microsoft also released a Windows 11 Education SE specific laptop, at a very attractive price point. Other manufacturers also offer Windows 11 SE focused devices.

    Why Windows 11?

    Windows 10 was supposed to be the final desktop OS from Microsoft, wasn’t it?

    Maybe. It depends who you ask.

    Jerry Nixon, a Microsoft developer evangelist, gained notoriety when he uttered these words while at a Microsoft presentation as part of Microsoft Ignite in 2015: “Right now we’re releasing Windows 10, and because Windows 10 is the last version of Windows, we’re all still working on Windows 10,” (Hachman). Microsoft never officially made that statement. Interestingly enough, it never denied the comments made by Jerry Nixon either.

    Perhaps Microsoft released a new operating system as a financial grab, a way to make significant revenue?

    Nope.

    Windows 11 is a free upgrade or is included with any new computer purchase.

    Market share challenges?

    Doubtful.

    It’s true that Microsoft's market share of desktop operating systems is dropping while Apple OS X and Google Chrome OS are rising.

    In fact, Microsoft has relinquished over 13% of the market share since 2012 and Apple has almost doubled its market share. BUT:

    Microsoft is still holding 75.12% of the market while Apple is in the number 2 spot with 14.93% (gs.statcounter.com).

    The market share is worth noting for Microsoft but it hardly warrants a new operating system.

    New look and feel?

    Unlikely

    New start button and taskbar orientation, new search window, rounded corners, new visual look on some controls like the volume bar, new startup sound, new Windows logo, – all minor changes. Updates could achieve the same result.

    Security?

    Likely the main reason.

    Windows 11 comes with a list of hardware requirements that enable the use of tools and features that, when combined, will reduce malware infections.

    The hardware requirements for Windows 11 enable security features such as password-less logon, disk encryption, increased startup protection with secure boot, and virtualization-based security.

    The features are available on all Windows 11 physical devices, due to the common hardware requirements.

    Windows 11 hardware-based security

    These hardware options and features were available in Windows 10 but not enforced. With Windows 11, they are no longer optional. Below is a description and explanation of the main features.

    Feature What it is How it works
    TPM 2.0 (Trusted Platform Module) Chip TPM is a chip on the motherboard of the computer. It is used to store encryption keys, certificates, and passwords. TPM does this securely with tamper-proof prevention. It can also generate encryption keys and it includes its own unique encryption key that cannot be altered (helpdeskgeek.com). You do not need to enter your password once you setup Windows Hello, so the password is no longer easy to capture and steal. It is set up on a device per device basis, meaning if you go to a different device to sign in, your Windows Hello authentication will not follow you and you must set up your Hello pin or facial recognition again on that particular device. TPM (Trusted Platform Module) can store the credentials used by Windows Hello and encrypt them on the module.
    Windows Hello Windows Hello is an alternative to using a password for authentication. Users can use a pin, a fingerprint, or facial recognition to authenticate.
    Device Encryption Device encryption is only on when your device is off. It scrambles the data on your disk to make it unreadable unless you have the key to unscramble it. If your endpoint is stolen, the contents of the hard drive will remain encrypted and cannot be accessed by anyone unless they can properly authenticate on the device and allow the system to unscramble the encrypted data.
    UEFI Secure Boot Capable UEFI is an acronym for Unified Extensible Firmware Interface. It is an interface between the operating system and the computer firmware. Secure Boot, as part of the firmware interface, ensures that only unchangeable and approved software and drivers are loaded at startup and not any malware that may have infiltrated the system (Lumunge). UEFI, with Secure Boot, references a database containing keys and signatures of drivers and runtime code that is approved as well as forbidden. It will not let the system boot up unless the signature of the driver or run-time code that is trying to execute is approved. This UEFI Secure boot recognition process continues until control is handed over to the operating system.
    Virtualization Based Security (VBS) and Hypervisor-Protected Code Integrity (HVCI) VBS is security based on virtualization capabilities. It uses the virtualization features of the Windows operating system, specifically the Hyper-V hypervisor, to create and isolate a small chunk of memory that is isolated from the operating system. HVCI checks the integrity of code for violations. The Code Integrity check happens in the isolated virtual area of memory protected by the hypervisor, hence the acronym HVCI (Hypervisor Protected Code Integrity) (Murtaza). In the secure, isolated region of memory created by VBS with the hypervisor, Windows will run checks on the integrity of the code that runs various processes. The isolation protects the stored item from tampering by malware and similar threats. If they run incident free, they are released to the operating system and can run in the standard memory space. If issues are detected, the code will not be released, nor will it run in the standard memory space of the operating system, and damage or compromise will be prevented.

    How do all the hardware-based security features work?

    This scenario explains how a standard boot up and login should happen.

    You turn on your computer. Secure Boot authorizes the processes and UEFI hands over control to the operating system. Windows Hello works with TPM and uses a pin to authenticate the user and the operating systems gives you access to the Windows environment.

    Now imagine the same process with various compromised scenarios.

    You turn on your computer. Secure Boot does not recognize the signature presented to it by the second process in the boot sequence. You will be presented with a “Secure Boot Violation” message and an option to reboot. Your computer remains protected.

    You boot up and get past the secure boot process and UEFI passes control over to the Windows 11 operating system. Windows Hello asks for your pin, but you cannot remember the pin and incorrectly enter it three times before admitting temporary defeat. Windows Hello did not find a matching pin on the TPM and will not let you proceed. You cannot log in but in the eyes of the operating system, it has prevented an unauthorized login attempt.

    You power up your computer, log in without issue, and go about your morning routine of checking email, etc. You are not aware that malware has infiltrated your system and modified a page in system memory to run code and access the operating system kernel. VBS and HVCI check the integrity of that code and detect that it is malicious. The code remains isolated and prevented from running, protecting your system.

    TPM, Hello, UEFI with Secure Boot, VBS and HVCI all work together like a well-oiled machine.

    “Microsoft's rationale for Windows 11's strict official support requirements – including Secure Boot, a TPM 2.0 module, and virtualization support – has always been centered on security rather than raw performance.” – Andrew Cunningham, arstechnica.com

    “Windows 11 raises the bar for security by requiring hardware that can enable protections like Windows Hello, Device Encryption, virtualization-based security (VBS), hypervisor-protected code integrity (HVCI), and Secure Boot. These features in combination have been shown to reduce malware by 60% on tested devices.” – Steven J. Vaughan-Nichols, Computerworld

    Can any device upgrade to Windows 11?

    In addition to the security-related hardware requirements listed previously, which may exclude some devices from Windows 11 eligibility, Windows 11 also has a minimum requirement for other hardware components.

    Windows 7 and Windows 10 were publicized as being backward compatible and almost any hardware would be able to run those operating systems. That changed with Windows 11. Microsoft now insists that modern hardware is required for Windows 11 for not only security but also improved stability.

    Software Requirement

    You must be running Windows 10 version 2004 or greater to be eligible for a Windows 11 upgrade (“Windows 11 Requirements”).

    Complete hardware requirements for Windows 11

    • 1 GHz (or faster) compatible 64-bit processor with two or more cores
    • 4 GB RAM
    • 64 GB or more of storage space
    • Compatible with DirectX 12 or later with WDDM 2.0 driver
      • DirectX connects the hardware in your computer with Windows. It allows software to display graphics using the video card or play audio, as long as that software is DirectX compatible. Windows 11 requires version 12 (“What are DirectX 12 compatible graphics”).
      • WDDM is an acronym for Windows Display Driver Model. WDDM is the architecture for the graphics driver for Windows (“Windows Display Driver Model”).
      • Version 2.0 of WDDM is required for Windows 11.
    • 720p display greater than 9" diagonally with 8 bits per color channel
    • UEFI Secure Boot capable
    • TPM 2.0 chip
    • (“Windows 11 Requirements”)

    Windows 11 may challenge your virtual environment

    When Windows 11 was initially released, some IT administrators experienced issues when trying to install or upgrade to Windows 11 in the virtual world.

    The Challenge

    The issues appeared to be centered around the Windows 11 hardware requirements, which must be detected by the Windows 11 pre-install check before the operating system will install.

    The TPM 2.0 chip requirement was indeed a challenge and not offered as a configuration option with Citrix Hypervisor, the free VMware Workstation Player or Oracle VM VirtualBox when Windows 11 was released in October 2021, although it is on the roadmap for Oracle and Citrix Hypervisor. VMware provides alternative products to the free Workstation Player that do support a virtual TPM. Oracle and Citrix reported that the feature would be available in the future and Windows 11 would work on their platforms.

    Short-Term Solutions

    VMware and Microsoft users can add a vTPM hardware type when configuring a virtual Windows 11 machine. Microsoft Azure does offer Windows 11 as an option as a virtual desktop. Citrix Desktop-As-A-Service (DAAS) will connect to Azure, AWS, or Google Cloud and is only limited by the features of the hosting cloud service provider.

    Additional Insight

    According to Microsoft, any VM running Windows 11 must meet the following requirements (“Virtual Machine Support”):

    • It must be a generation 2 VM, and upgrading a generation 1 VM to Windows 11 (in-place) is not possible
    • 64 GB of storage or greater
    • Secure Boot capable with the virtual TPM enabled
    • 4 GB of memory or greater
    • 2 or more virtual processors
    • The CPU of the physical computer that is hosting the VM must meet the Windows 11 (“Windows Processor Requirements”)

    What’s new or updated in Windows 11?

    The following two slides highlight some of the new and updated features in Windows 11.

    Security

    The most important change with Windows 11 is what you cannot see – the security. Windows 11 adds requirements and controls to make the user and device more secure, as described in previous slides.

    Taskbar

    The most prominent change in relation to the look and feel of Windows 11 is the shifting of the taskbar (and Start button) to the center of the screen. Some users may find this more convenient but if you do not and prefer the taskbar and start button back on the left of your screen, you can change it in taskbar settings.

    Updated Apps

    Paint, Photos, Notepad, Media Player, Mail, and other standard Windows apps have been updated with a new look and in some cases minor enhancements.

    User Interface

    The first change users will notice after logging in to Windows 11 is the new user interface – the look and feel. You may not notice the additional colors added to the Windows palette, but you may have thought that the startup sound was different, and the logo also looks different. You would be correct. Other look-and-feel items that changed include the rounded corners on windows, slightly different icons, new wallpapers, and controls for volume and brightness are now a slide bar. File explorer and the settings app also have a new look.

    Microsoft Teams

    Microsoft Teams is now installed on the taskbar by default. Note that this is for a personal Microsoft account only. Teams for Work or School will have to be installed separately if you are using a work or school account.

    What’s new or updated in Windows 11?

    Snap Layouts

    Snap layouts have been enhanced and snap group functionality has been added. This will allow you to quickly snap one window to the side of the screen and open other Windows in the other side. This feature can be accessed by dragging the window you wish to snap to the left or right edge of the screen. The window should then automatically resize to occupy that half of the screen and allow you to select other Windows that are already open to occupy the remaining space on the screen. You can also hover your mouse over the maximize button in the upper right-hand corner of the window. A small screen with multiple snap layouts will appear for your selection. Multiple snapped Windows can be saved as a “Snap Group” that will open together if one of the group windows are snapped in the future.

    Widgets

    Widgets are expanding. Microsoft started the re-introduction of widgets in Windows 10, specifically focusing on the weather. Widgets now include other services such as news, sports, stock prices, and others.

    Android Apps

    Android apps can now run in Windows 11. You will have to use the Amazon store to access and install Android apps, but if it is available in the Amazon store, you can install it on Windows 11.

    Docking

    Docking has improved with Windows 11. Windows knows when you are docked and will minimize apps when you undock so they are not lost. They will appear automatically when you dock again.

    This is not intended to be an inclusive list but does cover some of the more prominent features.

    What’s missing from Windows 11?

    The following features are no longer found in Windows 11:

    • Backward compatibility
      • The introduction of the hardware requirements for Windows 11 removed the backward compatibility (from a hardware perspective) that made the transition from previous versions of Windows to their successor less of a hardware concern. If a computer could run Windows 7, then it could also run Windows 10. That does not automatically mean it can also run Windows 11.
    • Internet Explorer
      • Internet Explorer is no longer installed by default in Windows 11. Microsoft Edge is now the default browser for Windows. Other browsers can also be installed if preferred.
    • Tablet mode
      • Windows 11 does not have a "tablet" mode, but the operating system will maximize the active window and add more space between icons to make selecting them easier if the 2-in-1 hardware detects that you wish to use the device as a tablet (keyboard detached or device opened up beyond 180 degrees, etc.).
    • Semi-annual updates
      • It may take six months or more to realize that semi-annual feature updates are missing. Microsoft moved to an annual feature update schema but continued with monthly quality updates with Windows 11.
    • Specific apps
      • Several applications have been removed (but can be manually added from the Microsoft Store by the user). They include:
        • OneNote for Windows 10
        • 3D Viewer
        • Paint 3D
        • Skype
    • Cortana (by default)
      • Cortana is missing from Windows 11. It is installed but not enabled by default. Users can turn it on if desired.

    Microsoft included a complete list of features that have been removed or deprecated with Windows 11, which can be found here Windows 11 Specs and System Requirements.

    Windows 11 editions

    • Windows 11 is offered in several editions:
      • Windows 11 Home
      • Windows 11 Pro
      • Windows 11 Pro for Workstations
      • Windows 11 Enterprise Windows 11 for Education
      • Windows 11 SE for Education
    • Windows 11 hardware requirements and security features are common throughout all editions.
    • The new look and feel along with all the features mentioned previously are common to all editions as well.
    • Windows Home
      • Standard offering for home users
    • Pro versus Pro for Workstations
      • Windows 11 Pro and Pro for Workstations are both well suited for the business environment with available features such as support for Active Directory or Azure Active Directory, Windows Autopilot, OneDrive for Business, etc.
      • Windows Pro for Workstations is designed for increased demands on the hardware with the higher memory limits (2 TB vs. 6 TB) and processor count (2 CPU vs. 4 CPU).
      • Windows Pro for Workstations also features Resilient File System, Persistent Memory, and SMB Direct. Neither of these features are available in the Windows 11 Pro edition.
      • Windows 11 Pro and Pro for Workstations are both very business focused, although Pro may also be a common choice for non-business users (Home and Education).
    • Enterprise Offerings
      • Enterprise licenses are subscription based and are part of the Microsoft 365 suite of offerings.
      • Windows 11 Enterprise is Windows 11 Pro with some additional addons and functionality in areas such as device management, collaboration, and security services.
      • The level of the Microsoft 365 Enterprise subscription (E3 or E5) would dictate the additional features and functionality, such as the complete Microsoft Defender for Endpoint suite or the Microsoft phone system and Audio Conferencing, which are only available with the E5 subscription.

    Windows 11 Education Editions

    With the release of a laptop targeted specifically at the education market, Microsoft must be taking notice of the Google Chrome educational market penetration, especially with headlines like these.

    “40 Million Chromebooks in Use in Education” (Thurrott)

    “The Unprecedented Growth of the Chromebook Education Market Share” (Carklin)

    “Chromebooks Gain Market Share as Education Goes Online” (Hruska)

    “Chromebooks Gain Share of Education Market Despite Shortages” (Mandaro)

    “Chromebook sales skyrocketed in Q3 2020 with online education fueling demand” (Duke)

    • Education licenses are subscription based and are part of the Microsoft 365 suite of offerings. Educational pricing is one benefit of the Microsoft 365 Education model.
    • Windows 11 Education is Windows 11 Pro with some additional addons and functionality similar to the Enterprise offerings for Windows 11 in areas such as device management, collaboration, and security services. Windows 11 Education also adds some education specific settings such as Classroom Tools, which allow institutions to add new students and their devices to their own environment with fewer issues, and includes OneNote Class Notebook, Set Up School PCs app, and Take a Test app.
    • The level of the Microsoft 365 Education subscription (A3 or A5) would dictate the additional features and functionality, such as the complete Microsoft Defender for Endpoint suite or the Microsoft phone system and Audio Conferencing, which are only available with the A5 subscription.
    • Windows 11 SE for Education:
      • A cloud-first edition of Windows 11 specifically designed for the K-8 education market.
      • Windows 11 SE is a light version of Windows 11 that is designed to run on entry-level devices with better performance and security on that hardware.
      • Windows 11 SE requires Intune for Education and only IT admins can install applications.
    • Microsoft and others have come out with Windows SE specific devices at a low price point.
      • The Microsoft Surface Laptop SE comes pre-loaded with Windows 11 SE and can be purchased for US$249.00.
      • Dell, Asus, Acer, Lenovo, and others also offer Windows 11 SE specific devices (“Devices for Education”).

    Initial Reactions

    Below you can find some actual initial reactions to Windows 11.

    Initial reactions are mixed, as is to be expected with any new release of an operating system. The look and feel is new, but it is not a huge departure from the Windows 10 look and feel. Some new features are well received such as the snap feature.

    The shift of the taskbar (and start button) is the most popular topic of discussion online when it comes to Windows 11 reactions. Some love it and some do not. The best part about the shift of the taskbar is that you can adjust it in settings and move it back to its original location.

    The best thing about reactions is that they garner attention, and thanks in part to all the online reactions and comments, Microsoft is continually improving Windows 11 through quality updates and annual feature releases.

    “My 91-year-old Mum has found it easy!” Binns, Paul ITRG

    “It mostly looks quite nice and runs well.” Jmbpiano, Reddit user

    “It makes me feel more like a Mac user.” Chang, Ben Info-Tech

    “At its core, Windows 11 appears to be just Windows 10 with a fresh coat of paint splashed all over it.” Rouse, Rick RicksDailyTips.com

    “Love that I can snap between different page orientations.” Roberts, Jeremy Info-Tech

    “I finally feel like Microsoft is back on track again.” Jawed, Usama Neowin

    “A few of the things that seemed like issues at first have either turned out not to be or have been fixed with patches.” Jmbpiano, Reddit user

    “The new interface is genuinely intuitive, well-designed, and colorful.” House, Brett AnandTech

    “No issues. Have it out on about 50 stations.” Sandrews1313, Reddit User

    “The most striking change is to the Start menu.” Grabham, Dan pocket-lint.com

    How do I upgrade to Windows 11?

    The process is very similar to applying updates in Windows 10.

    • Windows 11 is offered as an upgrade through the standard Windows 10 update procedure. Windows Update will notify you when the Windows 11 upgrade is ready (assuming your device is eligible for Windows 11).
      • Allow the update (upgrade in this case) to proceed, reboot, and your endpoint will come back to life with Windows 11 installed and ready for you.
    • A fresh install can be delivered by downloading the required Windows 11 installation media from the Microsoft Software Download site for Windows 11.
    • Business users can control the timing and schedule of the Windows 11 rollout to corporate endpoints using Microsoft solutions such as WSUS, Configuration Manager, Intune and Endpoint Manager, or by using other endpoint management solutions.
    • WSUS and Configuration Manager will have to sync the product category for Windows 11 to manage the deployment.
    • Windows Update for Business policies will have to use the target version capability rather than using the feature update referrals alone.
    • Organizations using Intune and a Microsoft 365 E3 license will be able to use the Feature Update Deployments page to select Windows 11.
    • Other modern endpoint management solutions may also allow for a controlled deployment.

    Info-Tech Insight

    The upgrade itself may be a simple process but be prepared for the end-user reactions that will follow. Some will love it but others will despise it. It is not an optional upgrade in the long run, so everyone will have to learn to accept it.

    When can I upgrade to Windows 11?

    You can upgrade right now BUT there is no need to rush. Windows 11 was released in October 2021 but that doesn’t mean you have to upgrade everyone right away. Plan this out.

    • Build deployment rings into your Windows 11 upgrade approach: This approach, also referred to as Canary Releases or deployment rings, allows you to ensure that IT can support users if there's a major problem with the upgrade. Instead of disrupting all end users, you are only disrupting a portion of end users.
      • Deploy the initial update to your test environment.
      • After testing is successful or changes have been made, deploy Windows 11 to your pilot group of users.
      • After the pilot group gives you the thumbs up, deploy to the rest of production in phases. Phases are sometimes by office/location, sometimes by department, sometimes by persona (i.e. defer people that don't handle updates well), and usually by a combination of these factors.
      • Increase the size of each ring as you progress.
    • Always back up your data before any upgrade.

    Deployment Ring Example

    Pilot Ring - Individuals from all departments - 10 users

    Ring #1 - Dev, Finance - 20 Users

    Ring #2 - Research - 100 Users

    Ring #3 - Sales, IT, Marketing - 500 Users

    Upgrade your eligible devices and users to Windows 11

    Build Windows 11 Deployment Rings

    Instructions:

    1. Identify who will be in the pilot group. Use individuals instead of user groups.
    2. Identify how many standard rings you need. This number will be based on the total number of employees per office.
    3. Map groups to rings. Define which user groups will be in each ring.
    4. Allow some time to elapse between upgrades. Allow the first group to work with Windows 11 and identify any potential issues that may arise before upgrading the next group.
    5. Track and communicate. Record all information into a spreadsheet like the one on the right. This will aid in communication and tracking.
    Ring Department or Group Total Users Delay Time Before Next Group
    Pilot Ring Individuals from all departments 10 Three weeks
    Ring 1 Dev Finance 20 Two weeks
    Ring 2 Research 100 One week
    Ring 3 Sales, IT Marketing 500 N/A

    What are my options if my devices cannot upgrade to Windows 11?

    Don’t rush out to replace all the ineligible endpoint devices. You have some time to plan this out. Windows 10 will be available and supported by Microsoft until October 2025.

    Use asset management strategies and budget techniques in your Windows 11 upgrade approach:

    • Start with current inventory and determine which devices will not be eligible for upgrade to Windows 11.
    • Prioritize the devices for replacement, taking device age, the role of the user the device supports, and delivery times for remote users into consideration.
    • Take this opportunity to review overall device offerings and end-user compute strategy. This will help decide which devices to offer going forward while improving end-user satisfaction.
    • Determine the cost for replacement devices:
      • Compare vendor offerings using an RFP process.
    • Use the hardware asset management planning spreadsheet on the next slide to budget for the replacements over the coming months leading up to October 2025.

    Leverage Info-Tech research to improve your end-user computing strategy and hardware asset management processes:

    New to End User Computing Strategies? Start with Modernize and Transform Your End-User Computing Strategy.

    New to IT asset management? Use Info-Tech’s Implement Hardware Asset Management blueprint.

    Use Info-Tech’s HAM Budgeting Tool to plan your hardware asset budget

    Build a Windows 11 Device Replacement Budget

    The link below will open up a hardware asset management (HAM) budgeting tool. This tool can easily be modified to assist in developing and justifying the budget for hardware assets for the Windows 11 project. The tool will allow you to budget for hardware asset refresh and to adjust the budget as needed to accommodate any changes. Follow the instructions on each tab to complete the tool.

    A sample of a possible Windows 11 budgeting spreadsheet is shown on the right, but feel free to play with the HAM budgeting tool to fit your needs.

    HAM Budgeting Tool

    Windows 11 Replacement Schedule
    2022 2023 2024 2025
    Department Total to replace Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Left to allocate
    Finance 120 20 20 20 10 10 20 20 0
    HR 28 15 13 0
    IT 30 15 15 0
    Research 58 8 15 5 20 5 5 0
    Planning 80 10 15 15 10 15 15 0
    Other 160 5 30 5 15 15 30 30 30 0
    Totals 476 35 38 35 35 35 35 38 35 50 35 35 35 35 0

    Related Info-Tech Research

    Modernize and Transform Your End-User Computing Strategy

    This project helps support the workforce of the future by answering the following questions: What types of computing devices, provisioning models, and operating systems should be offered to end users? How will IT support devices? What are the policies and governance surrounding how devices are used? What actions are we taking and when? How do end-user devices support larger corporate priorities and strategies?

    Implement Hardware Asset Management

    This project will help you analyze the current state of your HAM program, define assets that will need to be managed, and build and involve the ITAM team from the beginning to help embed the change. It will also help you define standard policies, processes, and procedures for each stage of the hardware asset lifecycle, from procurement through to disposal.

    Bibliography

    aczechowski, et al. “Windows 11 Requirements.” Microsoft, 3 June 2022. Accessed 13 June 2022.

    Binns, Paul. Personal interview. 07 June 2022.

    Butler, Sydney. “What Is Trusted Platform Module (TPM) and How Does It Work?” Help Desk Geek, 5 August 2021. Accessed 18 May 2022.

    Carklin, Nicolette. “The Unprecedented Growth of the Chromebook Education Market Share.” Parallels International GmbH, 26 October 2021. Accessed 19 May 2022.

    Chang, Ben. Personal interview. 26 May 2022.

    Cunningham, Andrew. “Why Windows 11 has such strict hardware requirements, according to Microsoft.” Ars Technica, 27 August 2021. Accessed 19 May 2022.

    Dealnd-Han, et al. “Windows Processor Requirements.” Microsoft, 9 May 2022. Accessed 18 May 2022.

    “Desktop Operating Systems Market Share Worldwide.” Statcounter Globalstats, June 2021–June 2022. Accessed 17 May 2022.

    “Devices for education.” Microsoft, 2022. Accessed 13 June 2022.

    Duke, Kent. “Chromebook sales skyrocketed in Q3 2020 with online education fueling demand.” Android Police, 16 November 2020. Accessed 18 May 2022.

    Grabham, Dan. “Windows 11 first impressions: Our initial thoughts on using Microsoft's new OS.” Pocket-Lint, 24 June 2021. Accessed 3 June 2022.

    Hachman, Mark. “Why is there a Windows 11 if Windows 10 is the last Windows?” PCWorld, 18 June 2021. Accessed 17 May 2022.

    Howse, Brett. “What to Expect with Windows 11: A Day One Hands-On.” Anandtech, 16 November 2020. Accessed 3 June 2022.

    Hruska, Joel. “Chromebooks Gain Market Share as Education Goes Online.” Extremetech, 26 October 2020. Accessed 19 May 2022.

    Jawed, Usama. “I am finally excited about Windows 11 again.” Neowin, 26 February 2022. Accessed 3 June 2022.

    Jmbpiano. “Windows 11 - What are our initial thoughts and feelings?” Reddit, 22 November 2021. Accessed 3 June 2022.

    Lumunge, Erick. “UEFI and Legacy boot.” OpenGenus, n.d. Accessed 18 May 2022.

    Bibliography

    Mandaro, Laura. “Chromebooks Gain Share of Education Market Despite Shortages.” The Information, 9 September 2020. Accessed 19 May 2022.

    Murtaza, Fawad. “What Is Virtualization Based Security in Windows?” Valnet Inc, 24 October 2021. Accessed 17 May 2022.

    Roberts, Jeremy. Personal interview. 27 May 2022.

    Rouse, Rick. “My initial thoughts about Windows 11 (likes and dislikes).” RicksDailyTips.com, 5 September 2021. Accessed 3 June 2022.

    Sandrews1313. “Windows 11 - What are our initial thoughts and feelings?” Reddit, 22 November 2021. Accessed 3 June 2022.

    “The Matrix Quotes." Quotes.net, n.d. Accessed 18 May 2022.

    Thurrott, Paul.” Google: 40 Million Chromebooks in Use in Education.” Thurrott, 21 January 2020. Accessed 18 May 2022.

    Vaughan-Nichols, Steven J. “The real reason for Windows 11.” Computerworld, 6 July 2021, Accessed 19 May 2022.

    “Virtual Machine Support.” Microsoft,3 June 2022. Accessed 13 June 2022.

    “What are DirectX 12 compatible graphics and WDDM 2.x.” Wisecleaner, 20 August 2021. Accessed 19 May 2022.

    “Windows 11 Specs and System Requirements.” Microsoft, 2022. Accessed 13 June 2022.

    “Windows Display Driver Model.” MiniTool, n.d. Accessed 13 June 2022.

    Build a Vendor Security Assessment Service

    • Buy Link or Shortcode: {j2store}318|cart{/j2store}
    • member rating overall impact: 9.0/10 Overall Impact
    • member rating average dollars saved: $17,501 Average $ Saved
    • member rating average days saved: 17 Average Days Saved
    • Parent Category Name: Threat Intelligence & Incident Response
    • Parent Category Link: /threat-intelligence-incident-response
    • Vendor security risk management is a growing concern for many organizations. Whether suppliers or business partners, we often trust them with our most sensitive data and processes.
    • More and more regulations require vendor security risk management, and regulator expectations in this area are growing.
    • However, traditional approaches to vendor security assessments are seen by business partners and vendors as too onerous and are unsustainable for information security departments.

    Our Advice

    Critical Insight

    • An efficient and effective assessment process can only be achieved when all stakeholders are participating.
    • Security assessments are time-consuming for both you and your vendors. Maximize the returns on your effort with a risk-based approach.
    • Effective vendor security risk management is an end-to-end process that includes assessment, risk mitigation, and periodic re-assessments.

    Impact and Result

    • Develop an end-to-end security risk management process that includes assessments, risk treatment through contracts and monitoring, and periodic re-assessments.
    • Base your vendor assessments on the actual risks to your organization to ensure that your vendors are committed to the process and you have the internal resources to fully evaluate assessment results.
    • Understand your stakeholder needs and goals to foster support for vendor security risk management efforts.

    Build a Vendor Security Assessment Service Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should build a vendor security assessment service, review Info-Tech’s methodology, and understand the three ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Define governance and process

    Determine your business requirements and build your process to meet them.

    • Build a Vendor Security Assessment Service – Phase 1: Define Governance and Process
    • Vendor Security Policy Template
    • Vendor Security Process Template
    • Vendor Security Process Diagram (Visio)
    • Vendor Security Process Diagram (PDF)

    2. Develop assessment methodology

    Develop the specific procedures and tools required to assess vendor risk.

    • Build a Vendor Security Assessment Service – Phase 2: Develop Assessment Methodology
    • Service Risk Assessment Questionnaire
    • Vendor Security Questionnaire
    • Vendor Security Assessment Inventory

    3. Deploy and monitor process

    Implement the process and develop metrics to measure effectiveness.

    • Build a Vendor Security Assessment Service – Phase 3: Deploy and Monitor Process
    • Vendor Security Requirements Template
    [infographic]

    Workshop: Build a Vendor Security Assessment Service

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Define Governance and Process

    The Purpose

    Understand business and compliance requirements.

    Identify roles and responsibilities.

    Define the process.

    Key Benefits Achieved

    Understanding of key goals for process outcomes.

    Documented service that leverages existing processes.

    Activities

    1.1 Review current processes and pain points.

    1.2 Identify key stakeholders.

    1.3 Define policy.

    1.4 Develop process.

    Outputs

    RACI Matrix

    Vendor Security Policy

    Defined process

    2 Define Methodology

    The Purpose

    Determine methodology for assessing procurement risk.

    Develop procedures for performing vendor security assessments.

    Key Benefits Achieved

    Standardized, repeatable methodologies for supply chain security risk assessment.

    Activities

    2.1 Identify organizational security risk tolerance.

    2.2 Develop risk treatment action plans.

    2.3 Define schedule for re-assessments.

    2.4 Develop methodology for assessing service risk.

    Outputs

    Security risk tolerance statement

    Risk treatment matrix

    Service Risk Questionnaire

    3 Continue Methodology

    The Purpose

    Develop procedures for performing vendor security assessments.

    Establish vendor inventory.

    Key Benefits Achieved

    Standardized, repeatable methodologies for supply chain security risk assessment.

    Activities

    3.1 Develop vendor security questionnaire.

    3.2 Define procedures for vendor security assessments.

    3.3 Customize the vendor security inventory.

    Outputs

    Vendor security questionnaire

    Vendor security inventory

    4 Deploy Process

    The Purpose

    Define risk treatment actions.

    Deploy the process.

    Monitor the process.

    Key Benefits Achieved

    Understanding of how to treat different risks according to the risk tolerance.

    Defined implementation strategy.

    Activities

    4.1 Define risk treatment action plans.

    4.2 Develop implementation strategy.

    4.3 Identify process metrics.

    Outputs

    Vendor security requirements

    Understanding of required implementation plans

    Metrics inventory

    Build a Zero Trust Roadmap

    • Buy Link or Shortcode: {j2store}253|cart{/j2store}
    • member rating overall impact: 9.3/10 Overall Impact
    • member rating average dollars saved: $48,932 Average $ Saved
    • member rating average days saved: 42 Average Days Saved
    • Parent Category Name: Security Strategy & Budgeting
    • Parent Category Link: /security-strategy-and-budgeting
    • Many IT and security leaders struggle to understand zero trust and how best to deploy it with their existing IT resources.
    • The need to move from a perimeter-based approach to security toward an “Always Verify” approach is clear. The path to getting there is complex and expensive.
    • Zero trust as a principle is a moving target due to competing definitions and standards. A strategy that adapts evolving best practices must be supported by business stakeholders.
    • Full zero trust includes many components. Performing an accurate assessment of readiness and benefits to adopt zero trust can be extremely difficult when you don’t know where to start.

    Our Advice

    Critical Insight

    Apply zero trust to key protect surfaces. A successful zero trust strategy should evolve through an iterative and repeatable process by assessing the full spectrum of available technologies to apply zero trust principles to the most relevant protect surfaces.

    Impact and Result

    Every organization should have a zero trust strategy and the roadmap to deploy it must always be tested and refined. Our unique approach:

    • Assess resources and determine zero trust readiness.
    • Prioritize initiatives and build out roadmap.
    • Deploy zero trust and monitor with zero trust progress metrics.

    Build a Zero Trust Roadmap Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build a Zero Trust Roadmap Deck – The purpose of the storyboard is to provide a detailed description of the steps involving in building a roadmap for implementing zero trust.

    The storyboard contains five easy-to-follow steps on building a roadmap for implementing zero trust, from aligning initiatives to business goals to establishing metrics for measuring the progress and effectiveness of a zero trust implementation.

    • Build a Zero Trust Roadmap – Phases 1-5

    2. Zero Trust Protect Surface Mapping Tool – A tool to identify key protect surfaces and map them to business goals.

    Use this tool to develop your zero trust strategy by having it focus on key protect surfaces that are aligned to the goals of the business.

    • Zero Trust Protect Surface Mapping Tool

    3. Zero Trust Program Gap Analysis Tool – A tool to perform a gap analysis between the organization's current implementation of zero trust controls and its desired target state and to build a roadmap to achieve the target state.

    Use this tool to develop your zero trust strategy by creating a roadmap that is aligned with the current state of the organization when it comes to zero trust and its desired target state.

    • Zero Trust Program Gap Analysis Tool

    4. Zero Trust Candidate Solutions Selection Tool – A tool to identify and evaluate solutions for identified zero trust initiatives.

    Use this tool to develop your zero trust strategy by identifying the best solutions for zero trust initiatives.

    • Zero Trust Candidate Solutions Selection Tool

    5. Zero Trust Progress Monitoring Tool – A tool to identify metrics to measure the progress and efficiency of the zero trust implementation.

    Use this tool to develop your zero trust strategy by identifying metrics that will allow the organization to monitor how the zero trust implementation is progressing, and whether it is proving to be effective.

    • Zero Trust Progress Monitoring Tool

    6. Zero Trust Communication Deck – A template to present the zero trust template to key stakeholders.

    Use this template to present the zero trust strategy and roadmap to ensure all key elements are captured.

    • Zero Trust Communication Deck

    Infographic

    Workshop: Build a Zero Trust Roadmap

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Define Business Goals and Protect Surfaces

    The Purpose

    Align business goals to protect surfaces.

    Key Benefits Achieved

    A better understanding of how business goals can map to key protect surfaces and their associated DAAS elements.

    Activities

    1.1 Understand business and IT strategy and plans.

    1.2 Define business goals.

    1.3 Identify five critical protect surfaces and their associated DAAS elements.

    1.4 Map business goals and protect surfaces.

    Outputs

    Mapping of business goals to key protect surfaces and their associated DAAS elements.

    2 Begin Gap Analysis

    The Purpose

    Identify and define zero trust initiatives.

    Key Benefits Achieved

    A list of zero trust initiatives to be prioritized and set into a roadmap.

    Activities

    2.1 Assess current security capabilities and define the zero trust target state for a set of controls.

    2.2 Identify tasks to close maturity gaps.

    2.3 Assign tasks to zero trust initiatives.

    Outputs

    Security capabilities current state assessment

    Zero trust target state

    Tasks to address maturity gaps

    3 Complete Gap Analysis

    The Purpose

    Complete the zero trust gap analysis and prioritize zero trust initiatives.

    Key Benefits Achieved

    A prioritized list of zero trust initiatives aligned to business goals and key protect surfaces.

    Activities

    3.1 Align initiatives to business goals and key protect surfaces.

    3.2 Conduct cost/benefit analysis on zero trust initiatives.

    3.3 Prioritize initiatives.

    Outputs

    Zero trust initiative list mapped to business goals and key protect surfaces

    Prioritization of zero trust initiatives

    4 Finalize Roadmap and Formulate Policies

    The Purpose

    Finalize the zero trust roadmap and begin to formulate zero trust policies for roadmap initiatives.

    Key Benefits Achieved

    A zero trust roadmap of prioritized initiatives.

    Activities

    4.1 Define solution criteria.

    4.2 Identify candidate solutions.

    4.3 Evaluate candidate solutions.

    4.4 Finalize roadmap.

    4.5 Formulate policies for critical DAAS elements.

    4.6 Establish metrics for high-priority initiatives.

    Outputs

    Zero trust roadmap

    Zero trust policies for critical protect surfaces

    Method for defining zero trust policies for candidate solutions

    Metrics for high-priority initiatives

    Further reading

    Build a Zero Trust Roadmap

    Leverage an iterative and repeatable process to apply zero trust to your organization.

    EXECUTIVE BRIEF

    Analyst Perspective

    Internet is the new corporate network.

    For the longest time we have focused on reducing the attack surface to deter malicious actors from attacking organizations, but I dare say that has made these actors scream “challenge accepted.” With sophisticated tools, time, and money in their hands, they have embarrassed even the finest of organizations. A popular hybrid workforce and rapid cloud adoption have introduced more challenges for organizations, as the security and network perimeter have shifted and the internet is now the corporate network. Suffice it to say that a new mindset needs to be adopted to stay on top of the game.

    The success of most attacks is tied to denial of service, data exfiltration, and ransom. A shift from focusing on the attack surface to the protect surface will help organizations implement an inside-out architecture that protects critical infrastructure, prevents the success of any attack, makes it difficult to gain access, and links directly to business goals.

    Zero trust principles aid that shift across several pillars (Identity, Device, Application, Network, and Data) that make up a typical infrastructure; hence, the need for a zero trust roadmap to accomplish that which we desire for our organization.

    Victor Okorie
    Senior Research Analyst, Security and Privacy
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • Many IT and security leaders struggle to understand zero trust and how best to deploy it with their existing IT resources.
    • The need to move from a perimeter-based approach to security toward an “Always Verify” approach is clear. The path to getting there is complex and expensive.

    Common Obstacles

    • Zero trust as a principle is a moving target due to competing definitions and standards. A strategy that adapts evolving best practices must be supported by business stakeholders.
    • Full zero trust includes many components. Performing an accurate assessment of readiness and benefits to adopt zero trust can be extremely difficult when you don’t know where to start.

    Info-Tech’s Approach

    • Every organization should have a zero trust strategy and the roadmap to deploy it must always be tested and refined.
    • Our unique approach:
      • Assess resources and determine zero trust readiness.
      • Address barriers and identify enablers.
      • Prioritize initiatives and build out roadmap.
      • Identify most appropriate vendors via vendor selection framework.
      • Deploy zero trust and monitor with zero trust progress metrics.

    Info-Tech Insight

    A successful zero trust strategy should evolve through an iterative and repeatable process by assessing the full spectrum of available technologies to apply zero trust principles to the most relevant protect surfaces.

    Your challenge

    This research is designed to help organizations:

    • Understand what zero trust is and decide how best to deploy it with their existing IT resources. Zero trust is a set of principles that defaults to the highest level of security; a failed implementation can easily disrupt the business. A pragmatic zero trust implementation must be flexible and adaptable yet maintain a consistent level of protection.
    • Move from a perimeter-based approach to security toward an “Always Verify” approach. The path to getting there is complex without a clear understanding of desired outcomes. Focusing efforts on key protection gaps and leveraging capable controls in existing architecture allows for a repeatable process that carries IT, security, and the business along on the journey.

    On this zero trust journey, identify your valuable assets and zero trust controls to protect them.

    Top three reasons for building a zero trust strategy

    44%

    Reduce attacker’s ability to move laterally

    44%

    Enforce least privilege access to critical resources

    41%

    Reduce enterprise attack surface

    Common obstacles

    These barriers make this challenge difficult to address for many organizations:

    • Due to zero trust’s many components, performing an accurate assessment of readiness and benefits to adopt zero trust can be extremely difficult when you don’t know where to start.
      • To feel ready to implement and to understand the benefits of zero trust, IT must first understand what zero trust means to the organization.
    • Zero trust as a set of principles is a moving target, with many developing standards and competing technology definitions. A strategy built around evolving best practices must be supported by related business stakeholders.
      • To ensure support, IT must be able to “sell” zero trust to business stakeholders by illustrating the value zero trust can bring to business objectives.

    43%

    Organizations with a full implementation of zero trust saved 43% on the costs of data breaches.
    (Source: Teramind, 2021)

    96%

    Zero trust is considered key to the success of 96% of organizations in a survey conducted by Microsoft.
    (Source: Microsoft, 2021)

    What is zero trust?

    It depends on who you ask…

    • Vendors use zero trust as a marketing buzzword.
    • Organizations try to comprehend zero trust in their own limited views.
    • Zero trust regulations/standards are still developing.

    “A cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated.”

    Source: NIST, SP 800-207: Zero Trust Architecture, 2020

    “An evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.”

    Source: DOD, Zero Trust Reference Architecture, 2021

    “A security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries.”

    Source: NSA, Embracing a Zero Trust Security Model, 2021

    “Zero trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.”

    Source: CISA, Zero Trust Maturity Model, 2021

    “The foundational tenet of the zero trust model is that no actor, system, network, or service operating outside or within the security perimeter is trusted.”

    Source: OMB, Moving the U.S. Government Toward Zero Trust Cybersecurity Principles, 2022

    What is zero trust?

    From Theoretical to Practical

    Zero trust is an ideal in the literal sense of the word, because it is a standard defined by its perfection. Just as nothing in life is perfect, there is no measure that determines an organization is absolutely zero trust. The best organizations can do is improve their security iteratively and get as close to ideal as possible.

    In the most current application of zero trust in the enterprise, a zero trust strategy applies a set of principles, including least-privilege access and per-request access enforcement, to minimize compromise to critical assets. A zero trust roadmap is a plan that leverages zero trust concepts, considers relationships between technical elements as well as security solutions, and applies consistent access policies to minimize areas of exposure.

    Zero Trust; Identity; Workloads & Applications; Network; Devices; Data

    Info-Tech Insight

    Solutions offering zero trust often align with one of five pillars. A successful zero trust implementation may involve a combination of solutions, each protecting the various data, application, assets, and/or services elements in the protect surface.

    Zero trust business benefits

    Reduce business and organizational risk

    Reduced business risks as continuous verification of identity, devices, network, applications, and data is embedded in the organizations practice.

    36% of data breaches involved internal actors.
    Source: Verizon, 2021

    Reduce CapEx and OpEx

    Reduced CapEx and OpEx due to the scalability, low staffing requirement, and improved time-to-respond to threats.
    Source: SecurityBrief - Australia, 2020.

    Reduce scope and cost of compliance

    Helps achieve compliance with several privacy standards and regulations, improves maturity for cyber insurance premium, and fewer gaps during audits.

    Scope of compliance reduced due to segmentation.

    Reduce risk of data breach

    Reduced risk of data breach in any instance of a malicious attack as there’s no lateral movement, secure segment, and improved visibility.

    10% Increase in data breach costs; costs went from $3.86 million to $4.24 million.
    Source: IBM, 2021

    This is an image of a thought map detailing Info-Tech's Build A Zero Trust Roadmap.  The main headings are: Define; Design; Develop; Monitor

    Info-Tech’s methodology for Building a Zero Trust Roadmap

    1. Define Business Goals and Protect Surfaces

    2. Assess Key Capabilities and Identify Zero Trust Initiatives

    3. Evaluate Candidate Solutions and Finalize Roadmap

    4. Formulate Policies for Roadmap Initiatives

    5. Monitor the Zero Trust Roadmap Deployment

    Phase Steps

    Define business goals

    Identify critical DAAS elements

    Map business goals to critical DAAS elements

    1. Review the Info-Tech framework
    2. Assess current capabilities and define the zero trust target state
    3. Identify tasks to close gaps
    4. Define tasks and initiatives
    5. Align initiatives to business goals and protect surfaces
    1. Define solution criteria
    2. Identify candidate solutions
    3. Evaluate candidate solutions
    4. Perform cost/benefit analysis
    5. Prioritize initiatives
    6. Finalize roadmap
    1. Formulate policies for critical DAAS elements
    2. Formulate policies to secure a path to access critical DAAS elements
    1. Establish metrics for roadmap tasks
    2. Track and report metrics
    3. Build a communication deck

    Phase Outcomes

    Mapping of business goals to protect surfaces

    Gap analysis of security capabilities

    Evaluation of candidate solutions and a roadmap to close gaps

    Method for defining zero trust policies for candidate solutions

    Metrics for measuring the progress and efficiency of the zero trust implementation

    Protect what is relevant

    Apply zero trust to key protect surfaces

    A successful zero trust strategy should evolve through an iterative and repeatable process by assessing the full spectrum of available technologies to apply zero trust principles to the most relevant protect surfaces.

    Align protect surfaces to business objectives

    Developing a zero trust roadmap collaboratively with business stakeholders enables alignment with upcoming business priorities and industry trends.

    Identify zero trust capabilities

    Deriving protect surface elements from business goals reframes how security controls are applied. Assess control effectiveness in this context and identify zero trust capabilities to close any gaps.

    Roadmap first, not solution first

    Don’t let your solution dictate your roadmap. Define your zero trust solution criteria before engaging in vendor selection.

    Create enforceable policies

    The success of a zero trust implementation relies on consistent enforcement. Applying the Kipling methodology to each protect surface is the best way to design zero trust policies.

    Success should benefit the organization

    To measure the efficacy of a zero trust implementation, ensure you know what a successful zero trust implementation means for your organization, and define metrics that demonstrate whether that success is being realized.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Key deliverable:

    Zero Trust Communication Deck

    Present your zero trust strategy in a prepopulated document that summarizes the work you have completed as a part of this blueprint.

    Zero Trust Protect Surface Mapping Tool

    Identify critical and vulnerable DAAS elements to protect and align them to business goals.

    Zero Trust Program Gap Analysis Tool

    Perform a gap analysis between current and target states to build a zero trust roadmap.

    Zero Trust Candidate Solutions Selection Tool

    Determine and evaluate candidate solutions based on defined criteria.

    Zero Trust Progress Monitoring Tool

    Develop metrics to track the progress and efficiency of the organization’s zero trust implementation.

    Blueprint benefits

    IT Benefits

    • A mapped transaction flow of critical and vulnerable assets and visibility of where to implement security controls that aligns with the principle of zero trust.
    • Improved security posture across the digital attack surface while focusing on the protect surface.
    • An inside-out architecture that leverages current existing architecture to tighten security controls, is automated, and gives granular visibility.

    Business Benefits

    • Reduced business risks as continuous verification of identity, devices, network, applications, and data is embedded in the organization’s practice.
    • Reduced CapEx and OpEx due to the scalability, low staffing requirement, and improved time-to-respond to threats.
    • Helps achieve compliance with several privacy standards and regulations, improves maturity for cyber insurance premium, and fewer gaps during audits.
    • Reduced risk of data breach in any instance of a malicious attack.

    Measure the value of this blueprint

    Save an average of $1.76 million dollars in the event of a data breach

    • This research set seeks to help organizations develop a mature zero trust implementation which, according to IBM’s “Cost of a Data Breach 2021 Report,” saves organizations an average of $1.76 million in the event of a data breach.
    • Leverage phase 5 of this research to develop metrics to track the implementation progress and efficacy of zero trust tasks.

    43%

    Organizations with a mature implementation of zero trust saved 43%, or $1.76 million, on the costs of data breaches.
    Source: IBM, 2021

    In phase 2 of this blueprint, we will help you establish zero trust implementation tasks for your organization.

    In phase 3, we will help you develop a game plan and a roadmap for implementing those tasks.

    This image contains a screenshot info-tech's methodology for building a zero-trust roadmap, discussed earlier in this blueprint

    Executive Brief Case Study

    National Aeronautics and Space Administration (NASA)

    INDUSTRY: Government

    SOURCE: Zero Trust Architecture Technical Exchange Meeting

    NASA recognized the potential benefits of both adopting a zero trust architecture (including aligning with OMB FISMA and DHS CDM DEFEND) and improving NASA systems, especially those related to user experience with dynamic access, application security with sole access from proxy, and risk-based asset management with trust score. The trust score is continually evaluated from a combination of static factors, such as credential and biometrics, and dynamic factors, such as location and behavior analytics, to determine the level of access. The enhanced access mechanism is projected on use-case flows of users and external partners to analyze the required initiatives.

    The lessons learned in adapting zero trust were:

    • Focus on access to data, assets, applications, and services; and don’t select solutions or vendors too early.
    • Provide support for mobile and external partners.
    • Complete zero trust infrastructure and services design with holistic risk-based management, including network access control with software-defined networking and an identity management program.
    • Develop a zero trust strategy that aligns with mission objectives.

    Results

    NASA implemented zero trust architecture by leveraging the agency existing components on a roadmap with phases related to maturity. The initial development includes privileged access management, security user behavior analytics, and a proof-of-concept lab for evaluating the technologies.
    Case Study Source: NASA, “Planning for a Zero Trust Architecture Target State,” 2019

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1 Phase 2 Phase 3 Phase 4 Phase 5
    Call #1:
    Scope requirements, objectives, and your specific challenges.

    Call #3:
    Define current security capabilities and zero trust target state.

    Call #5:

    Identify and evaluate solution criteria.

    Call #7:
    Create a process for formulating zero trust policies.

    Call #8:
    Establish metrics for assessing the implementation and effectiveness of zero trust.

    Call #2:
    Identify business goals and protect surfaces.

    Call #4:
    Identify gap-closing tasks and assign to zero trust initiatives.

    Call #6:
    Prioritize zero trust initiatives.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
    A typical GI is between 8 to 12 calls over the course of 2 to 4 months.

    Workshop Overview

    Contact your account representative for more information.workshops@infotech.com 1-888-670-8889

    Day 1 Day 2 Day 3 Day 4 Day 5

    Define Business Goals and Protect Surfaces

    Begin Gap Analysis

    Complete Gap Analysis

    Finalize Roadmap and Formulate Policies

    Next Steps and
    Wrap-Up (offsite)

    Activities

    1.1 Understand business and IT strategy and plans.

    1.2 Define business goals.

    1.3 Identify five critical protect surfaces and their associated DAAS elements.

    1.4 Map business goals and protect surfaces.

    2.1 Assess current security capabilities and define the zero Trust target state for a set of controls.

    2.2 Identify tasks to close maturity gaps.

    2.3 Assign tasks to zero trust initiatives.

    3.1 Align initiatives to business goals and key protect surfaces.

    3.2 Conduct cost/benefit analysis on zero trust initiatives.

    3.3 Prioritize initiatives.

    4.1 Define solution criteria.

    4.2 Identify candidate solutions.

    4.3 Evaluate candidate solutions.

    4.4 Finalize roadmap.

    4.5 Formulate policies for critical DAAS elements.

    4.6 Establish metrics for high-priority initiatives.

    5.1 Complete in-progress deliverables from previous four days.

    5.2 Set up review time for workshop deliverables and to discuss next steps.

    Deliverables
    1. 1.Mapping of business goals to key protect surfaces and their associated DAAS elements
    1. Security capabilities current state assessment
    2. Zero trust target state
    3. Tasks to address maturity gaps
    1. Zero trust initiative list mapped to business goals and key protect surfaces
    2. Prioritization of zero trust initiatives
    1. Zero trust roadmap
    2. Zero trust policies for critical protect surfaces
    3. Method for defining zero trust policies for candidate solutions
    4. Metrics for high-priority initiatives
    1. Zero trust roadmap documentation
    2. Mapping of Info-Tech resources against individual initiatives

    Phase 1

    Define Business Objectives and Protect Surfaces

    Build a Zero Trust Roadmap

    This phase will walk you through the following activities:

    • Identify and define the business goals.
    • Identify the critical DAAS elements and protect surface.
    • Align the business goals to the protect surface and critical DAAS elements.

    This phase involves the following participants:

    • Security Team
    • Business Executives
    • Subject Matter Experts From IT, Finance, HR, Legal, Facilities, Compliance, Audit, Risk Management

    Analyze your business goals

    Identifying business goals is the first step in aligning your zero trust roadmap with your business’ vision.

    • Security leaders need to understand the direction the business is headed in.
    • Wise security investments depend on aligning your security initiatives to business objectives.
    • Zero trust, and information security at large, should contribute to your organization’s business objectives by supporting operational performance, ensuring brand protection and shareholder value.
      • For example, if the organization is working on a new business initiative that requires the handling of credit card payments, the security organization needs to know as soon as possible to ensure the zero trust architecture will be extended to protect the PCI data and enable the organization to be PCI compliant.

      Info-Tech Insight

      Security and the business need to be in alignment when implementing zero trust. Defining the business goal helps rationalize the need for a zero trust implementation.

    1.1 Define your organization’s business goals

    Estimated time 1-3 hours

    1. As a group, brainstorm the business goals of the organization.
    2. Review relevant business and IT strategies.
    3. Review the business goal definitions in tab “2. Business Objectives” of the Zero Trust Protect Surface Mapping Tool, including the key goal indicator metrics.
    4. Record the most important business goals in the Business Goal column on tab “3. Protect Surfaces” of the Zero Trust Protect Surface Mapping Tool. Try to limit the number of business goals to no more than five primary goals. This limitation will be critical to help map the protect surface and the zero trust roadmap later.

    Input

    • Business and IT strategies

    Output

    • Prioritized list of business objectives

    Materials

    • Whiteboard/Flip Charts
    • Zero Trust Protect Surface Mapping Tool

    Participants

    • Security Team
    • IT Leadership
    • Business Stakeholders
    • Risk Management
    • Compliance
    • Legal

    Download the Zero Trust Protect Surface Mapping Tool

    Info-Tech Insight

    Developing a zero trust roadmap collaboratively with business stakeholders enables alignment with upcoming business priorities and industry trends.

    What does zero trust mean for you?

    For a successful implementation, focus on your zero trust outcome.

    This image describes the Who, What, When, Where, Why, and How for Zero Trust.

    Regardless of whether the user is accessing resources internally or externally, zero trust is posed to authenticate, authorize, and continuously verify the security policies and posture before access is granted or denied. Many network architecture can be local, cloud based, or hybrid and with users working from any location, there is no network perimeter as we knew it and the internet is now the corporate network.

    Zero trust framework seeks to extend the perimeter-less security to the present digital transformation.

    Understand protect surface

    Data, Application, Asset, and Services

    A protect surface can be described as what’s critical, most vulnerable, or most valuable to your organization. This protect surface could include at least one of the following – data, assets, applications, and services (DAAS) – that requires protection. This is also the area that zero trust policy is aimed to protect. Understanding what your protect surface is can help channel the required energy into protecting that which is crucial to the business, and this aligns with the shift from focusing on the attack surface to narrowing it down to a smaller and achievable area of protection.

    Anything and everything that connects to the internet is a potential attack surface and pursuing every loophole will leave us one step behind due to lack of resources. Since a protect surface contains one or more DAAS element, the micro-perimeter is created around it and the appropriate protection is applied around it. As a team, we can ask ourselves this question when thinking of our protect surface: to what degree does my organization want me to secure things? The knowledge of the answer to this question can be tied to the risk tolerance level of the organization and it is only fair for us to engage the business in identifying what the protect surface should be.

    Components of a protect surface

    • Data
    • Application
    • Asset
    • Services

    Info-Tech Insight

    The protect surface is a shift from focusing on the attack surface. DAAS elements show where the initiatives and controls associated with the zero trust pillars (Identity, Devices, Network, Application, and Data) need to be applied.

    Sample Scenario

    INDUSTRY: Healthcare

    SOURCE: Info-Tech Research Group

    Illustration

    A healthcare provider would consider personal health information a critical resource worthy of being protected against data exfiltration due to a host of reasons including but not limited to privacy regulations, loss of revenue, legal, and reputational loss; hence, this would be considered a protect surface.

    • What is the data that can’t be risked exfiltrated?
    • What application(s) is used to access this data?
    • What assets are used to generate and store the data?
    • What are the services we rely on to be able to access the data?

    DAAS Element

    • The data here is the patient information.
    • The application used to access the personal health information would be EPIC, OR list, and any other application used in that organization.
    • The assets used to store the data and generate the PHI would include physical workstations, medical scanners, etc.
    • The services that can be exploited to disrupt the operation or used to access the data would include active directory, single sign-on, etc.

    DAAS and Zero Trust Pillar

    This granular identification provides an opportunity to not only see what the protect surface and DAAS elements are but also understand where to apply security controls that align with the principle of zero trust as well as how the transaction flows. The application pillar initiatives will provide protection to the EPIC application and the device pillar initiatives will provide protection to the workstations and physical scanners. The identity pillar initiatives will apply protection to the active directory, and single sign-on services. The zero trust pillar initiatives align with the protection of the DAAS elements.

    Shift from attack surface to protect surface

    This image contains a screenshot of the thought map: Shift from attack surface to protect surface.  Go from complex to a micro perimeter approach.

    Info-Tech Insight

    The protect surface is a shift from focusing on the attack surface as it creates a micro-perimeter for the application of zero trust policies on the system. This drastically reduces the success of an attack whether internally or externally, reduces the attack surface, and is also repeatable.

    1.2 Identify critical DAAS elements

    Estimated time 1-3 hours

    1. As a group, brainstorm and identify critical, valuable, sensitive assets or resources requiring high availability in the organization. Each DAAS element is part of a protect surface, or sometimes, the DAAS element itself is a protect surface.
    • Data – The sensitive data that poses the greatest risk if exfiltrated or misused. What data needs to be protected?
    • Applications – The applications that use sensitive data or control critical assets. Which applications are critical for your business functions?
    • Assets – Physical or virtual assets, including an organization’s information technology (IT), operational technology (OT), or Internet of Things devices.
    • Services – The services an organization most depends on. Services that can be exploited to disrupt normal IT or business operations.
  • Record the critical DAAS elements and protect surface in their respective columns of the Zero Trust Protect Surface Mapping Tool. Try to limit the number of business goals to no more than five primary protect surfaces to match with the business goals.
  • Download the Zero Trust Protect Surface Mapping Tool

    Input

    • Critical resources to protect
    • Understanding of how they interoperate or connect

    Output

    • Protect surfaces

    Materials

    • Whiteboard/Flip Charts
    • Zero Trust Protect Surface Mapping Tool

    Participants

    • Security Team
    • IT Leadership
    • Business Stakeholders

    1.3 Map business goals to critical DAAS elements

    Estimated time 1-2 hours

    1. The protect surface will be generated from the critical DAAS elements as a standalone protect surface or a group of interconnected DAAS elements merged into one.
    • Each protect surface can be tied back to a business objective.
  • Select from the drop-down list of business objectives the option that fits the identified protect surface as it relates to the organization.
    • Type in your business objectives if the drop-down list does not apply.

    Download the Zero Trust Protect Surface Mapping Tool

    This image contains a screenshot from the Zero Trust Protect Surface Mapping Tool, with the following columns highlighted: Business Goal Name; Protect Surface Name

    Phase 2

    Assess Key Capabilities and Identify Zero Trust Initiatives

    Build a Zero Trust Roadmap

    This phase will walk you through the following activities:

    • Assess the organization’s current capabilities.
    • Define the zero trust target state.
    • Identify tasks to close gaps
    • Define zero trust initiatives and align zero trust initiatives to business goals and protect surfaces.

    This phase involves the following participants:

    • Security Team
    • Subject Matter Experts From IT, Finance, HR, Legal, Facilities, Compliance, Audit, Risk Management
    • Project Management Office

    The Info-Tech Zero Trust Framework

    Info-Tech’s Zero Trust Framework aligns with zero trust references, including:

    • ACT Zero Trust Cybersecurity Current Trends. 2019
    • NIST SP 800-207: Zero Trust Architecture. 2020
    • DOD Zero Trust Reference Architecture. 2021
    • NSA Embracing a Zero Trust Security Model. 2021
    • CISA Zero Trust Maturity Model. 2021
    • Executive Order (EO) 14028: Improving the Nation’s Cybersecurity, The White House. 2021
    • OMB Moving the U.S. Government Toward Zero Trust Cybersecurity Principles. 2022
    • NSTAC Zero Trust and Trusted Identity Management. 2022
    • NIST SP 800-53 r5: Security and Privacy Controls for Information Systems and Organizations

    Identity

    • Authentication
    • Authorization
    • Privileged Access Management

    Applications

    • Software Defined Compute
    • DevSecOps
    • Software Supply Chain

    Devices

    • Authentication
    • Authorization
    • Compliance

    Networks

    • Software Defined Networking
    • Macro Segmentations
    • Micro Segmentation

    Data

    • Software Defined Storage
    • Data Loss Prevention
    • Data Rights Management

    Info-Tech Insight

    A best-of-breed approach ensures holistic coverage of your zero trust program while refraining from locking you into a specific reference.

    2.1 Review the Info-Tech framework

    Estimated time 30-60 minutes

    1. As a group, have the team review the framework within the Zero Trust Program Gap Analysis Tool.
    2. Customize the tool as required using the instructions in tab “2. Setup”:
    • Define costing criteria
    • Define benefits criteria
    • Configure full-time equivalent hours and start year
    • Input business goals as mapped to protect surfaces (see next slide)

    Download the Zero Trust Program Gap Analysis Tool

    Input

    • Protect surfaces mapped to business objectives

    Output

    • Customized framework

    Materials

    • Zero Trust Program Gap Analysis Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT

    2.1.1 Input business goals as mapped to protect surfaces

    Refer to the Protect Surface Mapping Tool, copy the following elements from the Protect Surface tab.

    1. Enter Business Goals.
    2. Enter Protect Surfaces.
    3. Enter Data.
    4. Enter Application.
    5. Enter Assets.
    6. Enter Services.

    This image contains a screenshot from Info-Tech's Zero Trust Program Gap Analysis Tool.  The Column headings are labeled as follows: 1: Business Goal Name; 2: Protect Surface; 3: DATA; 4: APPLICATION; 5: ASSETS; 6: SERVICES

    Info-Tech Insight

    Deriving protect surface elements from business goals reframes how security controls are applied. Assess control effectiveness in this context and identify zero trust capabilities to close any gaps.

    2.2 Assess current capabilities and define zero trust target state

    Estimated time 6-12 hours

    1. Using the Zero Trust Program Gap Analysis Tool, review each of the controls in the Gap Analysis tab.
    2. Follow the instructions on the next slides to complete your current-state and target-state assessment.
    3. For most organizations, multiple internal subject matter experts will need to be consulted to complete the assessment.

    Download the Zero Trust Program Gap Analysis Tool

    Input

    • Protect surfaces mapped to business objectives
    • Information on current state of controls, including sources such as audit findings, vulnerability and penetration test results, and risk registers

    Output

    • Current-state and target-state assessment for gap analysis

    Materials

    • Zero Trust Program Gap Analysis Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT, Facilities, Audit, Risk Management

    Understanding security target states

    Maturity models are very effective for determining target states. This table provides general descriptions for each maturity level. As a group, consider which description most accurately reflects the ideal target state in your organization.

    AD HOC 01

    Initial/ad hoc security programs are reactive. Lacking strategic vision, these programs are less effective and less responsive to the needs of the business.

    DEVELOPING 02

    Developing security programs can be effective at what they do but are not holistic. Governance is largely absent. These programs tend to rely on the talents of individuals rather than a cohesive plan.

    DEFINED 03

    A defined security program is holistic, documented, and proactive. At least some governance is in place; however, metrics are often rudimentary and operational in nature. These programs still often rely on best practices rather than strong risk management.

    MANAGED 04

    Managed security programs have robust governance and metrics processes. Management and board-level metrics for the overall program are produced. These are reviewed by business leaders and drive security decisions. More mature risk management practices take the place of best practices.

    OPTIMIZED 05

    An optimized security program is based on strong risk management practices, including the production of key risk indicators (KRIs). Individual security services are optimized using key performance indicators (KPIs) that continually measure service effectiveness and efficiency.

    2.2.1 Conduct current-state assessment

    1. Carefully review each of the controls in the Gap Analysis tab that are needed for the protect surfaces. For each control, indicate the current maturity level of the organization. The tool uses the maturity levels of the CMMI model to score maturity.
    • Only use “N/A” if you are confident that the control is not required in your protect surfaces. For example, if the protect surfaces do not require or use software-defined computing, select “N/A” for any controls related to software-defined computing.
  • Provide comments to describe your current state. This step is optional but recommended as it may be important to record this information for future reference.
  • Select the target maturity for the control.
  • This image contains a screenshot from Info-Tech's Zero Trust Program Gap Analysis Tool, with the following column headings highlighted and numbered: 1: Current Maturity; 2: Current State Comments (optional); Target Maturity

    Make sure that the gap between target state and current state is achievable for the current zero trust roadmap. For instance, if you set your current maturity to 1 – Ad Hoc, then having a target maturity of 4 – Managed or 5 – Optimized is not recommended due to the big jump.

    2.2.2 Review the Gap Analysis Dashboard

    1. Use the Dashboard to map your progress on assessing current- and future-state maturities. As you fill out the Zero Trust Program Gap Analysis Tool, check with the Dashboard to see the difference between your current and target state.
    2. Use the color-coded legend to see the size of the gap between your current and target state.
    3. Zero trust processes that appear white have not yet been assessed or are rated as “N/A.”
    this image contains a screenshot of Info-tech's Zero-Trust framework discussed earlier in this blueprint, with the addition of a legend demonstrating how to use the gap analysis tool to identify the size of the gap between current and target states

    2.3 Identify tasks to close gaps

    Estimated time 5 hours

    1. Using the Zero Trust Program Gap Analysis Tool, review each of the controls in the Gap Analysis tab.
    2. Follow the instructions on the next slides to identify gap closure tasks for each control that requires improvement.
    3. For most organizations, multiple internal subject matter experts will need to be consulted to complete the assessment.

    Download the Zero Trust Program Gap Analysis Tool

    Input

    • Zero trust controls gap information

    Output

    • Gap closure task list

    Materials

    • Zero Trust Program Gap Analysis Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT, Facilities, Audit, Risk Management

    2.3 Identify tasks to close gaps (cont.)

    1. For each of the controls where there is a gap between the current and target state, a gap closure task should be identified:
    • Review the example tasks and copy one or more of them if appropriate. Otherwise, enter your own gap closure task.
  • Considerations for identifying gap closure tasks:
    • In small groups, have participants ask, “what would we have to do to achieve the target state?” Document these in the Gap Closure Tasks column.
    • The example gap closure tasks may be appropriate for your organization, but do not simply copy them without considering whether they are right for you.
    • Not all gaps require their own task. You can enter one task that may address multiple gaps.
    • Be aware that tasks that are along the lines of “investigate and make recommendations” may not fully close maturity gaps.
    this image contains a screenshot from Info-Tech's Zero Trust Program Gap Analysis Tool, with the following column heading highlighted and numbered: 1: Gap Closure Tasks

    Make sure that the Gap Closure Tasks are SMART (Specific, Measurable, Achievable, Realistic, Timebound).

    2.4 Define tasks and initiatives

    Estimated time 2-4 hours

    1. As a group, review the gap tasks identified in the Gap Analysis tab.
    2. Using the instructions on the following slides, finalize your tab “5. Task List.”
    3. Using the instructions on the following slides, review and consolidate your tab “6. Initiative List.”

    Download the Zero Trust Program Gap Analysis Tool

    Input

    • Gap analysis

    Output

    • Refined list of tasks
    • List of zero trust initiatives

    Materials

    • Zero Trust Program Gap Analysis Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT, Facilities, Audit, Risk Management
    • Project Management Office

    2.4.1 Finalize your task list

    1. Define the gap closure task list in tab “5. Task List”:
      1. Obtain a list of all your tasks from Gap Closure Tasks column in tab “3. Gap Analysis.”
      2. Paste the list into the table in tab “5. Task List,” Task column.
    • Use Paste Values to retain the table formatting.
  • Consolidate tasks into initiatives when:
      • They have costs associated with them.
      • They require initial effort to implement and ongoing effort to maintain.
      • They must be accomplished dependently of other tasks.
    1. For each new initiative, create the initiative name on Initiative Name column in the tab “6. Initiative List.”
  • For tasks which are not incorporated into initiatives, enter a task owner and due date for each task.
  • this image contains a screenshot from Info-Tech's Zero Trust Gap analysis Tool with the following column headings highlighted and numbered: 1: Task; 2: Initiative Name; 3: (Task Owner; Due Date)

    Example: Initiative consolidation

    In the example below, we see three gap closure tasks within the Authentication process for the Identity pillar being consolidated into a single initiative “IAM modernization.”

    We can also see three gap closure tasks within the Micro Segmentation process for the Network pillar being grouped into another initiative “Network segmentation.”

    This image contains an example of Initiative Consolidation

    Info-Tech Insight

    As you go through this exercise, you may find that some tasks that you previously defined could be consolidated into an initiative.

    2.4.2 Finalize your initiative list

    1. As you go through this exercise, you may find that some tasks that you previously defined could be consolidated into an initiative.
    2. Review your final list of initiatives in tab “6. Initiative List” and make any required updates.
      1. Optionally, add a description or paste in a list of the individual gap closure actions that are associated with the initiative. This will make it easier to perform the cost and benefit analysis.
    3. Obtain a list of all gap closure tasks associated with an initiative by filtering the Initiative Name column in the Task List tab.
    4. Indicate the most appropriate pillar alignment for each initiative using the drop-down list.
      1. Refer to tab “5. Task List” for the pillar associated with an initiative under the Initiative Name column.

    This image contains a screenshot from Info-Tech's Zero Trust Program Gap Analysis Tool, the following column headings are numbered and highlighted: 1: Initiative Name; 2: Description; 3: Pillar

    If the list of tasks is too long for the Description column, then you can also shorten the name of the tasks or group several tasks to a more general task.

    2.5 Align initiatives to business goals and protect surfaces

    Estimated time 30-60 minutes

    1. Using the instructions on the following slides, align initiatives to business goals in tab “6. Initiative List.”
    2. Using the instructions on the following slides, align initiatives to protect surfaces in tab “6. Initiative List.”

    Download the Zero Trust Program Gap Analysis Tool

    Input

    • List of zero trust initiatives
    • Protect surfaces mapped to business objectives

    Output

    • List of zero trust initiatives aligned to business goals and protect surfaces

    Materials

    • Zero Trust Program Gap Analysis Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT, Facilities, Audit, Risk Management
    • Project Management Office

    2.5.1 Align initiatives to business goals

    1. Indicate the most appropriate business goal(s) alignment for each initiative using the drop-down list in “Selection for Business Goal(s)” column.
      1. Use the legend to determine the most appropriate business goal(s).
    2. After that copy the selected business goal(s) to Business Goal(s) Alignment column.
    3. Then reset the selection using the blank cell in Selection for Business Goal(s) column.
    This image contains a screenshot from the Zero Trust Program Gap Analysis Tool, with the following column headings numbered: 1: Selection for Business Goal(s); Business Goals Alignment; 3: Selection for Business Goals

    2.5.2 Align initiatives to protect surfaces

    1. Indicate the most appropriate protect surface(s) for each initiative using the drop-down list in Selection for Protect Surface(s) column.
      1. Use the legend to determine the most appropriate protect surface(s).
    2. After that copy the selected protect surface(s) to Protect Surface(s) Coverage column.
    3. Reset the selection using the blank cell in Selection for Protect Surface(s) column.
    This image contains a screenshot from the Zero Trust Program Gap Analysis Tool, with the following column headings numbered: 1: Description; 2: Protect Surfaces Covered; 3: Selection for Protect Surfaces

    Phase 3

    Evaluate Candidate Solutions and Finalize Roadmap

    Build a Zero Trust Roadmap

    This phase will walk you through the following activities:

    • Define solution criteria.
    • Identify candidate solutions.
    • Evaluate candidate solutions.
    • Perform cost/benefit analysis.
    • Prioritize initiatives and build roadmap.

    This phase involves the following participants:

    • Security Team
    • Subject Matter Experts From IT, Finance, HR, Legal, Facilities, Compliance, Audit, Risk Management
    • Project Management Office

    3.1 Define solution criteria

    Estimated time 30-60 minutes

    1. As a group, review the scoring system within the Zero Trust Candidate Solutions Selection Tool.
    2. Customize the tool as required using the instructions on the following slides.

    Info-Tech Insight

    Don’t let your solution dictate your roadmap. Define your zero trust solution criteria before engaging in vendor selection.

    Download the Zero Trust Candidate Solutions Selection Tool

    Input

    • Zero trust initiative list

    Output

    • Zero trust candidate solutions

    Materials

    • Zero Trust Program Gap Analysis Tool
    • Zero Trust Candidate Solutions Selection Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT

    3.1.1 Define compliance and solution evaluation criteria

    On the Setup tab, provide a weight for each evaluation criterion to evaluate the candidate solutions. You can use “0%” weight if that criterion is not required in your solution selection.

    1. Verify that the Description for each criterion is accurate.
    2. Provide weights for the compliance score and the solution score, which are the overall evaluation:
    • Compliance score consists of tenets score, pillar score, threat protection score, and trust algorithm score.
    • Solution score consists of features score, usability score, affordability score, and architecture score.
    This image contains a screenshot from the Zero Trust Candidate Solutions Selection Tool, which demonstrates how to define compliance and solution evaluation criteria.

    3.1.2 Define remaining evaluation criteria

    On the Setup tab, provide a weight for each evaluation criterion to evaluate the candidate solutions. You can use “0%” weight if that criterion is not required in your solution selection.

    1. Verify that the Description for each criterion is accurate.
    2. Provide weights for the remaining evaluation criteria:
    • Tenets: Considers how well each initiative aligns with zero trust principles.
    • Pillars: Considers how well each initiative aligns with zero trust pillars.
    • Threats: Considers what zero trust threats are relevant with the candidate solution.
    • Trust Algorithm: Considers trust evaluation factors, trust evaluation process score, and input coverage.
    • Cost Estimation: Considers initial costs, which are one-time, upfront capital investments (e.g. hardware and software costs), and ongoing cost, which is any annually recurring operating expenses that are new budgetary costs (e.g. licensing, maintenance, subscription fees).
    • Deployment Architecture: Considers the solutions deployment architecture capabilities.

    This image contains a screenshot from the Zero Trust Candidate Solutions Selection Tool, and demonstrates where to define additional evaluation data

    Review available candidate solutions

    this image contains a list of available candidate Solutions.  This list includes: Zero Trust Identity; Zero-Trust Application & Workloads; Zero-Trust Networks; Zero-Trust Devices; and Zero-Trust Data

    The Rapid Application Selection Framework is a comprehensive yet fast-moving approach to help you select the right software for your organization

    Five key phases sequentially add rigor to your selection efforts while giving you a clear, swift-flowing methodology to follow.

    Awareness Education & Discovery Evaluation Selection Negotiation & Configuration
    1.1 Proactively Lead Technology Optimization & Prioritization 2.1 Understand Marketplace Capabilities & Trends 3.1 Gather & Prioritize Requirements & Establish Key Success Metrics 4.1 Create a Weighted Vendor Selection Decision Model 5.1 Initiate Price Negotiation With Top
    1.2 Scope & Define the Selection Process for Each Selection Request Action 2.2 Discover Alternative Solutions & Conduct Market Education 3.2 Conduct a Data-Driven Comparison of Vendor Features & Capabilities 4.2 Conduct Investigative Interviews Focused on Mission Critical Priorities With Top 2-4 Vendors 5.2 Negotiate Contract Terms & Product Configuration Two Vendors Selected
    1.3 Conduct an Accelerated Business Needs Assessment 2.3 Evaluate Enterprise Architecture & Application Portfolio 3.3 Narrow the Field to Four Top Contenders 4.3 Validate Key Issues With Deep Technical Assessments, Trial Configuration & Reference Checks 5.3 Finalize Budget Approval & Project Implementation Timeline
    1.4 Align Stakeholder Calendars to Reduce Elapsed Time & Asynchronous Evaluation 2.4 Validate the Business Case 5.4 Invest in Training & Onboarding Assistance

    Download the Rapid Application Selection Framework research

    Evaluate software category leaders through vendor rankings and awards

    SoftwareReviews

    The Data Quadrant is a thorough evaluation and ranking of all software in an individual category to compare platforms across multiple dimensions.

    The Data Quadrant Report

    Vendors are ranked by their Composite Score, based on individual feature evaluations, user satisfaction rankings, vendor capability comparisons, and likeliness to recommend the platform.

    Vendors ranked by their Composite Score

    The Emotional Footprint is a powerful indicator of overall user sentiment toward the relationship with the vendor, capturing data across five dimensions.

    Emotional Footprint

    Vendors are ranked by their Customer Experience (CX) Score, which combines the overall Emotional Footprint rating with a measure of the value delivered by the solution.

    Vendors ranked by their Customer Experience (CX) Score

    Sample whiteboard activity

    • Place sticky notes on the zero trust tenet that matches with the identified candidate solution to produce “solution requirements” that can be used to develop an RFP.
    • A sample sticky note is provided below for privileged access management.

    This image contains a screenshot of a sample whiteboard activity which can be done using sticky notes.

    • The PAM solution should support MFA
    • Live session monitoring, audit, and reporting
    • Should have password vaulting to prevent privileged users from knowing the passwords to critical systems and resources

    3.2 Identify candidate solutions

    Estimated time 2 hours

    1. As a group, have the team review the candidate solutions within the Zero Trust Program Gap Analysis Tool.
    2. On tab 3 in the Zero Trust Candidate Solutions Selection Tool:
    • Review the candidate solutions within the Zero Trust Program Gap Analysis Tool. For example, the candidate solutions with multifactor authentication (MFA) options are authenticators with SMS, mobile application, smartcard, or token.

    Input

    • Candidate solutions for zero trust tasks and initiatives

    Output

    • Suitability evaluation of candidate solutions

    Materials

    • Zero Trust Program Gap Analysis Tool
    • Zero Trust Candidate Solutions Selection Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT

    Info-Tech Insight

    Add a description associated with the candidate solution, e.g. reference link to vendors or manufacturers. This will make it easier to perform the evaluation.

    Download the Zero Trust Candidate Solutions Selection Tool

    3.2.1 Review candidate solutions

    1. Review the candidate solutions within the Zero Trust Program Gap Analysis Tool. For example, the candidate solutions with multifactor authentication (MFA) options are authenticators with SMS, mobile application, smartcard, or token.
    2. Enter candidate solutions to the Compliance Data Entry tab on the Solution column within the Zero Trust Candidate Solutions Selection Tool.
    3. Optionally, add a description associated with the candidate solution, e.g. reference link to vendors or manufacturers. This will make it easier to perform the evaluation.
    this image contains a screenshot of a sample candidate solution, which can be done using Info-Tech's Zero Trust Program Gap Analysis Tool

    3.3 Evaluate candidate solutions

    Estimated time 3 hours

    On the Scoring tab, evaluate solution features, usability, affordability, and architecture using the instructions on the following slides. This activity will produce a solution score that can be used to identify the suitability of a solution.

    Input

    • Candidate solutions

    Output

    • Candidate solutions scored

    Materials

    • Zero Trust Program Gap Analysis Tool
    • Zero Trust Candidate Solutions Selection Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT

    Download the Zero Trust Candidate Solutions Selection Tool

    3.3.3 Evaluate solution scores

    After all candidate solutions are evaluated, the Solution Score column can be sorted to rank the candidate solutions. After sorting, the top solutions can be used on prioritization of initiatives on Zero Trust Program Gap Analysis Tool.

    1. On Features
      1. Enter Coverage.
      2. Enter Quality.
    2. Enter Usability.
    3. On Affordability
      1. Enter Initial Cost.
      2. Enter Ongoing Cost (annual).
    4. Enter Architecture.
    this image contains a screenshot of how you can sort the solution score column in Info-Tech's Zero Trust Program Gap Analysis Tool

    3.4 Perform cost/benefit analysis

    Estimated time 1-2 hours

    1. Assign costing and benefits information for each initiative, following the instructions on the next slide.
    2. Define dependencies or business impacts if they will help with prioritization.

    Input

    • Ranked candidate solutions
    • Gap analysis
    • Initiative list

    Output

    • Completed cost/benefit analysis for initiative list

    Materials

    • Zero Trust Program Gap Analysis Tool
    • Zero Trust Candidate Solutions Selection Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT, Facilities, Audit, Risk Management
    • Project Management Office

    Download the Zero Trust Program Gap Analysis Tool

    3.4.1 Complete the cost/benefit analysis

    Use Zero Trust Program Gap Analysis Tool.

    1. On the Prioritization tab, use the drop-down lists to enter the estimated costs and efforts for each initiative, using the criteria defined earlier.
    • Use the result from candidate selection to define the estimated costs.
    • If you have actual costs available, you can optionally enter them under the Detailed Cost Estimates columns.
  • Enter the estimated benefits, also using the criteria defined earlier.
  • This image contains a screenshot of a cost/benefit analysis table which can be found in the Zero Trust Program Gap Analysis Tool

    The Cost / Effort Rating is calculated based on the weight defined on step 2.1.1. The Benefit Rating is calculated based on the weight defined on step 2.1.2.

    3.4.2 Optionally enter detailed cost estimates

    Use Zero Trust Program Gap Analysis Tool.

    1. For each initiative, the tool will automatically populate the Detailed Cost Estimates and Detailed Staffing Estimates columns using the averages that you provided in step 2.1.1. However, if you have more detailed data about the costs and effort requirements for an initiative, you can override the calculated data by manually entering it into these columns. For example:
    • You are planning to subscribe to a security awareness vendor, and you have a quote from them specifying that the initial cost will be $75,000.
    • You have defined your “Medium” cost range as being “$10-100K,” so you select medium as your initial cost for this initiative in step 3.4.1. As you defined the average for medium costs as being $50,000, this is what the tool will put into the detailed cost estimate.
    • You can override this average by entering $75,000 as the initial cost in the detailed cost estimate column.

    This image contains a screenshot of a sample cost/benefit table found in the Zero Trust Program Gap Analysis Tool.

    The Benefits-Cost column will give results after comparing the cost and the benefit. Negative value means that the cost outweighs the benefit. Positive value means that the benefit outweighs the cost. Zero value means that the cost equals the benefit.

    3.5 Prioritize initiatives

    Estimated time 2-3 hours

    1. As a group, review the results of the cost/benefit analysis. Optionally, complete the Other Considerations columns in the Prioritization tab:
    • Dependencies can refer to other initiatives on the list or any other dependency that relates to activities or projects within the organization.
    • Business impacts can be helpful to document as they may require additional planning and communication that could impact initiative timelines.
  • Follow step 3.5.1 to create a visual effort map for your organization.
  • Follow step 3.5.2 and 3.5.3 to refine the effort map’s visual output.
  • Input

    • Gap analysis
    • Initiative list
    • Cost/benefit analysis

    Output

    • Prioritized list of initiatives

    Materials

    • Zero Trust Program Gap Analysis Tool

    Participants

    • Security Team
    • IT Leadership
    • Project Management Office

    Download the Zero Trust Program Gap Analysis Tool

    3.5.1 Create a visual effort map for your organization

    1 hour

    An effort map is a tool used for the visualization of a cost and benefit analysis. It is a quadrant output that visually shows how your gap initiatives were prioritized based on tab 7 in the Zero Trust Program Gap Analysis Tool.

    1. Establish the axes and colors for your effort map:
      1. X-axis represents the Benefit value from column J
      2. Y-axis represents the Cost/Effort value from column H
      3. Sticky note color is determined using the Alignment to Business value from column I
    2. Create sticky notes for each initiative and place them on the effort map or whiteboard based on the axes you have created with the help of your team.
    3. As you place initiatives on the visual effort map, discuss and modify rankings based on team member input.

    this image contains a sample visual effort map which can be found in the Zero Trust Program Gap Analysis Tool.

    Input

    • Outputs from activities 3.4.1 and 3.4.2

    Output

    • High-level prioritization for each of the gap-closing initiatives
    • Visual representation of quantitative values

    Materials

    • Zero Trust Program Gap Analysis Tool (tab 7)
    • Sticky notes
    • Markers
    • Whiteboard

    Participants

    • Security Team
    • IT Leadership
    • Project Management Office

    3.5.2 Refine the effort map’s visual output

    1 hour

    Once the effort map is complete, work to further simplify the visual output by categorizing initiatives based on the quadrant in which they have been placed.

    1. Before moving forward with the initiative wave prioritization (activity 3.7), identify any initiatives listed across all quadrants that are required as a part of compliance and mark with a sticky dot.
    2. Document these initiatives as Execution Wave 1.

    this image contains a screenshot of a refined visual effort map, which can be done by following the instructions in this section.

    Input

    • Outputs from activity 3.5.1

    Output

    • Prioritization for each of the gap-closing initiatives
    • First execution wave of gap-closing initiatives

    Materials

    • Zero Trust Program Gap Analysis Tool (tab 7)
    • Sticky notes
    • Sticky dots
    • Markers
    • Whiteboard

    Participants

    • Security Team
    • IT Leadership
    • Project Management Office

    3.5.3 Refine the effort map’s visual output

    30 minutes

    1. Use a separate area of the whiteboard to draw out four to five Execution Wave columns.
    2. Group initiatives into each Execution Wave column based on their placement within the quadrant from activities 3.5.1 and 3.5.2.
      1. Ensure that all identified mandatory activities as per governing privacy law fall within the first wave.
      2. Leverage the following 0-4 Execution Wave scale:
        1. Underway –Initiatives that are already underway
        2. Must Do – Initiatives that must happen right away
        3. Should Do – Initiatives that should happen but need more time/support
        4. Could Do – Initiatives that are not a priority
        5. Won’t Do – Initiatives that likely won’t be carried out
    3. Indicate the granular level for each execution wave using the a-z scale.
    • Use the lettering to track dependencies between initiatives.
      • If one must take place before another, ensure that its letter comes first alphabetically.
      • If multiple initiatives must take place at the same time, use the same letter to show they will take place in tandem.

    This image depicts the sample output for a refined visual effort map

    Input

    • Outputs from activity 3.5.2

    Output

    • Prioritization for each of the gap-closing initiatives
    • First execution wave of gap-closing initiatives

    Materials

    • Zero Trust Program Gap Analysis Tool (tab 7)
    • Sticky notes
    • Sticky dots
    • Markers
    • Whiteboard

    Participants

    • Security Team
    • IT Leadership
    • Project Management Office

    Wave assignment example

    In the example below, we see “IAM modernization” was assessed as 9 on cost/effort rating and 5 on benefit rating and its Benefits-Cost has a positive value of 1. We can label this as SHOULD DO (wave 2).

    We can also see “Network segmentation” was assessed as 6 on cost/effort rating and 4 on benefit rating and its Benefits-Cost has a positive value of 2. We can label this as MUST DO (wave 1).

    We can also see “Unified Endpoints Management” was assessed as 8 on cost/effort rating and 2 on benefit rating and its Benefits-Cost has a negative value of -4. We can label this as WON’T DO (no wave).

    We can also see “Data Protection” was assessed as 4 on cost/effort rating and 2 on benefit rating and its Benefits-Cost has a zero value. We can label this as COULD DO (wave 3).

    This image depicts a sample wave assignment output, discussed in this section.

    It is recommended to define the threshold of each wave based on the value of Benefits-Cost before assigning waves.

    3.6 Build roadmap

    Estimated time 2-3 hours

    1. As a group, follow step 3.6.1 to create your roadmap by scheduling initiatives into the Gantt chart within the Zero Trust Program Gap Analysis Tool.
    2. Review the roadmap for resourcing conflicts and adjust as required.
    3. Review the final cost and effort estimates for the roadmap.

    Input

    • Gap analysis
    • Cost/benefit analysis
    • Prioritized initiative list

    Output

    • Zero trust roadmap

    Materials

    • Zero Trust Program Gap Analysis Tool

    Participants

    • Security Team
    • IT Leadership
    • Project Management Office

    Download the Zero Trust Program Gap Analysis Tool

    3.6.1 Schedule initiatives using the Gantt chart

    1. On the Gantt Chart tab for each initiative, enter an owner (the role who will be primarily responsible for execution).
    2. Additionally, enter a start month and year for the initiative and the expected duration in months.
    • You can filter the Wave column to only see specific waves at any one time to assist with the scheduling.
    • You do not need to schedule Wave 4 initiatives as the expectation is that these initiatives will not be done.
    • This Image contains a screenshot of the Gantt Chart, with the following column headings highlighted and numbered: 1: Owner; 2: Expected Duration

    3.6.2 Review your roadmap

    1. When you have completed the Gantt chart, as a group review the overall roadmap to ensure that it is reasonable for your organization. Consider the following:
    • Do you have other IT or business projects planned during this time frame that may impact your resourcing or scheduling?
    • Does your organization have regular change freezes throughout the year that will impact the schedule?
    • Do you have over-subscribed resources? You can filter the list on the Owner column to identify potential over-subscription of resources.
    • Have you considered any long vacations, sabbaticals, parental leaves, or other planned longer-term absences?
    • Are your initiatives adequately aligned to your budget cycle? For instance, if you have an initiative that is expected to make recommendations for capital expenditure, it must be completed prior to budget planning.

    This image depicts an example roadmap which can be created following the use of the Gantt Chart

    3.6.3 Review your cost/effort estimates table

    1. Once you have completed your roadmap, review the total cost/effort estimates. This can be found in a table on the Results tab. This table will provide initial and ongoing costs and staffing requirements for each wave. This also includes the total three-year investment. In your review consider:
    • Is this investment realistic? Will completion of your roadmap require adding more staff or funding than you otherwise expected?
    • If the investment seems unrealistic, you may need to revisit some of your assumptions, potentially reducing target levels or increasing the amount of time to complete the strategy.

    This table provides you with the information to have important conversations with management and stakeholders.

    This image contains an example of the Zero Trust Roadmap Cost/Effort Estimates.  The column headings are as follows: Wave; Number of Initiatives; Initial Implementation - Cost; Initial Implementation - Effort; Ongoing Maintenance - Cost; Ongoing Maintenance - Effort.  A separate table is shown with the column heading: Estimated Total Three Year Investment

    Phase 4

    Formulate Policies for Roadmap Initiatives

    Build a Zero Trust Roadmap

    This phase will walk you through the following activities:

    • Formulate zero trust policies for critical DAAS elements.
    • Formulate zero trust policies to secure a path to access critical DAAS elements.

    This phase involves the following participants:

    • CIO
    • CISO
    • Business Executives
    • IT Manager
    • Security Team

    Understand the zero trust policy

    Use the Kipling methodology as a vendor agnostic approach to identify appropriate allow list elements when deploying multiple zero trust solutions.
    The policies help to prevent lateral movement.

    Who Who should access a resource? Here, the user ID that identifies the users through the principle of least privilege is allowed access to a particular resource. The authentication policy will be used to verify identity of a user when access request to a resource is made. Who requires MFA?
    What What application is used to access the resource? Application ID to identify applications that are only allowed on the network. Port control policies can be used for the application service.
    When When do users access the resource? Policy that identifies and enforces time schedule when an application accessed by users is used.
    Where Where is the resource located? The location of the destination resource should be added to the policy and, where possible, restrict the source of the traffic either by zone and/or IP address.
    Why Why is the data accessed? Data classification should be done to know why the data needs protection and the type of protection (data filtering).
    How How should you allow access to the resource? This covers the protection of the application traffic. Principle of least privilege access, log all traffic, configure security profiles, NGFW, decryption and encryption, consistent application of policy and threat prevention across all locations for all local and remote users on managed and unmanaged endpoints are ways to apply content-ID.

    Info-Tech Insight

    The success of a zero trust implementation relies on enforcing policies consistently. Applying the Kipling methodology to the protect surface is the best way to design zero trust policies.

    4.1.1 Formulate policy

    Estimated time 1-2 hours

    1. As a group, review the protect surface(s) identified in phase one, and using the Kipling methodology from the previous slide, formulate a policy. Each policy can be reviewed repeatedly until we are sure it satisfies the goal.
    2. The policy created should be consistent for both cloud and on-prem environments.
    3. As an example, let's use the healthcare scenario found in tab 3 of the Zero Trust Protect Surface Mapping Tool. The protect surface used is "Automated Medication Dispensing." Another example will be "Salesforce" accessed via the cloud.
    Who What When Where Why How
    Method User-ID App-ID Time limit System Object Classification Content-ID
    On-Prem Pyxis_Users Pyxis Any Pyxis_server Severe (high value data) Decrypt, Inspect, log traffic
    Cloud Sales Salesforce Working hours Canada Severe (high value data) Decrypt, Inspect, log traffic

    Input

    • Kipling methodology
    • Protect surface

    Output

    • Zero trust policy

    Materials

    • Whiteboard/Flip Charts
    • Zero Trust Protect Surface Mapping Tool

    Participants

    • CIO
    • CISO
    • Business Executives
    • IT Manager
    • Security Team

    4.1.2 Apply policy

    1-2 hours

    1. Place each protect surface in its own microperimeter. Each microperimeter should be segmented by a next-generation firewall or authentication broker that will serve as a segmentation gateway.
    2. Name the microperimeter and place it on a firewall.

    Input

    • Kipling methodology
    • Protect surface

    Output

    • Zero trust policy

    Materials

    • Whiteboard/Flip Charts
    • Sticky Notes
    • Zero Trust Protect Surface Mapping Tool

    Participants

    • CIO
    • CISO
    • Business Executives
    • IT Manager
    • Security Team

    Microperimeter A
    Protect Surface:
    DAAS Elements:

    Who What When Where Why How
    Method User-ID App-ID Time limit System Object Classification Content-ID

    Microperimeter B
    Protect Surface:
    DAAS Elements:

    Who What When Where Why How
    Method User-ID App-ID Time limit System Object Classification Content-ID

    Microperimeter C
    Protect Surface:
    DAAS Elements:

    Who What When Where Why How
    Method User-ID App-ID Time limit System Object Classification Content-ID

    4.2 Secure a path to access critical DAAS elements

    How should you allow access to the resource?

    This component makes up the final piece of formulating the policies as it applies the protection of the application traffic.

    The principle of least privilege is applied to the security policy to only allow access requests and restrict the access to the purpose it serves. This access request is then logged as well as the traffic (both internal and external). Most firewalls (NGFW) have policy rules that, by default, enable logging.

    Segmentation gateways (NGFW, VM-series firewalls, agent-based and clientless VPN solutions), are used to apply zero trust policy (Kipling methodology) in the network, cloud, and endpoint (managed and unmanaged) for all local and remote users.

    These policies need to be applied to security profiles on all allowed traffic. Some of these profiles include but are not limited to the following: URL filtering profile for web access and protect against phishing attacks, vulnerability protection profile intrusion prevention systems, anti spyware profiles to protect against command-and-control threats, malware and antivirus profile to protect against malware, and a file blocking profile to block and/or alert suspicious file types.

    Good visibility on your network can also be tied to decryption as you can inspect traffic and data to the lowest level possible that is generally accepted by your organization and in compliance with regulation.

    Conceptualized flow

    With users working from anywhere on managed and unmanaged devices, access to the internet, SAAS, public cloud, and the data center will have consistent policies applied regardless of their location.

    The policy is validating that the user is who they say they are based on the role profile, what they are trying to access to make sure their role or attribute profile has the appropriate permission to the application, and within the stipulated time limit. Where the data or application is located is also verified and the why needs to be satisfied before the requested access is granted. Based on the mentioned policies, the how element is then applied throughout the lifecycle of the access.

    Who

    (Internet)

    What

    (SAAS)

    When

    Where

    (Public Cloud)

    Why

    How

    (Data Center)

    Method User-ID App-ID Time limit System Object Classification Content-ID
    On-Prem Pyxis_Users Pyxis Any Pyxis_server Severe (high value data) Decrypt, Inspect, log traffic
    Cloud Sales Salesforce Working hours Canada Severe (high value data) Decrypt, Inspect, log traffic

    Phase 5

    Monitor Zero Trust Roadmap Deployment

    Build a Zero Trust Roadmap

    This phase will walk you through the following activities:

    • Establish metrics for roadmap tasks.
    • Track metrics for roadmap tasks.

    This phase involves the following participants:

    • Security Team
    • Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management
    • Project Management Office

    5.1 Establish metrics for roadmap tasks

    Estimated time 2 hours

    1. On tab “2. Task & Metric Register” of the Zero Trust Progress Monitoring Tool, identify metrics to measure implementation and efficacy of tasks
    2. On tab “2. Task & Metric Register” of the Zero Trust Progress Monitoring Tool, document metric metadata.
    3. On the Prioritization tab, use the drop-down lists to enter the estimated costs and efforts for each initiative, using the criteria defined earlier.
    • If you have actual costs available, you can optionally enter them under the Detailed Cost Estimates columns.
  • Enter the estimated benefits, also using the criteria defined earlier.
  • Input

    • Zero trust roadmap task list

    Output

    • Metrics for measuring zero trust task implementation and efficacy

    Materials

    • Zero Trust Progress Monitoring Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management
    • Project Management Office

    Download the Zero Trust Progress Monitoring Tool

    5.1.1 Identify metrics to measure implementation and efficacy of tasks

    Estimated time 3-4 hours

    1. On tab “2. Task & Metric Register” of the Zero Trust Progress Monitoring Tool, for each section defined in columns C and D, enter zero trust implementation tasks into column E. If you completed the Zero Trust Program Gap Analysis Tool, use the tasks identified there to populate column E.
    2. For each task, identify in column F any metrics that will communicate implementation progress and/or implementation efficacy.
    • If multiple metrics are needed for a single task, we recommend expanding the size of the row and adding additional metrics onto a new line in the same row. A sample is provided in the tool.

    this image contains a screenshot of tab 2 in the Zero Trust Progress Monitoring Tool

    Info-Tech Insight

    To measure the efficacy of a zero trust implementation, ensure you know what a successful zero trust implementation means for your organization, and define metrics that demonstrate whether that success is being realized.

    5.1.2 Document metric metadata

    Estimated time 1-2 hours

    For each metric defined in step 4.1.1:

    1. Identify in column G whether the metric can be measured now (Phase 1), measured in a few months’ time (Phase 2), or measured in a few years’ time (Phase 3).
    2. Identify in columns H through M who is responsible for collecting the metric (Person Source), who/what is consulted to collect the metric (Technology Source), who compiles the collected metric into dashboards and presentations (Compiler), and who is informed of the measurement of the metric (Audience).
    • Add more columns under the Audience category if needed.
    • Use “X” to identify if an audience group will be informed of the measurement of the metric.
  • Identify in columns N through P the target for the metric (Metric Target), the effort it takes to collect the metric (Effort to Collect), the frequency with which the organizations plans to collect the metric (Frequency of Collection), and any comments that people should know when collecting, compiling, or presenting metrics.
  • This image contains a screenshot from the Zero Trust Progress Monitoring Tool, with the following column headings numbered: 1: Priority; 2: Roles and Responsibilities; 3: effort to collect; frequency of collection; Metric Target; Comments

    5.2 Track and report metrics

    Estimated time 2 hours

    1. In the Zero Trust Progress Monitoring Tool, copy and paste metrics you plan to track in the tool from column F on tab 2 to column B on tab 3.
    2. Use tab 3 to identify collection frequency, metric target, and measurements collected for each metric. Add notes or comments to each metric or measurement to track contextual elements that could affect metric measurements.
    3. Leverage the graphs on tab 4 to communicate metrics to the appropriated audience groups, as defined in tab 2.

    Input

    • Metrics for measuring zero trust task implementation and efficacy

    Output

    • Metric data and graphs for presenting zero trust implementation metrics to audience groups

    Materials

    • Zero Trust Progress Monitoring Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management
    • Project Management Office

    Download the Zero Trust Progress Monitoring Tool

    5.2.1 Record baseline measurements for metrics

    Estimated time 1-2 hours

    On tab “3. Track Metrics” of the Zero Trust Progress Monitoring Tool:

    1. Copy and paste the metrics from Column F on tab “2. Task & Metric Register” that you want to track into Column B of this tab.
    2. For each metric, record the frequency of collection (Collection Frequency) and the metric target (Target) by referencing columns O and P on tab “2. Task & Metric Register.”
    3. Begin to record baseline/initial values for each metric in column E. Rename columns to match your highest frequency of collection.
      (e.g. if any metric is being measured monthly, there should be one column per month)
    4. Over time, conduct measurements of your metrics and store them in the table below.
    5. Add notes, as necessary.

    this image contains a screenshot of tab 3 of the Zero Trust Progress Monitoring Tool, with the following column headings numbered: 1: Your Metrics; 2: Collection Frequency; Target; 3: Jan; 4: Metric Measurements; 5: Notes

    5.2.2 Report metric health to audience groups

    Estimated time 1-2 hours

    On tab “4. Graphs” of the Zero Trust Progress Monitoring Tool:

    1. The Overall Metric Health gauge at the top of this tab presents the average percentage away from meeting metric targets for all metrics being tracked. To calculate this value, the differences between the most recent measurements and target values for each metric are averaged.
    2. Below the Overall Metric Health gauge, use the drop-down list in cell D9 to select one of the metrics from tab “3. Track Metrics.”
    3. Six different graphic representations of the tracked data for the selected metric will populate.

    Copy and paste desired graphs into presentations for audience members identified in step 5.1.2.

    This image contains a screenshot from tab “4. Graphs” of the Zero Trust Progress Monitoring Tool:

    5.3 Build a communication deck

    Estimated time 2 hours

    Leverage the Zero Trust Communication Deck to showcase the work that you have done in the tools and activities associated with this research.

    In this communication deck template, you will find the following sections:

    • Introduction
    • Protect Surfaces
    • Zero Trust Gap Analysis
    • Zero Trust Initiatives & Tasks

    Input

    • Protect surfaces mapped to business goals
    • Zero trust program gap analysis
    • Zero trust roadmap initiatives and tasks
    • Zero trust metrics

    Output

    • Communication deck for zero trust strategy

    Materials

    • Zero Trust Communication Deck

    Participants

    • Security Team
    • Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management
    • Project Management Office

    Download the Zero Trust Communication Deck

    Summary of Accomplishment

    Knowledge Gained

    • Knowledge of protect surfaces and the business goals protecting them supports
    • Comprehensive knowledge of zero trust current state and summary initiatives required to achieve zero trust objectives
    • Assessment of which solutions for zero trust tasks and initiatives are the most appropriate for the organization
    • A defined set of security metrics assessing zero trust implementation progress and efficacy

    Deliverables Completed

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop

    Contact your account representative for more information

    workshops@infotech.com

    1-888-670-8889

    Additional Support

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech Workshop

    To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

    Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

    Contact your account representative for more information.

    This is a picture of an Info-Tech Account Representative
    workshops@infotech.com 1-888-670-8889

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    Zero Trust Program Gap Analysis Tool

    This is a screenshot from the Zero Trust Program Gap Analysis Tool

    Assess current security capabilities and build a roadmap of tasks and initiatives that close maturity gaps.

    Zero Trust Progress Monitoring Tool

    This is a screenshot from the Zero Trust Progress Monitoring Tool

    Identify and track metrics for zero trust tasks and initiatives.

    Research Contributors

    • Aaron Benson, CME Group, Director of IAM Governance
    • Brad Mateski, Zones, Solutions Architect for CyberSecurity
    • Bob Smock, Info-Tech Research Group, Vice President of Consulting
    • Dr. Chase Cunningham, Ericom Software, Chief Strategy Officer
    • John Kindervag, ON2IT Cybersecurity, Senior Vice President, Cybersecurity Strategy and ON2IT Group Fellow
    • John Zhao, Fonterra, Enterprise Security Architect
    • Rongxing Lu, University of New Brunswick, Associate Professor
    • Sumanta Sarkar, University of Warwick, Assistant Professor
    • Tim Malone, J.B. Hunt Transport, Senior Director Information Security
    • Vana Matte, J.B. Hunt Transport, Senior Vice President of Technology Services

    Related Info-Tech Research

    This is a screenshot from Info-Tech's Build an Information Security Strategy

    Build an Information Security Strategy

    Info-Tech has developed a highly effective approach to building an information security strategy – an approach that has been successfully tested and refined for over seven years with hundreds of organizations. This unique approach includes tools for ensuring alignment with business objectives, assessing organizational risk and stakeholder expectations, enabling a comprehensive current-state assessment, prioritizing initiatives, and building out a security roadmap.

    This is a screenshot from Info-Tech's Determine Your Zero Trust Readiness.

    Determine Your Zero Trust Readiness

    IT security was typified by perimeter security. However, the way the world does business has mandated a change to IT security. In response, zero trust is a set of principles that can add flexibility to planning your IT security strategy.

    Use this blueprint to determine your zero trust readiness and understand how zero trust can benefit both security and the business.

    This is a screenshot from Info-Tech's Mature Your Identity and Access Management Program

    Mature Your Identity and Access Management Program

    Many organizations are looking to improve their identity and access management (IAM) practices but struggle with where to start and whether all areas of IAM have been considered. This blueprint will help you improve the organization's identity and access management practices by following our three-phase methodology:

    • Assess identity and access requirements
    • Identify initiatives using the identity lifecycle
    • Prioritize initiatives and build a roadmap

    Bibliography

    • “2021 Data Breach Investigations Report.” Verizon, 2021. Web.
    • “A Zero-Trust Strategy Has 3 Needs - Identify, Authenticate, and Monitor Users and Devices On and Off The Network.” Fortinet, 15 July 2021. Web.
    • “Applying Zero Trust Principles to Enterprise Mobility.” CISA, March 2022. Web.
    • Biden Jr., Joseph R. “Executive Order on Improving the Nation’s Cybersecurity.” The White House, 12 May 2021. Web.
    • “CISA Zero Trust Maturity Model.” CISA - Cybersecurity Division, June 2021. Web.
    • “Continuous Diagnostics and Mitigation Program Overview.” CISA, Jan. 2022. Web.
    • Contributor. “The Five Business Benefits of a Zero Trust Approach to Security.” Security Brief - Australia, 19 Aug. 2020. Web.
    • “Cost of a Data Breach Report 2021.” IBM, July 2021. Web.
    • English, Melanie. “5 Stats That Show The Cost Saving Effect of Zero Trust.” Teramind, 29 Sept. 2021. Web.
    • “Improve Application Access and Security With Fortinet Zero Trust Network Access.” Fortinet, 2 March 2021. Web.
    • “Incorporating Zero-trust Strategies for Secure Network and Application Access.” Fortinet, 21 July 2021. Web.
    • Jakkal, Vasu. “Zero Trust Adoption Report: How Does Your Organization Compare?” Microsoft, 28 July 2021. Web.
    • “Jericho Forum™ Commandments.” The Open Group, Jericho Forum, May 2007. Web.
    • Johnson, Derrick. “Zero Trust vs. SASE - Here's What You Need to Know.” Security Magazine, 23 July 2021. Web.
    • Joint Defense Information Systems Agency (DISA) and National Security Agency (NSA) Zero Trust Engineering Team. “Department of Defense (DOD) Zero Trust Reference Architecture.” DoD CIO, Feb. 2021. Web.
    • Kay, Dennis. “Planning for a Zero Trust Architecture Target State.” NASA, NIST, 13 Nov. 2019. Web.
    • National Security Agency. “Embracing a Zero Trust Security Model.” U.S. Department of Defense, Feb. 2021. Web.
    • NSTAC. “Draft Report to the President - Zero Trust and Trusted Identity Management.” CISA, NSTAC, n.d. Web.
    • Rose, Scott W., et al. “Zero Trust Architecture.” NIST, 10 Aug. 2020. Web.
    • “Securing Digital Innovation Demands Zero-Trust Access.” Fortinet, 15 July 2021. Web.
    • Shackleford, Dave. “How to Create a Comprehensive Zero Trust Strategy.” SANS, Cisco, 2 Sept. 2020. Web.
    • “The CISO’s Guide to Effective Zero-Trust Access.” Fortinet, 28 April 2021. Web.
    • “The State of Zero Trust Security 2021.” Okta, June 2021. Web.
    • Kerman, Alper, et al. “Implementing a Zero Trust Architecture.” NIST - National Cybersecurity Center of Excellence, March 2020. Web.
    • Kindervag, John. “Keynote - John KINDERVAG - 021622.” Vimeo, VIRTUAL Eastern | CyberSecurity Conference, 16 Feb. 2022. Web.
    • Lodewijkx, Koos. “IBM CISO Perspective: Zero Trust Changes Security From Something You Do to Something You Have.” SecurityIntelligence, IBM, 19 Nov. 2020. Web.
    • VB Staff. “Report: Only 21% of Enterprises Use Zero Trust Architecture.” VentureBeat, 15 Feb. 2022. Web.
    • Young, Shalanda D. “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles.” The White House, EXECUTIVE OFFICE OF THE PRESIDENT - OFFICE OF MANAGEMENT AND BUDGET, 26 Jan. 2022. Web.
    • “Zero Trust Access.” Fortinet, n.d. Web.
    • “Zero Trust Architecture Technical Exchange Meeting.” NIST - National Cybersecurity Center of Excellence, 12 Nov. 2019. Web.
    • “Zero Trust Cybersecurity Current Trends.” ACT-IAC, 18 April 2019. Web.
    • “Zero-Trust Access for Comprehensive Visibility and Control.” Fortinet, 24 Sep. 2020. Web.

    Improve Requirements Gathering

    • Buy Link or Shortcode: {j2store}523|cart{/j2store}
    • member rating overall impact: 9.4/10 Overall Impact
    • member rating average dollars saved: $153,578 Average $ Saved
    • member rating average days saved: 26 Average Days Saved
    • Parent Category Name: Requirements & Design
    • Parent Category Link: /requirements-and-design
    • Poor requirements are the number one reason that projects fail. Requirements gathering and management has been an ongoing issue for IT professionals for decades.
    • If proper due diligence for requirements gathering is not conducted, then the applications that IT is deploying won’t meet business objectives and will fail to deliver adequate business value.
    • Inaccurate requirements definition can lead to significant amounts of project rework and hurt the organization’s financial performance. It will also create significant damage to the working relationship between IT and the business.
    • Often, business analysts haven’t developed the right competencies to successfully execute requirements gathering processes, even when they are in place.

    Our Advice

    Critical Insight

    • To avoid makeshift solutions, an organization needs to gather requirements with the desired future state in mind.
    • Creating a unified set of standard operating procedures is essential for effectively gathering requirements, but many organizations fail to do it.
    • Centralizing governance of requirements processes with a requirements gathering steering committee or requirements gathering center of excellence can bring greater uniformity and cohesion when gathering requirements across projects.
    • Business analysts must be targeted for competency development to ensure that the processes developed above are being successfully executed and the right questions are being asked of project sponsors and stakeholders.

    Impact and Result

    • Enhanced requirements analysis will lead to tangible reductions in cycle time and reduced project overhead.
    • An improvement in requirements analysis will strengthen the relationship between business and IT, as more and more applications satisfy stakeholder needs.
    • More importantly, the applications delivered by IT will meet all of the must-have and at least some of the nice-to-have requirements, allowing end users to successfully execute their day-to-day responsibilities.

    Improve Requirements Gathering Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should invest in optimizing your requirements gathering processes.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build the target state for the requirements gathering process

    Capture a clear understanding of the target needs for the requirements process.

    • Build a Strong Approach to Business Requirements Gathering – Phase 1: Build the Target State for the Requirements Gathering Process
    • Requirements Gathering SOP and BA Playbook
    • Requirements Gathering Maturity Assessment
    • Project Level Selection Tool
    • Business Requirements Analyst
    • Requirements Gathering Communication Tracking Template

    2. Define the elicitation process

    Develop best practices for conducting and structuring elicitation of business requirements.

    • Build a Strong Approach to Business Requirements Gathering – Phase 2: Define the Elicitation Process
    • Business Requirements Document Template
    • Scrum Documentation Template

    3. Analyze and validate requirements

    Standardize frameworks for analysis and validation of business requirements.

    • Build a Strong Approach to Business Requirements Gathering – Phase 3: Analyze and Validate Requirements
    • Requirements Gathering Documentation Tool
    • Requirements Gathering Testing Checklist

    4. Create a requirements governance action plan

    Formalize change control and governance processes for requirements gathering.

    • Build a Strong Approach to Business Requirements Gathering – Phase 4: Create a Requirements Governance Action Plan
    • Requirements Traceability Matrix
    [infographic]

    Workshop: Improve Requirements Gathering

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Define the Current State and Target State for Requirements Gathering

    The Purpose

    Create a clear understanding of the target needs for the requirements gathering process.

    Key Benefits Achieved

    A comprehensive review of the current state for requirements gathering across people, processes, and technology.

    Identification of major challenges (and opportunity areas) that should be improved via the requirements gathering optimization project.

    Activities

    1.1 Understand current state and document existing requirement process steps.

    1.2 Identify stakeholder, process, outcome, and training challenges.

    1.3 Conduct target state analysis.

    1.4 Establish requirements gathering metrics.

    1.5 Identify project levels 1/2/3/4.

    1.6 Match control points to project levels 1/2/3/4.

    1.7 Conduct project scoping and identify stakeholders.

    Outputs

    Requirements Gathering Maturity Assessment

    Project Level Selection Tool

    Requirements Gathering Documentation Tool

    2 Define the Elicitation Process

    The Purpose

    Create best practices for conducting and structuring elicitation of business requirements.

    Key Benefits Achieved

    A repeatable framework for initial elicitation of requirements.

    Prescribed, project-specific elicitation techniques.

    Activities

    2.1 Understand elicitation techniques and which ones to use.

    2.2 Document and confirm elicitation techniques.

    2.3 Create a requirements gathering elicitation plan for your project.

    2.4 Build the operating model for your project.

    2.5 Define SIPOC-MC for your selected project.

    2.6 Practice using interviews with business stakeholders to build use case models.

    2.7 Practice using table-top testing with business stakeholders to build use case models.

    Outputs

    Project Elicitation Schedule

    Project Operating Model

    Project SIPOC-MC Sub-Processes

    Project Use Cases

    3 Analyze and Validate Requirements

    The Purpose

    Build a standardized framework for analysis and validation of business requirements.

    Key Benefits Achieved

    Policies for requirements categorization, prioritization, and validation.

    Improved project value as a result of better prioritization using the MOSCOW model.

    Activities

    3.1 Categorize gathered requirements for use.

    3.2 Consolidate similar requirements and eliminate redundancies.

    3.3 Practice prioritizing requirements.

    3.4 Build the business process model for the project.

    3.5 Rightsize the requirements documentation template.

    3.6 Present the business requirements document to business stakeholders.

    3.7 Identify testing opportunities.

    Outputs

    Requirements Gathering Documentation Tool

    Requirements Gathering Testing Checklist

    4 Establish Change Control Processes

    The Purpose

    Create formalized change control processes for requirements gathering.

    Key Benefits Achieved

    Reduced interjections and rework – strengthened formal evaluation and control of change requests to project requirements.

    Activities

    4.1 Review existing CR process.

    4.2 Review change control process best practices and optimization opportunities.

    4.3 Build guidelines for escalating changes.

    4.4 Confirm your requirements gathering process for project levels 1/2/3/4.

    Outputs

    Requirements Traceability Matrix

    Requirements Gathering Communication Tracking Template

    5 Establish Ongoing Governance for Requirements Gathering

    The Purpose

    Establish governance structures and ongoing oversight for business requirements gathering.

    Key Benefits Achieved

    Consistent governance and oversight of the requirements gathering process, resulting in fewer “wild west” scenarios.

    Better repeatability for the new requirements gathering process, resulting in less wasted time and effort at the outset of projects.

    Activities

    5.1 Define RACI for the requirements gathering process.

    5.2 Define the requirements gathering steering committee purpose.

    5.3 Define RACI for requirements gathering steering committee.

    5.4 Define the agenda and cadence for the requirements gathering steering committee.

    5.5 Identify and analyze stakeholders for communication plan.

    5.6 Create communication management plan.

    5.7 Build the action plan.

    Outputs

    Requirements Gathering Action Plan

    Further reading

    Improve Requirements Gathering

    Back to basics: great products are built on great requirements.

    Analyst Perspective

    A strong process for business requirements gathering is essential for application project success. However, most organizations do not take a strategic approach to optimizing how they conduct business analysis and requirements definition.

    "Robust business requirements are the basis of a successful project. Without requirements that correctly articulate the underlying needs of your business stakeholders, projects will fail to deliver value and involve significant rework. In fact, an Info-Tech study found that of projects that fail over two-thirds fail due to poorly defined business requirements.

    Despite the importance of good business requirements to project success, many organizations struggle to define a consistent and repeatable process for requirements gathering. This results in wasted time and effort from both IT and the business, and generates requirements that are incomplete and of dubious value. Additionally, many business analysts lack the competencies and analytical techniques needed to properly execute the requirements gathering process.

    This research will help you get requirements gathering right by developing a set of standard operating procedures across requirements elicitation, analysis, and validation. It will also help you identify and fine-tune the business analyst competencies necessary to make requirements gathering a success."

    – Ben Dickie, Director, Enterprise Applications, Info-Tech Research Group

    Our understanding of the problem

    This Research is Designed For:

    • The IT applications director who has accountability for ensuring that requirements gathering procedures are both effective and efficient.
    • The designated business analyst or requirements gathering professional who needs a concrete understanding of how to execute upon requirements gathering SOPs.

    This Research Will Help You:

    • Diagnose your current state and identify (and prioritize) gaps that exist between your target requirements gathering needs and your current capabilities and processes.
    • Build a requirements gathering SOP that prescribes a framework for requirements governance and technology usage, as well as techniques for elicitation, analysis, and validation.

    This Research Will Also Assist:

    • The business partner/stakeholder who is interested in ways to work with IT to improve upon existing procedures for requirements gathering.
    • Systems analysts and developers who need to understand how business requirements are effectively gathered upstream.

    This Research Will Help Them:

    • Understand the significance and importance of business requirements gathering on overall project success and value alignment.
    • Create rules of engagement for assisting IT with the collection of requirements from the right stakeholders in a timely fashion.

    Executive summary

    Situation

    • Strong business requirements are essential to project success – inadequate requirements are the number one reason that projects fail.
    • Organizations need a consistent, repeatable, and prescriptive set of standard operating procedures (SOPs) that dictate how business requirements gathering should be conducted.

    Complication

    • If proper due diligence for requirements gathering is not conducted, then the applications that IT is deploying won’t meet business objectives, and they will fail to deliver adequate business value.
    • Inaccurate requirements definition can lead to significant amounts of project rework and hurt the organization’s financial performance. It will also damage the relationship between IT and the business.

    Resolution

    • To avoid delivering makeshift solutions (paving the cow path), organizations need to gather requirements with the desired future state in mind. Organizations need to keep an open mind when gathering requirements.
    • Creating a unified set of SOPs is essential for effectively gathering requirements; these procedures should cover not just elicitation, analysis, and validation, but also include process governance and documentation.
    • BAs who conduct requirements gathering must demonstrate proven competencies for stakeholder management, analytical techniques, and the ability to speak the language of both the business and IT.
    • An improvement in requirements analysis will strengthen the relationship between business and IT, as more and more applications satisfy stakeholder needs. More importantly, the applications delivered by IT will meet all of the must-have and at least some of the nice-to-have requirements, allowing end users to execute their day-to-day responsibilities.

    Info-Tech Insight

    1. Requirements gathering SOPs should be prescriptive based on project complexity. Complex projects will require more analytical rigor. Simpler projects can be served by more straightforward techniques like user story development.
    2. Business analysts (BA) can make or break the execution of the requirements gathering process. A strong process still needs to be executed well by BAs with the right blend of skills and knowledge.

    Understand what constitutes a strong business requirement

    A business requirement is a statement that clearly outlines the functional capability that the business needs from a system or application. There are several attributes to look at in requirements:

    Verifiable
    Stated in a way that can be easily tested

    Unambiguous
    Free of subjective terms and can only be interpreted in one way

    Complete
    Contains all relevant information

    Consistent
    Does not conflict with other requirements

    Achievable
    Possible to accomplish with budgetary and technological constraints

    Traceable
    Trackable from inception through to testing

    Unitary
    Addresses only one thing and cannot be decomposed into multiple requirements

    Agnostic
    Doesn’t pre-suppose a specific vendor or product

    Not all requirements will meet all of the attributes.

    In some situations, an insight will reveal new requirements. This requirement will not follow all of the attributes listed above and that’s okay. If a new insight changes the direction of the project, re-evaluate the scope of the project.

    Attributes are context specific.

    Depending on the scope of the project, certain attributes will carry more weight than others. Weigh the value of each attribute before elicitation and adjust as required. For example, verifiable will be a less-valued attribute when developing a client-facing website with no established measuring method/software.

    Build a firm foundation: requirements gathering is an essential step in any project, but many organizations struggle

    Proper requirements gathering is critical for delivering business value from IT projects, but it remains an elusive and perplexing task for most organizations. You need to have a strategy for end-to-end requirements gathering, or your projects will consistently fail to meet business expectations.

    50% of project rework is attributable to problems with requirements. (Info-Tech Research Group)

    45% of delivered features are utilized by end users. (The Standish Group)

    78% of IT professionals believe the business is “usually” or “always” out of sync with project requirements. (Blueprint Software Systems)

    45% of IT professionals admit to being “fuzzy” about the details of a project’s business objectives. (Blueprint Software Systems)

    Requirements gathering is truly an organization-spanning issue, and it falls directly on the IT directors who oversee projects to put prudent SOPs in place for managing the requirements gathering process. Despite its importance, the majority of organizations have challenges with requirements gathering.

    What happens when requirements are no longer effective?

    • Poor requirements can have a very visible and negative impact on deployed apps.
    • IT receives the blame for any project shortcomings or failures.
    • IT loses its credibility and ability to champion future projects.
    • Late projects use IT resources longer than planned.

    Requirements gathering is a core component of the overall project lifecycle that must be given its due diligence

    PMBOK’s Five Phase Project Lifecycle

    Initiate – Plan: Requirements Gathering Lives Here – Execute – Control – Close

    Inaccurate requirements is the 2nd most common cause of project failure (Project Management Institute ‒ Smartsheet).

    Requirements gathering is a critical stage of project planning.

    Depending on whether you take an Agile or Waterfall project management approach, it can be extended into the initiate and execute phases of the project lifecycle.

    Strong stakeholder satisfaction with requirements gathering results in higher satisfaction in other areas

    Organizations that had high satisfaction with requirements gathering were more likely to be highly satisfied with the other areas of IT. In fact, 72% of organizations that had high satisfaction with requirements gathering were also highly satisfied with the availability of IT capacity to complete projects.

    A bar graph measuring % High Satisfaction when projects have High Requirements Gathering vs. Not High Requirements Gathering. The graph shows a substantially higher percentage of high satisfaction on projects with High Requirements Gathering

    Note: High satisfaction was classified as organizations with a score greater or equal to 8. Not high satisfaction was every other organization that scored below 8 on the area questions.

    N=395 organizations from Info-Tech’s CIO Business Vision diagnostic

    Requirements gathering efforts are filled with challenges; review these pitfalls to avoid in your optimization efforts

    The challenges that afflict requirements gathering are multifaceted and often systemic in nature. There isn’t a single cure that will fix all of your requirements gathering problems, but an awareness of frequently encountered challenges will give you a basis for where to consider establishing better SOPs. Commonly encountered challenges include:

    Process Challenges

    • Requirements may be poorly documented, or not documented at all.
    • Elicitation methods may be inappropriate (e.g. using a survey when collaborative whiteboarding is needed).
    • Elicitation methods may be poorly executed.
    • IT and business units may not be communicating requirements in the same terms/language.
    • Requirements that conflict with one another may not be identified during analysis.
    • Requirements cannot be traced from origin to testing.

    Stakeholder Challenges

    • Stakeholders may be unaware of the requirements needed for the ideal solution.
    • Stakeholders may have difficulty properly articulating their desired requirements.
    • Stakeholders may have difficulty gaining consensus on the ideal solution.
    • Relevant stakeholders may not be consulted on requirements.
    • Sign-off may not be received from the proper stakeholders.

    70% of projects fail due to poor requirements. (Info-Tech Research Group)

    Address the root cause of poor requirements to increase project success

    Root Causes of Poor Requirements Gathering:

    • Requirements gathering procedures don’t exist.
    • Requirements gathering procedures exist but aren’t followed.
    • There isn't enough time allocated to the requirements gathering phase.
    • There isn't enough involvement or investment secured from business partners.
    • There is no senior leadership involvement or mandate to fix requirements gathering.
    • There are inadequate efforts put towards obtaining and enforcing sign-off.

    Outcomes of Poor Requirements Gathering:

    • Rework due to poor requirements leads to costly overruns.
    • Final deliverables are of poor quality.
    • Final deliverables are implemented late.
    • Predicted gains from deployed applications are not realized.
    • There are low feature utilization rates by end users.
    • There are high levels of end-user dissatisfaction.
    • There are high levels of project sponsor dissatisfaction.

    Info-Tech Insight

    Requirements gathering is the number one failure point for most development or procurement projects that don’t deliver value. This has been and continues to be the case as most organizations still don't get requirements gathering right. Overcoming organizational cynicism can be a major obstacle when it is time to optimize the requirements gathering process.

    Reduce wasted project work with clarity of business goals and analysis of requirements

    You can reduce the amount of wasted work by making sure you have clear business goals. In fact, you could see an improvement of as much as 50% by going from a low level of satisfaction with clarity of business goals (<2) to a high level of satisfaction (≥5).

    A line graph demonstrating that as the amount of wasted work increases, clarity of business goals satisfaction decreases.

    Likewise, you could see an improvement of as much as 43% by going from a low level of satisfaction with analysis of requirements (less than 2) to a high level of satisfaction (greater than or equal to 5).

    A line graph demonstrating that as the Amount of Wasted Work decreases, the level of satisfaction with analysis of requirements shifts from low to high.

    Note: Waste is measured by the amount of cancelled projects; suboptimal assignment of resources; analyzing, fixing, and re-deploying; inefficiency, and unassigned resources.

    N=200 teams from the Project Portfolio Management diagnostic

    Effective requirements gathering supports other critical elements of project management success

    Good intentions and hard work aren’t enough to make a project successful. As you proceed with a project, step back and assess the critical success factors. Make sure that the important inputs and critical activities of requirements gathering are supporting, not inhibiting, project success.

    1. Streamlined Project Intake
    2. Strong Stakeholder Management
    3. Defined Project Scope
    4. Effective Project Management
    5. Environmental Analysis

    Don’t improvise: have a structured, end-to-end approach for successfully gathering useful requirements

    Creating a unified SOP guide for requirements elicitation, analysis, and validation is a critical step for requirements optimization; it gives your BAs a common frame of reference for conducting requirements gathering.

    • The key to requirements optimization is to establish a strong set of SOPs that provide direction on how your organization should be executing requirements gathering processes. This SOP guide should be a holistic document that walks your BAs through a requirements gathering project from beginning to end.
    • An SOP that is put aside is useless; it must be well communicated to BAs. It should be treated as the veritable manifesto of requirements management in your organization.

    Info-Tech Insight

    Having a standardized approach to requirements management is critical, and SOPs should be the responsibility of a group. The SOP guide should cover all of the major bases of requirements management. In addition to providing a walk-through of the process, an SOP also clarifies requirements governance.

    Leverage Info-Tech’s proven Requirements Gathering Framework as the basis for building requirements processes

    A graphic with APPLICATIONS THAT DELIVER BUSINESS VALUE written in the middle. Three steps are named: Elicit; Analyze; Validate. Around the outer part of the graphic are 4 arrows arranged in a circle, with the labels: Plan; Monitor; Communicate; Manage.

    Info-Tech’s Requirements Gathering Framework is a comprehensive approach to requirements management that can be scaled to any size of project or organization. This framework has been extensively road-tested with our clients to ensure that it balances the needs of IT and business stakeholders to give a holistic, end-to-end approach for requirements gathering. It covers the foundational issues (elicitation, analysis, and validation) and prescribes techniques for planning, monitoring, communicating, and managing the requirements gathering process.

    Don’t forget resourcing: the best requirements gathering process will still fail if you don’t develop BA competencies

    When creating the process for requirements gathering, think about how it will be executed by your BAs, and what the composition of your BA team should look like. A strong BA needs to serve as an effective translator, being able to speak the language of both the business and IT.

    1. To ensure alignment of your BAs to the requirements gathering process, undertake a formal skills assessment to identify areas where analysts are strong, and areas that should be targeted for training and skills development.
    2. Training of BAs on the requirements gathering process and development of intimate familiarity with SOPs is essential; you need to get BAs on the same page to ensure consistency and repeatability of the requirements process.
    3. Consider implementing a formal mentorship and/or job shadowing program between senior and junior BAs. Many of our members report that leveraging senior BAs to bootstrap the competencies of more junior team members is a proven approach to building skillsets for requirements gathering.

    What are some core competencies of a good BA?

    • Strong stakeholder management.
    • Proven track record in facilitating elicitation sessions.
    • Ability to bridge the gulf between IT and the business by speaking both languages.
    • Ability to ask relevant probing questions to uncover latent needs.
    • Experience with creating project operating models and business process diagrams.
    • Ability to set and manage expectations throughout the process.

    Throughout this blueprint, look for the “BA Insight” box to learn how steps in the requirements gathering process relate to the skills needed by BAs to facilitate the process effectively.

    A mid-sized local government overhauls its requirements gathering approach and sees strong results

    CASE STUDY

    Industry

    Government

    Source

    Info-Tech Research Group Workshop

    The Client

    The organization was a local government responsible for providing services to approximately 600,000 citizens in the southern US. Its IT department is tasked with deploying applications and systems (such as HRIS) that support the various initiatives and mandate of the local government.

    The Requirements Gathering Challenge

    The IT department recognized that a strong requirements gathering process was essential to delivering value to its stakeholders. However, there was no codified process in place – each BA unilaterally decided how they would conduct requirements gathering at the start of each project. IT recognized that to enhance both the effectiveness and efficiency of requirements gathering, it needed to put in place a strong, prescriptive set of SOPs.

    The Improvement

    Working with a team from Info-Tech, the IT leadership and BA team conducted a workshop to develop a new set of SOPs that provided clear guidance for each stage of the requirements process: elicitation, analysis, and validation. As a result, business satisfaction and value alignment increased.

    The Requirements Gathering SOP and BA Playbook offers a codified set of SOPs for requirements gathering gave BAs a clear playbook.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Build a Strong Approach to Business Requirements Gathering – project overview

    1. Build the Target State for Requirements Gathering 2. Define the Elicitation Process 3. Analyze and Validate Requirements 4. Create a Requirements Governance Action Plan
    Best-Practice Toolkit

    1.1 Understand the Benefits of Requirements Optimization

    1.2 Determine Your Target State for Requirements Gathering

    2.1 Determine Elicitation Techniques

    2.2 Structure Elicitation Output

    3.1 Create Analysis Framework

    3.2 Validate Business Requirements

    4.1 Create Control Processes for Requirements Changes

    4.2 Build Requirements Governance and Communication Plan

    Guided Implementations
    • Review Info-Tech’s requirements gathering methodology.
    • Assess current state for requirements gathering – pains and challenges.
    • Determine target state for business requirements gathering – areas of opportunity.
    • Assess elicitation techniques and determine best fit to projects and business environment.
    • Review options for structuring the output of requirements elicitation (i.e. SIPOC).
    • Create policies for requirements categorization and prioritization.
    • Establish best practices for validating the BRD with project stakeholders.
    • Discuss how to handle changes to requirements, and establish a formal change control process.
    • Review options for ongoing governance of the requirements gathering process.
    Onsite Workshop Module 1: Define the Current and Target State Module 2: Define the Elicitation Process Module 3: Analyze and Validate Requirements Module 4: Governance and Continuous Improvement Process
    Phase 1 Results: Clear understanding of target needs for the requirements process. Phase 2 Results: Best practices for conducting and structuring elicitation. Phase 3 Results: Standardized frameworks for analysis and validation of business requirements. Phase 4 Results: Formalized change control and governance processes for requirements.

    Workshop overview

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Workshop Day 1 Workshop Day 2 Workshop Day 3 Workshop Day 4 Workshop Day 5
    Activities

    Define Current State and Target State for Requirements Gathering

    • Understand current state and document existing requirement process steps.
    • Identify stakeholder, process, outcome, and reigning challenges.
    • Conduct target state analysis.
    • Establish requirements gathering metrics.
    • Identify project levels 1/2/3/4.
    • Match control points to project levels 1/2/3/4.
    • Conduct project scoping and identify stakeholders.

    Define the Elicitation Process

    • Understand elicitation techniques and which ones to use.
    • Document and confirm elicitation techniques.
    • Create a requirements gathering elicitation plan for your project.
    • Practice using interviews with business stakeholders to build use case models.
    • Practice using table-top testing with business stakeholders to build use case models.
    • Build the operating model for your project

    Analyze and Validate Requirements

    • Categorize gathered requirements for use.
    • Consolidate similar requirements and eliminate redundancies.
    • Practice prioritizing requirements.
    • Rightsize the requirements documentation template.
    • Present the business requirements document (BRD) to business stakeholders.
    • Identify testing opportunities.

    Establish Change Control Processes

    • Review existing CR process.
    • Review change control process best practices & optimization opportunities.
    • Build guidelines for escalating changes.
    • Confirm your requirements gathering process for project levels 1/2/3/4.

    Establish Ongoing Governance for Requirements Gathering

    • Define RACI for the requirements gathering process.
    • Define the requirements gathering governance process.
    • Define RACI for requirements gathering governance.
    • Define the agenda and cadence for requirements gathering governance.
    • Identify and analyze stakeholders for communication plan.
    • Create communication management plan.
    • Build the action plan.
    Deliverables
    • Requirements gathering maturity assessment
    • Project level selection tool
    • Requirements gathering documentation tool
    • Project elicitation schedule
    • Project operating model
    • Project use cases
    • Requirements gathering documentation tool
    • Requirements gathering testing checklist
    • Requirements traceability matrix
    • Requirements gathering communication tracking template
    • Requirements gathering action plan

    Phase 1: Build the Target State for the Requirements Gathering Process

    Phase 1 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Build the Target State

    Proposed Time to Completion: 2 weeks

    Step 1.1: Understand the Benefits of Requirements Optimization

    Start with an analyst kick off call:

    • Review Info-Tech’s requirements gathering methodology.

    Then complete these activities…

    • Hold a fireside chat.

    With these tools & templates:

    Requirements Gathering SOP and BA Playbook

    Step 1.2: Determine Your Target State for Requirements Gathering

    Review findings with analyst:

    • Assess current state for requirements gathering – pains and challenges.
    • Determine target state for business requirements gathering – areas of opportunity.

    Then complete these activities…

    • Identify your business process model.
    • Define project levels.
    • Match control points to project level.
    • Identify and analyze stakeholders.

    With these tools & templates:

    • Requirements Gathering Maturity Assessment
    • Project Level Selection Tool
    • Business Requirements Analyst job description
    • Requirements Gathering Communication Tracking Template

    Phase 1 Results & Insights:

    Clear understanding of target needs for the requirements process.

    Step 1.1: Understand the Benefits of Requirements Optimization

    Phase 1

    1.1 Understand the Benefits of Requirements Optimization

    1.2 Determine Your Target State for Requirements Gathering

    Phase 2

    2.1 Determine Elicitation Techniques

    2.2 Structure Elicitation Output

    Phase 3

    3.1 Create Analysis Framework

    3.2 Validate Business Requirements

    Phase 4

    4.1 Create Control Processes for Requirements Changes

    4.2 Build Requirements Governance and Communication Plan

    This step will walk you through the following activities:
    • Identifying challenges with requirements gathering and identifying objectives for the workshop.
    This step involves the following participants:
    • Business stakeholders
    • BAs
    Outcomes of this step
    • Stakeholder objectives identified.

    Requirements optimization is powerful, but it’s not free; gauge the organizational capital you’ll need to make it a success

    Optimizing requirements management is not something that can be done in isolation, and it’s not necessarily going to be easy. Improving your requirements will translate into better value delivery, but it takes real commitment from IT and its business partners.

    There are four “pillars of commitment” that will be necessary to succeed with requirements optimization:

    1. Senior Management Organizational Capital
      • Before organizations can establish revised SOPs for requirements gathering, they’ll need a strong champion in senior management to ensure that updated elicitation and sign-off techniques do not offend people. A powerful sponsor can lead to success, especially if they are in the business.
    2. End-User Organizational Capital
      • To overcome cynicism, you need to focus on convincing end users that there is something to be gained from participating in requirements gathering (and the broader process of requirements optimization). Frame the value by focusing on how good requirements mean better apps (e.g. faster, cheaper, fewer errors, less frustration).
    3. Staff Resourcing
      • You can have a great SOP, but if you don’t have the right resources to execute on it you’re going to have difficulty. Requirements gathering needs dedicated BAs (or equivalent staff) who are trained in best practices and can handle elicitation, analysis, and validation successfully.
    4. Dedicated Cycle Time
      • IT and the business both need to be willing to demonstrate the value of requirements optimization by giving requirements gathering the time it needs to succeed. If these parties are convinced by the concept in theory, but still try to rush moving to the development phase, they’re destined for failure.

    Rethink your approach to requirements gathering: start by examining the business process, then tackle technology

    When gathering business requirements, it’s critical not to assume that layering on technology to a process will automatically solve your problems.

    Proper requirements gathering views projects holistically (i.e. not just as an attempt to deploy an application or technology, but as an endeavor to enable new or re-engineered business processes). Neglecting to see requirements gathering in the context of business process enablement leads to failure.

    • Far too often, organizations automate an existing process without putting much thought into finding a better way to do things.
    • Most organizations focus on identifying a series of small improvements to make to a process and realize limited gains.
    • The best way to generate transformational gains is to reinvent how the process should be performed and work backwards from there.
    • You should take a top-down approach and begin by speaking with senior management about the business case for the project and their vision for the target state.
    • You should elicit requirements from the rank-and-file employees while centering the discussion and requirements around senior management’s target state. Don’t turn requirements gathering into a griping session about deficiencies with a current application.

    Leverage Info-Tech’s proven Requirements Gathering Framework as the basis for building requirements processes

    A graphic with APPLICATIONS THAT DELIVER BUSINESS VALUE written in the middle. Three steps are named: Elicit; Analyze; Validate. Around the outer part of the graphic are 4 arrows arranged in a circle, with the labels: Plan; Monitor; Communicate; Manage.

    Info-Tech’s Requirements Gathering Framework is a comprehensive approach to requirements management that can be scaled to any size of project or organization. This framework has been extensively road-tested with our clients to ensure that it balances the needs of IT and business stakeholders to give a holistic, end-to-end approach for requirements gathering. It covers both the foundational issues (elicitation, analysis, and validation) as well as prescribing techniques for planning, monitoring, communicating, and managing the requirements gathering process.

    Requirements gathering fireside chat

    1.1.1 – 45 minutes

    Output
    • Stakeholder objectives
    Materials
    • Whiteboard, markers, sticky notes
    Participants
    • BAs

    Identify the challenges you’re experiencing with requirements gathering, and identify objectives.

    1. Hand out sticky notes to participants, and ask the group to work independently to think of challenges that exist with regards to requirements gathering. (Hint: consider stakeholder challenges, process challenges, outcome challenges, and training challenges.) Ask participants to write their current challenges on sticky notes, and place them on the whiteboard.
    2. As a group, review all sticky notes and group challenges into themes.
    3. For each theme you uncover, work as a group to determine the objective that will overcome these challenges throughout the workshop and write this on the whiteboard.
    4. Discuss how these challenges will be addressed in the workshop.

    Don’t improvise: have a structured, prescriptive end-to-end approach for successfully gathering useful requirements

    Creating a unified SOP guide for requirements elicitation, analysis, and validation is a critical step for requirements optimization; it gives your BAs a common frame of reference for conducting requirements gathering.

    • The key to requirements optimization is to establish a strong set of SOPs that provide direction on how your organization should be executing requirements gathering processes. This SOP guide should be a holistic document that walks your BAs through a requirements gathering project from beginning to end.
    • An SOP that is put aside is useless; it must be well communicated to BAs. It should be treated as the veritable manifesto of requirements management in your organization.

    Info-Tech Insight

    Having a standardized approach to requirements management is critical, and SOPs should be the responsibility of a group. The SOP guide should cover all of the major bases of requirements management. In addition to providing a walk-through of the process, an SOP also clarifies requirements governance.

    Use Info-Tech’s Requirements Gathering SOP and BA Playbook to assist with requirements gathering optimization

    Info-Tech’s Requirements Gathering SOP and BA Playbook template forms the basis of this blueprint. It’s a structured document that you can fill out with defined procedures for how requirements should be gathered at your organization.

    Info-Tech’s Requirements Gathering SOP and BA Playbook template provides a number of sections that you can populate to provide direction for requirements gathering practitioners. Sections provided include: Organizational Context Governance Procedures Resourcing Model Technology Strategy Knowledge Management Elicitation SOPs Analysis SOPs Validation SOPs.

    The template has been pre-populated with an example of requirements management procedures. Feel free to customize it to fit your specific needs.

    Download the Requirements Gathering SOP and BA Playbook template.

    Step 1.2: Determine Your Target State for Requirements Gathering

    Phase 1

    1.1 Understand the Benefits of Requirements Optimization

    1.2 Determine Your Target State for Requirements Gathering

    Phase 2

    2.1 Determine Elicitation Techniques

    2.2 Structure Elicitation Output

    Phase 3

    3.1 Create Analysis Framework

    3.2 Validate Business Requirements

    Phase 4

    4.1 Create Control Processes for Requirements Changes

    4.2 Build Requirements Governance and Communication Plan

    This step will walk you through the following activities:
    • Conduct a current and target state analysis.
    • Identify requirements gathering business process model.
    • Establish requirements gathering performance metrics.
    • Define project levels – level 1/2/3/4.
    • Match control points to project level.
    • Conduct initial brainstorming on the project.
    This step involves the following participants:
    • BAs
    Outcomes of this step:
    • Requirements gathering maturity summary.
    • Requirements gathering business process model.
    • Identification of project levels.
    • Identification of control points.

    Plan for requirements gathering

    The image is the Requirements Gathering Framework from earlier slides, but with all parts of the graphic grey-out, except for the arrows containing Plan and Monitor, at the top.

    Establishing an overarching plan for requirements governance is the first step in building an SOP. You must also decide who will actually execute the requirements gathering processes, and what technology they will use to accomplish this. Planning for governance, resourcing, and technology is something that should be done repeatedly and at a higher strategic level than the more sequential steps of elicitation, analysis, and validation.

    Establish your target state for requirements gathering processes to have a cogent roadmap of what needs to be done

    Visualize how you want requirements to be gathered in your organization. Do not let elements of the current process restrict your thinking.

    • First, articulate the impetus for optimizing requirements management and establish clear goals.
    • Use these goals to drive the target state.

    For example:

    • If the goal is to improve the accuracy of requirements, then restructure the validation process.
    • If the goal is to improve the consistency of requirements gathering, then create SOPs or use electronic templates and tools.

    Refrain from only making small changes to improve the existing process. Think about the optimal way to structure the requirements gathering process.

    Define the attributes of a good requirement to help benchmark the type of outputs that you’re looking for

    Attributes of Good Requirements

    Verifiable – It is stated in a way that can be tested.

    Unambiguous – It is free of subjective terms and can only be interpreted in one way.

    Complete – It contains all relevant information.

    Consistent – It does not conflict with other requirements.

    Achievable – It is possible to accomplish given the budgetary and technological constraints.

    Traceable – It can tracked from inception to testing.

    Unitary – It addresses only one thing and cannot be decomposed into multiple requirements.

    Accurate – It is based on proven facts and correct information.

    Other Considerations:

    Organizations can also track a requirement owner, rationale, priority level (must have vs. nice to have), and current status (approved, tested, etc.).

    Info-Tech Insight

    Requirements must be solution agnostic – they should focus on the underlying need rather than the technology required to satisfy the need as it can be really easy to fall into the technology solution trap.

    Use Info-Tech’s Requirements Gathering Maturity Assessment tool to help conduct current and target state analysis

    Use the Requirements Gathering Maturity Assessment tool to help assess the maturity of your requirements gathering function in your organization, and identify the gaps between the current state and the target state. This will help focus your organization's efforts in closing the gaps that represent high-value opportunities.

    • On tab 2. Current State, use the drop-down responses to provide the answer that best matches your organization, where 1= Strongly disagree and 5 = Strongly agree. On tab 3. Target State, answer the same questions in relation to where your organization would like to be.
    • Based on your responses, tab 4. Maturity Summary will display a visual of the gap between the current and target state.

    Conduct a current and target state analysis

    1.2.1 – 1 hour

    Complete the Requirements Gathering Maturity Assessment tool to define your target state, and identify the gaps in your current state.

    Input
    • Current and target state maturity rating
    Output
    • Requirements gathering maturity summary
    Materials
    • Whiteboard
    • Markers
    Participants
    • BAs
    1. For each component of requirements gathering, write out a series of questions to evaluate your current requirements gathering practices. Use the Requirements Gathering Maturity Assessment tool to assist you in drafting questions.
    2. Review the questions in each category, and agree on a rating from 1-5 on their current maturity: 1= Strongly disagree and 5 = Strongly agree. (Note: it will likely be very rare that they would score a 5 in any category, even for the target state.)
    3. Once the assigned categories have been completed, have groups present their assessment to all, and ensure that there is consensus. Once consensus has been reached, input the information into the Current State tab of the tool to reveal the overall current state of maturity score for each category.
    4. Now that the current state is complete, go through each category and define the target state goals.
    5. Document any gaps or action items that need to be addressed.

    Example: Conduct a current and target state analysis

    The Requirements Gathering Maturity Assessment - Target State, with example data inputted.

    Select the project-specific KPIs that will be used to track the value of requirements gathering optimization

    You need to ensure your requirements gathering procedures are having the desired effect and adjust course when necessary. Establishing an upfront list of key performance indicators that will be benchmarked and tracked is a crucial step.

    • Without following up on requirements gathering by tracking project metrics and KPIs, organizations will not be able to accurately gauge if the requirements process re-engineering is having a tangible, measurable effect. They will also not be able to determine what changes (if any) need to be made to SOPs based on project performance.
    • This is a crucial step that many organizations overlook. Creating a retroactive list of KPIs is inadequate, since you must benchmark pre-optimization project metrics in order to assess and isolate the value generated by reducing errors and cycle time and increasing value of deployed applications.

    Establish requirements gathering performance metrics

    1.2.2 – 30 minutes

    Input
    • Historical metrics
    Output
    • Target performance metrics
    Materials
    • Whiteboard
    • Markers
    • Paper
    Participants
    • BAs
    1. Identify the following information for the last six months to one year:
      1. Average number of reworks to requirements.
      2. Number of change requests.
      3. Percent of feature utilization by end users.
      4. User adoption rate.
      5. Number of breaches in regulatory requirements.
      6. Percent of final deliverables implemented on time.
      7. End-user satisfaction score (if possible).
    2. As a group, look at each metric in turn and set your target metrics for six months to one year for each of these categories.

    Document the output from this exercise in section 2.2 of the Requirements Gathering SOP and BA Playbook.

    Visualize your current and target state process for requirements gathering with a business process model

    A business process model (BPM) is a simplified depiction of a complex process. These visual representations allow all types of stakeholders to quickly understand a process, how it affects them, and enables more effective decision making. Consider these areas for your model:

    Stakeholder Analysis

    • Identify who the right stakeholders are
    • Plan communication
    • Document stakeholder responsibilities in a RACI

    Elicitation Techniques

    • Get the right information from stakeholders
    • Document it in the appropriate format
    • Define business need
    • Enterprise analysis

    Documentation

    • How are outputs built?
    • Process flows
    • Use cases
    • Business rules
    • Traceability matrix
    • System requirements

    Validation & Traceability

    • Make sure requirements are accurate and complete
    • Trace business needs to requirements

    Managing Requirements

    • Organizing and prioritizing
    • Gap analysis
    • Managing scope
    • Communicating
    • Managing changes

    Supporting Tools

    • Templates to standardize
    • Checklists
    • Software to automate the process

    Your requirements gathering process will vary based on the project level

    It’s important to determine the project levels up front, as each project level will have a specific degree of elicitation, analysis, and validation that will need to be completed. That being said, not all organizations will have four levels.

    Level 4

    • Very high risk and complexity.
    • Projects that result in a transformative change in the way you do business. Level 4 projects affect all lines of business, multiple technology areas, and have significant costs and/or risks.
    • Example: Implement ERP

    Level 3

    • High risk and complexity.
    • Projects that affect multiple lines of business and have significant costs and/or risks.
    • Example: Implement CRM

    Level 2

    • Medium risk and complexity.
    • Projects with broader exposure to the business that present a moderate level of risk to business operations.
    • Example: Deploy Office 365

    Level 1

    • Low risk and complexity.
    • Routine/straightforward projects with limited exposure to the business and low risk of negative business impact.
    • Example: SharePoint Update

    Use Info-Tech’s Project Level Selection Tool to classify your project level and complexity

    1.3 Project Level Selection Tool

    The Project Level Selection Tool will classify your projects into four levels, enabling you to evaluate the risk and complexity of a particular project and match it with an appropriate requirements gathering process.

    Project Level Input

    • Consider the weighting criteria for each question and make any needed adjustments to better reflect how your organization values each of the criterion.
    • Review the option levels 1-4 for each of the six questions, and make any modifications necessary to better suit your organization.
    • Review the points assigned to each of the four buckets for each of the six questions, and make any modifications needed.

    Project Level Selection

    • Use this tab to evaluate the project level of each new project.
    • To do so, answer each of the questions in the tool.

    Define project levels – Level 1/2/3/4

    1.2.3 – 1 hour

    Input
    • Project level assessment criteria
    Output
    • Identification of project levels
    Materials
    • Whiteboard
    • Markers
    Participants
    • BAs

    Define the project levels to determine the appropriate requirements gathering process for each.

    1. Begin by asking participants to review the six criteria for assessing project levels as identified in the Project Level Selection Tool. Have participants review the list and ensure agreement around the factors. Create a chart on the board using Level 1, Level 2, Level 3, and Level 4 as column headings.
    2. Create a row for each of the chosen factors. Begin by filling in the chart with criteria for a level 4 project: What constitutes a level 4 project according to these six factors?
    3. Repeat the exercise for Level 3, Level 2, and Level 1. When complete, you should have a chart that defines the four project levels at your organization.
    4. Input this information into the tool, and ask participants to review the weighting factors and point allocations and make modifications where necessary.
    5. Input the details from one of the projects participants had selected prior to the workshop beginning and determine its project level. Discuss whether this level is accurate, and make any changes needed.

    Document the output from this exercise in section 2.3 of the Requirements Gathering SOP and BA Playbook.

    Define project levels

    1.2.3 – 1 hour

    Category Level 4 Level 3 Level 2 Level 1
    Scope of Change Full system update Full system update Multiple modules Minor change
    Expected Duration 12 months + 6 months + 3-6 months 0-3 months
    Impact Enterprise-wide, globally dispersed Enterprise-wide Department-wide Low users/single division
    Budget $1,000,000+ $500,000-1,000,000 $100,000-500,000 $0-100,000
    Services Affected Mission critical, revenue impacting Mission critical, revenue impacting Pervasive but not mission critical Isolated, non-essential
    Confidentiality Yes Yes No No

    Define project levels

    1.2.3 – 1 hour

    The tool is comprised of six questions, each of which is linked to at least one type of project risk.

    Using the answers provided, the tool will calculate a level for each risk category. Overall project level is a weighted average of the individual risk levels, based on the importance weighting of each type of risk set by the project manager.

    This tool is an excerpt from Info-Tech’s exhaustive Project Level Assessment Tool.

    The image shows the Project Level Tool, with example data filled in.

    Build your initial requirements gathering business process models: create different models based on project complexity

    1.2.4 – 30 minutes

    Input
    • Current requirements gathering process flow
    Output
    • Requirements gathering business process model
    Materials
    • Whiteboard
    • Markers
    Participants
    • BAs

    Brainstorm the ideal target business process flows for your requirements gathering process (by project level).

    1. As a group, create a process flow on the whiteboard that covers the entire requirements gathering lifecycle, incorporating the feedback from exercise 1.2.1. Draw the process with input from the entire group.
    2. After the process flow is complete, compare it to the best practice process flow on the following slide. You may want to create different process flows based on project level (i.e. a process model for Level 1 and 2 requirements gathering, and a process model for how to collect requirements for Level 3 and 4). As you work through the blueprint, revisit and refine these models – this is the initial brainstorming!

    Document the output from this exercise in section 2.4 of the Requirements Gathering SOP and BA Playbook.

    Example: requirements gathering business process model

    An example of the requirements gathering business process model. The model depicts the various stages of the requirements gathering process.

    Develop your BA team to accelerate collecting, analyzing, and translating requirements

    Having an SOP is important, but it should be the basis for training the people who will actually execute the requirements gathering process. Your BA team is critical for requirements gathering – they need to know the SOPs in detail, and you need to have a plan for recruiting those with an excellent skill set.

    • The designated BA(s) for the project have responsibility for end-to-end requirements management – they are responsible for executing the SOPs outlined in this blueprint, including elicitation, analysis, and validation of requirements during the project.
    • Designated BAs must work collaboratively with their counterparts in the business and IT (e.g. developer teams or procurement professionals) to ensure that the approved requirements are met in a timely and cost-effective manner.

    The ideal candidates for requirements gathering are technically savvy analysts (but not necessarily computer science majors) from the business who are already fluent with the business’ language and cognizant of the day-to-day challenges that take place. Organizationally, these BAs should be in a group that bridges IT and the business (such as an RGCOE or PMO) and be specialists rather than generalists in the requirements management space.

    A BA resourcing strategy is included in the SOP. Customize it to suit your needs.

    "Make sure your people understand the business they are trying to provide the solution for as well if not better than the business folks themselves." – Ken Piddington, CIO, MRE Consulting

    Use Info-Tech’s Business Requirements Analyst job description template for sourcing the right talent

    1.4 Business Requirements Analyst

    If you don’t have a trained group of in-house BAs who can execute your requirements gathering process, consider sourcing the talent from internal candidates or calling for qualified applicants. Our Business Requirements Analyst job description template can help you quickly get the word out.

    • Sometimes, you will have a dedicated set of BAs, and sometimes you won’t. In the latter case, the template covers:
      • Job Title
      • Description of Role
      • Responsibilities
      • Target Job Skills
      • Target Job Qualifications
    • The template is primarily designed for external hiring, but can also be used to find qualified internal candidates.

    Info-Tech Deliverable
    Download the Business Requirements Analyst job description template.

    Standardizing process begins with establishing expectations

    CASE STUDY

    Industry Government

    Source Info-Tech Workshop

    Challenge

    A mid-sized US municipality was challenged with managing stakeholder expectations for projects, including the collection and analysis of business requirements.

    The lack of a consistent approach to requirements gathering was causing the IT department to lose credibility with department level executives, impacting the ability of the team to engage project stakeholders in defining project needs.

    Solution

    The City contracted Info-Tech to help build an SOP to govern and train all BAs on a consistent requirements gathering process.

    The teams first set about establishing a consistent approach to defining project levels, defining six questions to be asked for each project. This framework would be used to assess the complexity, risk, and scope of each project, thereby defining the appropriate level of rigor and documentation required for each initiative.

    Results

    Once the project levels were defined, the team established a formalized set of steps, tools, and artifacts to be created for each phase of the project. These tools helped the team present a consistent approach to each project to the stakeholders, helping improve credibility and engagement for eliciting requirements.

    The project level should set the level of control

    Choose a level of control that facilitates success without slowing progress.

    No control Right-sized control Over-engineered control
    Final deliverable may not satisfy business or user requirements. Control points and communication are set at appropriate stage-gates to allow for deliverables to be evaluated and assessed before proceeding to the next phase. Excessive controls can result in too much time spent on stage-gates and approvals, which creates delays in the schedule and causes milestones to be missed.

    Info-Tech Insight

    Throughout the requirements gathering process, you need checks and balances to ensure that the projects are going according to plan. Now that we know our stakeholder, elicitation, and prioritization processes, we will set up the control points for each project level.

    Plan your communication with stakeholders

    Determine how you want to receive and distribute messages to stakeholders.

    Communication Milestones Audience Artifact Final Goal
    Project Initiation Project Sponsor Project Charter Communicate Goals and Scope of Project
    Elicitation Scheduling Selected Stakeholders (SMEs, Power Users) Proposed Solution Schedule Elicitation Sessions
    Elicitation Follow-Up Selected Stakeholders Elicitation Notes Confirm Accuracy of Notes
    First Pass Validation Selected Stakeholders Consolidated Requirements Validate Aggregated Requirements
    Second Pass Validation Selected Stakeholders Prioritized Requirements Validate Requirements Priority
    Eliminated Requirements Affected Stakeholders Out of Scope Requirements Affected Stakeholders Understand Impact of Eliminated Requirements
    Solution Selection High Authority/Expertise Stakeholders Modeled Solutions Select Solution
    Selected Solution High Authority/Expertise Stakeholders and Project Sponsor Requirements Package Communicate Solution
    Requirements Sign-Off Project Sponsor Requirements Package Obtain Sign-Off

    Setting control points – approvals and sign-offs

    # – Control Point: A decision requiring specific approval or sign-off from defined stakeholders involved with the project. Control points result in accepted or rejected deliverables/documents.

    A – Plan Approval: This control point requires a review of the requirements gathering plan, stakeholders, and elicitation techniques.

    B – Requirements Validation: This control point requires a review of the requirements documentation that indicates project and product requirements.

    C – Prioritization Sign-Off: This requires sign-off from the business and/or user groups. This might be sign-off to approve a document, prioritization, or confirm that testing is complete.

    D – IT or Peer Sign-Off: This requires sign-off from IT to approve technical requirements or confirm that IT is ready to accept a change.

    Match control points to project level and identify these in your requirements business process models

    1.2.5 – 45 minutes

    Input
    • Activity 1.2.4 business process diagram
    Output
    • Identify control points
    Materials
    • Whiteboard
    • Markers
    • Sticky notes
    Participants
    • Business stakeholders
    • BAs

    Define all of the key control points, required documentation, and involved stakeholders.

    1. On the board, post the initial business process diagram built in exercise 1.2.4. Have participants suggest appropriate control points. Write the control point number on a sticky note and place it where the control point should be.
    2. Now that we have identified the control points, consider each control point and define who will be involved in each one, who provides the approval to move forward, the documentation required, and the overall goal.

    Document the output from this exercise in section 6.1 of the Requirements Gathering SOP and BA Playbook.

    A savvy BA should clarify and confirm project scope prior to embarking on requirements elicitation

    Before commencing requirements gathering, it’s critical that your practitioners have a clear understanding of the initial business case and rationale for the project that they’re supporting. This is vital for providing the business context that elicitation activities must be geared towards.

    • Prior to commencing the requirements gathering phase, the designated BA should obtain a clear statement of scope or initial project charter from the project sponsor. It’s also advisable for the BA to have an in-person meeting with the project sponsor(s) to understand the overarching strategic or tactical impetus for the project. This initial meeting should be less about eliciting requirements and more about understanding why the project is moving forward, and the business processes it seeks to enable or re-engineer (the target state).
    • During this meeting, the BA should seek to develop a clear understanding of the strategic rationale for why the project is being undertaken (the anticipated business benefits) and why it is being undertaken at this time. If the sponsor has any business process models they can share, this would be a good time to review them.

    During requirements gathering, BAs should steer clear of solutions and focus on capturing requirements. Focus on traceable, hierarchical, and testable requirements. Focusing on solution design means you are out of requirements mode.

    Identify constraints early and often, and ensure that they are adequately communicated to project sponsors and end users

    Constraints come in many forms (i.e. financial, regulatory, and technological). Identifying these constraints prior to entering requirements gathering enables you to remain alert; you can separate what is possible from what is impossible, and set stakeholder expectations accordingly.

    • Most organizations don’t inventory their constraints until after they’ve gathered requirements. This is dangerous, as clients may inadvertently signal to end users or stakeholders that an infeasible requirement is something they will pursue. As a result, stakeholders are disappointed when they don’t see it materialize.
    • Organizations need to put advanced effort into constraint identification and management. Too much time is wasted pursuing requirements that aren't feasible given existing internal (e.g. budgets and system) and external (e.g. legislative or regulatory) constraints.
    • Organizations need to manage diverse stakeholders for requirements analysis. Communication will not always be solely with internal teams, but also with suppliers, customers, vendors, and system integrators.

    Stakeholder management is a critical aspect of the BA’s role. Part of the BA’s responsibility is prioritizing solutions and demonstrating to stakeholders the level of effort required and the value attained.

    A graphic, with an arrow running down the left side, pointing downward, which is labelled Constraint Malleability. On the right side of the arrow are three rounded arrows, stacked. The top arrow is labelled Legal/Regulatory Constraints, the second is labelled System/Technical Constraints and the third is labelled Stakeholder Constraints

    Conduct initial brainstorming on the scope of a selected enterprise application project (real or a sample of your choice)

    1.2.6 – 30 minutes

    Input
    • Project details
    Output
    • Initial project scoping
    Materials
    • Whiteboard
    • Markers
    Participants
    • Business stakeholders

    Begin the requirements gathering process by conducting some initial scoping on why we are doing the project, the goals, and the constraints.

    1. Share the project intake form/charter with each member of the group, and give them a few minutes to read over the project details.
    2. On the board write the project topic and three sub-topics:
      • Why does the business want this?
      • What do you want customers (end users) to be able to do?
      • What are the constraints?
    3. As a group, brainstorm answers to each of these questions and write them on the board.

    Example: Conduct initial brainstorming on the project

    Image shows an example for initial brainstorming on a project. The image shows the overall idea, Implement CRM, with question bubbles emerging out of it, and space left blank to brainstorm the answers to those questions.

    Identify stakeholders that must be consulted during the elicitation part of the process; get a good spectrum of subject matter experts (SMEs)

    Before you can dive into most elicitation techniques, you need to know who you’re going to speak with – not all stakeholders hold the same value.

    There are two broad categories of stakeholders:

    Customers: Those who ask for a system/project/change but do not necessarily use it. These are typically executive sponsors, project managers, or interested stakeholders. They are customers in the sense that they may provide the funding or budget for a project, and may have requests for features and functionality, but they won’t have to use it in their own workflows.

    Users: Those who may not ask for a system but must use it in their routine workflows. These are your end users, those who will actually interact with the system. Users don’t necessarily have to be people – they can also be other systems that will require inputs or outputs from the proposed solution. Understand their needs to best drive more granular functional requirements.

    "The people you need to make happy at the end of the day are the people who are going to help you identify and prioritize requirements." – Director of IT, Municipal Utilities Provider

    Need a hand with stakeholder identification? Leverage Info-Tech’s Stakeholder Planning Tool to catalog and prioritize the stakeholders your BAs will need to contact during the elicitation phase.

    Exercise: Identify and analyze stakeholders for the application project prior to beginning formal elicitation

    1.2.7 – 45 minutes

    Input
    • List of stakeholders
    Output
    • Stakeholder analysis
    Materials
    • Whiteboard
    • Markers
    • Sticky notes
    Participants
    • BAs

    Practice the process for identifying and analyzing key stakeholders for requirements gathering.

    1. As a group, generate a complete list of the project stakeholders. Consider who is involved in the problem and who will be impacted by the solution, and record the names of these stakeholders/stakeholder groups on a sticky note. Categories include:
      1. Who is the project sponsor?
      2. Who are the user groups?
      3. Who are the project architects?
      4. Who are the specialty stakeholders (SMEs)?
      5. Who is your project team?
    2. Now that you’ve compiled a complete list, review each user group and indicate their level of influence against their level of involvement in the project to create a stakeholder power map by placing their sticky on a 2X2 grid.
    3. At the end of the day, record this list in the Requirements Gathering Communication Tracking Template.

    Use Info-Tech’s Requirements Gathering Communication Tracking Template

    1.5 Requirements Gathering Communication Tracking Template

    Use the Requirements Gathering Communication Tracking Template for structuring and managing ongoing communications among key requirements gathering implementation stakeholders.

    An illustration of the Stakeholder Power Map Template tab of the Requirements Gathering Communication Tracking Template

    Use the Stakeholder Power Map tab to:

    • Identify the stakeholder's name and role.
    • Identify their position on the power map using the drop-down menu.
    • Identify their level of support.
    • Identify resisters' reasons for resisting as: unwilling, unable, and/or unknowing.
    • Identify which committees they currently sit on, and which they will sit on in the future state.
    • Identify any key objections the stakeholder may have.

    Use the Communication Management Plan tab to:

    • Identify the vehicle/communication medium (status update, meeting, training, etc.).
    • Identify the audience for the communication.
    • Identify the purpose for communication.
    • Identify the frequency.
    • Identify who is responsible for the communication.
    • Identify how the communication will be distributed, and the level of detail.

    Right-size your investments in requirements management technology; sometimes the “suite spot” isn’t necessary

    Recording and analyzing requirements needs some kind of tool, but don’t overinvest in a dedicated suite if you can manage with a more inexpensive solution (such as Word, Excel, and/or Visio). Top-tier solutions may be necessary for an enterprise ERP deployment, but you can use a low-cost solution for low-level productivity application.

    • Many companies do things in the wrong order. Organizations need to right-size the approach that they take to recording and analyzing requirements. Taking the suite approach isn’t always better – often, inputting the requirements into Word or Excel will suffice. An RM suite won’t solve your problems by itself.
    • If you’re dealing with strategic approach or calculated approach projects, their complexity likely warrants a dedicated RM suite that can trace system dependencies. If you’re dealing with primarily elementary or fundamental approach projects, use a more basic tool.

    Your SOP guide should specify the technology platform that your analysts are expected to use for initial elicitation as well as analysis and validation. You don’t want them to use Word if you’ve invested in a full-out IBM RM solution.

    The graphic shows a pyramid shape next to an arrow, pointing up. The arrow is labelled Project Complexity. The pyramid includes three text boxes, reading (from top to bottom) Dedicated RM Suite; RM Module in PM Software; and Productivity APP (Word/Excel/Visio)

    If you need to opt for a dedicated suite, these vendors should be strong contenders in your consideration set

    Dedicated requirements management suites are a great (although pricey) way to have full control over recording, analysis, and hierarchical categorization of requirements. Consider some of the major vendors in the space if Word, Excel, and Visio aren’t suitable for you.

    • Before you purchase a full-scale suite or module for requirements management, ensure that the following contenders have been evaluated for your requirements gathering technology strategy:
      • Micro Focus Requirements Management
      • IBM Requisite Pro
      • IBM Rational DOORS
      • Blueprint Requirements Management
      • Jama Software
      • Polarion Software (a Siemens Company)

    A mid-sized consulting company overhauls its requirement gathering software to better understand stakeholder needs

    CASE STUDY

    Industry Consulting

    Source Jama Software

    Challenge

    ArcherPoint is a leading Microsoft Partner responsible for providing business solutions to its clients. Its varied customer base now requires a more sophisticated requirements gathering software.

    Its process was centered around emailing Word documents, creating versions, and merging issues. ArcherPoint recognized the need to enhance effectiveness, efficiency, and accuracy of requirements gathering through a prescriptive set of elicitation procedures.

    Solution

    The IT department at ArcherPoint recognized that a strong requirements gathering process was essential to delivering value to stakeholders. It needed more scalable and flexible requirements gathering software to enhance requirements traceability. The company implemented SaaS solutions that included traceability and seamless integration features.

    These features reduced the incidences of repetition, allowed for tracing of requirements relationships, and ultimately led to an exhaustive understanding of stakeholders’ needs.

    Results

    Projects are now vetted upon an understanding of the business client’s needs with a thorough requirements gathering collection and analysis.

    A deeper understanding of the business needs also allows ArcherPoint to better understand the roles and responsibilities of stakeholders. This allows for the implementation of structures and policies which makes the requirements gathering process rigorous.

    There are different types of requirements that need to be gathered throughout the elicitation phase

    Business Requirements

    • Higher-level statements of the goals, objectives, or needs of the enterprise.
    • Describe the reasons why a project has been initiated, the objectives that the project will achieve, and the metrics that will be used to measure its success.
    • Business requirements focus on the needs of the organization as a whole, not stakeholders within it.
    • Business requirements provide the foundation on which all further requirements analysis is based:
      • Ultimately, any detailed requirements must map to business requirements. If not, what business need does the detailed requirement fulfill?

    Stakeholder Requirements

    • Statements of the needs of a particular stakeholder or class of stakeholders, and how that stakeholder will interact with a solution.
    • Stakeholder requirements serve as a bridge between business requirements and the various classes of solution requirements.
    • When eliciting stakeholder requirements, other types of detailed requirements may be identified. Record these for future use, but keep the focus on capturing the stakeholders’ needs over detailing solution requirements.

    Solution options or preferences are not requirements. Be sure to identify these quickly to avoid being forced into untimely discussions and sub-optimal solution decisions.

    Requirement types – a quick overview (continued)

    Solution Requirements: Describe the characteristics of a solution that meet business requirements and stakeholder requirements. They are frequently divided into sub-categories, particularly when the requirements describe a software solution:

    Functional Requirements

    • Describe the behavior and information that the solution will manage. They describe capabilities the system will be able to perform in terms of behaviors or operations, i.e. specific information technology application actions or responses.
    • Functional requirements are not detailed solution specifications; rather, they are the basis from which specifications will be developed.

    Non-Functional Requirements

    • Capture conditions that do not directly relate to the behavior or functionality of the solution, but rather describe environmental conditions under which the solution must remain effective or qualities that the systems must have. These can include requirements related to capacity, speed, security, availability, and the information architecture and presentation of the user interface.
    • Non-functional requirements often represent constraints on the ultimate solution. They tend to be less negotiable than functional requirements.
    • For IT solutions, technical requirements would fit in this category.
    Info-Tech Insight

    Remember that solution requirements are distinct from solution specifications; in time, specifications will be developed from the requirements. Don’t get ahead of the process.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    1.2.1 Conduct current and target state analysis

    An analyst will facilitate a discussion to assess the maturity of your requirements gathering process and identify any gaps in the current state.

    1.2.2 Establish requirements gathering performance metrics

    Speak to an analyst to discuss and determine key metrics for measuring the effectiveness of your requirements gathering processes.

    1.2.4 Identify your requirements gathering business process model

    An analyst will facilitate a discussion to determine the ideal target business process flow for your requirements gathering.

    1.2.3; 1.2.5 Define control levels and match control points

    An analyst will assist you with determining the appropriate requirements gathering approach for different project levels. The discussion will highlight key control points and define stakeholders who will be involved in each one.

    1.2.6; 1.2.7 Conduct initial scoping and identify key stakeholders

    An analyst will facilitate a discussion to highlight the scope of the requirements gathering optimization project as well as identify and analyze key stakeholders in the process.

    Phase 2: Define the Elicitation Process

    Phase 2 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 2: Define the Elicitation Process

    Proposed Time to Completion: 2 weeks

    Step 2.1: Determine Elicitation Techniques

    Start with an analyst kick off call:

    • Understand and assess elicitation techniques.
    • Determine best fit to projects and business environment.

    Then complete these activities…

    • Understand different elicitation techniques.
    • Record the approved elicitation techniques.
    Step 2.2: Structure Elicitation Output

    Review findings with analyst:

    • Review options for structuring the output of requirements elicitation.
    • Build the requirements gathering operating model.

    Then complete these activities…

    • Build use case model.
    • Use table-top testing to build use case models.
    • Build the operating model.

    With these tools & templates:

    • Business Requirements Document Template
    • Scrum Documentation Template
    Phase 2 Results & Insights:
    • Best practices for conducting and structuring elicitation.

    Step 2.1: Determine Elicitation Techniques

    Phase 1

    1.1 Understand the Benefits of Requirements Optimization

    1.2 Determine Your Target State for Requirements Gathering

    Phase 2

    2.1 Determine Elicitation Techniques

    2.2 Structure Elicitation Output

    Phase 3

    3.1 Create Analysis Framework

    3.2 Validate Business Requirements

    Phase 4

    4.1 Create Control Processes for Requirements Changes

    4.2 Build Requirements Governance and Communication Plan

    This step will walk you through the following activities:

    • Understand requirements elicitation techniques.

    This step involves the following participants:

    • BAs
    • Business stakeholders

    Outcomes of this step

    • Select and record best-fit elicitation techniques.

    Eliciting requirements is all about effectively creating the initial shortlist of needs the business has for an application

    The image is the Requirements Gathering Framework, shown earlier. All parts of the framework are greyed-out, except for the arrow containing the word Elicit in the center of the image, with three bullet points beneath it that read: Prepare; Conduct; Confirm.

    The elicitation phase is where the BAs actually meet with project stakeholders and uncover the requirements for the application. Major tasks within this phase include stakeholder identification, selecting elicitation techniques, and conducting the elicitation sessions. This phase involves the most information gathering and therefore requires a significant amount of time to be done properly.

    Good requirements elicitation leverages a strong elicitation framework and executes the right elicitation techniques

    A mediocre requirements practitioner takes an order taker approach to elicitation: they elicit requirements by showing up to a meeting with the stakeholder and asking, “What do you want?” This approach frequently results in gaps in requirements, as most stakeholders cannot free-form spit out an accurate inventory of their needs.

    A strong requirements practitioner first decides on an elicitation framework – a mechanism to anchor the discussion about the business requirements. Info-Tech recommends using business process modelling (BPM) as the most effective framework. The BA can now work through several key questions:

    • What processes will this application need to support?
    • What does the current process look like?
    • How could we improve the process?
    • In a target state process map, what are the key functional requirements necessary to support this?

    The second key element to elicitation is using the right blend of elicitation techniques: the tactical approach used to actually collect the requirements. Interviews are the most popular means, but focus groups, JAD sessions, and observational techniques can often yield better results – faster. This section will touch on BPM/BPI as an elicitation framework, then do deep dive on different elicitation techniques.

    The elicitation phase of most enterprise application projects follows a similar four-step approach

    Prepare

    Stakeholders must be identified, and elicitation frameworks and techniques selected. Each technique requires different preparation. For example, brainstorming requires ground rules; focus groups require invitations, specific focus areas, and meeting rooms (perhaps even cameras). Look at each of these techniques and discuss how you would prepare.

    Conduct

    A good elicitor has the following underlying competencies: analytical thinking, problem solving, behavioral characteristics, business knowledge, communication skills, interaction skills, and proficiency in BA tools. In both group and individual elicitation techniques, interpersonal proficiency and strong facilitation is a must. A good BA has an intuitive sense of how to manage the flow of conversations, keep them results-oriented, and prevent stakeholder tangents or gripe sessions.

    Document

    How you document will depend on the technique you use. For example, recording and transcribing a focus group is probably a good idea, but you still need to analyze the results and determine the actual requirements. Use cases demand a software tool – without one, they become cumbersome and unwieldy. Consider how you would document the results before you choose the technique. Some analysts prefer to use solutions like OneNote or Evernote for capturing the raw initial notes, others prefer pen and paper: it’s what works best for the BA at hand.

    Confirm

    Review the documentation with your stakeholder and confirm the understanding of each requirement via active listening skills. Revise requirements as necessary. Circulating the initial notes of a requirements interview or focus group is a great practice to get into – it ensures jargon and acronyms are correctly captured, and that nothing has been lost in the initial translation.

    BPM is an extremely useful framework for framing your requirements elicitation discussions

    What is BPM? (Source: BPMInstitute.org)

    BPMs can take multiple forms, but they are created as visual process flows that depict a series of events. They can be customized at the discretion of the requirements gathering team (swim lanes, legends, etc.) based on the level of detail needed from the input.

    When to use them?

    BPMs can be used as the basis for further process improvement or re-engineering efforts for IT and applications projects. When the requirements gathering process owner needs to validate whether or not a specific step involved in the process is necessary, BPM provides the necessary breakdown.

    What’s the benefit?

    Different individuals absorb information in a variety of ways. Visual representations of a process or set of steps tend to be well received by a large sub-set of individuals, making BPMs an effective analysis technique.

    This related Info-Tech blueprint provides an extremely thorough overview of how to leverage BPM and process improvement approaches.

    Use a SIPOC table to assist with zooming into a step in a BPM to help define requirements

    Build a Sales Report
    • Salesforce
    • Daily sales results
    • Sales by product
    • Sales by account rep
    • Receive customer orders
    • Process invoices
    • GL roll-up
    • Sales by region
    • Sales by rep
    • Director of Sales
    • CEO
    • Report is accurate
    • Report is timely
    • Balance to GL
    • Automated email notification

    Source: iSixSigma

    Example: Extract requirements from a BPM for a customer service solution

    Look at an example for a claims process, and focus on the Record Claim task (event).

    Task Input Output Risks Opportunities Condition Sample Requirements
    Record Claim Customer Email Case Record
    • An agent accidentally misses the email and the case is not submitted.
    • The contents of the email are not properly ported over into the case for the claim.
    • The claim is routed to the wrong recipient within the claims department.
    • There is translation risk when the claim is entered in another language from which it is received.
    • Reduce the time to populate a customer’s claim information into the case.
    • Automate the data capture and routing.
    • Pre-population of the case with the email contents.
    • Suggested routing based on the nature of the case.
    • Multi-language support.

    Business:

    • The system requires email-to-case functionality.

    Non-Functional:

    • The cases must be supported in multiple languages.
    • Case management requires Outlook integration.

    Functional:

    • The case must support the following information:
    • Title; Customer; Subject; Case Origin; Case Type; Owner; Status; Priority
    • The system must pre-populate the claims agent based on the nature of the case.

    The image is an excerpt from a table, with the title Claims Process at the top. The top row is labelled Customer Service, and includes a textbox that reads Record Claim. The bottom row is labelled Claims, and includes a textbox that reads Manage Claim. A downward-pointing arrow connects the two textboxes.

    Identify the preferred elicitation techniques in your requirements gathering SOP: outline order of operations

    Conducting elicitation typically takes the greatest part of the requirements management process. During elicitation, the designated BA(s) should be reviewing documentation, and conducting individual and group sessions with key stakeholders.

    • When eliciting requirements, it’s critical that your designated BAs use multiple techniques; relying only on stakeholder interviews while neglecting to conduct focus groups and joint whiteboarding sessions will lead to trouble.
    • Avoid makeshift solutions by focusing on target state requirements, but don’t forget about the basic user needs. These can often be neglected because one party assumes that the other already knows about them.
    • The SOP guide should provide your BAs with a shortlist of recommended/mandated elicitation techniques based on business scenarios (examples in this section). Your SOP should also suggest the order in which BAs use the techniques for initial elicitation. Generally, document review comes first, followed by group, individual, and observational techniques.

    Elicitation is an iterative process – requirements should be refined in successive steps. If you need more information in the analysis phases, don’t be afraid to go back and conduct more elicitation.

    Understand different elicitation techniques

    2.1.1 – 1 hour

    Input
    • Elicitation techniques
    Output
    • Elicitation technique assessment
    Materials
    • Whiteboard
    • Markers
    • Paper
    Participants
    • BAs
    1. For this exercise, review the following elicitation techniques: observation, document review, surveys, focus groups, and interviews. Use the material in the next slides to brainstorm around the following questions:
      1. What types of information can the technique be used to collect?
      2. Why would you use this technique over others?
      3. How will you prepare to use the technique?
      4. How will you document the technique?
      5. Is this technique suitable for all projects?
      6. When wouldn’t you use it?
    2. Have each group present their findings from the brainstorming to the group.

    Document any changes to the elicitation techniques in section 4.0 of the Requirements Gathering SOP and BA Playbook.

    Understand different elicitation techniques – Interviews

    Technique Description Assessment and Best Practices Stakeholder Effort BA Effort
    Structured One-on-One Interview In a structured one-on-one interview, the BA has a fixed list of questions to ask the stakeholder and follows up where necessary. Structured interviews provide the opportunity to quickly home in on areas of concern that were identified during process mapping or group elicitation techniques. They should be employed with purpose, i.e. to receive specific stakeholder feedback on proposed requirements or to help identify systemic constraints. Generally speaking, they should be 30 minutes or less. Low Medium
    Unstructured One-on-One Interview In an unstructured one-on-one interview, the BA allows the conversation to flow free form. The BA may have broad themes to touch on but does not run down a specific question list. Unstructured interviews are most useful for initial elicitation, when brainstorming a draft list of potential requirements is paramount. Unstructured interviews work best with senior stakeholders (sponsors or power users), since they can be time consuming if they’re applied to a large sample size. It’s important for BAs not to stifle open dialogue and allow the participants to speak openly. They should be 60 minutes or less. Medium Low
    Info-Tech Insight

    Interviews should be used with high-value targets. Those who receive one-on-one face time can help generate good requirements, as well as allow effective communication around requirements at a later point (i.e. during the analysis and validation phases).

    Understand the diverse approaches for interviews

    Use a clear interview approach to guide the preparation, facilitation styles, participants, and interview schedules you manage for a specific project.

    Depending on your stakeholder audience and interview objectives, apply one or more of the following approaches to interviews.

    Interview Approaches

    • Unstructured
    • Semi-structured
    • Structured

    The Benefits of Interviews

    Fosters direct engagement

    IT is able to hear directly from stakeholders about what they are looking to do with a solution and the level of functionality that they expect from it.

    Offers greater detail

    With interviews, a greater degree of insight can be gained by leveraging information that wouldn’t be collected through traditional surveys. Face-to-face interactions provide thorough answers and context that helps inform requirements.

    Removes ambiguity

    Face-to-face interactions allow opportunities for follow-up around ambiguous answers. Clarify what stakeholders are looking for and expect in a project.

    Enables stakeholder management

    Interviews are a direct line of communication with a project stakeholder. They provide input and insight, and help to maintain alignment, plan next steps, and increase awareness within the IT organization.

    Select an interview structure based on project objectives and staff types

    Consider stakeholder types and characteristics, in conjunction with the best way to maximize time, when selecting which of the three interview structures to leverage during the elicitation phase of requirements gathering.

    Structured Interviews

    • Interviews conducted using this structure are modelled after the typical Q&A session.
    • The interviewer asks the participant a variety of closed-ended questions.
    • The participant’s response is limited to the scope of the question.

    Semi-Structured Interviews

    • The interviewer may prepare a guide, but it acts as more of an outline.
    • The goal of the interview is to foster and develop conversation.
    • Participants have the ability to answer questions on broad topics without compromising the initial guide.

    Unstructured Interviews

    • The interviewer may have a general interview guide filled with open-ended questions.
    • The objective of the questions is to promote discussion.
    • Participants may discuss broader themes and topics.

    Select the best interview approach

    Review the following questions to determine what interview structure you should utilize. If you answer the question with “Yes,” then follow the corresponding recommendations for the interview elements.

    Question Structure Type Facilitation Technique # of Participants
    Do you have to interview multiple participants at once because of time constraints? Semi-structured Discussion 1+
    Does the business or stakeholders want you to ask specific questions? Structured Q&A 1
    Have you already tried an unsuccessful survey to gather information? Semi-structured Discussion 1+
    Are you utilizing interviews to understand the area? Unstructured Discussion 1+
    Do you need to gather requirements for an immediate project? Structured Q&A 1+

    Decisions to make for interviews

    Interviews should be used with high-value targets. Those who receive one-on-one face time can help generate good requirements and allow for effective communication around requirements during the analysis and validation stages.

    Who to engage?

    • Individuals with an understanding of the project scope, constraints and considerations, and high-level objectives.
    • Project stakeholders from across different functional units to solicit a varied set of requirement inputs.

    How to engage?

    • Approach selected interview candidate(s) with a verbal invitation to participate in the requirements gathering process for [Project X].
    • Take the initiative to book time in the candidate’s calendar. Include in your calendar invitation a description of the preparation required for the interview, the anticipated outputs, and a brief timeline agenda for the interview itself.

    How to drive participant engagement?

    • Use introductory interview questions to better familiarize yourself with the interviewee and to create an environment in which the individual feels welcome and at ease.
    • Once acclimatized, ensure that you hold the attention of the interviewee by providing further probing, yet applicable, interview questions.

    Manage each point of the interaction in the interview process

    Interviews generally follow the same workflow regardless of which structure you select. You must manage the process to ensure that the interview runs smoothly and results in an effective gathering requirements process.

    1. Prep Schedule
      • Recommended Actions
        • Send an email with a proposed date and time for the meeting.
        • Include an overview of what you will be discussing.
        • Mention if other people will be joining (if group interview).
    2. Meeting Opening
      • Recommended Actions
        • Provide context around the meeting’s purpose and primary focal points.
        • Let interviewee(s) know how long the interview will last.
        • Ask if they have any blockers that may cause the meeting to end early.
    3. Meeting Discussion
      • Recommended Actions
        • Ask questions and facilitate discussion in accordance with the structure you have selected.
        • Ensure that the meeting’s dialogue is being either recorded using written notes (if possible) or a voice recorder.
    4. Meeting Wrap-Up
      • Recommended Actions
        • Provide a summary of the big findings and what was agreed upon.
        • Outline next steps or anything else you will require from the participant.
        • Let the interviewee(s) know that you will follow up with interview notes, and will require feedback from them.
    5. Meeting Follow-Up
      • Recommended Actions
        • Send an overview of what was covered and agreed upon during the interview.
        • Show the mock-ups of your work based on the interview, and solicit feedback.
        • Give the interviewee(s) the opportunity to review your notes or recording and add value where needed.

    Solve the problem before it occurs with interview troubleshooting techniques

    The interview process may grind to a halt due to challenging situations. Below are common scenarios and corresponding troubleshooting techniques to get your interview back on track.

    Scenario Technique
    Quiet interviewee Begin all interviews by asking courteous and welcoming questions. This technique will warm the interviewee up and make them feel more comfortable. Ask prompting questions during periods of silence in the interview. Take note of the answers provided by the interviewee in your interview guide, along with observations and impact statements that occur throughout the duration of the interview process.
    Disgruntled interviewee Avoid creating a hostile environment by eliminating the interviewee’s perception that you are choosing to focus on issues that the interviewee feels will not be resolved. Ask questions to contextualize the issue. For example, ask why they feel a particular way about the issue, and determine whether they have valid concerns that you can resolve.
    Interviewee has issues articulating their answer Encourage the interviewee to use a whiteboard or pen and paper to kick start their thought process. Make sure you book a room with these resources readily available.

    Understand different elicitation techniques – Observation

    Technique Description Assessment and Best Practices Stakeholder Effort BA Effort
    Casual Observation The process of observing stakeholders performing tasks where the stakeholders are unaware they are being observed. Capture true behavior through observation of stakeholders performing tasks without informing them they are being observed. This information can be valuable for mapping business process; however, it is difficult to isolate the core business activities from unnecessary actions. Low Medium
    Formal Observation The process of observing stakeholders performing tasks where the stakeholders are aware they are being observed. Formal observation allows BAs to isolate and study the core activities in a business process because the stakeholder is aware they are being observed. Stakeholders may become distrusting of the BA and modify their behavior if they feel their job responsibilities or job security are at risk Low Medium

    Info-Tech Insight

    Observing stakeholders does not uncover any information about the target state. Be sure to use contextual observation in conjunction with other techniques to discover the target state.

    Understand different elicitation techniques – Surveys

    Technique Description Assessment and Best Practices Stakeholder Effort BA Effort
    Closed-Response Survey A survey that has fixed responses for each answer. A Likert-scale (or similar measures) can be used to have respondents evaluate and prioritize possible requirements. Closed response surveys can be sent to large groups and used to quickly gauge user interest in different functional areas. They are easy for users to fill out and don’t require a high investment of time. However, their main deficit is that they are likely to miss novel requirements not listed. As such, closed response surveys are best used after initial elicitation or brainstorming to validate feature groups. Low Medium
    Open-Response Survey A survey that has open-ended response fields. Questions are fixed, but respondents are free to populate the field in their own words. Open-response surveys take longer to fill out than closed, but can garner deeper insights. Open-response surveys are a useful supplement (and occasionally replacement) for group elicitation techniques, like focus groups, when you need to receive an initial list of requirements from a broad cross-section of stakeholders. Their primary shortcoming is the analyst can’t immediately follow up on interesting points. However, they are particularly useful for reaching stakeholders who are unavailable for individual one-on-ones or group meetings. Low Medium

    Info-Tech Insight

    Surveys can be useful mechanisms for initial drafting of raw requirements (open-response) and gauging user interest in proposed requirements or feature sets (closed-response). However, they should not be the sole focus of your elicitation program due to lack of interactivity and two-way dialogue with the BA.

    Be aware: Know the implications of leveraging surveys

    What are surveys?

    Surveys take a sample population’s written responses for data collection. Survey respondents can identify themselves or choose to remain anonymous. Anonymity removes the fear of repercussions for giving critical responses to sensitive topics.

    Who needs to be involved?

    Participants of a survey include the survey writer, respondent(s), and results compiler. There is a moderate amount of work that comes from both the writer and compiler, with little work involved on the end of the respondent.

    What are the benefits?

    The main benefit of surveys is their ability to reach large population groups and segments without requiring personal interaction, thus saving money. Surveys are also very responsive and can be created and modified rapidly to address needs as they arise on an on-going basis.

    When is it best to employ a survey method?

    Surveys are most valuable when completed early in the requirements gathering stage.

    Intake and Scoping → Requirements Gathering → Solution Design → Development/ Procurement → Implementation/ Deployment

    When a project is announced, develop surveys to gauge what users consider must-have, should-have, and could-have requirements.

    Use surveys to profile the demand for specific requirements.

    It is often difficult to determine if requirements are must haves or should haves. Surveys are a strong method to assist in narrowing down a wide range of requirements.

    • If all survey respondents list the same requirement, then that requirement is a must have.
    • If no participants mention a requirement, then that requirement is not likely to be important to project success.
    • If the results are scattered, it could be that the organization is unsure of what is needed.

    Are surveys worth the time and effort? Most of the time.

    Surveys can generate insights. However, there are potential barriers:

    • Well-constructed surveys are difficult to make – asking the right questions without being too long.
    • Participants may not take surveys seriously, giving non-truthful or half-hearted answers.

    Surveys should only be done if the above barriers can easily be overcome.

    Scenario: Survey used to gather potential requirements

    Scenario

    There is an unclear picture of the business needs and functional requirements for a solution.

    Survey Approach

    Use open-ended questions to allow respondents to propose requirements they see as necessary.

    Sample questions

    • What do you believe _______ (project) should include to be successful?
    • How can _______ (project) be best made for you?
    • What do you like/dislike about ________ (process that the project will address)?

    What to do with your results

    Take a step back

    If you are using surveys to elicit a large number of requirements, there is probably a lack of clear scope and vision. Focus on scope clarification. Joint development sessions are a great technique for defining your scope with SMEs.

    Moving ahead

    • Create additional surveys. Additional surveys can help narrow down the large list of requirements. This process can be reiterated until there is a manageable number of requirements.
    • Move onto interviews. Speak directly with the users to get a grasp of the importance of the requirements taken from surveys.

    Employ survey design best practices

    Proper survey design determines how valuable the responses will be. Review survey principles released by the University of Wisconsin-Madison.

    Provide context

    Include enough detail to contextualize questions to the employee’s job duties.

    Where necessary:

    • Include conditions
    • Timeline considerations
    • Additional pertinent details

    Give clear instructions

    When introducing a question identify if it should be answered by giving one answer, multiple answers, or a ranking of answers.

    Avoid IT jargon

    Ensure the survey’s language is easily understood.

    When surveying colleagues from the business use their own terms, not IT’s.

    E.g. laptops vs. hardware

    Saying “laptops” is more detailed and is a universal term.

    Use ranges

    Recommended:

    In a month your Outlook fails:

    • 1-3 times
    • 4-7 times
    • 7+ times

    Not Recommended:

    Your Outlook fails:

    • Almost never
    • Infrequently
    • Frequently
    • Almost always

    Keep surveys short

    Improve responses and maintain stakeholder interest by only including relevant questions that have corresponding actions.

    Recommended: Keep surveys to ten or less prompts.

    Scenario: Survey used to narrow down requirements

    Scenario

    There is a large list of requirements and the business is unsure of which ones to further pursue.

    Survey Approach

    Use closed-ended questions to give degrees of importance and rank requirements.

    Sample questions

    • How often do you need _____ (requirement)?
      • 1-3 times a week; 4-6 times a week; 7+ times a week
    • Given the five listed requirements below, rank each requirement in order of importance, with 1 being the most important and 5 being the least important.
    • On a scale from 1-5, how important is ________ (requirement)?
      • 1 – Not important at all; 2 – Would provide minimal benefit; 3 – Would be nice to have; 4 – Would provide substantial benefit; 5 – Crucial to success

    What to do with your results

    Determine which requirements to further explore

    Avoid simply aggregating average importance and using the highest average as the number-one priority. Group the highest average importance requirements to be further explored with other elicitation techniques.

    Moving ahead

    The group of highly important requirements needs to be further explored during interviews, joint development sessions, and rapid development sessions.

    Scenario: Survey used to discover crucial hidden requirements

    Scenario

    The business wanted a closer look into a specific process to determine if the project could be improved to better address process issues.

    Survey Approach

    Use open-ended questions to allow employees to articulate very specific details of a process.

    Sample questions

    • While doing ________ (process/activity), what part is the most frustrating to accomplish? Why?
    • Is there any part of ________ (process/activity) that you feel does not add value? Why?
    • How would you improve _________ (process/activity)?

    What to do with your results

    Set up prototyping

    Prototype a portion with the new requirement to see if it meets the user’s needs. Joint application development and rapid development sessions pair developers and users together to collaboratively build a solution.

    Next steps

    • Use interviews to begin solution mapping. Speak to SMEs and the users that the requirement would affect. Understand how to properly incorporate the discovered requirement(s) into the solution.
    • Create user stories. User stories allow developers to step into the shoes of the users. Document the user’s requirement desires and their reason for wanting it. Give those user stories to the developers.

    Explore mediums for survey delivery

    Online

    Free online surveys offer quick survey templates but may lack customization. Paid options include customizable features. Studies show that most participants find web-based surveys more appealing, as web surveys tend to have a higher rate of completion.

    Potential Services (Not a comprehensive list)

    SurveyMonkey – free and paid options

    Good Forms – free options

    Ideal for:

    • Low complexity surveys
    • High complexity surveys
    • Quick responses
    • Low cost (free survey options)

    Paper

    Paper surveys offer complete customizability. However, paper surveys take longer to distribute and record, and are also more expensive to administer.

    Ideal for:

    • Low complexity surveys
    • High complexity surveys
    • Quick responses
    • Low cost

    Internally-developed

    Internally-developed surveys can be distributed via the intranet or email. Internal surveys offer the most customization. Cost is the creator’s time, but cost can be saved on distribution versus paper and paid online surveys.

    Ideal for:

    • Low complexity surveys
    • High complexity surveys
    • Quick responses
    • Low cost (if created quickly)

    Understand different elicitation techniques – Focus Groups

    Technique Description Assessment and Best Practices Stakeholder Effort BA Effort
    Focus Group Focus groups are sessions held between a small group (typically ten individuals or less) and an experienced facilitator who leads the conversation in a productive direction. Focus groups are highly effective for initial requirements brainstorming. The best practice is to structure them in a cross-functional manner to ensure multiple viewpoints are represented, and the conversation doesn’t become dominated by one particular individual. Facilitators must be wary of groupthink in these meetings (i.e. the tendency to converge on a single POV). Medium Medium
    Workshop Workshops are larger sessions (typically ten people or more) that are led by a facilitator, and are dependent on targeted exercises. Workshops may be occasionally decomposed into smaller group sessions. Workshops are highly versatile: they can be used for initial brainstorming, requirement prioritization, constraint identification, and business process mapping. Typically, the facilitator will use exercises or activities (such as whiteboarding, sticky note prioritization, role-playing, etc.) to get participants to share and evaluate sets of requirements. The main downside to workshops is a high time commitment from both stakeholders and the BA. Medium High

    Info-Tech Insight

    Group elicitation techniques are most useful for gathering a wide spectrum of requirements from a broad group of stakeholders. Individual or observational techniques are typically needed for further follow-up and in-depth analysis with critical power users or sponsors.

    Conduct focus groups and workshops

    There are two specific types of group interviews that can be utilized to elicit requirements: focus groups and workshops. Understand each type’s strengths and weaknesses to determine which is better to use in certain situations.

    Focus Groups Workshops
    Description
    • Small groups are encouraged to speak openly about topics with guidance from a facilitator.
    • Larger groups are led by a facilitator to complete target exercises that promote hands-on learning.
    Strengths
    • Highly effective for initial requirements brainstorming.
    • Insights can be explored in depth.
    • Any part of the requirements gathering process can be done in a workshop.
    • Use of activities can increase the learning beyond simple discussions.
    Weaknesses
    • Loudest voice in the room can induce groupthink.
    • Discussion can easily veer off topic.
    • Extremely difficult to bring together such a large group for extended periods of time.
    Facilitation Guidance
    • Make sure the group is structured in a cross-functional manner to ensure multiple viewpoints are represented.
    • If the group is too large, break the members into smaller groups. Try putting together members who would not usually interact.

    Solution mapping and joint review sessions should be used for high-touch, high-rigor BPM-centric projects

    Technique Description Assessment and Best Practices Stakeholder Effort BA Effort
    Solution Mapping Session A one-on-one session to outline business processes. BPM methods are used to write possible target states for the solution on a whiteboard and to engineer requirements based on steps in the model. Solution mapping should be done with technically savvy stakeholders with a firm understanding of BPM methodologies and nomenclature. Generally, this type of elicitation method should be done with stakeholders who participated in tier one elicitation techniques who can assist with reverse-engineering business models into requirement lists. Medium Medium
    Joint Requirements Review Session This elicitation method is sometimes used as a last step prior to moving to formal requirements analysis. During the review session, the rough list of requirements is vetted and confirmed with stakeholders. A one-on-one (or small group) requirements review session gives your BAs the opportunity to ensure that what was recorded/transcribed during previous one-on-ones (or group elicitation sessions) is materially accurate and representative of the intent of the stakeholder. This elicitation step allows you to do a preliminary clean up of the requirements list before entering the formal analysis phase. Low Low

    Info-Tech Insight

    Solution mapping and joint requirements review sessions are more advanced elicitation techniques that should be employed after preliminary techniques have been utilized. They should be reserved for technically sophisticated, high-value stakeholders.

    Interactive whiteboarding and joint development sessions should be leveraged for high-rigor BPM-based projects

    Technique Description Assessment and Best Practices Stakeholder Effort BA Effort
    Interactive White- boarding A group session where either a) requirements are converted to BPM diagrams and process flows, or b) these flows are reverse engineered to distil requirement sets. While the focus of workshops and focus groups is more on direct requirements elicitation, interactive whiteboarding sessions are used to assist with creating initial solution maps (or reverse engineering proposed solutions into requirements). By bringing stakeholders into the process, the BA benefits from a greater depth of experience and access to SMEs. Medium Medium
    Joint Application Development (JAD) JAD sessions pair end-user teams together with developers (and BA facilitators) to collect requirements and begin mapping and developing prototypes directly on the spot. JAD sessions fit well with organizations that use Agile processes. They are particularly useful when the overall project scope is ambiguous; they can be used for project scoping, requirements definition, and initial prototyping. JAD techniques are heavily dependent on having SMEs in the room – they should preference knowledge power users over the “rank and file.” High High

    Info-Tech Insight

    Interactive whiteboarding should be heavily BPM-centric, creating models that link requirements to specific workflow activities. Joint development sessions are time-consuming but create greater cohesion and understanding between BAs, developers, and SMEs.

    Rapid application development sessions add some Agile aspects to requirements elicitation

    Technique Description Assessment and Best Practices Stakeholder Effort BA Effort
    Rapid Application Development A form of prototyping, RAD sessions are akin to joint development sessions but with greater emphasis on back-and-forth mock-ups of the proposed solution. RAD sessions are highly iterative – requirements are gathered in sessions, developers create prototypes offline, and the results are validated by stakeholders in the next meeting. This approach should only be employed in highly Agile-centric environments. High High

    For more information specific to using the Agile development methodology, refer to the project blueprint Implement Agile Practices That Work.

    The role of the BA differs with an Agile approach to requirements gathering. A traditional BA is a subset of the Agile BA, who typically serves as product owner. Agile BAs have elevated responsibilities that include bridging communication between stakeholders and developers, prioritizing and detailing the requirements, and testing solutions.

    Overview of JAD and RDS techniques (Part 1)

    Use the following slides to gain a thorough understanding of both JAD and rapid development sessions (RDS) to decide which fits your project best.

    Joint Application Development Rapid Development Sessions
    Description JAD pairs end users and developers with a facilitator to collect requirements and begin solution mapping to create an initial prototype. RDS is an advanced approach to JAD. After an initial meeting, prototypes are developed and validated by stakeholders. Improvements are suggested by stakeholders and another prototype is created. This process is iterated until a complete solution is created.
    Who is involved? End users, SMEs, developers, and a facilitator (you).
    Who should use this technique? JAD is best employed in an Agile organization. Agile organizations can take advantage of the high amount of collaboration involved. RDS requires a more Agile organization that can effectively and efficiently handle impromptu meetings to improve iterations.
    Time/effort versus value JAD is a time/effort-intensive activity, requiring different parties at the same time. However, the value is well worth it. JAD provides clarity for the project’s scope, justifies the requirements gathered, and could result in an initial prototype. RDS is even more time/effort intensive than JAD. While it is more resource intensive, the reward is a more quickly developed full solution that is more customized with fewer bugs.

    Overview of JAD and RDS techniques (Part 2)

    Joint Application Development

    Timeline

    Projects that use JAD should not expect dramatically quicker solution development. JAD is a thorough look at the elicitation process to make sure that the right requirements are found for the final solution’s needs. If done well, JAD eliminates rework.

    Engagement

    Employees vary in their project engagement. Certain employees leverage JAD because they care about the solution. Others are asked for their expertise (SMEs) or because they perform the process often and understand it well.

    Implications

    JAD’s thorough process guarantees that requirements gathering is done well.

    • All requirements map back to the scope.
    • SMEs are consulted throughout the duration of the process.
    • Prototyping is only done after final solution mapping is complete.

    Rapid Development Sessions

    Timeline

    Projects that use RDS can either expect quicker or slower requirements gathering depending on the quality of iteration. If each iteration solves a requirement issue, then one can expect that the solution will be developed fairly rapidly. If the iterations fail to meet requirements the process will be quite lengthy.

    Engagement

    Employees doing RDS are typically very engaged in the project and play a large role in helping to create the solution.

    Implications

    RDS success is tied to the organization’s ability to collaborate. Strong collaboration will lead to:

    • Fewer bugs as they are eliminated in each iteration.
    • A solution that is highly customized to meet the user’s needs.

    Poor collaboration will lead to RDS losing its full value.

    When is it best to use JAD?

    JAD is best employed in an Agile organization for application development and selection. This technique best serves relatively complicated, large-scale projects that require rapid or sequential iterations on a prototype or solution as a part of requirements gathering elicitation. JAD effectuates each step in the elicitation process well, from initial elicitation to narrowing down requirements.

    When tackling a project type you’ve never attempted

    Most requirement gathering professionals will use their experience with project type standards to establish key requirements. Avoid only relying on standards when tackling a new project type. Apply JAD’s structured approach to a new project type to be thorough during the elicitation phase.

    In tandem with other elicitation techniques

    While JAD is an overarching requirements elicitation technique, it should not be the only one used. Combine the strengths of other elicitation techniques for the best results.

    When is it best to use RDS?

    RDS is best utilized when one, but preferably both, of the below criteria is met.

    When the scope of the project is small to medium sized

    RDS’ strengths lie in being able to tailor-make certain aspects of the solution. If the solution is too large, tailor-made sections are impossible as multiple user groups have different needs or there is insufficient resources. When a project is small to medium sized, developers can take the time to custom make sections for a specific user group.

    When most development resources are readily available

    RDS requires developers spending a large amount of time with users, leaving less time for development. Having developers at the ready to take on users’ improvement maintains the effectiveness of RDS. If the same developer who speaks to users develops the entire iteration, the process would be slowed down dramatically, losing effectiveness.

    Techniques to compliment JAD/RDS

    1. Unstructured conversations

    JAD relies on unstructured conversations to clarify scope, gain insights, and discuss prototyping. However, a structure must exist to guarantee that all topics are discussed and meetings are not wasted.

    2. Solution mapping and interactive white-boarding

    JAD often involves visually illustrating how high-level concepts connect as well as prototypes. Use solution mapping and interactive whiteboarding to help users and participants better understand the solution.

    3. Focus groups

    Having a group development session provides all the benefits of focus groups while reducing time spent in the typically time-intensive JAD process.

    Plan how you will execute JAD

    Before the meeting

    1. Prepare for the meeting

    Email all parties a meeting overview of topics that will be discussed.

    During the meeting

    2. Discussion

    • Facilitate the conversation according to what is needed (e.g. skip scope clarification if it is already well defined).
    • Leverage solution mapping and other visual aids to appeal to all users.
    • Confirm with SMEs that requirements will meet the users’ needs.
    • Discuss initial prototyping.

    After the meeting

    3. Wrap-up

    • Provide a key findings summary and set of agreements.
    • Outline next steps for all parties.

    4. Follow-up

    • Send the mock-up of any agreed upon prototype(s).
    • Schedule future meetings to continue prototyping.

    JAD provides a detail-oriented view into the elicitation process. As a facilitator, take detailed notes to maximize the outputs of JAD.

    Plan how you will execute RDS

    Before the meeting

    1. Prepare for the meeting

    • Email all parties a meeting overview.
    • Ask employees and developers to bring their vision of the solution, regardless of its level of detail.

    During the meeting

    2. Hold the discussion

    • Facilitate the conversation according to what is needed (e.g. skip scope clarification if already well defined).
    • Have both parties explain their visions for the solution.
    • Talk about initial prototype and current iteration.

    After the meeting

    3. Wrap-up

    • Provide a key findings summary and agreements.
    • Outline next steps for all parties.

    4. Follow-up

    • Send the mock-up of any agreed upon prototype(s).
    • Schedule future meeting to continue prototyping.

    RDS is best done in quick succession. Keep in constant contact with both employees and developers to maintain positive momentum from a successful iteration improvement.

    Develop a tailored facilitation guide for JAD and RDS

    JAD/RDS are both collaborative activities, and as with all group activities, issues are bound to arise. Be proactive and resolve issues using the following guidelines.

    Scenario Technique
    Employee and developer visions for the solution don’t match up Focus on what both solutions have in common first to dissolve any tension. Next, understand the reason why both parties have differences. Was it a difference in assumptions? Difference in what is a requirement? Once the answer has been determined, work on bridging the gaps. If there is no resolution, appoint a credible authority (or yourself) to become the final decision maker.
    Employee has difficulty understanding the technical aspect of the developer’s solution Translate the developer’s technical terms into a language that the employee understands. Encourage the employee to ask questions to further their understanding.
    Employee was told that their requirement or proposed solution is not feasible Have a high-level member of the development team explain how the requirement/solution is not feasible. If it’s possible, tell the employee that the requirement can be done in a future release and keep them updated.

    Harvest documentation from past projects to uncover reusable requirements

    Technique Description Assessment and Best Practices Stakeholder Effort BA Effort
    Legacy System Manuals The process of reviewing documentation and manuals associated with legacy systems to identify constraints and exact requirements for reuse. Reviewing legacy systems and accompanying documentation is an excellent way to gain a preliminary understanding of the requirements for the upcoming application. Be careful not to overly rely on requirements from legacy systems; if legacy systems have a feature set up one way, this does not mean it should be set up the same way on the upcoming application. If an upcoming application must interact with other systems, it is ideal to understand the integration points early. None High
    Historical Projects The process of reviewing documentation from historical projects to extract reusable requirements. Previous project documentation can be a great source of information and historical lessons learned. Unfortunately, historical projects may not be well documented. Historical mining can save a great deal of time; however, the fact that it was done historically does not mean that it was done properly. None High

    Info-Tech Insight

    Document mining is a laborious process, and as the term “mining” suggests the yield will vary. Regardless of the outcome, document mining must be performed and should be viewed as an investment in the requirements gathering process.

    Extract internal and external constraints from business rules, policies, and glossaries

    Technique Description Assessment and Best Practices Stakeholder Effort BA Effort
    Rules The process of extracting business logic from pre-existing business rules (e.g. explicit or implied workflows). Stakeholders may not be fully aware of all of the business rules or the underlying rationale for the rules. Unfortunately, business rule documents can be lengthy and the number of rules relevant to the project will vary. None High
    Glossary The process of extracting terminology and definitions from glossaries. Terminology and definitions do not directly lead to the generation of requirements. However, reviewing glossaries will allow BAs to better understand domain SMEs and interpret their requirements. None High
    Policy The process of extracting business logic from business policy documents (e.g. security policy and acceptable use). Stakeholders may not be fully aware of the different policies or the underlying rationale for why they were created. Going directly to the source is an excellent way to identify constraints and requirements. Unfortunately, policies can be lengthy and the number of items relevant to the project will vary. None High

    Info-Tech Insight

    Document mining should be the first type of elicitation activity that is conducted because it allows the BA to become familiar with organizational terminology and processes. As a result, the stakeholder facing elicitation sessions will be more productive.

    Review the different types of formal documentation (Part 1)

    1. Glossary

    Extract terminology and definitions from glossaries. A glossary is an excellent source to understand the terminology that SMEs will use.

    2. Policy

    Pull business logic from policy documents (e.g. security policy and acceptable use). Policies generally have mandatory requirements for projects, such as standard compliance requirements.

    3. Rules

    Review and reuse business logic that comes from pre-existing rules (e.g. explicit or implied workflows). Like policies, rules often have mandatory requirements or at least will require significant change for something to no longer be a requirement.

    Review the different types of formal documentation (Part 2)

    4. Legacy System

    Review documents and manuals of legacy systems, and identify reusable constraints and requirements. Benefits include:

    • Gain a preliminary understanding of general organizational requirements.
    • Ease of solution integration with the legacy system if needed.

    Remember to not use all of the basic requirements of a legacy system. Always strive to find a better, more productive solution.

    5. Historical Projects

    Review documents from historical projects to extract reusable requirements. Lessons learned from the company’s previous projects are more applicable than case studies. While historical projects can be of great use, consider that previous projects may not be well documented.

    Drive business alignment as an output from documentation review

    Project managers frequently state that aligning projects to the business goals is a key objective of effective project management; however, it is rarely carried out throughout the project itself. This gap is often due to a lack of understanding around how to create true alignment between individual projects and the business needs.

    Use company-released statements and reports

    Extract business wants and needs from official statements and reports (e.g. press releases, yearly reports). Statements and reports outline where the organization wants to go which helps to unearth relevant project requirements.

    Ask yourself, does the project align to the business?

    Documented requirements should always align with the scope of the project and the business objectives. Refer back frequently to your set of gathered requirements to check if they are properly aligned and ensure the project is not veering away from the original scope and business objectives.

    Don’t just read for the sake of reading

    The largest problem with documentation review is that requirements gathering professionals do it for the sake of saying they did it. As a result, projects often go off course due to not aligning to business objectives following the review sessions.

    • When reading a document, take notes to avoid projects going over time and budget and business dissatisfaction. Document your notes and schedule time to review the set of complete notes with your team following the individual documentation review.

    Select elicitation techniques that match the elicitation scenario

    There is a time and place for each technique. Don’t become too reliant on the same ones. Diversify your approach based on the elicitation goal.

    A chart showing Elicitation Scenarios and Techniques, with each marked for their efficacy.

    This table shows the relative strengths and weaknesses of each elicitation technique compared against the five basic elicitation scenarios.

    A typical project will encounter most of the elicitation scenarios. Therefore, it is important to utilize a healthy mix of techniques to optimize effectiveness.

    Very Strong = Very Effective

    Strong = Effective

    Medium = Somewhat Effective

    Weak = Minimally Effective

    Very Weak = Not Effective

    Record the approved elicitation techniques that your BAs should use

    2.1.2 – 30 minutes

    Input
    • Approved elicitation techniques
    Output
    • Execution procedure
    Materials
    • Whiteboard
    • Markers
    Participants
    • Business stakeholders
    • BAs

    Record the approved elicitation methods and best practices for each technique in the SOP.

    Identify which techniques should be utilized with the different stakeholder classes.

    Segment the different techniques based by project complexity level.

    Use the following chart to record the approved techniques.

    Stakeholder L1 Projects L2 Projects L3 Projects L4 Projects
    Senior Management Structured Interviews
    Project Sponsor Unstructured Interviews
    SME (Business) Focus Groups Unstructured Interviews
    Functional Manager Focus Groups Structured Interviews
    End Users Surveys; Focus Groups; Follow-Up Interviews; Observational Techniques

    Document the output from this exercise in section 4.0 of the Requirements Gathering SOP and BA Playbook.

    Confirm initial elicitation notes with stakeholders

    Open lines of communication with stakeholders and keep them involved in the requirements gathering process; confirm the initial elicitation before proceeding.

    Confirming the notes from the elicitation session with stakeholders will result in three benefits:

    1. Simple miscommunications can compound and result in costly rework if they aren’t caught early. Providing stakeholders with a copy of notes from the elicitation session will eliminate issues before they manifest themselves in the project.
    2. Stakeholders often require an absorption period after elicitation sessions to reflect on the meeting. Following up with stakeholders gives them an opportunity to clarify, enhance, or change their responses.
    3. Stakeholders will become disinterested in the project (and potentially the finished application) if their involvement in the project ends after elicitation. Confirming the notes from elicitation keeps them involved in the process and transitions stakeholders into the analysis phase.

    This is the Confirm stage of the Confirm, Verify, Approve process.

    “Are these notes accurate and complete?”

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    2.1.1 Understand the different elicitation techniques

    An analyst will walk you through the different elicitation techniques including observations, document reviews, surveys, focus groups, and interviews, and highlight the level of effort required for each.

    2.1.2 Select and record the approved elicitation techniques

    An analyst will facilitate the discussion to determine which techniques should be utilized with the different stakeholder classes.

    Step 2.2: Structure Elicitation Output

    Phase 1

    1.1 Understand the Benefits of Requirements Optimization

    1.2 Determine Your Target State for Requirements Gathering

    Phase 2

    2.1 Determine Elicitation Techniques

    2.2 Structure Elicitation Output

    Phase 3

    3.1 Create Analysis Framework

    3.2 Validate Business Requirements

    Phase 4

    4.1 Create Control Processes for Requirements Changes

    4.2 Build Requirements Governance and Communication Plan

    This step will walk you through the following activities:
    • Build use-case models.
    • Practice using elicitation techniques with business stakeholders to build use-case models.
    • Practice leveraging user stories to convey requirements.
    This step involves the following participants:
    • BAs
    • Business stakeholders
    Outcomes of this step
    • Understand the value of use-case models for requirements gathering.
    • Practice different techniques for building use-case models with stakeholders.

    Record and capture requirements in solution-oriented formats

    Unstructured notes for each requirement are difficult to manage and create ambiguity. Using solution-oriented formats during elicitation sessions ensures that the content can be digested by IT and business users.

    This table shows common solution-oriented formats for recording requirements. Determine which formats the development team and BAs are comfortable using and create a list of acceptable formats to use in projects.

    Format Description Examples
    Behavior Diagrams These diagrams describe what must happen in the system. Business Process Models, Swim Lane Diagram, Use Case Diagram
    Interaction Diagrams These diagrams describe the flow and control of data within a system. Sequence Diagrams, Entity Diagrams
    Stories These text-based representations take the perspective of a user and describe the activities and benefits of a process. Scenarios, User Stories

    Info-Tech Insight

    Business process modeling is an excellent way to visually represent intricate processes for both IT and business users. For complex projects with high business significance, business process modeling is the best way to capture requirements and create transformational gains.

    Use cases give projects direction and guidance from the business perspective

    Use Case Creation Process

    Define Use Cases for Each Stakeholder

    • Each stakeholder may have different uses for the same solution. Identify all possible use cases attributed to the stakeholders.
    • All use cases are possible test case scenarios.

    Define Applications for Each Use Case

    • Applications are the engines behind the use cases. Defining the applications to satisfy use cases will pinpoint the areas where development or procurement is necessary.

    Consider the following guidelines:

    1. Don’t involve systems in the use cases. Use cases just identify the key end-user interaction points that the proposed solution is supposed to cover.
    2. Some use cases are dependent on other use cases or multiple stakeholders may be involved in a single use case. Depending on the availability of these use cases, they can either be all identified up front (Waterfall) or created at various iterations (Agile).
    3. Consider the enterprise architecture perspective. Existing enterprise architecture designs can provide a foundation of current requirement mappings and system structure. Reuse these resources to reduce efforts.
    4. Avoid developing use cases in isolation. Reusability is key in reducing designing efforts. By involving multiple departments, requirement clashes can be avoided and the likelihood of reusability increases.

    Develop practical use cases to help drive the development effort in the right direction

    Evaluating the practicality and likelihood of use cases is just as important as developing them.

    Use cases can conflict with each other. In certain situations, specific requirements of these use cases may clash with one another even though they are functionally sound. Evaluate use-case requirements and determine how they satisfy the overall business need.

    Use cases are not necessarily isolated; they can be nested. Certain functionalities are dependent on the results of another action, often in a hierarchical fashion. By mapping out the expected workflows, BAs can determine the most appropriate way to implement.

    Use cases can be functionally implemented in many ways. There could be multiple ways to accomplish the same use case. Each of these needs to be documented so that functional testing and user documentation can be based on them.

    Nested Use Case Examples:

    Log Into Account ← Depends on (Nested) Ordering Products Online
    Enter username and password Complete order form
    Verify user is a real person Process order
    Send user forgotten password message Check user’s account
    Send order confirmation to user

    Build a use-case model

    2.2.1 – 45 minutes

    Input
    • Sub processes
    Output
    • Use case model
    Materials
    • Whiteboard
    • Markers
    Participants
    • Business stakeholders
    • BAs
    Demonstrate how to use elicitation techniques to build use cases for the project.
    1. Identify a sub-process to build the use-case model. Begin the exercise by giving a brief description of the purpose of the meeting.
    2. For each stakeholder, draw a stick figure on the board. Pose the question “If you need to do X, what is your first step?” Go through the process until the end goal and draw each step. Ensure that you capture triggers, causes, decision points, outcomes, tools, and interactions.
    3. Starting at the beginning of the diagram, go through each step again and check with stakeholders if the step can be broken down into more granular steps.
    4. Ask the stakeholder if there are any alternative flows that people use, or any exceptions to process steps. If there are, map these out on the board.
    5. Go back through each step and ask the stakeholder where the current process is causing them grief, and where modification should be made.
    6. Record this information in the Business Requirements Document Template.

    Build a use-case model

    2.2.1

    Example: Generate Letters

    Inspector: Log into system → Search for case → Identify recipient → Determine letter type → Print letter

    Admin: Receive letter from inspector → Package and mail letter

    Citizen: Receive letter from inspector

    Understand user stories and profiles

    What are they?

    User stories describe what requirement a user wants in the solution and why they want it. The end goal of a user story is to create a simple description of a requirement for developers.

    When to use them

    User stories should always be used in requirements gathering. User stories should be collected throughout the elicitation process. Try to recapture user stories as new project information is released to capture any changes in end-customer needs.

    What’s the benefit?

    User stories help capture target users, customers, and stakeholders. They also create a “face” for individual user requirements by providing user context. This detail enables IT leaders to associate goals and end objectives with each persona.

    Takeaway

    To better understand the characteristics driving user requirements, begin to map objectives to separate user personas that represent each of the project stakeholders.

    Are user stories worth the time and effort?

    Absolutely.

    A user’s wants and needs serve as a constant reminder to developers. Developers can use this information to focus on how a solution needs to accomplish a goal instead of only focusing on what goals need to be completed.

    Create customized user stories to guide or structure your elicitation output

    Instructions

    1. During surveys, interviews, and development sessions, ask participants the following questions:
      • What do you want from the solution?
      • Why do you want that?
    2. Separate the answer into an “I want to” and “So that” format.
      • For users who give multiple “I want to” and “So that” statements, separate them into their respective pairs.
    3. Place each story on a small card that can easily be given to developers.
    As a I want to So that Size Priority
    Developer Learn network and system constraints The churn between Operations and I will be reduced. 1 point Low

    Team member

    Increase the number of demonstrations I can achieve greater alignment with business stakeholders. 3 points High
    Product owner Implement a user story prioritization technique I can delegate stories in my product backlog to multiple Agile teams. 3 points Medium

    How to make an effective and compelling user story

    Keep your user stories short and impactful to ensure that they retain their impact.

    Follow a simple formula:

    As a [stakeholder title], I want to [one requirement] so that [reason for wanting that requirement].

    Use this template for all user stories. Other formats will undermine the point of a user story. Multiple requirements from a single user must be made into multiple stories and given to the appropriate developer. User stories should fit onto a sticky note or small card.

    Example

    As an: I want to: So that:
    Administrator Integrate with Excel File transfer won’t possibly lose information
    X Administrator Integrate with Excel and Word File transfer won’t possibly lose information

    While the difference between the two may be small, it would still undermine the effectiveness of a user story. Different developers may work on the integration of Excel or Word and may not receive this user story.

    Assign user stories a size and priority level

    Designate a size to user stories

    Size is an estimate of how many resources must be dedicated to accomplish the want. Assign a size to each user story to help determine resource allocation.

    Assign business priority to user stories

    Based on how important the requirement is to project success, assign each user story a rating of high, medium, or low. The priority given will dictate which requirements are completed first.

    Example:

    Scope: Design software to simplify financial reporting

    User Story Estimated Size Priority
    As an administrator, I want to integrate with Excel so that file transfer won’t possibly lose information. Low High
    As an administrator, I want to simplify graph construction so that I can more easily display information for stakeholders. High Medium

    Combine both size and priority to decide resource allocation. Low-size, high-priority tasks should always be done first.

    Group similar user stories together to create greater impact

    Group user stories that have the same requirement

    When collecting user stories, many will be centered around the same requirement. Group similar user stories together to show the need for that requirement’s inclusion in the solution.

    Even if it isn’t a must-have requirement, if the number of similar user stories is high enough, it would become the most important should-have requirement.

    Group together user stories such as these:
    As an I want So that
    Administrator To be able to create bar graphs Information can be more easily illustrated
    Accountant To be able to make pie charts Budget information can be visually represented

    Both user stories are about creating charts and would be developed similarly.

    Leave these user stories separate
    As an I want So that
    Administrator The program to auto-save Information won’t be lost during power outages
    Accountant To be able to save to SharePoint My colleagues can easily view and edit my work

    While both stories are about saving documents, the development of each feature is vastly different.

    Create customized user profiles

    User profiles are a way of grouping users based on a significant shared details (e.g. in the finance department, website user).

    Go beyond the user profile

    When creating the profile, consider more than the group’s name. Ask yourself the following questions:

    • What level of knowledge and expertise does this user profile have with this type of software?
    • How much will this user profile interact with the solution?
    • What degree of dependency will this user profile have on the solution?

    For example, if a user profile has low expertise but interacts and depends heavily on the program, a more thorough tutorial of the FAQ section is needed.

    Profiles put developers in user’s shoes

    Grouping users together helps developers put a face to the name. Developers can then more easily empathize with users and develop an end solution that is directly catered to their needs.

    Leverage group activities to break down user-story sizing techniques

    Work in groups to run through the following story-sizing activities.

    Planning Poker: This approach uses the Delphi method where members estimate the size of each user story by revealing numbered cards. These estimates are then discussed and agreed upon as a group.

    • Planning poker generates discussion about variances in estimates but dominant personalities may lead to biased results or groupthink.

    Team Sort: This approach can assist in expediting estimation when you are handling numerous user stories.

    • Bucket your user stories into sizes (e.g. extra-small, small, medium, large, and extra-large) based on an acceptable benchmark that may change from project to project.
    • Collaborate as a team to conclude the final size.
    • Next, translate these sizes into points.

    The graphic shows the two activities described, Planning Poker and Team Sort. In the Planning Poker image, 3 sets of cards are shown, with the numbers 13, 5, and 1 on the top of each set. At the bottom of the image are 7 cards, labelled with: 1, 2, 3, 5, 8, 13, 21. In the Team Sort section, there is an arrow pointing in both directions, representing a spectrum from XS to XL. Each size is assigned a point value: XS is 1; S is 3; M is 5; L is 10; and XL is 20. Cards with User Story # written on them are arranged along the spectrum.

    Create a product backlog to communicate business needs to development teams

    Use the product backlog to capture expected work and create a roadmap for the project by showing what requirements need to be delivered.

    How is the product owner involved?

    • The product owner is responsible for keeping in close contact with the end customer and making the appropriate changes to the product backlog as new ideas, insights, and impediments arise.
    • The product owner should have good communication with the team to make accurate changes to the product backlog depending on technical difficulties and needs for clarification.

    How do I create a product backlog?

    • Write requirements in user stories. Use the format: “As a (user role), I want (function) so that (benefit).” Identify end users and understand their needs.
    • Assign each requirement a priority. Decide which requirements are the most important to deliver. Ask yourself, “Which user story will create the most value?”

    What are the approaches to generate my backlog?

    • Team Brainstorming – The product owner, team, and scrum master work together to write and prioritize user stories in a single or a series of meetings.
    • Business Case – The product owner translates business cases into user stories as per the definition of “development ready.”

    Epics and Themes

    As you begin to take on larger projects, it may be advantageous to organize and group your user stories to simplify your release plan:

    • Epics are collections of similar user stories and are used to describe significant and large development initiatives.
    • Themes are collections of similar epics and are normally used to define high-level business objectives.

    To avoid confusion, the pilot product backlog will be solely composed of user stories.

    Example:

    Theme: Increase user exposure to corporate services through mobile devices
    Epic: Access corporate services through a mobile application Epic: Access corporate services through mobile website
    User Story: As a user, I want to find the closest office so that I can minimize travel time As a user, I want to find the closest office so that I can minimize travel time User Story: As a user, I want to submit a complaint so that I can improve company processes

    Simulate product backlog creation

    Overview

    Leverage Info-Tech’s Scrum Documentation Template, using the Backlog and Planning tab, to help walk you through this activity.

    Instructions

    1. Have your product owner describe the business objectives of the pilot project.
    2. Write the key business requirements as user stories.
    3. Based on your business value drivers, identify the business value of your user stories (high, medium, low).
    4. Have your team review the user stories and question the story’s value, priority, goal, and meaning.
    5. Break down the user stories if the feature or business goal is unclear or too large.
    6. Document the perceived business value of each user story, as well as the priority, goal, and meaning.

    Examples:

    As a citizen, I want to know about road construction so that I can save time when driving. Business Value: High

    As a customer, I want to find the nearest government office so that I can register for benefits. Business Value: Medium

    As a voter, I want to know what each candidate believes in so that I can make an informed decision. Business Value: High

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    2.2.1 Build use-case models

    An analyst will assist in demonstrating how to use elicitation techniques to build use-case models. The analyst will walk you through the table testing to visually map out and design process flows for each use case.

    Phase 3: Analyze and Validate Requirements

    Phase 3 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 3: Analyze and Validate Requirements

    Proposed Time to Completion: 1 week
    Step 3.1: Create Analysis Framework

    Start with an analyst kick off call:

    • Create policies for requirements categorization and prioritization.

    Then complete these activities…

    • Create functional requirements categories.
    • Consolidate similar requirements and eliminate redundancies.
    • Prioritize requirements.

    With these tools & templates:

    • Requirements Gathering Documentation Tool
    Step 3.2: Validate Business Requirements

    Review findings with analyst:

    • Establish best practices for validating the BRD with project stakeholders.

    Then complete these activities…

    • Right-size the BRD.
    • Present the BRD to business stakeholders.
    • Translate business requirements into technical requirements.
    • Identify testing opportunities.

    With these tools & templates:

    • Business Requirements Document Template
    • Requirements Gathering Testing Checklist

    Phase 3 Results & Insights:

    • Standardized frameworks for analysis and validation of business requirements

    Step 3.1: Create Analysis Framework

    Phase 1

    1.1 Understand the Benefits of Requirements Optimization

    1.2 Determine Your Target State for Requirements Gathering

    Phase 2

    2.1 Determine Elicitation Techniques

    2.2 Structure Elicitation Output

    Phase 3

    3.1 Create Analysis Framework

    3.2 Validate Business Requirements

    Phase 4

    4.1 Create Control Processes for Requirements Changes

    4.2 Build Requirements Governance and Communication Plan

    This step will walk you through the following activities:
    • Categorize requirements.
    • Eliminate redundant requirements.
    This step involves the following participants:
    • BAs
    Outcomes of this step
    • Prioritized requirements list.

    Analyze requirements to de-duplicate them, consolidate them – and most importantly – prioritize them!

    he image is the Requirements Gathering Framework, shown earlier. All parts of the framework are greyed-out, except for the arrow containing the word Analyze in the center of the image, with three bullet points beneath it that read: Organize; Prioritize; Verify

    The analysis phase is where requirements are compiled, categorized, and prioritized to make managing large volumes easier. Many organizations prematurely celebrate being finished the elicitation phase and do not perform adequate diligence in this phase; however, the analysis phase is crucial for a smooth transition into validation and application development or procurement.

    Categorize requirements to identify and highlight requirement relationships and dependencies

    Eliciting requirements is an important step in the process, but turning endless pages of notes into something meaningful to all stakeholders is the major challenge.

    Begin the analysis phase by categorizing requirements to make locating, reconciling, and managing them much easier. There are often complex relationships and dependencies among requirements that do not get noted or emphasized to the development team and as a result get overlooked.

    Typically, requirements are classified as functional and non-functional at the high level. Functional requirements specify WHAT the system or component needs to do and non-functional requirements explain HOW the system must behave.

    Examples

    Functional Requirement: The application must produce a sales report at the end of the month.

    Non-Functional Requirement: The report must be available within one minute after midnight (EST) of the last day of the month. The report will be available for five years after the report is produced. All numbers in the report will be displayed to two decimal places.

    Categorize requirements to identify and highlight requirement relationships and dependencies

    Further sub-categorization of requirements is necessary to realize the full benefit of categorization. Proficient BAs will even work backwards from the categories to drive the elicitation sessions. The categories used will depend on the type of project, but for categorizing non-functional requirements, the Volere Requirements Resources has created an exhaustive list of sub-categories.

    Requirements Category Elements

    Example

    Look & Feel Appearance, Style

    User Experience

    Usability & Humanity Ease of Use, Personalization, Internationalization, Learning, Understandability, Accessibility Language Support
    Performance Speed, Latency, Safety, Precision, Reliability, Availability, Robustness, Capacity, Scalability, Longevity Bandwidth
    Operational & Environmental Expected Physical Environment, Interfacing With Adjacent Systems, Productization, Release Heating and Cooling
    Maintainability & Support Maintenance, Supportability, Adaptability Warranty SLAs

    Security

    Access, Integrity, Privacy, Audit, Immunity Intrusion Prevention
    Cultural & Political Global Differentiation Different Statutory Holidays
    Legal Compliance, Standards Hosting Regulations

    What constitutes good requirements

    Complete – Expressed a whole idea or statement.

    Correct – Technically and legally possible.

    Clear – Unambiguous and not confusing.

    Verifiable – It can be determined that the system meets the requirement.

    Necessary – Should support one of the project goals.

    Feasible – Can be accomplished within cost and schedule.

    Prioritized – Tracked according to business need levels.

    Consistent – Not in conflict with other requirements.

    Traceable – Uniquely identified and tracked.

    Modular – Can be changed without excessive impact.

    Design-independent – Does not pose specific solutions on design.

    Create functional requirement categories

    3.1.1 – 1 hour

    Input
    • Activity 2.2.1
    Output
    • Requirements categories
    Materials
    • Whiteboard
    • Markers
    • Sticky notes
    Participants
    • BAs
    Practice the techniques for categorizing requirements.
    1. Divide the list of requirements that were elicited for the identified sub-process in exercise 2.2.1 among smaller groups.
    2. Have groups write the requirements on red, yellow, or green sticky notes, depending on the stakeholder’s level of influence.
    3. Along the top of the whiteboard, write the eight requirements categories, and have each group place the sticky notes under the category where they believe they should fit.
    4. Once each group has posted the requirements, review the board and discuss any requirements that should be placed in another category.

    Document any changes to the requirements categories in section 5.1 of the Requirements Gathering SOP and BA Playbook.

    Create functional requirement categories

    The image depicts a whiteboard with different colored post-it notes grouped into the following categories: Look & Feel; Usability & Humanity; Legal; Maintainability & Support; Operational & Environmental; Security; Cultural & Political; and Performance.

    Consolidate similar requirements and eliminate redundancies

    Clean up requirements and make everyone’s life simpler!

    After elicitation, it is very common for an organization to end up with redundant, complementary, and conflicting requirements. Consolidation will make managing a large volume of requirements much easier.

    Redundant Requirements Owner Priority
    1. The application shall feed employee information into the payroll system. Payroll High
    2. The application shall feed employee information into the payroll system. HR Low
    Result The application shall feed employee information into the payroll system. Payroll & HR High
    Complementary Requirements Owner Priority
    1. The application shall export reports in XLS and PDF format. Marketing High
    2. The application shall export reports in CSV and PDF format. Finance High
    Result The application shall export reports in XLS, CSV, and PDF format. Marketing & Finance High

    Info-Tech Insight

    When collapsing redundant or complementary requirements, it is imperative that the ownership and priority metadata be preserved for future reference. Avoid consolidating complementary requirements with drastically different priority levels.

    Identify and eliminate conflict between requirements

    Conflicting requirements are unavoidable; identify and resolve them as early as possible to minimize rework and grief.

    Conflicting requirements occur when stakeholders have requirements that either partially or fully contradict one another, and as a result, it is not possible or practical to implement all of the requirements.

    Steps to Resolving Conflict:

    1. Notify the relevant stakeholders of the conflict and search for a basic solution or compromise.
    2. If the stakeholders remain in a deadlock, appoint a final decision maker.
    3. Schedule a meeting to resolve the conflict with the relevant stakeholders and the decision maker. If multiple conflicts exist between the same stakeholder groups, try to resolve as many as possible at once to save time and encourage reciprocation.
    4. Give all parties the opportunity to voice their rationale and objectively rate the priority of the requirement. Attempt to reach an agreement, consensus, or compromise.
    5. If the parties remain in a deadlock, encourage the final decision maker to weigh in. Their decision should be based on which party has the greater need for the requirement, the difficulty to implement the requirement, and which requirement better aligns with the project goals.

    Info-Tech Insight

    Resolve conflicts whenever possible during the elicitation phase by using cross-functional workshops to facilitate discussions that address and settle conflicts in the room.

    Consolidate similar requirements and eliminate redundancies

    3.1.2 – 30 minutes

    Input
    • Activity 3.1.1
    Output
    • Requirements categories
    Materials
    • Whiteboard
    • Markers
    • Sticky notes
    Participants
    • BAs

    Review the outputs from the last exercise and ensure that the list is mutually exclusive by consolidating similar requirements and eliminating redundancies.

    1. Looking at each category in turn, review the sticky notes and group similar, complementary, and conflicting notes together. Put a red dot on any conflicting requirements to be used in a later exercise.
    2. Have the group start by eliminating the redundant requirements.
    3. Have the group look at the complementary requirements, and consolidate each into a single requirement. Discard originals.
    4. Record this information in the Requirements Gathering Documentation Tool.

    Prioritize requirements to assist with solution modeling

    Prioritization is the process of ranking each requirement based on its importance to project success. Hold a separate meeting for the domain SMEs, implementation SMEs, project managers, and project sponsors to prioritize the requirements list. At the conclusion of the meeting, each requirement should be assigned a priority level. The implementation SMEs will use these priority levels to ensure efforts are targeted towards the proper requirements as well as to plan features available on each release. Use the MoSCoW Model of Prioritization to effectively order requirements.

    The MoSCoW Model of Prioritization

    The image shows the MoSCoW Model of Prioritization, which is shaped like a pyramid. The sections, from top to bottom (becoming incrementally larger) are: Must Have; Should Have; Could Have; and Won't Have. There is additional text next to each category, as follows: Must have - Requirements must be implemented for the solution to be considered successful.; Should have: Requirements are high priority that should be included in the solution if possible.; Could Have: Requirements are desirable but not necessary and could be included if resources are available.; Won't Have: Requirements won’t be in the next release, but will be considered for the future releases.

    The MoSCoW model was introduced by Dai Clegg of Oracle UK in 1994 (Source: ProductPlan).

    Base your prioritization on the right set of criteria

    Effective Prioritization Criteria

    Criteria

    Description

    Regulatory & Legal Compliance These requirements will be considered mandatory.
    Policy Compliance Unless an internal policy can be altered or an exception can be made, these requirements will be considered mandatory.
    Business Value Significance Give a higher priority to high-value requirements.
    Business Risk Any requirement with the potential to jeopardize the entire project should be given a high priority and implemented early.
    Likelihood of Success Especially in proof-of-concept projects, it is recommended that requirements have good odds.
    Implementation Complexity Give a higher priority to low implementation difficulty requirements.
    Alignment With Strategy Give a higher priority to requirements that enable the corporate strategy.
    Urgency Prioritize requirements based on time sensitivity.
    Dependencies A requirement on its own may be low priority, but if it supports a high-priority requirement, then its priority must match it.

    Info-Tech Insight

    It is easier to prioritize requirements if they have already been collapsed, resolved, and rewritten. There is no point in prioritizing every requirement that is elicited up front when some of them will eventually be eliminated.

    Use the Requirements Gathering Documentation Tool to steer your requirements gathering approach during a project

    3.1 Requirements Gathering Documentation Tool

    Use the Requirements Gathering Documentation Tool to identify and track stakeholder involvement, elicitation techniques, and scheduling, as well as to track categorization and prioritization of requirements.

    • Use the Identify Stakeholders tab to:
      • Identify the stakeholder's name and role.
      • Identify their influence and involvement.
      • Identify the elicitation techniques that you will be using.
      • Identify who will be conducting the elicitation sessions.
      • Identify if requirements were validated post elicitation session.
      • Identify when the elicitation will take place.
    • Use the Categorize & Prioritize tab to:
      • Identify the stakeholder.
      • Identify the core function.
      • Identify the business requirement.
      • Describe the requirement.
      • Identify the categorization of the requirement.
      • Identify the level of priority of the requirement.

    Prioritize requirements

    3.1.3 – 30 minutes

    Input
    • Requirements list
    • Prioritization criteria
    Output
    • Prioritized requirements
    Materials
    • Whiteboard
    • Markers
    • Sticky notes
    Participants
    • BAs
    • Business stakeholders

    Using the output from the MoSCoW model, prioritize the requirements according to those you must have, should have, could have, and won’t have.

    1. As a group, review each requirement and decide if the requirement is:
      1. Must have
      2. Should have
      3. Could have
      4. Won’t have
    2. Beginning with the must-have requirements, determine if each has any dependencies. Ensure that each of the dependencies are moved to the must-have category. Group and circle the dependent requirements.
    3. Continue the same exercise with the should-have and could-have options.
    4. Record the results in the Requirements Gathering Documentation Tool.

    Step 1 – Prioritize requirements

    3.1.3

    The image shows a whiteboard, with four categories listed at the top: Must Have; Should Have; Could Have; Won't Have. There are yellow post-it notes under each category.

    Step 2-3 – Prioritize requirements

    This image is the same as the previous image, but with the additions of two dotted line squares under the Must Have category, with arrows pointing to them from post-its in the Should have category.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    3.1.1 Create functional requirements categories

    An analyst will facilitate the discussion to brainstorm and determine criteria for requirements categories.

    3.1.2 Consolidate similar requirements and eliminate redundancies

    An analyst will facilitate a session to review the requirements categories to ensure the list is mutually exclusive by consolidating similar requirements and eliminating redundancies.

    3.1.3 Prioritize requirements

    An analyst will facilitate the discussion on how to prioritize requirements according to the MoSCoW prioritization framework. The analyst will also walk you through the exercise of determining dependencies for each requirement.

    Step 3.2: Validate Business Requirements

    Phase 1

    1.1 Understand the Benefits of Requirements Optimization

    1.2 Determine Your Target State for Requirements Gathering

    Phase 2

    2.1 Determine Elicitation Techniques

    2.2 Structure Elicitation Output

    Phase 3

    3.1 Create Analysis Framework

    3.2 Validate Business Requirements

    Phase 4

    4.1 Create Control Processes for Requirements Changes

    4.2 Build Requirements Governance and Communication Plan

    This step will walk you through the following activities:
    • Build the BRD.
    • Translate functional requirements to technical requirements.
    • Identify testing opportunities.

    This step involves the following participants:

    • BAs

    Outcomes of this step

    • Finalized BRD.

    Validate requirements to ensure that they meet stakeholder needs – getting sign-off is essential

    The image is the Requirements Gathering Framework shown previously. In this instance, all aspects of the graphic are greyed out with the exception of the Validate arrow, right of center. Below the arrow are three bullet points: Translate; Allocate; Approve.

    The validation phase involves translating the requirements, modeling the solutions, allocating features across the phased deployment plan, preparing the requirements package, and getting requirement sign-off. This is the last step in the Info-Tech Requirements Gathering Framework.

    Prepare a user-friendly requirements package

    Before going for final sign-off, ensure that you have pulled together all of the relevant documentation.

    The requirements package is a compilation of all of the business analysis and requirements gathering that occurred. The document will be distributed among major stakeholders for review and sign-off.

    Some may argue that the biggest challenge in the validation phase is getting the stakeholders to sign off on the requirements package; however, the real challenge is getting them to actually read it. Often, stakeholders sign the requirements document without fully understanding the scope of the application, details of deployment, and how it affects them.

    Remember, this document is not for the BAs; it’s for the stakeholders. Make the package with the stakeholders in mind. Create multiple versions of the requirements package where the length and level of technical details is tailored to the audience. Consider creating a supplementary PowerPoint version of the requirements package to present to senior management.

    Contents of Requirements Package:

    • Project Charter (if available)
    • Overarching Project Goals
    • Categorized Business Requirements
    • Selected Solution Proposal
    • Rationale for Solution Selection
    • Phased Roll-Out Plan
    • Proposed Schedule/Timeline
    • Signatures Page

    "Sit down with your stakeholders, read them the document line by line, and have them paraphrase it back to you so you’re on the same page." – Anonymous City Manager of IT Project Planning Info-Tech Interview

    Capture requirements in a dedicated BRD

    The BRD captures the original business objectives and high-level business requirements for the system/process. The system requirements document (SRD) captures the more detailed functional and technical requirements.

    The graphic is grouped into two sections, indicated by brackets on the right side, the top section labelled BRD and the lower section labelled as SRD. In the BRD section, a box reads Needs Identified in the Business Case. An arrow points from the bottom of the box down to another box labelled Use Cases. In the SRD section, there are three arrows pointing from the Use Cases box to three boxes in a row. They are labelled Functionality; Usability; and Constraints. Each of these boxes has a plus sign between it and the next in the line. At the bottom of the SRD section is a box with text that reads: Quality of Service Reliability, Supportability, and Performance

    Use Info-Tech’s Business Requirements Document Template to specify the business needs and expectations

    3.2 Business Requirements Document Template

    The Business Requirements Document Template can be used to record the functional, quality, and usability requirements into formats that are easily consumable for future analysis, architectural and design activities, and most importantly in a format that is understandable by all business partners.

    The BRD is designed to take the reader from a high-level understanding of the business processes down to the detailed automation requirements. It should capture the following:

    • Project summary and background
    • Operating model
    • Business process model
    • Use cases
    • Requirements elicitation techniques
    • Prioritized requirements
    • Assumptions and constraints

    Rightsize the BRD

    3.2.1 – 30 minutes

    Input
    • Project levels
    • BRD categories
    Output
    • BRD
    Materials
    • Whiteboard
    • Markers
    Participants
    • BAs
    • Business stakeholders

    Build the required documentation for requirements gathering.

    1. On the board, write out the components of the BRD. As a group, review the headings and decide if all sections are needed for level 1 & 2 and level 3 & 4 projects. Your level 3-4 project business cases will have the most detailed business cases; consider your level 1-2 projects, and remove any categories you don’t believe are necessary for the project level.
    2. Now that you have a right-sized template, break the team into two groups and have each group complete one section of the template for your selected project.
      1. Project overview
      2. Implementation considerations
    3. Once complete, have each group present its section, and allow the group to make additions and modifications to each section.

    Document the output from this exercise in section 6 of the Requirements Gathering SOP and BA Playbook.

    Present the BRD to business stakeholders

    3.2.2 – 1 hour

    Input
    • Activity 3.2.1
    Output
    • BRD presentation
    Materials
    • Whiteboard
    • Markers
    Participants
    • Business stakeholders

    Practice presenting the requirements document to business stakeholders.

    1. Hold a meeting with a group of selected stakeholders, and have a representative present each section of the BRD for your project.
    2. Instruct participants that they should spend the majority of their time on the requirements section, in particular the operating model and the requirements prioritization.
    3. At the end of the meeting, have the business stakeholders validate the requirements, and approve moving forward with the project or indicate where further requirements gathering must take place.

    Example:

    Typical Requirements Gathering Validation Meeting Agenda
    Project overview 5 minutes
    Project operating model 10 minutes
    Prioritized requirements list 5 minutes
    Business process model 30 minutes
    Implementation considerations 5 minutes

    Translate business requirements into technical requirements

    3.2.3 – 30 minutes

    Input
    • Business requirements
    Output
    • BRD presentation
    Materials
    • Whiteboard
    • Markers
    Participants
    • Business stakeholders
    • BAs
    • Developers

    Practice translating business requirements into system requirements.

    1. Bring in representatives from the development team, and have a representative walk them through the business process model.
    2. Present a detailed account of each business requirement, and work with the IT team to build out the system requirements for each.
    3. Document the system requirements in the Requirements Gathering Documentation Tool.

    For requirements traceability, ensure you’re linking your requirements management back to your test strategy

    After a solution has been fully deployed, it’s critical to create a strong link between your software testing strategy and the requirements that were collected. User acceptance testing (UAT) is a good approach for requirement verification.

    • Many organizations fail to create an explicit connection between their requirements gathering and software testing strategies. Don’t follow their example!
    • When conducting UAT, structure exercises in the context of the requirements; run through the signed-off list and ask users whether or not the deployed functionality was in line with the expectations outlined in the finalized requirements documentation.
    • If not – determine whether it was a miscommunication on the requirements management side or a failure of the developers (or procurement team) to meet the agreed-upon requirements.

    Download the Requirements Gathering Testing Checklist template.

    Identify the testing opportunities

    3.2.4 – 30 minutes

    Input
    • List of requirements
    Output
    • Requirements testing process
    Materials
    • Whiteboard
    • Markers
    Participants
    • BAs
    • Developers

    Identify how to test the effectiveness of different requirements.

    1. Ask the group to review the list of requirements and identify:
      1. Which kinds of requirements enable constructive testing efforts?
      2. Which kinds of requirements enable destructive testing efforts?
      3. Which kinds of requirements support end-user acceptance testing?
      4. What do these validation-enabling objectives mean in terms of requirement specificity?
    2. For each, identify who will do the testing and at what stage.

    Verify that the requirements still meet the stakeholders’ needs

    Keep the stakeholders involved in the process in between elicitation and sign-off to ensure that nothing gets lost in transition.

    After an organization’s requirements have been aggregated, categorized, and consolidated, the business requirements package will begin to take shape. However, there is still a great deal of work to complete. Prior to proceeding with the process, requirements should be verified by domain SMEs to ensure that the analyzed requirements continue to meet their needs. This step is often overlooked because it is laborious and can create additional work; however, the workload associated with verification is much less than the eventual rework stemming from poor requirements.

    All errors in the requirements gathering process eventually surface; it is only a matter of time. Control when these errors appear and minimize costs by soliciting feedback from stakeholders early and often.

    This is the Verify stage of the Confirm, Verify, Approve process.

    “Do these requirements still meet your needs?”

    Put it all together: obtain final requirements sign-off

    Use the sign-off process as one last opportunity to manage expectations, obtain commitment from the stakeholders, and minimize change requests.

    Development or procurement of the application cannot begin until the requirements package has been approved by all of the key stakeholders. This will be the third time that the stakeholders are asked to review the requirements; however, this will be the first time that the stakeholders are asked to sign off on them.

    It is important that the stakeholders understand the significance of their signatures. This is their last opportunity to see exactly what the solution will look like and to make change requests. Ensure that the stakeholders also recognize which requirements were omitted from the solution that may affect them.

    The sign-off process needs to mean something to the stakeholders. Once a signature is given, that stakeholder must be accountable for it and should not be able to make change requests. Note that there are some requests from senior stakeholders that can’t be refused; use discretion when declining requests.

    This is the Approve stage of the Confirm, Verify, Approve process.

    "Once requirements are signed off, stay firm on them!" – Anonymous Hospital Business Systems Analyst Info-Tech Interview

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with out Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    3.2.1; 3.2.2 Rightsize the BRD and present it to business stakeholders

    An analyst will facilitate the discussion to gather the required documentation for building the BRD. The analyst will also assist with practicing the presenting of each section of the document to business stakeholders.

    3.2.3; 3.2.4 Translate business requirements into technical requirements and identify testing opportunities

    An analyst will facilitate the session to practice translating business requirements into testing requirements and assist in determining how to test the effectiveness of different requirements.

    Phase 4: Create a Requirements Governance Action Plan

    Phase 4 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 4: Create a Requirements Governance Action Plan

    Proposed Time to Completion: 3 weeks

    Step 4.1: Create Control Processes for Requirements Changes

    Start with an analyst kick off call:

    • Discuss how to handle changes to requirements and establish a formal change control process.

    Then complete these activities…

    • Develop a change control process.
    • Build the guidelines for escalating changes.
    • Confirm your requirements gathering process.
    • Define RACI for the requirements gathering process.

    With these tools & templates:

    • Requirements Traceability Matrix
    Step 4.2: Build Requirements Governance and Communication Plan

    Review findings with analyst:

    • Review options for ongoing governance of the requirements gathering process.

    Then complete these activities…

    • Define the requirements gathering steering committee purpose.
    • Define the RACI for the RGSC.
    • Define procedures, cadence, and agenda for the RGSC.
    • Identify and analyze stakeholders.
    • Create a communications management plan.
    • Build the requirements gathering process implementation timeline.

    With these tools & templates:

    Requirements Gathering Communication Tracking Template

    Phase 4 Results & Insights:
    • Formalized change control and governance processes for requirements.

    Step 4.1: Create Control Processes for Requirements Changes

    Phase 1

    1.1 Understand the Benefits of Requirements Optimization

    1.2 Determine Your Target State for Requirements Gathering

    Phase 2

    2.1 Determine Elicitation Techniques

    2.2 Structure Elicitation Output

    Phase 3

    3.1 Create Analysis Framework

    3.2 Validate Business Requirements

    Phase 4

    4.1 Create Control Processes for Requirements Changes

    4.2 Build Requirements Governance and Communication Plan

    This step will walk you through the following activities:
    • Develop change control process.
    • Develop change escalation process.
    This step involves the following participants:
    • BAs
    • Business stakeholders
    Outcomes of this step
    • Requirements gathering process validation.
    • RACI completed.

    Manage, communicate, and test requirements

    The image is the Requirement Gathering Framework graphic from previous sections. In this instance, all parts of the image are greyed out, with the exception of the arrows labelled Communicate and Manage, located at the bottom of the image.

    Although the manage, communicate, and test requirements section chronologically falls as the last section of this blueprint, that does not imply that this section is to be performed only at the end. These tasks are meant to be completed iteratively throughout the project to support the core requirements gathering tasks.

    Prevent requirements scope creep

    Once the stakeholders sign off on the requirements document, any changes need to be tracked and managed. To do that, you need a change control process.

    Thoroughly validating requirements should reduce the amount of change requests you receive. However, eliminating all changes is unavoidable.

    The BAs, sponsor, and stakeholders should have agreed upon a clearly defined scope for the project during the planning phase, but there will almost always be requests for change as the project progresses. Even a high number of small changes can negatively impact the project schedule and budget.

    To avoid scope creep, route all changes, including small ones, through a formal change control process that will be adapted depending on the level of project and impact of the change.

    Linking change requests to requirements is essential to understanding relevance and potential impact

    1. Receive project change request.
    2. Refer to requirements document to identify requirements associated with the change.
      • Matching requirement is found: The change is relevant to the project.
      • Multiple requirements are associated with the proposed change: The change has wider implications for the project and will require closer analysis.
      • The request involves a change or new business requirements: Even if the change is within scope, time, and budget, return to the stakeholder who submitted the request to identify the potentially new requirements that relate to this change. If the sponsor agrees to the new requirements, you may be able to approve the change.
    3. Findings influence decision to escalate/approve/reject change request.

    Develop a change control process

    4.1.1 – 45 minutes

    Input
    • Current change control process
    Output
    • Updated change control process
    Materials
    • Whiteboard
    • Markers
    Participants
    • BAs
    • Developers
    1. Ask the team to consider their current change control process. It might be helpful to discuss a project that is currently underway, or already completed, to provide context. Draw the process on the whiteboard through discussion with the team.
    2. If necessary, provide some cues. Below are some change control process activities:
      • Submit project change request form.
      • PM assesses change.
      • Project sponsor assesses change.
      • Bring request to project steering committee to assess change.
      • Approve/reject change.
    3. Ask participants to brainstorm a potential separate process for dealing with small changes. Add a new branch for minor changes, which will allow you to make decisions on when to bundle the changes versus implementing directly.

    Document any changes from this exercise in section 7.1 of the Requirements Gathering SOP and BA Playbook.

    Example change control process

    The image is an example of a change control process, depicted via a flowchart.

    Build guidelines for escalating changes

    4.1.2 – 1 hour

    Input
    • Current change control process
    Output
    • Updated change control process
    Materials
    • Whiteboard
    • Markers
    Participants
    • BAs
    • Developers

    Determine how changes will be escalated for level 1/2/3/4 projects.

    1. Write down the escalation options for level 3 & 4 projects on the whiteboard:
      • Final decision rests with project manager.
      • Escalate to sponsor.
      • Escalate to project steering committee.
      • Escalate to change control board.
    2. Brainstorm categories for assessing the impact of a change and begin creating a chart on the whiteboard by listing these categories in the far left column. Across the top, list the escalation options for level 3 & 4 projects.
    3. Ask the team to agree on escalation conditions for each escalation option. For example, for the final decision to rest with the project manager one condition might be:
      • Change is within original project scope.
    4. Review the output from exercise 4.1.1 and tailor the process model to meet level 3 & 4 escalation models.
    5. Repeat steps 1-4 for level 1 & 2 projects.

    Document any changes from this exercise in section 7.2 of the Requirements Gathering SOP and BA Playbook.

    Example: Change control process – Level 3 & 4

    Impact Category Final Decision Rests With Project Manager If: Escalate to Steering Committee If: Escalate to Change Control Board If: Escalate to Sponsor If:
    Scope
    • Change is within original project scope.
    • Change is out of scope.
    Budget
    • Change can be absorbed into current project budget.
    • Change will require additional funds exceeding any contingency reserves.
    • Change will require the release of contingency reserves.
    Schedule
    • Change can be absorbed into current project schedule.
    • Change will require the final project close date to be delayed.
    • Change will require a delay in key milestone dates.
    Requirements
    • Change can be linked to an existing business requirement.
    • Change will require a change to business requirements, or a new business requirement.

    Example: Change control process – Level 1 & 2

    Impact CategoryFinal Decision Rests With Project Manager If:Escalate to Steering Committee If:Escalate to Sponsor If:
    Scope
    • Change is within original project scope.
    • Change is out of scope.
    Budget
    • Change can be absorbed into current project budget, even if this means releasing contingency funds.
    • Change will require additional funds exceeding any contingency reserves.
    Schedule
    • Change can be absorbed into current project schedule, even if this means moving milestone dates.
    • Change will require the final project close date to be delayed.
    Requirements
    • Change can be linked to an existing business requirement.
    • Change will require a change to business requirements, or a new business requirement.

    Leverage Info-Tech’s Requirements Traceability Matrix to help create end-to-end traceability of your requirements

    4.1 Requirements Traceability Matrix

    Even if you’re not using a dedicated requirements management suite, you still need a way to trace requirements from inception to closure.
    • Ensuring traceability of requirements is key. If you don’t have a dedicated suite, Info-Tech’s Requirements Traceability Matrix can be used as a form of documentation.
    • The traceability matrix covers:
      • Association ID
      • Technical Assumptions and Needs
      • Functional Requirement
      • Status
      • Architectural Documentation
      • Software Modules
      • Test Case Number

    Info-Tech Deliverable
    Take advantage of Info-Tech’s Requirements Traceability Matrix to track requirements from inception through to testing.

    You can’t fully validate what you don’t test; link your requirements management back to your test strategy

    Create a repository to store requirements for reuse on future projects.

    • Reuse previously documented requirements on future projects to save the organization time, money, and grief. Well-documented requirements discovered early can even be reused in the same project.
    • If every module of the application must be able to save or print, then the requirement only needs to be written once. The key is to be able to identify and isolate requirements with a high likelihood of reuse. Typically, requirements pertaining to regulatory and business rule compliance are prime candidates for reuse.
    • Build and share a repository to store historical requirement documentation. The repository must be intuitive and easy to navigate, or users will not take advantage of it. Plan the information hierarchy in advance. Requirements management software suites have the ability to create a repository and easily migrate requirements over from past projects.
    • Assign one person to manage the repository to create consistency and accountability. This person will maintain the master requirements document and ensure the changes that take place during development are reflected in the requirements.

    Confirm your requirements gathering process

    4.1.3 – 45 minutes

    Input
    • Activity 1.2.4
    Output
    • Requirements gathering process model
    Materials
    • Whiteboard
    • Markers
    Participants
    • BAs

    Review the requirements gathering process and control levels for project levels 1/2/3/4 and add as much detail as possible to each process.

    1. Draw out the requirements gathering process for a level 4 project as created in exercise 1.2.4 on a whiteboard.
    2. Review each process step as a group, and break down each step so that it is at its most granular. Be sure to include each decision point, key documentation, and approvals.
    3. Once complete, review the process for level 3, 2 & 1. Reduce steps as necessary. Note: there may not be a lot of differentiation between your project level 4 & 3 or level 2 & 1 processes. You should see differentiation in your process between 2 and 3.

    Document the output from this exercise in section 2.4 of the Requirements Gathering SOP and BA Playbook.

    Example: Confirm your requirements gathering process

    The image is an example of a requirements gathering process, representing in the format of a flowchart.

    Define RACI for the requirements gathering process

    4.1.4 – 45 minutes

    Input
    • List of stakeholders
    Output
    • RACI matrix
    Materials
    • Whiteboard
    • Markers
    Participants
    • Business stakeholders

    Understand who is responsible, accountable, consulted, and informed for key elements of the requirements gathering process for project levels 1/2/3/4.

    1. As a group, identify the key stakeholders for requirements gathering and place those names along the top of the board.
    2. On the left side of the board, list the process steps and control points for a level 4 project.
    3. For each process step, identify who is responsible, accountable, informed, and consulted.
    4. Repeat this process for project levels 3, 2 & 1.

    Example: RACI for requirements gathering

    Project Requestor Project Sponsor Customers Suppliers Subject Matter Experts Vendors Executives Project Management IT Management Developer/ Business Analyst Network Services Support
    Intake Form A C C I R
    High-Level Business Case R A C C C C I I C
    Project Classification I I C I R A R
    Project Approval R R I I I I I I A I I
    Project Charter R C R R C R I A I R C C
    Develop BRD R I R C C C R A C C
    Sign-Off on BRD/ Project Charter R A R R R R
    Develop System Requirements C C C R I C A R R
    Sign-Off on SRD R R R I A R R
    Testing/Validation A I R C R C R I R R
    Change Requests R R C C A I R C
    Sign-Off on Change Request R A R R R R
    Final Acceptance R A R I I I I R R R I I

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    4.1.1; 4.1.2 Develop a change control process and guidelines for escalating changes

    An analyst will facilitate the discussion on how to improve upon your organization’s change control processes and how changes will be escalated to ensure effective tracking and management of changes.

    4.1.3 Confirm your requirements gathering process

    With the group, an analyst will review the requirements gathering process and control levels for the different project levels.

    4.1.4 Define the RACI for the requirements gathering process

    An analyst will facilitate a whiteboard exercise to understand who is responsible, accountable, informed, and consulted for key elements of the requirements gathering process.

    Step 4.2: Build Requirements Governance and Communication Plan

    Phase 1

    1.1 Understand the Benefits of Requirements Optimization

    1.2 Determine Your Target State for Requirements Gathering

    Phase 2

    2.1 Determine Elicitation Techniques

    2.2 Structure Elicitation Output

    Phase 3

    3.1 Create Analysis Framework

    3.2 Validate Business Requirements

    Phase 4

    4.1 Create Control Processes for Requirements Changes

    4.2 Build Requirements Governance and Communication Plan

    This step will walk you through the following activities:

    • Developing a requirements gathering steering committee.
    • Identifying and analyzing stakeholders for requirements governance.
    • Creating a communication management plan.

    This step involves the following participants:

    • Business stakeholders
    • BAs

    Outcomes of this step

    • Requirements governance framework.
    • Communication management plan.

    Establish proper governance for requirements gathering that effectively creates and communicates guiding principles

    If appropriate governance oversight doesn’t exist to create and enforce operating procedures, analysts and developers will run amok with their own processes.

    • One of the best ways to properly govern your requirements gathering process is to establish a working committee within the framework of your existing IT steering committee. This working group should be given the responsibility of policy formulation and oversight for requirements gathering operating procedures. The governance group should be comprised of both business and IT sponsors (e.g. a director, BA, and “voice of the business” line manager).
    • The governance team will not actually be executing the requirements gathering process, but it will be deciding upon which policies to adopt for elicitation, analysis, and validation. The team will also be responsible for ensuring – either directly or indirectly through designated managers – that BAs or other requirements gathering processionals are following the approved steps.

    Requirements Governance Responsibilities

    1. Provide oversight and review of SOPs pertaining to requirements elicitation, analysis, and validation.

    2. Establish corporate policies with respect to requirements gathering SOP training and education of analysts.

    3. Prioritize efforts for requirements optimization.

    4. Determine and track metrics that will be used to gauge the success (or failure) of requirements optimization efforts and make process and policy changes as needed.

    Right-size your governance structure to your organization’s complexity and breadth of capabilities

    Not all organizations will be best served by a formal steering committee for requirements gathering. Assess the complexity of your projects and the number of requirements gathering practitioners to match the right governance structure.

    Level 1: Working Committee
    • A working committee is convened temporarily as required to do periodic reviews of the requirements process (often annually, or when issues are surfaced by practitioners). This governance mechanism works best in small organizations with an ad hoc culture, low complexity projects, and a small number of practitioners.
    Level 2: IT Steering Committee Sub-Group
    • For organizations that already have a formal IT steering committee, a sub-group dedicated to managing the requirements gathering process is desirable to a full committee if most projects are complexity level 1 or 2, and/or there are fewer than ten requirements gathering practitioners.
    Level 3: Requirements Gathering Steering Committee
    • If your requirements gathering process has more than ten practitioners and routinely deals with high-complexity projects (like ERP or CRM), a standing formal committee responsible for oversight of SOPs will provide stronger governance than the first two options.
    Level 4: Requirements Gathering Center of Excellence
    • For large organizations with multiple business units, matrix organizations for BAs, and a very large number of requirements gathering practitioners, a formal center of excellence can provide both governance as well as onboarding and training for requirements gathering.

    Identify and analyze stakeholders

    4.2.1A – 1 hour

    Input
    • Number of practitioners, project complexity levels
    Output
    • Governance structure selection
    Materials
    • Whiteboard
    • Markers
    Participants
    • Business stakeholders

    Use a power map to determine which governance model best fits your organization.

    The image is a square, split into four equal sections, labelled as follows from top left: Requirements Steering Committee; Requirements Center of Excellence; IT Steering Committee Sub-Group; Working Committee. The left and bottom edges of the square are labelled as follows: on the left, with an arrow pointing upwards, Project Complexity; on the bottom, with arrow pointing right, # of Requirements Practitioners.

    Define your requirements gathering governance structure(s) and purpose

    4.2.1B – 30 minutes

    Input
    • Requirements gathering elicitation, analysis, and validation policies
    Output
    • Governance mandate
    Materials
    • Whiteboard
    • Markers
    Participants
    • Business stakeholders

    This exercise will help to define the purpose statement for the applicable requirements gathering governance team.

    1. As a group, brainstorm key words that describe the unique role the governance team will play. Consider value, decisions, and authority.
    2. Using the themes, come up with a set of statements that describe the overall purpose statement.
    3. Document the outcome for the final deliverable.

    Example:

    The requirements gathering governance team oversees the procedures that are employed by BAs and other requirements gathering practitioners for [insert company name]. Members of the team are appointed by [insert role] and are accountable to [typically the chair of the committee].

    Day-to-day operations of the requirements gathering team are expected to be at the practitioner (i.e. BA) level. The team is not responsible for conducting elicitation on its own, although members of the team may be involved from a project perspective.

    Document the output from this exercise in section 3.1 of the Requirements Gathering SOP and BA Playbook.

    A benefits provider established a steering committee to provide consistency and standardization in requirements gathering

    CASE STUDY

    Industry Not-for-Profit

    Source Info-Tech Workshop

    Challenge

    This organization is a not-for-profit benefits provider that offers dental coverage to more than 1.5 million people across three states.

    With a wide ranging application portfolio that includes in-house, custom developed applications as well as commercial off-the-shelf solutions, the company had no consistent method of gathering requirements.

    Solution

    The organization contracted Info-Tech to help build an SOP to put in place a rigorous and efficient methodology for requirements elicitation, analysis, and validation.

    One of the key realizations in the workshop was the need for governance and oversight over the requirements gathering process. As a result, the organization developed a Requirements Management Steering Committee to provide strategic oversight and governance over requirements gathering processes.

    Results

    The Requirements Management Steering Committee introduced accountability and oversight into the procedures that are employed by BAs. The Committee’s mandate included:

    • Provide oversight and review SOPs pertaining to requirements elicitation, analysis, and validation.
    • Establish corporate policies with respect to training and education of analysts on requirements gathering SOPs.
    • Prioritize efforts for requirements optimization.
    • Determine metrics that can be used to gauge the success of requirements optimization efforts.

    Authority matrix – RACI

    There needs to be a clear understanding of who is accountable, responsible, consulted, and informed about matters brought to the attention of the requirements gathering governance team.

    • An authority matrix is often used within organizations to indicate roles and responsibilities in relation to processes and activities.
    • Using the RACI model as an example, there is only one person accountable for an activity, although several people may be responsible for executing parts of the activity.
    • In this model, accountable means end-to-end accountability for the process. Accountability should remain with the same person for all activities of a process.

    RResponsible

    The one responsible for getting the job done.

    A – Accountable

    Only one person can be accountable for each task.

    C – Consulted

    Involvement through input of knowledge and information.

    I – Informed

    Receiving information about process execution and quality.

    Define the RACI for effective requirements gathering governance

    4.2.2 – 30 minutes

    Input
    • Members’ list
    Output
    • Governance RACI
    Materials
    • Whiteboard
    • Markers
    • Sticky notes
    Participants
    • Governance team members

    Build the participation list and authority matrix for the requirements gathering governance team.

    1. Have each participant individually consider the responsibilities of the governance team, and write five participant roles they believe should be members of the governance team.
    2. Have each participant place the roles on the whiteboard, group participants, and agree to five participants who should be members.
    3. On the whiteboard, write the responsibilities of the governance team in a column on the left, and place the sticky notes of the participant roles along the top of the board.
    4. Under the appropriate column for each activity, identify who is the “accountable,” “responsible,” “consulted,” and “informed” role for each activity.
    5. Agree to a governance chair.

    Document any changes from this exercise in section 3.1 of the Requirements Gathering SOP and BA Playbook.

    Example: Steps 2-5: Build the governance RACI

    The image shows an example governance RACI, with the top of the chart labelled with Committee Participants, and the left hand column labelled Committee Responsibilities. Some of the boxes have been filled in.

    Define your requirements gathering governance team procedures, cadence, and agenda

    4.2.3 – 30 minutes

    Input
    • Governance responsibilities
    Output
    • Governance procedures and agenda
    Materials
    • Whiteboard
    • Markers
    Participants
    • Steering committee members

    Define your governance team procedures, cadence, and agenda.

    1. Review the format of a typical agenda as well as the list of responsibilities for the governance team.
    2. Consider how you will address each of these responsibilities in the meeting, who needs to present, and how long each presentation should be.
    3. Add up the times to define the meeting duration.
    4. Consider how often you need to meet to discuss the information: monthly, quarterly, or annually? Are there different actions that need to be taken at different points in the year?
    5. As a group, decide how the governance team will approve changes and document any voting standards that should be included in the charter. Will a vote be taken during or prior to the meeting? Who will have the authority to break a tie?
    6. As a group, decide how the committee will review information and documentation. Will members commit to reviewing associated documents before the meeting? Can associated documentation be stored in a knowledge repository and/or be distributed to members prior to the meeting? Who will be responsible for this? Can a short meeting/conference call be held with relevant reviewers to discuss documentation before the official committee meeting?

    Review the format of a typical agenda

    4.2.3 – 30 minutes

    Meeting call to order [Committee Chair] [Time]
    Roll call [Committee Chair] [Time]
    Review of SOPs
    A. Requirements gathering dashboard review [Presenters, department] [Time]
    B. Review targets [Presenters, department] [Time]
    C. Policy Review [Presenters, department] [Time]

    Define the governance procedures and cadence

    4.2.3 – 30 minutes

    • The governance team or committee will be chaired by [insert role].
    • The team shall meet on a [insert time frame (e.g. monthly, semi-annual, annual)] basis. These meetings will be scheduled by the team or committee chair or designated proxy.
    • Approval for all SOP changes will be reached through a [insert vote consensus criteria (majority, uncontested, etc.)] vote of the governance team. The vote will be administered by the governance chair. Each member of the committee shall be entitled to one vote, excepting [insert exceptions].
    • The governance team has the authority to reject any requirements gathering proposal which it deems not to have made a sufficient case or which does not significantly contribute to the strategic objectives of [insert company name].
    • [Name of individual] will record and distribute the meeting minutes and documentation of business to be discussed in the meeting.

    Document any changes from this exercise in section 3.1 of the Requirements Gathering SOP and BA Playbook.

    Changing the requirements gathering process can be disruptive – be successful by gaining business support

    A successful communication plan involves making the initiative visible and creating staff awareness around it. Educate the organization on how the requirements gathering process will differ.

    People can be adverse to change and may be unreceptive to being told they must “comply” to new policies and procedures. Demonstrate the value in requirements gathering and show how it will assist people in their day-to-day activities.

    By demonstrating how an improved requirements gathering process will impact staff directly, you create a deeper level of understanding across lines-of-business, and ultimately a higher level of acceptance for new processes, rules, and guidelines.

    A proactive communication plan will:
    • Assist in overcoming issues with prioritization, alignment resourcing, and staff resistance.
    • Provide a formalized process for implementing new policies, rules, and guidelines.
    • Detail requirements gathering ownership and accountability for the entirety of the process.
    • Encourage acceptance and support of the initiative.

    Identify and analyze stakeholders to communicate the change process

    Who are the requirements gathering stakeholders?

    Stakeholder:

    • A stakeholder is any person, group, or organization who is the end user, owner, sponsor, or consumer of an IT project, change, or application.
    • When assessing an individual or group, ask whether they can impact or be impacted by any decision, change, or activity executed as part of the project. This might include individuals outside of the organization.

    Key Stakeholder:

    • Someone in a management role or someone with decision-making power who will be able to influence requirements and/or be impacted by project outcomes.

    User Group Representatives:

    • For impacted user groups, follow best practice and engage an individual to act as a representative. This individual will become the primary point of contact when making decisions that impact the group.

    Identify the reasons for resistance to change

    Stakeholders may resist change for a variety of reasons, and different strategies are necessary to address each.

    Unwilling – Individuals who are unwilling to change may need additional encouragement. For these individuals, you’ll need to reframe the situation and emphasize how the change will benefit them specifically.

    Unable – All involved requirements gathering will need some form of training on the process, committee roles, and responsibilities. Be sure to have training and support available for employees who need it and communicate this to staff.

    Unaware – Until people understand exactly what is going on, they will not be able to conform to the process. Communicate change regularly at the appropriate detail to encourage stakeholder support.

    Info-Tech Insight

    Resisters who have influence present a high risk to the implementation as they may encourage others to resist as well. Know where and why each stakeholder is likely to resist to mitigate risk. A detailed plan will ensure you have the needed documentation and communications to successfully manage stakeholder resistance.

    Identify and analyze stakeholders

    4.2.4 – 1 hour

    Input
    • Requirements gathering stakeholders list
    Output
    • Stakeholder power map
    Materials
    • Whiteboard
    • Markers
    • Sticky notes
    Participants
    • RGSC members

    Identify the impact and level of resistance of all stakeholders to come up with the right communication plan.

    1. Through discussion, generate a complete list of stakeholders for requirements gathering and record the names on the whiteboard or flip chart. Group related stakeholders together.
    2. Using the template on the next slide, draw the stakeholder power map.
    3. Evaluate each stakeholder on the list based on:
      1. Influence: To what degree can this stakeholder impact progress?
      2. Involvement: How involved is the stakeholder already?
      3. Support: Label supporters with green sticky notes, resisters with red notes, and the rest with a third color.
    4. Based on the assessment, write the stakeholder’s name on a green, red, or other colored sticky note, and place the sticky note in the appropriate place on the power map.
    5. For each of the stakeholders identified as resisters, determine why you think they would be resistant. Is it because they are unwilling, unable, and/or unknowing?
    6. Document changes to the stakeholder analysis in the Requirements Gathering Communication Tracking Template.

    Identify and analyze stakeholders

    4.2.4 – 1 hour

    Use a power map to plot key stakeholders according to influence and involvement.

    The image shows a power map, which is a square divided into 4 equally-sized sections, labelled from top left: Focused Engagement; Key Players; Keep Informed; Minimal Engagement. On the left side of the square, there is an arrow pointing upwards labelled Influence; at the bottom of the square, there is an arrow pointing right labelled Involvement. On the right side of the image, there is a legend indicating that a green dot indicates a Supporter; a grey dot indicated Neutral; and a red dot indicates a Resister.

    Example: Identify and analyze stakeholders

    Use a power map to plot key stakeholders according to influence and involvement.

    The image is the same power map image from the previous section, with some additions. A red dot is located at the top left, with a note: High influence with low involvement? You need a strategy to increase engagement. A green dot is located mid-high on the right hand side. Grey dots are located left and right in the bottom of the map. The bottom right grey dot has the note: High involvement with lower influence? Make sure to keep these stakeholders informed at regular intervals and monitor engagement.

    Stakeholder analysis: Reading the power map

    High Risk:

    Stakeholders with high influence who are not as involved in the project or are heavily impacted by the project are less likely to give feedback throughout the project lifecycle and need to be engaged. They are not as involved but have the ability to impact project success, so stay one step ahead.

    Do not limit your engagement to kick-off and close – you need to continue seeking input and support at all stages of the project.

    Mid Risk:

    Key players have high influence, but they are also more involved with the project or impacted by its outcomes and are thus easier to engage.

    Stakeholders who are heavily impacted by project outcomes will be essential to your organizational change management strategy. Do not wait until implementation to engage them in preparing the organization to accept the project – make them change champions.

    Low Risk:

    Stakeholders with low influence who are not impacted by the project do not pose as great of a risk, but you need to keep them consistently informed of the project and involve them at the appropriate control points to collect feedback and approval.

    Inputs to the communications plan

    Stakeholder analysis should drive communications planning.

    Identify Stakeholders
    • Who is impacted by this project?
    • Who can affect project outcomes?
    Assess Stakeholders
    • Influence
    • Involvement
    • Support
    Stakeholder Change Impact Assessment
    • Identify change supporters/resistors and craft change messages to foster acceptance.
    Stakeholder Register
    • Record assessment results and preferred methods of communication.
    The Communications Management Plan:
    • Who will receive information?
    • What information will be distributed?
    • How will information be distributed?
    • What is the frequency of communication?
    • What will the level of detail be?
    • Who is responsible for distributing information?

    Communicate the reason for the change and stay on message throughout the change

    Leaders of successful change spend considerable time developing a powerful change message: a compelling narrative that articulates the desired end state and makes the change concrete and meaningful to staff. They create the change vision with staff to build ownership and commitment.

    The change message should:

    • Explain why the change is needed.
    • Summarize the things that will stay the same.
    • Highlight the things that will be left behind.
    • Emphasize the things that are being changed.
    • Explain how the change will be implemented.
    • Address how the change will affect the various roles in the organization.
    • Discuss staff’s role in making the change successful.

    The five elements of communicating the reason for the change:

    COMMUNICATING THE CHANGE

    What is the change?

    Why are we doing it?

    How are we going to go about it?

    How long will it take us?

    What will the role be for each department and individual?

    Create a communications management plan

    4.2.5 – 45 minutes

    Input
    • Exercise 4.1.1
    Output
    • Communications management plan
    Materials
    • Whiteboard
    • Markers
    Participants
    • RGSC members

    Build the communications management plan around your stakeholders’ needs.

    1. Build a chart on the board using the template on the next slide.
    2. Using the list from exercise 4.1.1, brainstorm a list of communication vehicles that will need to be used as part of the rollout plan (e.g. status updates, training).
    3. Through group discussion, fill in all these columns for at least three communication vehicles:
      • (Target) audience
      • Purpose (description)
      • Frequency (of the communication)
        • The method, frequency, and content of communication vehicles will change depending on the stakeholder involved. This needs to be reflected by your plan. For example, you may have several rows for “Status Report” to cover the different stakeholders who will be receiving it.
      • Owner (of the message)
      • Distribution (method)
      • (Level of) details
        • High/medium/low + headings
    4. Document your stakeholder analysis in the Requirements Gathering Communication Tracking Template.

    Communications plan template

    4.2.5 – 45 minutes

    Sample communications plan: Status reports

    Vehicle Audience Purpose Frequency Owner Distribution Level of Detail
    Communications Guidelines
    • Regardless of complexity, it is important not to overwhelm stakeholders with information that is not relevant to them. Sending more detailed information than is necessary might mean that it does not get read.
    • Distributing reports too widely may lead to people assuming that someone else is reading it, causing them to neglect reading it themselves.
    • Only distribute reports to the stakeholders who need the information. Think about what information that stakeholder requires to feel comfortable.

    Example: Identify and analyze stakeholders

    Sample communications plan: Status reports

    Vehicle Audience Purpose Frequency Owner Distribution Level of Detail
    Status Report Sponsor Project progress and deliverable status Weekly Project Manager Email

    Details for

    • Milestones
    • Deliverables
    • Budget
    • Schedule
    • Issues
    Status Report Line of Business VP Project progress Monthly Project Manager Email

    High Level for

    • Major milestone update

    Build your requirements gathering process implementation timeline

    4.2.6 – 45 minutes

    Input
    • Parking lot items
    Output
    • Implementation timeline
    Materials
    • Whiteboard
    • Markers
    • Sticky notes
    Participants
    • RGSC members

    Build a high-level timeline for the implementation.

    1. Collect the action items identified throughout the week in the “parking lot.”
    2. Individually or in groups, brainstorm any additional action items. Consider communication, additional training required, approvals, etc.
      • Write these on sticky notes and add them to the parking lot with the others.
    3. As a group, start organizing these notes into logical groupings.
    4. Assign each of the tasks to a person or group.
    5. Identify any risks or dependencies.
    6. Assign each of the tasks to a timeline.
    7. Following the exercise, the facilitator will convert this into a Gantt chart using the roadmap for requirements gathering action plan.

    Step 3: Organize the action items into logical groupings

    4.2.6 – 45 minutes

    The image shows a board with 5 categories: Documentation, Approval, Communication, Process, and Training. There are groups of post-it notes under each category title.

    Steps 4-6: Organize the action items into logical groupings

    4.2.6 – 45 minutes

    This image shows a chart with Action Items to be listed in the left-most column, Person or Group Responsible in the next column, Risks/Dependencies in the next columns, and periods of time (i.e. 1-3 months, 2-6 months, etc.) in the following columns. The chart has been partially filled in as an exemplar.

    Recalculate the selected requirements gathering metrics

    Measure and monitor the benefits of requirements gathering optimization.

    • Reassess the list of selected and captured requirements management metrics.
    • Recalculate the metrics and analyze any changes. Don’t expect a substantial result after the first attempt. It will take a while for BAs to adjust to the Info-Tech Requirements Gathering Framework. After the third project, results will begin to materialize.
    • Understand that the project complexity and business significance will also affect how long it takes to see results. The ideal projects to beta the process on would be of low complexity and high business significance.
    • Realize that poor requirements gathering can have negative effects on the morale of BAs, IT, and project managers. Don’t forget to capture the impact of these through surveys.

    Major KPIs typically used for benchmarking include:

    • Number of application bugs/defects (for internally developed applications).
    • Number of support requests or help desk tickets for the application, controlled for user deployment levels.
    • Overall project cycle time.
    • Overall project cost.
    • Requirements gathering as a percentage of project time.

    Revisit the requirements gathering metrics selected in the planning phase and recalculate them after requirements gathering optimization has been attempted.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    4.2.1; 4.2.2; 4.2.3 – Build a requirements gathering steering committee

    The analyst will facilitate the discussion to define the purpose statement of the steering committee, build the participation list and authority matrix for its members, and define the procedures and agenda.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    4.2.4 Identify and analyze stakeholders

    An analyst will facilitate the discussion on how to identify the impact and level of resistance of all stakeholders to come up with the communication plan.

    4.2.5 Create a communications management plan

    An analyst will assist the team in building the communications management plan based on the stakeholders’ needs that were outlined in the stakeholder analysis exercise.

    4.2.6 Build a requirements gathering implementation timeline

    An analyst will facilitate a session to brainstorm and document any action items and build a high-level timeline for implementation.

    Insight breakdown

    Requirements gathering SOPs should be prescriptive based on project complexity.

    • Complex projects will require more analytical rigor. Simpler projects can be served by more straightforward techniques such as user stories.

    Requirements gathering management tools can be pricy, but they can also be beneficial.

    • Requirements gathering management tools are a great way to have full control over recording, analyzing, and categorizing requirements over complex projects.

    BAs can make or break the execution of the requirements gathering process.

    • A strong process still needs to be executed well by BAs with the right blend of skills and knowledge.

    Summary of accomplishment

    Knowledge Gained

    • Best practices for each stage of the requirements gathering framework:
      • Elicitation
      • Analysis
      • Validation
    • A clear understanding of BA competencies and skill sets necessary to successfully execute the requirements gathering process.

    Processes Optimized

    • Stakeholder identification and management.
    • Requirements elicitation, analysis, and validation.
    • Requirements gathering governance.
    • Change control processes for new requirements.
    • Communication processes for requirements gathering.

    Deliverables Completed

    • SOPs for requirements gathering.
    • Project level selection framework.
    • Communications framework for requirements gathering.
    • Requirements documentation standards.

    Organizations and experts who contributed to this research

    Interviews

    • Douglas Van Gelder, IT Manager, Community Development Commission of the County of Los Angeles
    • Michael Lyons, Transit Management Analyst, Metropolitan Transit Authority
    • Ken Piddington, CIO, MRE Consulting
    • Thomas Dong, Enterprise Software Manager, City of Waterloo
    • Chad Evans, Director of IT, Ontario Northland
    • Three anonymous contributors

    Note: This research also incorporates extensive insights and feedback from our advisory service and related research projects.

    Bibliography

    “10 Ways Requirements Can Sabotage Your Projects Right From the Start.” Blueprint Software Systems, 2012. Web.

    “BPM Definition.” BPMInstitute.org, n.d. Web.

    “Capturing the Value of Project Management.” PMI’s Pulse of the Profession, 2015. Web.

    Eby, Kate. “Demystifying the 5 Phases of Project Management.” Smartsheet, 29 May 2019. Web.

    “Product Management: MoSCoW Prioritization.” ProductPlan, n.d. Web.

    “Projects Delivered on Time & on Budget Result in Larger Market Opportunities.” Jama Software, 2015. Web.

    “SIPOC Table.” iSixSigma, n.d. Web.

    “Survey Principles.” University of Wisconsin-Madison, n.d. Web.

    “The Standish Group 2015 Chaos Report.” The Standish Group, 2015. Web.

    Applications Priorities 2023

    • Buy Link or Shortcode: {j2store}186|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Architecture & Strategy
    • Parent Category Link: /architecture-and-strategy
    • Economic, social, and regulatory conditions have changed livelihoods, businesses, and marketplaces. Modern tools and technologies have acted as lifelines by minimizing operating and delivery costs, and in the process, establishing a strong foundation for growth and maturity.
    • These tools and technologies must meet the top business goals of CXOs: ensure service continuity, improve customer experience, and make data-driven decisions.
    • While today’s business applications are good and well received, there is still room for improvement. The average business application satisfaction score among IT leadership was 72% (n=1582, CIO Business Vision).

    Our Advice

    Critical Insight

    • Applications are critical components in any business strategic plan. They can directly influence an organization’s internal and external brand and reputation, such as their uniqueness, competitiveness and innovativeness in the industry
    • Business leaders are continuously looking for innovative ways to better position their application portfolio to satisfy their goals and objectives, i.e., application priorities. Given the scope and costs often involved, these priorities must be carefully crafted to clearly state achievable business outcomes that satisfies the different needs very different customers, stakeholders, and users.
    • Unfortunately, expectations on your applications team have increased while the gap between how stakeholders and applications teams perceive effectiveness remains wide. This points to a need to clarify the requirements to deliver valuable and quality applications and address the pressures challenging your teams.

    Impact and Result

    Learn and explore the technology and practice initiatives in this report to determine which initiatives should be prioritized in your application strategy and align to your business organizational objectives:

    • Optimize the effectiveness of the IT organization.
    • Boost the productivity of the enterprise.
    • Enable business growth through technology.

    Applications Priorities 2023 Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Applications Priorities Report 2023 – A report that introduces and describes five opportunities to prioritize in your 2023 application strategy.

    In this report, we explore five priorities for emerging and leading-edge technologies and practices that can improve on capabilities needed to meet the ambitions of your organization.

    • Applications Priorities 2023 Report

    Infographic

    Further reading

    Applications Priorities 2023

    Applications are the engine of the business: keep them relevant and modern

    What we are facing today is transforming the ways in which we work, live, and relate to one another. Applications teams and portfolios MUST change to meet this reality.

    Economic, social, and regulatory conditions have changed livelihoods, businesses, and marketplaces. Modern tools and technologies have acted as lifelines by minimizing operating and delivery costs, and in the process, establishing a strong foundation for growth and maturity.

    As organizations continue to strengthen business continuity, disaster recovery, and system resilience, activities to simply "keep the lights on" are not enough. Be pragmatic in the prioritization and planning of your applications initiatives, and use your technologies as a foundation for your growth.

    Your applications must meet the top business goals of your CXOs

    • Ensure service continuity
    • Improve customer experience
    • Make data-driven decisions
    • Maximize stakeholder value
    • Manage risk

    Source: CEO-CIO Alignment Diagnostics, August 2021 to July 2022, n=568.

    Select and align your applications priorities to your business goals and objectives

    Applications are critical components in any business strategic plan. They can directly influence an organization's internal and external brand and reputation, such as their:

    • Uniqueness, competitiveness, and innovativeness in the industry.
    • Ability to be dynamic, flexible, and responsive to changing expectations, business conditions, and technologies.

    Therefore, business leaders are continuously looking for innovative ways to better position their application portfolios to satisfy their goals and objectives, i.e. applications priorities. Given the scope and costs often involved, these priorities must be carefully crafted to clearly state achievable business outcomes that satisfy
    the different needs of very different customers, stakeholders, and users.

    Today's business applications are good but leave room for improvement

    72%
    Average business application satisfaction score among IT leadership in 1582 organizations.

    Source: CIO Business Vision, August 2021 to July 2022, N=190.

    Five Applications Priorities for 2023

    In this report, we explore five priorities for emerging and leading-edge technologies and practices that can improve on capabilities needed to meet the Ambitions of your organization.

    this is an image of the Five Applications Priorities for which will be addressed in this blueprint.

    Strengthen your foundations to better support your applications priorities

    These key capabilities are imperative to the success of your applications strategy.

    KPI and Metrics

    Easily attainable and insightful measurements to gauge the progress of meeting strategic objectives and goals (KPIs), and the performance of individual teams, practices and processes (metrics).

    BUSINESS ALIGNMENT

    Gain an accurate understanding and interpretation of stakeholder, end-user, and customer expectations and priorities. These define the success of business products and services considering the priorities of individual business units and teams.

    EFFICIENT DELIVERY & SUPPORT PRACTICE

    Software delivery and support roles, processes, and tools are collaborative, well equipped and resourced, and optimized to meet changing stakeholder expectations.

    Data Management & Governance

    Ensuring data is continuously reliable and trustworthy. Data structure and integrations are defined, governed, and monitored.

    Product & Service Ownership

    Complete inventory and rationalization of the product and service portfolio, prioritized backlogs, roadmaps, and clear product and service ownership with good governance. This helps ensure this portfolio is optimized to meet its goals and objectives.

    Strengthen your foundations to better support your applications priorities (cont'd)

    These key capabilities are imperative to the success of your applications strategy.

    Organizational Change Management

    Manage the adoption of new and modified processes and technologies considering reputational, human, and operational concerns.

    IT Operational Management

    Continuous monitoring and upkeep of products and services to assure business continuity, and system reliability, robustness and disaster recovery.

    Architectural Framework

    A set of principles and standards that guides the consistent, sustainable and scalable growth of enterprise technologies. Changes to the architecture are made in collaboration with affected parties, such as security and infrastructure.

    Application Security

    The measures, controls, and tactics at the application layer that prevent vulnerabilities against external and internal threats and ensure compliance to industry and regulatory security frameworks and standards.

    There are many factors that can stand in your team's way

    Expectations on your applications team have increased, while the gap between how stakeholders and applications teams perceive effectiveness remains wide. This points to a need to clarify the requirements to deliver valuable and quality applications and address the pressures challenging your teams.

    1. Attracting and retaining talent
    2. Maximizing the return on technology
    3. Confidently shifting to digital
    4. Addressing competing priorities
    5. Fostering a collaborative culture
    6. Creating high-throughput teams

    CIOs agree that at least some improvement is needed across key IT activities

    A bar graph is depicted which shows the proportion of CIOs who believe that some, or significant improvement is necessary for the following categories: Measure IT Project Success; Align IT Budget; Align IT Project Approval Process; Measure Stakeholder Satisfaction With IT; Define and Align IT Strategy; Understand Business Goals

    Source: CEO-CIO Alignment Diagnostics, August 2021 to July 2022, n=568.

    Pressure Point 1:
    Attracting and Retaining Talent

    Recent environmental pressures impacted traditional working arrangements and showed more workplace flexibility is often possible. At the same time, many employees' expectations about how, when, and where they choose to work have also evolved. Recruitment and retention are reflections of different sides of the same employee value proposition coin. Organizations that fail to reinvent their approach to attracting and retaining talent by focusing on candidate and employee experience risk turnover, vacancies, and lost opportunities that can negatively impact the bottom line.

    Address the underlying challenges

    • Lack of employee empowerment and few opportunities for learning and development.
    • Poor coworker and manager relationships.
    • Compensation and benefits are inadequate to maintain desired quality of life.
    • Unproductive work environment and conflicting balance of work and life.
    • Unsatisfactory employee experience, including lack of employee recognition
      and transparency of organizational change.

    While workplace flexibility comes with many benefits, longer work hours jeopardize wellbeing.
    62% of organizations reported increased working hours, while 80% reported an increase in flexibility.
    Source: McLean & Company, 2022; n=394.

    Be strategic in how you fill and train key IT skills and capabilities

    • Cybersecurity
    • Big Data/Analytics
    • Technical Architecture
    • DevOps
    • Development
    • Cloud

    Source: Harvey Nash Group, 2021; n=2120.

    Pressure Point 2:
    Maximizing the Return of Technology

    Recent environmental pressures impacted traditional working arrangements and showed more workplace flexibility is often possible. At the same time, many employees' expectations about how, when, and where they choose to work have also evolved. Recruitment and retention are reflections of different sides of the same employee value proposition coin. Organizations that fail to reinvent their approach to attracting and retaining talent by focusing on candidate and employee experience risk turnover, vacancies, and lost opportunities that can negatively impact the bottom line.

    Address the underlying challenges

    • Inability to analyze, propose, justify, and communicate modernization solutions in language the stakeholders understand and in a way that shows they clearly support business priorities and KPIs and mitigate risks.
    • Little interest in documenting and rationalizing products and services through business-IT collaboration.
    • Lack of internal knowledge of the system and loss of vendor support.
    • Undefined, siloed product and service ownership and governance, preventing solutions from working together to collectively deliver more value.
    • Little stakeholder appetite to invest in activities beyond "keeping the lights on."

    Only 64% of applications were identified as effective by end users.
    Effective applications are identified as at least highly important and have high feature and usability satisfaction.
    Source: Application Portfolio Assessment, August 2021 to July 2022; N=315.

    "Regardless of the many definitions of modernization floating around, the one characteristic that we should be striving for is to ensure our applications do an outstanding job of supporting the users and the business in the most effective and efficient manner possible."
    Source: looksoftware.

    Pressure Point 3:
    Confidently Shifting to Digital

    "Going digital" reshapes how the business operates and drives value by optimizing how digital and traditional technologies and tactics work together. This shift often presents significant business and technical risks to business processes, enterprise data, applications, and systems which stakeholders and teams are not aware of or prepared to accommodate.

    Address the underlying challenges

    • Differing perspectives on digital can lead to disjointed transformation initiatives, oversold benefits, and a lack of synergy among digital technologies and processes.
    • Organizations have difficulty adapting to new technologies or rethinking current business models, processes, and ways of working because of the potential human, ethical, and reputational impacts and restrictions from legacy systems.
    • Management lacks a framework to evaluate how their organization manages and governs business value delivery.
    • IT is not equipped or resourced to address these rapidly changing business, customer, and technology needs.
    • The wrong tools and technologies were chosen to support the shift to digital.

    The shift to digital processes is starting, but slowly.
    62% of respondents indicated that 1-20% of their processes were digitized during the past year.
    Source: Tech Trends and Priorities 2023; N=500

    Resistance to change and time/budget constraints are top barriers preventing companies from modernizing their applications.
    Source: Konveyor, 2022; n=600.

    Pressure Point 4:
    Addressing Competing Priorities

    Enterprise products and services are not used, operated, or branded in isolation. The various parties involved may have competing priorities, which often leads to disagreements on when certain business and technology changes should be made and how resources, budget, and other assets should be allocated. Without a broader product vision, portfolio vision, and roadmap, the various dependent or related products and services will not deliver the same level of value as if they were managed collectively.

    Address the underlying challenges

    • Undefined product and service ownership and governance, including escalation procedures when consensus cannot be reached.
    • Lack of a unified and grounded set of value and quality definitions, guiding principles, prioritization standards, and broad visibility across portfolios, business capabilities, and business functions.
    • Distrust between business units and IT teams, which leads to the scaling of unmanaged applications and fragmented changes and projects.
    • Decisions are based on opinions and experiences without supporting data.

    55% of CXOs stated some improvement is necessary in activities to understand business goals.
    Source: CEO-CIO Alignment Diagnostics, August 2021 to July 2022; n=568.

    CXOs are moderately satisfied with IT's performance as a business partner (average score of 69% among all CXOs). This sentiment is similarly felt among CIOs (64%).
    Source: CEO-CIO Alignment Diagnostics, August 2021 to July 2022; n=568.

    Pressure Point 5:
    Fostering a Collaborative Culture

    Culture impacts business results, including bottom-line revenue and productivity metrics. Leaders appreciate the impact culture can have on applications initiatives and wish to leverage this. How culture translates from an abstract concept to something that is measurable and actionable is not straightforward. Executives need to clarify how the desired culture will help achieve their applications strategy and need to focus on the items that will have the most impact.

    Address the underlying challenges

    • Broad changes do not consider the unique subcultures, personalities, and behaviors of the various teams and individuals in the organization.
    • Leaders mandate cultural changes without alleviating critical barriers and do not embody the principles of the target state.
    • Bureaucracy and politics restrict changes and encourage the status quo.
    • Industry standards, technologies, and frameworks do not support or cannot be tailored to fit the desired culture.
    • Some teams are deliberately excluded from the scoping, planning, and execution of key product and service delivery and management activities.

    Agile does not solve team culture challenges.
    43% of organizations cited organizational culture as a significant barrier to adopting and scaling Agile practices.
    Source: Digital.ai, 2021.

    "Providing a great employee experience" as the second priority (after recruiting) highlights the emphasis organizations are placing on helping employees adjust after having been forced to change the way work gets done.
    Source: McLean & Company, 2022; N=826.

    Use your applications priorities to help address your pressure points

    Success can be dependent on your ability to navigate around or alleviate your pressure points. Design and market your applications priorities to bring attention to your pressure points and position them as key risk factors to their success.

    Applications Priorities
    Digital Experience (DX) Intelligent Automation Proactive Application Management Multisource Systems Digital Organization as a Platform
    Attracting and Retaining Talent Enhance the employee experience Be transparent and support role changes Shift focus from maintenance to innovation Enable business-managed applications Promote and showcase achievements and successes
    Maximizing the Return on Technology Modernize or extend the use of existing investments Automate applications across multiple business functions Improve the reliability of mission-critical applications Enhance the functionality of existing applications Increase visibility of underused applications
    Confidently Shifting to Digital Prioritize DX in your shift to digital Select the capabilities that will benefit most from automation Prepare applications to support digital tools and technologies Use best-of-breed tools to meet specific digital needs Bring all applications up to a common digital standard
    Addressing Competing Priorities Ground your digital vision, goals, and objectives Recognize and evaluate the architectural impact Rationalize the health of the applications Agree on a common philosophy on system composition Map to a holistic platform vision, goals, and objectives
    Fostering a Collaborative Culture Involve all perspectives in defining and delivering DX Involve the end user in the delivery and testing of the automated process Include the technical perspective in the viability of future applications plans Discuss how applications can work together better in an ecosystem Ensure the platform is configured to meet the individual needs of the users
    Creating High-Throughput Teams Establish delivery principles centered on DX Remove manual, error-prone, and mundane tasks Simplify applications to ease delivery and maintenance Alleviate delivery bottlenecks and issues Abstract the enterprise system to expedite delivery

    Digital Experience (DX)

    PRIORITY 1

    • Deliver Valuable User, Customer, Employee, and Brand Experiences

    Delivering valuable digital experiences requires the adoption of good management, governance, and operational practices to accommodate stakeholder, employee, customer, and end-user expectations of digital experiences (e.g. product management, automation, and iterative delivery). Technologies are chosen based on what best enables, delivers, and supports these expectations.

    Introduction

    Digital transformation is not just about new tools and technologies. It is also about delivering a valuable digital experience

    What is digital experience (DX)?

    Digital experience (DX) refers to the interaction between a user and an organization through digital products and services. Digital products and services are tools, systems, devices, and resources that gather, store, and process data; are continuously modernized; and embody eight key attributes that are described on the following slide. DX is broken down into four distinct perspectives*:

    • Customer Experience – The immediate perceptions of transactions and interactions experienced through a customer's journey in the use of the organization's digital
      products and services.
    • End-User Experience – Users' emotions, beliefs, and physical and psychological responses
      that occur before, during, or after interacting with a digital product or service.
    • Brand Experience – The broader perceptions, emotions, thoughts, feelings and actions the public associate with the organization's brand and reputation or its products and services. Brand experience evolves over time as customers continuously engage with the brand.
    • Employee Experience – The satisfaction and experience of an employee through their journey with the organization, from recruitment and hiring to their departure. How an employee embodies and promotes the organization brand and culture can affect their performance, trust, respect, and drive to innovate and optimize.
    Digital Products and Services
    Customer Experience Brand Experience Employee Experience End-User Experience

    Digital products and services have a common set of attributes

    Digital transformation is not just about new tools and technologies. It is also about delivering a valuable digital experience

    • Digital products and services must keep pace with changing business and end-user needs as well as tightly supporting your maturing business model with continuous modernization. Focus your continuous modernization on the key characteristics that drive business value.
    • Fit for purpose: Functionalities are designed and implemented for the purpose of satisfying the end user's needs and solving their problems.
    • User-centric: End users see the product as rewarding, engaging, intuitive, and emotionally satisfying. They want to come back to it.
    • Adaptable: The product can be quickly tailored to meet changing end-user and technology needs with reusable and customizable components.
    • Accessible: The product is available on demand and on the end user's preferred interface.
      End users have a seamless experience across all devices.
    • Private and secured: The end user's activity and data are protected from unauthorized access.
    • Informative and insightful: The product delivers consumable, accurate, and trustworthy real-time data that is important to the end user.
    • Seamless application connection: The product facilitates direct interactions with one or more other products through an uninterrupted user experience.
    • Relationship and network building: The product enables and promotes the connection and interaction of people.

    The Business Value cycle of continuous modernization.

    Signals

    DX is critical for business growth and maturity, but the organization may not be ready

    A good DX has become a key differentiator that gives organizations an advantage over their competition and peers. Shifts in working environments; employee, customer, and stakeholder expectations; and the advancements in modern technologies have raised the importance of adopting and transitioning to digital processes and tools to stay relevant and responsive to changing business and technology conditions.

    Applications teams are critical to ensuring the successful delivery and operation of these digital processes and tools. However, they are often under-resourced and challenged to meet their DX goals.

    • 7% of both business and IT respondents think IT has the resources needed to keep up with digital transformation initiatives and meet deadlines (Cyara, 2021).
    • 43% of respondents said that the core barrier to digital transformation is a lack of skilled resources (Creatio, 2021).
    A circle graph is shown with 91% of the circle coloured in dark blue, with the number 91% in the centre.

    of organizations stated that at least 1% of processes were shifted from being manually completed to digitally completed in the last year. 29% of organizations stated at least 21% were shifted.

    Source: Tech Trends and Priorities 2023; N=500.

    A circle graph is shown with 98% of the circle coloured in dark blue, with the number 98% in the centre.

    of organizations recognized digital transformation is important for competitive advantage. 94% stated it is important to enhance customer experience, and 91% stated it will have a positive impact on revenue.

    Source: Cyara, 2021.

    Drivers

    Brand and reputation

    Customers are swayed by the innovations and advancements in digital technologies and expect your applications team to deliver and support them. Your leaders recognize the importance of these expectations and are integrating them into their business strategy and brand (how the organization presents itself to its customers, employees and the public). They hope that their actions will improve and shape the company's reputation (public perception of the company) as effective, customer-focused, and forward-thinking.

    Worker productivity

    As you evolve and adopt more complex tools and technology, your stakeholders will expect more from business units and IT teams. Unfortunately, teams employing manual processes and legacy systems will struggle to meet these expectations. Digital products and services promote the simplification of complex operations and applications and help the business and your teams better align operational practices with strategic goals and deliver valuable DX.

    Organization modernization

    Legacy processes, systems, and ways of working are no longer suitable for meeting the strategic digital objectives and DX needs stakeholders expect. They drive up operational costs without increased benefits, impede business growth and innovation, and consume scarce budgets that could be used for other priorities. Shifting to digital tools and technologies will bring these challenges to light and demonstrate how modernization is an integral part of DX success.

    Benefits & Risks

    Benefits

    • Flexibility & Satisfaction
    • Adoption
    • Reliability

    Employees and customers can choose how they want to access, modify, and consume digital products and services. They can be tailored to meet the specific functional needs, behaviors, and habits of the end user.

    The customer, end user, brand, and employee drive selection, design, and delivery of digital products and services. Even the most advanced technologies will fail if key roles do not see the value in their use.

    Digital products and services are delivered with technical quality built into them, ensuring they meet the industry, regulatory, and company standards throughout their lifespan and in various conditions.

    Risks

    • Legacy & Lore
    • Bureaucracy & Politics
    • Process Inefficiencies
    • No Quality Standards

    Some stakeholders may not be willing to change due to their familiarity and comfort of business practices.

    Competing and conflicting priorities of strategic products and services undermine digital transformation and broader modernization efforts.

    Business processes are often burdened by wasteful activities. Digital products and services are only as valuable as the processes they support.

    The performance and support of your digital products and services are hampered due to unmanageable technical debt because of a deliberate decision to bypass or omit quality good practices.

    Address your pressure points to fully realize the benefits of this priority

    Success can be dependent on your ability to address your pressure points.

    Attracting and Retaining Talent

    Enhance the employee experience.

    Design the digital processes, tools, and technologies to meet the individual needs of the employee.

    Maximizing the Return on Technology

    Modernize or extend the use of existing investments.

    Drive higher adoption of applications and higher user value and productivity by implementing digital capabilities to the applications that will gain the most.

    Confidently Shifting to Digital

    Prioritize DX in your shift to digital. Include DX as part of your definition of success.

    Your products and services are not valuable if users, customers, and employees do not use them.

    Addressing Competing Priorities

    Ground your digital vision, goals, and objectives

    Establish clear ownership of DX and digital products and services with a cross-functional prioritization framework.

    Fostering a Collaborative Culture

    Involve all perspectives in defining and delivering DX.

    Maintain a committee of owners, stakeholders, and delivery teams to ensure consensus and discuss how to address cross-functional opportunities and risks.

    Creating High-Throughput Teams

    Establish delivery principles centered on DX.

    Enforce guiding principles to streamline and simplify DX delivery, such as plug-and-play architecture and quality standards.

    Recommendations

    Build a digital business strategy

    A digital business strategy clearly articulates the goals and ambitions of the business to adopt digital practices, tools, and technologies. This document:

    • Looks for ways to transform the business by identifying what technologies to embrace, what processes to automate, and what new business models to create.
    • Unifies digital possibilities with your customer experiences.
    • Establishes accountability with the executive leadership.
    • States the importance of cross-functional participation from senior management across the organization.

    Related Research:

    Learn, understand, and empathize with your users, employees, and customers

    • To create a better product, solution, or service, understanding those who use it, their needs, and their context is critical.
    • A great experience design practice can help you balance those goals so that they are in harmony with those of your users.
    • IT leaders must find ways to understand the needs of the business and develop empathy on a much deeper level. This empathy is the foundation for a thriving business partnership.

    Related Research:

    Recommendations

    Center product and service delivery decisions and activities on DX and quality

    User, customer, employee, and brand are integral perspectives on the software development lifecycle (SDLC) and the management and governance practices supporting digital products and services. It ensures quality standards and controls are consistently upheld while maintaining alignment with various needs and priorities. The goal is to come to a consensus on a universal definition and approach to embed quality and DX-thinking throughout the delivery process.

    Related Research:

    Instill collaborative delivery practices

    Today's rapidly scaling and increasingly complex digital products and services create mounting pressure on delivery teams to release new features and changes quickly and with sufficient quality. This pressure is further compounded by the competing priorities of individual stakeholders and the nuances among different personas of digital products and services.

    A collaborative delivery practice sets the activities, channels, and relationships needed to deliver a valuable and quality product or service with cross-functional awareness, accountability, and agreement.

    Related Research:

    Recommendations

    Continuously monitor and modernize your digital products and services

    Today's modern digital products and services are tomorrow's shelfware. They gradually lose their value, and the supporting technologies will become obsolete. Modernization is a continuous need.

    Data-driven insights help decision makers decide which products and services to retire, upgrade, retrain on, or maintain to meet the demands of the business.

    Enhancements focusing on critical business capabilities strengthen the case for investment and build trust with all stakeholders.

    Related Research:

    CASE STUDY
    Mastercard in Asia

    Focus on the customer journey

    Chief Marketing Officer M.V. Rajamannar (Raja) wanted to change Mastercard's iconic "Priceless" ad campaign (with the slogan "There are some things money can't buy. For everything else there's Mastercard."). The main reasons were that the campaign relied on one-way communication and targeted end customers, even though Mastercard doesn't issue cards directly to customers; partner banks do. To drive the change in campaign, Raja and his team created a digital engine that leveraged digital and social media. Digital engine is a seven-step process based on insights gleaned from data and real-time optimization.

    1. Emotional spark: Using data to understand customers' passion points, Mastercard builds videos and creatives to ignite an emotional spark and give customers a reason to engage. For example, weeks before New Year's Eve, Mastercard produced a video with Hugh Jackman to encourage customers to submit a story about someone who deeply mattered to them. The authors of the winning story would be flown to reunite with those both distant and dear.
    2. Engagement: Mastercard targets the right audience with a spark video through social media to encourage customers to share their stories.
    3. Offers: To help its partner banks and merchants in driving their business, the company identifies the best offers to match consumers' interests. In the above campaign, Mastercard's Asia-Pacific team found that Singapore was a favorite destination for Indian customers, so they partnered with Singapore's Resorts World Sentosa with an attractive offer.
    4. Real-time optimization: Mastercard optimizes, in real time, a portfolio of several offers through A/B testing and other analysis.
    5. Amplification: Real-time testing provides confidence to Mastercard about the potential success of these offers and encourages its bank and merchant partners to co-market and co-fund these campaigns.
    6. Network effects: A few weeks after consumers submitted their stories about distant loved ones, Mastercard selected winners, produced videos of them surprising their friends and families, and used these videos in social media to encourage sharing.
    7. Incremental transactions: These programs translate into incremental business for banks who issue cards, for merchants where customers spend money, and for Mastercard, which gets a portion of every transaction.

    Source: Harvard Business Review Press

    CASE STUDY
    Mastercard in Asia (cont'd)

    Focus on the customer journey

    1. Emotional Spark
      Drives genuine personal stories
    2. Engagement
      Through Facebook
      and social media
    3. Offers
      From merchants
      and Mastercard assets
    4. Optimization
      Real-time testing of offers and themes
    5. Amplification
      Paid and organic programmatic buying
    6. Network Effects
      Sharing and
      mass engagement
    7. Incremental Transactions
      Win-win for all parties

    CASE STUDY
    Mastercard in Asia (cont'd)

    The Mastercard case highlights important lessons on how to engage customers:

    • Have a broad message. Brands need to connect with consumers over how they live and spend their time. Organizations need to go beyond the brand or product message to become more relevant to consumers' lives. Dove soap was very successful in creating a conversation among consumers with its "Real Beauty" campaign, which focused not on the brand or even the product category, but on how women and society view beauty.
    • Shift from storytelling to story making. To break through the clutter of advertising, companies need to move from storytelling to story making. A broader message that is emotionally engaging allows for a two-way conversation.
    • Be consistent with the brand value. The brand needs to stand for something, and the content should be relevant to and consistent with the image of the brand. Pepsi announced an award of $20 million in grants to individuals, businesses, and nonprofits that promote a new idea to make a positive impact on community. A large number of submissions were about social causes that had nothing to do with Pepsi, and some, like reducing obesity, were in conflict with Pepsi's product.
    • Create engagement that drives business. Too much entertainment in ads may engage customers but detract from both communicating the brand message and increasing sales. Simply measuring the number of video views provides only a partial picture of a program's success.

    Intelligent Automation

    PRIORITY 2

    • Extend Automation Practices with AI and ML

    AI and ML are rapidly growing. Organizations see the value of machines intelligently executing high-performance and dynamic tasks such as driving cars and detecting fraud. Senior leaders see AI and ML as opportunities to extend their business process automation investments.

    Introduction

    Intelligent automation is the next step in your business process automation journey

    What is intelligent automation (IA)?

    Intelligent automation (IA) is the combination of traditional automation technologies, such as business process management (BPM) and robotic process automation (RPA), with AI and ML. The goal is to further streamline and scale decision making across various business processes by:

    • Removing human interactions.
    • Addressing decisions that involve complex variables.
    • Automatically adapting processes to changing conditions.
    • Bridging disparate automation technologies into an integrated end-to-end value delivery pipeline.

    "For IA to succeed, employees must be involved in the transformation journey so they can experience firsthand the benefits of a new way of working and creating business value," (Cognizant).

    What is the difference between IA and hyperautomation?

    "Hyperautomation is the act of automating everything in an organization that can be automated. The intent is to streamline processes across an organization using intelligent automation, which includes AI, RPA and other technologies, to run without human intervention. … Hyperautomation is a business-driven, disciplined approach that organizations use to rapidly identify, vet, and automate as many business and IT processes as possible" (IBM, 2021).

    Note that hyperautomation often enables IA, but teams solely adopting IA do not need to abide to its automation-first principles.

    IA is a combination of various tools and technologies

    What tools and technologies are involved in IA?

    • Artificial intelligence (AI) & Machine Learning (ML) – AI systems perform tasks mimicking human intelligence such as learning from experience and problem solving. AI is making its own decisions without human intervention. Machine learning systems learn from experience and without explicit instructions. They learn patterns from data then analyze and make predictions based on past behavior and the patterns learned. AI is a combination of technologies and can include machine learning.
    • Intelligent Business Process Management System (iBPMS) – Combination of BPM tools with AI and other intelligence capabilities.
    • Robotic Process Automation (RPA) – Robots leveraging an application's UI rather than programmatic access. Automate rules-based, repetitive tasks performed by human workers with AI/ML.
    • Process Mining & Discovery – Process mining involves reading system event logs and application transactions and applying algorithmic analysis to automatically identify and map inferred business processes. Process discovery involves unintrusive virtual agents that sit on a user's desktop and record and monitor how they interact with applications to perform tasks and processes. Algorithms are then used to map and analyze the processes.
    • Intelligent Document Processing – The conversion of physical or unstructured documents into a structured, digital format that can be used in automation solutions. Optical character recognition (OCR) and natural language processing (NPL) are common tools used to enable this capability.
    • Advanced Analytics – The gathering, synthesis, transformation, and delivery of insightful and consumable information that supports data-driven decision making. Data is queried from various disparate sources and can take on a variety of structured and unstructured formats.

    The cycle of IA technologies

    Signals

    Process automation is an executive priority and requires organizational buy-in

    Stakeholders recognize the importance of business process automation and AI and are looking for ways to deliver more value using these technologies.

    • 90% of executives stated automating business workflows post-COVID-19 will ensure business continuity (Kofax, 2022).
    • 88% of executives stated they need to fast-track their end-to-end digital transformation (Kofax, 2022).

    However, the advertised benefits to vendors of enabling these desired automations may not be easily achievable because of:

    • Manual and undocumented business processes.
    • Fragmented and inaccessible systems.
    • Poor data quality, insights, and security.
    • The lack of process governance and management practice.
    A circle graph is shown with 49% of the circle coloured in dark blue, with the number 49% in the centre.

    of CXOs stated staff sufficiency, skill and engagement issues as a minor IT pain point compared to 51% of CIOs stated this issue as a major pain point.

    Source: CEO-CIO Alignment Diagnostics, August 2021 to July 2022; n=568.

    A circle graph is shown with 36% of the circle coloured in dark blue, with the number 36% in the centre.

    of organizations have already invested in AI or machine learning.

    Source: Tech Trends and Priorities 2023; N=662

    Drivers

    Quality & throughput

    Products and services delivered through an undefined and manual process risk the creation of preventable and catchable defects, security flaws and holes, missing information, and other quality issues. IA solutions consistently reinforce quality standards the same way across all products and services while tailoring outputs to meet an individual's specific needs. Success is dependent on the accurate interpretation and application of quality standards and the user's expectations.

    Worker productivity

    IA removes the tedious, routine, and mundane tasks that distract and restrict employees from doing more valuable, impactful, and cognitively focused activities. Practical insights can also be generated through IA tools that help employees make data-driven decisions, evaluate problems from different angles, and improve the usability and value of the products and services they produce.

    Good process management practices

    Automation magnifies existing inefficiencies of a business process management practice, such as unclear and outdated process documentation and incorrect assumptions. IA reinforces the importance of good business process optimization practices, such as removing waste and inefficiencies in a thoughtful way, choosing the most appropriate automation solution, and configuring the process in the right way to maximize the solution's value.

    Benefits & Risks

    Benefits

    • Documentation
    • Hands-Off
    • Reusability

    All business processes must be mapped and documented to be automated, including business rules, data entities, applications, and control points.

    IA can be configured and orchestrated to automatically execute when certain business, process, or technology conditions are met in an unattended or attended manner.

    IA is applicable in use cases beyond traditional business processes, such as automated testing, quality control, audit, website scraping, integration platform, customer service, and data transfer.

    Risks

    • Data Quality & Bias
    • Ethics
    • Recovery & Security
    • Management

    The accuracy and relevance of the decisions IA makes are dependent on the overall quality of the data
    used to train it.

    Some decisions can have significant reputational, moral, and ethical impacts if made incorrectly.
    The question is whether it is appropriate for a non-human to make that decision.

    IA is composed of technologies that can be compromised or fail. Without the proper monitoring, controls,
    and recovery protocols, impacted IA will generate significant business and IT costs and can potentially harm customers, employees, and the organization.

    Low- and no-code capabilities ease and streamline IA development, which makes it susceptible to becoming unmanageable. Discipline is needed to ensure IA owners are aware of the size and health of the IA portfolio.

    Address your pressure points to fully realize the benefits of this priority

    Success can be dependent on your ability to address your pressure points.

    Attracting and Retaining Talent

    Be transparent and support role changes.

    Plan to address the human sentiment with automation (e.g. job security) and the transition of the role to other activities.

    Maximizing the Return on Technology

    Automate applications across multiple business functions.

    Recognize the value opportunities of improving and automating the integration of cross-functional processes.

    Confidently Shifting to Digital

    Maximize the learning of automation fit.

    Select the right capabilities to demonstrate the value of IA while using lessons learned to establish the appropriate support.

    Addressing Competing Priorities

    Recognize automation opportunities with capability maps.

    Use a capability diagram to align strategic IA objectives with tactical and technical IA initiatives.

    Fostering a Collaborative Culture

    Involve the user in the delivery process.

    Maximize automation adoption by ensuring the user finds value in its use before deployment.

    Creating High-Throughput Teams

    Remove manual, error-prone, and mundane tasks.

    Look for ways to improve team throughput by removing wasteful activities, enforcing quality, and automating away tasks driving down productivity.

    Recommendations

    Build your business process automation playbook and practice

    Formalize your business process automation practice with a good toolkit and a repeatable set of tactics and techniques.

    • Clarify the problem being solved with IA.
    • Optimate your processes. Apply good practices to first optimize (opti-) and then automate (-mate) key business processes.
    • Deliver minimum viable automations (MVAs). Maximize the learning of automation solutions and business operational changes through small, strategic automation use cases.

    Related Research:

    Explore the various IA tooling options

    Each IA tool will address a different problem. Which tool to choose is dependent on a variety of factors, such as functional suitability, technology suitability, delivery and support capabilities, alignment to strategic business goals, and the value it is designed to deliver.

    Related Research:

    Recommendations

    Introduce AI and ML thoughtfully and with a plan

    Despite the many promises of AI, organizations are struggling to fully realize its potential. The reasons boil down to a lack of understanding of when these technologies should and shouldn't be used, as well as a fear of the unknown. The plan to adopt AI should include:

    • Understanding of what AI really means in practice.
    • Identifying specific applications of AI in the business.
    • Understanding the type of AI applicable for the situation.

    Related Research:

    Mitigate AI and ML bias

    Biases can be introduced into an IA system at any stage of the development process, from the data you collect, to the way you collect it, to which algorithms are used and what assumptions were made. In most cases, AI and ML bias is a is a social, political, and business problem.

    While bias may not be intentional nor completely prevented or eliminated, early detection, good design, and other proactive preventative steps can be taken to minimize its scope and impact.

    Related Research:

    CASE STUDY
    University Hospitals

    Challenge

    University Hospitals Cleveland (UH) faces the same challenge that every major hospital confronts regarding how to deliver increasingly complex, high-quality healthcare to a diverse population efficiently and economically. In 2017, UH embarked on a value improvement program aiming to improve quality while saving $400 million over a five-year period.

    In emergency department (ED) and inpatient units, leaders found anticipating demand difficult, and consequently units were often over-staffed when demand was low and under-staffed when demand was high. Hospital leaders were uncertain about how to reallocate resources based on capacity needs.

    Solution

    UH turned to Hospital IQ's Census Solution to proactively manage capacity, staff, and flow in the ED and inpatient areas.

    By applying AI, ML, and external data (e.g. weather forecasts) to the hospital's own data (including EMR data and hospital policies), the solution helped UH make two-day census forecasts that managers used to determine whether to open or close in-patient beds and, when necessary, divert low-acuity patients to other hospitals in the system to handle predicted patient volume.

    Source: University Hospitals

    Results

    ED boarding hours have declined by 10% and the hospital has seen a 50% reduction in the number of patients who leave the hospital without
    being seen.

    UH also predicts in advance patients ready for discharge and identifies roadblocks, reducing the average length of stay by 15%. UH is able to better manage staff, reducing overtime and cutting overall labor costs.

    The hospital has also increased staff satisfaction and improved patient safety by closing specific units on weekends and increasing the number of rooms that can be sterilized.

    Proactive Application Management

    PRIORITY 3

    • Strengthen Applications to Prevent and Minimize the Impact of Future Issues

    Application management is often viewed as a support function rather than an enabler of business growth. Focus and investments are only placed on application management when it becomes a problem. The lack of governance and practice accountability leaves this practice in a chaotic state: politics take over, resources are not strategically allocated, and customers are frustrated. As a result, application management is often reactive and brushed aside for new development.

    Introduction

    What is application management?

    Application management ensures valuable software is successfully delivered and is maintained for continuous and sustainable business operations. It contains a repeatable set of activities needed to rationalize and roadmap products and services while balancing priorities of new features and maintenance tasks.

    Unfortunately, application management is commonly perceived as a practice that solely addresses issues, updates, and incidents. However, application management teams are also tasked with new value delivery that was not part of the original release.

    Why is an effective application maintenance (reactive) practice not good enough?

    Application maintenance is the "process of modifying a software system or its components after delivery to correct faults, improve performance or other attributes, or adapt to a changed environment or business process," (IEEE, 1998). While it is critical to quickly fix defects and issues when they occur, reactively addressing them is more expensive than discovering them early and employing the practices to prevent them.

    Even if an application is working well, its framework, architecture, and technology may not be compatible with the possible upcoming changes stakeholders and vendors may want to undertake. Applications may not be problems now, but they soon can be.

    What motivates proactive application changes?

    This image shows the motivations for proactive application changes, sorted by external and internal sources.

    Proactive application management must be disciplined and applied strategically

    Proactive application management practices are critical to maintaining business continuity. They require continuous review and modification so that applications are resilient and can address current and future scenarios. Depending on the value of the application, its criticality to business operations, and its susceptibility to technology change, a more proactive management approach may be warranted. Stakeholders can then better manage resources and budget according to the needs of specific products.

    Reactive Management

    Run-to-Failure

    Fix and enhance the product when it breaks. In most cases, a plan is in place ahead of a failure, so that the problem can be addressed without significant disruption and costs.

    Preventive

    Regularly inspect and optimize the product to reduce the likelihood that it will fail in the future. Schedule inspections based on a specific timeframe or usage threshold.

    Predictive

    Predict failures before they happen using performance and usage data to alert teams when products are at risk of failure according to specified conditions.

    Reliability and Risk Based

    Analyze all possible failure scenarios for each component of the product and create tailored delivery plans to improve the stability, reliability, and value of each product.

    Proactive Management

    Signals

    Applications begin to degrade as soon as they are used

    Today's applications are tomorrow's shelfware. They gradually lose their value, stability, robustness, and compatibility with other enterprise technologies. The longer these applications are left unattended or simply "keeping the lights on," the more risks they will bring to the application portfolio, such as:

    • Discovery and exploitation of security flaws and gaps.
    • Increasing the lock-in to specific vendor technologies.
    • Inconsistent application performance across various workloads.

    These impacts are further compounded by the continuous work done on a system burdened with technical debt. Technical debt describes the result of avoided costs that, over time, cause ongoing business impacts. Left unaddressed, technical debt can become an existential threat that risks your organization's ability to effectively compete and serve its customers. Unfortunately, most organizations have a significant, growing, unmanageable technical debt portfolio.

    A circle graph is shown with 60% of the circle coloured in dark green, with the number 60% in the centre.

    of respondents stated they saw an increase in perceived change in technical debt during the past three years. A quarter of respondents indicated that it stayed the same.

    Source: McKinsey Digital, 2020.

    US
    $4.35
    Million

    is the average cost of a data breach in 2022. This figure represents a 2.6% increase from last year. The average cost has climbed 12.7% since 2020.

    Source: IBM, 2022; N=537.

    Drivers

    Technical debt

    Historical decisions to meet business demands by deferring key quality, architectural, or other software delivery activities often lead to inefficient and incomplete code, fragile legacy systems, broken processes, data quality problems, and the other contributors to technical debt. The impacts for this challenge is further heightened if organizations are not actively refactoring and updating their applications behind the scenes. Proactive application management is intended to raise awareness of application fragility and prioritize comprehensive refactoring activities alongside new feature development.

    Long-term application value

    Applications are designed, developed, and tested against a specific set of parameters which may become less relevant over time as the business matures, technology changes, and user behaviors and interactions shift. Continuous monitoring of the application system, regular stakeholder and user feedback, and active technology trend research and vendor engagement will reveal tasks to prepare an application for future value opportunities or stability and resilience concerns.

    Security and resiliency

    Innovative approaches to infiltrating and compromising applications are becoming prevailing stakeholder concerns. The loopholes and gaps in existing application security protocols, control points, and end-user training are exploited to gain the trust of unsuspecting users and systems. Proactive application management enforces continuous security reviews to determine whether applications are at risk. The goal is to prevent an incident from happening by hardening or complementing measures already in place.

    Benefits & Risks

    Benefits

    • Consistent Performance
    • Robustness
    • Operating Costs

    Users expect the same level of performance and experience from their applications in all scenarios. A proactive approach ensures the configurations meet the current needs of users and dependent technologies.

    Proactively managed applications are resilient to the latest security concerns and upcoming trends.

    Continuous improvements to the underlying architecture, codebase, and interfaces can minimize the cost to maintain and operate the application, such as the transition to a loosely coupled architecture and the standardization of REST APIs.

    Risks

    • Stakeholder Buy-In
    • Delayed Feature Releases
    • Team Capacity
    • Discipline

    Stakeholders may not see the association between the application's value and its technical quality.

    Updates and enhancements are system changes much like any application function. Depending
    on the priority of these changes, new functions may be pushed off to a future release cycle.

    Applications teams require dedicated capacity to proactively manage applications, but they are often occupied meeting other stakeholder demands.

    Overinvesting in certain application management activities (such as refactoring, re-architecture, and redesign) can create more challenges. Knowing how much to do is important.

    Address your pressure points to fully realize the benefits of this priority

    Success can be dependent on your ability to address your pressure points.

    Attracting and Retaining Talent

    Shift focus from maintenance to innovation.

    Work on the most pressing and critical requests first, with a prioritization framework reflecting cross-functional priorities.

    Maximizing the Return on Technology

    Improve the reliability of mission-critical applications.

    Regularly verify and validate applications are up to date with the latest patches and fixes and comply with industry good practices and regulations.

    Confidently Shifting to Digital

    Prepare applications to support digital tools and technologies.

    Focus enhancements on the key components required to support the integration, performance, and security needs of digital.

    Addressing Competing Priorities

    Rationalize the health of the applications.

    Use data-driven, compelling insights to justify the direction and prioritization of applications initiatives.

    Fostering a Collaborative Culture

    Include the technical perspective in the viability of future applications plans.

    Demonstrate how poorly maintained applications impede the team's ability to deliver confidently and quickly.

    Creating High-Throughput Teams

    Simplify applications to ease delivery and maintenance.

    Refactor away application complexities and align the application portfolio to a common quality standard to reduce the effort to deliver and test changes.

    Recommendations

    Reinforce your application maintenance practice

    Maintenance is often viewed as a support function rather than an enabler of business growth. Focus and investments are only placed on maintenance when it becomes a problem.

    • Justify the necessity of streamlined maintenance.
    • Strengthen triaging and prioritization practices.
    • Establish and govern a repeatable process.

    Ensure product issues, incidents, defects, and change requests are promptly handled to minimize business and IT risks.

    Related Research:

    Build an application management practice

    Apply the appropriate management approaches to maintain business continuity and balance priorities and commitments among maintenance and new development requests.

    This practice serves as the foundation for creating exceptional customer experience by emphasizing cross-functional accountability for business value and product and service quality.

    Related Research:

    Recommendations

    Manage your technical debt

    Technical debt is a type of technical risk, which in turn is business risk. It's up to the business to decide whether to accept technical debt or mitigate it. Create a compelling argument to stakeholders as to why technical debt should be a business priority rather than just an IT one.

    • Define and identify your technical debt.
    • Conduct a business impact analysis.
    • Identify opportunities to better manage technical debt.

    Related Research:

    Gauge your application's health

    Application portfolio management is nearly impossible to perform without an honest and thorough understanding of your portfolio's alignment to business capabilities, business value, total cost of ownership, end-user reception and satisfaction, and technical health.

    Develop data-driven insights to help you decide which applications to retire, upgrade, retrain on, or maintain to meet the demands of the business.

    Related Research:

    Recommendations

    Adopt site reliability engineering (SRE) and DevOps practices

    Site reliability engineering (SRE) is an operational model for running online services more reliably by a team of dedicated reliability-focused engineers.

    DevOps, an operational philosophy promoting development and operations collaboration, can bring the critical insights to make application management practices through SRE more valuable.

    Related Research:

    CASE STUDY
    Government Agency

    Goal

    A government agency needed to implement a disciplined, sustainable application delivery, planning, and management process so their product delivery team could deliver features and changes faster with higher quality. The goal was to ensure change requests, fixes, and new features would relieve requester frustrations, reduce regression issues, and allow work to be done on agreeable and achievable priorities organization-wide. The new model needed to increase practice efficiency and visibility in order to better manage technical debt and focus on value-added solutions.

    Solution

    This organization recognized a number of key challenges that were inhibiting its team's ability to meet its goals:

    • The product backlog had become too long and unmanageable.
    • Delivery resources were not properly allocated to meet the skills and capabilities needed to successfully meet commitments.
    • Quality wasn't defined or enforced, which generated mounting technical debt.
    • There was a lack of clear metrics and defined roles and responsibilities.
    • The business had unrealistic and unachievable expectations.

    Source: Info-Tech Workshop

    Key practices implemented

    • Schedule quarterly business satisfaction surveys.
    • Structure and facilitate regular change advisory board meetings.
    • Define and enforce product quality standards.
    • Standardize a streamlined process with defined roles.
    • Configure management tools to better handle requests.

    Multisource Systems

    PRIORITY 4

    • Manage an Ecosystem Composed of In-House and Outsourced Systems

    Various market and company factors are motivating a review on resource and system sourcing strategies. The right sourcing model provides key skills, resources, and capabilities to meet innovation, time to market, financial, and quality goals of the business. However, organizations struggle with how best to support sourcing partners and to allocate the right number of resources to maximize success.

    Introduction

    A multisource system is an ecosystem of integrated internally and externally developed applications, data, and infrastructure. These technologies can be custom developed, heavily configured vendor solutions, or they may be commercial off-the-shelf (COTS) solutions. These systems can also be developed, supported, and managed by internal staff, in partnership with outsourced contractors, or be completely outsourced. Multisource systems should be configured and orchestrated in a way that maximizes the delivery of specific value drivers for the targeted audience.

    Successfully selecting a sourcing approach is not a simple RFP exercise to choose the lowest cost

    Defining and executing a sourcing approach can be a significant investment and risk because of the close interactions third-party services and partners will have with internal staff, enterprise applications and business capabilities. A careful selection and design is necessary.

    The selection of a sourcing partner is not simple. It involves the detailed inspection and examination of different candidates and matching their fit to the broader vision of the multisource system. In cases where control is critical, technology stack and resource sourcing consolidation to a few vendors and partners is preferred. In other cases, where worker productivity and system flexibility are highly prioritized, a plug-and-play best-of-breed approach is preferred.

    Typical factors involved in sourcing decisions.

    Sourcing needs to be driven by your department and system strategies

    How does the department want to be perceived?

    The image that your applications department and teams want to reflect is frequently dependent on the applications they deliver and support, the resources they are composed of, and the capabilities they provide.

    Therefore, choosing the right sourcing approach should be driven by understanding who the teams are and want to be (e.g. internal builder, an integrator, a plug-in player), what they can or want to do (e.g. custom-develop or implement), and what they can deliver or support (e.g. cloud or on-premises) must be established.

    What value is the system delivering?

    Well-integrated systems are the lifeblood of your organization. They provide the capabilities needed to deliver value to customers, employees, and stakeholders. However, underlying system components may not be sourced under a unified strategy, which can lead to duplicate vendor services and high operational costs.

    The right sourcing approach ensures your partners address key capabilities in your system's delivery and support, and that they are positioned to maximize the value of critical and high-impact components.

    Signals

    Business demand may outpace what vendors can support or offer

    Outsourcing and shifting to a buy-over-build applications strategy are common quick fixes to dealing with capacity and skills gaps. However, these quick fixes often become long-term implementations that are not accounted for in the sourcing selection process. Current application and resource sourcing strategies must be reviewed to ensure that vendor arrangements meet the current and upcoming demands and challenges of the business, customers, and enterprise technologies, such as:

    • Pressure from stakeholders to lower operating costs while maintaining or increasing quality and throughput.
    • Technology lock-in that addresses short-term needs but inhibits long-term growth and maturity.
    • Team capacity and talent acquisition not meeting the needs of the business.
    A circle graph is shown with 42% of the circle coloured in dark brown, with the number 42% in the centre.

    of respondents stated they outsourced software development fully or partly in the last 12 months (2021).

    Source: Coding Sans, 2021.

    A circle graph is shown with 65% of the circle coloured in dark brown, with the number 65% in the centre.

    of respondents stated they were at least somewhat satisfied with the result of outsourcing software development.

    Source: Coding Sans, 2021.

    Drivers

    Business-managed applications

    Employees are implementing and building applications without consulting, notifying, or heeding the advice of IT. IT is often ill-equipped and under-resourced to fight against shadow IT. Instead, organizations are shifting the mindset of "fight shadow IT" to "embrace business-managed applications," using good practices in managing multisource systems. A multisource approach strikes the right balance between user empowerment and centralized control with the solutions and architecture that can best enable it.

    Unique problems to solve

    Point solutions offer features to address unique use cases in uncommon technology environments. However, point solutions are often deployed in siloes with limited integration or overlap with other solutions. The right sourcing strategy accommodates the fragmented nature of point solutions into a broader enterprise system strategy, whether that be:

    • Multisource best of breed – integrate various technologies that provide subsets of the features needed for supporting business functions.
    • Multisource custom – integrate systems built in-house with technologies developed by external organizations.
    • Vendor add-ons and integrations – enhance an existing vendor's offering by using their system add-ons as upgrades, new add-ons, or integrations.

    Vendor services

    Some vendor services in a multisource environment may be redundant, conflicting, or incompatible. Given that multisource systems are regularly changing, it is difficult to identify what services are affected, what would be needed to fill the gap of the removed solution, or which redundant services should be removed.

    A multisource approach motivates the continuous rationalization of your vendor services and partners to determine the right mixture of in-house and outsourced resources, capabilities, and technologies.

    Benefits & Risks

    Benefits

    • Business-Focused Solution
    • Flexibility
    • Cost Optimization

    Multisource systems can be designed to support an employee's ability to select the tools they want and need.

    The environment is architected in a loosely coupled approach to allow applications to be easily added, removed, and modified with minimized impact to other integrated applications.

    Rather than investing in large solutions upfront, applications are adopted when they are needed and are removed when little value is gained. Disciplined application portfolio management is necessary to see the full value of this benefit.

    Risks

    • Manageable Sprawl
    • Policy Adherence
    • Integration & Compatibility

    The increased number and diversity of applications in multisource system environments can overwhelm system managers who do not have an effective application portfolio management practice.

    Fragmented application implementations risk inconsistent adherence to security and other quality policies, especially in situations where IT is not involved.

    Application integration can quickly become tangled, untraceable, and unmanageable because of varying team and vendor preferences for specific integration technologies and techniques.

    Address your pressure points to fully realize the benefits of this priority

    Success can be dependent on your ability to address your pressure points.

    Attracting and Retaining Talent

    Enable business-managed applications.

    Create the integrations to enable the easy connection of desired tools to enterprise systems with the appropriate guardrails.

    Maximizing the Return on Technology

    Enhance the functionality of existing applications.

    Complement current application capability gaps with data, features, and services from third-party applications.

    Confidently Shifting to Digital

    Use best-of-breed tools to meet specific digital needs.

    Select the best tools to meet the unique and special functional needs of the digital vision.

    Addressing Competing Priorities

    Agree on a common philosophy on system composition.

    Establish an owner of the multisource system to guide how the system should mature as the organization grows.

    Fostering a Collaborative Culture

    Discuss how applications can work together better in an ecosystem.

    Build committees to discuss how applications can better support each other and drive more value.

    Creating High-Throughput Teams

    Alleviate delivery bottlenecks and issues.

    Leverage third-party sources to fill skills and capacity gaps until a long-term solution can be implemented.

    Recommendations

    Define the goals of your applications department and product vision

    Understanding the applications team's purpose and image is critical in determining how the system they are managing and the skills and capacities they need should be sourced.

    Changing and conflicting definitions of value and goals make it challenging to convey an agreeable strategy of the multisource system. An achievable vision and practical tactics ensure all parties in the multisource system are moving in the same direction.

    Related Research:

    Develop a sourcing partner strategy

    Almost half of all sourcing initiatives do not realize projected savings, and the biggest reason is the choice of partner (Zhang et al., 2018). Making the wrong choice means inferior products, higher costs and the loss of both clients and reputation.

    Choosing the right sourcing partner involves understanding current skills and capacities, finding the right matching partner based on a desired profile, and managing a good working relationship that sees short-term gains and supports long-term goals.

    Related Research:

    Recommendations

    Strengthen enterprise integration practices

    Integration strategies that are focused solely on technology are likely to complicate rather than simplify because little consideration is given on how other systems and processes will be impacted. Enterprise integration needs to bring together business process, applications, and data – in that order.

    Kick-start the process of identifying opportunities for improvement by mapping how applications and data are coordinated to support business activities.

    Related Research:

    Manage your solution architecture and application portfolio

    Haphazardly implementing and integrating applications can generate significant security, performance, and data risks. A well-thought-through solution architecture is essential in laying the architecture quality principles and roadmap on how the multisource system can grow and evolve in a sustainable and maintainable way.

    Good application portfolio management complements the solution architecture as it indicates when low-value and unused applications should be removed to reduce system complexity.

    Related Research:

    Recommendations

    Embrace business-managed applications

    Multisource systems bring a unique opportunity to support the business and end users' desire to implement and develop their own applications. However, traditional models of managing applications may not accommodate the specific IT governance and management practices required to operate business-managed applications:

    • A collaborative and trusting business-IT relationship is key.
    • The role of IT must be reimagined.
    • Business must be accountable for its decisions.

    Related Research:

    CASE STUDY
    Cognizant

    Situation

    • Strives to be primarily an industry-aligned organization that delivers multiple service lines in multiple geographies.
    • Cognizant seeks to carefully consider client culture to create a one-team environment.
    • Value proposition is a consultative approach bringing thought leadership and mutually adding value to the relationship vs. the more traditional order-taker development partner.
    • Wants to share in solution development to facilitate shared successes. Geographic alignment drives knowledge of the client and their challenges, not just about time zone and supportability.
    • Offers one of the largest offshore capabilities in the world, supported by local and nearshore resources to drive local knowledge.
    • Today's clients don't typically want a black box, they are sophisticated and want transparency around the process and solution, to have a partner.
    • Clients do want to know where the work is being delivered from, how it's being done.

    Source: interview with Jay MacIsaac, Cognizant.

    Approach

    • Best relationship comes where teams operate as one.
    • Clients are seeking value, not a development black box.
    • Clients want to have a partner they can engage with, not just an order taker.
    • Want to build a one-team culture with shared goals and deliver business value.
    • Seek a partner that will add to their thinking not echo it.

    Results

    • Cognizant is continuing to deliver double-digit growth and continues to strive for top quartile performance.
    • Growth in the client base has seen the company grow to over 340,000 associates worldwide.

    Digital Organization as a Platform

    PRIORITY 5

    • Create a Common Digital Interface to Access All Products and Services

    A digital platform enables organizations to leverage a flexible, reliable, and scalable foundation to create a valuable DX, ease delivery and management efforts, maximize existing investments, and motivate the broader shift to digital. This approach provides a standard to architect, integrate, configure, and modernize the applications that compose the platform.

    Introduction

    What is digital organization as a platform (DOaaP)?

    Digital organization as a platform (DOaaP) is a collection of integrated digital services, products, applications, and infrastructure that is used as a vehicle to meet and exceed an organization's digital strategies. It often serves as an accessible "place for exchanges of information, goods, or services to occur between producers and consumers as well as the community that interacts
    with said platform" (Watts, 2020).

    DOaaP involves a strategy that paves the way for organizations to be digital. It helps organizations use their assets (e.g. data, processes, products, services) in the most effective ways and become more open to cooperative delivery, usage, and management. This opens opportunities for innovation and cross-department collaborations.

    How is DOaaP described?

    1. Open and Collaborative
      • Open organization: open data, open APIs, transparency, and user participation.
      • Collaboration, co-creation, crowdsourcing, and innovation
    2. Accessible and Connected
      • Digital inclusion
      • Channel ubiquity
      • Integrity and interoperability
      • Digital marketplace
    3. Digital and Programmable
      • Digital identity
      • Policies and processes as code
      • Digital products and services
      • Enabling digital platforms

    Digital organizations follow a common set of principles and practices

    Customer-centricity

    Digital organizations are driven by customer focus, meeting and exceeding customer expectations. It must design its services with a "digital first" principle, providing access through every expected channel and including seamless integration and interoperability with various departments, partners, and third-party services. It also means creating trust in its ability to provide secure services and to keep privacy and ethics as core pillars.

    Leadership, management, and strategies

    Digital leadership brings customer focus to the enterprise and its structures and organizes efficient networks and ecosystems. Accomplishing this means getting rid of silos and a siloed mentality and aligning on a digital vision to design policies and services that are efficient, cost-effective, and provide maximum benefit to the user. Asset sharing, co-creation, and being open and transparent become cornerstones of a digital organization.

    Infrastructure

    Providing digital services across demographics and geographies requires infrastructure, and that in turn requires long-term vision, smart investments, and partnerships with various source partners to create the necessary foundational infrastructure upon which to build digital services.

    Digitization and automation

    Automation and digitization of processes and services, as well as creating digital-first products, lead to increased efficiency and reach of the organization across demographics and geographies. Moreover, by taking a digital-first approach, digital organizations future-proof their services and demonstrate their commitment to stakeholders.

    Enabling platforms

    DOaaP embraces open standards, designing and developing organizational platforms and ecosystems with a cloud-first mindset and sound API strategies. Developer experience must also take center stage, providing the necessary tools and embracing Agile and DevOps practices and culture become prerequisites. Cybersecurity and privacy are central to the digital platform; hence they must be part of the design and development principles and practices.

    Signals

    The business expects support for digital products and services

    Digital transformation continues to be a high-priority initiative for many organizations, and they see DOaaP as an effective way to enable and exploit digital capabilities. However, DOaaP unleashes new strategies, opportunities, and challenges that are elusive or unfamiliar to business leaders. Barriers in current business operating models may limit DOaaP success, such as:

    • Department and functional silos
    • Dispersed, fragmented and poor-quality data
    • Ill-equipped and under-skilled resources to support DOaaP adoption
    • System fragmentation and redundancies
    • Inconsistent integration tactics employed across systems
    • Disjointed user experience leading to low engagement and adoption

    DOaaP is not just about technology, and it is not the sole responsibility of either IT or business. It is the collective responsibility of the organization.

    A circle graph is shown with 47% of the circle coloured in dark blue, with the number 47% in the centre.

    of organizations plan to unlock new value through digital. 50% of organizations are planning major transformation over the next three years.

    Source: Nash Squared, 2022.

    A circle graph is shown with 70% of the circle coloured in dark blue, with the number 70% in the centre.

    of organizations are undertaking digital expansion projects focused on scaling their business with technology. This result is up from 57% in 2021.

    Source: F5 Inc, 2022.

    Drivers

    Unified brand and experience

    Users should have the same experience and perception of a brand no matter what product or service they use. However, fragmented implementation of digital technologies and inconsistent application of design standards makes it difficult to meet this expectation. DOaaP embraces a single design and DX standard for all digital products and services, which creates a consistent perception of your organization's brand and reputation irrespective of what products and services are being used and how they are accessed.

    Accessibility

    Rapid advancement of end-user devices and changes to end-user behaviors and expectations often outpace an organization's ability to meet these requirements. This can make certain organization products and services difficult to find, access and leverage. DOaaP creates an intuitive and searchable interface to all products and services and enables the strategic combination of technologies to collectively deliver more value.

    Justification for modernization

    Many opportunities are left off the table when legacy systems are abstracted away rather than modernized. However, legacy systems may not justify the investment in modernization because their individual value is outweighed by the cost. A DOaaP initiative motivates decision makers to look at the entire system (i.e. modern and legacy) to determine which components need to be brought up to a minimum digital state. The conversation has now changed. Legacy systems should be modernized to increase the collective benefit of the entire DOaaP.

    Benefits & Risks

    Benefits

    • Look & Feel
    • User Adoption
    • Shift to Digital

    A single, modern, customizable interface enables a common look and feel no matter what and how the platform is being accessed.

    Organizations can motivate and encourage the adoption and use of all products and services through the platform and increase the adoption of underused technologies.

    DOaaP motivates and supports the modernization of data, processes, and systems to meet the goals and objectives outlined in the broader digital transformation strategy.

    Risks

    • Data Quality
    • System Stability
    • Ability to Modernize
    • Business Model Change

    Each system may have a different definition of commonly used entities (e.g. customer), which can cause data quality issues when information is shared among these systems.

    DOaaP can stress the performance of underlying systems due to the limitations of some systems to handle increased traffic.

    Some systems cannot be modernized due to cost constraints, business continuity risks, vendor lock-in, legacy and lore, or other blocking factors.

    Limited appetite to make the necessary changes to business operations in order to maximize the value of DOaaP technologies.

    Address your pressure points to fully realize the benefits of this priority

    Success can be dependent on your ability to address your pressure points.

    Attracting and Retaining Talent Promote and showcase achievements and successes. Share the valuable and innovative work of your teams across the organization and with the public.
    Maximizing the Return on Technology Increase visibility of underused applications. Promote the adoption and use of all products and services through the platform and use the lessons learned to justify removal, updates or modernizations.
    Confidently Shifting to Digital Bring all applications up to a common digital standard. Define the baseline digital state all applications, data, and processes must be in to maximize the value of the platform.
    Addressing Competing Priorities Map to a holistic platform vision, goals and objectives. Work with relevant stakeholders, teams and end users to agree on a common directive considering all impacted perspectives.
    Fostering a Collaborative Culture Ensure the platform is configured to meet the individual needs of the users. Tailor the interface and capabilities of the platform to address users' functional and personal concerns.
    Creating High-Throughput Teams Abstract the enterprise system to expedite delivery. Use the platform to standardize application system access to simplify platform changes and quicken development and testing.

    Recommendations

    Define your platform vision

    Organizations realize that a digital model is the way to provide more effective services to their customers and end users in a cost-effective, innovative, and engaging fashion. DOaaP is a way to help support this transition.

    However, various platform stakeholders will have different interpretations of and preferences for what this platform is intended to solve, what benefits it is supposed to deliver, and what capabilities it will deliver. A grounded vision is imperative to steer the roadmap and initiatives.

    Related Research:

    Assess and modernize your applications

    Certain applications may not sufficiently support the compatibility, flexibility, and efficiency requirements of DOaaP. While workaround technologies and tactics can be employed to overcome these application challenges, the full value of the DOaaP may not be realized.

    Reviewing the current state of the application portfolio will indicate the functional and value limitations of what DOaaP can provide and an indication of the scope of investment needed to bring applications up to a minimum state.

    Related Research:

    Recommendations

    Understand and evaluate end-user needs

    Technology has reached a point where it's no longer difficult for teams to build functional and valuable digital platforms. Rather, the difficulty lies in creating an interface and platform that people want to use and use frequently.

    While it is important to increase the access and promotion of all products and services, orchestrating and configuring them in a way to deliver a satisfying experience is even more important. Applications teams must first learn about and empathize with the needs of end users.

    Related Research:

    Architect your platform

    Formalizing and constructing DOaaP just for the sake of doing so often results in an initiative that is lengthy and costly and ends up being considered a failure.

    The build and optimization of the platform must be predicated on a thorough understanding of the DOaaP's goals, objectives, and priorities and the business capabilities and process they are meant to support and enable. The appropriate architecture and delivery practices can then be defined and employed.

    Related Research:

    CASE STUDY
    e-Estonia

    Situation

    The digital strategy of Estonia resulted in e-Estonia, with the vision of "creating a society with more transparency, trust, and efficiency." Estonia has addressed the challenge by creating structures, organizations, and a culture of innovation, and then using the speed and efficiency of digital infrastructure, apps, and services. This strategy can reduce or eliminate bureaucracy through transparency and automation.

    Estonia embarked on its journey to making digital a priority in 1994-1996, focusing on a committed investment in infrastructure and digital literacy. With that infrastructure in place, they started providing digital services like an e-banking service (1996), e-tax and mobile parking (2002), and then went full steam ahead with a digital information interoperability platform in 2001, digital identity in 2002, e-health in 2008, and e-prescription in 2010. The government is now strategizing for AI.

    Results

    This image contains the results of the e-Estonia case study results

    Source: e-Estonia

    Practices employed

    The e-Estonia digital government model serves as a reference for governments across the world; this is acknowledged by the various awards it has received, like #2 in "internet freedom," awarded by Freedom House in 2019; #1 on the "digital health index," awarded by the Bertelsmann Foundation in 2019; and #1 on "start-up friendliness," awarded by Index Venture in 2018.

    References

    "15th State of Agile Report." Digital.ai, 2021. Web.
    "2022 HR Trends Report." McLean & Company, 2022.
    "2022: State of Application Strategy Report." F5 Inc, 2022.
    "Are Executives Wearing Rose-Colored Glasses Around Digital Transformation?" Cyara, 2021. Web.
    "Cost of a Data Breach Report 2022." IBM, 2022. Web.
    Dalal, Vishal, et al. "Tech Debt: Reclaiming Tech Equity." McKinsey Digital, Oct. 2020. Web.
    "Differentiating Between Intelligent Automation and Hyperautomation." IBM, 15 October 2021. Web.
    "Digital Leadership Report 2021." Harvey Nash Group, 2021.
    "Digital Leadership Report 2022: The State of Digital." Nash Squared, 2022. Web.
    Gupta, Sunil. "Driving Digital Strategy: A Guide to Reimagining Your Business." Harvard Business Review Press, 2018. Web.
    Haff, Gordon. "State of Application Modernization Report 2022." Konveyor, 2022. Web.
    "IEEE Standard for Software Maintenance: IEEE Std 1219-1998." IEEE Standard for Software Maintenance, 1998. Accessed Dec. 2015.
    "Intelligent Automation." Cognizant, n.d. Web.
    "Kofax 2022: Intelligent Automation Benchmark Study". Kofax, 2021. Web.
    McCann, Leah. "Barco's Virtual Classroom at UCL: A Case Study for the Future of All University Classrooms?" rAVe, 2 July 2020, Web.
    "Proactive Staffing and Patient Prioritization to Decompress ED and Reduce Length of Stay." University Hospitals, 2018. Web.
    "Secrets of Successful Modernization." looksoftware, 2013. Web.
    "State of Software Development." Coding Sans, 2021. Web.
    "The State of Low-Code/No-Code." Creatio, 2021. Web.
    "We Have Built a Digital Society and We Can Show You How." e-Estonia. n.d. Web.
    Zanna. "The 5 Types of Experience Series (1): Brand Experience Is Your Compass." Accelerate in Experience, 9 February 2020. Web.
    Zhang, Y. et al. "Effects of Risks on the Performance of Business Process Outsourcing Projects: The Moderating Roles of Knowledge Management Capabilities." International Journal of Project Management, 2018, vol. 36 no. 4, 627-639.

    Research Contributors and Experts

    This is a picture of Chris Harrington

    Chris Harrington
    Chief Technology Officer
    Carolinas Telco Federal Credit Union

    Chris Harrington is Chief Technology Officer (CTO) of Carolinas Telco Federal Credit Union. Harrington is a proven leader with over 20 years of experience developing and leading information technology and cybersecurity strategies and teams in the financial industry space.

    This is a picture of Benjamin Palacio

    Benjamin Palacio
    Senior Information Technology Analyst County of Placer

    Benjamin Palacio has been working in the application development space since 2007 with a strong focus on system integrations. He has seamlessly integrated applications data across multiple states into a single reporting solution for management teams to evaluate, and he has codeveloped applications to manage billions in federal funding. He is also a CSAC-credentialed IT Executive (CA, USA).

    This is a picture of Scott Rutherford

    Scott Rutherford
    Executive Vice President, Technology
    LGM Financial Services Inc.

    Scott heads the Technology division of LGM Financial Services Inc., a leading provider of warranty and financing products to automotive OEMs and dealerships in Canada. His responsibilities include strategy and execution of data and analytics, applications, and technology operations.

    This is a picture of Robert Willatts

    Robert Willatts
    IT Manager, Enterprise Business Solutions and Project Services
    Town of Newmarket

    Robert is passionate about technology, innovation, and Smart City Initiatives. He makes customer satisfaction as the top priority in every one of his responsibilities and accountabilities as an IT manager, such as developing business applications, implementing and maintaining enterprise applications, and implementing technical solutions. Robert encourages communication, collaboration, and engagement as he leads and guides IT in the Town of Newmarket.

    This is a picture of Randeep Grewal

    Randeep Grewal
    Vice President, Enterprise Applications
    Red Hat

    Randeep has over 25 years of experience in enterprise applications, advanced analytics, enterprise data management, and consulting services, having worked at numerous blue-chip companies. In his most recent role, he is the Vice President of Enterprise Applications at Red Hat. Reporting to the CIO, he is responsible for Red Hat's core business applications with a focus on enterprise transformation, application architecture, engineering, and operational excellence. He previously led the evolution of Red Hat into a data-led company by maturing the enterprise data and analytics function to include data lake, streaming data, data governance, and operationalization of analytics for decision support.

    Prior to Red Hat, Randeep was the director of global services strategy at Lenovo, where he led the strategy using market data to grow Lenovo's services business by over $400 million in three years. Prior to Lenovo, Randeep was the director of advanced analytics at Alliance One and helped build an enterprise data and analytics function. His earlier work includes seven years at SAS, helping SAS become a leader in business analytics, and at KPMG consulting, where he managed services engagements at Fortune 100 companies.

    Implement Software Asset Management

    • Buy Link or Shortcode: {j2store}313|cart{/j2store}
    • member rating overall impact: 9.3/10 Overall Impact
    • member rating average dollars saved: $107,154 Average $ Saved
    • member rating average days saved: 39 Average Days Saved
    • Parent Category Name: Asset Management
    • Parent Category Link: /asset-management
    • Organizations are aware of the savings that result from implementing software asset management (SAM), but are unsure of where to start the process.
    • Poor data capture procedures and lack of a centralized repository produce an incomplete picture of software assets and licenses, preventing accurate forecasting and license optimization.
    • Audit protocols are ad hoc, resulting in sloppy reporting and time-consuming work and lack of preparedness for external software audits.

    Our Advice

    Critical Insight

    • A strong SAM program will benefit all aspects of the business. Data and reports gained through SAM will enable data-driven decision making for all areas of the business.
    • Don’t just track licenses; manage them to create value from data. Gathering and monitoring license data is just the beginning. What you do with that data is the real test.
    • Win the audit battle without fighting. Conduct internal audits to minimize surprises when external audits are requested.

    Impact and Result

    • Conduct a current state assessment of existing SAM processes to form an appropriate plan for implementing or improving your SAM program.
    • Define standard policies, processes, and procedures for each stage of the software asset lifecycle, from procurement through to retirement.
    • Develop an internal audit policy to mitigate the risk of costly external audits.

    Implement Software Asset Management Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should implement software asset management, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Assess & plan

    Assess current state and plan the scope of the SAM program, team, and budget.

    • Implement Software Asset Management – Phase 1: Assess & Plan
    • SAM Maturity Assessment
    • SAM Standard Operating Procedures
    • SAM Budget Workbook

    2. Procure, receive & deploy

    Define processes for software requests, procurement, receiving, and deployment.

    • Implement Software Asset Management – Phase 2: Procure, Receive & Deploy
    • SAM Process Workflows (Visio)
    • SAM Process Workflows (PDF)

    3. Manage, redeploy & retire

    Define processes for software inventory, maintenance, harvest and redeployment, and retirement.

    • Implement Software Asset Management – Phase 3: Manage, Redeploy & Retire
    • Patch Management Policy

    4. Build supporting processes

    Build processes for audits and plan the implementation.

    • Implement Software Asset Management – Phase 4: Build Supporting Processes & Tools
    • Software Audit Scoping Email Template
    • Software Audit Launch Email Template
    • SAM Communication Plan
    • SAM FAQ Template
    • Software Asset Management Policy
    [infographic]

    Workshop: Implement Software Asset Management

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Assess & Plan

    The Purpose

    Assess current state and plan the scope of the SAM program, team, and budget.

    Key Benefits Achieved

    Current state assessment

    Defined roles and responsibilities

    SAM budget plan

    Activities

    1.1 Outline SAM challenges and objectives.

    1.2 Assess current state.

    1.3 Identify roles and responsibilities for SAM team.

    1.4 Identify metrics and reports.

    1.5 Identify SAM functions to centralize vs. decentralize.

    1.6 Plan SAM budget process.

    Outputs

    Current State Assessment

    RACI Chart

    Defined metrics and reports

    SAM Budget Workbook

    2 Procure, Receive & Deploy

    The Purpose

    Define processes for software requests, procurement, receiving, and deployment.

    Key Benefits Achieved

    Defined standards for software procurement

    Documented processes for software receiving and deployment

    Activities

    2.1 Determine software standards.

    2.2 Define procurement process for new contracts.

    2.3 Define process for contract renewals and additional procurement scenarios.

    2.4 Design process for receiving software.

    2.5 Design deployment workflow.

    2.6 Define process for non-standard software requests.

    Outputs

    Software standards

    Standard Operating Procedures

    SAM Process Workflows

    3 Manage, Redeploy & Retire

    The Purpose

    Define processes for software inventory, maintenance, harvest and redeployment, and retirement.

    Key Benefits Achieved

    Defined process for conducting software inventory

    Maintenance and patch policy

    Documented workflows for software harvest and redeployment as well as retirement

    Activities

    3.1 Define process for conducting software inventory.

    3.2 Define policies for software maintenance and patches.

    3.3 Map software license harvest and reallocation process.

    3.4 Define policy for retiring software.

    Outputs

    Standard Operating Procedures

    Patch management policy

    SAM Process Workflows

    4 Build Supporting Processes & Tools

    The Purpose

    Build processes for audits, identify tool requirements, and plan the implementation.

    Key Benefits Achieved

    Defined process for internal and external audits

    Tool requirements

    Communication and implementation plan

    Activities

    4.1 Define and document the internal audit process.

    4.2 Define and document the external audit process.

    4.3 Document tool requirements.

    4.4 Develop a communication plan.

    4.5 Prepare an FAQ list.

    4.6 Identify SAM policies.

    4.7 Develop a SAM roadmap to plan your implementation.

    Outputs

    Audit response templates

    Tool requirements

    Communication plan

    End-user FAQ list

    Software Asset Management Policy

    Implementation roadmap

    Further reading

    Implement Software Asset Management

    Go beyond tracking licenses to proactively managing software throughout its lifecycle.

    Table of contents

    1. Title
    2. Executive Brief
    3. Execute the Project/DIY Guide
    4. Next Steps
    5. Appendix

    Analyst Perspective

    “Organizations often conflate software asset management (SAM) with license tracking. SAM is not merely knowing how many licenses you require to be in compliance; it’s asking the deeper budgetary questions to right-size your software spend.

    Software audits are a growing concern for businesses, but proactive reporting and decision making supported by quality data will mitigate audit risks. Value is left on the table through underused or poor-quality data, so active data management must be in play. A dedicated ITAM tool can assist with extracting value from your license data.

    Achieving an optimized SAM program is a transformative effort, but the people, processes, and technology need to be in place before that can happen.” (Sandi Conrad, Senior Director, Infrastructure & Operations Practice, Info-Tech Research Group)

    Software license complexity and audit frequency are increasing: are you prepared to manage the risk?

    This Research Is Designed For:

    • CIOs that want to improve IT’s reputation with the business.
    • CIOs that want to eliminate the threat of a software audit.
    • Organizations that want proactive reporting that benefits the entire business.
    • IT managers who want visibility into their software usage.

    This Research Will Help You:

    • Establish a standardized software management process.
    • Track and manage software throughout its lifecycle, from procurement through to retirement or redeployment.
    • Rationalize your software license estate.
    • Improve your negotiations with software vendors.
    • Improve the quality of your SAM data gathering and reporting.

    Executive summary

    Situation

    • Organizations are aware of the savings that result from implementing software asset management (SAM), but are unsure of where to start the process. With no formal standards in place for managing licenses, organizations are constantly at risk for costly software audits and poorly executed software spends.

    Complication

    • Poor data-capture procedures produce an incomplete picture of software lifecycles.
    • No centralized repository exists, resulting in fragmented reporting.
    • Audit protocols are ad hoc, resulting in sloppy reporting and time-consuming work.

    Resolution

    • Conduct a current state assessment of existing SAM processes to form an appropriate plan for implementing or improving your SAM program.
    • Build and involve a SAM team in the process from the beginning to help embed the change.
    • Define standard policies, processes, and procedures for each stage of the software asset lifecycle, from procurement through to retirement. Pace yourself; a staged implementation will make your ITAM program a success.
    • Develop an internal audit program to mitigate the risk of costly audits.
    • Once a standardized SAM program and data are in place, you will be able to use the data to optimize and rationalize your software licenses.

    Info-Tech Insight

    A strong SAM program will benefit all aspects of the business.
    Data and reports gained through SAM will enable data-driven decision making for all areas of the business.

    Don’t just track licenses; manage them to create value from data.
    Gathering and monitoring license data is just the beginning. What you do with that data is the real test.

    Win the audit battle without fighting.
    Conduct internal audits to minimize surprises when external audits are requested.

    Build the business case for SAM on cost and risk avoidance

    You can estimate the return even without tools or data.

    Benefit Calculate the return
    Compliance

    How many audits did you have in the past three years?

    How much time did you spend in audit response?

    Suppose you had two audits each year for the last three years, each with an average $250,000 in settlements.

    A team of four with an average salary of $75,000 each took six months to respond each year, allocating 20% of their work time to the audit.

    You could argue annual audits cost on average $530,000. Increasing ITAM maturity stands to reduce that cost significantly.

    Efficiency

    How much do you spend on software and maintenance by supplier?

    Suppose you spent $1M on software last year. What if you could reduce the spend by just 10% through better practices?

    SAM can help reduce the annual spend by simplifying support, renegotiating contracts based on asset data, reducing redundancy, and reducing spend.

    The Business Benefits of SAM

    • Compliance: Managing audits and meeting legal, contractual, and regulatory obligations.
    • Efficiency: Reducing costs and making the best use of assets while maintaining service.
    • Agility: Anticipate requirements using asset data for business intelligence and analytics.

    Poor software asset management practices increase costs and risks

    Failure to implement SAM can lead to:

    High cost of undiscovered IT assets
    • Needless procurement of software for new hires can be costly.
    Licensing, liability, and legal violations
    • Legal actions and penalties that result from ineffective SAM processes and license incompliance can severely impact an organization’s financial performance and corporate brand image.
    Compromised security
    • Not knowing what assets you have, who is using them and how, can compromise the security of sensitive information.
    Increased management costs
    • Not having up-to-date software license information impacts decision making, with many management teams failing to respond quickly and efficiently to operational demands.
    Increased disruptions
    • Vendors seek out organizations who don’t manage their software assets effectively; it is likely that you could be subject to major operational disruptions as a result of an audit.
    Poor supplier/vendor relationship
    • Most organizations fear communicating with vendors and are anxious about negotiating new licenses.

    54% — A study by 1E found that only 54% of organizations believe they can identify all unused software in their organization.

    28% — On average, 28% of deployed software is unused, with a wasted cost of $224 per PC on unused software (1E, 2014).

    53% — Express Metrix found that 53% of organizations had been audited within the past two years. Of those, 72% had been audited within the last 12 months.

    SAM delivers cost savings beyond the procurement stage

    SAM delivers cost savings in several ways:

    • Improved negotiating position
      • Certainty around software needs and licensing terms can put the organization in a better negotiating position for new contracts or contract renewals.
    • Improved purchasing position
      • Centralized procurement can allow for improved purchasing agreements with better pricing.
    • More accurate forecasting and spend
      • With accurate data on what software is installed vs. used, more accurate decisions can be made around software purchasing needs and budgeting.
    • Prevention of over deployment
      • Deploy software only where it is needed based on what end users actively use.
    • Software rationalization
      • SAM data may reveal multiple applications performing similar functions that can be rationalized into a single standard software that is used across the enterprise.
    • License harvesting
      • Identify unused licenses that can be harvested and redeployed to other users rather than purchasing new licenses.

    SAM delivers many benefits beyond cost savings

    Manage risk. If licensing terms are not properly observed, the organization is at risk of legal and financial exposure, including illegal software installation, loss of proof of licenses purchased, or breached terms and conditions.

    Control and predict spend. Unexpected problems related to software assets and licenses can significantly impact cash flow.

    Less operational interruptions. Poor software asset management processes could lead to failed deployments, software update interruptions, viruses, or a shutdown of unlicensed applications.

    Avoid security breaches. If data is not secure through software patches and security, confidential information may be disclosed.

    More informed decisions. More accurate data on software assets improves transparency and informs decision making.

    Improved contract management. Automated tools can alert you to when contracts are up for renewal to allow time to plan and negotiate, then purchase the right amount of licenses.

    Avoid penalties. Conduct internal audits and track compliance to avoid fees or penalties if an external audit occurs.

    Reduced IT support. Employees should require less support from the service desk with proper, up to date, licensed software, freeing up time for IT Operations to focus on other work.

    Enhanced productivity. By rationalizing and standardizing software offerings, more staff should be using the same software with the same versioning, allowing for better communication and collaboration.

    Asset management is especially correlated with the following processes

    Being highly effective at asset management means that you are more likely to be highly effective at almost all IT processes, especially:

    Icon for process 'BAI10 Configuration Management'. Configuration Management
    76% more effective
    Icon for process 'ITRG03 Manage Service Catalogs'. Service Catalog
    74% more effective
    Icon for process 'APO11 Quality Management'. Quality Management
    63% more effective
    Icon for process 'ITRG08 Data Quality'. Data Quality
    62% more effective
    Icon for process 'MEA01 Performance Measurement'. Performance Measurement
    61% more effective
    Icon for process 'BAI05 Organizational Change Management'. Organizational Change Management
    60% more effective
    Icon for process 'APO05 Portfolio Management'. Portfolio Management
    59% more effective
    Icon for process 'APO03 Enterprise Architecture'. Enterprise Architecture
    58% more effective

    Why? Good SAM processes are integral to both service management and configuration management

    (Source: Info-Tech Research Group, IT Management and Governance Diagnostic; N=972 organizations) (High asset management effectiveness was defined as those organizations with an effectiveness score of 8 or above.)

    To accelerate progress, Info-Tech Research Group parses software asset management into its essential processes

    Focus on software asset management essentials

    Software Procurement:

    • Define procurement standards for software and related warranties and support options.
    • Develop processes and workflows for purchasing and work out financial implications to inform budgeting later.

    Software Deployment and Maintenance:

    • Define policies, processes, and workflows for software receiving, deployment, and maintenance practices.
    • Develop processes and workflows for managing imaging, harvests and redeployments, service requests, and large-scale rollouts.

    Software Harvest and Retirement:

    • Manage the employee termination and software harvest cycle.
    • Develop processes, policies, and workflows for software security and retirement.

    Software Contract and Audit Management:

    • Develop processes for data collection and validation to prepare for an audit.
    • Define metrics and reporting processes to keep asset management processes on track.
    A diagram that looks like a tier circle with 'Implement SAM' at the center. The second ring has 'Request & Procure', 'Receive & Deploy', 'Manage & Maintain', and 'Harvest & Retire'. The third ring seems to be a cycle beginning with 'Plan', 'Request', 'Procure', 'Deploy', 'Manage', 'Retire', and back to 'Plan'.

    Asset management is a key piece of Info-Tech’s COBIT-based IT Management and Governance Framework

    The Info-Tech / COBIT5 IT Management & Governance Framework, a number of IT process icons arranged like a periodic table. A magnifying glass highlights process 'BAI09 Asset Management' in the 'Infrastructure & Operations' category.

    Follow Info-Tech's methodology to build a plan to implement software asset management

    Phase 1
    Assess & Plan
    Phase 2
    Procure, Receive & Deploy
    Phase 3
    Manage, Redeploy & Retire
    Phase 4
    Build supporting processes

    1.1

    Assess current state

    2.1

    Request & procure

    3.1

    Manage & maintain contracts

    4.1

    Compliance & audits

    1.2

    Build team and define metrics

    2.2

    Receive & deploy

    3.2

    Harvest or retire

    4.2

    Communicate & build roadmap

    1.3

    Plan & budget
    Deliverables
    Standard Operating Procedures (SOP)
    SAM maturity assessment Process workflows Process workflows Audit response templates
    RACI chart Software standards Patch management policy Communication plan & FAQ template
    SAM metrics SAM policies
    SAM budget workbook

    Thanks to SAM, Visa saved $200 million in three years

    Logo for VISA.

    Case Study

    Industry: Financial Services
    Source: International Business Software Managers Association

    Visa, Inc.

    Visa, Inc. is the largest payment processing company in the world, with a network that can handle over 40,000 transactions every minute.

    Software Asset Management Program

    In 2006, Visa launched a formal IT asset management program, but it was not until 2011 that it initiated a focus on SAM. Joe Birdsong, the SAM director, first addressed four major enterprise license agreements (ELAs) and compliance issues. The SAM team implemented a few dedicated SAM tools in conjunction with an aggressive approach to training.

    Results

    The proactive approach taken by Visa used a three-pronged strategy: people, process, and tools. The process included ELA negotiations, audit responses, and software license rationalization exercises.

    According to Birdsong, “In the past three years, SAM has been credited with saving Visa over $200 million.”

    An timeline arrow with benchmarks, in order: 'Tool purchases', 'ELA negotiations', 'License rationalization', 'Audit responses', '$200 million in savings in just three years thanks to optimized SAM processes'.

    Info-Tech delivers: Use our tools and templates to accelerate your project to completion

    Thumbnail of Info-Tech's 'SAM Standard Operating Procedures (SOP)'.
    SAM Standard Operating Procedures (SOP)
    Thumbnail of Info-Tech's 'SAM Maturity Assessment'.
    SAM Maturity Assessment
    Thumbnail of Info-Tech's 'SAM Visio Process Workflows'.
    SAM Visio Process Workflows
    Thumbnail of Info-Tech's 'SAM Budget Workbook'.
    SAM Budget Workbook
    Thumbnail of Info-Tech's 'Additional SAM Policy Templates'.
    Additional SAM Policy Templates
    Thumbnail of Info-Tech's 'Software Asset Management Policy'.
    Software Asset Management Policy
    Thumbnail of Info-Tech's 'SAM Communication Plan'.
    SAM Communication Plan
    Thumbnail of Info-Tech's 'SAM FAQ Template'.
    SAM FAQ Template

    Use these insights to help guide your understanding of the project

    • SAM provides value to other processes in IT.
      Data, reports, and savings gained through SAM will enable data-driven decision making for all areas of the business.
    • Don’t just track licenses; manage them to create value from data.
      Gathering and monitoring license data is just the beginning. What you do with that data is the real test.
    • SAM isn’t about managing costs; it’s about understanding your environment to make better decisions.
      Capital tied up in software can impact the progress of other projects.
    • Managing licenses can impact the entire organization.
      Gain project buy-in from stakeholders by articulating the impact that managing licenses can have on other projects and the prevalence of shadow IT.

    Measure the value of a guided implementation (GI)

    Engaging in GIs doesn’t just offer valuable project advice, it also results in significant cost savings.

    GI Measured Value (Assuming 260 workdays in a year)
    Phase 1: Assess & Plan
    • Time, value, and resources saved by using Info-Tech’s methodology to assess current state and create a defined SAM team with actionable metrics
    • For example, 2 FTEs * 5 days * $80,000/year = $6,400
    Phase 2: Procure, Receive & Deploy
    • Time, value, and resources saved by using Info-Tech’s methodology to streamline request, procurement, receiving, and deployment processes for software assets.
    • For example, 2 FTEs * 5 days * $80,000/year = $6,400
    Phase 3: Manage, Redeploy & Retire
    • Time, value, and resources saved by using Info-Tech’s methodology to streamline the maintenance, inventory, license redeployment, and software retiring processes.
    • For example, 2 FTEs * 5 days * $80,000/year = $6,400
    Phase 4: Build Supporting Processes and Tools
    • Time, resources, and potential audit fines saved by using Info-Tech’s methodology to improve audit defense processes ($298,325 average audit penalty (Based on the results of Cherwell Software’s 2013 Software Audit Industry Report)) and design a communication and implementation plan.
    • For example, 2 FTEs * 5days * $80,000/year = $6,400 + $298,325 = $304,725
    Total savings $330,325

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Implement Software Asset Management – project overview

    Phase 1: Assess & plan Phase 2: Procure, receive & deploy Phase 3: Manage, redeploy & retire Phase 4: Build supporting processes
    Supporting Tool icon Best-Practice Toolkit

    Step 1.1: Assess current state

    Step 1.2: Build team and define metrics

    Step 1.3: Plan and budget

    Step 2.1: Request and procure

    Step 2.2: Receive and deploy

    Step 3.1: Manage and maintain contracts

    Step 3.2: Harvest, redeploy, or retire

    Step 4.1: Compliance and audits

    Step 4.2: Communicate and build roadmap

    Guided Implementations
    • Assess current state and challenges.
    • Define roles and responsibilities as well as metrics.
    • Discuss SAM budgeting.
    • Define software standards and procurement process.
    • Build processes for receiving software and deploying software.
    • Define process for conducting software inventory and maintenance and patches.
    • Build software harvest and redeployment processes and retirement.
    • Define process for internal and external audits.
    • Develop communication and implementation plan.
    Associated Activity icon Onsite Workshop Module 1:
    Assess & Plan
    Module 2:
    Map Core Processes: Procure, Receive & Deploy
    Module 3:
    Map Core Processes: Manage, Redeploy & Retire
    Module 4:
    Prepare for audit, build roadmap and communications

    Workshop Overview

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Workshop Day 1 Workshop Day 2 Workshop Day 3 Workshop Day 4
    Activities
    Assess & Plan

    1.1 Outline SAM challenges and objectives

    1.2 Assess current state

    1.3 Identify roles and responsibilities for SAM team

    1.4 Identify metrics and reports

    1.5 Identify SAM functions to centralize vs. decentralize

    1.6 Plan SAM budget process

    Map Core Processes: Procure, Receive & Deploy

    2.1 Determine software standards

    2.2 Define procurement process for new contracts

    2.3 Define process for contract renewals and additional procurement scenarios

    2.4 Design process for receiving software

    2.5 Design deployment workflow

    2.6 Define process for non-standard software requests

    Map Core Processes: Manage, Redeploy & Retire

    3.1 Define process for conducting software inventory

    3.2 Define policies for software maintenance and patches

    3.3 Map software license harvest and reallocation process

    3.4 Define policy for retiring software

    Build Supporting Processes

    4.1 Define and document the internal audit process

    4.2 Define and document the external audit process

    4.3 Develop a communication plan

    4.4 Prepare an FAQ list

    4.5 Identify SAM policies

    4.6 Develop a SAM roadmap to plan your implementation

    Deliverables
    • SAM maturity assessment
    • RACI chart
    • Defined metrics and reports
    • Budget workbook
    • Process workflows
    • Software standards
    • Process workflows
    • Patch management policy
    • Standard operating procedures
    • Audit response templates
    • Communication plan
    • FAQ template
    • Additional policy templates
    • Roadmap of initiatives

    Use these icons to help direct you as you navigate this research

    Use these icons to help guide you through each step of the blueprint and direct you to content related to the recommended activities.

    A small monochrome icon of a wrench and screwdriver creating an X.

    This icon denotes a slide where a supporting Info-Tech tool or template will help you perform the activity or step associated with the slide. Refer to the supporting tool or template to get the best results and proceed to the next step of the project.

    A small monochrome icon depicting a person in front of a blank slide.

    This icon denotes a slide with an associated activity. The activity can be performed either as part of your project or with the support of Info-Tech team members, who will come onsite to facilitate a workshop for your organization.

    Phase 1: Assess Current State

    VISA fought fire with fire to combat costly software audits

    Logo for VISA.

    Case Study

    Industry: Financial Services
    Source: SAM Summit 2014

    Challenge

    Visa implemented an IT asset management program in 2006. After years of software audit teams from large firms visiting and leaving expensive software compliance bills, the world’s leading payment processing company decided it was time for a change.

    Upper management recognized that it needed to combat audits. It had the infrastructure in place and the budget to purchase SAM tools that could run discovery and tracking functions, but it was lacking the people and processes necessary for a mature SAM program.

    Solution

    Visa decided to fight fire with fire. It initially contracted the same third-party audit teams to help build out its SAM processes. Eventually, Visa formed a new SAM team that was led by a group of former auditors.

    The former auditors recognized that their role was not technology based, so a group of technical individuals were hired to help roll out various SAM tools.

    The team rolled out tools like BDNA Discover and Normalize, Flexera FlexNet Manager, and Microsoft SCCM.

    Results

    To establish an effective SAM team, diverse talent is key. Visa focused on employees that were consultative but also technical. Their team needed to build relationships with teams within the organization and externally with vendors.

    Most importantly, the leaders of the team needed to think like auditors to better prepare for audits. According to Joe Birdsong, SAM Director at Visa, “we want to be viewed as a team that can go in and help right-size their environment and better understand licensing to help teams make better decisions.”

    The SAM team was only the beginning.

    Step 1.1 Assess current state and plan scope

    Phase 1:
    Assess & Plan
    This step will walk you through the following activities:This step involves the following participants:

    1.1

    Assess current state
    • 1.1.1 Outline the organization’s SAM challenges
    • 1.1.2 Identify objectives of SAM program
    • 1.1.3 Determine the maturity of your SAM program
    • Project Sponsor
    • IT Director, CIO
    • IT Managers and SAM Manager

    1.2

    Build team and define metrics

    1.3

    Plan & budget

    Step Outcomes

    • An outline of the challenges related to SAM
    • A clear direction for the program based on drivers, anticipated benefits, and goals
    • A completed maturity assessment of current SAM processes

    Sketch out challenges related to software asset management to shape the direction of the project

    Common SAM challenges

    • Audits are disruptive, time-consuming, and costly
    • No audit strategy and response in place
    • Software non-compliance risk is too high
    • Lacking data to forecast software needs
    • No central repository of software licenses
    • Untracked or unused software licenses results in wasted spend
    • Software license and maintenance costs account for a large percentage of the budget
    • Lacking data to know what software is purchased and deployed across the organization
    • Lack of software standards make it difficult to collect consistent information about software products
    • New software licenses are purchased when existing licenses remain on the shelf or multiple similar software products are purchased
    • Employees or departments make ad hoc purchases, resulting in overspending and reduced purchasing power
    • License renewal dates come up unexpectedly without time for adequate decision making
    • No communication between departments to coordinate software purchasing
    • Difficult to stay up to date with software licensing rule changes to remain in compliance
    • Processes and policies are unstandardized and undocumented

    Outline the organization’s SAM challenges

    Associated Activity icon 1.1.1 Brainstorm SAM challenges

    Participants: CIO/CFO, IT Director, Asset Manager, Purchasing, Service Desk Manager, Security (optional), Operations (optional)

    1. Distribute sticky notes to participants. Have everyone start by identifying challenges they face as a result of poor software asset management.
    2. As group, discuss and outline the software asset management challenges facing the organization. These may be challenges caused by poor SAM processes or simply by a lack of process. Group the challenges into key pain points to inform the current state discussion and assessment to follow.

    To be effective with software asset management, understand the drivers and potential impact to the organization

    Drivers of effective SAM Results of effective SAM
    Contracts and vendor licensing programs are complex and challenging to administer without data related to assets and their environment. Improved access to accurate data on contracts, licensing, warranties, installed software for new contracts, renewals, and audit requests.
    Increased need to meet compliance requires a formal approach to tracking and managing assets. Encryption, software application controls, and change notifications all contribute to better asset controls and data security.
    Cost cutting is on the agenda, and management is looking to reduce overall IT spend in the organization in any possible way. Reduction of software spend through data for better forecasting, planning, and licensing rationalization and harvesting.
    Audits are time consuming, disruptive to project timelines and productivity, and costly. Respond to audits with a formalized process, accurate data, and minimal disruption using always-available reporting.

    Determine goals to focus the direction of your SAM program

    Associated Activity icon 1.1.2 Identify objectives of the SAM program

    Participants: CIO/CFO, IT Director, Asset Manager, Service Manager (optional)

    Document: Document in the Standard Operating Procedures.

    1. Identify the drivers behind the software asset management implementation or improvement project. List on a whiteboard or flip chart.
    2. Using the project drivers as input, brainstorm the goals of the SAM project. Discuss the goals as a group and finalize into a list of objectives for the SAM program.
    3. Record the objectives in the SOP and keep them in mind as you work through the rest of the project.

    Sample Objectives:

    1. A single data repository to efficiently manage assets for their entire lifecycle.
    2. Formalizing a methodology for documenting assets to make data retrieval easy and accurate.
    3. Defining and documenting processes to determine where improvements can be made.
    4. Improving customer experience in accessing, using, and maintaining assets.
    5. Centralizing contract information.
    6. Providing access to information for all technical teams as needed.

    Implementing SAM processes will support other IT functions

    By improving how you manage your licenses and audit requests, you will not only provide benefits through a mature SAM program, you will also improve your service desk and disaster recovery functions.

    Service Desk Disaster Recovery
    • Effective service desk tickets require a certain degree of technical detail for completion that a SAM program often provides.
    • Many tools are available that can handle both ITSM and ITAM functions. Your SAM data can be integrated into many of your service desk functions.
    • For example, if a particular application is causing a high number of tickets, SAM data could show the application’s license is almost expired and its usage has decreased due to end-user frustrations. The SAM team could review the application and decide to purchase software that better meets end-user needs.
    • If you don’t know what you have, you don’t know what needs to be back online first.
    • The ability to restore system functionality is heavily dependent on the ability to locate or reproduce master media documentation and system configuration information.
    • If systems/software are permanently lost, the ability to recover software licensing information is crucial to preserving compliance.
    • License agreement and software are needed to demonstrate software ownership. Unless the proof of ownership is present, there is no proof of compliance.
    Short description of Info-Tech blueprint 'Standardize the Service Desk'. Short description of Info-Tech blueprint 'Create a Right-Sized Disaster Recovery Plan'.

    Each level of SAM maturity comes with its own unique challenges

    Maturity People & Policies Processes Technology
    Chaos
    • No dedicated staff
    • No policies published
    • Procedures not documented or standardized
    • Licenses purchased randomly
    • Help desk images machines, but users can buy and install software
    • Minimal tracking tools in place
    Reactive
    • Semi-focused SAM manager
    • No policies published
    • Reliance on suppliers to provide reports for software purchases
    • Buy licenses as needed
    • Software installations limited to help desk
    • Discovery tools and spreadsheets used to manage software
    Controlled
    • Full-time SAM manager
    • End-user policies published and requiring sign-off
    • License reviews with maintenance and support renewals
    • SAM manager involved in budgeting and planning sessions
    • Discovery and inventory tools used to manage software
    • Compliance reports run as needed
    Proactive
    • Extended SAM team, including help desk and purchasing
    • Corporate anti-piracy statement in place and enforced
    • Quarterly license reviews
    • Centralized view into software licenses
    • Software requests through service catalog with defined standard and non-standard software
    • Product usage reports and alerts in place to harvest and reuse licenses
    • Compliance and usage reports used to negotiate software contracts
    Optimized
    • SAM manager trained and certified
    • Working with HR, Legal, Finance, and IT to enforce policies
    • Full support and maintenance analysis for all license reviews
    • Quarterly meetings with SAM team to review policies, procedures, upcoming contracts, and rollouts
    • Software deployed automatically through service catalog/apps store
    • Detailed savings reports provided to executive team annually
    • Automated policy enforcement and process workflows

    Determine the maturity of your SAM program

    Supporting Tool icon 1.1.3 Use the SAM Maturity Assessment Tool
    1. Download the SAM Maturity Assessment Tool and go to tab 2.
    2. Complete the self-assessment in all seven categories:
      1. Control Environment
      2. Roles & Responsibilities
      3. Policies & Procedures
      4. Competence
      5. Planning & Implementation Process
      6. Monitoring & Review
      7. Inventory Processes
    3. Go to tab 3 and examine the graphs produced. Identify the areas in your SAM program that require the most attention and which are already relatively mature.
    4. Use the results of this maturity assessment to focus the efforts of the project moving forward. Return to the assessment after a pre-determined time (e.g. one year later) to track improvement in maturity over time.
    Screenshot of the results page from the SAM Maturity Assessment Tool. Screenshot of the processes page from the SAM Maturity Assessment Tool.

    Step 1.2 Build team and define metrics

    Phase 1:
    Assess & Plan
    This step will walk you through the following activities:This step involves the following participants:

    1.1

    Assess current state
    • 1.2.1 Identify roles and responsibilities for SAM team
    • 1.2.2 Identify metrics and KPIs to track the success of your SAM program
    • 1.2.3 Define SAM reports to track metrics
    • CIO/CFO
    • IT Director
    • SAM Manager
    • SAM Team
    • Service Desk Manager

    1.2

    Build team and define metrics

    1.3

    Plan & budget

    Step Outcomes

    • A description of the roles and responsibilities of IT staff involved in SAM
    • A list of metrics and reports to track to measure the success of the software asset management program

    Define roles and responsibilities for the SAM program

    Roles and responsibilities should be adapted to fit specific organizational requirements based on its size, structure, and distribution and the scope of the program. Not all roles are necessary and in small organizations, one or two people may fulfill multiple roles.

    Senior Management Sponsor – Ensures visibility and support for the program.

    IT Asset Manager – Responsible for management of all assets and maintaining asset database.

    Software Asset Manager – Responsible for management of all software assets (a subset of the overall responsibility of the IT Asset Manager).

    SAM Process Owner – Responsible for overall effectiveness and efficiency of SAM processes.

    Asset Analyst – Maintains up-to-date records of all IT assets, including software version control.

    Additional roles that interact with SAM:

    • Security Manager
    • Auditors
    • Procurement Manager
    • Legal Council
    • Change Manager
    • Configuration Manager
    • Release and Deployment Manager
    • Service Desk Manager

    Form a software asset management team to drive project success

    Many organizations simply do not have a large enough staff to hire a full-time software asset manager. The role will need to be championed by an internal employee.

    Avoid filling this position with a temporary contract; one of the most difficult operational factors in SAM implementation and continuity is constant turnover and organizational shifts. Hiring a software asset manager on contract might get the project going faster, but without the knowledge gained by doing the processes, the program won’t have enough momentum to sustain itself.

    Software Asset Manager Duties

    • Gather proof of license.
    • Record and track all assets within the SAM repository.
    • Produce compliance reports.
    • Preparation of budget requests.
    • Administration of software renewal process.
    • Contract and support analysis.
    • Document procedures.
    • Ensure project is on track.

    SAM Team Member Duties

    • Record license and contract data in SAM tool.
    • Assist in production of SAM reports.
    • Data analysis.
    • Match tickets to SAM data.
    • Assist in documentation.
    • Assist in compliance reports.
    • Gather feedback from end users.

    Info-Tech Best Practice

    Make sure your SAM team is diverse. The SAM team will need to be skilled at achieving compliance, but there is also a need for technically skilled individuals to maximize the function of the SAM tool(s) at your organization.

    Identify roles and responsibilities for SAM

    Associated Activity icon 1.2.1 Complete a RACI chart for your organization

    Participants: CIO/CFO, IT Director, SAM Manager, SAM Team, Service Desk Manager

    Document: Document in the Standard Operating Procedures.

    Determine the roles and responsibilities for your SAM program. Record the results in a RACI (responsible, accountable, consulted, informed) chart such as the example below.

    SAM Processes and Tasks CIO CFO SAM Manager IT Director Service Management Team IT Ops Security Finance Legal Project Manager
    Policies/Governance A C R R I I C I R I
    Strategy A C R R I I I I C
    Risk Management/Asset Security A C R R C R C C C
    Data Entry/Quality I I A R R
    Compliance Auditing R C A R I I I I
    Education & Training R I A C I I
    Contract Lifecycle Management R R A R C C C C R C
    Workflows R C A R I I I R I C/I
    Budgeting R R R A C R
    Software Acquisition R I A R I C R C C
    Controls/Reporting R I A R I I C I
    Optimize License Harvesting I I A R I C C

    Identify metrics to form the framework of the project

    Trying to achieve goals without metrics is like trying to cook without measuring your ingredients. You might succeed, but you’ll have no idea how to replicate it.

    SAM metrics should measure one of five categories:

    • Quantity → How many do we have? How many do we want?
    • Compliance → What is the level of compliance in a specific area?
    • Duration → How long does it take to achieve the desired result?
    • Financial → What is the cost/value? What is our comparative spend?
    • Quality → How good was the end result? E.g. Completeness, accuracy, timeliness

    The metrics you track depend on your maturity level. As your organization shifts in maturity, the metrics you prioritize for tracking will shift to reflect that change. Example:

    Metric category Low maturity metric High maturity metric
    Compliance % of software installed that is unauthorized % of vendors in effective licensing position (ELP) report
    Quantity % of licenses documented in ITAM tool % of requests made through unauthorized channels

    Associate KPIs and metrics with SAM goals

    • Identify the critical success factors (CSFs) for your software asset management program based on strategic goals.
    • For each success factor, identify the key performance indicators (KPIs) to measure success, as well as specific metrics that will be tracked and reported on.
    • Sample metrics are below:

    CSF = Goal, or what success looks like

    KPI = How achievement of goal will be defined

    Metric = Numerical measure to determine if KPI has been achieved

    CSF/Goal KPI Metrics
    Improve accuracy of software budget and forecasting
    • Reduce software spend by 5%
    • Total software asset spending
    • Budgeted software spend vs. actual software spend
    Avoid over purchasing software licenses and optimize use of existing licenses
    • Reduce number of unused and underused licenses by 10%
    • Number of unused licenses
    • Money saved from harvesting licenses instead of purchasing new ones
    Improve accuracy of data
    • Data in SAM tool matches what is deployed with 95% accuracy
    • Percentage of entitlements recorded in SAM tool
    • Percentage of software titles recognized by SAM tool
    Improved service delivery
    • Reduce time to deploy new software by 10%
    • Mean time to purchase new software
    • Mean time to fulfill new software requests

    Identify metrics and KPIs to track the success of your SAM program

    Associated Activity icon 1.2.2 Brainstorm metrics and KPIs

    Participants: CIO, IT Director, SAM Manager, SAM Team

    Document: Document in the Standard Operating Procedures.

    1. Discuss the goals and objectives of implementing or improving software asset management, based on challenges identified earlier.
    2. From the goals, identify the critical success factors for the SAM program.
    3. For each CSF, identify one to three key performance indicators (KPIs) to evaluate achievement of the success factor.
    4. For each KPI, identify one to three metrics that can be tracked and reported on to measure success. Ensure that the metrics are tangible and measurable.

    Use the table below as an example.

    Goal/CSF KPI Metric
    Improve license visibility Increase accuracy and completeness of SAM data
    • % of total titles included in ITAM tool
    • % of licenses documented in ITAM tool
    Reduce software costs Reduce number of unused software licenses by 20%
    • % of licenses assigned to ex-employees
    • % of deployed licenses that have not been used in the past six months
    Reduce shadow IT Reduce number of unauthorized software purchases and installations by 10%
    • % of software requests made through unauthorized channels
    • % of software installed that is unauthorized

    Tailor metrics and reports to specific stakeholders

    Asset Managers

    Asset managers require data to manage how licenses are distributed throughout the organization. Are there multiple versions of the same application deployed? What proportion of licenses deployed are assigned to employees who are no longer at the organization? What are the usage patterns for applications?

    Service Desk Technicians

    Service desk technicians need real-time data on licenses currently available to deploy to machines that need to be imaged/updated, otherwise there is a risk of breaching a vendor agreement.

    Business Managers and Executives

    Business managers and executives need reports to make strategic decisions. The reports created for business stakeholders need to help them align business projects or business processes with SAM metrics. To determine which reports will provide the most value, start by looking at business goals and determining the tactical data that will help inform and support these goals and their progress.

    Additional reporting guidelines:

    • Dashboards should provide quick-glance information for daily maintenance.
    • Alerts should be set for all contract renewals to provide enough advanced notice (e.g. 90 days).
    • Reports should be automated to provide actionable information to appropriate stakeholders as needed.

    Define SAM reports to track metrics

    Associated Activity icon 1.2.3 Identify reports and metrics to track regularly

    Participants: CIO, IT Director, SAM Manager, SAM Team

    Document: Document in the Standard Operating Procedures.

    1. Identify key stakeholders requiring SAM reports. For each audience, identify their goals and requirements from reporting.
    2. Using the list of metrics identified previously, sort metrics into reports for each audience based on their requirements and goals. Add any additional metrics required.
    3. Identify a reporting frequency for each report.

    Example:

    Stakeholder Purpose Report Frequency
    Asset Manager
    • Manage budget
    • Manage contracts and cash flow
    • Ensure processes are being followed
    Operational budget spent to date Monthly
    Capital budget spent to date Monthly
    Contracts coming due for renewal Quarterly
    Software harvested for redeployment Quarterly
    Number of single applications being managed Annually
    CFO
    • Manage budget
    • Manage cash flow
    Software purchased, operational & capital Monthly
    Software accrued for future purchases Monthly
    Contracts coming due for renewal
    • Include dollar value, savings/spend
    Quarterly
    CIO
    • Resource planning
    • Progress reporting
    Software deployments and redeployments Monthly
    Software rollouts planned Quarterly
    % of applications patched Quarterly
    Money saved Annually
    Number of contracts & apps managed Quarterly

    Step 1.3 Plan the SAM program and budget

    Phase 1:
    Assess & Plan
    This step will walk you through the following activities:This step involves the following participants:

    1.1

    Assess current state
    • 1.3.1 Identify SAM functions to centralize vs. decentralize
    • 1.3.2 Complete the SAM budget tool
    • Project Sponsor
    • IT Director, CIO
    • IT Managers and SAM Manager
    • CFO

    1.2

    Build team and define metrics

    1.3

    Plan & budget

    Step Outcomes

    • Defined scope for the SAM program in terms of the degree of centralization of core functions and contracts
    • A clearer picture of software spend through the use of a SAM budgeting tool.

    Asset managers need to be involved in infrastructure projects at the decision-making stage

    Ensure that your software asset manager is at the table when making key IT decisions.

    Many infrastructure managers and business managers are unaware of how software licensing can impact projects. For example, changes in core infrastructure configuration can have big impacts from a software licensing perspective.

    Mini Case Study

    • When a large healthcare organization’s core infrastructure team decided to make changes to their environment, they failed to involve their asset manager in the decision-making process.
    • When the healthcare organization decided to make changes to their servers, they were running Oracle software on their servers, but the licenses were not being tracked.
    • When the change was being made to the servers, the business contacted Oracle to notify them of the change. What began as a tech services call quickly devolved into a licensing error; the vendor determined that the licenses deployed in the server environment were unauthorized.
    • For breaching the licensing agreement, Oracle fined the healthcare organization $250,000.
    • Had the asset manager been involved in the process, they would have understood the implications that altering the hardware configuration would have on the licensing agreement and a very expensive mistake could have been avoided.

    Decide on the degree of centralization for core SAM functions

    • Larger organizations with multiple divisions or business units will need to decide which SAM functions will be centralized and which, if any, will be decentralized as they plan the scope of their SAM program. Generally, certain core functions should be centralized for the SAM program to deliver the greatest benefits.
    • The degree of centralization may also be broken down by contract, with some contracts centralized and some decentralized.
    • A centralized SAM database gives needed visibility into software assets and licenses across the organization, but operation of the database may also be done locally.

    Centralization

    • Allows for more strategic planning
    • Visibility into software licenses across the organization promotes rationalization and cost savings
    • Ensure common products are used
    • More strategic sourcing of vendors and resellers
    • Centrally negotiate pricing for better deals
    • Easier to manage risk and prepare for audits
    • Greater coordination of resources

    Decentralization

    • May allow for more innovation
    • May be easier to demonstrate local compliance if the organization is geographically decentralized
    • May be easier to procure software if offices are in different countries
    • Deployment and installation of software on user devices may be easier

    Identify SAM functions to centralize vs. decentralize

    Associated Activity icon 1.3.1 Identify functions for centralization

    Participants: CIO, IT Director, SAM Manager, SAM Team

    Document: Document in the Standard Operating Procedures.

    1. If applicable, identify SAM functions that will need to be centralized and evaluate the implications of centralization to ensure it is feasible.
    2. If applicable, identify SAM functions that will be decentralized, if resources are available to manage those functions locally.

    Example:

    Centralized Functions
    • Operation of SAM database
    • SAM budget
    • Vendor selection
    • Contract negotiation and purchasing
    • Data analysis
    • Software receiving and inventory
    • Audits and risk management
    Decentralized functions
    • Procurement
    • Deployment and installation

    Software comprises the largest part of the infrastructure and operations budget

    After employee salaries (38%), the four next largest spend buckets have historically been infrastructure related. Adding salaries and external services, the average annual infrastructure and operations spend is over 50% of all IT spend.

    The largest portion of that spend is on software license and maintenance. As of 2016, software accounted for the roughly the same budget total as voice communications, data communications, and hardware combined. Managing software contracts is a crucial part of any mature budgeting process.

    Graph showing the percentage of all IT spend used for 'Ongoing software license and maintenance' annually. In 2010 it was 17%; in 2018 it was 21%. Graph showing the percentage of all IT spend used for 'Hardware maintenance / upgrades' annually. In 2010 it was 7%; in 2018 it was 8%. Graph showing the percentage of all IT spend used for 'Data communications' annually. In 2010 it was 7%; in 2018 it was 7%. Graph showing the percentage of all IT spend used for 'Voice communications' annually. In 2010 it was 5%; in 2018 it was 7%.

    Gain control of the budget to increase the success of SAM

    A sophisticated software asset management program will be able to uncover hidden costs, identify opportunities for rationalization, save money through reharvesting unused licenses, and improve forecasting of software usage to help control IT spending.

    While some asset managers may not have experience managing budgets, there are several advantages to the ITAM function owning the budget:

    • Be more involved in negotiating pricing with vendors.
    • Build better relationships with stakeholders across the business.
    • Gain greater purchasing power and have a greater influence on purchasing decisions.
    • Forecast software requirements more accurately.
    • Inform benchmarks and metrics with more data.
    • Directly impact the reduction in IT spend.
    • Manage the asset database more easily and have a greater understanding of software needs.
    • Identify opportunities for cost savings through rationalization.

    Examine your budget from a SAM perspective to optimize software spend

    How does examining your budget from a SAM perspective benefit the business?

    • It provides a chance to examine vendor contracts as they break down contracts by projects and services, which gives a clearer picture of where software fits into the budget.
    • It also gives organizations a chance to review vendor agreements and identify any redundancies present in software supporting services.

    Review the budget:

    • When reviewing your budget, implement a contingency fund to mitigate risk from a possible breach of compliance.
    • If your organization incurs compliance issues that relate to specific services, these fines may be relayed back to the departments that own those services, affecting how much money each department has.
    • The more sure you are of your compliance position, the less likely you are to need a contingency fund, and vice versa.

    Info-Tech Best Practice

    Finance needs to be involved. Their questions may cover:

    • Where are the monthly expenditures? Where are our financial obligations? Do we have different spending amounts based on what time of year it is?

    Use the SAM Budget Workbook to uncover insights about your software spend

    Supporting Tool icon 1.3.2 Complete the SAM budget tool

    The SAM Budget Workbook is designed to assist in developing and justifying the budget for software assets for the upcoming year.

    Instructions

    1. Work through tabs 2-6, following the instructions as you go.
    2. Tab 2 involves selecting software vendors and services provided by software.
    3. Tab 3 involves classifying services by vendor and assigning a cost to them. Tab 3 also allows you to classify the contract status.
    4. Tab 4 is a cost variance tracking sheet for software contracts.
    5. Tabs 5 and 6 are monthly budget sheets that break down software costs by vendor and service, respectively.
    6. Tab 7 provides graphs to analyze the data generated by the tool.
    7. Use the results found on tab 7 to analyze your budget: are you spending too much with one service? Is there vendor overlap based on what project or service that software is reporting?
    Screenshots of the 'Budget of Services Supported by Software Vendors' and 'Software Expense cashflow reports by Vendor' pages from the SAM Budget Workbook. Screenshot of the 'Analysis of Data' page from the SAM Budget Workbook.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech Workshop Associated Activity icon

    Book a workshop with our Info-Tech analysts:

    Photo of an Info-Tech analyst.
    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analyst will join you and your team onsite at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    1.1.3

    Sample of activity 1.1.3 'Determine the maturity of your SAM program'. Determine the maturity of your SAM program

    Using the SAM Maturity Assessment Tool, fill out a series of questions in a survey to assess the maturity of your current SAM program. The survey assesses seven categories that will allow you to align your strategy to your results.

    1.2.3

    Sample of activity 1.2.3 'Define SAM reports to track metrics'. Define SAM reports to track metrics

    Identify key stakeholders with reporting needs, metrics to track to fulfill reporting requirements, and a frequency for producing reports.

    Phase 1 outline

    Associated Activity icon Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Assess and Plan

    Proposed Time to Completion (in weeks): 4
    Step 1.1: Assess current state Step 1.2: Build team and define metrics Step 1.3: Plan and budget
    Start with an analyst kick-off call:
    • Outline SAM challenges
    • Overview of the project
    • Assess current maturity level
    Review findings with analyst:
    • Define roles and responsibilities of SAM staff
    • Identify metrics and reports to track
    Review findings with analyst:
    • Plan centralization of SAM program
    • Discuss SAM budgeting
    Then complete these activities…
    • Identify challenges
    • Identify objectives of SAM program
    • Assess maturity of current state
    Then complete these activities…
    • Define roles and responsibilities
    • Identify metrics and KPIs
    • Plan reporting
    Then complete these activities…
    • Identify SAM functions to centralize
    • Complete the SAM budgeting tool
    With these tools & templates:
    • SAM Maturity Assessment
    • Standard Operating Procedures
    With these tools & templates:
    • Standard Operating Procedures
    With these tools & templates:
    • SAM Budget Workbook

    Phase 2: Procure, Receive, and Deploy

    VISA used high-quality SAM data to optimize its software licensing

    Logo for VISA.

    Case Study

    Industry: Financial Services
    Source: SAM Summit 2014

    Challenge

    Visa formed a SAM team in 2011 to combat costly software audits.

    The team’s first task was to use the available SAM data and reconcile licenses deployed throughout the organization.

    Organizations as large as Visa constantly run into issues where they are grossly over or under licensed, causing huge financial risk.

    Solution

    Data collection and analysis were used as part of the license rationalization process. Using a variety of tools combined with a strong team allowed Visa to perform the necessary steps to gather license data and analyze usage.

    One of the key exercises was uniting procurement and deployment data and the teams responsible for each.

    End-to-end visibility allowed the data to be uniform. As a result, better decisions about license rationalization can be made.

    Results

    By improving its measurement of SAM data, Visa was able to dedicate more time to analyze and reconcile its licenses. This led to improved license management and negotiations that reflected actual usage.

    By improving license usage through rationalization, Visa reduced the cost of supporting additional titles.

    The SAM team also performed license reclamation to harvest and redistribute licenses to further improve usage. The team’s final task was to optimize audit responses.

    Step 2.1 Request and procure software

    Phase 2:
    Procure, Receive & Deploy
    This step will walk you through the following activities:This step involves the following participants:

    2.1

    Request & Procure
    • 2.1.1 Determine which software contracts should be centralized vs. localized
    • 2.1.2 Determine your software standards
    • 2.1.3 Define procurement policy
    • 2.1.4 Identify approvals and requests for authorization thresholds
    • 2.1.5 Build software procurement workflow for new contracts
    • 2.1.6 Define process for contract renewals and additional procurement scenarios
    • IT Director, CIO
    • IT Managers and SAM Manager
    • SAM Team

    2.2

    Receive & Deploy

    Step Outcomes

    • Defined standards for software requests
    • A documented policy for software procurement including authorization thresholds
    • Documented process workflows for new contracts and contract renewals

    Procurement and SAM teams must work together to optimize purchasing

    Procurement and SAM must collaborate on software purchases to ensure software purchases meet business requirements and take into account all data on existing software and licenses to optimize the purchase and contract. Failure to work together can lead to unnecessary software purchases, overspending on purchases, and undesirable contract terms.

    SAM managers must collaborate with Procurement when purchasing software.

    SAM managers should:

    • Receive requests for software licenses
    • Ensure a duplicate license isn’t already purchased before going through with purchase
    • Ensure the correct license is purchased for the correct individuals
    • Ensure the purchasing information is tracked in the ITAM/SAM tool
    • Report on software usage to inform purchases
    Two cartoon people in work attire each holding a piece of a puzzle that fits with the other. Procurement must commit to be involved in the asset management process.

    Procurement should:

    • Review requests and ensure all necessary approvals have been received before purchasing
    • Negotiate optimal contract terms
    • Track and manage purchasing information and invoices and handle financial aspects
    • Use data from SAM team on software usage to decide on contract terms and optimize value

    Centralize procurement to decrease the likelihood of overspending

    Centralized negotiation and purchasing of software can ensure that the SAM team has visibility and control over the procurement process to help prevent overspending and uncontrolled agreements.

    Benefits of centralized procurement

    • Ability to easily manage software demand.
    • Provides capability to effectively manage your relationships with suppliers.
    • Allows for decreased contract processing times.
    • Provides easy access to data with a single consolidated system for tracking assets at an early stage.
    • Reduces number of rogue purchases by individual departments.
    • Efficiency through automation and coordinated effort to examine organization’s compliance and license position.
    • Higher degree of visibility and transparency into asset usage in the organization.

    Info-Tech Insights

    It may be necessary to procure some software locally if organizations have multiple locations, but try to centrally procure and manage the biggest contracts from vendors that are likely to audit the organization. Even with a decentralized model, ensure all teams communicate and that contracts remain visible centrally even if managed locally.

    Standards for software procurement help prevent overspending

    Software procurement is often more difficult for organizations than hardware procurement because:

    • Key departments that need to be involved in the purchasing process do not communicate or interact enough.
    • A fear of software auditing causes organizations to overspend to mitigate risk.
    • Standards are often not in place, with most purchases being made outside of the gold imaging standard.
    • A lack of discovery results in gross overspending on software licenses that are already present and underused.

    Info-Tech Insight

    One of the major challenges involved in implementing SAM is uniting multiple datasets and data sources across the enterprise. A conversation with each major business unit will help with the creation of software procurement standards that are acceptable to all.

    Determine which software contracts should be centralized vs. localized (optional)

    Associated Activity icon 2.1.1 Identify central standard enterprise offerings

    Participants: CIO, IT Director, SAM Manager, SAM Team

    Document: Document in the Standard Operating Procedures.

    1. As a group, list as many software contracts that are in place across the organization as can easily be identified, focusing on top vendors.
    2. Identify which existing software contracts are standard enterprise offerings that are procured and managed centrally and which are non-standard or localized applications.
    3. Looking at the list of non-standard software, identify if any can or should be rationalized or replaced with a standard offering.
    Standard enterprise offerings
    • Microsoft
    • IBM
    • Adobe
    • Dell
    • Cisco
    • VMware
    • Barracuda
    Localized or non-standard software

    Classify your approved software into tiers to improve workflow efficiency

    Not all titles are created equal; classifying your pre-approved and approved software titles into a tiered system will provide numerous benefits for your SAM program.

    The more prestigious the asset tier, the higher the degree of data capture, support, and maintenance required.

    • Mission-critical, high-priority applications are classified as gold standard.
    • Secondary applications or high priority are silver standard.
    • Low-usage applications or normal priority are bronze standard.

    E.g. An enterprise application that needs to be available 24/7, such as a learning management system, should be classified as a gold tier to ensure it has 24/7 support.

    Creating tiers assists stakeholders in justifying the following set of decision points:

    • Which assets will require added maintenance (e.g. software assurance for Microsoft)
    • Technical support requirements to meet business requirements
    • Lifecycle and upgrade cycle of the software assets.
    • Monitoring usage to determine whether licenses can be harvested
    • Authorizations required for purchase requests

    Determine your software standards

    Associated Activity icon 2.1.2 Identify standard software images for your organization

    Participants: Asset Manager, Purchasing, Service Desk Manager, Operations (optional)

    Document: Document in the Standard Operating Procedures.

    1. As a group, discuss and identify the relevant software asset tiers and number of tiers.
    2. For each tier, define:
      • Support requirements (hours and payments)
      • Maintenance requirements (mandatory or optional)
      • Lifecycle (when to upgrade, when to patch)
      • Financial requirements (CapEx/OpEx expenses)
      • Request authorizations (requestors and approvers)
    3. Sort the software contracts identified in the previous category into tiers, for example:
      • Mission-critical software (gold tier)
      • High-priority software (silver tier)
      • Normal-priority software (bronze tier)
    4. Use the SOP as an example.

    Determine which licensing options and methodologies fit into future IT strategy

    Not everyone is ready to embrace the cloud for all solutions; make sure to align cloud strategy to business requirements. Work closely with IT executives to determine appropriate contract terms, licensing options, and tracking processes.

    Vendors make changes to bundles and online services terms on a regular basis. Ensure you document your agreed upon terms to save your required functionality as vendor standard offerings change.

    • Any contracts getting moved to the cloud will need to undergo a contract comparison first.
    • The contract you signed last month could be completely different this month. Many cloud contracts are dynamic in nature.
    • Keep a copy of the electronic contract that you signed in a secure, accessible location.
    • Consider reaching a separate agreement with the vendor that they will ensure you maintain the results of the original agreement to prevent scope creep.

    Not all on-premises to cloud options transition linearly:

    • Features of perpetual licenses may not map to subscriptions
    • Product terms may differ from online services terms
    • Licensing may change from per device to per user
    • Vendor migrations may be more complex than anticipated

    Download the Own the Cloud: Strategy and Action Plan blueprint for more guidance

    Understand the three primary models of software usage agreements

    Licensed Open Source Shareware
    License Structure A software supplier is paid for the permission to use their software. The software is provided free of charge, but is still licensed. The software is provided free of charge, but is still licensed. Usage may be on a trial basis, with full usage granted after purchase.
    Source Code The source code is still owned by the supplier. Source code is provided, allowing users to change and share the software to suit their needs. Source code is property of the original developer/supplier.
    Technical Support Technical support is included in the price of the contract. Technical support may be provided, often in a community-based format from other developers of the open-source software in question. Support may be limited during trial of software, but upgraded once a purchase is made.

    Info-Tech Insight

    Open-source software should be managed in the same manner as commercial software to understand licensing requirements and be aware of any changes to these agreements, such as commercialization of such products, as well as any rules surrounding source code.

    Coordinate with purchasing department to define software procurement policy

    Associated Activity icon 2.1.3 Define procurement policy

    Participants: Asset Manager, Purchasing, Service Desk Manager, Operations (optional)

    Document: Document in the Standard Operating Procedures.

    Define and document policies that will apply to IT software purchases, including policies around:

    • Software purchase approvals
    • Licenses for short-term contractors
    • On-premises vs. SaaS purchases
    • Shareware and freeware fees
    • Open-source software

    Use the example below as guidance and document in the SOP.

    • Software will not be acquired through user corporate credit cards, office supply, petty cash, or personal expense budgets. Purchases made outside of the acceptable processes will not be reimbursed and will be removed from company computers.
    • Contractors who are short term and paid through vendor contracts and invoices will supply their own licenses.
    • Software may be purchased as on-premises or as-a-service solutions as IT deems appropriate for the solution.
    • Shareware and freeware authors will be paid the fee they specify for use of their products.
    • Open-source software will be managed in the same manner as commercial software to understand licensing requirements and be aware of any changes to these agreements, such as commercialization of such products.

    Identify approvals and requests for authorization thresholds

    Associated Activity icon 2.1.4 Identify financial thresholds for approvals and requests

    Participants: Asset Manager, Purchasing, CIO, CFO, IT Director

    Document: Document in the Standard Operating Procedures.

    Identify and classify financial thresholds for contracts requiring approval. For each category of contract value, identify who needs to authorize the request. Discuss and document any other approvals necessary. An example is provided below.

    Example:
    Requests for authorization will need to be directed based on the following financial thresholds:

    Contract value Authorization
    <$50,000 IT Director
    $50,000 to $250,000 CIO
    $250,000 to $500,000 CIO and CFO
    >$500,000 Legal review

    Develop a defined process for software procurement

    A poorly defined software procurement workflow can result in overspending on unnecessary software licensing throughout the year. This can impact budgeting and any potential software refreshes, as businesses will often rely on purchasing what they can afford, not what they need.

    Benefits of a defined workflow

    • Standardized understanding of the authorization processes results in reduced susceptibility to errors and quicker processing times.
    • Compliance with legal regulations.
    • Protection from compliance violations.
    • Transparency with the end user by communicating the process of software procurement to the business.

    Elements to include in procurement workflows:

    • RFP
    • Authorizations and approvals
    • Contract review
    • Internal references to numbers, cost centers, locations, POs, etc.

    Four types of procurement workflows:

    1. New contract – Purchasing brand new software
    2. Add to contract – Adding new POs or line items to an existing contract
    3. Contract renewal – Renewing an existing contract
    4. No contract required – Smaller purchases that don’t require a signed contract

    Outline the procurement process for new contracts

    The procurement workflow may involve the Service Desk, procurement team, and asset manager.

    The following elements should be accounted for:

    • Assignee
    • Requestor
    • Category
    • Type
    • Model or version
    • Requisition number
    • Purchase order number
    • Unit price
    A flowchart outlining the procurement process for new contracts. There are three levels, at the top is 'Tier 2 or Tier 3', the middle is 'IT Procurement', the bottom is 'Asset Manager'. It begins in 'Tier 2 or Tier 3' with 'Approved request received', and if it is not declined it moves on to 'Purchasing request forwarded to Procurement' on the 'IT Procurement' level. If an RFP is required, it eventually moves to 'Receives contract' on the 'Asset Manager' level and ends with 'Document license requirements, notify IT Product Owner'.

    Build software procurement workflow for new contracts

    Associated Activity icon 2.1.5 Build new contract procurement workflow

    Participants: Asset Manager, Purchasing, Service Desk Manager, Operations (optional)

    Document: Document in the Standard Operating Procedures.

    1. As a team, outline each of the tasks in the process of procuring a new software asset using cue cards, sticky notes, or a whiteboard.
    2. Use the sample procurement workflow on the previous slide as an example if needed.
    3. Ensure the following elements required for the asset procurement process have been accounted for:
      • Assignee
      • Requestor
      • Category
      • Type
      • Model or version
      • Requisition number
      • Purchase order number
      • Unit price
    4. Review the workflow and make any adjustments necessary to improve the process. Document using Visio and add to the SOP.

    Review vendor contracts to right-size licensing procurement

    Many of your applications come from the same vendor, and a view into the business services provided by each software vendor contract will prove beneficial to the business.

    • You may uncover overlaps in services provided by software across departments.
    • The same service may be purchased from different vendors simply because two departments never compared notes!
    • This leaves a lot of money on the table from a lack of volume discounts.
    A graphic depicting a Venn diagram in which the 'Software' and 'Services' circles overlap, both of which stem from a 'Vendor Contract'.
    • Be cautious about approaching license budgeting strictly from a cost perspective. SAM is designed to right-size your licenses to properly support your organization.
    • One trap organizations often fall into is bundling discounts. Vendors will offer steep discounts if clients purchase multiple titles. On the surface, this might seem like a great offer.
    • However, what often happens is that organizations will bundle titles to get a steep discount on their prize title of the group.
    • The other titles become shelfware, and when the time comes to renew the contract, the maintenance fees on the shelfware titles will often make the contract more expensive than if only the prize title was purchased.

    Additionally, information regarding what licenses are being used for certain services may yield insight into potential redundancies. For example, two separate departments may have each have a different application deployed that supports the same service. This presents an opportunity for savings based on bulk licensing agreements, not to mention a simplified support environment by reducing the number of titles deployed in your environment.

    Define a procedure for tracking and negotiating contract renewals

    Participants: IT Director/CIO, Asset Manager, Purchasing, Service Desk Manager, Operations (optional)

    Document: Document in the Standard Operating Procedures.

    Discuss and document a policy for tracking and negotiating contract renewals. Answer the following questions as guides:

    • How will renewal dates be tracked and monitored?
    • How soon should contracts be reviewed prior to renewal to determine appropriateness for use and compliance?
    • What criteria will be used to determine if the product should be renewed?
    • Who will be consulted for contract renewal decisions for major contracts?
    • How will licensing and support decisions be made?

    Optional contract review:

    1. Take a sample contract to renew. Create a list of services that are supported by the software. Look for overlaps, redundancies, shelfware, and potential bundling opportunities. Recall the issues outlined when purchasing bundled software.
    2. Create a list of action items to bring into the next round of contract negotiations with that vendor and identify a start date to begin reviewing these items.

    Define process for contract renewals and additional procurement scenarios

    Associated Activity icon 2.1.6 Build additional procurement workflows

    Participants: Asset Manager, Purchasing, Service Desk Manager, Operations (optional)

    Document: Document in the Standard Operating Procedures.

    Build procurement workflows and define policies and procedures for additional purchasing scenarios beyond new contracts.

    This may include:

    1. Contract renewals
    2. Single purchase, non-contract procurement
    3. Adding to contracts

    Use the sample workflows in the Standard Operating Procedures as a guide.

    A flowchart outlining the procurement process for 'Software Contract Renewal'.

    A flowchart outlining the procurement process for 'Software single purchase, non-contract'.

    Negotiate for value to ensure quality license agreements

    Approach negotiating from a value-first, price-second perspective.

    Contract negotiations too often come down to a question of price. While you want to avoid overpaying for licenses, a worse offense is getting a steep discount for a bundle of applications where the majority will go unused.

    Vendors will try to sell a full stack of software at a steep discount to give the illusion of value. Often organizations bite off more than they can chew. When auditors come knocking, the business may be in compliance, but being over-licensed is a dangerous state to be in. Organizations end up over-licensed and in possession of numerous “shelfware” apps that sit on the proverbial shelf collecting dust while drawing expensive maintenance and licensing fees from the business.
    • Pressure from the business is also an issue. Negotiations can be rushed in an effort to fulfill an immediate need.
    • Make sure you clearly outline the level of compliance expected from the vendor.
    • Negotiate reduced-fee software support services. Your Service Desk can already handle the bulk of requests, and investing in a mature Service Desk will provide more lasting value than paying for expensive maintenance and support services that largely go unused.

    Learn to negotiate effectively to optimize contract renewals

    Leverage Info-Tech’s research, Master Contract Review and Negotiation for Software Agreements, to review your software contracts to leverage your unique position during negotiations and find substantial cost savings.

    This blueprint includes the following tools and templates:

    • RASCI Chart
    • Vendor Communication Management Plan
    • Software Business Use Case Template
    • SaaS TCO Calculator
    • Software Terms & Conditions Evaluation Tool
    • Software Buyer’s Checklist
    • Controlled Vendor Communications Letter
    • Key Vendor Fiscal Year End Calendar
    • Contract Negotiation Tactics Playbook

    Step 2.2 Receive and deploy software

    Phase 2:
    Procure, Receive & Deploy
    This step will walk you through the following activities:This step involves the following participants:

    2.1

    Request & Procure
    • 2.2.1 Identify storage locations for software information and media
    • 2.2.2 Design the workflow for receiving software
    • 2.2.3 Design and document the deployment workflow(s)
    • 2.2.4 Create a list of pre-approved, approved, and unapproved software titles
    • 2.2.5 Document the request and deployment process for non-standard software requests
    • IT Director, CIO
    • IT Managers and SAM Manager
    • SAM Team
    • Purchasing (optional)
    • Service Desk Manager (optional)
    • Operations (optional)
    • Release & Deployment manager (optional)

    2.2

    Receive & Deploy

    Step Outcomes

    • A strategy for storing software information and media in the ITAM database and DML
    • A documented workflow for the software receiving process
    • Documented process workflows for software requests and deployment, including for large quantities of software
    • A list of pre-approved, approved, and unapproved software titles for deployment
    • A process for responding to non-standard software requests

    Verify product and information upon receipt

    Upon receipt of procured software:

    • Verify that the product is correct
    • Reconcile with purchase record to ensure the order has been completed
    • Verify that the invoice is correct
    • Update financial information such as budget and accounting records
    • Update ITAM database to show status as received
    • Record/attach license keys and software codes in ITAM database
    • Attach relevant documents to record in the ITAM database (license reports, invoices, end-user agreement, etc.)
    • Download and store any installation files, DVDs, and CDs
    • Once software has been installed, verify license is matched to discovered installed software within the ITAM database

    Info-Tech Best Practice

    While most software will be received through email and download, in some cases physical software may be received through courier or mail. Ensure processes and procedures are defined for both cases.

    Establish a secure repository for licenses and documentation

    All licenses, documentation, and digital media for authorized and supported software should be collected and stored in a central, secure location to minimize risk of theft, loss, or unauthorized installation or duplication of software.

    Where to store software data?

    The ITAM database should contain an up-to-date record of all software assets, including their associated:

    • Serial numbers
    • License keys and codes
    • Contracts and agreements

    The database allows you to view software that is installed and associated licenses.

    A definitive media library (DML) is a single logical storage area, which may consist of one or more locations in which definitive authorized versions of all software configuration items are securely stored and protected.

    The DML consists of file storage as well as physical storage of CDs and DVDs and must be continually updated to contain the latest information about each configuration item.

    The DML is used to organize content and link to automated deployment to easily install software.

    Use a definitive media library (DML) to assist in storage of software packages for deployment

    The DML will usually contain the most up-to-date versions to minimize errors created by having unauthorized, old, or problematic software releases being deployed into the live IT environment. The DML can be used for both full-packed product (FPP) software and in-house developed software, providing formalized data around releases of in-house software.

    The DML should consist of two main storage areas:

    1. Secure file storage
    2. Secure physical storage for any master CD/DVDs

    Additional Recommendations:

    • The process of building, testing, adapting, and final pre-production testing should provide your IT department with a solid final deployment package, but the archive will enable you to quickly pull in a previous version if necessary.
    • When upgrading software packages to include new patches or configurations, use the DML to ensure you're referencing a problem-free version.
    • Include the DML in your disaster recovery plan (DRP) and include testing of the DML as part of your DRP testing. If you need to rebuild servers from these files, offsite, you'll want to know your backup DML is sound.

    Ensure you have a strategy to create and update your DML

    Your DML should have a way to separate archived, new, and current software to allow for optimal organization of files and code, to ensure the correct software is installed, and to prepare for automated deployment through the service catalog.

    New software hasn’t been tested yet. Make it available for testing, but not widely available.

    Keep a record for archived software, but do not make it available for install.

    Current software is regularly used and should be available for install.

    Deployment

    • Are you using tools to integrate with the DML for deployment?
    • Store files that are ready for automated deployment in a separate location.

    Identify storage locations for software information and media

    Associated Activity icon 2.2.1 Identify software storage locations

    Participants: Asset Manager, IT Director

    Document: Document in the Standard Operating Procedures.

    1. Identify storage locations for asset data that is received (i.e. ITAM database, DML).
    2. Identify information that should be stored with each asset (i.e. license, serial number, invoice, end-user license agreement) and where this information should be stored.
    3. Identify fields that should be populated in the DML for each record:
      • Product name
      • Version
      • Description
      • Authorized by
      • Received by/date
      • Configuration item on which asset is installed
      • Media
      • Physical and backup locations
      • Verified by/date

    Define the standard process for receiving software

    Define the following in your receiving process:

    • Process for software received by email/download
    • Process for physical material received at Service Desk
    • Information to be recorded and where
    • Process following discrepancy of received software
    A flowchart outlining the standard process for receiving software. There are two levels, at the top is 'Desktop Support Team' and the bottom is 'Procurement'. It begins in 'Desktop Support Team' with 'Received at Service Desk' or 'Receive by email/download'. If the reconciliation is correct it eventually moves on to 'Fulfill service request, deliver and close ticket'. If the reconciliation is not correct it moves to 'Contact vendor with discrepancy details' in 'Procurement'. If a return is required 'Repackage and ship', or if not 'Notify Desktop Support Team of resolution'.

    Design the workflow for receiving software

    Associated Activity icon 2.2.2 Design the workflow for receiving software

    Participants: Asset Manager, Purchasing, Service Desk Manager, Operations (optional)

    Document: Document in the Standard Operating Procedures.

    Option 1: Whiteboard

    1. Discuss the workflow and draw it on the whiteboard.
    2. Assess whether you are using the best workflow. Modify it if necessary.
    3. Use the sample workflow from this step as a guide if starting from scratch.
    4. Engage the team in refining the process workflow.
    5. Transfer data to Visio and add to the SOP.

    Option 2: Tabletop Exercise

    1. Distribute index cards to each member of the team.
    2. Have each person write a single task they perform on the index card. Be granular. Include the title or the name of the person responsible.
    3. Mark cards that are decision points. Use a card of a different color or use a marker to make a colored dot.
    4. Arrange the index cards in order, removing duplicates.
    5. Assess whether you are using the best workflow. Engage the team to refine it if necessary.
    6. Transfer data to Visio and add to the SOP.

    Build release management into your software deployment process

    A sound software deployment process is tied to sound release management practices.

    Releases: A collection of authorized changes to an IT service. Releases are divided into:

    • Major software releases/upgrades: Normally containing large areas of new functionality, some of which may make intervening fixes to redundant problems.
    • Minor software releases/upgrades: Normally containing small enhancements and fixes, some of which may have already been issued as emergency fixes.
    • Emergency software fixes: Contain the corrections to a small number of known problems.

    Ensure that release management processes work with SAM processes:

    • If a release will impact licensing, the SAM manager must be made aware to make any necessary adjustments.
    • Deployment models should be in line with SAM strategy (i.e. is software rolled out to everyone or individually when upgrades are needed?).
    • How will user requests for upgrades be managed?
    • Users should be on the same software version to ensure file compatibility and smooth patch management.
    • Ideally, software should be no more than two versions back.

    Document the process workflow for software deployment

    Define the process for deploying software to users.

    Include the following in your workflow:

    • All necessary approvals
    • Source of software
    • Process for standard vs. non-standard software requests
    • Update ITAM database once software has been installed with license data and install information
    A flowchart outlining the process workflow for software deployment. There are four levels, at the top is 'Business', then 'Desktop Support Team', 'Procurement', and the bottom is 'Asset Manager'. It begins in 'Business' with 'Request for software', and if it is approved by the manager it moves to 'Check DB: Can a volume serial # be used?' in 'Desktop Support Team'. If yes, it eventually moves on to 'Close ticket' on the same level, if not it eventually moves to 'Initiate procurement process' in 'Procurement', 'Initiate receiving process' in 'Asset Manager', and finally to 'Run quarterly license review to purchase volume licenses'.

    Large-scale software rollouts should be run as projects

    Rollouts or upgrades of large quantities of software will likely be managed as projects.

    These projects should include project plans, including resources, timelines, and detailed procedures.

    Define the process for large-scale deployment if it will differ from the regular deployment process.

    A flowchart outlining large-scale software rollouts. There are three levels, at the top is 'IT Procurement', then 'Asset Manager', and the bottom is 'Software Packager'. It begins in 'IT Procurement' with 'Project plan approved', and if a bid is not required it skips to 'Sign contract/Create purchase order'. This eventually moves to 'Receive access to eLicense site/receive access to new product' in 'Asset Manager', and either to 'Approve invoice for payment, forward to accounting' on the same level or to 'Download software, license keys' in 'Software Packager' then eventually to 'Deploy'.

    Design and document the deployment workflow(s)

    Associated Activity icon 2.2.3 Document deployment workflows for desktop and large-scale deployment

    Participants: Asset Manager, Service Desk Manager, Release & Deployment Manager

    Document: Document in the Standard Operating Procedures.

    1. Outline each step in the process of software deployment using notecards or on a whiteboard. Be as granular as possible. On each card, describe the step and the individual responsible for each step.
      • Be sure to identify the type of release for standard software releases and patches.
      • Additionally, identify how additional software outside the scope of the base image will be addressed.
    2. When you are satisfied that each step is accurately captured, use a second color of notecard to document any challenges, inefficiencies, or pains associated with each step. Consider further documenting the time on each task.
    3. Examine each challenge or pain point. Discuss whether there is a clear solution to the problem. If so, document the solution and amend the workflow. If not, engage in a broader discussion of possible solutions, considering people, processes, and available technology.
    4. Document separately the process for large-scale software deployment if required.

    Develop standards to streamline your software estate

    Software should be approved and deployed based on approved standards to minimize over-deployed software and manage costs appropriately. A list of standard software improves the efficiency of the software approval process.

    • Pre-approved titles include basic platforms like Office or Adobe Reader that are often available in enterprise-wide license packages.
    • Approved titles include popular titles with license numbers that need to be managed on a role-by-role basis. For example, if most of your marketing team uses the Adobe Creative Suite, a user still needs to get approval before they can get a license.
    • Unapproved titles are managed on a case-by-case basis and are up to the discretion of the asset manager and other involved parties.

    Additionally, create a list of unauthorized software including titles not to be installed under any circumstances. This list should be designed with feedback from your end users and technical support staff. Front-line knowledge is crucial to identifying which titles are causing major problems.

    Create a list of pre-approved, approved, and unapproved software titles

    Associated Activity icon 2.2.4 Determine software categories for deployment

    Participants: IT Director, Asset Manager, Purchasing (optional), Service Desk Manager (optional), Release & Deployment Manager (optional)

    Document: Document in the Standard Operating Procedures.

    1. Define software categories that will be used to build software standards.
    2. Include definitions of each category.
    3. Add examples of software to each category to begin building list of approved software titles for deployment.

    Use the following example as a guide.

    Category Definition Software titles
    Pre-approved/standard
    • Supported and approved for install for all end users
    • Included on most, if not all devices
    • Typically installed as a base image
    • Microsoft Office (Outlook, Word, Excel, PowerPoint)
    • Adobe Reader
    • Windows
    Approved by role
    • Supported and approved for install, but only for certain groups of end users
    • Popular titles with license numbers that need to be managed on a role-by-role basis
    • Pre-approved for purchase with business manager’s approval
    • Adobe Creative Cloud Suite
    • Adobe Acrobat Pro
    • Microsoft Visio
    Unapproved/requires review
    • Not previously approved or installed by IT
    • Special permission required for installation based on demonstrable business need
    • Managed on a case-by-case basis
    • Up to the discretion of the asset manager and other involved parties
    • Dynamics
    • Zoom Text
    • Adaptive Insights
    Unauthorized
    • Not to be installed under any circumstances
    • Privately owned software
    • Pirated copies of any software titles
    • Internet downloads

    Define the review and approval process for non-standard software

    Software requiring review will need to be managed on a case-by-case basis, with approval dependent on software evaluation and business need.

    The evaluation and approval process may require input from several parties, including business analysts, Security, technical team, Finance, Procurement, and the manager of the requestor’s department.

    A flowchart outlining the review and approval process for non-standard software. There are five levels, at the top is 'Business Analyst/Project Manager', then 'Security Team', 'Technical Team', 'Financial & Contract Review' and the bottom is 'Procurement'. It begins in 'Business Analyst/Project Manager' with 'Request for non-standard software', and if the approved product is available it moves to 'Evaluate tool for security, data, and privacy compliance' in 'Security Team'. If more evaluation is necessary it moves to 'Evaluate tool for infrastructure and integration requirements' in 'Technical Team', and then 'Evaluate terms and conditions' in 'Financial & Contract Review'. At any point in the evaluation process it can move back to the 'Business Analyst/Project Manager' level for 'Assemble requirements details', and finally down to the 'Procurement' level for 'Execute purchase'.

    Document the request and deployment process for non-standard software

    Associated Activity icon 2.2.5 Document process for non-standard software requests

    Participants: Asset Manager, Service Desk Manager, Release & Deployment Manager

    Document: Document in the Standard Operating Procedures.

    Define the review and approval process for non-standard software requests.

    Use the workflow on the previous slide as a guide to map your own workflow process and document the steps in the Standard Operating Procedures.

    The following assessments may need to be included in the process:

    • Functionality and use requirements: May include suggestion back to the business before proceeding any further to see if similar, already approved software could be used in its place.
    • Technical specifications: Cloud, data center, hardware, backups, integrations (Active Directory, others), file, and program compatibility.
    • Security: Security team may need to assess to ensure nothing will install that will compromise data or systems security.
    • Privacy policy: Security and compliance team may need to evaluate the solution to ensure data will be secured and accessed only by authorized users.
    • Terms and conditions: The contracts team may evaluate terms and conditions to ensure contracts and end-user agreements do not violate existing standards.
    • Accessibility and compliance: Software may be required to meet accessibility requirements in accordance with company policies.

    BMW deployed a global data centralization program to achieve 100% license visibility

    Logo for BMW.

    Case Study

    Industry: Financial Services
    Source: SAM Summit 2014

    Challenge

    BMW is a large German automotive manufacturer that employs over 100,000 people. It has over 7,000 software products deployed across 106,000 clients and servers in over 150 countries.

    When the global recession hit in 2008, the threat of costly audits increased, so BMW decided to boost its SAM program to cut licensing costs. It sought to centralize inventory data from operations across the globe.

    Solution

    A new SAM office was established in 2009 in Germany. The SAM team at BMW began by processing all the accumulated license and installation data from operations in Germany, Austria, and the UK. Within six months, the team had full visibility of all licenses and software assets.

    Compliance was also a priority. The team successfully identified where they could make substantial reductions in support and maintenance costs as well as remove surplus costs associated with duplicate licensing.

    Results

    BMW overcame a massive data centralization project to achieve 100% visibility of its global licensing estate, an incredible achievement given the scope of the operation.

    BMW experienced efficiency gains due to transparency and centralized management of licenses through the new SAM office.

    Additionally, internal investment in training and technical knowledge has helped BMW continuously improve the program. This has resulted in ongoing cost reductions for the manufacturer.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech Workshop Associated Activity icon

    Book a workshop with our Info-Tech analysts:

    Photo of an Info-Tech analyst.
    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analyst will join you and your team onsite at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    2.1.5

    Sample of activity 2.1.5 'Build software procurement workflow for new contracts'. Build software procurement workflow for new contracts

    Use the sample workflow to document your own process for procurement of new software contracts.

    2.2.4

    Sample of activity 2.2.4 'Create a list of pre-approved, approved, and unapproved software titles'. Create a list of pre-approved, approved, and unapproved software titles

    Build definitions of software categories to inform software standards and brainstorm examples of each category.

    Phase 2 outline

    Associated Activity icon Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 2: Procure, receive, and deploy

    Proposed Time to Completion (in weeks): 6
    Step 2.1: Request and procureStep 2.2: Receive and deploy
    Start with an analyst kick-off call:
    • Define standards for software requests
    • Build procurement policy
    • Define procurement processes
    Review findings with analyst:
    • Build processes for software receiving
    • Build processes for software requests and deployment
    • Define process for non-standard requests
    Then complete these activities…
    • Determine software standards
    • Define procurement policy
    • Identify authorization thresholds
    • Build procurement workflows for new contracts and renewals
    Then complete these activities…
    • Identify storage locations for software information
    • Design workflow for receiving software
    • Design workflow for software deployment
    • Create a list of approved and non-standard requests
    • Define process for non-standard requests
    With these tools & templates:
    • Standard Operating Procedures
    With these tools & templates:
    • Standard Operating Procedures

    Phase 3: Manage, Redeploy, and Retire

    Step 3.1 Manage and maintain software contracts

    Phase 3:
    Manage, Redeploy & Retire
    This step will walk you through the following activities:This step involves the following participants:

    3.1

    Manage & Maintain Software
    • 3.1.1 Define process for conducting software inventory
    • 3.1.2 Define policies for software maintenance and patches
    • 3.1.3 Document your patch management policy
    • IT Director, CIO
    • IT Managers and SAM Manager
    • SAM Team
    • Release Manager (optional)
    • Security (optional)

    3.2

    Harvest, Redeploy, or Retire

    Step Outcomes

    • A process for conducting regular software inventory checks and analyzing the data to continually manage software assets and license compliance.
    • An understanding of software maintenance requirements
    • A policy for conducting regular software maintenance and patching
    • A documented patch management policy

    Manage your software licenses to decrease your risk of overspending

    Many organizations fail to track their software inventory effectively; the focus often remains on hardware due to its more tangible nature. However, annual software purchases often account for a higher IT spend than annual hardware purchases, so it’s important to track both.

    Benefits of managing software licenses

    • Better control of the IT footprint. Many companies already employ hardware asset management, but when they employ SAM, there is potential to save millions of dollars through optimal use of all technology assets.
    • Better purchasing decisions and negotiating leverage. Enhanced visibility into actual software needs means not only can companies procure and deploy the right increments of software in the right areas, but they can also do so more cost-effectively through tools such as volume purchase agreements or bundled services.
    • No refund policy combined with shelfware (software that sits unused “on the shelf”) is where software companies make their money.
    • Managing licenses will help prevent costly audit penalties. Special attention should be paid to software purchased from large vendors such as Microsoft, Oracle, Adobe, SAP, or IBM.

    Maintain a comprehensive, up-to-date software inventory to manage licenses effectively

    A clearly defined process for inventory management will reduce the risk of over buying licenses and falling out of compliance.

    • A detailed software inventory and tracking system should act as a single point of contact for all your license data.
    • Maintain a comprehensive inventory of installed software through complete and accurate records of all licenses, certifications, and software purchase transactions, storing these in a secure repository.
    • Periodically review installed software and accompanying licenses to ensure only legal and supported software is in use and to ensure ongoing compliance with the software management policy.

    Info-Tech Best Practice

    Have and maintain a list of supported software to guide what new software will be approved for purchase and what current software should be retained on the desktops, servers, and other processing devices.

    Conduct a baseline inventory of deployed software to know what you have

    You have to know what you have before you can manage it.

    A baseline inventory tells you exactly what software you have deployed and where it is being used. This can help to determine how to best optimize software and license usage.

    A software inventory will allow you to:

    • Identify all software residing on computers.
    • Compare existing software to the list of supported software.
    • Identify and delete illegal or unsupported software.
    • Identify and stop software use that violates license agreements, copyright law, or organizational policies.

    Two methods for conducting a software inventory:

    1. If you have several computers to analyze, use automated tools to conduct inventory for greater accuracy and efficiency. Software inventory or discovery tools scan installed software and generate inventory reports, while asset management tools will help you manage that data.
    2. Manual inventory may be possible if your organization has few computers.

    How to conduct a manual software inventory:

    1. Record serial number of device being analyzed.
    2. Record department and employee to whom the computer is assigned.
    3. Inspect contents of hard drive and/or server to identify software as well as hidden files and directories.
    4. Record licensing information for software found on workstation and server.
    5. Compare findings with list of supported software and licenses stored in repository.

    Keep the momentum going through regular inventory and licensing checks

    Take preventive action to avoid unauthorized software usage through regular software inventory and license management:

    • Regularly update the list of supported software and authorized use.
    • Monitor and optimize software license usage.
    • Continually communicate with and train employees around software needs and policies.
    • Maintain a regular inventory schedule to keep data up to date and remain compliant with licensing requirements – your specific schedule will depend on the size of the company and procurement schedule.
    • Conduct random spot inventories – even if you are using a tool, periodic spot checks should still be performed to ensure accuracy of inventory.
    • Periodically review software procurement records and ensure procurement process is being followed.
    • Continuously monitor software installations on networked computers through automated tools.
    • Ensure software licensing documentation and data is secure.

    Define process for conducting software inventory

    Associated Activity icon 3.1.1 Define process for regular software inventory

    Participants: IT Director, Asset Manager

    Document: Document in the Standard Operating Procedures.

    1. If a baseline software inventory has not been conducted, discuss and document a plan for completing the inventory.
      • Will the inventory be conducted manually or through automated tools?
      • If manually, what information will be collected and recorded? Which devices will be analyzed? Where will data be stored?
      • If automatically, which tools will be used? Will any additional information need to be collected? Who will have access to the inventory?
      • When will the inventory be conducted and by whom?
        • Monthly inventory may be required if there is a lot of change and movement, otherwise quarterly is usually sufficient.
    2. Document how inventory data will be analyzed.
      • How will data be compared against supported software?
      • How will software violations be addressed?
    3. Develop a plan for continual inventory spot checks and maintenance.
      • How often will inventory be conducted and/or analyzed?
      • How often will spot checks be performed?

    Don’t forget that software requires maintenance

    While maintenance efforts are typically focused around hardware, software maintenance – including upgrades and patches – must be built into the software asset management process to ensure software remains compliant with security and regulatory requirements.

    Software maintenance guidelines:

    • Maintenance agreements should be stored in the ITAM database.
    • Software should be kept as current as possible. It is recommended that software remain no more than two versions off.
    • Unsupported software should be uninstalled or upgraded as required.
    • Upgrades should be tested, especially for high-priority or critical applications or if integrated with other applications.
    • Change and release management best practices should be applied for all software upgrades and patches.
    • A process should be defined for how often patches will be applied to end-user devices.

    Integrate patch management with your SAM practice to improve security and reduce downtime

    The integration between patch management and asset management is incredibly valuable from a technology point of view. IT asset management (ITAM) tools create reports on the characteristics of deployed software. By combining these reports with a generalized software updater, you can automate most simple patches to save your team’s efforts for more-critical incidents. Usage reports can also help determine which applications should be reviewed and removed from the environment.

    • In recent years, patch management has grown in popularity due to widespread security threats, the resultant downtime, and expenses associated with them.
    • The main objective of patch management is to create a consistently configured environment that is secure against known vulnerabilities in operating systems and application software.

    Assessing new patches should include questions such as:

    • What’s the risk of releasing the patch? What is the criticality of the system? What end users will be affected?
    • How will we manage business disruption during an incident caused by a failed patch deployment?
    • In the event of service outage as a result of a failed patch deployment, how will we recover services effectively in business priority order?
    • What’s the risk of expediting the patch? Of not releasing the patch at all?

    Define policies for software maintenance and patches

    Associated Activity icon 3.1.2 Define software maintenance and patching policies

    Participants: IT Director, Asset Manager, Release Manager (optional), Security (optional)

    Document: Document in the Standard Operating Procedures.

    Software maintenance:

    Review the software maintenance guidelines in this section and in the SOP template. Discuss each policy and revise and document in accordance with your policies.

    Patch management:

    Discuss and document patch management policies:

    1. How often will end-user devices receive patches?
    2. How often will servers be patched?
    3. How will patches be prioritized? See example below.
      • Critical patches will be applied within two days of release, with testing prioritized to meet this schedule.
      • High-priority patches will be applied within 30 days of release, with testing scheduled to meet this requirement.
      • Normal-priority patches will be evaluated for appropriateness and will be installed as needed.

    Document your patch management policy

    Supporting Tool icon 3.1.3 Use the Patch Management Policy template to document your policy

    The patch management policy helps to ensure company computers are properly patched with the latest appropriate updates to reduce system vulnerability and to enhance repair application functionality. The policy aids in establishing procedures for the identification of vulnerabilities and potential areas of functionality enhancements, as well as the safe and timely installation of patches. The patch management policy is key to identifying and mitigating any system vulnerabilities and establishing standard patch management practices.

    Use Info-Tech’s Patch Management Policy template to get started.

    Sample of the 'Patch Management Policy' template.

    Step 3.2 Harvest, Redeploy, or Retire Software

    Phase 3:
    Manage, Redeploy & Retire
    This step will walk you through the following activities:This step involves the following participants:

    3.1

    Manage & Maintain Software
    • 3.2.1 Map your software license harvest and reallocation process
    • 3.2.2 Define the policy for retiring software
    • IT Director, CIO
    • IT Managers and SAM Manager
    • SAM Team

    3.2

    Harvest, Redeploy, or Retire

    Step Outcomes

    • A defined process for harvesting and reallocating unused software licenses
    • A defined policy for how and when to retire unused or outdated software

    Harvest and reallocate software to optimize license usage

    Using a defined process for harvesting licenses will yield a crop of savings throughout the organization.

    Unused software licenses are present in nearly every organization and result in wasted resources and software spend. Recycling and reharvesting licenses is a critical process within software asset management to save your organization money.

    Licensing Recycling

    When computers are no longer in use and retired, the software licenses installed on the machines may be able to be reused.

    License recycling involves reusing these licenses on machines that are still in use or for new employees.

    License Harvesting

    License harvesting involves more actively identifying machines with licenses that are either not in use or under utilized, and recovering them to be used elsewhere, thus reducing overall software spend on new licenses.

    Use software monitoring data to identify licenses for reallocation in alignment with policies and agreements

    1. Monitor software usage
      Monitor and track software license usage to gain a clear picture of where and how existing software licenses are being used and identify any unused or underused licenses.
    2. Identify licenses for reharvesting
      Identify software licenses that can be reharvested and reallocated according to your policy.
    3. Uninstall software
      Notify user, schedule a removal time if approved, uninstall software, and confirm it has been removed.
    4. Reallocate license when needed

    Sources of surplus licenses for harvest:

    • Projects that required a license during a particular time period, but now do not require a license (i.e. the free version of the software will suffice)
    • Licenses assigned to users no longer with the organization
    • Software installed on decommissioned hardware
    • Installed software that hasn’t been used by the user in the last 90 days (or other defined period)
    • Over-purchased software due to poorly controlled software request, approval, or provisioning processes

    Info-Tech Insight

    Know the stipulations of your end-user license agreement (EULA) before harvesting and reallocating licenses. There may be restrictions on how often a license can be recycled in your agreement.

    Create a defined process for software license harvesting

    Define a standard reharvest timeline. For example, every 90 days, your SAM team can perform an internal audit using your SAM tool to gather data on software usage. If a user has not used a title in that time period, your team can remove that title from that user’s machine. Depending on the terms and conditions of the contract, the license can either be retired or harvested and reallocated.

    Ensure you have exception rules built in for software that’s cyclical in its usage. For example, Finance may only use tax software during tax season, so there’s no reason to lump it under the same process as other titles.

    It’s important to note that in addition to this process, you will need a software usage policy that supports your license harvest process.

    The value of license harvesting

    • Let’s say you paid for 1,000 licenses of a software title at a price of $200 per license.
    • Of this total, 950 have been deployed, and of that total, 800 are currently being used.
    • This means that 16% of deployed licenses are not in use – at a cost of $30,000.
    • With a defined license harvest process, this situation would have been prevented.

    Build a workflow to document the software harvest process

    Include the following in your process:

    • How will unused software be identified?
    • How often will usage reports be reviewed?
    • How will the user be notified of software to be removed?
    • How will the software be removed?
    A flowchart documenting the software harvest process. There are two levels, at the top is 'IT Asset Manager', and the bottom is 'Desktop Support Team'. It begins in 'IT Asset Manager' with 'Create/Review Usage Report', and if the client agrees to removal it moves to 'License deactivation required?' in 'Desktop Support Team'. Eventually you 'Close ticket' and it moves back up to 'Discovery tool will register change automatically' in 'IT Asset Manager'.

    Map your software license harvest and reallocation process

    Associated Activity icon 3.2.1 Build license harvest and reallocation workflow

    Participants: IT Director, Asset Manager, Service Desk Manager

    Document: Document in the Standard Operating Procedures.

    1. Outline each step in the process of software harvest and reallocation using notecards or a whiteboard. Be as granular as possible. On each card, describe the step and the individual responsible for each step.
    2. When you are satisfied that each step is accurately captured, use a second color of notecard to document any challenges, inefficiencies, or pains associated with each step. Consider further documenting the time on each task.
    3. Examine each challenge or pain point. Discuss whether there is a clear solution to the problem. If so, document the solution and amend the workflow. If not, engage in a broader discussion of possible solutions, considering people, processes, and available technology.
    4. Use the sample workflow on the previous slide as a guide if needed.

    The same flowchart documenting the software harvest process from the previous section.

    Improve your software retirement process to drive savings for the whole business

    Business Drivers for Software Disposal

    • Cost Reduction
      • Application retirement allows the application and the supporting hardware stack to be decommissioned.
      • This eliminates recurring costs such as licensing, maintenance, and application administration costs, representing potentially significant savings
    • Consolidation
      • Many legacy applications are redundant systems. For example, many companies have ten or more legacy financial systems from mergers/acquisitions.
      • Systems can be siloed, running incompatible software. Moving data to a common accessible repository streamlines research, audits, and reporting.
    • Compliance
      • An increased focus on regulations places renewed emphasis on e-discovery policies. Keeping legacy applications active just to retain data is an expensive proposition.
      • During application retirement, data is classified, assigned retention policies, and disposed of according to data/governance initiatives.
    • Risk Mitigation
      • Relying on IT to manage legacy systems is problematic. The lack of IT staff familiar with the application increases the potential risk of delayed responses to audits and e-discovery.
      • Retiring application data to a common platform lets you leverage skills you have current investments in. This enables you to be responsive to audit or litigation results.

    Retire your outdated software to decrease IT spend on redundant applications

    Benefits of software retirement:

    1. Assists the service desk in not having to support every release, version, or edition of software that your company might have used in the past.
    2. Stay current with product releases so your company is better placed to take advantage of improvements built-in to such products, rather than being limited by the lack of a newly introduced function.
    3. Removing software that is no longer of commercial benefit can offer a residual value through assets.

    Consequences of continuing to support outdated software:

    • Budgets are tied up to support existing applications and infrastructure, which leaves little room to invest in new technologies that would otherwise help grow business.
    • Much of this software includes legacy systems that were acquired or replaced when new applications were deployed. The value of these outdated systems decreases with every passing year, yet organizations often continue to support these applications.
      • Fear of compliance and data access are the most common reasons.
    • Unfortunately, the cost of doing so can consume over 50% of an overall IT budget.

    The solution to this situation is to retire outdated software.

    “Time and time again, I keep hearing stories from schools on how IT budgets are constantly being squeezed, but when I dig a little deeper, little or no effort is being made on accounting for software that might be on the kit we are taking away.” (Phil Goldsmith, Managing Director – ScrumpyMacs)

    Define the policy for retiring software

    Associated Activity icon 3.2.2 Document process for software retirement

    Participants: IT Director, Asset Manager, Operations

    Document: Document in the Standard Operating Procedures.

    1. Discuss and document the process for retiring software that has been deemed redundant due to changing business needs or an improvement in competitive options.
    2. Consider the following:
      • What criteria will determine when software is suited for retirement?
      • The contract should always be reviewed before making a decision to ensure proper notice is given to the vendor.
      • Notice should be provided as soon as possible to ensure no additional billing arrives for renewals.
      • How will software be removed from all devices? How soon must the software be replaced, if applicable?
      • How long will records be archived in the ITAM database?
    3. Document decisions in the Standard Operating Procedures.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech Workshop Associated Activity icon

    Book a workshop with our Info-Tech analysts:

    Photo of an Info-Tech analyst.
    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analyst will join you and your team onsite at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    3.1.2

    Sample of activity 3.1.2 'Define policies for software maintenance and patches'. Define policies for software maintenance and patches

    Discuss best practices and define policies for conducting regular software maintenance and patching.

    3.2.1

    Sample of activity 3.3.1 'Assess the maturity of audit management processes and policies'. Map your software license harvest and reallocation process

    Build a process workflow for harvesting and reallocating unused software licenses.

    Phase 3 outline

    Associated Activity icon Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 3: Manage, redeploy, and retire

    Proposed Time to Completion (in weeks): 4
    Step 3.1: Manage and maintain softwareStep 3.2: Harvest, redeploy, or retire
    Start with an analyst kick-off call:
    • Define a process for conducting software inventory
    • Define a policy for software maintenance
    • Build a patch management policy
    Review findings with analyst:
    • Build a process for harvesting and reallocating software licenses
    • Define a software retirement policy
    Then complete these activities…
    • Define process for conducting software inventory
    • Define policies for software maintenance
    • Document patch management policy
    Then complete these activities…
    • Map software harvest and reallocation process
    • Define software retirement policy
    With these tools & templates:
    • Standard Operating Procedures
    • Patch Management Policy
    With these tools & templates:
    • Standard Operating Procedures

    Phase 4: Build Supporting Processes & Tools

    Visa used an internal SAM strategy to win the audit battle

    Logo for VISA.

    Case Study

    Industry: Financial Services
    Source: SAM Summit 2014

    Challenge

    The overarching goal of any SAM program is compliance to prevent costly audit fines. The SAM team at Visa was made up of many individuals who were former auditors.

    To deal with audit requests from vendors, “understand how auditors do things and understand their approach,” states Joe Birdsong, SAM Director at Visa.

    Vendors are always on the lookout for telltale signs of a lucrative audit. For Visa, the key was to understand these processes and learn how to prepare for them.

    Solution

    Vendors typically look for the following when evaluating an organization for audit:

    1. A recent decrease in customer spend
    2. How easy the licensed software is to audit
    3. Organizational health

    Ultimately, an audit is an attack on the relationship between the vendor and organization. According to Birdsong: “Maybe they haven’t really touched base with your teams and had good contact and relationship with them, and they don’t really know what’s going on in your enterprise.”

    Results

    By understanding the motivations behind potential audits, Visa was able to form a strategy to increase transparency with the vendor.

    Regular data collection, almost real-time reporting, and open, quick communication with the vendor surrounding audits made Visa a low-risk client for vendors.

    Buy-in from management is also important, and the creation of an official SAM strategy helps maintain support. Thanks to its proactive SAM program, Visa saved $200 million in just three years.

    Step 4.1 Ensure compliance for audits

    Phase 4:
    Build supporting processes & tools
    This step will walk you through the following activities:This step involves the following participants:

    4.1

    Compliance & audits
    • 4.1.1 Define and document the internal audit process
    • 4.1.2 Define and document the external audit process
    • 4.1.3 Prepare an audit scoping email template
    • 4.1.4 Prepare an audit launch email template
    • IT Director, CIO
    • IT Managers and SAM Manager
    • SAM Team

    4.2

    Communicate & build roadmap

    Step Outcomes

    • An understanding of the audit process and importance of audit preparation
    • A defined process for conducting regular internal audits to prepare for and defend against external audits
    • A strategy and documented process for responding to external audit requests

    Take a lifecycle approach to your software compliance process

    Internal audits are an effective way for organizations to regularly assess their licensing position in preparation for an audit.

    1. Gather License Data
      Use your SAM tool to run a discovery check to determine the current state of your software estate.
    2. Improve Data Quality
      Scan the data for red flags. Improve its completeness, consistency, and quality.
    3. Identify Audit Risks
      Using corrected license data, examine your reports and identify areas of risk within the organization.
    4. Identify priority titles
      Determine which titles need attention first by using the output of the license rationalization step.
    5. Reconcile to eliminate gaps
      Ensure that the correct number of licenses are deployed for each title.
    6. Draft Vendor Response
      Prepare response to vendor for when an audit has been requested.

    Improve audit response maturity by leveraging technology and contract data

    By improving your software asset management program’s maturity, you will drive savings for the business that go beyond the negotiating table.

    Recognize the classic signs of each stage of audit response maturity to identify where your organization currently stands and where it can go.

    • Optimized: Automated tools generate compliance, usage, and savings reports. Product usage reports and alerts in place to harvest and reuse licenses. Detailed savings reports provided to executive team.
    • Proactive: Best practices enforced. Compliance positions are checked quarterly, and compliance reports are used to negotiate software contracts.
    • Reactive: Best practices identified but unused. Manual tools still primarily in use. Compliance reports are time-consuming and often inaccurate.
    • Chaotic: Purchases are ad hoc and transaction based. Minimal tracking in place, leading to time-consuming manual processes.

    Implement a proactive internal audit strategy to defend against external audits

    Audits – particularly those related to software – have been on the rise as vendors attempt to recapture revenue.

    Being prepared for an audit is critical. Internal preparation will not only help your organization reduce the risk associated with an audit but will also improve daily operations through focusing on diligent documentation and data collection.

    Conducting routine internal audits will help prepare your organization for the real deal and may even prevent the audit from happening altogether. Hundreds of thousands of dollars can be saved through a proactive audit strategy with routine documentation in place.

    In addition to the fines incurred from a failed audit, numerous other negative consequences can arise:

    • Multiple audits: Failing an audit makes the organization more likely to be audited again.
    • Poor perception of IT: Unless non-compliance was previously disclosed to the business, IT can be deemed responsible.
    • Punitive injunctions: If a settlement is not reached, vendors will apply for an injunction, inhibiting use of their software.
    • Inability to justify purchases: IT can have difficulty justifying the purchase of additional resources after a failed audit.
    • Disruption to business: Precious time and resources will be spent dealing with the results of the audit.

    Perform routine internal compliance reports to decrease audit risk

    The intent of an internal audit is to stop the battle from happening before it starts. Waiting for a knock at the door from a vendor can be stressful, and it can do harm beyond a costly fine.

    • Internal audits help to ensure you’re keeping track of any software changes to keep your data and licensing up to date and avoid costly surprises if an external audit is requested.
    • Identify areas where processes are breaking down and address them before there’s a potential negative impact.
    • Identify control points in processes ahead of time to more easily identify access points where information should be verified.

    “You want to get [the] environment to a level where you’re comfortable sharing information with [a] vendor. Inviting them in to have a chat and exposing numbers means there’s no relationship there where they’re coming to audit you. They only come to audit you when they know there’s a gain to be had, otherwise what’s the point of auditing?
    I want customers to get comfortable with licensing and what they’re spending, and then there’s no problem exposing that to vendors. Vendors actually appreciate that.”
    (Ben Brand, SAM Practice Manager, Insight)

    Info-Tech Insight

    “The supreme art of war is to subdue the enemy without fighting.” – Sun Tzu

    Performing routine checks on your license compliance will drastically reduce the risk that your organization gets hit with a costly fine. Maintaining transparency and demonstrating compliance will fend off audit-hungry vendors.

    Define and document the internal audit process

    Associated Activity icon 4.1.1 Document process and procedures for internal audits

    Participants: CIO and/or IT Director, Asset Manager, IT Managers

    Document: Document in the Standard Operating Procedures.

    Define and document a process for conducting internal software audits.
    Include the following:

    1. How often will audits be completed for each software published?
    2. When will audits be conducted?
    3. Who will conduct the audit? Who will be consulted?
    4. What will be included in the scope of the audit?

    Example:

    • Annual audits will be completed for each software publisher, scheduled as part of the license or maintenance agreement renewals.
    • Where annual purchases are not required, vendor audits for compliance will be conducted annually, with a date predetermined based on minimizing scheduling conflicts with larger audits.
    • Audit will be completed with input from product managers.
    • Audit will include:
      • Software compliance review: Licenses owned compared to product installed.
      • Version review: Determine if installed versions match company standards. If there is a need for upgrades, does the license permit upgrading?
      • Maintenance review: Does the maintenance match requirements for the next year’s plans and licenses in use?
      • Support review: Is the support contract appropriate for use?
      • Budget: Has budget been allocated; is there an adjustment required due to increases?

    Identify organizational warning signs to decrease audit risk

    Being prepared for an audit is critical. Internal preparation will not only help your organization reduce the risk associated with an audit but will also improve daily operations through focusing on diligent documentation and data collection.

    Certain triggers exist that indicate a higher risk of an audit occurring. It is important to recognize these warning signs so you can prepare accordingly.

    Health of organization
    If your organization is putting out fires and a vendor can sense it, they’ll see an audit as a highly lucrative exercise.

    Decrease in customer spend
    A decrease in spend means that an organization has a high chance of being under-licensed.

    License complexity
    The more complex the license, the harder it is to remain in compliance. Some vendors are infamous for their complex licensing agreements.

    Audit Strategy

    • Audits should neither be feared nor embraced.
    • An audit is an attack on your relationship with your vendor; your vendor needs to defend its best interests, but it would also rather maintain a satisfied relationship with its client.
    • A proactive approach to audits through routine reporting and transparency with vendors will alleviate all fear surrounding the audit process. It provides your vendor with compliance assurance and communicates that an audit won’t net the vendor enough revenue to justify the effort.

    Focus on three key tactics for success before responding to an audit

    Taking these due diligence steps will pay dividends downstream, reducing the risk of negative results such as release of confidential information.

    Form an Audit Team

    • Once an audit letter is received from a vendor or third party, a virtual team needs to be formed.
    • The team should be cross-functional, representing various core areas of the business.
    • Don’t forget legal counsel: they will assist in the review of audit provision(s) to determine your contractual rights and obligations with respect to the audit.

    Sign an NDA

    • An NDA should be signed by all parties, the organization, the vendor, and the auditor.
    • Don’t wait on a vendor to provide its NDA. The organization should have its own and provide it to both parties.
    • If the auditor is a third party, negotiate a three-way NDA. This will prevent data being shared with other third parties.

    Examine Contract History

    • Vendors will attempt to alter terms of contracts when new products are purchased.
    • Maintain your current agreement if they are more favorable by “grandfathering” your original agreement.
    • Oracle master level agreements are an example: master level agreements offer more favorable terms than more recent versions.

    Info-Tech Insight

    Even if you cannot get a third-party NDA signed, the negotiation process should delay the overall audit process by at least a month, buying your organization valuable time to gather license data.

    Be prepared for external audit requests with a defined process for responding

    1. Vendor-initiated audit request received and brought to attention of IT Asset Manager and CIO.
    2. Acknowledge receipt of audit notice.
    3. Negotiate timing and scope of the audit (including software titles, geographic locations, entities, and completion date).
    4. Notify staff not to remove or acquire licenses for software under audit.
    5. Gather documentation and create report of all licensed software within audit scope.
      • Include original contract, most recent contract, and any addendums, purchase receipts, or reseller invoices, and publisher documentation such as manuals or electronic media.
    6. Compare documentation to installed software according to ITAM database.
    7. Validate any unusual or non-compliant software.
    8. Complete documentation requested by auditor and review results.

    Define and document the external audit process

    Associated Activity icon 4.1.2 Define external audit process

    Participants: CIO and/or IT Director, Asset Manager, IT Managers

    Document: Document in the Standard Operating Procedures.

    Define and document a process for responding to external software audit requests.
    Include the following:

    1. Who must be notified of the audit request when it is received?
    2. When must acknowledgement of the notice be sent and by whom?
    3. What must be defined under the scope of the audit (e.g. software titles, geographic locations, entities, completion date)?
    4. What communications must be sent to IT staff and end users to ensure compliance?
    5. What documentation should be gathered to review?
    6. How will documentation be verified against data?
    7. How will unusual or non-compliant software be identified and validated?
    8. Who needs to be informed of the results?

    Control audit scope with an audit response template

    Supporting Tool icon 4.1.3 Prepare an audit scoping email template

    Use the Software Audit Scoping Email Template to create an email directed at your external (or internal) auditors. Send the audit scoping email several weeks before an audit to determine the audit’s scope and objectives. The email should include:

    • Detailed questions about audit scope and objectives.
    • Critical background information on your organization/program.

    The email will help focus your preparation efforts and initiate your relationship with the auditors.

    Control scope by addressing the following:

    • Products covered by a properly executed agreement
    • Geographic regions
    • User groups
    • Time periods
    • Specific locations
    • A subset of users’ computers
    Sample of the 'Software Audit Scoping Email Template'.

    Keep leadership informed with an audit launch email

    Supporting Tool icon 4.1.4 Prepare an audit launch email template

    Approximately a week before the audit, you should email the internal leadership to communicate information about the start of the audit. Use the Software Audit Launch Email Template to create this email, including:

    • Staffing
    • Functional requirements
    • Audit contact person information
    • Scheduling details
    • Audit report estimated delivery time

    For more guidance on preparing for a software audit, see Info-Tech’s blueprint: Prepare and Defend Against a Software Audit.

    Sample of the 'Software Audit Launch Email Template'.

    A large bank employed proactive, internal audits to experience big savings

    Case Study

    Industry: Banking
    Source: Pomeroy

    Challenge

    A large American financial institution with 1,300 banking centers in 12 states, 28,000 end users, and 108,000 assets needed to improve its asset management program.

    The bank had employed numerous ITAM tools, but IT staff identified that its asset data was still fragmented. There was still incomplete insight into what assets the banked owned, the precise value of those assets, their location, and what they’re being used for.

    The bank decided to establish an asset management program that involved internal audits to gather more-complete data sets.

    Solution

    With the help of a vendor, the bank implemented cradle-to-grave asset tracking and lifecycle management, which provided discovery of almost $80 million in assets.

    The bank also assembled an ITAM team and a dedicated ITAM manager to ensure that routine internal audits were performed.

    The team was instrumental in establishing standardization of IT policies, hardware configuration, and service requirements.

    Results

    • The bank identified and now tracks over 108,000 assets.
    • The previous level of 80% accuracy in inventory tracking was raised to 96%.
    • Nearly $500,000 was saved through asset recovery and repurposing of 600 idle assets.
    • There are hundreds of thousands of dollars in estimated savings as the result of avoiding costly penalties from failed audits thanks to proactive internal audits.

    Step 4.2 Build communication plan and roadmap

    Phase 4:
    Build supporting processes & tools
    This step will walk you through the following activities:This step involves the following participants:

    4.1

    Compliance & audits
    • 4.2.1 Develop a communication plan to convey the right messages
    • 4.2.2 Anticipate end-user questions by preparing an FAQ list
    • 4.2.3 Build a software asset management policy
    • 4.2.4 Build additional SAM policies
    • 4.2.5 Develop a SAM roadmap to plan your implementation
    • IT Director, CIO
    • IT Managers and SAM Manager
    • SAM Team

    4.2

    Communicate & build roadmap

    Step Outcomes

    • A documented communications plan for relevant stakeholders to understand the benefits and changes the SAM program will bring
    • A list of anticipated end-user questions with responses
    • Documented software asset management policies
    • An implementation roadmap

    Communicate SAM processes to gain acceptance and support

    Communication is crucial to the integration and overall implementation of your SAM program. If staff and users do not understand the purpose of processes and policies, they will fail to provide the desired value.

    An effective communication plan will:

    • Gain support from management at the project proposal phase.
    • Create end-user buy-in once the program is set to launch.
    • Maintain the presence of the program throughout the business.
    • Instill ownership throughout the business from top-level management to new hires.

    Communicate the following:

    1. Advertise successes

      • Regularly demonstrate the value of the SAM program with descriptive statistics focused on key financial benefits.
      • Share data with the appropriate personnel; promote success to obtain further support from senior management.
    2. Report and share asset data

      • Sharing detailed asset-related reports frequently gives decision makers useful data to aid in their strategy.
      • These reports can help your organization prepare for audits, adjust budgeting, and detect unauthorized software.
    3. Communicate the value of SAM

      • Educate management and end users about how they fit into the bigger picture.
      • Individuals need to know which behaviors may put the organization at risk or adversely affect data quality.

    Educate staff and end users through SAM training to increase program success

    As part of your communication plan and overall SAM implementation, training should be provided to both staff and end users within the organization.

    • ITAM solutions are complex by nature with both business process and technical knowledge required to use them correctly.
    • All facets of the business, from management to new hires, should be provided with training to help them understand their role in the program’s success.
    • Keep the message appropriate to the audience – end users don’t need to know the complete process, but will need to know policy and how to request.
    • Even after the SAM program has been fully implemented, keep employees up to date with policies and processes through ongoing training sessions for both new hires and existing employees:
      • New hires: Provide new hires with all relevant SAM policies and ensure they understand the importance of software asset management.
      • Existing employees: Continually remind them of how SAM is involved in their daily operations and inform them of any changes to policies.

    Create your communications plan to anticipate challenges, remove obstacles, and ensure buy-in

    Provide separate communications to key stakeholder groups

    Why:
    • What problems are you trying to solve?
    What:
    • What processes will it affect (that will affect me)?
    Who:
    • Who will be affected?
    • Who do I go to if I have issues with the new process?
    Three circular arrows each linking t the next in a downward daisy chain. The type arrow has 'IT Staff' in the middle, the second 'Management', and the third 'End Users' When:
    • When will this be happening?
    • When will it affect me?
    How:
    • How will these changes manifest themselves?
    Goal:
    • What is the final goal?
    • How will it benefit me?

    Develop a communication plan to convey the right messages

    Associated Activity icon 4.2.1 Develop a communication plan to convey the right messages

    Participants: CIO, IT Director, Asset Manager, Service Desk Manager

    Document: Document in the SAM Communication Plan.

    1. Identify the groups that will be affected by the SAM program.
    2. For each group requiring a communication plan, identify the following:
    3. Benefits of SAM for that group of individuals (e.g. more efficient software requests).
    4. The impact the change will have on them (e.g. change in the way a certain process will work).
    5. Communication method (i.e. how you will communicate).
    6. Timeframe (i.e. when and how often you will communicate the changes).
    7. Complete this information in a table like the one below and document in the Communication Plan.
    Group Benefits Impact Method Timeline
    Executives
    • Improved audit compliance
    • Improved budgeting and forecasting
    • Review and sign off on policies
    End Users
    • Streamlined software request process
    • Follow software installation and security policies
    IT
    • Faster access to data and one source of truth
    • Modified processes
    • Ensure audits are completed regularly

    Anticipate end-user questions by preparing an FAQ list

    Associated Activity icon 4.2.2 Prepare an FAQ list

    Document: Document FAQ questions and answers in the SAM FAQ Template.

    ITAM imposes changes to end users throughout the business and it’s normal to expect questions about the new program. Prepare your team ahead of time by creating a list of FAQs.

    Some common questions include:

    • Why are you changing from the old processes?
    • Why now?
    • What are you going to ask me to do differently?
    • Will I lose any of my software?

    The benefits of preparing a list of answers to FAQs include:

    • A reduction in time spent creating answers to questions. If you focus on the most common questions, you will make efficient use of your team’s time.
    • Consistency in your team’s responses. By socializing the answers to FAQs, you ensure that no one on your team is out of the loop and the message remains consistent across the board.

    Include policy design and enforcement in your communication plan

    • Software asset management policies should define the actions to be taken to support software asset management processes and ensure the effective and efficient management of IT software assets across the asset lifecycle.
    • Implementing asset management policies enforces the notion that the organization takes its IT assets and the management of them seriously and will help ensure the benefits of SAM are achieved.
    • Designing, approving, documenting, and adopting one set of standard SAM policies for each department to follow will ensure the processes are enforced equally across the organization.

    Info-Tech Insight

    Use policy templates to jumpstart your policy development and ensure policies are comprehensive, but be sure to modify and adapt policies to suit your corporate culture or they will not gain buy-in from employees. For a policy to be successful, it must be a living document and have participation and involvement from the committees and departments to whom it will pertain.

    Build a software asset management policy

    Supporting Tool icon 4.2.3 Document a SAM policy

    Use Info-Tech’s Software Asset Management Policy template to define and document the purpose, scope, objectives, and roles and responsibilities for your organization's software asset management program.

    The template allows you to customize policy requirements for:

    • Procurement
    • Installation and Removal
    • Maintenance
    • Mergers and Acquisitions
    • Company Divestitures
    • Audits

    …as well as consequences for non-compliance.

    Sample of the 'Software Asset Management Policy' template.

    Use Info-Tech’s policy templates to build additional policies

    Supporting Tool icon 4.2.4 Build additional SAM policies

    Asset Security Policy
    The IT asset security policy will describe your organization's approach to ensuring the physical and digital security of your IT assets throughout their entire lifecycle.

    End-User Devices Acceptable Use Policy
    This policy should describe how business tools provided to employees are to be used in a responsible, ethical, and compliant manner, as well as the consequences of non-compliance.

    Purchasing Policy
    The purchasing policy helps to establish company standards, guidelines, and procedures for the purchase of all information technology hardware, software, and computer-related components as well as the purchase of all technical services.

    Release Management Policy
    Use this policy template to define and document the purpose, scope, objectives, and roles and responsibilities for your organization's release management program.

    Internet Acceptable Use Policy
    Use this template to help keep the internet use policy up to date. This policy template includes descriptions of acceptable and unacceptable use, security provisions, and disclaimers on the right of the organization to monitor usage and liability.

    Samples of additional SAM policies, listed to the left.

    Implement SAM in a phased, constructive approach

    One of the most difficult decisions to make when implementing a SAM program is: “where do we start?”

    It’s not necessary to deploy a comprehensive SAM program to start. Build on the essentials to become more mature as you grow.

    SAM Program Maturity (highest to lowest)

    • Audits and reporting
      Gather and analyze data about software assets to ensure compliance for audits and to continually improve the business.
    • Contracts and budget
      Analyze contracts and licenses for software across the enterprise and optimize planning to enable cost reduction.
    • Lifecycle standardization
      Define standards and processes for all asset lifecycle phases from request and procurement through to retirement and redistribution.
    • Inventory and tracking
      Define assets you will procure, distribute, and track. Know what you have, where it is deployed, and keep track of contracts and all relevant data.

    Integrate your SAM program with the organization to assist its implementation

    SAM cannot perform on its own – it must be integrated with other functional areas of the organization to maintain its stability and support.

    • Effective SAM is supported by a comprehensive set of processes as part of its implementation.
    • For example, integration with the procurement team’s processes and tools is required to track software purchases to mitigate software license compliance risk.
    • Integration with Finance is required to support internal cost allocations and chargebacks.
    • Integration with the service desk is required to track and deploy software requests.

    Info-Tech Best Practice

    To integrate SAM effectively, a clear implementation roadmap needs to be designed. Prioritize “quick wins” to demonstrate success to the business early and to gain buy-in from your team. Short-term gains should be designed to support long-term goals of your SAM program.

    Sample short-term goals
    • Identify inventory classification and tool
    • Create basic SAM policies and processes
    • Implement SAM auto-discovery tools
    Sample long-term goals
    • Software contract data integration
    • Continual improvement through review and revision
    • Software compliance reports, internal audits

    Develop a SAM roadmap to plan your implementation

    Associated Activity icon 4.2.5 Build a project roadmap
    1. Identify and review all initiatives that will be taken to implement or improve the software asset management program. These may fall under people, process, or technology-related tasks.
    2. Assign a priority level to each task (Quick Win, Low, Medium, High).
    3. Use the priority to sort tasks into start dates, breaking down by:
      1. Short, medium, or long-term
      2. 1 month, 3 months, 6 months, 12+ months
      3. Q1, Q2, Q3, Q4
    4. Review tasks and adjust start dates for some, if needed to set realistic and achievable timelines.
    5. Transfer tasks to a project plan or Gantt chart to formalize.
    Examples:
    Q1 Q2 Q3 Q4
    • Hire software asset manager
    • Document SOP
    • Define policies
    • Select a SAM tool
    • Create list of approved services and software
    • Define metrics
    • Inventory existing software and contracts
    • Build a patch policy
    • Build a service catalog
    • Contract renewal alignment
    • Run internal audit
    • Security review

    Review and maintain the SAM program to reach optimal maturity

    • SAM is a dynamic process. It must adapt to keep pace with the direction of the organization. New applications, different licensing needs, and a constant stream of new end users all contribute to complicating the licensing process.
    • As part of your organization’s journey to an optimized SAM program, put in place continual improvement practices to maintain momentum.

    A suggested cycle of review and maintenance for your SAM: 'Plan', 'Do', 'Check', 'Act'.

    Info-Tech Insight

    Advertising the increased revenue that is gained from good SAM practices is a powerful way to gain project buy-in.

    Keep the momentum going:

    • Clearly define ongoing responsibilities for each role.
    • Develop a training and awareness program for new employees to be introduced to SAM processes and policies.
    • Continually review and revise existing processes as necessary.
    • Measure the success of the program to identify areas for improvement and demonstrate successes.
    • Measure adherence to process and policies and enforce as needed.

    Reflect on the outcomes of implementing SAM to target areas for improvement and share knowledge gained within and beyond the SAM team. Some questions to consider include:

    1. How did the data compare to our expectations? Was the project a success?
    2. What obstacles were present that impacted the project?
    3. How can we apply lessons learned through this project to others in the future?

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech Workshop Associated Activity icon

    Book a workshop with our Info-Tech analysts:

    Photo of an Info-Tech analyst.
    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analyst will join you and your team onsite at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    4.2.1

    Sample of activity 4.2.1 'Develop a communication plan to convey the right messages'. Develop a communication plan to convey the right messages

    Identify stakeholders requiring communication and formulate a message and delivery method for each.

    4.2.5

    Sample of activity 4.2.5 'Develop a SAM roadmap to plan your implementation'. Develop a SAM roadmap to plan your implementation

    Outline the tasks necessary for the implementation of this project and prioritize to build a project roadmap.

    Phase 4 outline

    Associated Activity icon Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 4: Build supporting processes & tools

    Proposed Time to Completion (in weeks): 4
    Step 4.1: Compliance & audits Step 4.2: Communicate & build roadmap
    Start with an analyst kick-off call:
    • Discuss audit process
    • Define a process for internal audits
    • Define a process for external audit response
    Review findings with analyst:
    • Build communication plan
    • Discuss policy needs
    • Build a roadmap
    Then complete these activities…
    • Document internal audit process
    • Document external audit process
    • Prepare audit templates
    Then complete these activities…
    • Develop communication plan
    • Prepare an FAQ list for end users
    • Build SAM policies
    • Develop a roadmap
    With these tools & templates:
    • Standard Operating Procedures
    • Software Audit Scoping Email Template
    • Software Audit Launch Email Template
    With these tools & templates:
    • SAM Communication Plan
    • Software Asset Management FAQ Template
    • Software Asset Management Policy
    • Additional Policy Templates

    Bibliography

    2013 Software Audit Industry Report.” Express Metrix, 2013. Web.

    7 Vital Trends Disrupting Today’s Workplace: Results and Data from 2013 TINYpulse Employee Engagement Survey.” TINYpulse, 2013. Web.

    Beaupoil, Christof. “How to measure data quality and protect against software audits.” Network World, 6 June 2011.

    Begg, Daniel. “Effective Licence Position (ELP) – What is it really worth?” LinkedIn, 19 January 2016.

    Boehler, Bernhard. “Advanced License Optimization: Go Beyond Compliance for Maximum Cost Savings.” The ITAM Review, 24 November 2014.

    Bruce, Warren. “SAM Baseline – process & best practice.” Microsoft. 2013 Australia Partner Conference.

    Case Study Top 20 U.S. Bank Tackles Asset Management.” Pomeroy, 2012. Web.

    Cherwell Software Software Audit Industry Report.” Cherwell Software, 2015. Web.

    Conrad, Sandi. “SAM starter kit: everything you need to get started with software asset management. Conrad & Associates, 2010.

    Corstens, Jan, and Diederik Van der Sijpe. “Contract risk & compliance software asset management (SAM).” Deloitte, 2012.

    Deas, A., T. Markowitzm and E. Black. “Software asset management: high risk, high reward.” Deloitte, 2014.

    Doig, Chris. “Why you should always estimate ROI before buying enterprise software” CIO, 13 August 2015.

    Fried, Chuck. “America Needs An Education On Software Asset Management (SAM).” LinkedIn. 16 June 2015.

    Lyons, Gwen. “Understanding the Drivers Behind Application Rationalization Critical to Success.” Flexera Software Blog, 31 October 2012.

    Bibliography

    Metrics to Measure SAM Success: eight ways to prove your SAM program is delivering business benefits.” Snow Software White Paper, 2015.

    Microsoft. “The SAM Optimization Model.” Microsoft Corporation White Paper, 2010.

    Miller, D. and M. Oliver. “Engaging Stakeholders for Project Success.” Project Management Institute White Paper, 2015.

    Morrison, Dan. “5 Common Misconceptions of Software Asset Management.” SoftwareOne. 12 May 2015.

    O’Neill, Leslie T. “Visa Case Study: SAM in the 21st Century.” International Business Software Managers Association (IBSMA), 30 July 2014.

    Reducing Hidden Operating Costs Through IT Asset Discovery.” NetSupport Inc., 2011.

    SAM Summit 2014, 23-25 June 2014, University of Chicago Gleacher Center Conference Facilities, Chicago, MI.

    Saxby, Heather. “20 Things Every CIO Needs to Know about Software Asset Management.” Crayon Software Experts, 13 May 2015.

    The 2016 State of IT: Managing the money monsters for the coming year.” Spiceworks, 2016.

    The Hidden Cost of Unused Software.” A 1E Report, 1E.com: 2014. Web.

    What does it take to achieve software license optimization?” Flexera White Paper, 2013.

    Research contributors and experts

    Photo of Michael Dean, Director, User Support Services, Des Moines University Michael Dean
    Director, User Support Services
    Des Moines University
    Simon Leuty
    Co-Founder
    Livingstone Tech
    Photo of Simon Leuty, Co-Founder, Livingstone Tech
    Photo of Clare Walsh, PR Consultant, Adesso Tech Ltd. Clare Walsh
    PR Consultant
    Adesso Tech Ltd.
    Alex Monaghan
    Director, Presales EMEA
    Product Support Solutions
    Photo of Alex Monaghan, Director, Presales EMEA, Product Support Solutions

    Research contributors and experts

    Photo of Ben Brand, SAM Practice Manager, Insight Ben Brand
    SAM Practice Manager
    Insight
    Michael Swanson
    President
    ISAM
    Photo of Michael Swanson, President, ISAM
    Photo of Bruce Aboudara, SVP, Marketing & Business Development, Scalable Software Bruce Aboudara
    SVP, Marketing & Business Development
    Scalable Software
    Will Degener
    Senior Solutions Consultant
    Scalable Software
    Photo of Will Degener, Senior Solutions Consultant, Scalable Software

    Research contributors and experts

    Photo of Peter Gregorowicz, Associate Director, Network & Client Services, Vancouver Community College Peter Gregorowicz
    Associate Director, Network & Client Services
    Vancouver Community College
    Peter Schnitzler
    Operations Team Lead
    Toyota Canada
    Photo of Peter Schnitzler, Operations Team Lead, Toyota Canada
    Photo of David Maughan, Head of Service Transition, Mott MacDonald Ltd. David Maughan
    Head of Service Transition
    Mott MacDonald Ltd.
    Brian Bernard
    Infrastructure & Operations Manager
    Lee County Clerk of Court
    Photo of Brian Bernard, Infrastructure & Operations Manager, Lee County Clerk of Court

    Research contributors and experts

    Photo of Leticia Sobrado, IT Data Governance & Compliance Manager, Intercept Pharmaceuticals Leticia Sobrado
    IT Data Governance & Compliance Manager
    Intercept Pharmaceuticals

    Vendor Management

    • Buy Link or Shortcode: {j2store}15|cart{/j2store}
    • Related Products: {j2store}15|crosssells{/j2store}
    • member rating overall impact: 9.3/10
    • member rating average dollars saved: $9,627
    • member rating average days saved: 10
    • Parent Category Name: Financial Management
    • Parent Category Link: /financial-management
    That does not mean strong-arming. It means maximizing the vendor relationship value.

    Monitor IT Employee Experience

    • Buy Link or Shortcode: {j2store}543|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: $29,096 Average $ Saved
    • member rating average days saved: 19 Average Days Saved
    • Parent Category Name: Engage
    • Parent Category Link: /engage
    • In IT, high turnover and sub-optimized productivity can have huge impacts on IT’s ability to execute SLAs, complete projects on time, and maintain operations effectively.
    • With record low unemployment rates in IT, retaining top employees and keeping them motivated in their jobs has never been more critical.

    Our Advice

    Critical Insight

    • One bad experience can cost you your top employee. Engagement is the sum total of the day-to-day experiences your employees have with your company.
    • Engagement, not pay, drives results. Engagement is key to your team's productivity and ability to retain top talent. Approach it systematically to learn what really drives your team.
    • It’s time for leadership to step up. As the CIO, it’s up to you to take ownership of your team’s engagement.

    Impact and Result

    • Info-Tech tools and guidance will help you initiate an effective conversation with your team around engagement, and avoid common pitfalls in implementing engagement initiatives.
    • Monitoring employee experience continuously using the Employee Experience Monitor enables you to take a data-driven approach to evaluating the success of your engagement initiatives.

    Monitor IT Employee Experience Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should focus on employee experience to improve engagement in IT, review Info-Tech’s methodology, and understand how our tools will help you construct an effective employee engagement program.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Start monitoring employee experience

    Plan out your employee engagement program and launch the Employee Experience Monitor survey for your team.

    • Drive IT Performance by Monitoring Employee Experience – Phase 1: Start Monitoring Employee Experience
    • None
    • None
    • EXM Setup Guide
    • EXM Training Guide for Managers
    • None
    • EXM Communication Template

    2. Analyze results and ideate solutions

    Interpret your Employee Experience Monitor results, understand what they mean in the context of your team, and involve your staff in brainstorming engagement initiatives.

    • Drive IT Performance by Monitoring Employee Experience – Phase 2: Analyze Results and Ideate Solutions
    • EXM Focus Group Facilitation Guide
    • Focus Group Facilitation Guide Driver Definitions

    3. Select and implement engagement initiatives

    Select engagement initiatives for maximal impact, create an action plan, and establish open and ongoing communication about engagement with your team.

    • Drive IT Performance by Monitoring Employee Experience – Phase 3: Measure and Communicate Results
    • Engagement Progress One-Pager
    [infographic]

    Workshop: Monitor IT Employee Experience

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Launch the EXM

    The Purpose

    Set up the EXM and collect a few months of data to build on during the workshop.

    Key Benefits Achieved

    Arm yourself with an index of employee experience and candid feedback from your team to use as a starting point for your engagement program.

    Activities

    1.1 Identify EXM use case.

    1.2 Identify engagement program goals and obstacles.

    1.3 Launch EXM.

    Outputs

    Defined engagement goals.

    EXM online dashboard with three months of results.

    2 Explore Engagement

    The Purpose

    To understand the current state of engagement and prepare to discuss the drivers behind it with your staff.

    Key Benefits Achieved

    Empower your leadership team to take charge of their own team's engagement.

    Activities

    2.1 Review EXM results to understand employee experience.

    2.2 Finalize focus group agendas.

    2.3 Train managers.

    Outputs

    Customized focus group agendas.

    3 Hold Employee Focus Groups

    The Purpose

    Establish an open dialogue with your staff to understand what drives their engagement.

    Key Benefits Achieved

    Understand where in your team’s experience you can make the most impact as an IT leader.

    Activities

    3.1 Identify priority drivers.

    3.2 Identify engagement KPIs.

    3.3 Brainstorm engagement initiatives.

    3.4 Vote on initiatives within teams.

    Outputs

    Summary of focus groups results

    Identified engagement initiatives.

    4 Select and Plan Initiatives

    The Purpose

    Learn the characteristics of successful engagement initiatives and build execution plans for each.

    Key Benefits Achieved

    Choose initiatives with the greatest impact on your team’s engagement, and ensure you have the necessary resources for success.

    Activities

    4.1 Select engagement initiatives with IT leadership.

    4.2 Discuss and decide on the top five engagement initiatives.

    4.3 Create initiative project plans.

    4.4 Build detailed project plans.

    4.5 Present project plans.

    Outputs

    Engagement project plans.

    AI Trends 2023

    • Buy Link or Shortcode: {j2store}207|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Business Intelligence Strategy
    • Parent Category Link: /business-intelligence-strategy

    As AI technologies are constantly evolving, organizations are looking for AI trends and research developments to understand the future applications of AI in their industries.

    Our Advice

    Critical Insight

    • Understanding trends and the focus of current and future AI research helps to define how AI will drive an organization’s new strategic opportunities.
    • Understanding the potential application of AI and its promise can help plan the future investments in AI-powered technologies and systems.

    Impact and Result

    Understanding AI trends and developments enables an organization’s competitive advantage.

    AI Trends 2023 Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. AI Trends 2023 – An overview of trends that will continue to drive AI innovation.

    • AI Trends Report 2023
    [infographic]

    Further reading

    AI Trends Report 2023

    The eight trends:

    1. Design for AI
    2. Event-Based Insights
    3. Synthetic Data
    4. Edge AI
    5. AI in Science and Engineering
    6. AI Reasoning
    7. Digital Twin
    8. Combinatorial Optimization
    Challenges that slowed the adoption of AI

    To overcome the challenges, enterprises adopted different strategies

    Data Readiness

    • Lack of unified systems and unified data
    • Data quality issues
    • Lack of the right data required for machine learning
    • Improve data management capabilities, including data governance and data initiatives
    • Create data catalogs
    • Document data and information architecture
    • Solve data-related problems including data quality, privacy, and ethics

    ML Operations Capabilities

    • Lack of tools, technologies, and methodologies to operationalize models created by data scientists
    • Increase availability of cloud platforms, tools, and capabilities
    • Develop and grow machine learning operations (MLOps) tools, platforms, and methodologies to enable model operationalizing and monitoring in production

    Understanding of AI Role and Its Business Value

    • Lack of understanding of AI use cases – how AI/ML can be applied to solve specific business problems
    • Lack of understanding how to define the business value of AI investments
    • Identify AI C-suite toolkits (for example, Empowering AI Leadership from the World Economic Forum, 2022)
    • Document industry use cases
    • Use frameworks and tools to define business value for AI investments

    Design for AI

    Sustainable AI system design needs to consider several aspects: the business application of the system, data, software and hardware, governance, privacy, and security.

    It is important to define from the beginning how AI will be used by and for the application to clearly articulate business value, manage expectations, and set goals for the implementation.

    Design for AI will change how we store and manage data and how we approach the use of data for development and operation of AI systems.

    An AI system design approach should cover all stages of AI lifecycle, from design to maintenance. It should also support and enable iterative development of an AI system.

    To take advantage of different tools and technologies for AI system development, deployment, and monitoring, the design of an AI system should consider software and hardware needs and design for seamless and efficient integrations of all components of the system and with other existing systems within the enterprise.

    AI in Science and Engineering

    AI helps sequence genomes to identify variants in a person’s DNA that indicate genetic disorders. It allows researchers to model and calculate complicated physics processes, to forecast the genesis of the universe’s structure, and to understand planet ecosystem to help advance the climate research. AI drives advances in drug discovery and can assist with molecule synthesis and molecular property identification.

    AI finds application in all areas of science and engineering. The role of AI in science will grow and allow scientists to innovate faster.

    AI will further contribute to scientific understanding by assisting scientists in deriving new insights, generating new ideas and connections, generalizing scientific concepts, and transferring them between areas of scientific research.

    Using synthetic data and combining physical and machine learning models and other advances of AI/ML – such as graphs, use of unstructured data (language models), and computer vision – will accelerate the use of AI in science and engineering.

    Event- and Scenario-Driven AI

    AI-driven signal-gathering systems analyze a continuous stream of data to generate insights and predictions that enable strategic decision modeling and scenario planning by providing understanding of how and what areas of business might be impacted by certain events.

    AI enables the scenario-based approach to drive insights through pattern identification in addition to familiar pattern recognition, helping to understand how events are related.

    A system with anticipatory capabilities requires an event-driven architecture that enables gathering and analyzing different types of data (text, video, images) across multiple channels (social media, transactional systems, news feeds, etc.) for event-driven and event-sequencing modeling.

    ML simulation-based training of the model using advanced techniques under the umbrella of Reinforcement Learning in conjunction with statistically robust Bayesian probabilistic framework will aid in setting up future trends in AI.

    AI Reasoning

    Most of the applications of machine learning and AI today is about predicting future behaviors based on historical data and past behaviors. We can predict what product the customer would most likely buy or the price of a house when it goes on sale.

    Most of the current algorithms use the correlation between different parameters to make a prediction, for example, the correlation between the event and the outcome can look like “When X occurs, we can predict that Y will occur.” This, however, does not translate into “Y occurred because of X.”

    The development of a causal AI that uses causal inference to reason and identify the root cause and the causal relationships between variables without mistaking correlation and causation is still in its early stages but rapidly evolving.

    Some of the algorithms that the researchers are working with are casual graph models and algorithms that are at the intersection of causal inference with decision making and reinforcement learning (Causal Artificial Intelligence Lab, 2022).

    Synthetic Data

    Synthetic data is artificially generated data that mimics the structure of real-life data. It should also have the same mathematical and statistical properties as the real-world data that it is created to replicate.

    Synthetic data is used to train machine learning models when there is not enough real data or the existing data does not meet specific needs. It allows users to remove contextual bias from data sets containing personal data, prevent privacy concerns, and ensure compliance with privacy laws and regulations.

    Another application of synthetic data is solving data-sharing challenges.

    Researchers learned that quite often synthetic data sets outperform real-world data. Recently, a team of researchers at MIT built a synthetic data set of 150,000 video clips capturing human actions and used that data set to train the model. The researchers found that “the synthetically trained models performed even better than models trained on real data for videos that have fewer background objects” (MIT News Office, 2022).

    Today, synthetic data is used in language systems, in training self-driving cars, in improving fraud detection, and in clinical research, just to name a few examples.

    Synthetic data opens the doors for innovation across all industries and applications of AI by enabling access to data for any scenario and technology and business needs.

    Digital Twins

    Digital twins (DT) are virtual replicas of physical objects, devices, people, places, processes, and systems. In Manufacturing, almost every product and manufacturing process can have a complete digital replica of itself thanks to IoT, streaming data, and cheap cloud storage.

    All this data has allowed for complex simulations of, for example, how a piece of equipment will perform over time to predict future failures before they happen, reducing costly maintenance and extending equipment lifetime.

    In addition to predictive maintenance, DT and AI technologies have enabled organizations to design and digitally test complex equipment such as aircraft engines, trains, offshore oil platforms, and wind turbines before physically manufacturing them. This helps to improve product and process quality, manufacturing efficiency, and costs. DT technology also finds applications in architecture, construction, energy, infrastructure industries, and even retail.

    Digital twins combined with the metaverse provide a collaborative and interactive environment with immersive experience and real-time physics capabilities (as an example, Siemens presented an Immersive Digital Twin of a Plant at the Collision 2022 conference).

    Future trends include enabling autonomous behavior of a DT. An advanced DT can replicate itself as it moves into several devices, hence requiring the autonomous property. Such autonomous behavior of the DT will in turn influence the growth and further advancement of AI.

    Edge AI

    A simple definition for edge AI: A combination of edge computing and artificial intelligence, it enables the deployment of AI applications in devices of the physical world, in the field, where the data is located, such as IoT devices, devices on the manufacturing floor, healthcare devices, or a self-driving car.

    Edge AI integrates AI into edge computing devices for quicker and improved data processing and smart automation.

    The main benefits of edge AI include:

    • Real-time data processing capabilities to reduce latency and enable near real-time analytics and insights.
    • Reduced cost and bandwidth requirements as there is no need to transfer data to the cloud for computing.
    • Increased data security as the data is processed locally, on the device, reducing the risk of loss of sensitive data.
    • Improved automation by training machines to perform automated tasks.

    Edge AI is already used in a variety of applications and use cases including computer vision, geospatial intelligence, object detection, drones, and health monitoring devices.

    Combinatorial Optimization

    “Combinatorial optimization is a subfield of mathematical optimization that consists of finding an optimal object from a finite set of objects” (Wikipedia, retrieved December 2022).

    Applications of combinatorial optimization include:

    • Supply chain optimization
    • Scheduling and logistics, for example, vehicle routing where the trucks are making stops for pickup and deliveries
    • Operations optimization

    Classical combinatorial optimization (CO) techniques were widely used in operations research and played a major role in earlier developments of AI.

    The introduction of deep learning algorithms in recent years allowed researchers to combine neural network and conventional optimization algorithms; for example, incorporating neural combinatorial optimization algorithms in the conventional optimization framework. Researchers confirmed that certain combinations of these frameworks and algorithms can provide significant performance improvements.

    The research in this space continues and we look forward to learning how machine learning and AI (backtracking algorithms, reinforcement learning, deep learning, graph attention networks, and others) will be used for solving challenging combinatorial and decision-making problems.

    References

    “AI Can Power Scenario Planning for Real-Time Strategic Insights.” The Wall Street Journal, CFO Journal, content by Deloitte, 7 June 2021. Accessed 11 Dec. 2022.
    Ali Fdal, Omar. “Synthetic Data: 4 Use Cases in Modern Enterprises.” DATAVERSITY, 5 May 2022. Accessed
    11 Dec. 2022.
    Andrews, Gerard. “What Is Synthetic Data?” NVIDIA, 8 June 2021. Accessed 11 Dec. 2022.
    Bareinboim, Elias. “Causal Reinforcement Learning.” Causal AI, 2020. Accessed 11 Dec. 2022.
    Bengio, Yoshua, Andrea Lodi, and Antoine Prouvost. “Machine learning for combinatorial optimization: A methodological tour d’horizon.” European Journal of Operational Research, vol. 290, no. 2, 2021, pp. 405-421, https://doi.org/10.1016/j.ejor.2020.07.063. Accessed 11 Dec. 2022.
    Benjamins, Richard. “Four design principles for developing sustainable AI applications.” Telefónica S.A., 10 Sept. 2018. Accessed on 11 Dec. 2022.
    Blades, Robin. “AI Generates Hypotheses Human Scientists Have Not Thought Of.” Scientific American, 28 October 2021. Accessed 11 Dec. 2022.
    “Combinatorial Optimization.” Wikipedia article, Accessed 11 Dec. 2022.
    Cronholm, Stefan, and Hannes Göbel. “Design Principles for Human-Centred Artificial Intelligence.” University of Borås, Sweden, 11 Aug. 2022. Accessed on 11 Dec. 2022
    Devaux, Elise. “Types of synthetic data and 4 real-life examples.” Statice, 29 May 2022. Accessed 11 Dec. 2022.
    Emmental, Russell. “A Guide to Causal AI.” ITBriefcase, 30 March 2022. Accessed 11 Dec. 2022.
    “Empowering AI Leadership: AI C-Suite Toolkit.” World Economic Forum, 12 Jan. 2022. Accessed 11 Dec 2022.
    Falk, Dan. “How Artificial Intelligence Is Changing Science.” Quanta Magazine, 11 March 2019. Accessed 11 Dec. 2022.
    Fritschle, Matthew J. “The Principles of Designing AI for Humans.” Aumcore, 17 Aug. 2018. Accessed 8 Dec. 2022.
    Garmendia, Andoni I., et al. Neural Combinatorial Optimization: a New Player in the Field.” IEEE, arXiv:2205.01356v1, 3 May 2022. Accessed 11 Dec. 2022.
    Gülen, Kerem. “AI Is Revolutionizing Every Field and Science is no Exception.” Dataconomy Media GmbH, 9 Nov. 9, 2022. Accessed 11 Dec. 2022
    Krenn, Mario, et al. “On scientific understanding with artificial intelligence.” Nature Reviews Physics, vol. 4, 11 Oct. 2022, pp. 761–769. https://doi.org/10.1038/s42254-022-00518-3. Accessed 11 Dec. 2022.
    Laboratory for Information and Decision Systems. “The real promise of synthetic data.” MIT News, 16 Oct. 2020. Accessed 11 Dec. 2022.
    Lecca, Paola. “Machine Learning for Causal Inference in Biological Networks: Perspectives of This Challenge.” Frontiers, 22 Sept. 2021. Accessed 11 Dec. 2022. Mirabella, Lucia. “Digital Twin x Metaverse: real and virtual made easy.” Siemens presentation at Collision 2022 conference, Toronto, Ontario. Accessed 11 Dec. 2022. Mitchum, Rob, and Louise Lerner. “How AI could change science.” University of Chicago News, 1 Oct. 2019. Accessed 11 Dec. 2022.
    Okeke, Franklin. “The benefits of edge AI.” TechRepublic, 22 Sept. 2022, Accessed 11 Dec. 2022.
    Perlmutter, Nathan. “Machine Learning and Combinatorial Optimization Problems.” Crater Labs, 31 July 31, 2019. Accessed 11 Dec. 2022.
    Sampson, Ovetta. “Design Principles for a New AI World.” UX Magazine, 6 Jan. 2022. Accessed 11 Dec. 2022.
    Sgaier, Sema K., Vincent Huang, and Grace Charles. “The Case for Causal AI.” Stanford Social Innovation Review, Summer 2020. Accessed 11 Dec. 2022.
    “Synthetic Data.” Wikipedia article, Accessed 11 Dec. 2022.
    Take, Marius, et al. “Software Design Patterns for AI-Systems.” EMISA Workshop 2021, CEUR-WS.org, Proceedings 30. Accessed 11 Dec. 2022.
    Toews, Rob. “Synthetic Data Is About To Transform Artificial Intelligence.” Forbes, 12 June 2022. Accessed
    11 Dec. 2022.
    Zewe, Adam. “In machine learning, synthetic data can offer real performance improvements.” MIT News Office, 3 Nov. 2022. Accessed 11 Dec. 2022.
    Zhang, Junzhe, and Elias Bareinboim. “Can Humans Be out of the Loop?” Technical Report, Department of Computer Science, Columbia University, NY, June 2022. Accessed 11 Dec. 2022.

    Contributors

    Irina Sedenko Anu Ganesh Amir Feizpour David Glazer Delina Ivanova

    Irina Sedenko

    Advisory Director

    Info-Tech

    Anu Ganesh

    Technical Counselor

    Info-Tech

    Amir Feizpour

    Co-Founder & CEO

    Aggregate Intellect Inc.

    David Glazer

    VP of Analytics

    Kroll

    Delina Ivanova

    Associate Director, Data & Analytics

    HelloFresh

    Usman Lakhani

    DevOps

    WeCloudData

    Build a Data Architecture Roadmap

    • Buy Link or Shortcode: {j2store}124|cart{/j2store}
    • member rating overall impact: 8.8/10 Overall Impact
    • member rating average dollars saved: $8,846 Average $ Saved
    • member rating average days saved: 23 Average Days Saved
    • Parent Category Name: Data Management
    • Parent Category Link: /data-management
    • Data architecture involves many moving pieces requiring coordination to provide greatest value from data.
    • Data architects are at the center of this turmoil and must be able to translate high-level business requirements into specific instructions for data workers using complex data models.
    • Data architects must account for the constantly growing data and application complexity, more demanding needs from the business, an ever-increasing number of data sources, and a growing need to integrate components to ensure that performance isn’t compromised.

    Our Advice

    Critical Insight

    • Data architecture needs to evolve with the changing business landscape. There are four common business drivers that put most pressure on archaic architectures. As a result, the organization’s architecture must be flexible and responsive to changing business needs.
    • Data architecture is not just about models. Viewing data architecture as just technical data modeling can lead to structurally unsound data that does not serve the business.
    • Data is used differently across the layers of an organization’s data architecture, and the capabilities needed to optimize use of data change with it. Architecting and managing data from source to warehousing to presentation requires different tactics for optimal use.

    Impact and Result

    • Have a framework in place to identify the appropriate solution for the challenge at hand. Our three-phase practical approach will help you build a custom and modernized data architecture.
      • Identify and prioritize the business drivers in which data architecture changes would create the largest overall benefit, and determine the corresponding data architecture tiers that need to be addressed.
      • Discover the best-practice trends, measure your current state, and define the targets for your data architecture tactics.
      • Build a cohesive and personalized roadmap for restructuring your data architecture. Manage your decisions and resulting changes.

    Build a Data Architecture Roadmap Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why your organization should optimize its data architecture as it evolves with the drivers of the business to get the most from its data.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Prioritize your data architecture with business-driven tactics

    Identify the business drivers that necessitate data architecture improvements, then create a tactical plan for optimization.

    • Build a Business-Aligned Data Architecture Optimization Strategy – Phase 1: Prioritize Your Data Architecture With Business-Driven Tactics
    • Data Architecture Driver Pattern Identification Tool
    • Data Architecture Optimization Template

    2. Personalize your tactics to optimize your data architecture

    Analyze how you stack up to Info-Tech’s data architecture capability model to uncover your tactical plan, and discover groundbreaking data architecture trends and how you can fit them into your action plan.

    • Build a Business-Aligned Data Architecture Optimization Strategy – Phase 2: Personalize Your Tactics to Optimize Your Data Architecture
    • Data Architecture Tactical Roadmap Tool
    • Data Architecture Trends Presentation

    3. Create your tactical data architecture roadmap

    Optimize your data architecture by following tactical initiatives and managing the resulting change brought on by those optimization activities.

    • Build a Business-Aligned Data Architecture Optimization Strategy – Phase 3: Create Your Tactical Data Architecture Roadmap
    • Data Architecture Decision Template
    [infographic]

    Workshop: Build a Data Architecture Roadmap

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Identify the Drivers of the Business for Optimizing Data Architecture

    The Purpose

    Explain approach and value proposition.

    Review the common business drivers and how the organization is driving a need to optimize data architecture.

    Understand Info-Tech’s five-tier data architecture model.

    Determine the pattern of tactics that apply to the organization for optimization.

    Key Benefits Achieved

    Understanding of the current data architecture landscape.

    Priorities for tactical initiatives in the data architecture practice are identified.

    Target state for the data quality practice is defined.

    Activities

    1.1 Explain approach and value proposition.

    1.2 Review the common business drivers and how the organization is driving a need to optimize data architecture.

    1.3 Understand Info-Tech’s five-tier data architecture model.

    1.4 Determine the pattern of tactics that apply to the organization for optimization.

    Outputs

    Five-tier logical data architecture model

    Data architecture tactic plan

    2 Determine Your Tactics For Optimizing Data Architecture

    The Purpose

    Define improvement initiatives.

    Define a data architecture improvement strategy and roadmap.

    Key Benefits Achieved

    Gaps, inefficiencies, and opportunities in the data architecture practice are identified.

    Activities

    2.1 Create business unit prioritization roadmap.

    2.2 Develop subject area project scope.

    2.3 Subject area 1: data lineage analysis, root cause analysis, impact assessment, business analysis

    Outputs

    Business unit prioritization roadmap

    Subject area scope

    Data lineage diagram

    3 Create a Strategy for Data Quality Project 2

    The Purpose

    Define improvement initiatives.

    Define a data quality improvement strategy and roadmap.

    Key Benefits Achieved

    Improvement initiatives are defined.

    Improvement initiatives are evaluated and prioritized to develop an improvement strategy.

    A roadmap is defined to depict when and how to tackle the improvement initiatives.

    Activities

    3.1 Create business unit prioritization roadmap.

    3.2 Develop subject area project scope.

    3.3 Subject area 1: data lineage analysis, root cause analysis, impact assessment, business analysis.

    Outputs

    Business unit prioritization roadmap

    Subject area scope

    Data lineage diagram

    Further reading

    Build a Data Architecture Roadmap

    Optimizing data architecture requires a plan, not just a data model.

    ANALYST PERSPECTIVE

    Integral to an insight-driven enterprise is a modern and business-driven data environment.

    “As business and data landscapes change, an organization’s data architecture needs to be able to keep pace with these changes. It needs to be responsive so as to not only ensure the organization continues to operate efficiently but that it supports the overall strategic direction of the organization.

    In the dynamic marketplace of today, organizations are constantly juggling disruptive forces and are finding the need to be more proactive rather than reactive. As such, organizations are finding their data to be a source of competitive advantage where the data architecture has to be able to not only support the increasing amount, sources, and rate at which organizations are capturing and collecting data but also be able to meet and deliver on changing business needs.

    Data architecture optimization should, therefore, aid in breaking down data silos and creating a more shared and all-encompassing data environment for better empowering the business.” (Crystal Singh, Director, Research, Data and Information Practice, Info-Tech Research Group)

    Our understanding of the problem

    This Research Is Designed For:
    • Data architects or their equivalent, looking to optimize and improve the efficiency of the capture, movement and storage of data for a variety of business drivers.
    • Enterprise architects looking to improve the backbone of the holistic approach of their organization’s structure.
    This Research Will Help You:
    • Identify the business drivers that are impacted and improved by best-practice data architecture.
    • Optimize your data architecture using tactical practices to address the pressing issues of the business to drive modernization.
    • Align the organization’s data architecture with the grander enterprise architecture.
    This Research Will Also Assist:
    • CIOs concerned with costs, benefits, and the overall structure of their organizations data flow.
    • Database administrators tasked with overseeing crucial elements of the data architecture.
    This Research Will Help Them:
    • Get a handle on the current situation of data within the organization.
    • Understand how data architecture affects the operations of the data sources within the enterprise.

    Executive summary

    Situation

    • The data architecture of a modern organization involves many moving pieces requiring coordination to provide greatest value from data.
    • Data architects are at the center of this turmoil and must be able to translate high-level business requirements into specific instructions for data workers using complex data models.

    Complication

    • Data architects must account for the constantly growing data and application complexity, and more demanding needs from the business.
    • There is an ever-increasing number of data sources and a growing need to integrate components to ensure that performance isn’t compromised.
    • There isn’t always a clearly defined data architect role, yet the responsibilities must be filled to get maximum value from data.

    Resolution

    • To deal with these challenges, a data architect must have a framework in place to identify the appropriate solution for the challenge at hand.
      • Identify and prioritize the business drivers in which data architecture changes would create the largest overall benefit, and determine the corresponding data architecture tiers that need to be addressed to customize your solution.
      • Discover the best practice trends, measure your current state, and define the targets for your data architecture tactics.
      • Build a cohesive and personalized roadmap for restructuring your data architecture. Manage your decisions and resulting changes.

    Info-Tech Insight

    1. Data architecture is not just about models. Viewing data architecture as just technical data modeling can lead to a data environment that does not aptly serve or support the business. Identify the priorities of your business and adapt your data architecture to those needs.
    2. Changes to data architecture are typically driven by four common business driver patterns. Use these as a shortcut to understand how to evolve your data architecture.
    3. Data is used differently across the layers of an organization’s data architecture; therefore, the capabilities needed to optimize the use of data change with it. Architecting and managing data from source to warehousing to presentation requires different tactics for optimal use.

    Your data is the foundation of your organization’s knowledge and ability to make decisions

    Data should be at the foundation of your organization’s evolution.

    The transformational insights that executives are constantly seeking to leverage can be uncovered with a data practice that makes high quality, trustworthy information readily available to the business users who need it.

    50% Organizations that embrace data are 50% more likely to launch products and services ahead of their competitors. (Nesta, 2016)

    Whether hoping to gain a better understanding of your business or trying to become an innovator in your industry, any organization can get value from its data regardless of where you are in your journey to becoming a data-driven enterprise:

    Business Monitoring
    • Data reporting
    • Uncover inefficiencies
    • Monitor progress
    • Track inventory levels
    Business Insights
    • Data analytics
    • Expose patterns
    • Predict future trends
    Business Optimization
    • Data-based apps
    • Build apps to automate actions based on insights
    Business Transformation
    • Monetary value of data
    • Create new revenue streams
    (Journey to Data Driven Enterprise, 2015)

    As organizations seek to become more data driven, it is imperative to better manage data for its effective use

    Here comes the zettabyte era.

    A zettabyte is a billion terabytes. Organizations today need to measure their data size in zettabytes, a challenge that is only compounded by the speed at which the data is expected to move.

    Arriving at the understanding that data can be the driving force of your organization is just the first step. The reality is that the true hurdles to overcome are in facing the challenges of today’s data landscape.

    Challenges of The Modern Data Landscape
    Data at rest Data movement
    Greater amounts Different types Uncertain quality Faster rates Higher complexity

    “The data environment is very chaotic nowadays. Legacy applications, data sprawl – organizations are grappling with what their data landscape looks like. Where are our data assets that we need to use?” (Andrew Johnston, Independent Consultant)

    Solution

    Well-defined and structured data management practices are the best way to mitigate the limitations that derive from these challenges and leverage the most possible value from your data.

    Refer to Info-Tech’s capstone Create a Plan For Establishing a Business-Aligned Data Management Practice blueprint to understand data quality in the context of data disciplines and methods for improving your data management capabilities.

    Data architecture is an integral aspect of data management

    Data Architecture

    The set of rules, policies, standards, and models that govern and define the type of data collected and how it is used, stored, managed, and integrated within the organization and its database systems.

    In general, the primary objective of data architecture is the standardization of data for the benefit of the organization.

    54% of leading “analytics-driven” enterprises site data architecture as a required skill for data analytics initiatives. (Maynard 2015)

    MYTH

    Data architecture is purely a model of the technical requirements of your data systems.

    REALITY

    Data architecture is largely dependent on a human element. It can be viewed as “the bridge between defining strategy and its implementation”. (Erwin 2016)

    Functions

    A strong data architecture should:

    • Define, visualize, and communicate data strategy to various stakeholders.
    • Craft a data delivery environment.
    • Ensure high data quality.
    • Provide a roadmap for continuous improvement.

    Business value

    A strong data architecture will help you:

    • Align data processes with business strategy and the overall holistic enterprise architecture.
    • Enable efficient flow of data with a stronger focus on quality and accessibility.
    • Reduce the total cost of data ownership.

    Data architects must maintain a comprehensive view of the organization’s rapidly proliferating data

    The data architect:
    • Acts as a “translator” between the business and data workers to communicate data and technology requirements.
    • Facilitates the creation of the data strategy.
    • Manages the enterprise data model.
    • Has a greater knowledge of operational and analytical data use cases.
    • Recommends data management policies and standards, and maintains data management artifacts.
    • Reviews project solution architectures and identifies cross impacts across the data lifecycle.
    • Is a hands-on expert in data management and warehousing technologies.
    • Is not necessarily it’s own designated position, but a role that can be completed by a variety of IT professionals.

    Data architects bridge the gap between strategic and technical requirements:

    Visualization centering the 'Data Architect' as the bridge between 'Data Workers', 'Business', and 'Data & Applications'.

    “Fundamentally, the role of a data architect is to understand the data in an organization at a reasonable level of abstraction.” (Andrew Johnston, Independent Consultant)

    Many are experiencing the pains of poor data architecture, but leading organizations are proactively tackling these issues

    Outdated and archaic systems and processes limit the ability to access data in a timely and efficient manner, ultimately diminishing the value your data should bring.

    59%

    of firms believe their legacy storage systems require too much processing to meet today’s business needs. (Attivio, Survey Big Data decision Makers, 2016)

    48%

    of companies experience pains from being reliant on “manual methods and trial and error when preparing data.” (Attivio, Survey Big Data decision Makers, 2016)

    44%
    +
    22%

    44% of firms said preparing data was their top hurdle for analytics, with 22% citing problems in accessing data. (Data Virtualization blog, Data Movement Killed the BI Star, 2016)

    Intuitive organizations who have recognized these shortcomings have already begun the transition to modernized and optimized systems and processes.

    28%

    of survey respondents say they plan to replace “data management and architecture because it cannot handle the requirements of big data.” (Informatica, Digital Transformation: Is Your Data Management Ready, 2016)

    50%

    Of enterprises plan to replace their data warehouse systems and analytical tools in the next few years. (TDWI, End of the Data Warehouse as we know it, 2017)

    Leading organizations are attacking data architecture problems … you will be left behind if you do not start now!

    Once on your path to redesigning your data architecture, neglecting the strategic elements may leave you ineffective

    Focusing on only data models without the required data architecture guidance can cause harmful symptoms in your IT department, which will lead to organization-wide problems.

    IT Symptoms Due to Ineffective Data Architecture

    Poor Data Quality

    • Inconsistent, duplicate, missing, incomplete, incorrect, unstandardized, out of date, and mistake-riddled data can plague your systems.

    Poor Accessibility

    • Delays in accessing data.
    • Limits on who can access data.
    • Limited access to data remotely.

    Strategic Disconnect

    • Disconnect between owner and consumer of data.
    • Solutions address narrow scope problems.
    • System barriers between departments.
    Leads to Poor Organizational Conditions

    Inaccurate Insights

    • Inconsistent and/or erroneous operational and management reports.
    • Ineffective cross-departmental use of analytics.

    Ineffective Decision Making

    • Slow flow of information to executive decision makers.
    • Inconsistent interpretation of data or reports.

    Inefficient Operations

    • Limits to automated functionality.
    • Increased divisions within organization.
    • Regulatory compliance violations.
    You need a solution that will prevent the pains.

    Follow Info-Tech’s methodology to optimize data architecture to meet the business needs

    The following is a summary of Info-Tech’s methodology:

    1

    1. Prioritize your core business objectives and identify your business driver.
    2. Learn how business drivers apply to specific tiers of Info-Tech’s five-tier data architecture model.
    3. Determine the appropriate tactical pattern that addresses your most important requirements.
    Visualization of the process described on the left: Business drivers applying to Info-Tech's five-tier data architecture, then determining tactical patterns, and eventually setting targets of your desired optimized state.

    2

    1. Select the areas of the five-tier architecture to focus on.
    2. Measure current state.
    3. Set the targets of your desired optimized state.

    3

    1. Roadmap your tactics.
    2. Manage and communicate change.
    A roadmap leading to communication.

    Info-Tech will get you to your optimized state faster by focusing on the important business issues

    First Things First

    1. Info-Tech’s methodology helps you to prioritize and establish the core strategic objectives behind your goal of modernizing data architecture. This will narrow your focus to the appropriate areas of your current data systems and processes that require the most attention.

    Info-Tech has identified these four common drivers that lead to the need to optimize your data architecture.

    • Becoming More Data Driven
    • Regulations and Compliance
    • Mergers and Acquisitions
    • New Functionality or Business Rule

    These different core objectives underline the motivation to optimize data architecture, and will determine your overall approach.

    Use the five-tier architecture to provide a consumable view of your data architecture

    Every organization’s data system requires a unique design and an assortment of applications and storage units to fit their business needs. Therefore, it is difficult to paint a picture of an ideal model that has universal applications. However, when data architecture is broken down in terms of layers or tiers, there exists a general structure that is seen in all data systems.

    Info-Tech's Five Tier Data Architecture. The five tiers being 'Sources' which includes 'Apps', 'Excel and other documents', and 'Access database(s)'; 'Integration and Translation' the 'Movement and transformation of data'; 'Warehousing' which includes 'Data Lakes & Warehouse(s) (Raw Data)'; 'Analytics' which includes 'Data Marts', 'Data Cube', 'Flat Files', and 'BI Tools'; and 'Presentation' which includes 'Reports' and 'Dashboards'.

    Thinking of your data systems and processes in this framework will allow you to see how different elements of the architecture relate to specific business operations.

    1. This blueprint will demonstrate how the business driver behind your redesign requires you to address specific layers of the five-tier data architecture.
    1. Once you’ve aligned your business driver to the appropriate data tiers, this blueprint will provide you with the best practice tactics you should apply to achieve an optimized data architecture.

    Use the five-tier architecture to prioritize tactics to improve your data architecture in line with your pattern

    Info-Tech’s Data Architecture Capability Model
    Info-Tech’s Data Architecture Capability Model featuring the five-tier architecture listing 'Core Capabilities' and 'Advanced Capabilities' within each tier, and a list of 'Cross Capabilities' which apply to all tiers.
    1. Based on your business driver, the relevant data tiers, and your organization’s own specific requirements you will need to establish the appropriate data architecture capabilities.
    2. This blueprint will help you measure how you are currently performing in these capabilities…
    3. And help you define and set targets so you can reach your optimized state.
    1. Once completed, these steps will be provided with the information you will need to create a comprehensive roadmap.
    2. Lastly, this blueprint will provide you with the tools to communicate this plan across your organization and offer change management guidelines to ensure successful adoption.
    Info-Tech Insight

    Optimizing data architecture requires a tactical approach, not a passive approach.

    The demanding task of optimization requires the ability to heavily prioritize. After you have identified why, determine how using our pre-built roadmap to address the four common drivers.

    Do not forget: data architecture is not a standalone concept; it fits into the more holistic design of enterprise architecture

    Data Architecture in Alignment

    Data architecture can not be designed to simply address the focus of data specialists or even the IT department.

    It must act as a key component in the all encompassing enterprise architecture and reflect the strategy and design of the entire business.

    Data architecture collaborates with application architecture in the delivery of effective information systems, and informs technology architecture on data related infrastructure requirements/considerations

    Please refer to the following blueprints to see the full picture of enterprise architecture:

    A diagram titled 'Enterprise Architecture' with multiple forms of architecture interacting with each other. At the top is 'Business Architecture' which feeds into 'Data Architecture' and 'Application Architecture' which feed into each other, and influence 'Infrastructure Architecture' and 'Security Architecture'.
    Adapted from TOGAF
    Refer to Phase C of TOGAF and Bizbok for references to the components of business architecture that are used in data architecture.

    Info-Tech’s data architecture optimization methodology helped a monetary authority fulfill strict regulatory pressures

    CASE STUDY

    Industry: Financial
    Source: Info-Tech Consulting
    Symbol for 'Monetary Authority Case Study'. Look for this symbol as you walk through the blueprint for details on how Info-Tech Consulting assisted this monetary authority.

    Situation: Strong external pressures required the monetary authority to update and optimize its data architecture.

    The monetary authority is responsible for oversight of the financial situation of a country that takes in revenue from foreign incorporation. Due to increased pressure from international regulatory bodies, the monetary authority became responsible for generating multiple different types of beneficial ownership reports based on corporation ownership data within 24 hours of a request.

    A stale and inefficient data architecture prevented the monetary authority from fulfilling external pressures.

    Normally, the process to generate and provide beneficial ownership reports took a week or more. This was due to multiple points of stale data architecture, including a dependence on outdated legacy systems and a broken process for gathering the required data from a mix of paper and electronic sources.

    Provide a structured approach to solving the problem

    Info-Tech helped the monetary authority identify the business need that resulted from regulatory pressures, the challenges that needed to be overcome, and actionable tactics for addressing the needs.

    Info-Tech’s methodology was followed to optimize the areas of data architecture that address the business driver.

    • External Requirements
    • Business Driver
        Diagnose Data Architecture Problems
      • Outdated architecture (paper, legacy systems)
      • Stale data from other agencies
      • Incomplete data
          Data Architecture Optimization Tactics
        1. Optimized Source Databases
        2. Improved Integration
        3. Data Warehouse Optimization
        4. Data Marts for Reports
        5. Report Delivery Efficiency

    As you walk through this blueprint, watch for additional case studies that walk through the details of how Info-Tech helped this monetary authority.

    This blueprint’s three-step process will help you optimize data architecture in your organization

    Phase 1
    Prioritize Your Data Architecture With Business-Driven Tactics
    Phase 2
    Personalize Your Tactics to Optimize Your Data Architecture
    Phase 3
    Create Your Tactical Data Architecture Roadmap
    Step 1: Identify Your Business Driver for Optimizing Data Architecture
    • Learn about what data architecture is and how it must evolve with the drivers of the business.
    • Determine the business driver that your organization is currently experiencing.
    • Data Architecture Driver Pattern Identification Tool

    Step 2: Determine Actionable Tactics to Optimize Data Architecture
    • Create your data architecture optimization plan to determine the high-level tactics you need to follow.
    • Data Architecture Optimization Template

    Step 1: Measure Your Data Architecture Capabilities
    • Determine where you currently stand in the data architecture capabilities across the five-tier data architecture.
    • Data Architecture Tactical Roadmap Tool

    Step 2: Set a Target for Data Architecture Capabilities
    • Identify your targets for the data architecture capabilities.
    • Data Architecture Tactical Roadmap Tool

    Step 3: Identify the Tactics that Apply to Your Organization
    • Understand the trends in the field of data architecture and how they can help to optimize your environment.
    • Data Architecture Trends Presentation

    Step 1: Personalize Your Data Architecture Roadmap
    • Personalize the tactics across the tiers that apply to you to build your personalized roadmap.
    • Data Architecture Tactical Roadmap Tool

    Step 2: Manage Your Data Architecture Decisions and the Resulting Changes
    • Document the changes in the organization’s data architecture.
    • Data architecture involves change management – learn how data architects should support change management in the organization.
    • Data Architecture Decision Template

    Use these icons to help direct you as you navigate this research

    Use these icons to help guide you through each step of the blueprint and direct you to content related to the recommended activities.

    A small monochrome icon of a wrench and screwdriver creating an X.

    This icon denotes a slide where a supporting Info-Tech tool or template will help you perform the activity or step associated with the slide. Refer to the supporting tool or template to get the best results and proceed to the next step of the project.

    A small monochrome icon depicting a person in front of a blank slide.

    This icon denotes a slide with an associated activity. The activity can be performed either as part of your project or with the support of Info-Tech team members, who will come onsite to facilitate a workshop for your organization.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Build a Business-Aligned Data Architecture Optimization Strategy – project overview

    PHASE 1
    Prioritize Your Data Architecture With Business-Driven Tactics
    PHASE 2
    Personalize Your Tactics to Optimize Your Data Architecture
    PHASE 3
    Create Your Tactical Data Architecture Roadmap
    Supporting Tool icon

    Best-Practice Toolkit

    1.1 Identify Your Business Driver for Optimizing Data Architecture

    1.2 Determine Actionable Tactics to Optimize Data Architecture

    2.1 Measure Your Data Architecture Capabilities

    2.2 Set a Target for Data Architecture Capabilities

    2.3 Identify the Tactics that Apply to Your Organization

    3.1 Personalize Your Data Architecture Roadmap

    3.2 Manage Your Data Architecture Decisions and the Resulting Changes

    Guided Implementations

    • Understand what data architecture is, how it aligns with enterprise architecture, and how data architects support the needs of the business.
    • Identify the business drivers that necessitate the optimization of the organization’s data architecture.
    • Create a tactical plan to optimize data architecture across Info-Tech’s five-tier logical data architecture model.
    • Understand Info-Tech’s tactical data architecture capability model and measure the current state of these capabilities at the organization.
    • Determine the target state of data architecture capabilities.
    • Understand the trends in the field of data architecture and identify how they can fit into your environment.
    • Use the results of the data architecture capability gap assessment to determine the priority of activities to populate your personalized data architecture optimization roadmap.
    • Understand how to manage change as a data architect or equivalent.
    Associated Activity icon

    Onsite Workshop

    Module 1:
    Identify the Drivers of the Business for Optimizing Data Architecture
    Module 2:
    Create a Tactical Plan for Optimizing Data Architecture
    Module 3:
    Create a Personalized Roadmap for Data Architecture Activities

    Workshop overview

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Preparation

    Workshop Day 1

    Workshop Day 2

    Workshop Day 3

    Workshop Day 4

    Workshop Day 5

    Organize and Plan Workshop Identify the Drivers of the Business for Optimizing Data Architecture Determine the Tactics For Optimizing Data Architecture Create Your Roadmap of Optimization Activities Create Your Personalized Roadmap Create a Plan for Change Management

    Morning Activities

    • Finalize workshop itinerary and scope.
    • Identify workshop participants.
    • Gather strategic documentation.
    • Engage necessary stakeholders.
    • Book interviews.
    • 1.1 Explain approach and value proposition.
    • 1.2 Review the common business drivers and how the organization is driving a need to optimize data architecture.
    • 2.1 Create your data architecture optimization plan.
    • 2.2 Interview key business stakeholders for input on business drivers for data architecture.
    • 3.1 Align with the enterprise architecture by interviewing the enterprise architect for input on the data architecture optimization roadmap.
    • 4.1 As a group, determine the roadmap activities that are applicable to your organization and brainstorm applicable initiatives.
    • 5.1 Use the Data Architecture Decision Documentation Template to document key decisions and updates.

    Afternoon Activities

    • 1.3 Understand Info-Tech’s Five-Tier Data Architecture.
    • 1.4 Determine the pattern of tactics that apply to the organization for optimization.
    • 2.3 With input from the business and enterprise architect, determine the current data architecture capabilities.
    • 3.3 With input from the business and enterprise architect, determine the target data architecture capabilities.
    • 4.2 Determine the timing and effort of the roadmap activities.
    • 5.2 Review best practices for change management.
    • 5.3 Present roadmap and findings to the business stakeholders and enterprise architect.

    Deliverables

    • Workshop Itinerary
    • Workshop Participant List
    1. Five-Tier Logical Data Architecture Model
    2. Data Architecture Tactic Plan
    1. Five-Tier Data Architecture Capability Model
    1. Data Architecture Tactical Roadmap
    1. Data Architecture Tactical Roadmap
    1. Data Architecture Decision Template

    Build a Business-Aligned Data Architecture Optimization Strategy

    PHASE 1

    Prioritize Your Data Architecture With Business-Driven Tactics

    Phase 1 outline

    Associated Activity icon Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Prioritize Your Data Architecture With Business-Driven Tactics

    Proposed Time to Completion: 2 weeks
    Step 1.1: Identify Your Business Driver for Optimizing Data Architecture Step 1.2: Determine Actionable Tactics to Optimize Data Architecture
    Start with an analyst kick-off call:
    • Understand what data architecture is, what it is not, and how it fits into the broader enterprise architecture program.
    • Determine the drivers that fuel the need for data architecture optimization.
    Review findings with analyst:
    • Understand the Five-Tier Data Architecture Model and how the drivers of the business inform your priorities across this logical model of data architecture.
    Then complete these activities…
    • Complete the Data Architecture Driver Pattern Identification Tool.
    Then complete these activities…
    • Create a tactical data architecture optimization plan based on the business driver input.
    With these tools & templates:
    • Data Architecture Driver Pattern Identification Tool
    With these tools & templates:
    • Data Architecture Optimization Template

    Phase 1 Results & Insights

    • Data Architecture is not just about data models. The approach that Phase 1 guides you through will help to not only plan where you need to focus your efforts as a data architect (or equivalent) but also give you guidance in how you should go about optimizing the holistic data architecture environment based on the drivers of the business.

    Phase 1 will help you create a strategy to optimize your data architecture using actionable tactics

    In this phase, you will determine your focus for optimizing your data architecture based on the business drivers that are commonly felt by most organizations.

    1. Identify the business drivers that necessitate data architecture optimization efforts.
    2. Understand Info-Tech’s Five-Tier Data Architecture, a logical architecture model that will help you prioritize tactics for optimizing your data architecture environment.
    3. Identify tactics for optimizing the organization’s data architecture across the five tiers.

    “To stay competitive, we need to become more data-driven. Compliance pressures are becoming more demanding. We need to add a new functionality.”

    Info-Tech’s Five-Tier Data Architecture:

    1. Data Sources
    2. Data Integration and Translation
    3. Data Warehousing
    4. Data Analytics
    5. Data Presentation

    Tactical plan for Data Architecture Optimization

    Phase 1, Step 1: Identify Your Business Driver for Optimizing Data Architecture

    PHASE 1

    1.1 1.2
    Identify Your Business Driver for Optimizing Data Architecture Determine Actionable Tactics to Optimize Data Architecture

    This step will walk you through the following activities:

    • Understand how data architecture fits into the organization’s larger enterprise architecture.
    • Understand what data architecture is and how it should be driven by the business.
    • Identify the driver that is creating a need for data architecture optimization.

    This step involves the following participants:

    • Data Architect
    • Enterprise Architect

    Outcomes of this step

    • A starting point for the many responsibilities of the data architect role. Balancing business and technical requirements can be challenging, and to do so you need to first understand what is driving the need for data architecture improvements.
    • Holistic understanding of the organization’s architecture environment, including enterprise, application, data, and technology architectures and how they interact.

    Data architecture involves planning, communication, and understanding of technology

    Data Architecture

    A description of the structure and interaction of the enterprise’s major types and sources of data, logical data assets, physical data assets, and data management resources (TOGAF 9).

    The subject area of data management that defines the data needs of the enterprise and designs the master blueprints to meet those needs (DAMA DMBOK, 2009).

    IBM (2007) defines data architecture as the design of systems and applications that facilitate data availability and distribution across the enterprise.

    Definitions vary slightly across major architecture and management frameworks.

    However, there is a general consensus that data architecture provides organizations with:

    • Alignment
    • Planning
    • Road mapping
    • Change management
    • A guide for the organization’s data management program

    Data architecture must be based on business goals and objectives; developed within the technical strategies, constraints, and opportunities of the organization in support of providing a foundation for data management.

    Current Data Management
    • Alignment
    • Planning
    • Road mapping
    Goal for Data Management

    Info-Tech Insight

    Data Architecture is not just data models. Data architects must understand the needs of the business, as well as the existing people and processes that already exist in the organization to effectively perform their job.

    Review how data architecture fits into the broader architectural context

    A flow diagram starting with 'Business Processes/Activities' to 'Business Architecture' which through a process of 'Integration' flows to 'Data Architecture' and 'Application Architecture', the latter of which also flows into to the former, and they both flow into 'Technology Architecture' which includes 'Infrastructure' and 'Security'.

    Each layer of architecture informs the next. In other words, each layer has components that execute processes and offer services to the next layer. For example, data architecture can be broken down into more granular activities and processes that inform how the organization’s technology architecture should be arranged.

    Data does not exist on its own. It is informed by business architecture and used by other architectural domains to deliver systems, IT services, and to support business processes. As you build your practice, you must consider how data fits within the broader architectural framework.

    The Zachman Framework is a widely used EA framework; within it, data is identified as the first domain.

    The framework aims to standardize artifacts (work-products) within each architectural domain, provides a cohesive view of the scope of EA and clearly delineates data components. Use the framework to ensure that your target DA practice is aligned to other domains within the EA framework.

    'The Zachman Framework for Enterprise Architecture: The Enterprise Ontology', a complicated framework with top and bottom column headers and left and right row headers. Along the top are 'Classification Names': 'What', 'How', 'Where', 'Who', 'When', and 'Why'. Along the bottom are 'Enterprise Names': 'Inventory Sets', 'Process Flows', 'Distribution Networks', 'Responsibility Assignments', 'Timing Cycles', and 'Motivation Intentions'. Along the left are 'Audience Perspectives': 'Executive Perspective', 'Business Mgmt. Perspective', 'Architect Perspective', 'Engineer Perspective', 'Technician Perspective', and 'Enterprise Perspective'. Along the right are 'Model Names': 'Scope Contexts', 'Business Concepts', 'System Logic', 'Technology Physics', 'Tool Components', and 'Operations Instances'.
    (Source: Zachman International)

    Data architects operate in alignment with the other various architecture groups

    Data architects operate in alignment with the other various architecture groups, with coordination from the enterprise architect.

    Enterprise Architect
    The enterprise architect provides thought leadership and direction to domain architects.

    They also maintain architectural standards across all the architectural domains and serve as a lead project solution architect on the most critical assignments.

    • Business Architect
      A business subject matter expert who works with the line-of-business team to assist in business planning through capability-based planning.
    • Security Architect
      Plays a pivotal role in formulating the security strategy of the organization, working with the business and CISO/security manager. Recommends and maintains security standards, policies, and best practices.
    • Infrastructure Architect
      Recommends and maintains standards across the compute, storage, and network layers of the organization. Reviews project solution architectures to ensure compliance with infrastructure standards, regulations, and target state blueprints.
    • Application Architect
      Manages the business effectiveness, satisfaction, and maintainability of the application portfolio. Conduct application architecture assessments to document expected quality attribute standards, identify hotspots, and recommend best practices.
    • Data Architect
      Facilitates the creation of data strategy and has a greater understanding of operational and analytical data use cases. Manages the enterprise data model which includes all the three layers of modelling - conceptual, logical, and physical. Recommends data management policies and standards, and maintains data management artefacts. Reviews project solution architectures and identifies cross impacts across the data lifecycle.

    As a data architect, you must maintain balance between the technical and the business requirements

    The data architect role is integral to connecting the long-term goals of the business with how the organization plans to manage its data for optimal use.

    Data architects need to have a deep experience in data management, data warehousing, and analytics technologies. At a high level, the data architect plans and implements an organization’s data, reporting, and analytics roadmap.

    Some of the role’s primary duties and responsibilities include:

    1. Data modeling
    2. Reviewing existing data architecture
    3. Benchmark and improve database performance
    4. Fine tune database and SQL queries
    5. Lead on ETL activities
    6. Validate data integrity across all platforms
    7. Manage underlying framework for data presentation layer
    8. Ensure compliance with proper reporting to bureaus and partners
    9. Advise management on data solutions

    Data architects bridge the gap between strategic and technical requirements:

    Visualization centering the 'Data Architect' as the bridge between 'Data Workers', 'Business', and 'Data & Applications'.

    “Fundamentally, the role of a data architect is to understand the data in an organization at a reasonable level of abstraction.” (Andrew Johnston, Independent Consultant)

    Info-Tech Insight

    The data architect role is not always clear cut. Many organizations do not have a dedicated data architect resource, and may not need one. However, the duties and responsibilities of the data architect must be carried out to some degree by a combination of resources as appropriate to the organization’s size and environment.

    Understand the role of a data architect to ensure that essential responsibilities are covered in the organization

    A database administrator (DBA) is not a data architect, and data architecture is not something you buy from an enterprise application vendor.

    Data Architect Role Description

    • The data architect must develop (along with the business) a short-term and long-term vision for the enterprise’s data architecture.
    • They must be able to create processes for governing the identification, collection, and use of accurate and valid metadata, as well as for tracking data quality, completeness, and redundancy.
    • They need to create strategies for data security, backup, disaster recovery, business continuity, and archiving, and ensure regulatory compliance.

    Skills Necessary

    • Hands-on experience with data architecting and management, data mining, and large-scale data modeling.
    • Strong understanding of relational and non-relational data structures, theories, principles, and practices.
    • Strong familiarity with metadata management.
    • Knowledge of data privacy practices and laws.

    Define Policies, Processes, and Priorities

    • Policies
      • Boundaries of the data architecture.
      • Data architecture standards.
      • Data architecture security.
      • Responsibility of ownership for the data architecture and data repositories.
      • Responsibility for data architecture governance.
    • Processes
      • Data architecture communication.
      • Data architecture change management.
      • Data architecture governance.
      • Policy compliance monitoring.
    • Priorities
      • Align architecture efforts with business priorities.
      • Close technology gaps to meet service level agreements (SLAs).
      • Determine impacts on current or future projects.

    See Info-Tech’s Data Architect job description for a comprehensive description of the data architect role.

    Leverage data architecture frameworks to understand how the role fits into the greater Enterprise Architecture framework

    Enterprise data architectures are available from industry consortiums such as The Open Group (TOGAF®), and open source initiatives such as MIKE2.0.

    Logo for The Open Group.

    The Open Group TOGAF enterprise architecture model is a detailed framework of models, methods, and supporting tools to create an enterprise-level architecture.

    • TOGAF was first developed in 1995 and was based on the Technical Architecture Framework for Information Management (TAFIM) developed by the US Department of Defense.
    • TOGAF includes application, data, and infrastructure architecture domains providing enterprise-level, product-neutral architecture principles, policies, methods, and models.
    • As a member of The Open Group, it is possible to participate in ongoing TOGAF development initiatives.

    The wide adoption of TOGAF has resulted in the mapping of it to several other industry standards including CoBIT and ITIL.

    Logo for MIKE2.0.

    MIKE2.0 (Method for an Integrated Knowledge Environment), is an open source method for enterprise information management providing a framework for information development.

    • SAFE (Strategic Architecture for the Federated Enterprise) provides the technology solution framework for MIKE2.0
    • SAFE includes application, presentation, information, data, Infrastructure, and metadata architecture domains.

    Info-Tech Best Practice

    If an enterprise-level IT architecture is your goal, TOGAF is likely a better model. However, if you are an information and knowledge-based business then MIKE2.0 may be more relevant to your business.

    The data architect must identify what drives the need for data from the business to create a business-driven architecture

    As the business landscape evolves, new needs arise. An organization may undergo new compliance requirements, or look to improve their customer intimacy, which could require a new functionality from an application and its associated database.

    There are four common scenarios that lead to an organization’s need to optimize its data architecture and these scenarios all present unique challenges for a data architect:

    1. Becoming More Data Driven As organizations are looking to get more out of their data, there is a push for more accurate and timely data from applications. Data-driven decision making requires verifiable data from trustworthy sources. Result: Replace decisions made on gut or intuition with real and empirical data - make more informed and data-driven decisions.
    2. New Functionality or Business Rule In order to succeed as business landscapes change, organizations find themselves innovating on products or services and the way they do things. Changes in business rules, product or service offering, and new functionalities can subsequently demand more from the existing data architecture. Result: Prepare yourself to successfully launch new business initiatives with an architecture that supports business needs.
    3. Mergers and Acquisitions If an organization has recently acquired, been acquired, or is merging with another, the technological implications require careful planning to ensure a seamless fit. Application consolidation, retirement, data transfer, and integration points are crucial. Result: Leverage opportunities to incorporate and consolidate new synergistic assets to realize the ROI.
    4. Risk and Compliance Data in highly regulated organizations needs to be kept safe and secure. Architectural decisions around data impact the level of compliance within the organization. Result: Avoid the fear of data audits, regulatory violations, and privacy breaches.

    Info-Tech Best Practice

    These are not the only reasons why data architects need to optimize the organization’s data architecture. These are only four of the most common scenarios, however, other business needs can be addressed using the same concept as these four common scenarios.

    Use the Data Architecture Driver tool to identify your focus for data architecture

    Supporting Tool icon 1.1 Data Architecture Driver Pattern Identification Tool

    Follow Info-Tech’s process of first analyzing the needs of the business, then determining how best to architect your data based on these drivers. Data architecture needs to be able to rapidly evolve to support the strategic goals of the business, and the Data Architecture Driver Pattern Identification Tool will help you to prioritize your efforts to best do this.

    Tab 2. Driver Identification

    Objective: Objectively assess the most pressing business drivers.

    Screenshot of the Data Architecture Driver Pattern Identification Tool, tab 2.

    Tab 3. Tactic Pattern Plan, Section 1

    Purpose: Review your business drivers that require architectural changes in your environment.

    Screenshot of the Data Architecture Driver Pattern Identification Tool, tab 3, section 1.

    Tab 3. Tactic Pattern Plan, Section 2

    Purpose: Determine a list of tactics that will help you address the business drivers.

    Screenshot of the Data Architecture Driver Pattern Identification Tool, tab 3, section 2.

    Step
    • Evaluate business drivers to determine the data architecture optimization priorities and tactics.
    Step
    • Understand how each business driver relates to data architecture and how each driver gives rise to a specific pattern across the five-tier data architecture.
    Step
    • Review the list of high-level tactics presented to optimize your data architecture across the five tier architecture.

    Identify the drivers for improving your data architecture

    Associated Activity icon 1.1.1 1 hour

    INPUT: Data Architecture Driver tool assessment prompts.

    OUTPUT: Identified business driver that applies to your organization.

    Materials: Data Architecture Driver Pattern Identification Tool

    Participants: Data architect, Enterprise architect

    Instructions

    In Tab 2. Driver Identification of the Data Architecture Driver Pattern Identification Tool, assess the degree to which the organization is feeling the pains of the four most common business drivers:

    1. Is there a present or growing need for the business to be making data-driven decisions?
    2. Does the business want to explore a new functionality and hence require a new application?
    3. Is your organization acquiring or merging with another entity?
    4. Is your organization’s regulatory environment quick to change and require stricter reporting?

    Data architecture improvements need to be driven by business need.

    Screenshot of the Data Architecture Driver Pattern Identification Tool, tab 2 Driver Identification.
    Tab 2. Driver Identification

    “As a data architect, you have to understand the functional requirements, the non-functional requirements, then you need to make a solution for those requirements. There can be multiple solutions and multiple purposes. (Andrew Johnston, Independent Consultant)

    Interview the business to get clarity on business objectives and drivers

    Associated Activity icon 1.1.2 1 hour per interview

    INPUT: Sample questions targeting the activities, challenges, and opportunities of each business unit

    OUTPUT: Sample questions targeting the activities, challenges, and opportunities of each business unit

    Materials: Data Architecture Driver Pattern Identification Tool

    Participants: Data architect, Business representatives, IT representatives

    Identify 2-3 business units that demonstrate enthusiasm for or a positive outlook on improving how organizational data can help them in their role and as a unit.

    Conducting a deep-dive interview process with these key stakeholders will help further identify high-level goals for the data architecture strategy within each business unit. This process will help to secure their support throughout the implementation process by giving them a sense of ownership.

    Key Interview Questions:

    1. What are your primary activities? What do you do?
    2. What challenges do you have when completing your activities?
    3. How is poor data impacting your job?
    4. If [your selected domain]’s data is improved, what business issues would this help solve?

    Request background information and documentation from stakeholders regarding the following:

    • What current data management policies and processes exist (that you know of)?
    • Who are the data owners and end users?
    • Where are the data sources within the department stored?
    • Who has access to these data sources?
    • Are there existing or ongoing data issues within those data sources?

    Interview the enterprise architect to get input on the drivers of the business

    Associated Activity icon 1.1.3 2 hours

    INPUT: Data Architecture Driver tool assessment prompts.

    OUTPUT: Identified business driver that applies to your organization.

    Materials: Data Architecture Driver Pattern Identification Tool

    Participants: Data architect, Enterprise architect

    Data architecture improvements need to be driven by business need.

    Instructions

    As you work through Tab 2. Driver Identification of the Data Architecture Driver Pattern Identification Tool, consult with the enterprise architect or equivalent to assist you in rating the importance of each of the symptoms of the business drivers. This will help you provide greater value to the business and more aligned objectives.

    Screenshot of the Data Architecture Driver Pattern Identification Tool, tab 2 Driver Identification.
    Tab 2. Driver Identification

    Once you know what that need is, go to Step 2.

    Phase 1, Step 2: Establish Actionable Tactics to Optimize Data Architecture

    PHASE 1

    1.11.2
    Identify Your Business Driver for Optimizing Data ArchitectureDetermine Actionable Tactics to Optimize Data Architecture

    This step will walk you through the following activities:

    • Understand Info-Tech’s five-tier data architecture to begin focusing your architectural optimization.
    • Create your Data Architecture Optimization Template to plan your improvement tactics.
    • Prioritize your tactics based on the five-tier architecture to plan optimization.

    This step involves the following participants:

    • Data Architect
    • Enterprise Architect
    • DBAs

    Outcomes of this step

    • A tactical and prioritized plan for optimizing the organization’s data architecture according to the needs of the business.

    To plan a business-driven architecture, data architects need to keep the organization’s big picture in mind

    Remember… Architecting an organization involves alignment, planning, road mapping, design, and change management functions.

    Data architects must be heavily involved with:

    • Understanding the short- and long-term visions of the business to develop a vision for the organization’s data architecture.
    • Creating processes for governing the identification, collection, and use of accurate and valid data, as well as for tracking data quality, completeness, and redundancy.
    • They need to create strategies for data security, backup, disaster recovery, business continuity, and archiving, and ensure regulatory compliance.

    To do this, you need a framework. A framework provides you with the holistic view of the organization’s data environment that you can use to design short- and long-term tactics for improving the use of data for the needs of the business.

    Use Info-Tech’s five-tier data architecture to model your environment in a logical, consumable fashion.

    Info-Tech Best Practice

    The more complicated an environment is, the more need there is for a framework. Being able to pick a starting point and prioritize tasks is one of the most difficult, yet most essential, aspects of any architect’s role.

    The five tiers of an organization’s data architecture support the use of data throughout its lifecycle

    Info-Tech’s five-tier data architecture model summarizes an organization’s data environment at a logical level. Data flows from left to right, but can also flow from the presentation layer back to the warehousing layer for repatriation of data.

    Info-Tech's Five Tier Data Architecture. The five tiers being 'Sources' which includes 'App1 ', 'App2', 'Excel and other documents', 'Access database(s)', 'IOT devices', and 'External data feed(s) & social media'; 'Integration and Translation' which includes 'Solutions: SOA, Point to Point, Manual Loading, ESB , ETL, ODS, Data Hub' and 'Functions: Scrambling Masking Encryption, Tokenizing, Aggregation, Transformation, Migration, Modeling'; 'Warehousing' which includes 'Data Lakes & Warehouse(s) (Raw Data)', 'EIM, ECM, DAM', and 'Data Lakes & Warehouse(s) (Derived Data)'; 'Analytics' which includes 'Data Marts', 'Data Cube', 'Flat Files', 'BI Tools', and the 'Protected Zone: Data Marts - BDG Class Ref. MDM'; and 'Presentation' which includes 'Formulas', 'Thought Models', 'Reports', 'Dashboards', 'Presentations', and 'Derived Data (from analytics activities)'.

    Use the Data Architecture Optimization Template to build your improvement roadmap

    Supporting Tool icon 1.2 Data Architecture Optimization Template

    Download the Data Architecture Optimization Template.

    Overview

    Use this template to support your team in creating a tactical strategy for optimizing your data architecture across the five tiers of the organization’s architecture. This template can be used to document your organization’s most pressing business driver, the reasons for optimizing data architecture according to that driver, and the tactics that will be employed to address the shortcomings in the architecture.

    Sample of Info-Tech’s Data Architecture Optimization Template. Info-Tech’s Data Architecture Optimization Template Table of Contents
    1. Build Your Current Data Architecture Logical Model Use this section to document the current data architecture situation, which will provide context for your plan to optimize your data architecture.
    2. Optimization Plan Use this section to document the tactics that will be employed to optimize the current data architecture according to the tactic pattern identified by the business driver.

    Fill out as you go

    As you read about the details of the five-tier data architecture model in the following slides, start building your current logical data architecture model by filling out the sections that correspond to the various tiers. For example, if you identified that the most pressing business driver is becoming compliant with regulations, document the sources of data required for compliance, as well as the warehousing strategy currently being employed. This will help you to understand the organization’s data architecture at a logical level.

    Tier 1 represents all of the sources of your organization’s data

    Tier 1 of Info-Tech's Five Tier Data Architecture, 'Sources', which includes 'App1 ', 'App2', 'Excel and other documents', 'Access database(s)', 'IOT devices', and 'External data feed(s) & social media'.
    –› Data to integration layer

    Tier 1 is where the data enters the organization.

    All applications, data documents such as MS Excel spreadsheets, documents with table entries, manual extractions from other document types, user-level databases including MS Access and MySQL, other data sources, data feeds, big datasets, etc. reside here.

    This tier typically holds the siloed data that is so often not available across the enterprise because the data is held within department-level applications or systems. This is also the layer where transactions and operational activities occur and where data is first created or ingested.

    There are any number of business activities from transactions through business processes that require data to flow from one system to another, so it is often at this layer we see data created more than once, data corruption occurs, manual re-keying of data from system to system, and spaghetti-like point-to-point connections are built that are often fragile. This is usually the single most problematic area within an enterprise’s data environment. Application- or operational-level (siloed) reporting often occurs at this level.

    Info-Tech Best Practice

    An optimized Tier 1 has the following attributes:

    • Rationalized applications
    • Operationalized database administration
    • Databases governed, monitored, and maintained to ensure optimal performance

    Tier 2 represents the movement of data

    Tier 2 of Info-Tech's Five Tier Data Architecture, 'Integration and Translation', which includes 'Solutions: SOA, Point to Point, Manual Loading, ESB , ETL, ODS, Data Hub' and 'Functions: Scrambling Masking Encryption, Tokenizing, Aggregation, Transformation, Migration, Modeling'.
    –› Data to Warehouse Environment

    Find out more

    For more information on data integration, see Info-Tech’s Optimize the Organization’s Data Integration Practices blueprint.

    Tier 2 is where integration, transformation, and aggregation occur.

    Regardless of how you integrate your systems and data stores, whether via ETL, ESB, SOA, data hub, ODS, point-to-point, etc., the goal of this layer is to move data at differing speeds for one of two main purposes:

    1) To move data from originating systems to downstream systems to support integrated business processes. This ensures the data is pristine through the process and improves trustworthiness of outcomes and speed to task and process completion.

    2) To move data to Tier 3 - The Data Warehouse Architecture, where data rests for other purposes. This movement of data in its purest form means we move raw data to storage locations in an overall data warehouse environment reflecting any security, compliance and other standards in our choices for how to store.

    Also, this is where data is transformed for unique business purpose that will also be moved to a place of rest or a place of specific use. Data masking, scrambling, aggregation, cleansing and matching, and other data related blending tasks occur at this layer.

    Info-Tech Best Practice

    An optimized Tier 2 has the following attributes:

    • Business data glossary is leveraged
    • ETL is governed
    • ETL team is empowered
    • Data matching is facilitated
    • Canonical data model is present

    Tier 3 is where data comes together from all sources to be stored in a central warehouse environment

    Tier 3 is where data rests in long-term storage.

    This is where data rests (long-term storage) and also where an enterprise’s information, documents, digital assets, and any other content types are stored. This is also where derived and contrived data creations are stored for re-use, and where formulas, thought models, heuristics, algorithms, report styles, templates, dashboard styles, and presentations-layer widgets are all stored in the enterprise information management system.

    At this layer there may be many technologies and many layers of security to reflect data domains, classifications, retention, compliance, and other data needs. This is also the layer where data lakes exist as well as traditional relational databases, enterprise database systems, enterprise content management systems, and simple user-level databases.

    Info-Tech Best Practice

    An optimized Tier 3 has the following attributes:

    • Data warehouse is governed
    • Data warehouse operations and planning
    • Data library is comprehensive
    • Four Rosetta Stones of data are in place: BDG, data classification, reference data, master data.
    Data from integration layer –›
    Tier 3 of Info-Tech's Five Tier Data Architecture, 'Data Warehouse Environment' which includes 'Data Lakes & Warehouse(s) (Raw Data)', 'EIM, ECM, DAM'.
    –› Analytics

    Find out more

    For more information on Data Warehousing, see Info-Tech’s Build an Extensible Data Warehouse Foundation and Drive Business Innovation With a Modernized Data Warehouse Environment blueprints.

    Tier 4 is where knowledge and insight is born

    Tier 4 represents data being used for a purpose.

    This is where you build fit-for-purpose data sets (marts, cubes, flat files) that may now draw from all enterprise data and information sources as held in Tier 3. This is the first place where enterprise views of all data may be effectively done and with trust that golden records from systems of record are being used properly.

    This is also the layer where BI tools get their greatest use for performing analysis. Unlike Tier 3 where data is at rest, this tier is where data moves back into action. Data is brought together in unique combinations to support reporting, and analytics. It is here that the following enterprise analytic views are crafted:
    Exploratory, Inferential, Causal, Comparative, Statistical, Descriptive, Diagnostic, Hypothesis, Predictive, Decisional, Directional, Prescriptive

    Info-Tech Best Practice

    An optimized Tier 4 has the following attributes:

    • Reporting meets business needs
    • Data mart operations are in place
    • Governance of data marts, cubes, and BI tools in place
    Warehouse Environment –›
    Tier 4 of Info-Tech's Five Tier Data Architecture, 'Analytics', which includes 'Data Marts', 'Data Cube', 'Flat Files', and 'BI Tools'.
    –› Presentation

    Find out more

    For more information on BI tools and strategy, see Info-Tech’s Select and Implement a Business Intelligence and Analytics Solution and Build a Next Generation BI with a Game-Changing BI Strategy blueprints.

    The presentation layer, Tier 5, is where data becomes presentable information

    Tier 5 represents data in knowledge form.

    This is where the data and information combine in information insight mapping methods (presentations, templates, etc.). We craft and create new ways to slice and dice data in Tier 4 to be shown and shared in Tier 5.

    Templates for presenting insights are extremely valuable to an enterprise, both for their initial use, and for the ability to build deeper, more insightful analytics. Re-use of these also enables maximum speed for sharing, consuming the outputs, and collective understanding of these deeper meanings that is a critical asset to any enterprise. These derived datasets and the thought models, presentation styles, templates, and other derived and contrived assets should be repatriated into the derived data repositories and the enterprise information management systems respectively as shown in Tier 3.

    Find out more

    For more information on enterprise content management and metadata, see Info-Tech’s Develop an ECM Strategy and Break Open Your DAM With Intuitive Metadata blueprints.

    Tier 5 of Info-Tech's Five Tier Data Architecture, 'Presentation', which includes 'Formulas', 'Thought Models', 'Reports', 'Dashboards', 'Presentations', and 'Derived Data (from analytics activities)'. The 'Repatriation of data' feeds the derived data back into Warehousing.

    Info-Tech Best Practice

    An optimized Tier 5 has the following attributes:

    • Metadata creation is supervised
    • Metadata is organized
    • Metadata is governed
    • Content management capabilities are present

    Info-Tech Insight

    Repatriation of data and information is an essential activity for all organizations to manage organizational knowledge. This is the activity where information, knowledge, and insights that are stored in content form are moved back to the warehousing layer for long-term storage. Because of this, it is crucial to have an effective ECM strategy as well as the means to find information quickly and efficiently. This is where metadata and taxonomy come in.

    As a data architect, you must prioritize your focus according to business need

    Determine your focus.

    Now that you have an understanding of the drivers requiring data architecture optimization, as well as the current data architecture situation at your organization, it is time to determine the actions that will be taken to address the driver.

    1. Business driver

    Screenshot of Data Architecture Driver Pattern Identification Tool, Tab 2. Tactic Pattern Plan.
    Data Architecture Driver Pattern Identification Tool, Tab 2. Tactic Pattern Plan

    3. Documented tactic plan

    Data Architecture Optimization Template

    2. Tactics across the five tiers

    Another screenshot of Data Architecture Driver Pattern Identification Tool, Tab 2. Tactic Pattern Plan.

    The next four slides provide an overview of the priorities that accompany the four most common business drivers that require updates to a stale data architecture.

    Business driver #1: Adding a new functionality to an application can have wide impacts on data architecture

    Does the business wants to add a new application or supplement an existing application with a new functionality?

    Whether the business wants to gain better customer intimacy, achieve operational excellence, or needs to change its compliance and reporting strategy, the need for collecting new data through a new application or a new functionality within an existing application can arise. This business driver has the following attributes:

    • Often operational oriented and application driven.
    • An application is changed through an application version upgrade, migration to cloud, or application customization, or as a result of application rationalization or changes in the way that application data is generated.
    • However, not all new functionalities trigger this scenario. Non-data-related changes, such as a new interface, new workflows, or any other application functionality changes that do not involve data, will not have data architecture impacts.
    Stock photo of someone using a smartphone with apps.
    Modified icon for Tools & Templates. When this business driver arises, data architects should focus on optimizing architecture at the source tier and the integration of the new functionality. Tactics for this business driver should address the following pattern:
    Tiers 1 and 2 highlighted.

    Business driver #2: Organizations today are looking to become more data driven

    Does the business wants to better leverage its data?

    An organization can want to use its data for multiple reasons. Whether these reasons include improving customer experience or operational excellence, the data architect must ensure that the organization’s data aggregation environment, reporting and analytics, and presentation layer are assessed and optimized for serving the needs of the business.

    “Data-drivenness is about building tools, abilities, and, most crucially, a culture that acts on data.” (Carl Anderson, Creating a Data-Driven Organization)

    Tactics for this business driver should address the following pattern:
    Tiers 3, 4, and 5 highlighted.
    Modified icon for Tools & Templates. When this business driver arises, data architects should focus on optimizing architecture at the source tier and the integration of the new functionality.
    Stock photo of someone sitting at multiple computers with analytics screens open.
    • This scenario is typically project driven and analytical oriented.
    • The business is looking to leverage data and information by processing data through BI tools and self-service.
    • Example: The organization wants to include new third-party data, and needs to build a new data mart to provide a slice of data for analysis.

    Business driver #3: Risk and compliance demands can put pressure on outdated architectures

    Is there increasing pressure on the business to maintain compliance requirements as per regulations?

    An organization can want to use its data for multiple reasons. Whether these reasons include improving customer experience or operational excellence, the data architect must ensure that the organization’s data aggregation environment, reporting and analytics, and presentation layer are assessed and optimized for serving the needs of the business.

    There are different types of requirements:
    • Can be data-element driven. For example, PII, PHI are requirements around data elements that are associated with personal and health information.
    • Can be process driven. For example, some requirements restrict data read/write to certain groups.
    Stock photo of someone pulling a block out of a Jenga tower.
    Modified icon for Tools & Templates. When this business driver arises, data architects should focus on optimizing architecture where data is stored: at the sources, the warehouse environment, and analytics layer. Tactics for this business driver should address the following pattern:
    Tiers 1, 3, and 4 highlighted.

    Business driver #4: Mergers and acquisitions can require a restructuring of the organization’s data architecture

    Is the organization looking to acquire or merge with another organization or line of business?

    There are three scenarios that encompass the mergers and acquisitions business driver for data architecture:

    1. The organization acquires/merges with another organization and wants to integrate the data.
    2. The organization acquires/merges a subset of an organization (a line of business, for example) and wants to integrate the data.
    3. The organization acquires another organization for competitive purposes, and does not need to integrate the data.
    Regardless of what scenario your organization falls into, you must go through the same process of identifying the requirements for the new data:
    1. Understand what data you are getting.
      The business may acquire another organization for the data, for the technology, and/or for algorithms (for example). If the goal is to integrate the new data, you must understand if the data is unstructured, structured, how much data, etc.
    2. Plan for the integration of the new data into your environment.
      Do you have the expertise in-house to integrate the data? Database structures and systems are often mismatched (for example, acquired company could have an Oracle database whereas you are an SAP shop) and this may require expertise from the acquired company or a third party.
    3. Integrate the new data.
      Often, the extraction of the new data is the easy part. Transforming and loading the data is the difficult and costly part.
    “As a data architect, you must do due diligence of the acquired firm. What are the workflows, what are the data sources, what data is useful, what is useless, what is the value of the data, and what are the risks of embedding the data?” (Anonymous Mergers and Acquisitions Consultant)
    Modified icon for Tools & Templates. When this business driver arises, data architects should focus on optimizing architecture at the source tier, the warehousing layer, and analytics. Tiers 1, 3, and 4 highlighted.

    Determine your tier priority pattern and the tactics that you should address based on the business drivers

    Associated Activity icon 1.2.1 30 minutes

    INPUT: Business driver assessment

    OUTPUT: Tactic pattern and tactic plan

    Materials: Data Architecture Driver Pattern Identification Tool, Data Architecture Optimization Template

    Participants: Data architect, Enterprise architect

    Instructions
    1. After you have assessed the organization’s business driver on Tab 1. Driver Identification, move to Tab 2. Tactic Pattern Plan.
    2. Here, you will find a summary of the business driver that applies to you, as well as the tier priority pattern that will help you to focus your efforts for data architecture.
    3. Document the Tier Priority Pattern and associated tactics in Section 2. Optimization Plan of the Data Architecture Optimization Plan.
    Screenshot of Data Architecture Driver Tool.
    Data Architecture Driver Tool
    Arrow pointing right. Sample of Data Architecture Optimization Template
    Data Architecture Optimization Template

    Info-Tech Insight

    Our approach will help you to get to the solution of the organization’s data architecture problems as quickly as possible. However, keep in mind that you should still address the other tiers of your data architecture even if they are not part of the pattern we identified. For example, if you need to become more data driven, don’t completely ignore the sources and the integration of data. However, to deliver the most and quickest value, focus on tiers 3, 4, and 5.

    This phase helped you to create a tactical plan to optimize your data architecture according to business priorities

    Phase 1 is all about focus.

    Data architects and those responsible for updating an organization’s data architecture have a wide-open playing field with which to take their efforts. Being able to narrow down your focus and generate an actionable plan will help you provide more value to the organization quickly and get the most out of your data.

      Phase 1
      • Business Drivers
        • Tactic Pattern
          • Tactical Plan

    Now that you have your prioritized tactical plan, move to Phase 2. This phase will help you map these priorities to the essential capabilities and measure where you stack up in these capabilities. This is an essential step in creating your data architecture roadmap and plan for coming years to modernize the organization’s data architecture.

    To identify what the monetary authority needed from its data architecture, Info-Tech helped determine the business driver

    CASE STUDY

    Industry: Financial
    Source: Info-Tech Consulting
    Symbol for 'Monetary Authority Case Study'.

    Part 1

    Prior to receiving new external requirements, the monetary Authority body had been operating with an inefficient system. Outdated legacy systems, reports in paper form, incomplete reports, and stale data from other agencies resulted in slow data access. The new requirements demanded speeding up this process.

    Diagram comparing the 'Original Reporting' requirement of 'Up to 7 days' vs the 'New Requirement' of 'As soon as 1 hour'. The steps of reporting in that time are 'Report Request', 'Gather Data', and 'Make Report'.

    Although the organization understood it needed changes, it first needed to establish what were the business objectives, and which areas of their architecture they would need to focus on.

    The business driver in this case was compliance requirements, which directed attention to the sources, aggregation, and insights tiers.

    Tiers 1, 3, and 4 highlighted.

    Looking at the how the different tiers relate to certain business operations, the organization uncovered the best practise tactics to achieving an optimized data architecture.

    1. Source Tactics: 3. Warehousing Tactics: 4. Analytics Tactics:
    • Identify data sources
    • Ensure data quality
    • Properly catalogue data
    • Properly index data
    • Provide the means for data accessibility
    • Allow for data reduction/space for report building

    Once the business driver had been established, the organization was able to identify the specific areas it would eventually need to evaluate and remedy as needed.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech Workshop Associated Activity icon

    Book a workshop with our Info-Tech analysts:

    Photo of an Info-Tech analyst.
    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analyst will join you and your team onsite at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    1.1.1

    Sample of activity 1.1.1 'Identify the drivers for improving your data architecture'. Identify the business driver that will set the direction of your data architecture optimization plan.

    In this activity, the facilitator will guide the team in identifying the business driver that is creating the need to improve the organization’s data architecture. Data architecture needs to adapt to the changing needs of the business, so this is the most important step of any data architecture improvements.

    1.2.1

    Sample of activity 1.2.1 'Determine your tier priority pattern and the tactics that you should address based on the business drivers'. Determine the tactics that you will use to optimize data architecture.

    In this activity, the facilitator will help the team create a tactical plan for optimizing the organization’s data architecture across the five tiers of the logical model. This plan can then be followed when addressing the business needs.

    Build a Business-Aligned Data Architecture Optimization Strategy

    PHASE 2

    Personalize Your Tactics to Optimize Your Data Architecture

    Phase 2 will determine your tactics that you should implement to optimize your data architecture

    Business Drivers
    Each business driver requires focus on specific tiers and their corresponding capabilities, which in turn correspond to tactics necessary to achieve your goal.
    New Functionality Risk and Compliance Mergers and Acquisitions Become More Data Driven
    Tiers 1. Data Sources 2. Integration 3. Warehousing 4. Insights 5. Presentation
    Capabilities Current Capabilities
    Target Capabilities
    Example Tactics Leverage indexes, partitions, views, and clusters to optimize performance.

    Cleanse data source.

    Leverage integration technology.

    Identify matching approach priorities.

    Establish governing principles.

    Install performance enhancing technologies.

    Establish star schema and snowflake principles.

    Share data via data mart.

    Build metadata architecture:
    • Data lineage
    • Sharing
    • Taxonomy
    • Automatic vs. manual creation

    Phase 2 outline

    Associated Activity icon Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 2: Personalize Your Tactics to Optimize Your Data Architecture

    Proposed Time to Completion: 2 weeks
    Step 2.1: Measure Your Data Architecture Capabilities Step 2.2: Set a Target for Data Architecture Capabilities Step 2.3: Identify the Tactics That Apply to Your Organization
    Start with an analyst kick-off call:
    • Understand Info-Tech’s data architecture capability model to begin identifying where to develop tactics for optimizing your data architecture.
    Review findings with analyst:
    • Understand Info-Tech’s data architecture capability model to begin identifying where to develop tactics for optimizing your data architecture.
    Finalize phase deliverable:
    • Learn about the trends in data architecture that can be leveraged to develop tactics.
    Then complete these activities…
    • Measure your current state across the tiers of the capability model that will help address your business driver.
    Then complete these activities…
    • Measure your target state for the capabilities that will address your business driver.
    Then complete these activities…
    • Review the tactical roadmap that was created with guidance from the capability gap analysis.
    With these tools & templates:
    • Data Architecture Tactical Roadmap Tool
    With these tools & templates:
    • Data Architecture Tactical Roadmap Tool
    With these tools & templates:
    • Data Architecture Trends Presentation Template

    Phase 2 Results & Insights

    • Data architecture is not just data models. Understand the essential capabilities that your organization needs from its data architecture to develop a tactical plan for optimizing data architecture across its people, processes, and technology.

    Phase 2, Step 1: Measure Your Data Architecture Capabilities

    PHASE 2

    2.1 2.2 2.3
    Measure Your Data Architecture Capabilities Set a Target for Data Architecture Capabilities Identify the Tactics That Apply to Your Organization

    This step will walk you through the following activities:

    • As you walk through the data architecture capability model, measure your current state in each of the relevant capabilities.
    • Distinguish between essential and nice-to-have capabilities for your organization.

    This step involves the following participants:

    • Data Architect

    Outcomes of this step

    • A framework for generating a tactical plan for data architecture optimization.
    • Knowledge of the various trends in the data architecture field that can be incorporated into your plan.

    To personalize your tactical strategy, you must measure up your base data architecture capabilities

    What is a capability?

    Capabilities represent a mixture of people, technology, and processes. The focus of capability design is on the outcome and the effective use of resources to produce a differentiating capability or an essential supporting capability.

    To personalize your tactics, you have to understand what the essential capabilities are across the five tiers of an organization’s data architecture. Then, assess where you currently stand in these capabilities and where you need to go in order to build your optimization plan.

    'Capability' as a mixture of 'People', 'Technology', 'Process', and 'Assets'.

    Info-Tech’s data architecture capability model can be laid over the five-tier data architecture to understand the essential and advanced capabilities that an organization should have, and to build your tactical strategy for optimizing the organization’s data architecture across the tiers.

    Use Info-Tech’s data architecture capability model as a resource to assess and plan your personalized tactics

    Info-Tech’s data architecture capability model can be laid over the five-tier data architecture to understand the essential and advanced capabilities that an organization should have, and to build your tactical strategy for optimizing the organization’s data architecture across the tiers.

    Info-Tech’s Data Architecture Capability Model featuring the five-tier architecture listing 'Core Capabilities' and 'Advanced Capabilities' within each tier, and a list of 'Cross Capabilities' which apply to all tiers.

    Use the Data Architecture Tactical Roadmap Tool to create a tailored plan of action

    Supporting Tool icon 2.1.1 Data Architecture Tactical Roadmap Tool

    Instructions

    Use the Data Architecture Tactical Roadmap Tool as your central tool to develop a tactical plan of action to optimize the organization’s data architecture.

    This tool contains the following sections:

    1. Business Driver Input
    2. Capability Assessment
    3. Capability Gap Analysis
    4. Tactical Roadmap
    5. Metrics
    6. Initiative Roadmap

    INFO-TECH DELIVERABLE

    Sample of the Info-Tech deliverable Data Architecture Tactical Roadmap Tool.

    Benefits of using this tool:

    • Comprehensive documentation of data architecture capabilities present in leading organizations.
    • Generates an accurate architecture roadmap for your organization that is developed in alignment with the broader enterprise architecture and related architectural domains.

    To create a plan for your data architecture priorities, you must first understand where you currently stand

    Now that you understand the business problem that you are trying to solve, it is time to take action in solving the problem.

    The organization likely has some of the capabilities that are needed to solve the problem, but also a need to improve other capabilities. To narrow down the capabilities that you should focus on, first select the business driver that was identified in Phase 1 in Tab 1. Business Driver Input of the Data Architecture Tactical Roadmap Tool. This will customize the roadmap tool to deselect the capabilities that are likely to be less relevant to your organization.

    For Example: If you identified your business driver as “becoming more data-driven”, you will want to focus on measuring and building out the capabilities within Tiers 3, 4, and 5 of the capability model.

    Data Architecture Capability Model
    Info-Tech’s Data Architecture Capability Model with tiers 3, 4, and 5 highlighted.

    Note

    If you want to assess your organization for all of the capabilities across the data architecture capability model, select “Comprehensive Data Architecture Assessment” in Tab 1. Business Driver Input of the Data Architecture Tactical Roadmap Tool.

    Determine your current state across the related architecture tiers

    Associated Activity icon 2.1.2 1 hour

    INPUT: Current data architecture capabilities.

    OUTPUT: An idea of where you currently stand in the capabilities.

    Materials: Data Architecture Tactical Roadmap Tool

    Participants: Data architect, Enterprise architect, Business representatives

    Use the Data Architecture Tactical Roadmap Tool to evaluate the baseline and target capabilities of your practice in terms of how data architecture is approached and executed.

    Instructions
    1. Invite the appropriate stakeholders to participate in this exercise.
    2. On Tab 2. Practice Components, assess the current and target states of each capability on a scale of 1–5.
    3. Note: “Ad hoc” implies a capability is completed, but randomly, informally, and without a standardized method.
      These results will set the baseline against which you will monitor performance progress and keep track of improvements over time.
    To assess data architecture maturity, Info-Tech uses the Capability Maturity Model Integration (CMMI) program for rating capabilities on a scale of 1 to 5:

    1 = Initial/Ad hoc

    2 = Developing

    3 = Defined

    4 = Managed and Measurable

    5 = Optimized

    Info-Tech Insight

    Focus on Early Alignment. Assessing capabilities within specific people’s job functions can naturally result in disagreement or debate, especially between business and IT people. Objectively facilitate any debate and only finalize capability assessments when there is full alignment. Remind everyone that data architecture should ultimately serve business needs wherever possible.

    Phase 2, Step 2: Set a Target for Data Architecture Capabilities

    PHASE 2

    2.12.22.3
    Measure Your Data Architecture CapabilitiesSet a Target for Data Architecture CapabilitiesIdentify the Tactics That Apply to Your Organization

    This step will walk you through the following activities:

    • Determine your target state in each of the relevant capabilities.
    • Distinguish between essential and nice-to-have capabilities for your organization.

    This step involves the following participants:

    • Data Architect

    Outcomes of this step

    • A holistic understanding of where the organization’s data architecture currently sits, where it needs to go, and where the biggest gaps lie.

    To create a plan for your data architecture priorities, you must also understand where you need to get to in the future

    Keep the goal in mind by documenting target state objectives. This will help to measure the highest priority gaps in the organization’s data architecture capabilities.

    Example driver = Becoming more data driven Arrow pointing right. Info-Tech’s Data Architecture Capability Model with tiers 3, 4, and 5 highlighted. Arrow pointing right. Current Capabilities Arrow pointing right. Target Capabilities
    Gaps and Priorities
    Stock photo of a hand placing four shelves arranged as stairs. On the first step is a mini-cut-out of a person walking.

    Determine your future state across the relevant tiers of the data architecture capability model

    Associated Activity icon 2.2.1 2 hours

    INPUT: Current state of data architecture capabilities.

    OUTPUT: Target state of data architecture capabilities.

    Materials: Data Architecture Tactical Roadmap Tool

    Participants: Data architect

    The future of data architecture is now.

    Determine the state of data architecture capabilities that the organization needs to reach to address the drivers of the business.

    For example: If you identified your business driver as “becoming more data driven”, you will want to focus on the capabilities within Tiers 3, 4, and 5 of the capability model.

    Driver = Becoming more data driven Arrow pointing right. Info-Tech’s Data Architecture Capability Model with tiers 3, 4, and 5 highlighted. Arrow pointing right. Target Capabilities

    Identify where gaps in your data architecture capabilities lie

    Associated Activity icon 2.2.2 1 hour

    INPUT: Current and target states of data architecture capabilities.

    OUTPUT: Holistic understanding of where you need to improve data architecture capabilities.

    Materials: Data Architecture Tactical Roadmap Tool

    Participants: Data architect

    Visualization of gap assessment of data quality practice capabilities

    To enable deeper analysis on the results of your capability assessment, Tab 4. Capability Gap Analysis in the Data Architecture Tactical Roadmap Tool creates visualizations of the gaps identified in each of your practice capabilities and related data management practices. These diagrams serve as analysis summaries.

    Gap Assessment of Data Source Capabilities

    Sample of the Data Architecture Tactical Roadmap Tool, tab 4. Capability Gap Analysis.

    Use Tab 3. Data Quality Practice Scorecard to enhance your data quality project.

    1. Enhance your gap analyses by forming a relative comparison of total gaps in key practice capability areas, which will help in determining priorities.
    2. Put these up on display to improve discussion in the gap analyses and prioritization sessions.
    3. Improve the clarity and flow of your strategy template, final presentations, and summary documents by copying and pasting the gap assessment diagrams.

    Phase 2, Step 3: Identify the Tactics That Apply to Your Organization

    PHASE 2

    2.12.22.3
    Measure Your Data Architecture CapabilitiesSet a Target for Data Architecture CapabilitiesIdentify the Tactics That Apply to Your Organization

    This step will walk you through the following activities:

    • Before making your personal tactic plan, identify the trends in data architecture that can benefit your organization.
    • Understand Info-Tech’s data architecture capability model.
    • Initiate the Data Architecture Roadmap Tool to begin creating a roadmap for your optimization plan.

    This step involves the following participants:

    • Data Architect

    Outcomes of this step

    • A framework for generating a tactical plan for data architecture optimization.
    • Knowledge of the various trends in the data architecture field that can be incorporated into your plan.

    Capitalize on trends in data architecture before you determine the tactics that apply to you

    Stop here. Before you begin to plan for optimization of the organization’s data environment, get a sense of the sustainability and scalability of the direction of the organization’s data architecture evolution.

    Practically any trend in data architecture is driven by an attempt to solve one or more the common challenges of today’s tumultuous data landscape, otherwise known as “big data.” Data is being produced in outrageous amounts, at very high speeds, and in a growing number of types and structures.

    To meet these demands, which are not slowing down, you must keep ahead of the curve. Consider the internal and external catalysts that might fuel your organization’s need to modernize its data architecture:

    Big Data

    Data Storage

    Advanced analytics

    Unstructured data

    Integration

    Hadoop ecosystem

    The discussion about big data is no longer about what it is, but how do businesses of all types operationalize it.

    Is your organization currently capturing and leveraging big data?

    Are they looking to do so in the near future?

    The cloud

    The cloud offers economical solutions to many aspects of data architecture.

    Have you dealt with issues of lack of storage space or difficulties with scalability?

    Do you need remote access to data and tools?

    Real-time architecture

    Advanced analytics (machine learning, natural language processing) often require data in real-time. Consider Lambda and Kappa architectures.

    Has your data flow prevented you from automation, advanced analytics, or embracing the world of IoT?

    Graph databases

    Self-service data access allows more than just technical users to participate in analytics. NoSQL can uncover buried relationships in your data.

    Has your organization struggled to make sense of different types of unstructured data?

    Is ETL enough?

    What SQL is to NoSQL, ETL is to NoETL. Integration techniques are being created to address the high variety and high velocity of data.

    Have your data scientists wasted too much time and resources in the ETL stage?

    Read the Data Architecture Trends Presentation to understand the current cutting edge topics in data architecture

    Supporting Tool icon 2.1 Data Architecture Trends Presentation

    The speed at which new technology is changing is making it difficult for IT professionals to keep pace with best practices, let alone cutting edge technologies.

    The Info-Tech Data Architecture Trends Presentation provides a glance at some of the more significant innovations in technology that are driving today’s advanced data architectures.

    This presentation also explains how these trends relate to either the data challenges you may be facing, or the specific business drivers you are hoping to bring to your organization.

    Sample of the Data Architecture Trends Presentation.
    Data Architecture Trends Presentation

    Gaps between your current and future capabilities will help you to determine the tactics that apply to you

    Now that you know where the organization currently stands, follow these steps to begin prioritizing the initiatives:

    1. What are you trying to accomplish? Determine target states that are framed in quantifiable objectives that can be clearly communicated. The more specific the objectives are the better.
    2. Evaluate the “delta,” or difference between where the organization currently stands and where it needs to go. This will be expressed in terms of gap closure strategies, and will help clarify the initiatives that will populate the road map.
    3. Determine the relative business value of each initiative, as well as the relative complexities of successfully implementing them. These scores should be created with stakeholder input, and then plotted in an effort/transition quadrant map to determine where the quickest and most valuable wins lie.
    Current State Gap Closure Strategies Target State Data Architecture Tactical Roadmap
    • Organization objectives
    • Functional needs
    • Current operating models
    • Technology assets
    Initiatives involving:
    • Organizational changes
    • Functional changes
    • Technology changes
    • Process changes
    • Performance objectives (revenue growth, customer intimacy, growth of organization)
    • Operating model improvements
    • Prioritized, simplified, and compelling vision of how the organization will optimize data architecture

    (Source: “How to Build a Roadmap”)

    Info-Tech Insight

    Optimizing data architecture requires a tactical approach, not a passive approach. The demanding task of optimization requires the ability to heavily prioritize. After you have identified why, determine how using our pre-built roadmap to address the four common drivers.

    Each of the layers of an organization’s data architecture have associated challenges to optimization

    Stop! Before you begin, recognize these “gotchas” that can present roadblocks to creating an effective data architecture environment.

    Before diving headfirst into creating your tactical data architecture plan, documenting the challenges associated with each aspect of the organization’s data architecture can help to identify where you need to focus your energy in optimizing each tier. The following table presents the common challenges across the five tiers:

    Source Tier

    Integration Tier

    Warehousing Tier

    Analytics Tier

    Presentation Tier

    Inconsistent data models Performance issues Scalability of the data warehouse Data currency, flexibility Model interoperability
    Data quality measures: data accuracy, timeliness, accessibility, relevance Duplicated data Infrastructure needed to support volume of data No business context for using the data in the correct manner No business context for using the data in the correct manner
    Free-form field and data values beyond data domain Tokenization and other required data transformations Performance
    Volume
    Greedy consumers can cripple performance
    Insufficient infrastructure
    Inefficiencies in building the data mart Report proliferation/chaos (“kitchen sink dashboards”)
    Reporting out of source systems DB model inefficiencies
    Manual errors;
    Application usability
    Elasticity

    Create metrics before you plan to optimize your data architecture

    Associated Activity icon 2.2.3 1 hour

    INPUT: Tactics that will be used to optimize data architecture.

    OUTPUT: Metrics that can be used to measure optimization success.

    Materials: Data Architecture Tactical Roadmap Tool

    Participants: Data architect

    Metrics will help you to track your optimization efforts and ensure that they are providing value to the organization.

    There are two types of metrics that are useful for data architects to track and measure: program metrics and project metrics. Program metrics represent the activities that the data architecture program, which is the sum of multiple projects, should help to improve. Project metrics are the more granular metrics that track each project.

    Program Metrics

    • TCO of IT
      • Costs associated with applications, databases, data maintenance
      • Should decrease with better data architecture (rationalized apps, operationalized databases)
    • Cost savings:
      • Retiring a legacy system and associated databases
      • Consolidated licensing
      • Introducing shared services
    • Data systems under maintenance (maintenance burden)
    • End-user data requests fulfilled
    • Improvement of time of delivery of reports and insights

    Project Metrics

    • Percent of projects in alignment with EA
    • Percent of projects compliant with the EA governance process (architectural due diligence rate)
    • Reducing time to market for launching new products
      • Reducing human error rates
      • Speeding up order delivery
      • Reducing IT costs
      • Reducing severity and frequency of security incidents

    Use Tab 6. Metrics of the Data Architecture Tactical Roadmap Tool to document and track metrics associated with your optimization tactics.

    Use Info-Tech’s resources to build your data architecture capabilities

    The following resources from Info-Tech can be used to improve the capabilities that were identified as having a gap. Read more about the details of the five-tier architecture in the blueprints below:

    Data Governance

    Data architecture depends on effective data governance. Use our blueprint, Enable Shared Insights With an Effective Data Governance Engine to get more out of your architecture.

    Data Quality

    The key to maintaining high data quality is a proactive approach that requires you to establish and update strategies for preventing, detecting, and correcting errors. Find out more on how to improve data quality with Info-Tech’s blueprint, Restore Trust in Your Data Using a Business-Aligned Data Quality Management Approach.

    Master Data Management

    When you start your data governance program, you will quickly realize that you need an effective MDM strategy for managing your critical data assets. Use our blueprint, Develop a Master Data Management Strategy and Roadmap to Better Monetize Data to get started with MDM.

    Data Warehouse

    The key to maintaining high data quality is a proactive approach that requires you to establish and update strategies for preventing, detecting, and correcting errors. Find out more on how to improve data quality with Info-Tech’s blueprint, Drive Business Innovation With a Modernized Data Warehouse Environment.

    With the optimal tactics identified, the monetary authority uncovered areas needing improvement

    CASE STUDY

    Industry: Financial
    Source: Info-Tech Consulting
    Symbol for 'Monetary Authority Case Study'.

    Part 2

    After establishing the appropriate tactics based on its business driver, the monetary authority was able to identify its shortcomings and adopt resolutions to remedy the issues.

    Best Practice Tactic Current State Solution
    Tier 1 - Data Sources Identify data sources Data coming from a number of locations. Create data model for old and new systems.
    Ensure data quality Internal data scanned from paper and incomplete. Data cleansing and update governance and business rules for migration to new system.
    External sources providing conflicting data.
    Tier 3 - Data Warehousing Data catalogue Data aggregated incompletely. Built proper business data glossary for searchability.
    Indexing Data warehouse performance sub-optimal. Architected data warehouse for appropriate use (star schema).
    Tier 4 - Data Analytics Data accessibility Relevant data buried in warehouse. Build data marts for access.
    Data reduction Accurate report building could not be performed in current storage. Built interim solution sandbox, spin up SQL database.

    Establishing these solutions provided the organization with necessary information to build their roadmap and move towards implementing an optimized data architecture.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech Workshop Associated Activity icon

    Book a workshop with our Info-Tech analysts:

    Photo of a Info-Tech analyst.
    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analyst will join you and your team onsite at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    2.1.1 – 2.2.2

    Sample of activities 2.1.1 and 2.2.2, the first being 'Determine your current state across the related architecture tiers'. Evaluate your current capabilities and design your target data quality practice from two angles

    In this assessment and planning activity, the team will evaluate the current and target capabilities for your data architecture’s ability to meet business needs based on the essential capabilities across the five tiers of an organization’s architectural environment.

    2.2.3

    Sample of activity 2.2.3 'Create metrics before you plan to optimize your data architecture'. Create metrics to track the success of your optimization plan.

    The Info-Tech facilitator will guide you through the process of creating program and project metrics to track as you optimize your data architecture. This will help to ensure that the tactics are helping to improve crucial business attributes.

    Build a Business-Aligned Data Architecture Optimization Strategy

    PHASE 3

    Create Your Tactical Data Architecture Roadmap

    Phase 3 outline

    Associated Activity icon Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 3: Create Your Tactical Data Architecture Roadmap

    Proposed Time to Completion: 2 weeks
    Step 3.1: Personalize Your Data Architecture RoadmapStep 3.2: Manage Your Data Architecture Decisions and the Resulting Changes
    Start with an analyst kick-off call:
    • Review the tactical plan that addresses the business drivers by optimizing your data architecture in the relevant focus areas.
    Review findings with analyst:
    • Discuss and review the roadmap of optimization activities, including dependencies, timing, and ownership of activities.
    • Understand how change management is an integral aspect of any data architecture optimization plan.
    Then complete these activities…
    • Create your detailed data architecture initiative roadmap.
    Then complete these activities…
    • Create your Data Architecture Decision Template to document the changes that are going to be made to optimize your data architecture environment.
    • Review how change management fits into the data architecture improvement program.
    With these tools & templates:
    • Data Architecture Tactical Roadmap Tool
    With these tools & templates:
    • Data Architecture Decision Template

    Phase 3 Results & Insights

    • Phase 3 will help you to build a personalized roadmap and plan for optimizing data architecture in your organization. In carrying out this roadmap, changes will, by necessity, occur. Therefore, an integral aspect of a data architect’s role is change management. Use the resources included in Phase 3 to smoothen the change management process.

    Phase 3, Step 1: Personalize Your Data Architecture Roadmap

    PHASE 3

    3.1 3.2
    Personalize Your Data Architecture Roadmap Manage Your Data Architecture Decisions and the Resulting Changes

    This step will walk you through the following activities:

    • Determine the timing, effort, and ownership of the recommended optimization initiatives.
    • Brainstorm initiatives that are not yet on the roadmap but apply to you.

    This step involves the following participants:

    • Data Architect
    • DBAs
    • Enterprise Architect

    Outcomes of this step

    • A roadmap of specific initiatives that map to the tactical plan for optimizing your organization’s data architecture.
    • A plan for communicating high-level business objectives to data workers to address the issues of the business.

    Now that you have tactical priorities, identify the actionable steps that will lead you to an optimized data architecture

    Phase 1 and 2 helped you to identify tactics that address some of the most common business drivers. Phase 3 will bring you through the process of practically planning what those tactics look like in your organization’s environment and create a roadmap to plan how you will generate business value through optimization of your data architecture environment.

    Diagram of the three phases and the goals of each one. The first phase says 'Identify your data architecture business driver' and highlights 'Business Driver 3' out of four to focus on in Phase 2. Phase 2 says 'Optimization tactics across the five-tier logical data architecture' and identifies four of six 'Tactics' to use in Phase 3. Phase 3 is a 'Practical Roadmap of Initiatives' and utilizes a timeline of initiatives in which to apply the chosen tactics.

    Use the Data Architecture Tactic Roadmap Tool to personalize your roadmap

    Supporting Tool icon 3.1.1 Data Architecture Tactic Roadmap Tool
    Generating Your Roadmap
    1. On Tab 5. Tactic and Initiative Planning, you will find a list of tactics that correspond to every capability that applies to your chosen driver and where there is a gap. In addition, each tactic has a sequence of “Suggested Initiatives,” which represent the best-practice steps that you should take to optimize your data architecture according to your priorities and gaps.
    2. Customize this list of initiatives according to your needs.
    3. The Gantt chart is generated in Tab 7. Initiative Roadmap, and can be used to organize your plan and ensure that all of the essential aspects of optimizing data architecture are addressed.
    4. The roadmap can be used as an “executive brief” roadmap and as a communication tool for the business.
    Screenshot of the Data Architecture Tactic Roadmap Tool, Tab 5. Tactic and Initiative Planning.
    Tab 5. Tactic and Initiative Planning

    Screenshot of the Data Architecture Tactic Roadmap Tool, Tab 7. Initiative Roadmap.
    Tab 7. Initiative Roadmap

    Determine the details of your data architecture optimization activities

    Associated Activity icon 3.1.2 1 hour

    INPUT: Timing of initiatives for optimizing data architecture.

    OUTPUT: Optimization roadmap

    Materials: Data Architecture Tactic Roadmap Tool

    Participants: Data architect, Enterprise Architect

    Instructions

    1. With the list of suggested activities in place on Tab 5. Tactic and Initiative Planning, select whether or not the initiatives will be included in the roadmap. By default, all of the initiatives are set to “Yes.”
    2. Plan the sequence, starting time, and length of each initiative, as well as the assigned responsibility of the initiative in Tab 5. Tactic and Initiative Planning of the Data Architecture Tactic Roadmap Tool.
    3. The tool will a generate a Gantt chart based on the start and length of your initiatives.
    4. The Gantt chart is generated in Tab 7. Initiative Roadmap.
    Screenshot of the Data Architecture Tactic Roadmap Tool, Tab 5. Tactic and Initiative Planning. Tab 5. Tactic and Initiative Planning Screenshot of the Data Architecture Tactic Roadmap Tool, Tab 7. Initiative Roadmap. Tab 7. Initiative Roadmap

    Info-Tech Insight

    The activities that populate the roadmap can be taken as best practice activities. If you want an actionable, comprehensive, and prescriptive plan for optimizing your data architecture, fill in the timing of the activities and print the roadmap. This can serve as a rapid communication tool for your data architecture plan to the business and other architects.

    Optimizing data architecture relies on communication between the business and data workers

    Remember: Data architects bridge the gap between strategic and technical requirements of data.

    Visualization centering the 'Data Architect' as the bridge between 'Data Workers', 'Business', and 'Data & Applications'.

    Therefore, as you plan the data and its interactions with applications, it is imperative that you communicate the plan and its implications to the business and the data workers. Stock photo of coworkers communicating.
    Also remember: In Phase 1, you built your tactical data architecture optimization plan.
    Sample 1 of the Data Architecture Optimization Template. Sample 2 of the Data Architecture Optimization Template.
    Use this document to communicate your plan for data architecture optimization to both the business and the data workers. Socialize this document as a representation of your organization’s current data architecture as well as where it is headed in the future.

    Communicate your data architecture optimization plan to the business for approval

    Associated Activity icon 3.1.3 2 hours

    INPUT: Data Architecture Tactical Roadmap

    OUTPUT: Communication plan

    Materials: Data Architecture Optimization Template

    Participants: Data Architect, Business representatives, IT representatives

    Instructions

    Begin by presenting your plan and roadmap to the business units who participated in business interviews in activity 1.1.3 of Phase 1.

    If you receive feedback that suggests that you should make revisions to the plan, consult Info-Tech Research Group for suggestions on how to improve the plan.

    If you gain approval for the plan, communicate it to DBAs and other data workers.

    Iterative optimization and communication plan:
    Visualization of the Iterative optimization and communication plan. 'Start here' at 'Communicate Plan and Roadmap to the Business', and then continue in a cycle of 'Receive Approval or Suggested Modifications', 'Get Advice for Improvements to the Plan', 'Revise Plan', and back to the initial step until you receive 'Approval', then 'Present to Data Workers'.

    With a roadmap in place, the monetary authority followed a tactical and practical plan to repair outdated data architecture

    CASE STUDY

    Industry: Financial
    Source: Info-Tech Consulting
    Symbol for 'Monetary Authority Case Study'.

    Part 3

    After establishing the appropriate tactics based on its business driver, the monetary authority was able to identify its shortcomings and adopt resolutions to remedy the issues.

    Challenge

    A monetary authority was placed under new requirements where it would need to produce 6 different report types on its clients to a regulatory body within a window potentially as short as 1 hour.

    With its current capabilities, it could complete such a task in roughly 7 days.

    The organization’s data architecture was comprised of legacy systems that had poor searchability. Moreover, the data it worked with was scanned from paper, regularly incomplete and often inconsistent.

    Solution

    The solution first required the organization to establish the business driver behind the need to optimize its architecture. In this case, it would be compliance requirements.

    With Info-Tech’s methodology, the organization focused on three tiers: data sources, warehousing, and analytics.

    Several solutions were developed to address the appropriate lacking capabilities. Firstly, the creation of a data model for old and new systems. The implementation of governance principles and business rules for migration of any data. Additionally, proper indexing techniques and business data glossary were established. Lastly, data marts and sandboxes were designed for data accessibility and to enable a space for proper report building.

    Results

    With the solutions established, the monetary authority was given information it needed to build a comprehensive roadmap, and is currently undergoing the implementation of the plan to ensure it will experience its desired outcome – an optimized data architecture built with the capacity to handle external compliance requirements.

    Phase 3, Step 2: Manage Your Data Architecture Decisions and the Resulting Changes

    PHASE 3

    3.13.2
    Personalize Your Data Architecture RoadmapManage Your Data Architecture Decisions and the Resulting Changes

    This step will walk you through the following activities:

    • With a plan in place, document the major architectural decisions that have been and will be made to optimize data architecture.
    • Create a plan for change and release management, an essential function of the data architect role.

    This step involves the following participants:

    • Data Architect
    • Enterprise Architect

    Outcomes of this step

    • Resources for documenting and managing the inevitable change associated with updates to the organization’s data architecture environment.

    To implement data architecture changes, you must plan to accommodate the issues that come with change

    Once you have a plan in place, one the most challenging aspects of improving an organization is yet to come…overcoming change!

    “When managing change, the job of the data architect is to avoid unnecessary change and to encapsulate necessary change.

    You must provide motivation for simplifying change, making it manageable for the whole organization.” (Andrew Johnston, Independent Consultant)

    Stock photo of multiple hands placing app/website design elements on a piece of paper.

    Create roadmap

    Arrow pointing down.

    Communicate roadmap

    Arrow pointing down.

    Implement roadmap

    Arrow pointing down.

    Change management

    Use the Data Architecture Decision Template when architectural changes are made

    Supporting Tool icon 3.2 Data Architecture Decision Template
    Document the architectural decisions made to provide context around changes made to the organization’s data environment.

    The goal of this Data Architecture Decision Template is to provide data architects with a template for managing the changes that accompany major architectural decisions. As you work through the Build a Business-Aligned Data Architecture Optimization Strategy blueprint, you will create a plan for tactical initiatives that address the drivers of the business to optimize your data architecture. This plan will bring about changes to the organization’s data architecture that need change management considerations.

    Document any major changes to the organization’s data architecture that are required to evolve with the organization’s drivers. This will ensure that major architectural changes are documented, tracked, and that the context around the decision is maintained.

    “Environment is very chaotic nowadays – legacy apps, sprawl, ERPs, a huge mix and orgs are grappling with what our data landscape look like? Where are our data assets that we need to use?” (Andrew Johnston, Independent Consultant)

    Sample of the Data Architecture Decision Template.

    Use Info-Tech’s Data Architecture Decision Template to document any major changes in the organization’s data architecture.

    Leverage Info-Tech’s resources to smooth change management

    As changes to the architectural environment occur, data architects must stay ahead of the curve and plan the change management considerations that come with major architectural decisions.

    “When managing change, the job of the data architect is to avoid unnecessary change and to encapsulate necessary change.

    You must provide motivation for simplifying change, making it manageable for the whole organization.” (Andrew Johnston, Independent Consultant)

    See Info-Tech’s resources on change management to smooth changes:
    Banner for the blueprint set 'Optimize Change Management' with subtitle 'Turn and face the change with a right-sized change management process'.
    Sample of the Optimize Change Management blueprint.

    Change Management Blueprint

    Sample of the Change Management Roadmap Tool.

    Change Management Roadmap Tool

    Use Info-Tech’s resources for effective release management

    As changes to the architectural environment occur, data architects must stay ahead of the curve and plan the release management considerations around new hardware and software releases or updates.

    Release management is a process that encompasses the planning, design, build, configuration, and testing of hardware and software releases to create a defined set of release components (ITIL). Release activities can include the distribution of the release and supporting documentation directly to end users. See Info-Tech’s resources on Release Management to smooth changes:

    Banner for the blueprint set 'Take a Holistic View to Optimize Release Management' with subtitle 'Build trust by right-sizing your process using appropriate governance'.
    Samples of the Release Management blueprint.

    Release Management Blueprint

    Sample of the Release Management Process Standard Template.

    Release Management Process Standard Template

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech Workshop Associated Activity icon

    Book a workshop with our Info-Tech analysts:

    Photo of a Info-Tech analyst.
    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analyst will join you and your team onsite at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    3.1.1

    Sample of activity 3.1.2 'Determine the timing of your data architecture optimization activities'. Create your personalized roadmap of activities.

    In this activity, the facilitator will guide the team in evaluating practice gaps highlighted by the assessment, and compare these gaps at face value so general priorities can be documented. The same categories as in 3.1.1 are considered.

    3.1.3

    Sample of activity 3.1.3 'Communicate your Data Architecture Optimization Plan to the business for approval'. Communicate your data architecture optimization plan.

    The facilitator will help you to identify the optimal medium and timing for communicating your plan for optimizing your data architecture.

    Insight breakdown

    Insight 1

    • Data architecture needs to evolve along with the changing business landscape. There are four common business drivers that put most pressure on archaic architectures. As a result, the organization’s architecture must be flexible and responsive to changing business needs.

    Insight 2

    • Data architecture is not just about models.
      Viewing data architecture as just technical data modeling can lead to structurally unsound data that does not serve the business.

    Insight 3

    • Data is used differently across the layers of an organization’s data architecture, and the capabilities needed to optimize use of data change with it. Architecting and managing data from source to warehousing to presentation requires different tactics for optimal use.

    Summary of accomplishment

    Knowledge Gained

    • An understanding of what data architecture is, how data architects can provide value to the organization, and how data architecture fits into the larger enterprise architecture picture.
    • The capabilities required for optimization of the organization’s data architecture across the five tiers of the logical data architecture model.

    Processes Optimized

    • Prioritization and planning of data architect responsibilities across the five tiers of the five-tier logical data architecture model.
    • Roadmapping of tactics that address the most common business drivers of the organization.
    • Architectural change management.

    Deliverables Completed

    • Data Architecture Driver Pattern Identification Tool
    • Data Architecture Optimization Template
    • Data Architecture Trends Presentation
    • Data Architecture Roadmap Tool
    • Data Architecture Decision Template

    Research contributors and experts

    Photo of Ron Huizenga, Senior Product Manager, Embarcadero Technologies, Inc. Ron Huizenga, Senior Product Manager
    Embarcadero Technologies, Inc.

    Ron Huizenga has over 30 years of experience as an IT executive and consultant in enterprise data architecture, governance, business process reengineering and improvement, program/project management, software development, and business management. His experience spans multiple industries including manufacturing, supply chain, pipelines, natural resources, retail, healthcare, insurance, and transportation.

    Photo of Andrew Johnston, Architect, Independent Consultant. Andrew Johnston, Architect Independent Consultant

    An independent consultant with a unique combination of managerial, commercial, and technical skills, Andrew specializes in the development of strategies and technical architectures that allow businesses to get the maximum benefit from their IT resources. He has been described by clients as a "broad spectrum" architect, summarizing his ability to engage in many problems at many levels.

    Research contributors

    Internal Contributors
    Logo for Info-Tech Research Group.
    • Steven J. Wilson, Senior Director, Research & Advisory Services
    • Daniel Ko, Research Manager
    • Bernie Gilles, Senior Director, Research & Advisory Services
    External Contributors
    Logo for Embarcadero.
    Logo for Questa Computing. Logo for Geha.
    • Ron Huizenga, Embercardo Technologies
    • Andrew Johnston, Independent Consultant
    • Darrell Enslinger, Government Employees Health Association
    • Anonymous Contributors

    Bibliography

    Allen, Mark. “Get the ETL Out of Here.” MarkLogic. Sep, 2016. Web. 25 Apr 2017.[http://www.marklogic.com/blog/get-the-etl-out-of-here/]

    Anadiotis, George. “Streaming hot: Real-time big data architecture matters.” ZDNet. Jan, 2017. Web. 25 Apr 2017. [http://www.zdnet.com/article/streaming-hot-real-time-big-data-architecture-matters/]

    Aston, Dan. “The Economic value of Enterprise Architecture and How to Show It.” Erwin. Aug, 2016. Web. 20 Apr 2017. [http://erwin.com/blog/economic-value-enterprise-architecture-show/]

    Baer, Tony. “2017 Trends to Watch: Big Data.” Ovum. Nov, 2016. Web. 25 Apr 2017.

    Bmc. “Benefits & Advantages of Hadoop.” Bmc. Web. 25 Apr 2017. [http://www.bmcsoftware.ca/guides/hadoop-benefits-business-case.html]

    Boyd, Ryan, et al. “Relational vs. Graph Data Modeling” DZone. Mar 2016. Web. 25 Apr 2017. [https://dzone.com/articles/relational-vs-graph-data-modeling]

    Brahmachar, Satya. “Theme To Digital Transformation - Journey to Data Driven Enterprise” Feb, 2015. Web. 20 Apr 2017. [http://satyabrahmachari-thought-leader.blogspot.ca/2015/02/i-smac-theme-to-digital-transformation.html]

    Capsenta. “NoETL.” Capsenta. Web. 25 Apr 2017. [https://capsenta.com/wp-content/uploads/2015/03/Capsenta-Booklet.pdf]

    Connolly, Shaun. “Implementing the Blueprint for Enterprise Hadoop” Hortonworks. Apr, 2014. Web. 25 Apr 2017. https://hortonworks.com/blog/implementing-the-blue...

    Forbes. “Cloud 2.0: Companies Move From Cloud-First To Cloud-Only.” Forbes. Apr, 2017. Web. 25 Apr 2017. [https://www.forbes.com/sites/vmware/2017/04/07/cloud-2-0-companies-move-from-cloud-first-to-cloud-only/#5cd9d94a4d5e]

    Forgeat, Julien. “Lambda and Kappa.” Ericsson. Nov 2015. Web 25 Apr 2017. [https://www.ericsson.com/research-blog/data-knowledge/data-processing-architectures-lambda-and-kappa/]

    Grimes, Seth. “Is It Time For NoETL?” InformationWeek. Mar, 2010. Web. 25 Apr 2017. [http://www.informationweek.com/software/information-management/is-it-time-for-noetl/d/d-id/1087813]

    Gupta, Manav. et al. “How IB‹ leads in building big data analytics solutions in the cloud.” IBM. Feb, 2016. Web. 25 Apr 2017. [https://www.ibm.com/developerworks/cloud/library/cl-ibm-leads-building-big-data-analytics-solutions-cloud-trs/index.html#N102DE]

    “How To Build A Roadmap.” Hub Designs Magazine. Web 25 Apr 2017. [https://hubdesignsmagazine.com/2011/03/05/how-to-build-a-roadmap/]

    IBM. “Top industry use cases for stream computing.” IBM. Oct, 2015. Web. 25 Apr 2017. [https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=IMW14704USEN]

    Mateos-Garcia, Juan, et al. “Skills Of The Datavores.” Nesta. July. 2015. Web. 8 Aug 2016. [https://www.nesta.org.uk/sites/default/files/skills_of_the_datavores.pdf].

    Maynard, Steven. “Analytics: Don’t Forget The Human Element” Forbes. 2015. Web. 20 Apr. 2017. [http://www.ey.com/Publication/vwLUAssets/EY-Forbes-Insights-Data-and-Analytics-Impact-Index-2015/$FILE/EY-Forbes-Insights-Data-and-Analytics-Impact-Index-2015.pdf]

    Neo4j. “From Relational to Neo4j.” Neo4j. Web. 25 Apr 2017. [https://neo4j.com/developer/graph-db-vs-rdbms/#_from_relational_to_graph_databases]

    NoETL “NoETL.” NoETL. Web. 25 Apr 2017. [http://noetl.org/]

    Nolan, Roger. “Digital Transformation: Is Your Data Management Ready?” Informatica. Jun, 2016. Web. 20 Apr 2017. [https://blogs.informatica.com/2016/06/10/digital-transformation-data-management-ready/#fbid=hmBYQgS6hnm]

    OpsClarity. “2016 State of Fast Data & Streaming Applications.” OpsClarity. Web. 25 Apr 2017. [https://www.opsclarity.com/wp-content/uploads/2016/07/2016FastDataSurvey.pdf]

    Oracle. “A Relational Database Overview.” Oracle. Web. 25 Apr 2017. [https://docs.oracle.com/javase/tutorial/jdbc/overview/database.html]

    Ponemon Institute LLC. “Big Data Cybersecurity Analytics Research Repor.t” Cloudera. Aug, 2016. Web. 25 Apr 2017. [https://www.cloudera.com/content/dam/www/static/documents/analyst-reports/big-data-cybersecurity-analytics-research-report.pdf]

    Sanchez, Jose Juan. “Data Movement Killed the BI Star.” DV Blog. May, 2016. Web. 20 Apr. 2017. [http://www.datavirtualizationblog.com/data-movement-killed-the-bi-star/]

    SAS. “Hadoop; What it is and why does it matter?” SAS. Web. 25 Apr 2017. [https://www.sas.com/en_ca/insights/big-data/hadoop.html#hadoopusers]

    Schumacher, Robin. “A Quick Primer on graph Databases for RDBMS Professionals.” Datastax. Jul, 2016. Web. 25 Apr 2017. [http://www.datastax.com/2016/07/quick-primer-on-graph-databases-for-rdbms-professionals]

    Swoyer, Steve. “It’s the End of the Data Warehouse as We Know It.” TDWI. Jan, 2017. Web. 20 Apr. 2017. [https://upside.tdwi.org/articles/2017/01/11/end-of-the-data-warehouse-as-we-know-it.aspx]

    Webber, Jim, and Ian Robinson. “The Top 5 Use Cases of Graph Databases.” Neo4j. 2015. Web. 25 Apr 2017. [http://info.neo4j.com/rs/773-GON-065/images/Neo4j_Top5_UseCases_Graph%20Databases.pdf]

    Zachman Framework. [https://www.zachman.com/]

    Zupan, Jane. “Survey of Big Data Decision Makers.” Attiv/o. May, 2016. Web. 20 Apr 2017. [https://www.attivio.com/blog/post/survey-big-data-decision-makers]

    Quality Management

    • Buy Link or Shortcode: {j2store}45|cart{/j2store}
    • Related Products: {j2store}45|crosssells{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Service Planning and Architecture
    • Parent Category Link: /service-planning-and-architecture
    Drive efficiency and agility with right-sized quality management

    Understand the Data and Analytics Landscape

    • Buy Link or Shortcode: {j2store}131|cart{/j2store}
    • member rating overall impact: 9.8/10 Overall Impact
    • member rating average dollars saved: $2,000 Average $ Saved
    • member rating average days saved: 14 Average Days Saved
    • Parent Category Name: Data Management
    • Parent Category Link: /data-management
    • The data and analytics landscape comprises many disciplines and components; organizations may find themselves unsure of where to start or what data topic or area they should be addressing.
    • Organizations want to better understand the components of the data and analytics landscape and how they are connected.

    Our Advice

    Critical Insight

    • This deck will provide a base understanding of the core data disciplines and will point to the various Info-Tech blueprints that dive deeper into each of the areas.

    Impact and Result

    • This deck will provide a base understanding of the core disciplines of the data and analytics landscape and will point to the various Info-Tech blueprints that dive deeper into each of the areas.

    Understand the Data and Analytics Landscape Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Understand the data and analytics landscape

    Get an overview of the core disciplines of the data and analytics landscape.

    • Understand the Data and Analytics Landscape Storyboard

    Infographic

    Master the MSA for Your Managed Services Providers

    • Buy Link or Shortcode: {j2store}235|cart{/j2store}
    • member rating overall impact: 9.7/10 Overall Impact
    • member rating average dollars saved: $9,869 Average $ Saved
    • member rating average days saved: 4 Average Days Saved
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management
    • Master Services Agreements and Service Level Agreements are tedious, and reviewers may lack the skills and experience to effectively complete the process.
    • Managed services providers have a repository of contract terms and conditions that are road-tested and prepackaged, and which are often biased in their favor.
    • With many different pricing options, it is difficult to choose the services you need.

    Our Advice

    Critical Insight

    • Manage your managed services providers. Added value is realized when managed service providers are in tune with your IT strategies, goals, and mission.
    • Negotiate an agreement that is beneficial to both parties. The most successful partnerships are a win-win agreement.
    • Lawyers can’t ensure you get the best business deal. They tend to look at general terms and conditions and may overlook IT-specific components.

    Impact and Result

    • Understanding managed services providers, including their roles and pricing models, will give you valuable insight into negotiating the best deal for your organization.
    • Info-Tech’s contract review methodology will help you navigate the complex process of managed services provider contract evaluation and review all the key details to maximize the benefits to your organization.
    • This blueprint provides guidance on catching vendor-biased terms and conditions, and suggests tips for getting managed services providers to take on their fair share of responsibilities.

    Master the MSA for Your Managed Services Providers Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should master the MSA for your MSPs, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Review terms and conditions for your MSP contract

    Use Info-Tech’s MSA Contract Review Tool to locate and track improvement areas in your MSAs.

    • Master the MSA for Your Managed Services Providers – Phase 1: Review Terms and Conditions of Your MSP Contract
    • MSA Contract Review Tool
    [infographic]

    Develop and Deploy Security Policies

    • Buy Link or Shortcode: {j2store}256|cart{/j2store}
    • member rating overall impact: 9.5/10 Overall Impact
    • member rating average dollars saved: $19,953 Average $ Saved
    • member rating average days saved: 19 Average Days Saved
    • Parent Category Name: Governance, Risk & Compliance
    • Parent Category Link: /governance-risk-compliance
    • Employees are not paying attention to policies. Awareness and understanding of what the security policy’s purpose is, how it benefits the organization, and the importance of compliance are overlooked when policies are distributed.
    • Informal, un-rationalized, ad hoc policies do not explicitly outline responsibilities, are rarely comprehensive, and are difficult to implement, revise, and maintain.
    • Data breaches are still on the rise and security policies are not shaping good employee behavior or security-conscious practices.
    • Adhering to security policies is rarely a priority to users as compliance often feels like an interference to daily workflow. For a lot of organizations, security policies are not having the desired effect.

    Our Advice

    Critical Insight

    • Creating good policies is only half the solution. Having a great policy management lifecycle will keep your policies current, effective, and compliant.
    • Policies must be reasonable, auditable, enforceable, and measurable. If the policy items don’t meet these requirements, users can’t be expected to adhere to them. Focus on developing policies to be quantified and qualified for them to be relevant.

    Impact and Result

    • Save time and money using the templates provided to create your own customized security policies mapped to the Info-Tech framework, which incorporates multiple industry best-practice frameworks (NIST, ISO, SOC2SEC, CIS, PCI, HIPAA).

    Develop and Deploy Security Policies Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Develop and Deploy Security Policies Deck – A step-by-step guide to help you build, implement, and assess your security policy program.

    Our systematic approach will ensure that all identified areas of security have an associated policy.

  • Develop the security policy program.
  • Develop and implement the policy suite.
  • Communicate the security policy program.
  • Measure the security policy program.
    • Develop and Deploy Security Policies – Phases 1-4

    2. Security Policy Prioritization Tool – A structured tool to help your organization prioritize your policy suite to ensure that you are addressing the most important policies first.

    The Security Policy Prioritization Tool assesses the policy suite on policy importance, ease to implement, and ease to enforce. The output of this tool is your prioritized list of policies based on our policy framework.

    • Security Policy Prioritization Tool

    3. Security Policy Assessment Tool – A structured tool to assess the effectiveness of policies within your organization and determine recommended actions for remediation.

    The Security Policy Assessment Tool assesses the policy suite on policy coverage, communication, adherence, alignment, and overlap. The output of this tool is a checklist of remediation actions for each individual policy.

    • Security Policy Assessment Tool

    4. Security Policy Lifecycle Template – A customizable lifecycle template to manage your security policy initiatives.

    The Lifecycle Template includes sections on security vision, security mission, strategic security and policy objectives, policy design, roles and responsibilities for developing security policies, and organizational responsibilities.

    • Security Policy Lifecycle Template

    5. Policy Suite Templates – A best-of-breed templates suite mapped to the Info-Tech framework you can customize to reflect your organizational requirements and acquire approval.

    Use Info-Tech's security policy templates, which incorporate multiple industry best-practice frameworks (NIST, ISO, SOC2SEC, CIS, PCI, HIPAA), to ensure that your policies are clear, concise, and consistent.

    • Acceptable Use of Technology Policy Template
    • Application Security Policy Template
    • Asset Management Policy Template
    • Backup and Recovery Policy Template
    • Cloud Security Policy Template
    • Compliance and Audit Management Policy Template
    • Data Security Policy Template
    • Endpoint Security Policy Template
    • Human Resource Security Policy Template
    • Identity and Access Management Policy Template
    • Information Security Policy Template
    • Network and Communications Security Policy Template
    • Physical and Environmental Security Policy Template
    • Security Awareness and Training Policy Template
    • Security Incident Management Policy Template
    • Security Risk Management Policy Template
    • Security Threat Detection Policy Template
    • System Configuration and Change Management Policy Template
    • Vulnerability Management Policy Template

    6. Policy Communication Plan Template – A template to help you plan your approach for publishing and communicating your policy updates across the entire organization.

    This template helps you consider the budget time for communications, identify all stakeholders, and avoid scheduling communications in competition with one another.

    • Policy Communication Plan Template

    7. Security Awareness and Training Program Development Tool – A tool to help you identify initiatives to develop your security awareness and training program.

    Use this tool to first identify the initiatives that can grow your program, then as a roadmap tool for tracking progress of completion for those initiatives.

    • Security Awareness and Training Program Development Tool

    Infographic

    Workshop: Develop and Deploy Security Policies

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Define the Security Policy Program

    The Purpose

    Define the security policy development program.

    Formalize a governing security policy lifecycle.

    Key Benefits Achieved

    Understanding the current state of policies within your organization.

    Prioritizing list of security policies for your organization.

    Being able to defend policies written based on business requirements and overarching security needs.

    Leveraging an executive champion to help policy adoption across the organization.

    Formalizing the roles, responsibilities, and overall mission of the program.

    Activities

    1.1 Understand the current state of policies.

    1.2 Align your security policies to the Info-Tech framework for compliance.

    1.3 Understand the relationship between policies and other documents.

    1.4 Prioritize the development of security policies.

    1.5 Discuss strategies to leverage stakeholder support.

    1.6 Plan to communicate with all stakeholders.

    1.7 Develop the security policy lifecycle.

    Outputs

    Security Policy Prioritization Tool

    Security Policy Prioritization Tool

    Security Policy Lifecycle Template

    2 Develop the Security Policy Suite

    The Purpose

    Develop a comprehensive suite of security policies that are relevant to the needs of the organization.

    Key Benefits Achieved

    Time, effort, and money saved by developing formally documented security policies with input from Info-Tech’s subject-matter experts.

    Activities

    2.1 Discuss the risks and drivers your organization faces that must be addressed by policies.

    2.2 Develop and customize security policies.

    2.3 Develop a plan to gather feedback from users.

    2.4 Discuss a plan to submit policies for approval.

    Outputs

    Understanding of the risks and drivers that will influence policy development.

    Up to 14 customized security policies (dependent on need and time).

    3 Implement Security Policy Program

    The Purpose

    Ensure policies and requirements are communicated with end users, along with steps to comply with the new security policies.

    Improve compliance and accountability with security policies.

    Plan for regular review and maintenance of the security policy program.

    Key Benefits Achieved

    Streamlined communication of the policies to users.

    Improved end user compliance with policy guidelines and be better prepared for audits.

    Incorporate security policies into daily schedule, eliminating disturbances to productivity and efficiency.

    Activities

    3.1 Plan the communication strategy of new policies.

    3.2 Discuss myPolicies to automate management and implementation.

    3.3 Incorporate policies and processes into your security awareness and training program.

    3.4 Assess the effectiveness of security policies.

    3.5 Understand the need for regular review and update.

    Outputs

    Policy Communication Plan Template

    Understanding of how myPolicies can help policy management and implementation.

    Security Awareness and Training Program Development Tool

    Security Policy Assessment Tool

    Action plan to regularly review and update the policies.

    Further reading

    Develop and Deploy Security Policies

    Enhance your overall security posture with a defensible and prescriptive policy suite.

    Analyst Perspective

    A policy lifecycle can be the secret sauce to managing your policies.

    A policy for policy’s sake is useless if it isn’t being used to ensure proper processes are followed. A policy should exist for more than just checking a requirement box. Policies need to be quantified, qualified, and enforced for them to be relevant.

    Policies should be developed based on the use cases that enable the business to run securely and smoothly. Ensure they are aligned with the corporate culture. Rather than introducing hindrances to daily operations, policies should reflect security practices that support business goals and protection.

    No published framework is going to be a perfect fit for any organization, so take the time to compare business operations and culture with security requirements to determine which ones apply to keep your organization secure.

    Photo of Danny Hammond, Research Analyst, Security, Risk, Privacy & Compliance Practice, Info-Tech Research Group. Danny Hammond
    Research Analyst
    Security, Risk, Privacy & Compliance Practice
    Info-Tech Research Group

    Executive Summary

    Your Challenge
    • Security breaches are damaging and costly. Trying to prevent and respond to them without robust, enforceable policies makes a difficult situation even harder to handle.
    • Informal, un-rationalized, ad hoc policies are ineffective because they do not explicitly outline responsibilities and compliance requirements, and they are rarely comprehensive.
    • Without a strong lifecycle to keep policies up to date and easy to use, end users will ignore or work around poorly understood policies.
    • Time and money is wasted dealing with preventable security issues that should be pre-emptively addressed in a comprehensive corporate security policy program.
    Common Obstacles

    InfoSec leaders will struggle to craft the right set of policies without knowing what the organization actually needs, such as:

    • The security policies needed to safeguard infrastructure and resources.
    • The scope the security policies will cover within the organization.
    • The current compliance and regulatory obligations based on location and industry.
    InfoSec leaders must understand the business environment and end-user needs before they can select security policies that fit.
    Info-Tech’s Approach

    Info-Tech’s Develop and Deploy Security Policies takes a multi-faceted approach to the problem that incorporates foundational technical elements, compliance considerations, and supporting processes:

    • Assess what security policies currently exist within the organization and consider additional secure policies.
    • Develop a policy lifecycle that will define the needs, develop required documentation, and implement, communicate, and measure your policy program.
    • Draft a set of security policies mapped to the Info-Tech framework, which incorporates multiple industry best-practice frameworks (NIST, ISO, SOC2SEC, CIS, PCI, HIPAA).

    Info-Tech Insight

    Creating good policies is only half the solution. Having a great policy management lifecycle will keep your policies current, effective, and compliant.

    Your Challenge

    This research is designed to help organizations design a program to develop and deploy security policies

    • A security policy is a formal document that outlines the required behavior and security controls in place to protect corporate assets.
    • The development of policy documents is an ambitious task, but the real challenge comes with communication and enforcement.
    • A good security policy allows employees to know what is required of them and allows management to monitor and audit security practices against a standard policy.
    • Unless the policies are effectively communicated, enforced, and updated, employees won’t know what’s required of them and will not comply with essential standards, making the policies powerless.
    • Without a good policy lifecycle in place, it can be challenging to illustrate the key steps and decisions involved in creating and managing a policy.

    The problem with security policies

    29% Of IT workers say it's just too hard and time consuming to track and enforce.

    25% Of IT workers say they don’t enforce security policies universally.

    20% Of workers don’t follow company security policies all the time.

    (Source: Security Magazine, 2020)

    Common obstacles

    The problem with security policies isn’t development; rather, it’s the communication, enforcement, and maintenance of them.

    • Employees are not paying attention to policies. Awareness and understanding of what the security policy’s purpose is, how it benefits the organization, and the importance of compliance are overlooked when policies are distributed.
    • Informal, un-rationalized, ad hoc policies do not explicitly outline responsibilities, are rarely comprehensive, and are difficult to implement, revise, and maintain.
    • Date breaches are still on the rise and security policies are not shaping good employee behavior or security-conscious practices.
    • Adhering to security policies is rarely a priority to users as compliance often feels like an interference to daily workflow. For a lot of organizations, security policies are not having the desired effect.
    Bar chart of the 'Average cost of a data breach' in years '2019-20', '20-21', and '21-22'.
    (Source: IBM, 2022 Cost of a Data Breach; n=537)

    Reaching an all-time high, the cost of a data breach averaged US$4.35 million in 2022. This figure represents a 2.6% increase from last year, when the average cost of a breach was US$4.24 million. The average cost has climbed 12.7% since 2020.

    Info-Tech’s approach

    The right policy for the right audience. Generate a roadmap to guide the order of policy development based on organizational policy requirements and the target audience.

    Actions

    1. Develop policy lifecycle
    2. Identify compliance requirements
    3. Understand which policies need to be developed, maintained, or decommissioned
    I. Define Security Policy Program

    a) Security policy program lifecycle template

    b) Policy prioritization tool
    Clockwise cycle arrows at the centre of the table. II. Develop & Implement Policy Suite

    a) Policy template set

    Policies must be reasonable, auditable, enforceable, and measurable. Policy items that meet these requirements will have a higher level of adherence. Focus on efficiently creating policies using pre-developed templates that are mapped to multiple compliance frameworks.

    Actions

    1. Differentiate between policies, procedures, standards, and guidelines
    2. Draft policies from templates
    3. Review policies, including completeness
    4. Approve policies
    Gaining feedback on policy compliance is important for updates and adaptation, where necessary, as well as monitoring policy alignment to business objectives.

    Actions

    1. Enforce policies
    2. Measure policy effectiveness
    IV. Measure Policy Program

    a) Security policy tracking tool

    III. Communicate Policy Program

    a) Security policy awareness & training tool

    b) Policy communication plan template
    Awareness and training on security policies should be targeted and must be relevant to the employees’ jobs. Employees will be more attentive and willing to incorporate what they learn if they feel that awareness and training material was specifically designed to help them.

    Actions

    1. Identify any changes in the regulatory and compliance environment
    2. Include policy awareness in awareness and training programs
    3. Disseminate policies
    Build trust in your policy program by involving stakeholder participation through the entire policy lifecycle.

    Blueprint benefits

    IT/InfoSec Benefits

    • Reduces complexity within the policy creation process by using a single framework to align multiple compliance regimes.
    • Introduces a roadmap to clearly educate employees on the do’s and don’ts of IT usage within the organization.
    • Reduces costs and efforts related to managing IT security and other IT-related threats.

    Business Benefits

    • Identifies and develops security policies that are essential to your organization’s objectives.
    • Integrates security into corporate culture while maximizing compliance and effectiveness of security policies.
    • Reduces security policy compliance risk.

    Key deliverable:

    Security Policy Templates

    Templates for policies that can be used to map policy statements to multiple compliance frameworks.

    Sample of Security Policy Templates.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Security Policy Prioritization Tool

    The Info-Tech Security Policy Prioritization Tool will help you determine which security policies to work on first.
    Sample of the Security Policy Prioritization Tool.
    Sample of the Security Policy Assessment Tool.

    Security Policy Assessment Tool

    Info-Tech's Security Policy Assessment Tool helps ensure that your policies provide adequate coverage for your organization's security requirements.

    Measure the value of this blueprint

    Phase

    Purpose

    Measured Value

    Define Security Policy Program Understand the value in formal security policies and determine which policies to prepare to update, eliminate, or add to your current suite. Time, value, and resources saved with guidance and templates:
    1 FTE*3 days*$80,000/year = $1,152
    Time, value, and resources saved using our recommendations and tools:
    1 FTE*2 days*$80,000/year = $768
    Develop and Implement the Policy Suite Select from an extensive policy template offering and customize the policies you need to optimize or add to your own policy program. Time, value, and resources saved using our templates:
    1 consultant*15 days*$150/hour = $21,600 (if starting from scratch)
    Communicate Security Policy Program Use Info-Tech’s methodology and best practices to ensure proper communication, training, and awareness. Time, value, and resources saved using our training and awareness resources:
    1 FTE*1.5 days*$80,000/year = $408
    Measure Security Policy Program Use Info-Tech’s custom toolkits for continuous tracking and review of your policy suite. Time, value, and resources saved by using our enforcement recommendations:
    2 FTEs*5 days*$160,000/year combined = $3,840
    Time, value, and resources saved by using our recommendations rather than an external consultant:
    1 consultant*5 days*$150/hour = $7,200

    After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.

    Overall Impact

    9.5 /10

    Overall Average $ Saved

    $29,015

    Overall Average Days Saved

    25

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    A Guided Implementation (GI) is series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is six to ten calls over the course of two to four months.

    What does a typical GI on this topic look like?

    Phase 1

    Phase 2

    Phase 3

    Phase 4

    Call #1: Scope security policy requirements, objectives, and any specific challenges.

    Call #2: Review policy lifecycle; prioritize policy development.

    Call #3: Customize the policy templates.

    Call #4: Gather feedback on policies and get approval.

    Call #5: Communicate the security policy program.

    Call #6: Develop policy training and awareness programs.

    Call #7: Track policies and exceptions.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889
    Day 1 Day 2 Day 3 Day 4 Day 5
    Define the security policy program
    Develop the security policy suite
    Develop the security policy suite
    Implement security policy program
    Finalize deliverables and next steps
    Activities

    1.1 Understand the current state of policies.

    1.2 Align your security policies to the Info-Tech framework for compliance.

    1.3 Understand the relationship between policies and other documents.

    1.4 Prioritize the development of security policies.

    1.5 Discuss strategies to leverage stakeholder support.

    1.6 Plan to communicate with all stakeholders.

    1.7 Develop the security policy lifecycle.

    2.1 Discuss the risks and drivers your organization faces that must be addressed by policies.

    2.2 Develop and customize security policies.

    2.1 Discuss the risks and drivers your organization faces that must be addressed by policies (continued).

    2.2 Develop and customize security policies (continued).

    2.3 Develop a plan to gather feedback from users.

    2.4 Discuss a plan to submit policies for approval.

    3.1 Plan the communication strategy for new policies.

    3.2 Discuss myPolicies to automate management and implementation.

    3.3 Incorporate policies into your security awareness and training program.

    3.4 Assess the effectiveness of policies.

    3.5 Understand the need for regular review and update.

    4.1 Review customized lifecycle and policy templates.

    4.2 Discuss the plan for policy roll out.

    4.3 Schedule follow-up Guided Implementation calls.

    Deliverables
    1. Security Policy Prioritization Tool
    2. Security Policy Lifecycle
    1. Security Policies (approx. 9)
    1. Security Policies (approx. 9)
    1. Policy Communication Plan
    2. Security Awareness and Training Program Development Tool
    3. Security Policy Assessment Tool
    1. All deliverables finalized

    Develop and Deploy Security Policies

    Phase 1

    Define the Security Policy Program

    Phase 1

    1.1 Understand the current state

    1.2 Align your security policies to the Info-Tech framework

    1.3 Document your policy hierarchy

    1.4 Prioritize development of security policies

    1.5 Leverage stakeholders

    1.6 Develop the policy lifecycle

    Phase 2

    2.1 Customize policy templates

    2.2 Gather feedback from users on policy feasibility

    2.3 Submit policies to upper management for approval

    Phase 3

    3.1 Understand the need for communicating policies

    3.2 Use myPolicies to automate the management of your security policies

    3.3 Design, build, and implement your communications plan

    3.4 Incorporate policies and processes into your training and awareness programs

    Phase 4

    4.1 Assess the state of security policies

    4.2 Identify triggers for regular policy review and update

    4.3 Develop an action plan to update policies

    This phase will walk you through the following activities:

    • Understand the current state of your organization’s security policies.
    • Align your security policies to the Info-Tech framework for compliance.
    • Prioritize the development of your security policies.
    • Leverage key stakeholders to champion the policy initiative.
    • Inform all relevant stakeholders of the upcoming policy program.
    • Develop the security policy lifecycle.

    1.1 Understand the current state of policies

    Scenario 1: You have existing policies

    1. Use the Security Policy Prioritization Tool to identify any gaps between the policies you already have and those recommended based on your changing business needs.
    2. As your organization undergoes changes, be sure to incorporate new requirements in the existing policies.
    3. Sometimes, you may have more specific procedures for a domain’s individual security aspects instead of high-level policies.
    4. Group current policies into the domains and use the policy templates to create overarching policies where there are none and improve upon existing high-level policies.

    Scenario 2: You are starting from scratch

    1. To get started on new policies, use the Security Policy Prioritization Tool to identify the policies Info-Tech recommends based on your business needs. See the full list of templates in the Appendix to ensure that all relevant topics are addressed.
    2. Whether you’re starting from scratch or have incomplete/ad hoc policies, use Info-Tech’s policy templates to formalize and standardize security requirements for end users.
    Info-Tech Insight

    Policies are living, evolving documents that require regular review and update, so even if you have policies already written, you’re not done with them.

    1.2 Align your security policies to the Info-Tech framework for compliance

    You have an opportunity to improve your employee alignment and satisfaction, improve organizational agility, and obtain high policy adherence. This is achieved by translating your corporate culture into a policy-based compliance culture.

    Align your security policies to the Info-Tech Security Framework by using Info-Tech’s policy templates.

    Info-Tech’s security framework uses a best-of-breed approach to leverage and align with most major security standards, including:
    • ISO 27001/27002
    • COBIT
    • Center for Internet Security (CIS) Critical Controls
    • NIST Cybersecurity Framework
    • NIST SP 800-53
    • NIST SP 800-171

    Info-Tech Security Framework

    Info-Tech Security Framework with policies grouped into categories which are then grouped into 'Governance' and 'Management'.

    1.3 Document your policy hierarchy

    Structuring policy components at different levels allows for efficient changes and direct communication depending on what information is needed.

    Policy hierarchy pyramid with 'Security Policy Lifecycle' on top, then 'Security Policies', then 'IT and/or Supporting Documentation'.

    Defines the cycle for the security policy program and what must be done but not how to do it. Aligns the business, security program, and policies.
    Addresses the “what,” “who,” “when,” and “where.”

    Defines high-level overarching concepts of security within the organization, including the scope, purpose, and objectives of policies.
    Addresses the high-level “what” and “why.”
    Changes when business objectives change.

    Defines enterprise/technology – specific, detailed guidelines on how to adhere to policies.
    Addresses the “how.”
    Changes when technology and processes change.

    Info-Tech Insight

    Design separate policies for different areas of focus. Policies that are written as single, monolithic documents are resistant to change. A hierarchical top-level document supported by subordinate policies and/or procedures can be more rapidly revised as circumstances change.

    1.3.1 Understand the relationship between policies and other documents

    Policy:
    • Provides emphasis and sets direction.
    • Standards, guidelines, and procedures must be developed to support an overarching policy.
    Arrows stemming from the above list, connecting to the three lists below.

    Standard:

    • Specifies uniform method of support for policy.
    • Compliance is mandatory.
    • Includes process, frameworks, methodologies, and technology.
    Two-way horizontal arrow.

    Procedure:

    • Step-by-step instructions to perform desired actions.
    Two-way horizontal arrow.

    Guideline:

    Recommended actions to consider in absence of an applicable standard, to support a policy.
    This model is adapted from a framework developed by CISA (Certified Information Systems Auditor).

    Supporting Documentation

    Considerations for standards

    Standards. These support policies by being much more specific and outlining key steps or processes that are necessary to meet certain requirements within a policy document. Ideally standards should be based on policy statements with a target of detailing the requirements that show how the organization will implement developed policies.

    If policies describe what needs to happen, then standards explain how it will happen.

    A good example is an email policy that states that emails must be encrypted; this policy can be supported by a standard such as Transport Layer Security (TLS) encryption that specifically ensures that all email communication is encrypted for messages “in transit” from one secure email server that has TLS enabled to another.

    There are numerous security standards available that support security policies/programs based on the kind of systems and controls that an organization would like to put in place. A good selection of supporting standards can go a long way to further protect users, data, and other organizational assets
    Key Policies Example Associated Standards
    Access Control Policy
    • Password Management User Standard
    • Account Auditing Standard
    Data Security Policy
    • Cryptography Standard
    • Data Classification Standard
    • Data Handling Standard
    • Data Retention Standard
    Incident Response Policy
    • Incident Response Plan
    Network Security Policy
    • Wireless Connectivity Standard
    • Firewall Configuration Standard
    • Network Monitoring Standard
    Vendor Management Policy
    • Vendor Risk Management Standard
    • Third-Party Access Control Standard
    Application Security Policy
    • Application Security Standard

    1.4 Prioritize development of security policies

    The Info-Tech Security Policy Prioritization Tool will help you determine which security policies to work on first.
    • The tool allows you to prioritize your policies based on:
      • Importance: How relevant is this policy to organizational security?
      • Ease to implement: What is the effort, time, and resources required to write, review, approve, and distribute the policy?
      • Ease to enforce: How much effort, time, and resources are required to enforce the policy?
    • Additionally, the weighting or priority of each variable of prioritization can be adjusted.

    Align policies to recent security concerns. If your organization has recently experienced a breach, it may be crucial to highlight corresponding policies as immediately necessary.

    Info-Tech Insight

    If you have an existing policy that aligns with one of the Info-Tech recommended templates weight Ease to Implement and Ease to Enforce as HIGH (4-5). This will decrease the priority of these policies.

    Sample of the Security Policy Prioritization Tool.

    Download the Security Policy Prioritization Tool

    1.5 Leverage stakeholders to champion policies

    Info-Tech Insight

    While management support is essential to initiating a strong security posture, allow employees to provide input on the development of security policies. This cooperation will lead to easier incorporation of the policies into the daily routines of workers, with less resistance. The security team will be less of a police force and more of a partner.

    Executive champion

    Identify an executive champion who will ensure that the security program and the security policies are supported.

    Focus on risk and protection

    Security can be viewed as an interference, but the business is likely more responsive to the concepts of risk and protection because it can apply to overall business operations and a revenue-generating mandate.

    Communicate policy initiatives

    Inform stakeholders of the policy initiative as security policies are only effective if they support the business requirements and user input is crucial for developing a strong security culture.

    Current security landscape

    Leveraging the current security landscape can be a useful mechanism to drive policy buy-in from stakeholders.

    Management buy-in

    This is key to policy acceptance; it indicates that policies are accurate, align with the business, and are to be upheld, that funds will be made available, and that all employees will be equally accountable.

    Align Projects With the IT Change Lifecycle

    • Buy Link or Shortcode: {j2store}464|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Operations Management
    • Parent Category Link: /i-and-o-process-management
    • Coordinate IT change and project management to successfully push changes to production.
    • Manage representation of project management within the scope of the change lifecycle to gather requirements, properly approve and implement changes, and resolve incidents that arise from failed implementations.
    • Communicate effectively between change management, project management, and the business.

    Our Advice

    Critical Insight

    Improvement can be incremental. You do not have to adopt every recommended improvement right away. Ensure every process change you make will create value and slowly add improvements to ease buy-in.

    Impact and Result

    • Establish pre-set touchpoints between IT change management and project management at strategic points in the change and project lifecycles.
    • Include appropriate project representation at the change advisory board (CAB).
    • Leverage standard change resources such as the change calendar and request for change form (RFC).

    Align Projects With the IT Change Lifecycle Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Align Projects With the IT Change Lifecycle Deck – A guide to walk through integrating project touchpoints in the IT change management lifecycle.

    Use this storyboard as a guide to align projects with your IT change management lifecycle.

    • Align Projects With the IT Change Lifecycle Storyboard

    2. The Change Management SOP – This template will ensure that organizations have a comprehensive document in place that can act as a point of reference for the program.

    Use this SOP as a template to document and maintain your change management practice.

    • Change Management Standard Operating Procedure
    [infographic]

    Further reading

    Align Projects With the IT Change Lifecycle

    Increase the success of your changes by integrating project touchpoints in the change lifecycle.

    Analyst Perspective

    Focus on frequent and transparent communications between the project team and change management.

    Benedict Chang

    Misalignment between IT change management and project management leads to headaches for both practices. Project managers should aim to be represented in the change advisory board (CAB) to ensure their projects are prioritized and scheduled appropriately. Advanced notice on project progress allows for fewer last-minute accommodations at implementation. Widespread access of the change calendar can also lead project management to effectively schedule projects to give change management advanced notice.

    Moreover, alignment between the two practices at intake allows for requests to be properly sorted, whether they enter change management directly or are governed as a project.

    Lastly, standardizing implementation and post-implementation across everyone involved ensures more successful changes and socialized/documented lessons learned for when implementations do not go well.

    Benedict Chang
    Senior Research Analyst, Infrastructure and Operations
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Common Obstacles

    Info-Tech’s Approach

    To align projects with the change lifecycle, IT leaders must:

    • Coordinate IT change and project management to successfully push changes to production.
    • Manage representation of project management within the scope of the change lifecycle to gather requirements, properly approve and implement changes, and resolve incidents that arise from failed implementations.
    • Communicate effectively between change management, project management, and the business.

    Loose definitions may work for clear-cut examples of changes and projects at intake, but grey-area requests end up falling through the cracks.

    Changes to project scope, when not communicated, often leads to scheduling conflicts at go-live.

    Too few checkpoints between change and project management can lead to conflicts. Too many checkpoints can lead to delays.

    Set up touchpoints between IT change management and project management at strategic points in the change and project lifecycles.

    Include appropriate project representation at the change advisory board (CAB).

    Leverage standard change resources such as the change calendar and request for change form (RFC).

    Info-Tech Insight

    Improvement can be incremental. You do not have to adopt every recommended improvement right away. Ensure every process change you make will create value, and slowly add improvements to ease buy-in.

    Info-Tech’s approach

    Use the change lifecycle to identify touchpoints.

    The image contains a screenshot of Info-Tech's approach.

    The Info-Tech difference:

    1. Start with your change lifecycle to define how change control can align with project management.
    2. Make improvements to project-change alignment to benefit the relationship between the two practices and the practices individually.
    3. Scope the alignment to your organization. Take on the improvements to the left one by one instead of overhauling your current process.

    Use this research to improve your current process

    This deck is intended to align established processes. If you are just starting to build IT change processes, see the related research below.

    Align Projects With the IT Change Lifecycle

    02 Optimize IT Project Intake, Approval, and Prioritization

    01 Optimize IT Change Management

    Increase the success of your changes by integrating project touchpoints in your change lifecycle.

    (You are here)

    Decide which IT projects to approve and when to start them.

    Right-size IT change management to protect the live environment.

    Successful change management will provide benefits to both the business and IT

    Respond to business requests faster while reducing the number of change-related disruptions.

    IT Benefits

    Business Benefits

    • Fewer incidents and outages at project go-live
    • Upfront identification of project and change requirements
    • Higher rate of change and project success
    • Less rework
    • Fewer service desk calls related to failed go-lives
    • Fewer service disruptions
    • Faster response to requests for new and enhanced functionalities
    • Higher rate of benefits realization when changes are implemented
    • Lower cost per change
    • Fewer “surprise” changes disrupting productivity

    IT satisfaction with change management will drive business satisfaction with IT. Once the process is working efficiently, staff will be more motivated to adhere to the process, reducing the number of unauthorized changes. As fewer changes bypass proper evaluation and testing, service disruptions will decrease and business satisfaction will increase.

    Change management improves core benefits to the business: the four Cs

    Most organizations have at least some form of change control in place, but formalizing change management leads to the four Cs of business benefits:

    Control

    Collaboration

    Consistency

    Confidence

    Change management brings daily control over the IT environment, allowing you to review every relatively new change, eliminate changes that would have likely failed, and review all changes to improve the IT environment.

    Change management planning brings increased communication and collaboration across groups by coordinating changes with business activities. The CAB brings a more formalized and centralized communication method for IT.

    Request-for-change templates and a structured process result in implementation, test, and backout plans being more consistent. Implementing processes for pre-approved changes also ensures these frequent changes are executed consistently and efficiently.

    Change management processes will give your organization more confidence through more accurate planning, improved execution of changes, less failure, and more control over the IT environment. This also leads to greater protection against audits.

    1. Alignment at intake

    Define what is a change and what is a project.

    Both changes and projects will end up in change control in the end. Here, we define the intake.

    Changes and projects will both go to change control when ready to go live. However, defining the governance needed at intake is critical.

    A change should be governed by change control from beginning to end. It would typically be less than a week’s worth of work for a SME to build and come in at a nominal cost (e.g. <$20k over operating costs).

    Projects on the other hand, will be governed by project management in terms of scope, scheduling, resourcing, etc. Projects typically take over a week and/or cost more. However, the project, when ready to go live, should still be scheduled through change control to avoid any conflicts at implementation. At triage and intake, a project can be further scoped based on projected scale.

    This initial touchpoint between change control and project management is crucial to ensure tasks and request are executed with the proper governance. To distinguish between changes and projects at intake, list examples of each and determine what resourcing separates changes from projects.

    Need help scoping projects? Download the Project Intake Classification Matrix

    Change

    Project

    • Smaller scale task that typically takes a short time to build and test
    • Generates a single change request
    • Governed by IT Change Management for the entire lifecycle
    • Larger in scope
    • May generate multiple change requests
    • Governed by PMO
    • Longer to build and test

    Info-Tech Insight

    While effort and cost are good indicators of changes and projects, consider evaluating risk and complexity too.

    1 Define what constitutes a change

    1. As a group, brainstorm examples of changes and projects. If you wish, you may choose to also separate out additional request types such as service requests (user), operational tasks (backend), and releases.
    2. Have each participant write the examples on sticky notes and populate the following chart on the whiteboard/flip chart.
    3. Use the examples to draw lines and determine what defines each category.
    • What makes a change distinct from a project?
    • What makes a change distinct from a service request?
    • What makes a change distinct from an operational task?
    • When do the category workflows cross over with other categories? (For example, when does a project interact with change management?
  • Record the definitions of requests and results in section 2.3 of the Change Management Standard Operating Procedure (SOP).
  • Change

    Project

    Service Request (Optional)

    Operational Task (Optional)

    Release (Optional)

    Changing Configuration

    New ERP

    Add new user

    Delete temp files

    Software release

    Download the Change Management Standard Operating Procedure (SOP).

    Input Output
    • List of examples of each category of the chart
    • Definitions for each category to be used at change intake
    Materials Participants
    • Whiteboard/flip charts (or shared screen if working remotely)
    • Service catalog (if applicable)
    • Sticky notes
    • Markers/pens
    • Change Management SOP
    • Change Manager
    • Project Managers
    • Members of the Change Advisory Board

    2. Alignment at build and test

    Keep communications open by pre-defining and communicating project milestones.

    CAB touchpoints

    Consistently communicate the plan and timeline for hitting these milestones so CAB can prioritize and plan changes around it. This will give change control advanced notice of altered timelines.

    RFCs

    Projects may have multiple associated RFCs. Keeping CAB appraised of the project RFC or RFCs gives them the ability to further plan changes.

    Change Calendar

    Query and fill the change calendar with project timelines and milestones to compliment the CAB touchpoints.

    Leverage the RFC to record and communicate project details

    The request for change (RFC) form does not have to be a burden to fill out. If designed with value in mind, it can be leveraged to set standards on all changes (from projects and otherwise).

    When looking at the RFC during the Build and Test phase of a project, prioritize the following fields to ensure the implementation will be successful from a technical and user-adoption point of view.

    Filling these fields of the RFC and communicating them to the CAB at go-live approval gives the approvers confidence that the project will be implemented successfully and measures are known for when that implementation is not successful.

    Download the Request for Change Form Template

    Communication Plan

    The project may be successful from a technical point of view, but if users do not know about go-live or how to interact with the project, it will ultimately fail.

    Training Plan

    If necessary, think of how to train different stakeholders on the project go-live. This includes training for end users interacting with the project and technicians supporting the project.

    Implementation Plan

    Write the implementation plan at a high enough level that gives the CAB confidence that the implementation team knows the steps well.

    Rollback Plan

    Having a well-formulated rollback plan gives the CAB the confidence that the impact of the project is well known and the impact to the business is limited even if the implementation does not go well.

    Provide clear definitions of what goes on the change calendar and who’s responsible

    Inputs

    • Freeze periods for individual business departments/applications (e.g. finance month-end periods, HR payroll cycle, etc. – all to be investigated)
    • Maintenance windows and planned outage periods
    • Project schedules, and upcoming major/medium changes
    • Holidays
    • Business hours (some departments work 9-5, others work different hours or in different time zones, and user acceptance testing may require business users to be available)

    Guidelines

    • Business-defined freeze periods are the top priority.
    • No major or medium normal changes should occur during the week between Christmas and New Year’s Day.
    • Vendor SLA support hours are the preferred time for implementing changes.
    • The vacation calendar for IT will be considered for major changes.
    • Change priority: High > Medium > Low.
    • Minor changes and preapproved changes have the same priority and will be decided on a case-by-case basis.

    Roles

    • The Change Manager will be responsible for creating and maintaining a change calendar.
    • Only the Change Manager can physically alter the calendar by adding a new change after the CAB has agreed upon a deployment date.
    • All other CAB members, IT support staff, and other impacted stakeholders should have access to the calendar on a read-only basis to prevent people from making unauthorized changes to deployment dates.

    Info-Tech Insight

    Make the calendar visible to as many parties as necessary. However, limit the number of personnel who can make active changes to the calendar to limit calendar conflicts.

    3. Alignment at approval

    How can project management effectively contribute to CAB?

    As optional CAB members

    Project SMEs may attend when projects are ready to go live and when invited by the change manager. Optional members provide details on change cross-dependencies, high-level testing, rollback, communication plans, etc. to inform prioritization and scheduling decisions.

    As project management representatives

    Project management should also attend CAB meetings to report in on changes to ongoing projects, implementation timelines, and project milestones. Projects are typically high-priority changes when going live due to their impact. Advanced notice of timeline and milestone changes allow the rest of the CAB to properly manage other changes going into production.

    As core CAB members

    The core responsibilities of CAB must still be fulfilled:

    1. Protect the live environment from poorly assessed, tested, and implemented changes.

    2. Prioritize changes in a way that fairly reflects change impact, urgency, and likelihood.

    3. Schedule deployments in a way the minimizes conflict and disruption.

    If you need to define the authority and responsibilities of the CAB, see Activity 2.1.3 of the Optimize IT Change Management blueprint.

    4. Alignment at implementation

    At this stage, the project or project phase is treated as any other change.

    Verification

    Once the change has been implemented, verify that all requirements are fulfilled.

    Review

    Ensure all affected systems and applications are operating as predicted.

    Update change ticket and change log

    Update RFC status and CMDB as well (if necessary).

    Transition

    Once the change implementation is complete, it’s imperative that the team involved inform and train the operational and support groups.

    If you need to define transitioning changes to production, download Transition Projects to the Service Desk

    5. Alignment at post-implementation

    Tackle the most neglected portion of change management to avoid making the same mistake twice.

    1. Define RFC statuses that need a PIR
    2. Conduct PIRs for failed changes. Successful changes can simply be noted and transitioned to operations.

    3. Conduct a PIR for every failed change
    4. It’s best to perform a PIR once a change-related incident is resolved.

    5. Avoid making the same mistake twice
    6. Include a root-cause analysis, mitigation actions/timeline, and lessons learned in the documentation.

    7. Report to CAB
    8. Socialize the findings of the PIR at the subsequent CAB meeting.

    9. Circle back on previous PIRs
    10. If a similar change is conducted, append the related PIR to avoid the same mistakes.

    Info-Tech Insight

    Include your PIR documentation right in the RFC for easy reference.

    Download the RFC template for more details on post-implementation reviews

    2 Implement your alignments stepwise

    1. As a group, decide on which implementations you need to make to align change management and project management.
    2. For each improvement, list a timeline for implementation.
    3. Update section 3.5 in the Change Management Standard Operating Procedure (SOP). to outline the responsibilities of project management within IT Change Management.

    The image contains a screenshot of the Change Management SOP

    Download the Change Management Standard Operating Procedure (SOP).

    Input Output
    • This deck
    • SOP update
    Materials Participants
    • Whiteboard/flip charts (or shared screen if working remotely)
    • Service catalog (if applicable)
    • Sticky notes
    • Markers/pens
    • Change Management SOP
    • Change Manager
    • Project Managers
    • Members of the Change Advisory Board

    Related Info-Tech Research

    Optimize IT Change Management

    Right-size IT change management to protect the live environment.

    Optimize IT Project Intake, Approval, and Prioritization

    Decide which IT projects to approve and when to start them.

    Maintain an Organized Portfolio

    Align portfolio management practices with COBIT (APO05: Manage Portfolio).

    Business Value

    • Buy Link or Shortcode: {j2store}7|cart{/j2store}
    • Related Products: {j2store}7|crosssells{/j2store}
    • Up-Sell: {j2store}7|upsells{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Financial Management
    • Parent Category Link: /financial-management
    Maximize your ROI on IT through benefits realization

    IT Operations Consulting

    Operations... make sure that the services and products you offer your clients are delivered in the most efficient way possible. IT Operations makes sure that the applications and infrastructure that your delivery depends on is solid.

    Gert Taeymans has over 20 years experience in directing the implementation and management of mission-critical services for businesses in high-volume international markets. Strong track record in risk management, crisis management including disaster recovery, service delivery and change & config management.

    Register to read more …

    Scale Business Process Automation

    • Buy Link or Shortcode: {j2store}241|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Optimization
    • Parent Category Link: /optimization
    • Business process automation (BPA) adoption gained significant momentum as your business leaders saw the positive outcomes in your pilots, such as improvements in customer experience, operational efficiencies, and cost optimizations.
    • Your stakeholders are ready to increase their investments in more process automation solutions. They want to scale initial successes to other business and IT functions.
    • However, it is unclear how BPA can be successfully scaled and what benefits can be achieved from it.

    Our Advice

    Critical Insight

    The shift from isolated, task-based automations in your pilot to value-oriented, scaled automations brings new challenges and barriers to your organization such as:

    • Little motivation or tolerance to change existing business operations to see the full value of BPA.
    • Overinvesting in current BPA technologies to maximize the return despite available alternatives that can do the same tasks better.
    • BPA teams are ill-equipped to meet the demands and complexities of scaled BPA implementations.

    Impact and Result

    • Ground your scaling expectations. Set realistic and achievable goals centered on driving business value to the entire organization by optimizing and automating end-to-end business processes.
    • Define your scaling journey. Tailor your scaling approach according to your ability to ease BPA implementation, to broaden BPA adoption, and to loosen BPA constraints.
    • Prepare to scale BPA. Cement your BPA management and governance foundations to support BPA scaling using the lessons learned from your pilot implementation.

    Scale Business Process Automation Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Scale Business Process Automation Deck – A guide to learn the opportunities and values of scaling business process automation.

    This research walks you through the level setting of your scaled business process automation (BPA) expectations, factors to consider in defining your scaled BPA journey, and assessing your readiness to scale BPA.

    • Scale Business Process Automation Storyboard

    2. Scale Business Process Automation Readiness Assessment – A tool to help you evaluate your readiness to scale business process automation.

    Use this tool to identify key gaps in the people, processes, and technologies you need to support the scaling of business process automation (BPA). It also contains a canvas to facilitate your discussions around business process automation with your stakeholders and BPA teams.

    • Scale Business Process Automation Readiness Assessment
    [infographic]

    Further reading

    Scale Business Process Automation

    Take a value-first approach to automate the processes that matter

    Analyst Perspective

    Scaling business process automation (BPA) is an organization-wide commitment

    Business and IT must work together to ensure the right automations are implemented and BPA is grown and matured in a sustainable way. However, many organizations are not ready to make this commitment. Managing the automation demand backlog, coordinating cross-functional effort and organizational change, and measuring BPA value are some of the leading factors challenging scaling BPA.

    Pilot BPA with the intent to scale it. Pilots are safe starting points to establish your foundational governance and management practices and build the necessary relationships and collaborations for you to be successful. These factors will then allow you to explore more sophisticated, complicated, and innovative opportunities to drive new value to your team, department, and organization.

    A picture of Andrew Kum-Seun

    Andrew Kum-Seun
    Research Director,
    Application Delivery and Management
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • Business process automation (BPA) adoption gained significant momentum as your business leaders see the positive outcomes in your pilots, such as improvements in customer experience, operational efficiencies, and cost optimizations.
    • Your stakeholders are ready to increase their investments in more process automation solutions. They want to scale initial successes to other business and IT functions.
    • However, it is unclear how BPA can be successfully scaled and what benefits can be achieved from it.

    Common Obstacles

    The shift from isolated, task-based automations in your pilot to value-oriented and scaled automations brings new challenges and barriers to your organization:

    • Little motivation or tolerance to change existing business operations to see the full value of BPA.
    • Overinvesting in current BPA technologies to maximize return despite available alternatives that can do the same tasks better.
    • BPA teams are ill-equipped to meet the demands and complexities of scaled BPA implementations.

    Info-Tech's Approach

    • Ground your scaling expectations. Set realistic and achievable goals centered on driving business value to the entire organization by optimizing and automating end-to-end business processes.
    • Define your scaling journey. Tailor your scaling approach according to your ability to ease BPA implementation, to broaden BPA adoption, and to loosen BPA constraints.
    • Prepare to scale BPA. Cement your BPA management and governance foundations to support BPA scaling using the lessons learned from your pilot implementation.

    Info-Tech Insight

    Take a value-first approach in your scaling business process automation (BPA) journey. Low-risk, task-oriented automations are good starting points to introduce BPA but constrain the broader returns your organization wants. Business value can only scale when everything and everyone in your processes are working together to streamline the entire value stream rather than the small gains from optimizing small, isolated automations.

    Scale Business Process Automation

    Take a value-first approach to automate the processes that matter

    Pilot Your BPA Capabilities

    • Learn the foundation practices to design, deliver, and support BPA.
    • Understand the fit and value of BPA.
    • Gauge the tolerance for business operational change and system risk.

    See Info-Tech's Build a Winning Business Process Automation Playbook blueprint for more information.

    Build Your Scaling BPA Vision

    Apply Lessons Learned to Scale

    1. Ground Your Scaling Expectations
      Set realistic and achievable goals centered on driving business value to the entire organization by optimizing and automating end-to-end business processes.
    2. Define Your Scaling Journey
      Tailor your scaling approach according to your ability to ease BPA implementation, to broaden BPA adoption, and to loosen BPA constraints.
    3. Prepare to Scale BPA
      Cement your BPA management and governance foundations to support BPA scaling using the lessons learned from your pilot implementation.

    Research deliverable

    Design and communicate your approach to scale business process automation with Info-Tech's Scale Business Process Automation Readiness Assessment:

    • Level set your scaled BPA goals and objectives.
    • Discuss and design your scaled BPA journey.
    • Identify the gaps and improvements needed to scale your BPA practices and implementation.

    A screenshot from Info-Tech's Scale Business Process Automation Readiness Assessment

    Step 1.1

    Ground Your Scaling Expectations

    Activities

    1.1.1 Define Your Scaling Objectives

    This step involves the following participants:

    • Business Process Owners
    • Product Owners
    • Application Directors
    • Business Architects
    • BPA Delivery & Support Teams

    Outcomes of this step

    Scaling BPA objectives

    Organizations want to scale their initial BPA success

    Notable Initial Benefits

    1. Time Saved: "In the first day of live operations, the robots were saving 51 hours each day or the equivalent of six people working an eight-hour shift." – Brendan MacDonald, Director of Customer Compliance Operations, Ladbrokes (UiPath)
    2. Documentation & Knowledge Sharing: "If certain people left, knowledge of some processes would be lost and we realized that we needed a reliable process management system in place." – Peta Kinnane, Acting Audit and Risk Coordinator, Liverpool City Council (Nintex)
    3. Improved Service Delivery: "Thanks to this automation, our percentage of triaged and assigned tickets is now 100%. Nothing falls through the cracks. It has also improved the time to assignment. We assign tickets 2x faster than before." – Sebastian Goodwin, Head of Cybersecurity, Nutanix (Workato)

    Can We Gain More From Automation?

    The Solution

    As industries evolve and adopt more tools and technology, their products, services, and business operating models become more complex. Task- and desktop-based automations are often not enough. More sophisticated and scaled automations are needed to simplify and streamline the process from end-to-end of complex operations and align them with organizational goals.

    Stakeholders see automation as an opportunity to scale the business

    The value of scaling BPA is dependent on the organization's ability to scale with it. In other words, stakeholders should see an increase in business value without a substantial increase in resources and operational costs (e.g., there should be little difference if sending out 10 emails versus 1000).

    Examples of how business can be scaled with automation

    • Processes triggered by incoming documents or email: in these processes, an incoming document or email (that has semi-structured or unstructured data) is collected by a script or an RPA bot. This document is then processed with a machine learning model that validates it either by rules or ML models. The validated and enriched machine-readable data is then passed on to the next system of record.
    • The accounts payable process: this process includes receiving, processing, and paying out invoices from suppliers that provided goods or services to the company. While manual processing can be expensive, take too much time, and lead to errors, businesses can automate this process with machine learning and document extraction technologies like optical characters recognition (OCR), which converts texts containing images into characters that can be readable by computers to edit, compute, and analyze.
    • Order management: these processes include retrieving email and relevant attachments, extracting information that tells the business what its customers want, updating internal systems with newly placed orders or modifications, or taking necessary actions related to customer queries.
    • Enhance customer experience: [BPA tools] can help teams develop and distribute customer loyalty offers faster while also optimizing these offers with customer insights. Now, enterprises can more easily guarantee they are delivering the relevant solutions their clients are demanding.

    Source: Stefanini Group

    Scaling BPA has its challenges

    Perceived Lack of Opportunities

    Pilot BPA implementations often involve the processes that are straightforward to automate or are already shortlisted to optimize. However, these low-hanging fruits will run out. Discovering new BPA opportunities can be challenged for a variety of reasons, such as:

    • Lack of documentation and knowledge
    • Low user participation or drive to change
    • BPA technology limitations and constraints

    Perceived Lack of Opportunities

    BPA is not a cheap investment. A single RPA bot, for example, can cost between $5,000 to $15,000. This cost does not include the added cost for training, renewal fees, infrastructure set up and other variable and reoccurring costs that often come with RPA delivery and support (Blueprint). This reality can motivate BPA owners to favor existing technologies over other cheaper and more effective alternatives in an attempt boost their return on investment.

    Ill-Equipped Support Teams

    Good technical skills and tools, and the right mindset are critical to ensure BPA capabilities are deployed effectively. Low-code no-code (LCNC) can help but success isn't guaranteed. Lack of experience with low-code platforms is the biggest obstacle in low-code adoption according to 60% of respondents (Creatio). The learning curve has led some organizations to hire contractors to onboard BPA teams, hire new employees, or dedicate significant funding and resources to upskill internal resources.

    Shift your objectives from task-based efficiencies to value-driven capabilities

    How can I improve myself?

    How can we improve my team?

    How can we improve my organization?

    Objectives

    • Improve worker productivity
    • Improve the repeatability and predictability of the process
    • Deliver outputs of consistent quality and cadence
    • Increase process, tool, and technology confidence
    • Increase the team's throughput, commitment, and load
    • Apply more focus on cognitive and complex tasks
    • Reduce the time to complete error-prone, manual, and routine collaborations
    • Deliver insightful, personalized, and valuable outputs
    • Drive more value in existing pipelines and introduce new value streams
    • Deliver consistent digital experiences involving different technologies
    • Automatically tailor a customer's experience to individual preferences
    • Forecast and rapidly respond to customer issues and market trends

    Goals

    • Learn the fit of BPA & set the foundations
    • Improve the practices & tools and optimize the performance
    • Scale BPA capabilities throughout the organization

    Gauge the success of your scaled BPA

    BPA Practice Effectiveness

    Key Question: Are stakeholders satisfied with how the BPA practice is meeting their automation needs?

    Examples of Metrics:

    • User satisfaction
    • Automation request turnaround time
    • Throughput of BPA team

    Automation Solution Quality

    Key Question: How do your automation solutions perform and meet your quality standards?

    Examples of Metrics:

    • Licensing and operational costs
    • Service level agreement and uptime/downtime
    • Number of defects

    Business Value Delivery

    Key Question: How has automation improved the value your employees, teams, and the organization delivers?

    Examples of Metrics:
    Increase in revenue generation
    Reduction in operational costs
    Expansion of business capabilities with minimal increases in costs and risks

    1.1.1 Define your scaling objectives

    5 minutes

    1. Complete the following fields to build your scaled business process automation canvas:
      1. Problem that scaling BPA is intending to solve
      2. Your vision for scaling BPA
      3. Stakeholders
      4. Scaled BPA business and IT objectives and metrics
      5. Business capabilities, processes, and application systems involved
      6. Notable constraints, roadblocks, and challenges to your scaled BPA success
    2. Document your findings and discussions in Info-Tech's Scale Business Process Automation Readiness Assessment.

    Output

    Scaled BPA value canvas

    Participants

    • Business Process Owners
    • Product Owners
    • Application Directors
    • Business Architects
    • BPA Delivery & Support Teams

    Record the results in the 2. Value Canvas Tab in the Scale Business Process Automation Readiness Assessment.

    1.1.1 cont'd

    Scaled BPA Value Canvas Template:

    A screenshot of Scaled BPA Value Canvas Template

    Align your objectives to your application portfolio strategy

    Why is an application portfolio strategy important for BPA?

    • All business process optimizations are designed, delivered, and managed to support a consistent interpretation of the business and IT vision and goals.
    • Clear understanding of the sprawl, criticality, and risks of automation solutions and applications to business capabilities.
    • BPA initiatives are planned, prioritized, and coordinated alongside modernization, upgrades, and other changes to the application portfolio.
    • Resources, skills, and capacities are strategically allocated to meet BPA demand considering other commitments in the backlog and roadmap.
    • BPA expectations and practices uphold the persona, values, and principles of the application team.

    What is an application portfolio strategy?

    An application portfolio strategy details the direction, activities, and tactics to deliver on the promise of your application portfolio. It often includes:

    • Portfolio vision and goals
    • Application, automation, and process portfolio
    • Values and principles
    • Portfolio health
    • Risks and constraints
    • Strategic roadmap

    See our Application Portfolio Management Foundations blueprint for more information.

    Leverage your BPA champions to drive change and support scaling initiatives

    An arrow showing the steps to Leverage your BPA champions to drive change and support scaling initiatives

    Expected Outcome From Your Pilot: Your pilot would have recognized the roles that know how to effectively apply good BPA practices (e.g., process analysis and optimization) and are familiar with the BPA toolset. These individuals are prime candidates who can standardize your Build a Winning Business Process Automation Playbook, upskill interested teams, and build relationships among those involved in the delivery and use of BPA.

    Step 1.2

    Define Your Scaling Journey

    Activities

    1.2.1 Discuss Your BPA Opportunities
    1.2.2 Lay Out Your Scaling BPA Journey

    Scale Business Process Automation

    This step involves the following participants:

    • Business Process Owners
    • Product Owners
    • Application Directors
    • Business Architects
    • BPA Delivery & Support Teams

    Outcomes of this step

    • List of scaling BPA opportunities
    • Tailored scaling journey

    Maintain a healthy demand pipeline

    A successful scaled BPA practice requires a continuous demand for BPA capabilities and the delivery of minimum viable automations (MVA) held together by a broader strategic roadmap.

    An image of a healthy demand pipeline.  it flows from opportunities to trends, with inputs from internal and external sources.

    An MVA focuses on a single and small process use case, involves minimal possible effort to improve, and is designed to satisfy a specific user group. Its purpose is to maximize learning and value and inform the further scaling of the BPA technology, approach, or practice.

    See our Build a Winning Business Process Automation Playbook blueprint for more information.

    Investigate how BPA trends can drive more value for the organization

    • Event-Driven Automation
      Process is triggered by a schedule, system output, scenario, or user (e.g., voice-activated, time-sensitive, system condition)
    • Low- & No-Code Automation build and management are completed through an easy-to-learn scripting language and/or a GUI.
    • Intelligent Document Processing
      Transform documents for better analysis, processing and handling (e.g., optical character recognition) by a tool or system.
    • End-to-End Process Automation & Transparency
      Linking cross-functional processes to enable automation of the entire value stream with seamless handoffs or triggers.
    • Orchestration of Different BPA Technologies
      Integrating and sequencing the execution of multiple automation solutions through a single console.
    • Cognitive Automation
      AI and other intelligent technologies automate information-intensive processes, including semi and unstructured data and human thinking simulation.
    • Intelligent Internet-of-Things
      Connecting process automation technologies to physical environments with sensors and other interaction devices (e.g., computer vision).
    • Ethical Design
      Optimizing processes that align to the moral value, principles, and beliefs of the organization (e.g., respects data privacy, resists manipulative patterns).
    • User Profiling & Tailored Experiences
      Customizing process outputs and user experience with user-defined configurations or system and user activity monitoring.
    • Process Mining & Discovery
      Gleaning optimization opportunities by analyzing system activities (mining) or monitoring user interactions with applications (discovery).

    1.2.1 Discuss your BPA opportunities

    5 minutes

    1. Review the goals and objectives of your initiative and the expectations you want to gain from scaling BPA.
    2. Discuss how BPA trends can be leveraged in your organization.
    3. List high priority scaling BPA opportunities.

    Output

    • Scaled BPA opportunities

    Participants

    • Business Process Owners
    • Product Owners
    • Application Directors
    • Business Architects
    • BPA Delivery & Support Teams

    Create your recipe for success

    Your scaling BPA recipe (approach) can involve multiple different flavors of various quantities to fit the needs and constraints of your organization and workers.

    What and how many ingredients you need is dependent on three key questions:

    1. How can we ease BPA implementation?
    2. How can we broaden the BPA scope?
    3. How can we loosen constraints?

    Personalize Scaling BPA To Your Taste

    • Extend BPA Across Business Units (Horizontal)
    • Integrate BPA Across Your Application Architecture (Vertical)
    • Embed AI/ML Into Your Automation Technologies
    • Empower Users With Business-Managed Automations
    • Combine Multiple Technologies for End-to-End Automation
    • Increase the Volume and Velocity of Automation
    • Automate Cognitive Processes and Making Variable Decisions

    Answer these questions in the definition of your scaling BPA journey

    Seeing the full value of your scaling approach is dependent on your ability to support BPA adoption across the organization

    How can we ease BPA implementation?

    • Good governance practices (e.g., role definitions, delivery and management processes, technology standards).
    • Support for innovation and experimentation.
    • Interoperable and plug-and-play architecture.
    • Dedicated technology management and support, including resources, documents, templates and shells.
    • Accessible and easy-to-understand knowledge and document repository.

    How can we broaden BPA scope?

    • Provide a unified experience across processes, fragmented technologies, and siloed business functions.
    • Improve intellectually intensive activities, challenging decision making and complex processes with more valuable insights and information using BPA.
    • Proactively react to business and technology environments and operational changes and interact with customers with unattended automation.
    • Infuse BPA technologies into your product and service to expand their functions, output quality, and reliability.

    How can we loosen constraints?

    • Processes are automated without the need for structured data and optimized processes, and there is no need to work around or avoid legacy applications.
    • Workers are empowered to develop and maintain their own automations.
    • Coaching, mentoring, training, and onboarding capabilities.
    • Accessibility and adoption of underutilized applications are improved with BPA.
    • BPA is used to overcome the limitations or the inefficiencies of other BPA technologies.

    1.2.2 Lay out your scaling BPA journey

    5 minutes

    1. Review the goals and objectives of your initiative, the expectations you want to gain from scaling BPA, and the various scaling BPA opportunities.
    2. Discuss the different scaling BPA flavors (patterns) and how each flavor is applicable to your situation. Ask yourself these key questions:
      1. How can we ease BPA implementation?
      2. How can we broaden the BPA scope?
      3. How can we loosen constraints?
    3. Design the broad steps of your scaling BPA journey. See the following slide for an example.
    4. Document your findings and discussions in Info-Tech's Scale Business Process Automation Readiness Assessment.

    Record the results in the 3. Scaled BPA Journey Tab in the Scale Business Process Automation Readiness Assessment.

    Output

    • Scaled BPA journey

    Participants

    • Business Process Owners
    • Product Owners
    • Application Directors
    • Business Architects
    • BPA Delivery & Support Teams

    1.2.2 cont'd

    An image of the marker used to identify Continuous business process optimization and automation Continuous business process optimization and automation
    An image of the marker used to identify Scope of Info-Tech's Build Your Business Process Automation Playbook blueprintScope of Info-Tech's Build Your Business Process Automation Playbook blueprint

    Example:

    An example of the BPA journey.  Below are the links included in the journey.

    Continuously review and realign expectations

    Optimizing your scaled BPA practices and applying continuous improvements starts with monitoring the process after implementation.

    Purpose of Monitoring

    1. Diligent monitoring confirms your scaled BPA implementation is performing as desired and meeting initial expectations.
    2. Holding reviews of your BPA practice and implementations helps assess the impact of marketplace and business operations changes and allows the organization to stay on top of trends and risks.

    Metrics

    Metrics are an important aspect of monitoring and sustaining the scaled practice. The metrics will help determine success and find areas where adjustments may be needed.

    Hold retrospectives to identify any practice issues to be resolved or opportunities to undertake

    The retrospective gives your organization the opportunity to review themselves and brainstorm solutions and a plan for improvements to be actioned. This session is reoccurring, typically, after key milestones. While it is important to allow all participants the opportunity to voice their opinions, feelings, and experiences, retrospectives must be positive, productive, and time boxed.

    Step 1.3

    Prepare to Scale BPA

    Activities

    1.3.1 Assess Your Readiness to Scale BPA

    This step involves the following participants:

    • Business Process Owners
    • Product Owners
    • Application Directors
    • Business Architects
    • BPA Delivery & Support Teams

    Outcomes of this step

    • Scale BPA readiness assessment

    Prepare to scale by learning from your pilot implementations

    "While most organizations are advised to start with automating the 'low hanging fruit' first, the truth is that it can create traps that will impede your ability to achieve RPA at scale. In fact, scaling RPA into the organizational structure is fundamentally different from implementing a conventional software product or other process automation."
    – Blueprint

    What should be the takeaways from your pilot?

    Degree of Required BPA Support

    • Practices needed to address the organization's tolerance to business process changes and automation adoption.
    • Resources, budget and skills needed to configure and orchestrate automation technologies to existing business applications and systems.

    Technology Integration & Compatibility

    • The BPA technology and application system's flexibility to be enhanced, modified, and removed.
    • Adherence to data and system quality standards (e.g., security, availability) across all tools and technologies.

    Good Practices Toolkit

    • A list of tactics, techniques, templates, and examples to assist teams assessing and optimizing business processes and applying BPA solutions in your organization's context.
    • Strategies to navigate common blockers, challenges, and risks.

    Controls & Measures

    • Defined guardrails aligned to your organization's policies and risk tolerance
    • Key metrics are gathered to gauge the value and performance of your processes and automations for enhancements and further scaling.

    Decide how to architect and govern your BPA solutions

    Centralized

    A single body and platform to coordinate, execute, and manage all automation solutions.

    An image of the Centralized approach to governing BPA solutions.

    Distributed

    Automation solutions are locally delivered and managed whether that is per business unit, type of technology, or vendor. Some collaboration and integration can occur among solutions but might be done without a holistic strategy or approach.

    An image of the Distributed approach to governing BPA solutions.

    Hybrid

    Automation solutions are locally delivered and managed and executed for isolated use cases. Broader and complex automations are centrally orchestrated and administered.

    An image of the Hybrid approach to governing BPA solutions.

    Be prepared to address the risks with scaling BPA

    "Companies tend to underestimate the complexity of their business processes – and bots will frequently malfunction without an RPA design team that knows how to anticipate and prepare for most process exceptions. Unresolved process exceptions rank among the biggest RPA challenges, prompting frustrated users to revert to manual work."
    – Eduardo Diquez, Auxis, 2020

    Scenarios

    • Handling Failures of Dependent Systems
    • Handling Data Corruption & Quality Issues
    • Alignment to Regulatory & Industry Standards
    • Addressing Changes & Regressions to Business Processes
    • "Run Away" & Hijacked Automations
    • Unauthorized Access to Sensitive Information

    Recognize the costs to support your scaled BPA environment

    Cost Factors

    Automation Operations
    How will chaining multiple BPA technologies together impact your operating budget? Is there a limit on the number of active automations you can have at a single time?

    User Licenses
    How many users require access to the designer, orchestrator, and other functions of the BPA solution? Do they also require access to dependent applications, services, and databases?

    System Enhancements
    Are application and system upgrades and modernizations needed to support BPA? Is your infrastructure, data, and security controls capable of handling BPA demand?

    Supporting Resources
    Are dedicated resources needed to support, govern, and manage BPA across business and IT functions? Are internal resources or third-party providers preferred?

    Training & Onboarding
    Are end users and supporting resources trained to deliver, support, and/or use BPA? How will training and onboarding be facilitated: internally or via third party providers?

    Create a cross-functional and supportive body to lead the scaling of BPA

    Your supportive body is a cross-functional group of individuals promoting collaboration and good BPA practices. It enables an organization to extract the full benefits from critical systems, guides the growth and evolution of strategic BPA implementations, and provides critical expertise to those that need it. A supportive body distinctly caters to optimizing and strengthening BPA governance, management, and operational practices for a single technology or business function or broadly across the entire organization encompassing all BPA capabilities.

    What a support body is not:

    • A Temporary Measure
    • Exclusive to Large Organizations
    • A Project Management Office
    • A Physical Office
    • A Quick Fix

    See our Maximize the Benefits from Enterprise Applications With a Center of Excellence blueprint for more information.

    What are my options?

    Center of Excellence (CoE)
    AND
    Community of Practice (CoP)

    CoEs and CoPs provide critical functions

    An image of the critical functions provided by CoE and CoP.

    Shift your principles as you scale BPA

    As BPA scales, users and teams must not only think of how a BPA solution operates at a personal and technical level or what goals it is trying to achieve, but why it is worth doing and how the outcomes of the automated process will impact the organization's reputation, morality, and public perception.

    An image of the journey from Siloed BPA to Scaled BPA.

    "I think you're going to see a lot of corporations thinking about the corporate responsibility of [organizational change from automation], because studies show that consumers want and will only do business with socially responsible companies."

    – Todd Lohr

    Source: Appian, 2018.

    Assess your readiness to scale BPA

    Vision & Objectives
    Clear direction and goals of the business process automation practice.

    Governance
    Defined BPA roles and responsibilities, processes, and technology controls.

    Skills & Competencies
    The capabilities users and support roles must have to be successful with BPA.

    Business Process Management & Optimization
    The tactics to document, analyze, optimize, and monitor business processes.

    Business Process Automation Delivery
    The tactics to review the fit of automation solutions and deliver and support according to end user needs and preferences.

    Business Process Automation Platform
    The capabilities to manage BPA platforms and ensure it supports the growing needs of the business.

    1.3.1 Assess your readiness to scale BPA

    5 minutes

    1. Review your scaling BPA journey and selected patterns.
    2. Conduct a readiness assessment using the 4. Readiness Assessment tab in Info-Tech's Scale Business Process Automation Readiness Assessment.
    3. Brainstorm solutions to improve the capability or address the gaps found in this assessment.

    Output

    • Scaled BPA readiness assessment

    Participants

    • Business Process Owners
    • Product Owners
    • Application Directors
    • Business Architects
    • BPA Delivery & Support Teams

    Record the results in the 4. Readiness Assessment tab in Info-Tech's Scale Business Process Automation Readiness Assessment.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Related Info-Tech Research

    Bibliography

    Alston, Roland. "With the Rise of Intelligent Automation, Ethics Matter Now More than Ever." Appian, 4 Sept. 2018. Web.
    "Challenges of Achieving RPA at Scale." Blueprint, N.d. Web.
    Dilmegani, Cem. "RPA Benefits: 20 Ways Bots Improve Businesses in 2023," AI Multiple, 9 Jan 2023. Web.
    Diquez, Eduardo. "Struggling To Scale RPA? Discover The Secret to Success." Auxis, 30 Sept. 2020. Web.
    "How much does Robotic Process Automation (RPA) Really Cost?" Blueprint, 14 Sept. 2021. Web.
    "Liverpool City Council improves document process with Nintex." Nintex, n.d. Web.
    "The State of Low-Code/No-Code." Creatio, 2021. Web.
    "Using automation to enhance security and increase IT NPS to 90+ at Nutanix." Workato, n.d. Web.
    "What Is Hyperautomation? A Complete Guide To One Of Gartner's Top Tech Trends." Stefanini Group, 26 Mar. 2021. Web.

    Establish an Effective Data Protection Plan

    • Buy Link or Shortcode: {j2store}504|cart{/j2store}
    • member rating overall impact: 9.0/10 Overall Impact
    • member rating average dollars saved: $6,850 Average $ Saved
    • member rating average days saved: 9 Average Days Saved
    • Parent Category Name: Storage & Backup Optimization
    • Parent Category Link: /storage-and-backup-optimization
    • Business requirements can be vague. Not knowing the business needs often results in overspending and overexposure to liability through data hoarding.
    • Backup options are abundant. Disk, tape, or cloud? Each has drawbacks, efficiencies, and cost factors that should be considered.
    • Backup infrastructure is never greenfield. Any organization with a history has been doing backup. Existing software was likely determined by past choices and architecture.

    Our Advice

    Critical Insight

    • Don’t let failure be your metric.
      The past is not an indication of future performance! Quantify the cost of your data being unavailable to demonstrate value to the business.
    • Stop offloading backup to your most junior staff.
      Data protection should not exist in isolation. Get key leadership involved to ensure you can meet organizational requirements.
    • A lot of data is useless. Neglecting to properly tag and classify data will lead to a costly data protection solution that protects redundant, useless, or outdated data

    Impact and Result

    • Determine the current state of your data protection strategy by identifying the pains and gains of the solution and create a business-facing diagram to present to relevant stakeholders.
    • Quantify the value of data to the business to properly understand the requirements for data protection through a business impact analysis.
    • Identify the attributes and necessary requirements for your data tiers to procure a fit-for-purpose solution.

    Establish an Effective Data Protection Plan Research & Tools

    Start here – read the Executive Brief

    Read this Executive Brief to understand why the business should be involved in your data protection plan, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Define the current state of your data protection plan

    Define the current state of your data protection practices by documenting the backup process and identifying problems and opportunities for the desired state.

    • Establish an Effective Data Protection Plan – Phase 1: Define the Current State of Your Data Protection Plan
    • Data Protection Value Proposition Canvas Template

    2. Conduct a business impact analysis to understand requirements for restoring data

    Understand the business priorities.

    • Establish an Effective Data Protection Plan – Phase 2: Conduct a Business Impact Analysis to Understand Requirements for Restoring Data
    • DRP Business Impact Analysis Tool
    • Legacy DRP Business Impact Analysis Tool
    • Data Protection Recovery Workflow

    3. Propose the future state of your data protection plan

    Determine the desired state.

    • Establish an Effective Data Protection Plan – Phase 3: Propose the Future State of Your Data Protection Plan

    4. Establish proper governance for your data protection plan

    Explore the component of governance required.

    • Establish an Effective Data Protection Plan – Phase 4: Establish Proper Governance for Your Data Protection Plan
    • Data Protection Proposal Template
    [infographic]

    Leverage Big Data by Starting Small

    • Buy Link or Shortcode: {j2store}201|cart{/j2store}
    • member rating overall impact: 7.0/10 Overall Impact
    • member rating average dollars saved: 3 Average Days Saved
    • member rating average days saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • Parent Category Name: Big Data
    • Parent Category Link: /big-data
    • The desire for rapid decision making is increasing and the complexity of data sources is growing; business users want access to several new data sources, but in a way that is controlled and easily consumable.
    • Organizations may understand the transformative potential of a big data initiative, but struggle to make the transition from the awareness of its importance to identifying a concrete use case for a pilot project.
    • The big data ecosystem is crowded and confusing, and a lack of understanding of that ecosystem may cause a paralysis for organizations.

    Our Advice

    Critical Insight

    • Big data is simply data. With technological advances, what was once considered big data is now more approachable for all organizations irrespective of size.
    • The variety element is the key to unlocking big data value. Drill down into your specific use cases more effectively by focusing on what kind of data you should use.
    • Big data is about deep analytics. Deep doesn’t mean difficult. Visualization of data, integrating new data, and understanding associations are ways to deepen your analytics.

    Impact and Result

    • Establish a foundational understanding of what big data entails and what the implications of its different elements are for your organization.
    • Confirm your current maturity for taking on a big data initiative, and make considerations for core data management practices in the context of incorporating big data.
    • Avoid boiling the ocean by pinpointing use cases by industry and functional unit, followed by identifying the most essential data sources and elements that will enable the initiative.
    • Leverage a repeatable pilot project framework to build out a successful first initiative and implement future projects en-route to evolving a big data program.

    Leverage Big Data by Starting Small Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should leverage big data, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Undergo big data education

    Build a foundational understanding of the current big data landscape.

    • Leverage Big Data by Starting Small – Phase 1: Undergo Big Data Education

    2. Assess big data readiness

    Appraise current capabilities for handling a big data initiative and revisit the key data management practices that will enable big data success.

    • Leverage Big Data by Starting Small – Phase 2: Assess Big Data Readiness
    • Big Data Maturity Assessment Tool

    3. Pinpoint a killer big data use case

    Armed with Info-Tech’s variety dimension framework, identify the top use cases and the data sources/elements that will power the initiative.

    • Leverage Big Data by Starting Small – Phase 3: Pinpoint a Killer Big Data Use Case
    • Big Data Use-Case Suggestion Tool

    4. Structure a big data proof-of-concept project

    Leverage a repeatable framework to detail the core components of the pilot project.

    • Leverage Big Data by Starting Small – Phase 4: Structure a Big Data Proof-of-Concept Project
    • Big Data Work Breakdown Structure Template
    • Data Scientist
    • Big Data Cost/Benefit Tool
    • Big Data Stakeholder Presentation Template
    • Big Data Communication Tracking Template
    [infographic]

    Workshop: Leverage Big Data by Starting Small

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Undergo Big Data Education

    The Purpose

    Understand the basic elements of big data and its relationship to traditional business intelligence.

    Key Benefits Achieved

    Common, foundational knowledge of what big data entails.

    Activities

    1.1 Determine which of the four Vs is most important to your organization.

    1.2 Explore new data through a social lens.

    1.3 Brainstorm new opportunities for enhancing current reporting assets with big data sources.

    Outputs

    Relative importance of the four Vs from IT and business perspectives

    High-level improvement ideas to report artifacts using new data sources

    2 Assess Your Big Data Readiness

    The Purpose

    Establish an understanding of current maturity for taking on big data, as well as revisiting essential data management practices.

    Key Benefits Achieved

    Concrete idea of current capabilities.

    Recommended actions for developing big data maturity.

    Activities

    2.1 Determine your organization’s current big data maturity level.

    2.2 Plan for big data management.

    Outputs

    Established current state maturity

    Foundational understanding of data management practices in the context of a big data initiative

    3 Pinpoint Your Killer Big Data Use Case

    The Purpose

    Explore a plethora of potential use cases at the industry and business unit level, followed by using the variety element of big data to identify the highest value initiative(s) within your organization.

    Key Benefits Achieved

    In-depth characterization of a pilot big data initiative that is thoroughly informed by the business context.

    Activities

    3.1 Identify big data use cases at the industry and/or departmental levels.

    3.2 Conduct big data brainstorming sessions in collaboration with business stakeholders to refine use cases.

    3.3 Revisit the variety dimension framework to scope your big data initiative in further detail.

    3.4 Create an organizational 4-column data flow model with your big data sources/elements.

    3.5 Evaluate data sources by considering business value and risk.

    3.6 Perform a value-effort assessment to prioritize your initiatives.

    Outputs

    Potential big data use cases

    Potential initiatives rooted in the business context and identification of valuable data sources

    Identification of specific data sources and data elements

    Characterization of data sources/elements by value and risk

    Prioritization of big data use cases

    4 Structure a Big Data Proof-of-Concept Project

    The Purpose

    Put together the core components of the pilot project and set the stage for enterprise-wide support.

    Key Benefits Achieved

    A repeatable framework for implementing subsequent big data initiatives.

    Activities

    4.1 Construct a work breakdown structure for the pilot project.

    4.2 Determine your project’s need for a data scientist.

    4.3 Establish the staffing model for your pilot project.

    4.4 Perform a detailed cost/benefit analysis.

    4.5 Make architectural considerations for supporting the big data initiative.

    Outputs

    Comprehensive list of tasks for implementing the pilot project

    Decision on whether or not a data scientist is needed, and where data science capabilities will be sourced

    RACI chart for the project

    Big data pilot cost/benefit summary

    Customized, high-level architectural model that incorporates technologies that support big data

    Assess Your Cybersecurity Insurance Policy

    • Buy Link or Shortcode: {j2store}255|cart{/j2store}
    • member rating overall impact: 9.1/10 Overall Impact
    • member rating average dollars saved: $33,656 Average $ Saved
    • member rating average days saved: 7 Average Days Saved
    • Parent Category Name: Governance, Risk & Compliance
    • Parent Category Link: /governance-risk-compliance
    • Organizations must adapt their information security programs to accommodate insurance requirements.
    • Organizations need to reduce insurance costs.
    • Some organizations must find alternatives to cyber insurance.

    Our Advice

    Critical Insight

    • Shopping for insurance policies is not step one.
    • First and foremost, we must determine what the organization is at risk for and how much it would cost to recover.
    • The cyber insurance market is still evolving. As insurance requirements change, effectively managing cyber insurance requires that your organization proactively manages risk.

    Impact and Result

    Perform an insurance policy comparison with scores based on policy coverage and exclusions.

    Assess Your Cybersecurity Insurance Policy Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Assess Your Cybersecurity Insurance Policy Storyboard - A step-by-step document that walks you through how to acquire cyber insurance, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Use this blueprint to score your potential cyber insurance policies and develop skills to overcome common insurance pitfalls.

    • Assess Your Cybersecurity Insurance Policy Storyboard

    2. Acquire cyber insurance with confidence – Learn the essentials of the requirements gathering, policy procurement, and review processes.

    Use these tools to gather cyber insurance requirements, prepare for the underwriting process, and compare policies.

    • Threat and Risk Assessment Tool
    • DRP Business Impact Analysis Tool
    • Legacy DRP Business Impact Analysis Tool
    • DRP BIA Scoring Context Example
    • Cyber Insurance Policy Comparison Tool
    • Cyber Insurance Controls Checklist

    Infographic

    Develop a Cloud Testing Strategy for Today's Apps

    • Buy Link or Shortcode: {j2store}470|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Cloud Strategy
    • Parent Category Link: /cloud-strategy
    • The growth of the Cloud and the evolution of business operations have shown that traditional testing strategies do not work well with modern applications.
    • Organizations require a new framework around testing cloud applications that account for on-demand scalability and self-provisioning.
    • Expectations of application consumers are continually increasing with speed-to-market and quality being the norm.

    Our Advice

    Critical Insight

    • Cloud technology does not change the traditional testing processes that many organizations have accepted and adopted. It does, however, enhance traditional practices with increased replication capacity, execution speed, and compatibility through its virtual infrastructure and automated processes. Consider these factors when developing the cloud testing strategy.
    • Involving the business in strategy development will keep them engaged and align business drivers with technical initiatives.
    • Implement cloud testing solutions in a well-defined rollout process to ensure business objectives are realized and cloud testing initiatives are optimized.
    • Cloud testing is green and dynamic. Realize the limitations of cloud testing and play on its strengths.

    Impact and Result

    • Engaging in a formal and standardized cloud testing strategy and consistently meeting business needs throughout the organization maintains business buy-in.
    • The Cloud compounds the benefits from virtualization and automation because of the Cloud’s scalability, speed, and off-premise and virtual infrastructure and data storage attributes.
    • Cloud testing presents a new testing avenue. Realize that only certain tests are optimized in the Cloud, i.e., load, stress, and functional testing.

    Develop a Cloud Testing Strategy for Today's Apps Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Develop a cloud testing strategy.

    Obtain organizational buy-ins and build a standardized and formal cloud testing strategy.

    • Storyboard: Develop a Cloud Testing Strategy for Today's Apps
    • None

    2. Assess the organization's readiness for cloud testing.

    Assess your people, process, and technology for cloud testing readiness and realize areas for improvement.

    • Cloud Testing Readiness Assessment Tool

    3. Plan and manage the resources allocated to each project task.

    Organize and monitor cloud project planning tasks throughout the project's duration.

    • Cloud Testing Project Planning and Monitoring Tool
    [infographic]

    Optimize Applications Release Management

    • Buy Link or Shortcode: {j2store}406|cart{/j2store}
    • member rating overall impact: 9.3/10 Overall Impact
    • member rating average dollars saved: $44,874 Average $ Saved
    • member rating average days saved: 21 Average Days Saved
    • Parent Category Name: Testing, Deployment & QA
    • Parent Category Link: /testing-deployment-and-qa
    • The business demands high service and IT needs to respond. Rapid customer response through efficient release and deployment is critical to maintain high business satisfaction.
    • The lack of process ownership leads to chaotic and uncoordinated releases, resulting in costly rework and poor hand-offs.
    • IT emphasizes tools but release tools and technologies alone will not fix the problem. Tools are integrated into the processes they support – if the process challenges aren’t addressed first, then the tool won’t help.
    • Releases are traditionally executed in silos with limited communication across the entire release pipeline. Culturally, there is little motivation for cross-functional collaboration and holistic process optimization.

    Our Advice

    Critical Insight

    • Release management is not solely driven by tools. It is about delivering high quality releases on time through accountability and governance aided by the support of tools.
    • Release management is independent of your software development lifecycle (SDLC). Release management practices sit as an agnostic umbrella over your chosen development methodology.
    • Ownership of the entire process is vital. Release managers ensure standards are upheld and the pipeline operates efficiently.

    Impact and Result

    • Acquire release management ownership. Ensure there is appropriate accountability for speed and quality of the releases passing through the entire pipeline. A release manager has oversight over the entire release process and facilitates the necessary communication between business stakeholders and various IT roles.
    • Instill holistic thinking. Release management includes all steps required to push release and change requests to production along with the hand-off to Operations and Support. Increase the transparency and visibility of the entire pipeline to ensure local optimizations do not generate bottlenecks in other areas.
    • Standardize and lay a strong release management foundation. Optimize the key areas where you are experiencing the most pain and continually improve.

    Optimize Applications Release Management Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should optimize release management, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Review your release management objectives

    Assess the current state and define the drivers behind your release management optimizations.

    • Optimize Applications Release Management – Phase 1: Review Your Release Management Objectives
    • Release Management Process Standard Template
    • Release Management Maturity Assessment

    2. Standardize release management

    Design your release processes, program framework, and release change management standards, and define your release management team.

    • Optimize Applications Release Management – Phase 2: Standardize Release Management
    • Release Manager

    3. Roll out release management enhancements

    Create an optimization roadmap that fits your context.

    • Optimize Applications Release Management – Phase 3: Roll Out Release Management Enhancements
    [infographic]

    Workshop: Optimize Applications Release Management

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Review Your Release Management Objectives

    The Purpose

    Reveal the motivators behind the optimization of release management.

    Identify the root causes of current release issues and challenges.

    Key Benefits Achieved

    Ensure business alignment of optimization efforts.

    Firm grasp of why teams are facing release issues and the impacts they have on the organization.

    Activities

    1.1 Identify the objectives for application release.

    1.2 Conduct a current state assessment of release practices.

    Outputs

    Release management business objectives and technical drivers

    Current state assessment of release processes, communication flows, and tools and technologies

    2 Standardize Release Management

    The Purpose

    Alleviate current release issues and challenges with best practices.

    Standardize a core set of processes, tools, and roles & responsibilities to achieve consistency, cadence, and transparency.

    Key Benefits Achieved

    Repeatable execution of the same set of processes to increase the predictability of release delivery.

    Defined ownership of release management.

    Adaptable and flexible release management practices to changing business and technical environments.

    Activities

    2.1 Strengthen your release process.

    2.2 Coordinate releases with a program framework.

    2.3 Manage release issues with change management practices.

    2.4 Define your release management team.

    Outputs

    Processes accommodating each release type and approach the team is required to complete

    Release calendars and program framework

    Release change management process

    Defined responsibilities and accountabilities of release manager and release management team

    3 Roll Out Release Management Enhancements

    The Purpose

    Define metrics to validate release management improvements.

    Identify the degree of oversight and involvement of the release management team.

    Prioritize optimization roadmap against business needs and effort.

    Key Benefits Achieved

    Easy-to-gather metrics to measure success that can be communicated to stakeholders.

    Understanding of how involved release management teams are in enforcing release management standards.

    Practical and achievable optimization roadmap.

    Activities

    3.1 Define your release management metrics.

    3.2 Ensure adherence to standards.

    3.3 Create your optimization roadmap.

    Outputs

    List of metrics to gauge success

    Oversight and reporting structure of release management team

    Release management optimization roadmap

    Drive Business Value With a Right-Sized Project Gating Process

    • Buy Link or Shortcode: {j2store}445|cart{/j2store}
    • member rating overall impact: 9.0/10 Overall Impact
    • member rating average dollars saved: $61,999 Average $ Saved
    • member rating average days saved: 21 Average Days Saved
    • Parent Category Name: Portfolio Management
    • Parent Category Link: /portfolio-management
    • Low sponsor commitment on projects.
    • Poor quality on completed projects.
    • Little to no visibility into the project portfolio.
    • Organization does not operationalize change .
    • Analyzing, fixing, and redeploying is a constant struggle. Even when projects are done well, they fail to deliver the intended outcomes and benefits.

    Our Advice

    Critical Insight

    • Stop applying a one-size-fits-all-projects approach to governance.
    • Engage the sponsor by shifting the accountability to the business so they can get the most out of the project.
    • Do not limit the gating process to project management – expand to portfolio management.

    Impact and Result

    • Increase Project Throughput: Do more projects by ensuring the right projects and right amount of projects are approved and executed.
    • Validate Project Quality: Ensure issues are uncovered and resolved with standard check points in the project.
    • Increase Reporting and Visibility: Easily compare progress of projects across the portfolio and report outcomes to leadership.
    • Reduce Resource Waste: Terminate low-value projects early and assign the right resources to approved projects.
    • Achieve Intended Project Outcomes: Keep the sponsor engaged throughout the gating process to achieve desired outcomes.

    Drive Business Value With a Right-Sized Project Gating Process Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should design a right-sized project gating process, review Info-Tech’s methodology, and understand the four ways we can support you.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Lay the groundwork for tailored project gating

    This phase will walk you through the following activities:

  • Understand the role of gating and why we need it.
  • Determine what projects will follow the gating process and how to classify them.
  • Establish the role of the project sponsor throughout the entire project lifecycle.
    • Drive Business Value With a Right-Sized Project Gating Process – Phase 1: Lay the Groundwork for Tailored Project Gating
    • Project Intake Classification Matrix
    • Project Sponsor Role Description Template

    2. Establish level 1 project gating

    This phase will help you customize Level 1 Project Gates with appropriate roles and responsibilities.

    • Drive Business Value With a Right-Sized Project Gating Process – Phase 2: Establish Level 1 Project Gating
    • Project Gating Strategic Template

    3. Establish level 2 project gating

    This phase will help you customize Level 2 Project Gates with appropriate roles and responsibilities.

    • Drive Business Value With a Right-Sized Project Gating Process – Phase 3: Establish Level 2 Project Gating

    4. Establish level 3 project gating

    This phase will help you customize Level 3 Project Gates with appropriate roles and responsibilities. It will also help you determine next steps and milestones for the adoption of the new process.

    • Drive Business Value With a Right-Sized Project Gating Process – Phase 4: Establish Level 3 Project Gating
    • Project Gating Reference Document
    [infographic]

    Workshop: Drive Business Value With a Right-Sized Project Gating Process

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Lay the Groundwork for Tailored Project Gating

    The Purpose

    Understand the role of gating and why we need it.

    Determine what projects will follow the gating process and how to classify them.

    Establish the role of the project sponsor throughout the entire project lifecycle.

    Key Benefits Achieved

    Get stakeholder buy-in for the process.

    Ensure there is a standard leveling process to determine size, risk, and complexity of requests.

    Engage the project sponsor throughout the portfolio and project processes.

    Activities

    1.1 Project Gating Review

    1.2 Establish appropriate project levels

    1.3 Define the role of the project sponsor

    Outputs

    Project Intake Classification Matrix

    Project Sponsor Role Description Template

    2 Establish Level 1 Project Gating

    The Purpose

    This phase will help you customize Level 1 Project Gates with appropriate roles and responsibilities.

    Key Benefits Achieved

    Create a lightweight project gating process for small projects.

    Activities

    2.1 Review level 1 project gating process

    2.2 Determine what gates should be part of your custom level 1 gating process

    2.3 Establish required artifacts for each gate

    2.4 Define the stakeholder’s roles and responsibilities at each gate

    Outputs

    Documented outputs in the Project Gating Strategic Template

    3 Establish Level 2 Project Gating

    The Purpose

    This phase will help you customize Level 2 Project Gates with appropriate roles and responsibilities.

    Key Benefits Achieved

    Create a heavier project gating process for medium projects.

    Activities

    3.1 Review level 2 project gating process

    3.2 Determine what gates should be part of your custom level 2 gating process

    3.3 Establish required artifacts for each gate

    3.4 Define the stakeholder’s roles and responsibilities at each gate

    Outputs

    4 Establish Level 3 Project Gating

    The Purpose

    This phase will help you customize Level 3 Project Gates with appropriate roles and responsibilities.

    Come up with a roadmap for the adoption of the new project gating process.

    Key Benefits Achieved

    Create a comprehensive project gating process for large projects.

    Activities

    4.1 Review level 3 project gating process

    4.2 Determine what gates should be part of your custom level 3 gating process

    4.3 Establish required artifacts for each gate

    4.4 Define the stakeholder’s roles and responsibilities at each gate

    4.5 Determine next steps and milestones for process adoption

    Outputs

    Documented outputs in the Project Gating Strategic Template

    Documented Project Gating Reference Document for all stakeholders

    Don’t Allow Software Licensing to Derail Your M&A

    • Buy Link or Shortcode: {j2store}135|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management
    • Assuming that all parties are compliant in their licensing is a risky proposition. Most organizations are deficient in some manner of licensing. Know where those gaps are before finalizing M&A activity and have a plan in place to mitigate them right away.
    • Vendors will target companies that have undergone recent M&A activity with an audit. Vendors know that the many moving parts of M&A activity often result in license shortfall, and they may look to capitalize during the transition with audit revenue.
    • New organizational structure can offer new licensing opportunities. Take advantage of the increased volume discounting, negotiation leverage, and consolidation opportunities afforded by a merger or acquisition.

    Our Advice

    Critical Insight

    • To mitigate risks and create accurate cost estimates, create a contingency fund to compensate for unavailability of information.
    • Gathering and analyzing information is an iterative process that is ongoing throughout due diligence. Update your assumptions, risks, and budget as you obtain new information.
    • Communication with the M&A team and business process owners should be constant throughout due diligence. IT integration does not exist in isolation.

    Impact and Result

    • CIOs must be part of the conversation during the exploration/due diligence phase before the deal is closed to examine licensing compliance and software costs that could have a direct result on the valuation of the new organization.
    • Both organizations must conduct thorough due diligence (such as internal SAM audits), analyze the information, and define critical assumptions to create a strategy for the resultant IT enterprise.
    • The IT team is involved in integration, synergy realization, and cost considerations that the business often does not consider or take into account with respect to IT. License transfer, assignability, use, and geographic rights all come into play and can be overlooked.

    Don’t Allow Software Licensing to Derail Your M&A Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you shouldn’t allow software licensing to derail your M&A deal, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Understand the M&A process with respect to software licensing

    Grasp the key pain points of software licensing and the effects it has on an M&A. Review the benefits of early IT involvement and identify IT’s capabilities.

    • Don’t Allow Software Licensing to Derail Your M&A – Phase 1: M&A Overview
    • M&A Software Asset Maturity Assessment

    2. Perform due diligence

    Understand the various steps and process when conducting due diligence. Request information and assess risks, make assumptions, and budget costs.

    • Don’t Allow Software Licensing to Derail Your M&A – Phase 2: Due Diligence
    • License Inventory
    • IT Due Diligence Report
    • M&A Software Asset RACI Template

    3. Prepare for integration

    Take a deeper dive into the application portfolios and vendor contracts of both organizations. Review integration strategies and design the end-state of the resultant organization.

    • Don’t Allow Software Licensing to Derail Your M&A – Phase 3: Pre-Integration Planning
    • Effective Licensing Position Tool
    • IT Integration Roadmap Tool

    4. Execute on the integration plan

    Review initiatives being undertaken to ensure successful integration execution. Discuss long-term goals and how to communicate with vendors to avoid licensing audits.

    • Don’t Allow Software Licensing to Derail Your M&A – Phase 4: Integration Execution
    [infographic]

    Workshop: Don’t Allow Software Licensing to Derail Your M&A

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 M&A Overview

    The Purpose

    Identify the goals and objectives the business has for the M&A.

    Understand cultural and organizational structure challenges and red flags.

    Identify SAM/licensing challenges and red flags.

    Conduct maturity assessment.

    Clarify stakeholder responsibilities.

    Build and structure the M&A team.

    Key Benefits Achieved

    The capabilities required to successfully examine software assets and licensing during the M&A transaction.

    M&A business goals and objectives identified.

    IT M&A team selected.

    Severity of SAM challenges and red flags examined.

    Activities

    1.1 Document pain points from previous experience.

    1.2 Identify IT opportunities during M&A.

    Outputs

    M&A Software Asset Maturity Assessment

    2 Due Diligence

    The Purpose

    Take a structured due diligence approach that properly evaluates the current state of the organization.

    Review M&A license inventory and use top five vendors as example sets.

    Identify data capture and reporting methods/tools.

    Scheduling challenges.

    Scope level of effort and priority list.

    Common M&A pressures (internal/external).

    Key Benefits Achieved

    A clear understanding of the steps that are involved in the due diligence process.

    Recognition of the various areas from which information will need to be collected.

    Licensing pitfalls and compliance risks to be examined.

    Knowledge of terms and conditions that will limit ability in pre-integration planning.

    Activities

    2.1 Identify IT capabilities for an M&A.

    2.2 Create your due diligence team and assign accountability.

    2.3 Use Info-Tech’s IT Due Diligence Report Template to track key elements.

    2.4 Document assumptions to back up cost estimates and risk.

    Outputs

    M&A Software Asset RACI Template

    IT Due Diligence Report

    3 Pre-Integration Planning

    The Purpose

    Review and map legal operating entity structure for the resultant organization.

    Examine impact on licensing scenarios for top five vendors.

    Identify alternative paths and solutions.

    Complete license impact for top five vendors.

    Brainstorm action plan to mitigate negative impacts.

    Discuss and explore the scalable process for second level agreements.

    Key Benefits Achieved

    Identification of the ideal post-M&A application portfolio and licensing structures.

    Recognition of the key considerations when determining the appropriate combination of IT integration strategies.

    Design of vendor contracts for the resultant enterprise.

    Recognition of how to create an IT integration budget.

    Activities

    3.1 Work with the senior management team to review how the new organization will operate.

    3.2 Document the strategic goals and objectives of IT’s integration program.

    3.3 Interview business leaders to understand how they envision their business units.

    3.4 Perform internal SAM audit.

    3.5 Create a library of all IT processes in the target organization as well as your own.

    3.6 Examine staff using two dimensions: competency and capacity.

    3.7 Design the end-state.

    3.8 Communicate your detailed pre-integration roadmap with senior leadership and obtain sign-off.

    Outputs

    IT Integration Roadmap Tool

    Effective License Position

    4 Manage Post-M&A Activities

    The Purpose

    Finalize path forward for top five vendors based on M&A license impact.

    Disclose findings and financial impact estimate to management.

    Determine methods for second level agreements to be managed.

    Provide listing of specific recommendations for top five list.

    Key Benefits Achieved

    Initiatives generated and executed upon to achieve the technology end-state of each IT domain.

    Vendor audits avoided.

    Contracts amended and vendors spoken to.

    Communication with management on achievable synergies and quick wins.

    Activities

    4.1 Identify initiatives necessary to realize the application end-state.

    4.2 Identify initiatives necessary to realize the end-state of IT processes.

    4.3 Identify initiatives necessary to realize the end-state of IT staffing.

    4.4 Prioritize initiatives based on ease of implementation and overall business impact.

    4.5 Manage vendor relations.

    Outputs

    IT Integration Roadmap Tool

    Recruit IT Talent

    • Buy Link or Shortcode: {j2store}574|cart{/j2store}
    • member rating overall impact: 9.6/10 Overall Impact
    • member rating average dollars saved: $17,565 Average $ Saved
    • member rating average days saved: 8 Average Days Saved
    • Parent Category Name: Attract & Select
    • Parent Category Link: /attract-and-select
    • Changing workforce dynamics and increased transparency have shifted the power from employers to job seekers, stiffening the competition for talent.
    • Candidate expectations match high consumer expectations and affect the employer brand, the consumer brand, and overall organizational reputation. Delivering a positive candidate experience (CX2) is no longer optional.

    Our Advice

    Critical Insight

    • Think about your candidates as consumers. Truly understanding their needs will attract great talent and build positive brand perceptions.
    • The CX2 starts sooner than you think. It encompasses all candidate interactions with an organization and begins before the formal application process.
    • Don’t try to emulate competitors. By differentiating your CX2, you build a competitive advantage.

    Impact and Result

    • Design a candidate-centric talent acquisition process that addresses candidate feedback from both unsuccessful and successful candidates.
    • Use design-thinking principles to focus your redesign on moments that matter to candidates to reduce unnecessary work or ad-hoc initiatives that don’t matter to candidates.

    Recruit IT Talent Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should redesign your CX2, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Establish your current process and set redesign goals

    Map the organization’s current state for CX2 and set high-level objectives and metrics.

    • Win the War for Talent With a Killer Candidate Experience – Phase 1: Establish Your Current Process and Set Redesign Goals
    • Candidate Experience Project Charter
    • Talent Metrics Library
    • Candidate Experience Process Mapping Template
    • Candidate Experience Assessment Tool

    2. Use design thinking to assess the candidate experience

    Strengthen the candidate lifecycle by improving upon pain points through design thinking methods and assessing the competitive landscape.

    • Win the War for Talent With a Killer Candidate Experience – Phase 2: Use Design Thinking to Assess the Candidate Experience
    • Design Thinking Primer
    • Empathy Map Template
    • Journey Map Guide

    3. Redesign the candidate experience

    Create action, communications, and training plans to establish the redesigned CX2 with hiring process stakeholders.

    • Win the War for Talent With a Killer Candidate Experience – Phase 3: Redesign the Candidate Experience
    • Candidate Experience Best Practices Action Guide
    • Candidate Experience Action and Communication Plan
    • Candidate Experience Service Level Agreement Template

    4. Appendix

    Leverage data collection and workshop activities.

    • Win the War for Talent With a Killer Candidate Experience – Appendix: Data Collection and Workshop Activities
    • Candidate Experience Phase One Data Collection Guide
    [infographic]

    Workshop: Recruit IT Talent

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Establish Your Current Process and Set Redesign Goals

    The Purpose

    Assess the organization’s current state for CX2.

    Set baseline metrics for comparison with new initiatives.

    Establish goals to strengthen the CX2.

    Key Benefits Achieved

    Gained understanding of where the organization is currently.

    Established where the organization would like to be and goals to achieve the new state.

    Activities

    1.1 Review process map of current candidate lifecycle.

    1.2 Analyze qualitative and quantitative data gathered.

    1.3 Set organizational objectives and project goals.

    1.4 Set metrics to measure progress on high-level goals.

    Outputs

    Process map

    CX2 data analyzed

    Candidate Experience Project Charter

    2 Use Design Thinking to Assess the Candidate Experience

    The Purpose

    Apply design thinking methods to identify pain points in your candidate lifecycle.

    Assess the competition and analyze results.

    Empathize with candidates and their journey.

    Key Benefits Achieved

    Segments with pain points have been identified.

    Competitor offering and differentiation has been analyzed.

    Candidate thoughts and feelings have been synthesized.

    Activities

    2.1 Identify extreme users.

    2.2 Conduct an immersive empathy session or go through the process as if you were a target candidate.

    2.3 Identify talent competitors.

    2.4 Analyze competitive landscape.

    2.5 Synthesize research findings and create empathy map.

    2.6 Journey map the CX2.

    Outputs

    Extreme users identified

    Known and unknown talent competitor’s CX2 analyzed

    Empathy map created

    Journey map created

    3 Redesign the Candidate Experience

    The Purpose

    Create a communications and action plan and set metrics to measure success.

    Set expectations with hiring managers and talent acquisition specialists through a service level agreement.

    Key Benefits Achieved

    Action plan created.

    Metrics set to track progress and assess improvement.

    Service level agreement completed and expectations collaboratively set.

    Activities

    3.1 Assess each stage of the lifecycle.

    3.2 Set success metrics for priority lifecycle stages.

    3.3 Select actions from the Candidate Experience Best Practices Action Guide.

    3.4 Brainstorm other potential (organization-specific) solutions.

    3.5 Set action timeline and assign accountabilities.

    3.6 Customize service level agreement guidelines.

    Outputs

    CX2 lifecycle stages prioritized

    Metrics to measure progress set

    CX2 best practices selected

    Candidate Experience Assessment Tool

    Candidate Experience Action and Communication Plan

    Service level agreement guidelines.

    Grow Your Own PPM Solution

    • Buy Link or Shortcode: {j2store}436|cart{/j2store}
    • member rating overall impact: 9.6/10 Overall Impact
    • member rating average dollars saved: $47,944 Average $ Saved
    • member rating average days saved: 29 Average Days Saved
    • Parent Category Name: Portfolio Management
    • Parent Category Link: /portfolio-management
    • As portfolio manager, you’re responsible for supporting the intake of new project requests, providing visibility into the portfolio of in-flight projects, and helping to facilitate the right approval and prioritization decisions.
    • You need a project portfolio management (PPM) tool that promotes the maintenance and flow of good data to help you succeed in these tasks. However, while throwing expensive technology at bad process rarely works, many organizations take this approach to solve their PPM problems.
    • Commercial PPM solutions are powerful and compelling, but they are also expensive, complex, and hard to use. When a solution is not properly adopted, the data can be unreliable and inconsistent, defeating the point of purchasing a tool in the first place.

    Our Advice

    Critical Insight

    • Your choice of PPM solution must be in tune with your organizational PPM maturity to ensure that you are prepared to sustain the tool use without having the corresponding PPM processes collapse under its own weight.
    • A spreadsheet-based homegrown PPM solution can provide key capabilities of an optimized PPM solution with a high level of sophistication and complexity without the prohibitive capital and labor costs demanded by commercial PPM solution.
    • Focus on your PPM decision makers that will consume the reports and insights by investigating their specific reporting needs.

    Impact and Result

    • Think outside the commercial box. Develop an affordable, adoptable, and effective PPM solution using widely available tools based on Info-Tech’s ready-to-deploy templates.
    • Make your solution sustainable. When it comes to portfolio management, high level is better. A tool that is accurate and maintainable will provide more value than one that strives for precise data yet is ultimately unmaintainable.
    • Report success. A PPM tool needs to foster portfolio visibility in order to engage and inform the executive layer and support effective decision making.

    Grow Your Own PPM Solution Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should grow your own PPM solution, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Right-size your PPM solution

    Scope an affordable, adoptable, and effective PPM solution with Info-Tech's Portfolio Manager 2017 workbook.

    • Grow Your Own PPM Solution – Phase 1: Right-Size Your PPM Solution
    • Portfolio Manager 2017 Cost-in-Use Estimation Tool
    • None

    2. Get to know Portfolio Manager 2017

    Learn how to use Info-Tech's Portfolio Manager 2017 workbook and create powerful reports.

    • Grow Your Own PPM Solution – Phase 2: Meet Portfolio Manager 2017
    • Portfolio Manager 2017
    • Portfolio Manager 2017 (with Actuals)
    • None
    • None
    • None

    3. Implement your homegrown PPM solution

    Plan and implement an affordable, adoptable, and effective PPM solution with Info-Tech's Portfolio Manager 2017 workbook.

    • Grow Your Own PPM Solution – Phase 3: Implement Your PPM Solution
    • Portfolio Manager 2017 Operating Manual
    • Stakeholder Engagement Workbook
    • Portfolio Manager Debut Presentation for Portfolio Owners
    • Portfolio Manager Debut Presentation for Data Suppliers

    4. Outgrow your own PPM solution

    Develop an exit strategy from your home-grown solution to a commercial PPM toolset. In this video, we show a rapid transition from the Excel dataset shown on this page to a commercial solution from Meisterplan. Christoph Hirnle of Meisterplan is interviewed starting at 9 minutes.

    • None
    [infographic]

    Workshop: Grow Your Own PPM Solution

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Scope a Homegrown PPM Solution for Your Organization

    The Purpose

    Assess the current state of project portfolio management capability at your organization. The activities in this module will inform the next modules by exploring your organization’s current strengths and weaknesses and identifying areas that require improvement.

    Set up the workbook to generate a fully functional project portfolio workbook that will give you a high-level view into your portfolio.

    Key Benefits Achieved

    A high-level review of your current project portfolio capability is used to decide whether a homegrown PPM solution is an appropriate choice

    Cost-benefit analysis is done to build a business case for supporting this choice

    Activities

    1.1 Review existing PPM strategy and processes.

    1.2 Perform a cost-benefit analysis.

    Outputs

    Confirmation of homegrown PPM solution as the right choice

    Expected benefits for the PPM solution

    2 Get to Know Portfolio Manager 2017

    The Purpose

    Define a list of requirements for your PPM solution that meets the needs of all stakeholders.

    Key Benefits Achieved

    A fully customized PPM solution in your chosen platform

    Activities

    2.1 Introduction to Info-Tech's Portfolio Manager 2017: inputs, outputs, and the data model.

    2.2 Gather requirements for enhancements and customizations.

    Outputs

    Trained project/resource managers on the homegrown solution

    A wish list of enhancements and customizations

    3 Implement Your Homegrown PPM Solution

    The Purpose

    Determine an action plan regarding next steps for implementation.

    Implement your homegrown PPM solution. The activities outlined in this step will help to promote adoption of the tool throughout your organization.

    Key Benefits Achieved

    A set of processes to integrate the new homegrown PPM solution into existing PPM activities

    Plans for piloting the new processes, process improvement, and stakeholder communication

    Activities

    3.1 Plan to integrate your new solution into your PPM processes.

    3.2 Plan to pilot the new processes.

    3.3 Manage stakeholder communications.

    Outputs

    Portfolio Manager 2017 operating manual, which documents how Portfolio Manager 2017 is used to augment the PPM processes

    Plan for a pilot run and post-pilot evaluation for a wider rollout

    Communication plan for impacted PPM stakeholders

    Make the Case for Enterprise Business Analysis

    • Buy Link or Shortcode: {j2store}509|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Requirements & Design
    • Parent Category Link: /requirements-and-design
    • It can be difficult to secure alignment between the many lines of business, IT included, in your organization.
    • Historically, we have drawn a dividing line between IT and "the business.”
    • The reality of organizational politics and stakeholder bias means that, with selection and prioritization, sometimes the highest value option is dismissed to make way for the loudest voice’s option.

    Our Advice

    Critical Insight

    • Enterprise business analysis can help you stop the debate between IT and “the business,” as it sees everyone as part of the business. It can effectively break down silos, support the development of holistic strategies to address internal and external risks, and remove the bias and politics in decision making all too common in organizations.
    • The business analyst is the only role that can connect the strategic with the tactical, the systems, and the operations and do so objectively. It is the one source to show how people, process, and technology connect and relate, and the most skilled can remove bias and politics from their lens of view.
    • Maturity can’t be rushed. Build your enterprise business analysis program on a solid foundation of leading and consistent business analysis practices to secure buy-in and have a program that is sustainable in the long term.

    Impact and Result

    Let’s make the case for enterprise business analysis!

    • Organizations that have higher business analysis maturity and deploy enterprise analysis deliver better quality outcomes, with higher value, lower cost, and higher user satisfaction.
    • Business analysts should be contributing at the strategic level, as they need to understand multiple horizons simultaneously and be able to zoom in and out as the context calls for it. Business analysts aren’t only for projects.

    Make the Case for Enterprise Business Analysis Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Make the Case for Enterprise Business Analysis Storyboard – Take your business analysis from tactics to strategy.

    • Make the Case for Enterprise Business Analysis Storyboard

    2. Communicate the Case for Enterprise Business Analysis Template – Make the case for enterprise business analysis.

    • Communicate the Case for Enterprise Business Analysis
    [infographic]

    Further reading

    Make the Case for Enterprise Business Analysis

    Putting the strategic and tactical puzzle together.

    Analyst Perspective

    We commonly recognize the value of effective business analysis at a project or tactical level. A good business analysis professional can support the business by identifying its needs and recommending solutions to address them.
    Now, wouldn't it be great if we could do the same thing at a higher level?
    Enterprise (or strategic) business analysis is all about seeing that bigger picture, an approach that makes any business analysis professional a highly valuable contributor to their organization. It focuses on the enterprise, not a specific project or line of business.
    Leading the business analysis effort at an enterprise level ensures that your business is not only doing things right, but also doing the right things; aligned with the strategic vision of your organization to improve the way decisions are made, options are analyzed, and successful results are realized.

    Vincent Mirabelli

    Vincent Mirabelli
    Principal Research Director, Applications Delivery and Management
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • Difficulty properly aligning between the many lines of business in your organization.
    • Historically, we have drawn a dividing line between IT and the business.
    • The reality of organizational politics and stakeholder bias means that, with selection and prioritization, sometimes the highest value option is dismissed in favor of the loudest voice.

    Common Obstacles

    • Difficulty aligning an ever-changing backlog of projects, products, and services while simultaneously managing risks, external threats, and stakeholder expectations.
    • Many organizations have never heard of enterprise business analysis and only see the importance of business analysts at the project and delivery level.
    • Business analysis professionals rarely do enough to advocate for a seat at the strategic tables in their organizations.

    Info-Tech's Approach

    Let's make the case for enterprise business analysis!

    • Organizations that have higher business analysis maturity and deploy enterprise business analysis deliver better quality outcomes with higher value, lower cost, and higher user satisfaction.
    • Business analysts aren't only for projects. They should contribute at the strategic level, since they need to understand multiple horizons simultaneously and be able to zoom in and out as the context requires.

    Info-Tech Insight

    Enterprise business analysis can help you reframe the debate between IT and the business, since it sees everyone as part of the business. It can effectively break down silos, support the development of holistic strategies to address internal and external risks, and remove bias and politics from decision making.

    Phase 1

    Build the case for enterprise business analysis

    Phase 1

    Phase 2

    1.1 Define enterprise business analysis

    1.2 Identify your pains and opportunities

    2.1 Set your vision

    2.2 Define your roadmap and next steps

    2.3 Complete your executive communications deck

    This phase will walk you through the following activities:

    • 1.1.1 Discuss how business analysis is used in our organization
    • 1.1.2 Discuss your disconnects between strategy and tactics
    • 1.2.1 Identify your pains and opportunities

    This phase involves the following participants:

    • Business analyst(s)
    • Organizational business leaders
    • Any other relevant stakeholders

    How business analysis supports our success today

    Delivering value at the tactical level

    Effective business analysis helps guide an organization through improvements to processes, products, and services. Business analysts "straddle the line between IT and the business to help bridge the gap and improve efficiency" in an organization (CIO, 2019).
    They are most heavily involved in:

    • Defining needs
    • Modeling concepts, processes, and solutions
    • Conducting analysis
    • Maintaining and managing requirements
    • Managing stakeholders
    • Monitoring progress
    • Doing business analysis planning
    • Conducting elicitation

    In a survey, business analysts indicated that of their total working time, they spend 31% performing business analysis planning and 41% performing elicitation and analysis (PMI, 2017).

    By including a business analyst in a project, organizations benefit by:
    (IAG, 2009)

    87%

    Reduced time overspending

    75%

    Prevented budget overspending

    78%

    Reduction in missed functionality

    1.1.1 Discuss how business analysis is used in your organization

    15-30 minutes

    1. Gather the appropriate stakeholders to discuss their knowledge, experience, and perspectives on business analysis. This should relate to their experience and not a future or aspirational usage.
    2. Have a team member facilitate the session.
    3. Brainstorm and document all shared thoughts and perspectives.
    4. Synthesize those thoughts and perspectives and record the results for the group to review and discuss.
    5. Transfer the results to the Communicate the Case for Enterprise Business Analysis template

    Input

    • Stakeholder knowledge and experience

    Output

    • A shared understanding of how your organization leverages its business analysis function

    Materials

    • Whiteboard/Flip charts
    • Collaborative whiteboard
    • Communicate the Case for Enterprise Business Analysis template

    Participants

    • Business analyst(s)
    • Organizational business leaders
    • Any other relevant stakeholders

    Download the Communicate the Case for Enterprise Business Analysis template

    Executives and leadership are satisfied with IT when there is alignment between tactics and goals

    Info-Tech's CIO Business Vision Survey data highlights the importance of IT projects in supporting the business to achieve its strategic goals.

    However, Info-Tech's CEO-CIO Alignment Survey (N=124) data indicates that CEOs perceive IT as poorly aligned with the business' strategic goals.

    Info-Tech's CIO-CEO Alignment Diagnostics

    43%

    of CEOs believe that business goals are going unsupported by IT.

    60%

    of CEOs believe that IT must improve understanding of business goals.

    80%

    of CIOs/CEOs are misaligned on the target role of IT.

    30%

    of business stakeholders support their IT departments.

    Addressing problems solely with tactics does not always have the desired effect

    94%

    Source: "Out of the Crisis", Deming (via Harvard Business Review)

    According to famed management and quality thought leader and pioneer W. Edwards Deming, 94% of issues in the workplace are systemic cause significant organizational pain.

    Yet we continue to address them on the surface, rather than acknowledge how ingrained they are in our culture, systems, and processes.

    For example, we:

    • Create workarounds to address process and solution constraints
    • Expect that poor (or lack of ) leadership can be addressed in a course or seminar
    • Expect that "going Agile" will resolve our problems, and that decision making, governance, and organizational alignment will happen organically.

    Band-aid solutions rarely have the desired effect, particularly in the long-term.

    Our solutions should likewise focus on the systemic/macro environment. We can do this via projects, products and services, but those don't always address the larger issues.

    If we take the work our business analysis currently does in defining needs and solutions, and elevate this to the strategic level, the results can be impactful.

    Many organizations would benefit from enhancing their business analysis maturity

    The often-overlooked strategic value of the role comes with maturing your practices.

    Only 18% of organizations have mature (optimized or established) business analysis practices.

    With that higher level of maturity comes increased levels of capability, efficiency, and effectiveness in delivering value to people, processes, and technology. Through such efforts, they're better equipped and able to connect the strategy of their organization to the projects, processes, and products they deliver.

    They shift focus from "figuring business analysis out" to truly unleashing its potential, with business analysts contributing in strategic and tactical ways.

    an image showing the following data: Optimized- 5; Established- 13; Improving- 37; Starting- 25; Ad hoc- 21

    (Adapted from PMI, 2017)

    Info-Tech Insight

    Business analysts are best suited to connect the strategic with the tactical, the systems, and the operations. They maintain the most objective lens regarding how people, process, and technology connect and relate, and the most skilled of them can remove bias and politics from their perspective.

    1.1.2 Discuss your disconnects between strategy and tactics

    30-60 minutes

      1. Gather the appropriate stakeholders to discuss their knowledge, experience, and perspectives regarding failures that resulted from disconnects between strategy and tactics.
      2. Have a team member facilitate the session.
      3. Brainstorm and document all shared thoughts and perspectives.
      4. Synthesize those thoughts and perspectives and record the results.
      5. Transfer the results to the Communicate the Case for Enterprise Business Analysis template.

    Input

    • Stakeholder knowledge and experience

    Output

    • A shared understanding and list of failures due to disconnects between strategy and tactics

    Materials

    • Whiteboard/Flip charts
    • Collaborative whiteboard
    • Communicate the Case for Enterprise Business Analysis template

    Participants

    • Business analyst(s)
    • Organizational business leaders
    • Any other relevant stakeholders

    Download the Communicate the Case for Enterprise Business Analysis template

    Defining enterprise business analysis

    Terms may change, but the function remains the same.

    Enterprise business analysis (sometimes referred to as strategy analysis) "…focuses on defining the future and transition states needed to address the business need, and the work required is defined both by that need and the scope of the solution space. It covers strategic thinking in business analysis, as well as the discovery or imagining of possible solutions that will enable the enterprise to create greater value for stakeholders and/or capture more value for itself."
    (Source: "Business Analysis Body of Knowledge," v3)

    Define the function of enterprise business analysis

    This is a competitive advantage for mature organizations.

    Organizations with high-performing business analysis programs experience an enhanced alignment between strategy and operations. This contributes to improved organizational performance. We see this in financial (69% vs. 45%) and strategic performance (66% vs. 21%), also organizational agility (40% vs. 14%) and management of operational projects (62% vs. 29%). (PMI, 2017)

    When comparing enterprise with traditional business analysis, we see stark differences in the size and scope of their view, where they operate, and the role they play in organizational decision making.

    Enterprise Traditional
    Decision making Guides and influences Executes
    Time horizon 2-10 years 0-2 years
    Focus Strategy, connecting the strategic to the operational Operational, optimizing how business is done, and keeping the lights on
    Domain

    Whole organization

    Broader marketplace

    Only stakeholder lines of business relevant to the current project, product or service
    Organizational Level Executive/Leadership Project

    (Adapted from Schulich School of Business)

    Info-Tech Insight

    Maturity can't be rushed. Build your enterprise business analysis program on a solid foundation of leading and consistent business analysis practices to secure buy-in and have a program that is sustainable in the long term.

    An image showing the percentages of high- and low- maturity organizations, for the following categories: Financial performance; Strategy implementation; Organizational agility; Management of projects.

    (Adapted from PMI, 2017)

    How enterprise business analysis is used to improve organizations

    The biggest sources of project failure include:

    • Wrong (or poor) requirements
    • Unrealistic (or incomplete) business case
    • Lack of appropriate governance and oversight
    • Poor implementation
    • Poor benefits management
    • Environmental changes

    Source: MindTools.com, 2023.

    Enterprise business analysis addresses these sources and more.

    It brings a holistic view of the organization, improving collaboration and decision making across the many lines of business, effectively breaking down silos.

    In addition to ensuring we're doing the right things, not just doing things right in the form of improved requirements and more accurate business cases, or ensuring return on investment (ROI) and monitoring the broader landscape, enterprise business analysis also supports:

    • Reduced rework and waste
    • Understanding and improving operations
    • Making well-informed decisions through improved objectivity/reduced bias
    • Identifying new opportunities for growth and expansion
    • Identifying and mitigating risk
    • Eliminating projects and initiatives that do not support organizational goals or objectives
    • A career-pathing option for business analysts

    Identify your pains and opportunities

    There are many considerations in enterprise business analysis.

    Pains, gains, threats, and opportunities can come at your organization from anywhere. Be it a new product launch, an international expansion, or a new competitor, it can be challenging to keep up.

    This is where an enterprise business analyst can be the most helpful.

    By keeping a pulse on the external and internal environments, they can support growth, manage risks, and view your organization through multiple lenses and perspectives to get a single, complete picture.

    External

    Internal

    Identifying competitive forces

    In the global environment

    Organizational strengths and weaknesses

    • Monitoring and maintaining your competitive advantage.
    • Understanding trends, risks and threats in your business domain, and how they affect your organization.
    • Benchmarking performance against like and unlike organizations, to realize where you stand and set a baseline for continuous improvement and business development.
    • Leveraging tools and techniques to scan the broader landscape on an ongoing basis. Using PESTLE analysis, they can monitor the political, economic, social, technological, legal, and environmental factors that impact when, where, how, and with who you conduct your business and IT operations.
    • Supporting alignment between a portfolio or program of projects and initiatives.
    • Improving alignment between the various lines of business, who often lack full visibility outside of their silo, and can find themselves clashing over time, resources, and attention from leaders.
    • Improving solutions and outcomes through objective option selection.

    1.2.1 Identify your pains and opportunities

    30-60 minutes

    1. As a group, generate a list of the current pains and opportunities facing your organization. You can focus on a particular type (competitive, market, or internal) or leave it open. You can also focus on pains or opportunities separately, or simultaneously.
    2. Have a team member facilitate the session.
    3. Record the results for the group to review, discuss, and prioritize.
      1. Discuss the impact and likelihood of each item. This can be formally ranked and quantified if there is data to support the item or leveraging the wisdom of the group.
      2. Prioritize the top three to five items of each type, as agreed by the group, and document the results.
    4. Transfer the results to the Communicate the Case for Enterprise Business Analysis template.

    Download the Communicate the Case for Enterprise Business Analysis template

    Input

    • Attendee knowledge
    • Supporting data, if available

    Output

    • A list of identified organizational pains and opportunities that has been prioritized by the group

    Materials

    • Whiteboard/Flip charts
    • Collaborative whiteboard
    • Communicate the Case for Enterprise Business Analysis template

    Participants

    • Business analyst(s)
    • Organizational business leaders
    • Any other relevant stakeholders

    Phase 2

    Prepare the foundations for your enterprise business analysis program

    Phase 1

    Phase 2

    1.1 Define enterprise business analysis

    1.2 Identify your pains and opportunities

    2.1 Set your vision

    2.2 Define your roadmap and next steps

    2.3 Complete your executive communications deck

    This phase will walk you through the following activities:

    • 2.1.1 Define your vision and goals
    • 2.1.2 Identify your enterprise business analysis inventory
    • 2.2.1 Now, Next, Later

    This phase involves the following participants:

    • Business analyst(s)
    • Organizational business leaders
    • Any other relevant stakeholders

    Set your vision

    Your vision becomes your "north star," guiding your journey and decisions.

    When thinking about a vision statement for enterprise business analysis, think about:

    • Who are we doing this for? Who will benefit?
    • What do our business partners need? What do our customers need?
    • What value do we provide them? How can we best support them?
    • Why is this special/different from how we usually do business?

    Always remember: Your goal is not your vision!

    Not knowing the difference will prevent you from both dreaming big and achieving your dream.

    Your vision represents where you want to go. It's what you want to do.

    Your goals represent how you want to achieve your vision.

    • They are a key element of operationalizing your vision.
    • Your strategy, initiatives, and features will align with one or more goals.

    Info-Tech Best Practice

    Your vision shouldn't be so far out that it doesn't feel real, nor so short term that it gets bogged down in details. Finding balance will take some trial and error and will be different depending on your organization.

    2.1.1 Define your vision and goals

    1-2 hours

    1. Gather the appropriate stakeholders to discuss their vision for enterprise business analysis. It should address the questions used in framing your vision statement.
    2. Have a team member facilitate the session.
    3. Review your current organizational vision and goals.
    4. Discuss and document all shared thoughts and perspectives on how enterprise business analysis can align with the organizational vision.
    5. Synthesize those thoughts and perspectives to create a vision statement.
    6. Transfer the results to the Communicate the Case for Enterprise Business Analysis template.

    Download the Communicate the Case for Enterprise Business Analysis template

    Input

    • Stakeholder vision, knowledge, and experience
    • Current organizational vision and goals

    Output

    • A documented vision and goals for your enterprise business analysis program

    Materials

    • Whiteboard/Flip charts
    • Collaborative whiteboard
    • Communicate the Case for Enterprise Business Analysis template

    Participants

    • Business analyst(s)
    • Organizational business leaders
    • Any other relevant stakeholders

    Components of successful enterprise business analysis programs

    Ensure you're off to the best start by examining where you are and where you want to go.

    Training

    • Do the current team members have the right level of training?
    • Can we easily obtain training to close any gaps?

    Competencies and capabilities

    • Do our business analysts have the right skills, attributes, and behaviors to be successful?

    Structure and alignment

    • Would the organizational culture support enterprise business analysis (EBA)?
    • How might we structure the EBA unit to maximize effectiveness?
    • How can we best support the organization's goals and objectives?

    Methods and processes

    • How do we plan on managing the work to be done?
    • Can we define our processes and workflows?

    Tools, techniques, and templates

    • Do we have the most effective tools, techniques, and templates?

    Governance

    • How will we make decisions?
    • How will the program be managed?

    2.1.2 Identify your enterprise business analysis inventory

    30-60 minutes

    1. Gather the appropriate stakeholders to discuss the current business analysis assets, which could be leveraged for enterprise business analysis. This includes people, processes, and technologies which cover skills, knowledge, resources, experience, knowledge, and competencies. Focus on what the organization currently has, and not what it needs.
    2. Have a team member facilitate the session.
    3. Record the results for the group to review and discuss.
    4. Transfer the results to the Communicate the Case for Enterprise Business Analysis template.

    Download the Communicate the Case for Enterprise Business Analysis template

    Input

    • Your current business analysis assets and resources Stakeholder knowledge and experience

    Output

    • A list of assets and resources to enable enterprise business analysis

    Materials

    • Whiteboard/Flip charts
    • Collaborative whiteboard
    • Communicate the Case for Enterprise Business Analysis template

    Participants

    • Business analyst(s)
    • Organizational business leaders
    • Any other relevant stakeholders

    Define your roadmap and next steps

    What do we have? What do we need?

    From completing the enterprise business analysis inventory, you will have a comprehensive list of all available assets.

    The next question is, how can this be leveraged to start building for the future?

    To operationalize enterprise business analysis, consider:

    • What do we still need to do?
    • How important are the identified gaps? Can we still operate?
    • What decisions do we need to make?
    • What stakeholders do we need to involve? Have we engaged them all?

    Lay out your roadmap

    Taking steps to mature your enterprise business analysis practice.

    The Now, Next, Later technique is a method for prioritizing and planning improvements or tasks. This involves breaking down a list of tasks or improvements into three categories:

    • Now tasks are those that must be completed immediately. These tasks are usually urgent or critical, and they must be completed to keep the project or organization running smoothly.
    • Next tasks are those that should be completed soon. These tasks are not as critical as Now tasks, but they are still important and should be tackled relatively soon.
    • Later tasks are those that can be completed later. These tasks are less critical and can be deferred without causing major problems.

    By using this technique, you can prioritize and plan the most important tasks, while allowing the flexibility to adjust as necessary.

    This technique also helps clarify what must be done first vs. what can wait. This prioritizes the most important things while keeping track of what must be done next, maintaining a smooth development/improvement process.

    An image of the now - next - later roadmap technique.

    2.2.1 Now, Next, Later

    1-2 hours

    1. Use the list of items created in 2.1.2 (Identify your enterprise business analysis inventory). Add any you feel are missing during this exercise.
    2. Have a team member facilitate the session.
    3. In the Communicate the Case for Enterprise Business Analysis template, categorize these items according to Now, Next and Later, where:
      1. Now = Critically important items that may require little effort to complete. These must be done within the next six months.
      2. Next = Important items that may require more effort or depend on other factors. These must be done in six to twelve months.
      3. Later = Less important items that may require significant effort to complete. These must be done at some point within twelve months.

    Ultimately, the choice of priority and timing is yours. Recognize that items may change categories as new information arises.

    Download the Communicate the Case for Enterprise Business Analysis template

    Input

    • Your enterprise business analysis inventory and gaps
    • Stakeholder knowledge and experience

    Output

    • A prioritized list of items to enable enterprise business analysis

    Materials

    • Whiteboard/Flip charts
    • Collaborative whiteboard
    • Communicate the Case for Enterprise Business Analysis template

    Participants

    • Business analyst(s)
    • Organizational business leaders
    • Any other relevant stakeholders

    2.3 Complete your executive communication deck

    Use the results of your completed exercises to build your executive communication slide deck, to make the case for enterprise business analysis

    Slide Header Associated Exercise Rationale
    Pains and opportunities

    1.1.2 Discuss your disconnects between strategy and tactics

    1.2.1 Identify your pains and opportunities

    This helps build the case for enterprise business analysis (EBA), leveraging the existing pains felt in the organization. This will draw the connection for your stakeholders.
    Our vision and goals 2.1.1 Define your vision and goals Defines where you want to go and what effort will be required.
    What is enterprise business analysis

    1.1.1 How is BA being used in our organization today?
    Pre-populated supporting content

    Defines the discipline of EBA and how it can support and mature your organization.
    Expected benefits Pre-populated supporting content What's in it for us? This section helps answer that question. What benefits can we expect, and is this worth the investment of time and effort?
    Making this a reality 2.1.2 Identify your EBA inventory Identifies what the organization presently has that makes the effort easier. It doesn't feel as daunting if there are existing people, processes, and technologies in place and in use today.
    Next steps 2.2.1 Now, Next, Later A prioritized list of action items. This will demonstrate the work involved, but broken down over time, into smaller, more manageable pieces.

    Track metrics

    Track metrics throughout the project to keep stakeholders informed.

    As the project nears completion:

    1. You will have better-aligned and more satisfied stakeholders.
    2. You will see fewer projects and initiatives that don't align with the organizational goals and objectives.
    3. There will be a reduction in costs attributed to misaligned projects and initiatives (as mentioned in #2) and the opportunity to allocate valuable time and resources to other, higher-value work.
    Metric Description Target Improvement/Reduction
    Improved stakeholder satisfaction Lines of business and previously siloed departments/divisions will be more satisfied with time spent on solution involvement and outcomes. 10% year 1, 20% year 2
    Reduction in misaligned/non-priority project work Reduction in projects, products, and services with no clear alignment to organizational goals. With that, resource costs can be allocated to other, higher-value solutions. 10% year 1, 25% year 2
    Improved delivery agility/lead time With improved alignment comes reduced conflict and political infighting. As a result, the velocity of solution delivery will increase. 10%

    Bibliography

    Bossert, Oliver and Björn Münstermann. "Business's 'It's not my problem' IT problem." McKinsey Digital. 30 March, 2023.
    Brule, Glenn R. "The Lay of the Land: Enterprise Analysis." Modern Analyst.
    "Business Analysis: Leading Organizations to Better Outcomes." Project Management Institute (PMI), 2017
    Corporate Finance Institute. "Strategic Analysis." Updated 14 March 2023
    IAG Consulting. Business Analysis Benchmark Report, 2009.
    International Institute of Business Analysis. "A Guide to the Business Analysis Body of Knowledge" (BABOK Guide) version 3.
    Mirabelli, Vincent. "Business Analysis Foundations: Enterprise" LinkedIn Learning, February 2022.
    - - "Essential Techniques in Enterprise Analysis" LinkedIn Learning, September 2022.
    - - "The Essentials of Enterprise Analysis" Love the Process Academy. May 2020.
    - - "The Value of Enterprise Analysis." VincentMirabelli.com
    Praslova, Ludmila N. "Today's Most Critical Workplace Challenges Are About Systems." Harvard Business Review. 10 January 2023.
    Pratt, Mary K. and Sarah K. White. "What is a business analyst? A key role for business-IT efficiency." CIO. 17 April, 2019.
    Project Management Institute. "Business Analysis: Leading Organizations to Better Outcomes." October 2017.
    Sali, Sema. "The Importance of Strategic Business Analysis in Successful Project Outcomes." International Institute of Business Analysis. 26 May 2022.
    - - "What Does Enterprise Analysis Look Like? Objectives and Key Results." International Institute of Business Analysis. 02 June 2022.
    Shaker, Kareem. "Why do projects really fail?" Project Management Institute, PM Network. July 2010.
    "Strategic Analysis: Definition, Types and Benefits" Voxco. 25 February 2022.
    "The Difference Between Enterprise Analysis and Business Analysis." Schulich School of Business, Executive Education Center. 24 September 2018 (Updated June 2022)
    "Why Do Projects Fail: Learning How to Avoid Project Failure." MindTools.com. Accessed 24 April 2023.

    Embed Security Into the DevOps Pipeline

    • Buy Link or Shortcode: {j2store}265|cart{/j2store}
    • member rating overall impact: 9.3/10 Overall Impact
    • member rating average dollars saved: $31,515 Average $ Saved
    • member rating average days saved: 26 Average Days Saved
    • Parent Category Name: Secure Cloud & Network Architecture
    • Parent Category Link: /secure-cloud-network-architecture
    • Your organization is starting its DevOps journey and is looking to you for guidance on how to ensure that the outcomes are secure.
    • Or, your organization may have already embraced DevOps but left the security team behind. Now you need to play catch-up.

    Our Advice

    Critical Insight

    • Shift security left. Identify opportunities to embed security earlier in the development pipeline.
    • Start with minimum viable security. Use agile methodologies to further your goals of secure DevOps.
    • Treat “No” as a finite resource. The role of security must transition from that of naysayer to a partner in finding the way to “Yes.”

    Impact and Result

    • Leverage the CLAIM (Culture, Learning, Automation, Integration, Measurement) Framework to identify opportunities to close the gaps.
    • Collaborate to find new ways to shift security left so that it becomes part of development rather than an afterthought.
    • Start with creating minimum viable security by developing a DevSecOps implementation strategy that focuses initially on quick wins.

    Embed Security Into the DevOps Pipeline Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should secure the DevOps pipeline, review Info-Tech’s methodology, and understand the ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Identify opportunities

    Brainstorm opportunities to secure the DevOps pipeline using the CLAIM Framework.

    • Embed Security Into the DevOps Pipeline – Phase 1: Identify Opportunities

    2. Develop strategy

    Assess opportunities and formulate a strategy based on a cost/benefit analysis.

    • Embed Security Into the DevOps Pipeline – Phase 2: Develop Strategy
    • DevSecOps Implementation Strategy Template
    [infographic]

    The Complete Manual for Layoffs

    • Buy Link or Shortcode: {j2store}514|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: $30,999 Average $ Saved
    • member rating average days saved: 20 Average Days Saved
    • Parent Category Name: Lead
    • Parent Category Link: /lead

    When the economy is negatively influenced by factors beyond any organization’s control, the impact can be felt almost immediately on the bottom line. This decline in revenue as a result of a weakening economy will force organizations to reconsider every dollar they spend.

    Our Advice

    Critical Insight

    • The remote work environment many organizations find themselves in adds a layer of complexity to the already sensitive process of laying off employees.
    • Carrying out layoffs must be done while keeping personal contact as your first priority. That personal contact should be the basis for all subsequent communication with laid-off and remaining staff, even after layoffs have occurred.

    Impact and Result

    By following our process, we can provide your organization with the direction, tools, and best practices to lay off employees. This will need to be done with careful consideration into your organization’s short- and longer-term strategic goals.

    The Complete Manual for Layoffs Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Prepare for layoffs

    Understand the most effective cost-cutting solutions and set layoff policies and guidelines.

    • The Complete Manual for Layoffs Storyboard
    • Layoffs SWOT Analysis Template
    • Redeployment and Layoff Strategy Workbook
    • Sample Layoffs Policy
    • Cost-Cutting Planning Tool
    • Termination Costing Tool

    2. Objectively identify employees

    Develop an objective layoff selection method and plan for the transfer of essential responsibilities.

    • Workforce Planning Tool
    • Employee Layoff Selection Tool

    3. Prepare to meet with employees

    Plan logistics, training, and a post-layoff plan communication.

    • Termination Logistics Tool
    • IT Knowledge Transfer Risk Assessment Tool
    • IT Knowledge Transfer Plan Template
    • IT Knowledge Identification Interview Guide Template
    • Knowledge Transfer Job Aid
    • Layoffs Communication Package

    4. Meet with employees

    Collaborate with necessary departments and deliver layoffs notices.

    • Employee Departure Checklist Tool

    5. Monitor and manage departmental effectiveness

    Plan communications for affected employee groups and monitor organizational performance.

    • Ten Ways to Connect With Your Employees
    • Creating Connections
    [infographic]

    Explore the Secrets of SAP Digital Access Licensing

    • Buy Link or Shortcode: {j2store}143|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Licensing
    • Parent Category Link: /licensing
    • SAP’s licensing rules surrounding use and indirect access are vague, making it extremely difficult to purchase with confidence and remain compliant.
    • SAP has released nine document-type licenses that can be used in digital access licensing scenarios, but this model has its own challenges.
    • Whether you decide to remain “as is” or proactively change licensing over to the document model, either option can be costly and confusing.
    • Indirect static read can be a cause of noncompliance when data is exported but the processing capability of SAP ERP is used in real time.

    Our Advice

    Critical Insight

    • Examine all indirect access possibilities. Understanding how in-house or third-party applications may be accessing and utilizing the SAP digital core is critical to be able to correctly address issues.
    • Know what’s in your contract. Each customer agreement is different, and older agreements may provide both benefits and challenges when evaluating your SAP license position.
    • Understand the intricacies of document licensing. While it may seem digital access licensing will solve compliance concerns, there are still questions to address and challenges SAP must resolve.

    Impact and Result

    • Conduct an internal analysis to examine where digital access licensing may be needed to mitigate risk, as SAP will be speaking with all customers in due course. Indirect access can be a costly audit settlement.
    • Conduct an analysis to remove inactive and duplicate users, as multiple logins may exist and could end up costing the organization license fees when audited.
    • Adopt a cyclical approach to reviewing your SAP licensing and create a reference document to track your software needs, planned licensing, and purchase negotiation points.
    • Learn the SAP way of conducting business, which includes a best-in-class sales structure and unique contracts and license use policies, combined with a hyper-aggressive compliance function. Conducting business with SAP is not a typical vendor experience, and you will need different tools to emerge successfully from a commercial transaction.

    Explore the Secrets of SAP Digital Access Licensing Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you need to understand and document your SAP digital access licensing strategy, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Understand, assess, and decide on digital access licensing

    Begin your SAP digital access licensing journey by evaluating licensing changes and options, and then make contractual changes to ensure compliance.

    • Explore the Secrets of SAP Digital Access Licensing – Phase 1: Understand, Assess, and Decide on Digital Access Licensing
    • SAP License Summary and Analysis Tool
    • SAP Digital Access Licensing Pricing Tool
    [infographic]

    Implement and Mature Your User Experience Design Practice

    • Buy Link or Shortcode: {j2store}430|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Requirements & Design
    • Parent Category Link: /requirements-and-design

    Many organizations want to get to market quickly and on budget but don’t know the steps to get the right product/service to satisfy the users and business. This may be made apparent through uninformed decisions leading to lack of adoption of your product or service, rework due to post-implementation user feedback, or the competition discovering new approaches that outshine yours.

    Our Advice

    Critical Insight

    Ensure your practice has a clear understanding of the design problem space – not just the solution. An understanding of the user is critical to this.

    Impact and Result

    • Create a practice that is focused on human outcomes; it starts and ends with the people you are designing for. This includes:
      • Establishing a practice with a common vision.
      • Enhancing the practice through four design factors.
      • Communicating a roadmap to improve your business through design.
    • Create a practice that develops solutions specific to the needs of users, customers, and stakeholders.

    Implement and Mature Your User Experience Design Practice Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should implement an experience design practice, review Info-Tech’s methodology, and understand the four dimensions we recommend using to mature your practice.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build the foundation

    Motivate your team with a common vision, mission, and goals.

    • Design Roadmap Workbook
    • User Experience Practice Roadmap

    2. Review the design dimensions

    Examine your practice – from the perspectives of organizational alignment, business outcomes, design perspective, and design integration – to determine what it takes to improve your maturity.

    3. Build your roadmap and communications

    Bring it all together – determine your team structure, the roadmap for the practice maturity, and communication plan.

    [infographic]

    Workshop: Implement and Mature Your User Experience Design Practice

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Answer “So What?”

    The Purpose

    Make the case for UX. Bring the team together with a common mission, vision, and goals.

    Key Benefits Achieved

    Mission, vision, and goals for design

    Activities

    1.1 Define design practice goals.

    1.2 Generate the vision statement.

    1.3 Develop the mission statement.

    Outputs

    Design vision statement

    Design mission statement

    Design goals

    2 Examine Design Dimensions

    The Purpose

    Review the dimensions that help organizations to mature, and assess what next steps make sense for your organization.

    Key Benefits Achieved

    Develop initiatives that are right-sized for your organization.

    Activities

    2.1 Examine organizational alignment.

    2.2 Establish priorities for initiatives.

    2.3 Identify business value sources.

    2.4 Identify design perspective.

    2.5 Brainstorm design integration.

    2.6 Complete UCD-Canvas.

    Outputs

    Documented initiatives for design maturity

    Design canvas framework

    3 Create Structure and Initiatives

    The Purpose

    Make your design practice structure right for you.

    Key Benefits Achieved

    Examine patterns and roles for your organization.

    Activities

    3.1 Structure your design practice.

    Outputs

    Design practice structure with patterns

    4 Roadmap and Communications

    The Purpose

    Define the communications objectives and audience for your roadmap.

    Develop your communication plan.

    Sponsor check-in.

    Key Benefits Achieved

    Complete in-progress deliverables from previous four days.

    Set up review time for workshop deliverables and to discuss next steps.

    Activities

    4.1 Define the communications objectives and audience for your roadmap.

    4.2 Develop your communication plan.

    Outputs

    Communication Plan and Roadmap

    Take a Realistic Approach to Disaster Recovery Testing

    • Buy Link or Shortcode: {j2store}414|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: DR and Business Continuity
    • Parent Category Link: /business-continuity

    You have made significant investments in availability and disaster recovery – but your ability to recover hasn’t been tested in years. Testing will:

    • Improve your DR capabilities.
    • Identify required changes to planning documentation and procedures.
    • Validate DR capabilities for interested customers and auditors.

    Our Advice

    Critical Insight

    • If you treat testing as a pass/fail exercise, you aren’t meeting the end goal of improving organizational resilience.
    • Focus on identifying gaps and risks, and addressing them, before a real disaster hits.
    • Take a realistic, iterative approach to resilience testing that starts with small, low-risk tests and builds on lessons learned.

    Impact and Result

    • Identify testing scenarios and scope that can deliver value to your organization.
    • Create practical test plans with Info-Tech’s template.
    • Demonstrate value from testing to gain buy-in for additional tests.

    Take a Realistic Approach to Disaster Recovery Testing Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Take a Realistic Approach to Disaster Recovery Testing Storyboard – A guide to establishing a right-sized approach to DR testing that delivers durable value to your organization.

    Use this research to understand the different types of tests, prioritize and plan tests for your organization, review the results, and establish a cadence for testing.

    • Take a Realistic Approach to Disaster Recovery Testing Storyboard

    2. Disaster Recovery Test Plan Template – A template to document your organization's DR test plan.

    Use this template to document scope and goals, participants, key pre-test milestones, the test-day schedule, and your findings from the testing exercise.

    • Disaster Recovery Test Plan Template

    3. Disaster Recovery Testing Program Summary – A template to outline your organization's DR testing program.

    Identify the tests you will run over the next year and the expertise, governance, process, and funding required to support testing.

    • Disaster Recovery Testing Program Summary

    [infographic]

     

    Further reading

    Take a Realistic Approach to Disaster Recovery Testing

    Reduce costly downtime with a right-sized testing program that improves IT resilience.

    Analyst Perspective

    Reduce costly downtime with a right-sized testing program that improves IT resilience.

    Andrew Sharp

    Most businesses make significant investments in disaster recovery and technology resilience. Redundant sites and systems, monitoring, intrusion prevention, backups, training, documentation: it all costs time and money.

    But does this investment deliver expected value? Specifically, can you deliver service continuity in a way that meets business requirements?

    You can’t know the answer without regularly testing recovery processes and systems. And more than just validation, testing helps you deliver service continuity by finding and addressing gaps in your plans and training your staff on recovery procedures.

    Use the insights, tools, and templates in this research to create a streamlined and effective resilience testing program that helps validate recovery capabilities and enhance service reliability, availability, and continuity.

    Andrew Sharp

    Research Director, Infrastructure & Operations
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    You have made significant investments in availability and disaster recovery (DR) – but your ability to recover hasn’t been tested in years. Testing will:

    • Improve your DR capabilities.
    • Identify required changes to planning documentation and procedures.
    • Validate DR capabilities for interested customers and auditors.

    Common Obstacles

    Despite the value testing can offer, actually executing on DR tests is difficult because:

    • Testing is often an IT-driven initiative, and it can be difficult to secure business buy-in to redirect resources away from other urgent projects or accept risks that come with testing.
    • Previous tests have been overly complex and challenging to coordinate and leave a hangover so bad that no one wants to do them again.

    Info-Tech's Approach

    Take a realistic approach to resilience testing by starting with small, low-risk tests, then iterating with the lessons you’ve learned:

    • Identify testing scenarios and scope that can deliver value to your organization.
    • Create practical test plans with Info-Tech’s template.
    • Get buy-in for regular DR testing from key stakeholders with a testing program summary.

    Info-Tech Insight

    If you treat testing as a pass/fail exercise, you aren’t meeting the end goal of improving organizational resilience. Focus on identifying gaps and risks so you can address them before a real disaster hits.

    Process and Outputs

    This research is accompanied by templates to help you achieve your goals faster.

    1 - Establish the business rationale for DR testing.
    2 - Review a range of options for testing.
    3 - Prioritize tests that are most valuable to your business.
    4 - Create a disaster recovery test plan.
    5 - Establish a Test Program to support a regular testing cycle.

    Outputs:

    DR Test Plan
    DR Testing Program Summary

    Example Orange Activity slide.
    Orange activity slides like the one on the left provide directions to help you make key decisions.

    Key Deliverable:

    Disaster Recovery Test Plan Template

    Build a plan for your first disaster recovery test.

    This document provides a complete example you can use to quickly build your own plan, including goals, milestones, participants, the test-day schedule, and findings from the after-action review.

    Why test?

    Testing helps you avoid costly downtime

    • In a disaster scenario, speed matters. Immediately after an outage, the impact on the organization is small, but impact increases rapidly the longer the outage continues.
    • A quick and reliable response and recovery can protect the organization from significant losses.
    • A DRP testing and maintenance program helps ensure you’re ready to recover when you need to, rather than figuring it out as you go.

    “Routine testing is vital to survive a disaster… that’s when muscle memory sets in. If you don’t test your DR plan it falls [in importance], and you never see how routine changes impact it.”

    – Jennifer Goshorn
    Chief Administrative Officer
    Gunderson Dettmer LLP

    Info-Tech members estimated even one day of system downtime could lead to significant revenue losses. Estimated loss of revenue over 24 hours. Core Infrastructure has the highest potential for lost revenue.

    Average estimated potential loss* in thousands of USD due to a 24-hour outage (N=41)

    *Data aggregated from 41 business impact analyses (BIAs) conducted with Info-Tech advisory assistance. BIAs evaluate potential revenue loss due to a full day of system downtime, at the worst possible time.

    Run tests to enhance disaster recovery plans

    Testing improves organizational resilience

    • Identify and address gaps in your plans before a real disaster strikes.
    • Cross-train staff on systems recovery.
    • Go beyond testing technology to test recovery processes.
    • Establish a culture that centers resilience in everyday decision-making.

    Testing keeps DR documentation ready for action

    • Update documentation ahead of tests to prepare for the testing exercise.
    • Update documentation after testing to incorporate any lessons learned.

    Testing validates that investments in resilience deliver value

    • Confirm your organization can meet defined recovery time objectives (RTOs) and recovery point objectives (RPOs).
    • Provide proof of testing for auditors, prospective customers, and insurance applications

    Overcome testing challenges

    Despite the value of effective recovery testing, most IT organizations struggle to test recovery plans

    Common challenges

    • Key resources don’t have time for testing exercises.
    • You don’t have the technology to support live recovery testing.
    • Tests are done ad hoc and lessons learned are lost.
    • A lack of business support for test exercises as the value isn’t understood.
    • Tests are always artificially simple because RTOs and RPOs must be met to satisfy customer or auditor inquiries

    Overcome challenges with a realistic approach:

    • Start small with tabletop and recovery tests for specific systems.
    • Include recovery tests in operational tasks (e.g. restore systems when you have a maintenance window).
    • Create testing plans for larger testing exercises.
    • Build on successful tests to streamline testing exercises in the future.
    • Don’t make testing a pass-fail exercise. Focus on identifying gaps and risks so you can address them before a real disaster hits.

    Go beyond traditional testing

    Different test techniques help validate recovery against different threats

    • There are many threats to service continuity, including ransomware, severe weather events, geopolitical conflict, legacy systems, staff turnover, and day-to-day outages caused by human error, software updates, hardware failures, or network outages.
    • At its core, disaster recovery planning is about recovery. A plan for service recovery will help you mitigate against many threats at once. The testing approaches on the right will help you validate different aspects of that recovery process.
    • This research will provide an overview of the approaches outlined on the right and help you prioritize tests that are most valuable to your organization.
    Different test techniques for disaster recover training: System Failover tests, tabletop exercises, ransomware recovery tests, etc.

    00 Identify a working group

    30 minutes

    Identify a group of participants who can fill the following roles and inform the discussions around testing in this research. A single person could fill multiple roles and some roles could be filled by multiple people. Many participants will be drawn from the larger DRP team.

    Roles and expectations for Disaster Recovery Planning. DRP sponsor, Testing coordinator, System testers, business liaisons, executive team.

    Input

    • Organizational context

    Output

    • A list of key participants for test planning and execution

    Participants

    • Typically, start by identifying the sponsor and coordinator and have them identify the other members of the working group.

    Start by updating your disaster recovery plan (DRP)

    Use Info-Tech’s Create a Right-Sized Disaster Recovery Plan research to identify recovery objectives based on business impact and outline recovery processes. Both are tremendously valuable inputs to your test plans.

    Overall Business Continuity Plan

    IT Disaster Recovery Plan

    A plan to restore IT services (e.g. applications and infrastructure) following a disruption. A DRP:

    • Identifies critical applications and dependencies.
    • Defines appropriate recovery objectives based on a business impact analysis (BIA).
    • Creates a step-by-step incident response plan.

    BCP for Each Business Unit

    A set of plans to resume business processes for each business unit. A business continuity plan (BCP) is also sometimes called a continuity of operations plan (COOP).

    BCPs are created and owned by each business unit, and creating a BCP requires deep involvement from the leadership of each business unit.

    Info-Tech’s Develop a Business Continuity Plan blueprint provides a methodology for creating business unit BCPs as part of an overall BCP for the organization.

    Crisis Management Plan

    A plan to manage a wide range of crises, from health and safety incidents to business disruptions to reputational damage.

    Info-Tech’s Implement Crisis Management Best Practices blueprint provides a framework for planning a response to any crisis, from health and safety incidents to reputational damage.

    01 Confirm: why test at all?

    15-30 minutes

    Identify the value recovery testing for your organization. Use language appropriate for a nontechnical audience. Start with the list below and add, modify, or delete bullet points to reflect your own organization.

     

    Drivers for testing – Examples:

     

    • Improve service continuity.
    • Identify and address gaps in recovery plans before a real disaster strikes.
    • Cross-train staff on systems recovery to minimize single points of failure.
    • Identify how we coordinate across teams during a major systems outage.
    • Exercise both recovery processes and technology.
    • Support a culture that centers system resilience in everyday decision-making.
    • Keep recovery documentation up-to-date and ready for action.
    • Confirm that our stated recovery objectives can be met.
    • Provide proof of testing for auditors, prospective customers, and insurance applications.
    • We require proof of testing to pass audits and renew cybersecurity insurance.

    Info-Tech Insight

    Time-strapped technical staff will sometimes push back on planning and testing, objecting that the team will “figure it out” in a disaster. But the question isn’t whether recovery is possible – it’s whether the recovery aligns with business needs. If your plan is to “MacGyver” a solution on the fly, you can’t know if it’s the right solution for your organization.

    Input

    • Business drivers and context for testing

    Output

    • Specific goals that are driving testing

    Participants

    • DR sponsor
    • Test coordinator

    Think about what and how you test

    Different layers of the stack to test: Network, Authentication, compute and storage, visualization platforms, database services, middleware, app servers, web servers.

    Find gaps and risks with tabletop testing

    Tabletop planning had the greatest impact on meeting recovery objectives (RTOs/RPOs).

    In a tabletop planning exercise, the team walks through a disaster scenario to outline the recovery workflow, and risks or gaps that could disrupt that workflow.

    Tabletops are particularly effective because:

    • It enables you to play out a wider range of scenarios than technology-based testing (e.g. full-scale, parallel) due to cost and complexity factors.
    • It is non-intrusive, so it can be executed more easily than other testing methodologies.
    • The exercise translates into recovery documentation: you create a workflow as you go.
    • A major site or service recovery scenario will review all aspects of the recovery process and create the backbone of your recovery plan.

    02 Run a tabletop exercise

    2 hours

    Tabletop testing is part of our core DRP methodology, Create a Right-Sized Disaster Recovery Plan. This exercise can be run using cue cards, sticky notes, or on a whiteboard; many of our facilitators find building the workflow directly in flowchart software to be very effective.

    Use our Recovery Workflow Template as a starting point.

    Some tips for running your first tabletop exercise:

    Do

    • Review the complete workflow from notification all the way to user acceptance testing.
    • Keep focused; stay on task and on time.
    • Revisit each step and record gaps and risks (and known solutions, but don’t dwell on this).
    • Revise and improve the plan with task owners.

    Don't

    • Get weighed down by tools.
    • Try to find solutions to every gap/risk as you go. Save in-depth research/discussion for later.
    • Document the details right away – stick to the high-level plan for the first exercise.
    1. Ahead of the exercise, decide on a scenario, identify participants, and book a meeting time.
      • For your first walkthrough of a DR scenario, we often recommend a scenario that considers a site failure requiring failover to a DR site.
      • For the first exercise, focus on technical aspects of recovery before bringing in members of the business. The technical team may need space to discuss the appropriate steps in the recovery process before you bring in business liaisons to discuss user acceptance testing (UAT).
      • A complete failover considers all systems, the viability of your second site, and can help identify parts of the process that require additional exercises.
    2. Review the scenario with participants. Then, discuss and document the recovery process, starting with initial notification of an event.
      • Record steps in the process on white cards or boxes.
      • On yellow and red cards, document gaps and risks in people process and technology requirements.
    3. Once you’ve walked through the process, return to the start.
      • Record the time required to complete each step. Consider identifying who is responsible for key steps. Identify any additional gaps and risks.
    4. Clean up and record the results of the workflow. Save a copy with your DRP documentation.

    Input

    • Expert knowledge on systems recovery

    Output

    • Recovery workflow, including gaps and risks

    Participants

    • Test coordinator
    • Technical SMEs

    Move from tabletop testing to functional exercises

    See how your plans fare in the real world

    In live exercises, some portion of your recovery plans are executed in a way that mimics a real recovery scenario. Some advantages of live testing:

    • See how standby systems behave. A tabletop exercise can miss small issues that can make or break the recovery process. For example, connectivity or integration issues on a new subnet might be difficult to predict prior to actually running services in that environment.
    • Hands-on practice: Familiarize the team with the steps, commands, and interfaces of your recovery toolset.
    • Manage the pressure of the DR scenario: Nothing’s quite like the real thing, but a live exercise may be the closest your team can get to a disaster situation without experiencing it firsthand.

    Examples of live exercises

    Boot and smoke test Turn on a standby system and confirm it boots up correctly.
    Restore and validate data Restore data or servers from backup. Confirm data integrity.
    Parallel testing Send familiar transactions to production and standby systems. Confirm both systems produce the same result.
    Failover systems Shut down the production system and use the standby system in production.

    Run local tests ahead of releases

    Think small

    Most unacceptable downtime is caused by localized issues, such as hardware or software failures, rather than widespread destructive events. Regular local testing can help validate the recovery plan for local issues and improve overall service continuity.

    Make local testing a standard step in maintenance work and new deployments to embed resilience considerations in day-to-day activities. Run the same tests in both your primary and your DR environment.

    Some examples of localized tests:

    • Review backup logs and check for errors.
    • Restore files or whole systems from backup.
    • Run application-based tests as part of release management, including unit, regression, and performance tests.
      • Ensure application tests are run for both the primary and DR environment.
      • For a deep-dive on application testing, see Info-Tech’s research Automate Testing to Get More Done.

    Info-Tech Insight

    Local tests will vary between different services, and local test design is usually best left to the system SMEs. At the same time, centralize reporting to understand where tests are being done.

    Investigate whether your IT Service Management or ticketing system can create recurring tasks or work orders to schedule, document, and track test exercises. Tasks can be pre-populated with checklists and documentation to support the test and provide a record of completed tests to support oversight and reporting.

    Have the business validate recovery

    If your business doesn’t think a system’s recovered, it’s not recovered.

    User acceptance testing (UAT) after system recovery is a key step in the recovery process. Like any step in the process, there’s value in testing it before it actually needs to be done. Assign responsibility for building UATs to the person who will be responsible for executing them.

    An acceptance test script might look something like the checklist below.

    • Does the application open?
    • Does the interface look right?
    • Do you see any unusual notifications or warnings?
    • Can you conduct a key transaction with dummy data?
    • Can you run key reports?

    “I cannot stress how important it is to assign ownership of responsibilities in a test; this is the only way to truly mitigate against issues in a test.”

    – Robert Nardella
    IT Service Management
    Certified z/OS Mainframe Professional

    Info-Tech Insight

    Build test scripts and test transactions ahead of time to minimize the amount of new work required during a recovery scenario.

    Beyond the Basics: Full Failover Testing

    • A failover test – a full failover of your production environment to a secondary environment – is what many IT and businesspeople think about when they think of disaster recovery testing.
    • A full test can validate previous local or tabletop tests, identify additional gaps and risks, and provide hands-on training experience with recovery processes and technologies.
    • Setting a date for failover testing can also inject some urgency into otherwise low-priority (but high importance) disaster recovery planning and documentation exercises, which need to be completed prior to the test.
    • Despite these benefits, full failover tests carry significant risk and require a great deal of effort and cost. Typically, only businesses that already have an active-active environment capable of supporting in-scope production systems are able to run a full environment failover.
    • This is especially true the first time you test. While in theory a DR plan should be ready to go at any time, there will be documents to update, gaps to address, and risks to mitigate before you go ahead with the test.

    Full Failover Testing

    What you get:

    • Provide hands-on experience with recovery processes and technology.
    • Confirm that site failover works in practice as you assumed in tabletop or local testing exercises.
    • Identify critical gaps you might have missed without a full failover test.

    What you need:

    • An active-active secondary site, with sufficient standby equipment, data, and licensed standby software to support production.
    • A completed tabletop exercise and documented recovery workflow.
    • A documented test plan, backout plan, and formal sign-off.
    • An off-hours downtime window.
    • Time from technical SMEs and business resources, both for creating the plan and executing the test.

    Beyond the Basics: Site Reliability Engineering

    • Site reliability engineering (SRE) is an application of skills and approaches from software engineering to improve system resilience.
    • SRE is focused on “availability, latency, performance, efficiency, change management, monitoring, emergency response, and capacity planning” across a set portfolio of services (Sloss, 2017).
    • In many organizations, SRE is implemented as a team that supports separate applications teams.
    • Applications must have defined and granular resilience requirements, translated into service objectives. The SRE team and applications teams will work together to meet these objectives.
    • Site reliability engineers (the folks that do SRE, and often also abbreviated as SREs) are expected to build solutions and processes to ensure services remain stable and performant, not just respond when they fail. For example, Google allows their SREs to spend just half their time on incident response, with the rest of their time focused on development and automation tasks.

    Site Reliability Testing

    What you get:

    • Improved reliability and reduced frequency and impact of downtime.
    • Increased use of automation to address problems before they cause an incident.
    • Granular resilience objectives.

    What you need:

    • Systems running on software-defined infrastructure.
    • Specialized skills in programming, infrastructure-as-code.
    • Business & product owners able to define and fund acceptable and appropriate resilience objectives.
    • Technical experts able to translate product requirements into technical design requirements.

    Beyond the Basics: Chaos Engineering

    • Chaos engineering, a term and approach first popularized by the team at Netflix, aims to improve the resilience of particularly large and distributed systems by simulating system failures and evaluating performance against a baseline.
    • Experiments simulate a variety of real-world events that could cause outages (e.g. network slowdowns or server failures). Experiments run continuously, and the recommendation is to run them in production where feasible while minimizing the impact on customers.
    • Tools to help you run chaos testing exist, including open-source toolkits like Chaos Monkey or Mangle and paid software as a service (SaaS) solutions like Gremlin.
    • Deciding whether the long-term benefits of tests that can degrade production are worth the potential risk of system slowdowns or outages is a business or product decision. Technical considerations aside, if the business owner of a particular system doesn’t see the value of continuous testing outweighing the introduced risk, this approach to testing isn’t going to happen.

    Chaos Engineering

    What you get:

    • Confidence that systems can weather volatile and unpredictable conditions in a production environment.
    • An embedded resilience culture.

    What you need:

    • High-maturity IT incident, monitoring and event practices.
    • Standby/resilient systems to minimize downtime impact.
    • Business buy-in for introducing risk into the production environment.
    • Specialized skills to identify, develop, and run tests that degrade production performance in a controlled way.
    • Budget and time to act on issues identified through testing.

    Beyond the Basics: Security Event Simulations

    • Ransomware is driving demands for proof of recovery testing from customers, executives, auditors, and insurance companies. Systems recovery is part of ransomware recovery, but recovering from a breach includes detection, analysis, containment, and eradication of the attack vector before systems recovery can begin.
    • Beyond technical recovery, internal legal and communications teams will have a role, as will your insurance provider, consultants specialized in ransomware recovery, or professional ransom negotiators.
    • A tabletop exercise focused on ransomware incident response is a key first step. You can find Info-Tech’s methodology for a ransomware tabletop in Phase 3 of Build Resilience Against Ransomware Attacks.
    • Live testing approaches can offer hands-on experience and further insight into how your systems are vulnerable to malware. A variety of open source and proprietary tools can simulate ransomware and help you identify problems, though it’s important to understand the limitations of different simulators (Allon, 2022).
    • A “red team” exercise simulates an adversarial attack against your processes and systems. A specialized penetration tester will often take on the role of the red team and provide a report of identified gaps and risks after the engagement.

    Security Event Simulation

    What you get:

    • Hands-on experience managing and recovering from a ransomware attack in a controlled environment.
    • A better understanding of gaps in your response process.

    What you need:

    • A completed ransomware tabletop exercise and mature security incident response processes.
    • For Ransomware Simulators: An air-gapped sandbox environment hosting a copy of your production systems and security tools, and time from your technical SMEs.
    • For Red Team Exercises: A trusted provider, scope for your testing plans, and time from your security incident response team.

    Prioritize tests by asking these three questions

    1. Will the scope of this test deliver sufficient value?

    • Yes, these are critical systems with low tolerance for downtime or data loss.
    • Yes, major changes or new systems require validation of DR capabilities.
    • Yes, there’s high probability of an outage, or recent experience of an outage.
    • •Yes, we have audit requirements or customer demands for testing.

    2. Are we ready for this test?

    • Yes, recovery plans and recovery objectives are documented.
    • Yes, key technical and business resources have time to commit to testing exercises.
    • Yes, technology is currently able to support proposed tests.

    3. Is it easy to do?

    • Yes, effort required to complete the test is low (i.e. minimal work, few participants).
    • Yes, the risks related to testing are low.
    • Yes, it won’t cost much.

    Info-Tech Insight

    More complex, challenging, risky, or costly tests, such as full failover tests, can deliver value. But do the high-value, low-effort stuff first!

    03 Brainstorm and prioritize test ideas

    30-60 minutes

    Even if you have an idea of what you need to test and how you want to run those tests, this brainstorming exercise can generate useful ideas for testing that might otherwise have been missed.

      1. Review the slides above to develop ideas on how and what you want to test. These slides may be enough to kickstart a brainstorming process. Don’t debate or discount ideas at this point. Write down these ideas in a space where all participants can see them (e.g. whiteboard or shared screen).

    The next steps will help you prioritize the list – if needed – to tests that are highest value and lowest effort.

    1. Discuss where you have the greatest need to test. Assign a score of 0 – 3 for each test, with a score of 3 being high-need and a score of zero being low-need. Consider whether:
      • These applications have a low tolerance for downtime.
      • There’s a high chance of an outage, or recent experience with an outage.
      • There’s a need to train or cross-train staff on recovery for the system(s) in question.
      • Major changes require a review or validation of DR capabilities.
      • Audit requirements or customer/executive demands can be met via testing.
    2. Discuss which tests will require the least effort to complete – where readiness is high and tests are easier to do. Assign a score between 0 and 3 for each test, with a score of 3 being least effort and a score of 0 being high effort. Consider whether:
      • Recovery plans and recovery objectives are documented for these systems.
      • Technical experts are available to work on testing exercises.
      • For active testing, standby/sandbox systems are available and capable of supporting proposed tests.
      • The effort required to complete the test is low (e.g. minimal new work, few participants).
      • The risks related to testing are low.
      • You will need to secure additional funding.
    3. Sum together the assigned scores for each test. Higher scores should be the highest priority, but of course use your judgement to validate the results and select one or two tests to execute in the coming year.

    “There are different levels of testing and it is very progressive. I do not recommend my clients to do anything, unless they do it in a progressive fashion. Don’t try to do a live failover test with your users, right out of the box.”

    – Steve Tower
    Principal Consultant
    Prompta Consulting Group

    Input

    • Organizational and technical context

    Output

    • Prioritize list of DR testing ideas

    Participants

    • DR sponsor
    • Test coordinator

    04 Build a test plan

    3-5 days

    Building a test plan helps the test run smoothly and can uncover issues with the underlying DRP as you dig into the details.

    The test coordinator will own the plan document but will rely on the sponsor to confirm scope and goals, technical SMEs to develop system recovery plans, and business liaisons to create UAT scripts.

    Download Info-Tech’s Disaster Recovery Test Plan Template. Use the structure of the template to build your own document, deleting example data as you go. Consider saving a separate copy of this document as an example and working from a second copy.

    Key sections of the document include:

    • Goals, scenario, and scope of the test.
    • Assumptions, constraints, risks, and mitigation strategies.
    • Test participants.
    • Key pre-test milestones, and test-day schedule.
    • After-action review.

    Download the Disaster Recovery Test Plan Template

    Input

    • Scope
    • High-level goals

    Output

    • Test plan, including goals, scope, key milestones, risks and mitigations, and test-day schedule

    Participants

    • Test coordinator develops the plan with support from:
      • Technical SMEs
      • Business liaisons
      • DR sponsor

    05 Run an after-action review

    30-60 minutes

    Take time after test exercises – especially large-scale tests with many participants – to consider what went well, what didn’t, and where you can improve future testing exercises. Track lessons learned and next steps at the bottom of your test plan.

    1. Start with a short (5-10 minute) debrief of the test and allow participants to ask questions. Confirm:
      • Did we meet the goals we set for the exercise, including RTOs and RPOs?
      • What was done well? What issues, gaps, and risks were identified?
    2. Work through variations of the following questions:
      • Was the test plan effective, and was the test well organized?
      • Was the documentation effective? Where did we follow the plan as documented, and where did we deviate from the plan?
      • Was our communication/collaboration during the test effective?
      • Have gaps and issues found during the test been reported to the testing coordinator? Could some of the issues uncovered apply more broadly to other IT services as well?
      • What could we test next, based on what was discovered?
      • Are there other tools or approaches that could be useful?

    Input

    • Insights and experience from a recent testing exercise

    Output

    • Identified gaps and risks, and action items to address them
    • Ideas to improve future test exercises

    Participants

    • Test coordinator develops the plan with support from:
      • Test coordinator
      • Test participants

    Follow a testing cycle

    All tests are expected to drive actions to improve resilience, as appropriate. Experience from previous tests will be applied to future testing exercises.

    The testing cycle: 1. Plan a test, 2. Run test, 3. Take action.

    Use your experience to simplify testing

    The fifth testing exercise should be easier than the first

    Outputs and lessons learned from testing should help you run future tests.

    • With past experience under their belt, participants should have a better understanding of their role, and of their peers’ roles, and the goal of the exercise.
    • Facilitators will be more comfortable facilitating the exercise, and everyone should be more confident in the steps required to recover their systems.
    • Gather feedback from participants through after-action reviews to identify what worked and what didn’t.
    • Documentation from previous tests can provide a template for future tests.
    • Gaps identified in previous tests can provide ideas for future tests.

    Experience, lessons learned, improved process, new test targets, repeat.

    Info-Tech Insight

    Testing should get easier over time. But if you’re easily passing every test, it’s a sign that you’re ready to run more challenging tests.

    06 Create a test program summary

    2-4 hours

    Regular testing allows you to build on prior tests and helps keep plans current despite changes to your environment.

    Keeping a regular testing schedule requires expertise, a process to coordinate your efforts, and a level of governance to provide oversight and ensure testing continues to deliver value. Create a call to action using Info-Tech’s Disaster Recovery Testing Program Summary Template.

    The result is a summary document that:

    • Identifies key takeaways and testing goals
    • Presents key elements of the testing program
    • Outlines the testing cycle
    • Lists expected milestones for the next year
    • Identifies participants
    • Recommends next steps

    “It is extremely important in the early stages of development to concentrate the focus on actual recoverability and data protection, enhancing these capabilities over time into a fully matured program that can truly test the recovery, and not simply focusing on the testing process itself.”

    – Joe Starzyk
    Senior Business Development Executive
    IBM Global Services

    Research Contributors and Experts

    • Bernard A. Jones, Business Continuity & Disaster Recovery Expert
    • Robert Nardella, IT Service Management, Certified z/OS Mainframe Professional
    • Larry Liss, Chief Technology Officer, Blank Rome LLP
    • Jennifer Goshorn, Chief Administrative and Chief Compliance Officer, Gunderson Dettmer LLP
    • Paul Kirvan, FBCI, CISA, Independent IT Consultant/Auditor, Paul Kirvan Associates
    • Steve Tower, Principal Consultant, Prompta Consulting Group
    • Joe Starzyk, Senior Business Development Executive, IBM Global Services
    • Thomas Bronack, Enterprise Resiliency and Corporate Certification Consultant, DCAG
    • Paul S. Randal, CEO & Owner, SQLskills.com
    • Tom Baumgartner, Disaster Recovery Analyst, Catholic Health

    Bibliography

    Alton, Yoni. “Ransomware simulators – reality or a bluff?” Palo Alto Blog, 2 May 2022. Accessed 31 Jan 2023.
    https://www.paloaltonetworks.com/blog/security-operations/ransomware-simulators-reality-or-a-bluff/

    Brathwaite, Shimon. “How to Test your Business Continuity and Disaster Recovery Plan,” Security Made Simple, 13 Nov 2022. Accessed 31 Jan 2023.
    https://www.securitymadesimple.org/cybersecurity-blog/how-to-test-your-business-continuity-and-disaster-recovery-plan

    The Business Continuity Institute. Good Practice Guidelines: 2018 Edition. The Business Continuity Institute, 2017.

    Emigh, Jacqueline. “Disaster Recovery Testing: Ensuring Your DR Plan Works,” Enterprise Storage Forum, 28 May 2019. Accessed 31 Jan 2023.
    Disaster Recovery Testing: Ensuring Your DR Plan Works | Enterprise Storage Forum

    Gardner, Dana. "Case Study: Strategic Approach to Disaster Recovery and Data Lifecycle Management Pays off for Australia's SAI Global." ZDNet. BriefingsDirect, 26 Apr 2012. Accessed 31 Jan 2023.
    http://www.zdnet.com/article/case-study-strategic-approach-to-disaster-recovery-and-data-lifecycle-management-pays-off-for-australias-sai-global/.

    IBM. “Section 11. Testing the Disaster Recovery Plan.” IBM, 2 Aug 2021. Accessed 31 Jan 2023. Section 11. Testing the disaster recovery plan - IBM Documentation Lutkevich, Ben and Alexander Gillis. “Chaos Engineering”. TechTarget, Jun 2021. Accessed 31 Jan 2023.
    https://www.techtarget.com/searchitoperations/definition/chaos-engineering

    Monperrus, Martin. “Principles of Antifragility.” Arxiv Forum, 7 June 2017. Accessed 31 Jan 2023.
    https://arxiv.org/ftp/arxiv/papers/1404/1404.3056.pdf

    “Principles of Chaos Engineering.” Principles of Chaos Engineering, 2019 March. Accessed 31 Jan 2023.
    https://principlesofchaos.org/

    Sloss, Benjamin Treynor. “Introduction.” Site Reliability Engineering. Ed. Betsy Beyer. O’Reilly Media, 2017. Accessed 31 Jan 2023.
    https://sre.google/sre-book/introduction/

    Map Your Business Architecture to Define Your Strategy

    • Buy Link or Shortcode: {j2store}579|cart{/j2store}
    • member rating overall impact: 9.4/10 Overall Impact
    • member rating average dollars saved: $357,799 Average $ Saved
    • member rating average days saved: 30 Average Days Saved
    • Parent Category Name: Strategy & Operating Model
    • Parent Category Link: /strategy-and-operating-model
    • Organizations need to innovate rapidly to respond to the changing forces in their industry, but their IT initiatives often fail to deliver meaningful outcomes.
    • Planners face challenges in understanding the relationships between the important customer-focused innovations they’re trying to introduce and the resources (capabilities) that make them possible, including applications, human resources, information, and processes. For example, are we risking the success of a new service offering by underpinning it with a legacy or manual solution?

    Our Advice

    Critical Insight

    Successful execution of business strategy requires planning that:

    1. Accurately reflects organizational capabilities.
    2. Is traceable so all levels can understand how decisions are made.
    3. Makes efficient use of organizational resources.

    To accomplish this, the business architect must engage stakeholders, model the business, and drive planning with business architecture.

    • Business architecture is often regarded as an IT function when its role and tools should be fixtures within the business planning and innovation practice.
    • Any size of organization – from start-ups to global enterprises -- can benefit from using a common language and modeling rigor to identify the opportunities that will produce the greatest impact and value.
    • You don’t need sophisticated modeling software to build an effective business architecture knowledgebase. In fact, the best format for engaging business stakeholders is intuitive visuals using business language.

    Impact and Result

    • Execute more quickly on innovation and transformation initiatives.
    • More effectively target investments in resources and IT according to what goals and requirements are most important.
    • Identify problematic areas (e.g. legacy applications, manual processes) that hinder the business strategy and create inefficiencies in our information technology operation.

    Map Your Business Architecture to Define Your Strategy Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Map Your Business Architecture Deck – A step-by-step document that walks you through how to properly engage business and IT in applying a common language and process rigor to build key capabilities required to achieve innovation and growth goals.

    Build a structured, repeatable framework for both IT and business stakeholders to appraise the activities that deliver value to consumers; and assess the readiness of their capabilities to enable them.

    • Map Your Business Architecture to Define Your Strategy – Phases 1-3

    2. Stakeholder Engagement Strategy Template – A best-of-breed template to help you build a clear, concise, and compelling strategy document for identifying and engaging stakeholders.

    This template helps you ensure that your business architecture practice receives the resources, visibility, and support it needs to be successful, by helping you develop a strategy to engage the key stakeholders involved.

    • Stakeholder Engagement Strategy Template

    3. Value Stream Map Template – A template to walk through the value streams that are tied to your strategic goals.

    Record the complete value stream and decompose it into stages. Add a description of the expected outcome of the value stream and metrics for each stage.

    • Value Stream Map Template

    4. Value Stream Capability Mapping Template – A template to define capabilities and align them to selected value streams.

    Build a business capability model for the organization and map capabilities to the selected value stream.

    • Value Stream – Capability Mapping Template
    [infographic]

    Workshop: Map Your Business Architecture to Define Your Strategy

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Discover the Business Context

    The Purpose

    Identify and consult stakeholders to discover the business goals and value proposition for the customer.

    Key Benefits Achieved

    Engage stakeholders and SMEs in describing the business and its priorities and culture.

    Identify focus for the areas we will analyze and work on.

    Activities

    1.1 Select key stakeholders

    1.2 Plan for engaging stakeholders

    1.3 Gather business goals and priorities

    Outputs

    Stakeholder roles

    Engagement plan

    Business strategy, value proposition

    2 Define Value Streams

    The Purpose

    Describe the main value-adding activities of the business from the consumer’s point of view, e.g. provide product or service.

    Key Benefits Achieved

    Shared understanding of why we build resources and do what we do.

    Starting point for analyzing resources and investing in innovation.

    Activities

    2.1 Define or update value streams

    2.2 Decompose selected value stream(s) into value stages and identify problematic areas and opportunities

    Outputs

    Value streams for the enterprise

    Value stages breakdown for selected value stream(s)

    3 Build Business Capability Map

    The Purpose

    Describe all the capabilities that make up an organization and enable the important customer-facing activities in the value streams.

    Key Benefits Achieved

    Basis for understanding what resources the organization has and their ability to support its growth and success.

    Activities

    3.1 Define and describe all business capabilities (Level 1)

    3.2 Decompose and analyze capabilities for a selected priority value stream.

    Outputs

    Business Capability Map (Level 1)

    Business Capabilities Level 2 for selected value stream

    4 Develop a Roadmap

    The Purpose

    Use the Business Capability Map to identify key capabilities (e.g. cost advantage creator), and look more closely at what applications or information or business processes are doing to support or hinder that critical capability.

    Key Benefits Achieved

    Basis for developing a roadmap of IT initiatives, focused on key business capabilities and business priorities.

    Activities

    4.1 Identify key capabilities (cost advantage creators, competitive advantage creators)

    4.2 Assess capabilities with the perspective of how well applications, business processes, or information support the capability and identify gaps

    4.3 Apply analysis tool to rank initiatives

    Outputs

    Business Capability Map with key capabilities: cost advantage creators and competitive advantage creators

    Assessment of applications or business processes or information for key capabilities

    Roadmap of IT initiatives

    Further reading

    Map Your Business Architecture to Define Your Strategy

    Plan your organization’s capabilities for best impact and value.

    Info-Tech Research Group

    Info-Tech is a provider of best-practice IT research advisory services that make every IT leader’s job easier.

    35,000 members sharing best practices you can leverage Millions spent developing tools and templates annually Leverage direct access to over 100 analysts as an extension of your team Use our massive database of benchmarks and vendor assessments Get up to speed in a fraction of the time

    Analyst perspective

    Know your organization’s capabilities to build a digital and customer-driven culture.

    Business architecture provides a holistic and unified view of:

    • All the organization’s activities that provide value to their clients (value streams).
    • The resources that make them possible and effective (capabilities, i.e. its employees, software, processes, information).
    • How they inter-relate, i.e. depend on and impact each other to help deliver value.

    Without a business architecture it is difficult to see the connections between the business’s activities for the customer and the IT resources supporting them – to demonstrate that what we do in IT is customer-driven.

    As a map of your business, the business architecture is an essential input to the digital strategy:

    • Develop a plan to transform the business by investing in the most important capabilities.
    • Ensure project initiatives are aligned with business goals as they evolve.
    • Respond more quickly to customer requirements and to disruptions in the industry by streamlining operations and information sharing across the enterprise.

    Crystal Singh, Research Director, Data and Analytics

    Crystal Singh
    Research Director, Data and Analytics
    Info-Tech Research Group

    Andrea Malick, Research Director, Data and Analytics

    Andrea Malick
    Research Director, Data and Analytics
    Info-Tech Research Group

    Executive summary

    Your Challenge Common Obstacles Info-Tech’s Approach

    Organizations need to innovate rapidly to respond to ever-changing forces and demands in their industry. But they often fail to deliver meaningful outcomes from their IT initiatives within a reasonable time.

    Successful companies are transforming, i.e. adopting fluid strategies that direct their resources to customer-driven initiatives and execute more quickly on those initiatives. In a responsive and digital organization, strategies, capabilities, information, people, and technology are all aligned, so work and investment are consistently allocated to deliver maximum value.

    You don’t have a complete reference map of your organization’s capabilities on which to base strategic decisions.

    You don’t know how to prioritize and identify the capabilities that are essential for achieving the organization’s customer-driven objectives.

    You don’t have a shared enterprise vision, where everyone understands how the organization delivers value and to whom.

    Begin important business decisions with a map of your organization – a business reference architecture. Model the business in the form of architectural blueprints.

    Engage your stakeholders. Recognize the opportunity for mapping work, and identify and engage the right stakeholders.

    Drive business architecture forward to promote real value to the organization. Assess your current projects to determine if you are investing in the right capabilities. Conduct business capability assessments to identify opportunities and prioritize projects.

    Info-Tech Insight
    Business architecture is the set of strategic planning techniques that connects organization strategy to execution in a manner that is accurate and traceable and promotes the efficient use of organizational resources.

    Blueprint activities summary

    Phase Purpose Activity Outcome
    1. Business context:
    Identify organization goals, industry drivers, and regulatory requirements in consultation with business stakeholders.
    Identify forces within and outside the organization to consider when planning the focus and timing of digital growth, through conducting interviews and surveys and reviewing existing strategies. Business value canvas, business strategy on a page, customer journey
    2. Customer activities (value stream):
    What is the customer doing? What is our reason for being as a company? What products and services are we trying to deliver?
    Define or update value streams, e.g. purchase product from supplier, customer order, and deliver product to customer. Value streams enterprise-wide (there may be more than one set of value streams, e.g. a medical school and community clinic)
    Prioritize value streams:
    Select key value streams for deeper analysis and focus.
    Assess value streams. Priority value streams
    Value stages:
    Break down the selected value stream into its stages.
    Define stages for selected value streams. Selected value stream stages
    3. Business capability map, level 1 enterprise:
    What resources and capabilities at a high level do we have to support the value streams?
    Define or update the business capabilities that align with and support the value streams. Business capability map, enterprise-wide capabilities level 1
    Business capability map, level 2 for selected area:
    List resources and capabilities that we have at a more detailed level.
    Define or update business capabilities for selected value stream to level 2. Business capability map, selected value stream, capability level 2
    Heatmap Business Capability Map: Flag focus areas in supporting technology, applications, data and information.

    Info-Tech’s workshop methodology

    Day 1: Discover Business Context Day 2: Define Value Streams Day 3: Build Business Capability Map Day 4: Roadmap Business Architecture
    Phase Steps

    1.1 Collect corporate goals and strategies

    1.2 Identify stakeholders

    2.1 Build or update value streams

    2.2 Decompose selected value stream into value stages and analyze for opportunities

    3.1 Update business capabilities to level 1 for enterprise

    3.2 For selected value streams, break down level 1 to level 2

    3.3 Use business architecture to heatmap focus areas: technology, information, and processes

    3.4 Build roadmap of future business architecture initiatives

    Phase Outcomes
    • Organizational context and goals
    • Business strategy on a page, customer journey map, business model canvas
    • Roles and responsibilities
    • Value stream map and definitions
    • Selected value stream(s) decomposed into value stages
    • Enterprise business capabilities map to level 1
    • Business architecture to level 2 for prioritized value stream
    • Heatmap business architecture
    • Business architecture roadmap, select additional initiatives

    Key concepts for this blueprint

    INDUSTRY VALUE CHAIN DIGITAL TRANSFORMATION BUSINESS ARCHITECTURE
    A high-level analysis of how the industry creates value for the consumer as an overall end-to-end process. The adoption of digital technologies to innovate and re-invent existing business, talent ,and operating models to drive growth, business value, and improved customer experience. A holistic, multidimensional business view of capabilities, end-to-end value, and operating model in relation to the business strategy.
    INDUSTRY VALUE STREAM STRATEGIC OBJECTIVES CAPABILITY ASSESSMENTS
    A set of activities, tasks, and processes undertaken by a business or a business unit across the entire end-to-end business function to realize value. A set of standard objectives that most industry players will feature in their corporate plans. A heat-mapping effort to analyze the maturity and priority of each capability relative to the strategic priorities that they serve.

    Info-Tech’s approach

    1 Understand the business context and drivers
    Deepen your understanding of the organization’s priorities by gathering business strategies and goals. Talking to key stakeholders will allow you to get a holistic view of the business strategy and forces shaping the strategy, e.g. economy, workforce, and compliance.
    2 Define value streams; understand the value you provide
    Work with senior leadership to understand your customers’ experience with you and the ways your industry provides value to them.
    Assess the value streams for areas to explore and focus on.
    3 Customize the industry business architecture; develop business capability map
    Work with business architects and enterprise architects to customize Info-Tech’s business architecture for your industry as an enterprise-wide map of the organization and its capabilities.
    Extend the business capability map to more detail (Level 2) for the value stream stages you select to focus on.

    Business architecture is a planning function that connects strategy to execution

    Business architecture provides a framework that connects business strategy and IT strategy to project execution through a set of models that provide clarity and actionable insights. How well do you know your business?

    Business architecture is:

    • Inter-disciplinary: Business architecture is a core planning activity that supports all important decisions in the organization, for example, organizational resources planning. It’s not just about IT.
    • Foundational: The best way to answer the question, “Where do we start?” or “Where is our investment best directed?”, comes from knowing your organization, what its core functions and capabilities are (i.e. what’s important to us as an organization), and where there is work to do.
    • Connecting: Digital transformation and modernization cannot work with siloes. Connecting siloes means first knowing the organization and its functions and recognizing where the siloes are not communicating.

    Business architecture must be branded as a front-end planning function to be appropriately embedded in the organization’s planning process.

    Brand business architecture as an early planning pre-requisite on the basis of maintaining clarity of communication and spreading an accurate awareness of how strategic decisions are being made.

    As an organization moves from strategy toward execution, it is often unclear as to exactly how decisions pertaining to execution are being made, why priority is given to certain areas, and how the planning function operates.

    The business architect’s primary role is to model this process and document it.

    In doing so, the business architect creates a unified view as to how strategy connects to execution so it is clearly understood by all levels of the organization.

    Business architecture is part of the enterprise architecture framework

    Business Architecture
    Business strategy map Business model canvas Value streams
    Business capability map Business process flows Service portfolio
    Data Architecture Application Architecture Infrastructure Architecture
    Conceptual data model Application portfolio catalog Technology standards catalog
    Logical data model Application capability map Technology landscape
    Physical data model Application communication model Environments location model
    Data flow diagram Interface catalog Platform decomposition diagram
    Data lifecycle diagram Application use-case diagram Network computing / hardware diagram
    Security Architecture
    Enterprise security model Data security model Application security model

    Business architecture is a set of shared and practical views of the enterprise

    The key characteristic of the business architecture is that it represents real-world aspects of a business, along with how they interact.

    Many different views of an organization are typically developed. Each view is a diagram that illustrates a way of understanding the enterprise by highlighting specific information about it:

    • Business strategy view captures the tactical and strategic goals that drive an organization forward.
    • Business capabilities view describes the primary business functions of an enterprise and the pieces of the organization that perform those functions.
    • Value stream view defines the end-to-end set of activities that deliver value to external and internal stakeholders.
    • Business knowledge view establishes the shared semantics (e.g. customer, order, and supplier) within an organization and relationships between those semantics (e.g. customer name, order date, supplier name) – an information map.
    • Organizational view captures the relationships among roles, capabilities, and business units, the decomposition of those business units into subunits, and the internal or external management of those units.

    Business architect connects all the pieces

    The business owns the strategy and operating model; the business architect connects all the pieces together.

    R Business Architect (Responsible)
    A Business Unit Leads (Accountable)
    C Subject Matter Experts (Consulted)
    – Business Lines, Operations, Data, Technology Systems & Infrastructure Leads
    I Business Operators (Informed)
    – Process, Data, Technology Systems & Infrastructure

    Choose a key business challenge to address with business architecture

     Choose a key business challenge to address with business architecture

    Picking the right project is critical to setting the tone for business architecture work in the organization.

    Best practices for business architecture success

    Consider these best practices to maintain a high level of engagement from key stakeholders throughout the process of establishing or applying business architecture.

    Balance short-term cost savings with long-term benefits

    Participate in project governance to facilitate compliance

    Create a center of excellence to foster dialogue

    Identify strategic business objectives

    Value streams: Understand how you deliver value today

    It is important to understand the different value-generating activities that deliver an outcome for and from your customers.

    We do this by looking at value streams, which refer to the specific set of activities an industry player undertakes to create and capture value for and from the end consumer (and so the question to ask is, how do you make money as an organization?).

    Our approach helps you to strengthen and transform those value streams that generate the most value for your organization.

    Understand how you deliver value today

    An organization can have more than one set of streams.
    For example, an enterprise can provide both retail shopping and financial services, such as credit cards.

    Define the organization’s value streams

    • Value streams connect business goals to the organization’s value realization activities. They enable an organization to create and capture value in the market place by engaging in a set of interconnected activities. Those activities are dependent on the specific industry segment an organization operates within. Value streams can extend beyond the organization into the supporting ecosystem, whereas business processes are contained within and the organization has complete control over them.
    • There are two types of value streams: core value streams and support value streams. Core value streams are mostly externally facing: they deliver value to either an external or internal customer and they tie to the customer perspective of the strategy map. Support value streams are internally facing and provide the foundational support for an organization to operate.
    • An effective method for ensuring all value streams have been considered is to understand that there can be different end-value receivers. Info-Tech recommends identifying and organizing the value streams with customers and partners as end-value receivers.

    Example: Value stream descriptions for the retail industry

    Value Streams Create or Purchase the Product Manage Inventory Distribute Product Sell Product, Make Product Available to Customers
    • Product is developed before company sells it.
    • Make these products by obtaining raw materials from external suppliers or using their own resources.
    • Retailers purchase the products they are going to sell to customers from manufacturers or wholesale distributors.
    • Retailer success depends on its ability to source products that customers want and are willing to buy.
    • Inventory products are tracked as they arrive in the warehouse, counted, stored, and prepared for delivery.
    • Estimate the value of your inventory using retail inventory management software.
    • Optimizing distribution activities is an important capability for retailers. The right inventory needs to be at a particular store in the right quantities exactly when it is needed. This helps to maximize sales and minimize how much cash is held up in inventory.
    • Proper supply chain management can not only reduce costs for retailers but drive revenues by enhancing shopping experiences.
    • Once produced, retailers need to sell the products. This is done through many channels including physical stores, online, the mail, or catalogs.
    • After the sale, retailers typically have to deliver the product, provide customer care, and manage complaints.
    • Retailers can use loyalty programs, pricing, and promotions to foster repeat business.

    Value streams describe your core business

    Value streams describe your core business

    Value streams – the activities we do to provide value to customers – require business capabilities.

    Value streams are broken down further into value stages, for example, the Sell Product value stream has value stages Evaluate Options, Place Order, and Make Payment.

    Think of value streams as the core operations: the reason for your organization’s being. A professional consulting organization may have a legal team but it does not brand itself as a law firm. A core value stream is providing research products and services; a business capability that supports it is legal counsel.

    Decompose the value stream into stages

    The stages of a value stream are usually action-oriented statements or verbs that make up the individual steps involved throughout the scope of the value stream, e.g. Place Order or Make Payment.

    Each value stream should have a trigger or starting point and an end result for a client or receiver.

    Decompose the value stream into stages

    There should be measurable value or benefits at each stage. These are key performance indicators (KPIs). Spot problem areas in the stream.

    Value streams usually fall into one of these categories:

    1. Fulfillment of products and services
    2. Manufacturing
    3. Software products
    4. Supporting value streams (procurement of supplies, product planning)

    Value streams need capabilities

    • Value streams connect business goals to the organization’s value realization activities. They enable an organization to create and capture value in the market place by engaging in a set of interconnected activities.
    • There are two types of value streams: core value streams and support value streams. Core value streams are mostly externally facing: they deliver value to either an external or internal customer and they tie to the customer perspective of the strategy map. Support value streams are internally facing and provide the foundational support for an organization to operate.
    • There can be different end-value receivers. Info-Tech recommends identifying and organizing the value streams with customers and partners as end-value receivers.

    Value streams need business capabilities

    Business capabilities are built up to allow the business to perform the activities that bring value to customers. Map capabilities to the value-add activities in the value stream. Business capabilities lie at the top layer of the business architecture:

    • They are the most stable reference for planning organizations.
    • They make strategy more tangible.
    • If properly defined, they can help overcome organizational silos.

    Value streams need business capabilities

    Example business capability map – Higher Education

    A business capability map can be thought of as a visual representation of your organization’s business capabilities and represents a view of what your data program must support.

    Validate your business capability map with the right stakeholders, including your executive team, business unit leaders, and/or other key stakeholders.

    Example business capability map for: Higher Education

    Example business capability map for Higher Education

    Example business capability map – Local Government

    Validate your business capability map with the right stakeholders, including your executive team, business unit leaders, and/or other key stakeholders.

    A business capability map can be thought of as a visual representation of your organization’s business capabilities and represents a view of what your data program must support.

    Example business capability map for: Local Government

    Example business capability map for Local Government

    Value streams need business capabilities

    Value streams – the activities we do to provide value to customers – require business capabilities. Value streams are broken down further into value stages.

    Business capabilities are built up to allow the business to perform the activities that bring value to customers. Map capabilities to the activities in the value stage to spot opportunities and problems in delivering services and value.

    Business processes fulfill capabilities. They are a step-by-step description of who is performing what to achieve a goal. Capabilities consist of networks of processes and the resources – people, technology, materials – to execute them.

    Capability = Processes + Software, Infrastructure + People

    Prioritize a value stream and identify its supporting capabilities

    Prioritize your improvement objectives and business goals and identify a value stream to transform.

    Align the business objectives of your organization to your value streams (the critical actions that take place within your organization to add value to a customer).

    Prioritize a value stream to transform based on the number of priorities aligned to a value stream, and/or the business value (e.g. revenue, EBITDA earnings, competitive differentiation, or cost efficiency).

    Decompose the selected value stream into value stages.

    Align capabilities level 1 and 2 to value stages. One capability may support several value stages in the stream.

    Build a business architecture for the prioritized value stream with a map of business capabilities up to level 2.

    NOTE: We can’t map all capabilities all at once: business architecture is an ongoing practice; select key mapping initiatives each year based on business goals.

    Prioritize a value stream and identify its supporting capabilities

    Map business capabilities to Level 2

     Map business capabilities to Level 2

    Map capabilities to value stage

    Map capabilities to value stage

    Business value realization

    Business value defines the success criteria of an organization as manifested through organizational goals and outcomes, and it is interpreted from four perspectives:

    • Profit generation: The revenue generated from a business capability with a product that is enabled with modern technologies.
    • Cost reduction: The cost reduction when performing business capabilities with a product that is enabled with modern technologies.
    • Service enablement: The productivity and efficiency gains of internal business operations from products and capabilities enhanced with modern technologies.
    • Customer and market reach: The improved reach and insights of the business in existing or new markets.

    Business Value Matrix

    Value, goals, and outcomes cannot be achieved without business capabilities

    Break down your business goals into strategic and achievable initiatives focused on specific value streams and business capabilities.

    Business goals and outcomes

    Accelerate the process with an industry business architecture

    It’s never a good idea to start with a blank page.

    The business capability map available from Info-Tech and with industry standard models can be used as an accelerator. Assemble the relevant stakeholders – business unit leads and product/service owners – and modify the business capability map to suit your organization’s context.

    Acceleration path: Customize generic capability maps with the assistance of our industry analysts.

    Accelerate the process with an industry business architecture

    Identify goals and drivers

    Consider organizational goals and industry forces when planning.

    Business context Define value streams Build business capability map
    1.1 Select key stakeholders
    1.2 Collect and understand corporate goals
    2.1 Update or define value streams
    2.2 Decompose and analyze selected value stream
    3.1 Build level 1 capability map
    3.2 Build level 2 capability map
    3.3 Heatmap capability map
    3.4 Roadmap

    Use inputs from business goals and strategies to understand priorities.

    It is not necessary to have a comprehensive business strategy document to start – with key stakeholders, the business architect should be able to gather a one-page business value canvas or customer journey.

    Determine how the organization creates value

    Begin the process by identifying and locating the business mission and vision statements.

    What is business context?

    “The business context encompasses an understanding of the factors impacting the business from various perspectives, including how decisions are made and what the business is ultimately trying to achieve. The business context is used by IT to identify key implications for the execution of its strategic initiatives.”

    Source: Businesswire, 2018

    Identify the key stakeholders who can help you promote the value of business architecture

    First, as the CIO, you must engage executive stakeholders and secure their support.
    Focus on key players who have high power and high interest in business architecture.

    Engage the stakeholders who are impacted the most and have the power to impede the success of business architecture.

    For example, if the CFO – who has the power to block funding – is disengaged, business architecture will be put at risk.

    Use Info-Tech’s Stakeholder Power Map Template to help prioritize time spent with stakeholders.

    Sample power map

    Identify the key stakeholders concerned with the business architecture project

    A business architecture project may involve the following stakeholders:

    Business architecture project stakeholders

    You must identify who the stakeholders are for your business architecture work.

    Think about:

    • Who are the decision makers and key influencers?
    • Who will impact the business architecture work? Who will the work impact?
    • Who has vested interest in the success or failure of the practice?
    • Who has the skills and competencies necessary to help us be successful?

    Avoid these common mistakes:

    • Don’t focus on the organizational structure and hierarchy. Often stakeholder groups don’t fit the traditional structure.
    • Don’t ignore subject-matter experts on either the business or IT side. You will need to consider both.

    1.1 Identify and assemble key stakeholders

    1-3 hours

    Build an accurate depiction of the business.

    1. It is important to make sure the right stakeholders participate in this exercise. The exercise of identifying capabilities for an organization is very introspective and requires deep analysis.
    2. Consider:
      1. Who are the decision makers and key influencers?
      2. Who will impact the business capability work? Who has a vested interest in the success or failure of the outcome?
      3. Who has the skills and competencies necessary to help you be successful?
    3. Avoid:
      1. Don’t focus on the organizational structure and hierarchy. Often stakeholder groups don’t fit the traditional structure.
      2. Don’t ignore subject matter experts on either the business or IT side. You will need to consider both.
    Input Output
    • List of who is accountable for key business areas and decisions
    • Organizational chart
    • List of who has decision-making authority
    • A list of the key stakeholders
    Materials Participants
    • Whiteboard/Flip Charts
    • Modeling software (e.g. Visio, ArchiMate)
    • Business capability map industry models
    • CIO
    • Enterprise/Business Architect
    • Business Analysts
    • Business Unit Leads
    • Departmental Executives & Senior Managers

    Conduct interviews with the business to gather intelligence for strategy

    Talking to key stakeholders will allow you to get a holistic view of the business strategy.

    Stakeholder interviews provide holistic view of business strategy

    Build a strategy on a page through executive interviews and document reviews

    Understanding the business mandate and priorities ensures alignment across the enterprise.

    A business strategy must articulate the long-term destination the business is moving into. This illustration shapes all the strategies and activities in every other part of the business, including what IT capabilities and resources are required to support business goals. Ultimately, the benefits of a well-defined business strategy increase as the organization scales and as business units or functions are better equipped to align the strategic planning process in a manner that reflects the complexity of the organization.

    Using the Business Strategy on a Page canvas, consider the questions in each bucket to elicit the overall strategic context of the organization and uncover the right information to build your digital strategy. Interview key executives including your CEO, CIO, CMO, COO, CFO, and CRO, and review documents from your board or overall organizational strategy to uncover insights.

    Info-Tech Insight
    A well-articulated and clear business strategy helps different functional and business units work together and ensures that individual decisions support the overall direction of the business.

    Focus on business value and establish a common goal

    Business architecture is a strategic planning function and the focus must be on delivering business value.

    Examples business objectives:

    • Digitally transform the business, redefining its customer interactions.
    • Identify the root cause for escalating customer complaints and eroding satisfaction.
    • Identify reuse opportunities to increase operational efficiency.
    • Identify capabilities to efficiently leverage suppliers to handle demand fluctuations.

    Info-Tech Insight
    CIOs are ideally positioned to be the sponsors of business architecture given that their current top priorities are digital transformation, innovation catalyzation, and business alignment.

    1.2 Collect and understand business objectives

    1-3 hours

    Having a clear understanding of the business is crucial to executing on the strategic IT initiatives.

    1. Discover the strategic CIO initiatives your organization will pursue:
    • Schedule interviews.
    • Use the CIO Business Vision diagnostic or Business Context Discovery Tool.
  • Document the business goals.
  • Update and finalize business goals.
  • InputOutput
    • Existing business goals and strategies
    • Existing IT strategies
    • Interview findings
    • Diagnostic results
    • List of business goals
    • Strategy on a page
    • Business model canvas
    • Customer journey
    MaterialsParticipants
    • CIO Business Vision diagnostic
    • Interview questionnaire
    • CIO
    • Enterprise/Business Architect
    • Business Analysts
    • Business Unit Leads
    • Departmental Executives & Senior Managers

    CIO Business Vision Diagnostic

    CEO

    Vision

    Where do you want to go?
    What is the problem your organization is addressing?

    Mission/Mandate

    What do you do?
    How do you do?
    Whom do you do it for?

    Value Streams

    Why are you in business? What do you do?
    What products and services do you provide?
    Where has your business seen persistent demand?

    Key Products & Services

    What are your top three to five products and services?

    Key Customer Segments

    Who are you trying to serve or target?
    What are the customer segments that decide your value proposition?

    Value Proposition

    What is the value you deliver to your customers?

    Future Value Proposition

    What is your value proposition in three to five years’ time?

    Digital Experience Aspirations

    How can you create a more effective value stream?
    For example, greater value to customers or better supplier relationships.

    Business Resilience Aspirations

    How can you reduce business risks?
    For example, compliance, operational, security, or reputational.

    Sustainability (or ESG) Aspirations

    How can you deliver ESG and sustainability goals?

    Interview the following executives for each business goal area.

    CEO
    CRO
    COO

    Core Business Goals

    What are the core business goals to meet business objectives?

    Top Priorities & Initiatives

    What are the top initiatives and priorities over the planning horizon?

    Performance Insights/Metrics

    What do we need to achieve?
    How can the success be measured?

    CMO
    COO
    CFO

    Shared Business Goals

    What are the shared (operational) business goals to meet business objectives?

    Top Priorities & Initiatives

    What are the top initiatives and priorities over the planning horizon?

    Performance Insights/Metrics

    What do we need to achieve?
    How can the success be measured?

    CFO
    CIO
    COO
    CHRO

    Enabling Business Goals

    What are the enabling (supporting/enterprise) business goals to meet business objectives?

    Top Priorities & Initiatives

    What are the top initiatives and priorities over the planning horizon?

    Performance Insights/Metrics

    What do we need to achieve?
    How can the success be measured?

    Craft a strategy to increase stakeholder support and participation

    The BA practice’s supporters are potential champions who will help you market the value of BA; engage with them first to create positive momentum. Map out the concerns of each group of stakeholders so you can develop marketing tactics and communications vehicles to address them.

    Example Communication Strategy

    Stakeholder Concerns Tactics to Address Concerns Communication Vehicles Frequency
    Supporters
    (High Priority)
    • Build ability to execute BA techniques
    • Build executive support
    • Build understanding of how they can contribute to the success of the BA practice
    • Communicate the secured executive support
    • Help them apply BA techniques in their projects
    • Show examples of BA work (case studies)
    • Personalized meetings and interviews
    • Department/functional meetings
    • Communities of practice or centers of excellent (education and case studies)
    Bi-Monthly
    Indifferent
    (Medium Priority)
    • Build awareness and/or confidence
    • Feel like BA has nothing to do with them
    • Show quick wins and case studies
    • Centers of excellence (education and case studies
    • Use the support of the champions
    Quarterly
    Resistors
    (Medium Priority)
    • BA will cause delays
    • BA will step in their territory
    • BA’s scope is too broad
    • Lack of understanding
    • Prove the value of BA – case studies and metrics
    • Educate how BA complements their work
    • Educate them on the changes resulting from the BA practice’s work, and involve them in crafting the process
    • Individual meetings and interviews
    • Political jockeying
    • Use the support of the champions
    Tailored to individual groups

    1.3 Craft a strategy to increase stakeholder support and participation

    1-2 hours

    Now that you have organized and categorized your stakeholders based on their power, influence, interest, and knowledge of business architecture, it is time to brainstorm how you are going to gain their support and participation.

    Think about the following:

    • What are your stakeholders’ concerns?
    • How can you address them?
    • How will you deliver the message?
    • How often will you deliver the message?

    Avoid these common mistakes:

    • Your communication strategy development should be an iterative process. Do not assume to know the absolute best way to get through to every resistor right away. Instead, engage with your supporters for their input on how to communicate to resistors and repeat the process for indifferent stakeholders as well.
    Input Output
  • Stakeholder Engagement Map
    • Stakeholder Communications Strategy
    Materials Participants
    • Stakeholder Engagement Strategy Template
    • A computer
    • A whiteboard and markers CIO
    • Business Architect
    • IT Department Leads

    Download the Stakeholder Engagement Strategy Template for this project.

    Engaging the right stakeholders

    CASE STUDY

    Industry
    Financial - Banking

    Source
    Anonymous

    Situation Complication Result

    To achieve success with the business architecture initiative, the bank’s CIO needed to put together a plan to engage the right stakeholders in the process.

    Without the right stakeholders, the initiative would suffer from inadequate information and thus would run the risk of delivering an ineffective solution.

    The bank’s culture was resistant to change and each business unit had its own understanding of the business strategy. This was a big part of the problem that led to decreasing customer satisfaction.

    The CIO needed a unified vision for the business architecture practice involving people, process, and technology that all stakeholders could support.

    Starting with enlisting executive support in the form of a business sponsor, the CIO identified the rest of the key stakeholders, in this case, the business unit heads, who were necessary to engage for the initiative.

    Once identified, the CIO promoted the benefits of business architecture to each of the business unit heads while taking stock of their individual needs.

    1.4 Develop a plan to engage key stakeholders

    1 hour

    Using your stakeholder power map as a starting point, focus on the three most important quadrants: those that contain stakeholders you must keep informed, those to keep satisfied, and the key players.

    Plot the stakeholders from those quadrants on a stakeholder engagement map.

    Think about the following:

    • Who are your resistors? These individuals will actively detract from project’s success if you don’t address their concerns.
    • Who is indifferent? These individuals need to be educated more on the benefits of business architecture to have an opinion either way.
    • Who are your supporters? These individuals will support you and spread your message if you equip them to do so.

    Avoid these common mistakes:

    • Do not jump to addressing resistor concerns first. Instead, equip your supporters with the info they need to help your cause and gain positive momentum before approaching resistors.
    InputOutput
    • Stakeholder Engagement Map
    • Stakeholder Communications Strategy
    MaterialsParticipants
    • Stakeholder Engagement Strategy Template
    • A computer
    • A whiteboard and markers
    • CIO
    • Business Architect
    • IT Department Leads

    Download the Stakeholder Engagement Strategy Template for this project.

    1.5 Craft a strategy to increase stakeholder support and participation

    1-2 hours

    Now that you have organized and categorized your stakeholders based on their power, influence, interest, and knowledge of business architecture, it is time to brainstorm how you are going to gain their support and participation.

    Think about the following:

    • What are your stakeholders’ concerns?
    • How can you address them?
    • How will you deliver the message?
    • How often will you deliver the message?

    Avoid these common mistakes:

    • Your communication strategy development should be an iterative process. Do not assume to know the absolute best way to get through to every resistor right away. Instead, engage with your supporters for their input on how to communicate to resistors and repeat the process for indifferent stakeholders as well.
    InputOutput
    • Stakeholder Engagement Map
    • Stakeholder Communications Strategy
    MaterialsParticipants
    • Stakeholder Engagement Strategy Template
    • A computer
    • A whiteboard and markers
    • CIO
    • Business Architect
    • IT Department Leads

    Download the Stakeholder Engagement Strategy Template for this project.

    Define value streams

    Identify the core activities your organization does to provide value to your customers.

    Business context Define value streams Build business capability map

    1.1 Select key stakeholders
    1.2 Collect and understand corporate goals

    2.1 Update or define value streams
    2.2 Decompose and analyze selected value stream

    3.1 Build Level 1 capability map
    3.2 Build Level 2 capability map
    3.3 Heatmap capability map
    3.4 Roadmap

    This phase will walk you through the following activities:

    • Note: It is recommended that you gather and leverage relevant industry standard business architecture models you may have available to you. Example: Info-Tech Industry Business Architecture, BIZBOK, APQC.
    • Defining or updating the organization’s value streams.
    • Selecting priority value streams for deeper analysis.

    This phase involves the following participants:

    • Business Architect, Enterprise Architect
    • Relevant Business Stakeholder(s): Business Unit Leads, Departmental Executives, Senior Mangers, Business Analysts

    Define the organization’s value streams

    • Value streams connect business goals to the organization’s value realization activities. They enable an organization to create and capture value in the marketplace by engaging in a set of interconnected activities. Those activities are dependent on the specific industry segment an organization operates within. Value streams can extend beyond the organization into the supporting ecosystem, whereas business processes are contained within and the organization has complete control over them.
    • There are two types of value streams: core value streams and support value streams. Core value streams are mostly externally facing: they deliver value to either an external or internal customer and they tie to the customer perspective of the strategy map. Support value streams are internally facing and provide the foundational support for an organization to operate.
    • An effective method for ensuring all value streams have been considered is to understand that there can be different end-value receivers. Info-Tech recommends identifying and organizing the value streams with customers and partners as end-value receivers.

    Connect business goals to value streams

    Example strategy map and value stream

    Identifying value streams

    Value streams connect business goals to organization’s value realization activities. They enable an organization to create and capture value in the market place by engaging in a set of interconnected activities.

    There are several key questions to ask when endeavoring to identify value streams.

    Key Questions
    • Who are your customers?
    • What are the benefits we deliver to them?
    • How do we deliver those benefits?
    • How does the customer receive the benefits?

    Example: Value stream descriptions for the retail industry

    Value StreamsCreate or Purchase ProductManage InventoryDistribute ProductSell Product
    • Retailers need to purchase the products they are going to sell to customers from manufacturers or wholesale distributors.
    • A retailer’s success depends on its ability to source products that customers want and are willing to buy.
    • In addition, they need to purchase the right amount and assortment of products based on anticipated demand.
    • The right inventory needs to be at a particular store in the right quantities exactly when it is needed. This helps to maximize sales and minimize how much cash is held up in inventory.
    • Inventory management includes tracking, ordering, and stocking products, e.g. raw materials, finished products, buffer inventory.
    • Optimizing distribution activities is important for retailers.
    • Proper supply chain management can not only reduce costs for retailers but also drive revenues by enhancing shopping experiences.
    • Distribution includes transportation, packaging and delivery.
    • As business becomes global, it is important to ensure the whole distribution channel is effective.
    • Once produced, retailers need to sell the products. This is done through many channels including physical stores, online, the mail, or catalogs.
    • After the sale, retailers typically have to deliver the product, provide customer care, and manage complaints.
    • Retailers can use loyalty programs, pricing, and promotions to foster repeat business.

    Value streams describe your core business

    Value streams – the activities we do to provide value to customers – require business capabilities.

    Value streams are broken down further into value stages, for example, Sell Product value stream has value stages Evaluate Options, Place Order, and Make Payment.

    Think of value streams as the core operations, the reason for our organization’s being. A professional consulting organization may have a legal team but it does not brand itself as a law firm. A core value stream is providing research products and services – a business capability that supports it is legal counsel.

    2.1 Define value streams

    1-3 hours

    Unify the organization’s perspective on how it creates value.

    1. Write a short description of the value stream that includes a statement about the value provided and a clear start and end for the value stream. Validate the accuracy of the descriptions with your key stakeholders.
    2. Consider:
      1. How does the organization deliver those benefits?
      2. How does the customer receive the benefits?
      3. What is the scope of your value stream? What will trigger the stream to start and what will the final value be?
    3. Avoid: Don’t start with a blank page. Use Info-Tech’s business architecture models for sample value streams.
    Input Output
    • Business strategy or goals
    • Financial statements
    • Info-Tech’s industry-specific business architecture
    • List of organizational specific value streams
    • Detailed value stream definition(s)
    Materials Participants
    • Whiteboard / Kanban Board
    • Reference Architecture Template – See your Account Representative for details
    • Other industry standard reference architecture models: BIZBOK, APQC, etc.
    • Info-Tech Archi Models
    • Enterprise/Business Architect
    • Business Analysts
    • Business Unit Leads
    • CIO
    • Departmental Executives & Senior Managers

    See your Info-Tech Account Representative for access to the Reference Architecture Template

    Decompose the value stream into stages

    The stages of a value stream are usually action-oriented statements or verbs that make up the individual steps involved throughout the scope of the value stream, e.g. Place Order or Make Payment.

    Each value stream should have a trigger or starting point and an end result for a client or receiver.

    Decompose the value stream into stages

    There should be measurable value or benefits at each stage.
    These are key performance indicators (KPIs).
    Spot problem areas in the stream.

    Value streams usually fall into one of these categories:

    1. Fulfillment of products and services
    2. Manufacturing
    3. Software products
    4. Supporting value streams (procurement of supplies, product planning)

    Value stream and value stages examples

    Customer Acquisitions
    Identify Prospects > Contact Prospects > Verify Interests

    Sell Product
    Identify Options > Evaluate Options > Negotiate Price and Delivery Date > Place Order > Get Invoice > Make Payment

    Product Delivery
    Confirm Order > Plan Load > Receive Warehouse > Fill Order > Ship Order > Deliver Order > Invoice Customer

    Product Financing
    Initiate Loan Application > Decide on Application > Submit Documents > Review & Satisfy T&C > Finalize Documents > Conduct Funding > Conduct Funding Audits

    Product Release
    Ideate > Design > Build > Release

    Sell Product is a value stream, made up of value stages Identify options, Evaluate options, and so on.

    2.2 Decompose selected value streams

    1-3 hours

    Once we have a good understanding of our value streams, we need to decide which ones to focus on for deeper analysis and modeling, e.g. extend the business architecture to more detailed level 2 capabilities.

    Organization has goals and delivers products or services.

    1. Identify which value propositions are most important, e.g. be more productive or manage money more simply.
    2. Identify the value stream(s) that create the value proposition.
    3. Break the selected value stream into value stages.
    4. Analyze value stages for opportunities.

    Practical Guide to Agile Strategy Execution

    InputOutput
    • Value stream maps and definitions
    • Business goals, business model canvas, customer journey (value proposition) Selected value streams decomposed into value stages
    • Analysis of selected value streams for opportunities
    • Value stream map
    MaterialsParticipants
    • Whiteboard / Kanban Board
    • Reference Architecture Template – See your Account Representative for details
    • Other industry standard reference architecture models: BIZBOK, APQC, etc.
    • Enterprise/Business Architect
    • Business Analysts
    • Business Unit Leads
    • CIO
    • Departmental Executives & Senior Managers

    Build your value stream one layer at a time to ensure clarity and comprehensiveness

    The first step of creating a value stream is defining it.

    • In this step, you create the parameters around the value stream and document them in a list format.
    • This allows you to know where each value stream starts and ends and the unique value it provides.

    The second step is the value stream mapping.

    • The majority of the mapping is done here where you break down your value stream into each of its component stages.
    • Analysis of these stages allows for a deeper understanding of the value stream.
    • The mapping layer connects the value stream to organizational capabilities.

    Define the value streams that are tied to your strategic goals and document them in a list

    Title

    • Create a title for your value stream that indicates the value it achieves.
    • Ensure your title is clear and will be understood the same way across the organization.
    • The common naming convention for value streams is to use nouns, e.g. product purchase.

    Scope

    • Determine the scope of your value stream by defining the trigger to start the value stream and final value delivered to end the value stream.
    • Be precise with your trigger to ensure you do not mistakenly include actions that would not trigger your value stream.
    • A useful tip is creating a decision tree and outlining the path that results in your trigger.

    Objectives

    • Determine the objectives of the value stream by highlighting the outcome it delivers.
    • Identify the desired outcomes of the value stream from the perspective of your organization.

    Example Value Streams List

    Title Scope Objectives
    Sell Product From option identification to payment Revenue Growth

    Create a value stream map

    A Decompose the Value Stream Into Stages B Add the Customer Perspective
    • Determine the different stages that comprise the value stream.
    • Place the stages in the correct order.
    • Outline the likely sentiment and meaningful needs of the customer at each value stage.
    C Add the Expected Outcome D Define the Entry and Exit Criteria
    • Define the desired outcome of each stage from the perspective of the organization.
    • Define both the entry and exit criteria for each stage.
    • Note that the entry criteria of the first stage is what triggers the value stream.
    E Outline the Metrics F Assess the Stages
    • For each stage of the value stream, outline the metrics the organization can use to identify its ability to attain the desired outcome.
    • Assess how well each stage of the value stream is performing against its target metrics and use this as the basis to drill down into how/where improvements can be made.

    Decompose the value stream into its value stages

    The first step in creating a value stream map is breaking it up into its component stages.

    The stages of a value stream are usually action-oriented statements or verbs that make up the individual steps involved throughout the scope of the value stream.

    Illustration of decomposing value stream into its value stages

    The Benefit
    Segmenting your value stream into individual stages will give you a better understanding of the steps involved in creating value.

    Connect the stages of the value stream to a specific customer perspective

    Example of a sell product value stream

    The Benefit
    Adding the customer’s perspective will inform you of their priorities at each stage of the value stream.

    Connect the stages of the value stream to a desired outcome

    Example of a sell product value stream

    The Benefit
    Understanding the organization’s desired outcome at each stage of the value stream will help set objectives and establish metrics.

    Define the entry and exit criteria of each stage

    Example of entry and exit criteria for each stage

    The Benefit
    Establishing the entry and exit criteria for each stage will help you understand how the customer experience flows from one end of the stream to the other.

    Outline the key metric(s) for each stage

    Outline the key metrics for each stage

    The Benefit
    Setting metrics for each stage will facilitate the tracking of success and inform the business architecture practitioner of where investments should be made.

    Example value stream map: Sell Product

    Assess the stages of your value stream map to determine which capabilities to examine further

    To determine which specific business capabilities you should seek to assess and potentially refine, you must review performance toward target metrics at each stage of the value stream.

    Stages that are not performing to their targets should be examined further by assessing the capabilities that enable them.

    Value Stage Metric Description Metric Target Current Measure Meets Objective?
    Evaluate Options Number of Product Demonstrations 12,000/month 9,000/month No
    Identify Options Google Searches 100K/month 100K/month Yes
    Identify Options Product Mentions 1M/month 1M/month Yes
    Website Traffic (Hits)
    Average Deal Size
    Number of Deals
    Time to Complete an Order
    Percentage of Invoices Without Error
    Average Time to Acquire Payment in Full

    Determine the business capabilities that support the value stage corresponding with the failing metric

    Sell Product

    Identify Options > Evaluate Options > Negotiate Price and Delivery Date > Place Order > Get Invoice > Make Payment

    The value stage(s) that doesn’t meet its objective metrics should be examined further.

    • This is done through business capability mapping and assessment.
    • Starting at the highest level (level 0) view of a business, the business architecture practitioner must drill down into the lower level capabilities that support the specific value stage to diagnose/improve an issue.

    Info-Tech Insight
    In the absence of tangible metrics, you will have to make a qualitative judgement about which stage(s) of the value stream warrant further examination for problems and opportunities.

    Build business capability map

    Align supporting capabilities to priority activities.

    Business context Define value streams Build business capability map
    1.1 Select key stakeholders
    1.2 Collect and understand corporate goals
    2.1 Update or define value streams
    2.2 Decompose and analyze selected value stream
    3.1 Build Level 1 capability map
    3.2 Build Level 2 capability map
    3.3 Heatmap capability map
    3.4 Roadmap

    This step will walk you through the following activities:

    • Determine which business capabilities support value streams
    • Accelerate the process with an industry reference architecture
    • Validate the business capability map
    • Establish level 2 capability

    This step involves the following participants:

    • Enterprise/Business Architect
    • Business Analysts
    • Business Unit Leads
    • CIO
    • Departmental Executives & Senior Managers

    Outcomes of this step

  • A validated level 1 business capability map
  • Level 2 capabilities for selected value stream(s)
  • Heatmapped business capability map
  • Business architecture initiatives roadmap
  • Develop a business capability map – level 1

    • Business architecture consists of a set of techniques to create multiple views of an organization; the primary view is known as a business capability map.
    • A business capability defines what a business does to enable value creation and achieve outcomes, rather than how. Business capabilities are business terms defined using descriptive nouns such as “Marketing” or “Research and Development.” They represent stable business functions, are unique and independent of each other, and typically will have a defined business outcome. Business capabilities should not be defined as organizational units and are typically longer lasting than organizational structures.
    • A business capability mapping process should begin at the highest-level view of an organization, the level 1, which presents the entire business on a page.
    • An effective method of organizing business capabilities is to split them into logical groupings or categories. At the highest level, capabilities are either “core” (customer-facing functions) or “enabling” (supporting functions).
    • As a best practice, Info-Tech recommends dividing business capabilities into the categories illustrated to the right.

    The Business Capability Map is the primary visual representation of the organization’s key abilities or services that are delivered to stakeholders. This model forms the basis of strategic planning discussions.

    Example of a business capability map

    Example business capability map – Higher Education

    A business capability map can be thought of as a visual representation of your organization’s business capabilities and represents a view of what your data program must support.

    Validate your business capability map with the right stakeholders, including your executive team, business unit leaders, and/or other key stakeholders.

    Example business capability map for: Higher Education

    Example business capability map for higher education

    Example business capability map – Local Government

    A business capability map can be thought of as a visual representation of your organization’s business capabilities and represents a view of what your data program must support.

    Validate your business capability map with the right stakeholders, including your executive team, business unit leaders, and/or other key stakeholders.

    Example business capability map for: Local Government

    Example business capability map for local government

    Map capabilities to value stage

    Example of a value stage

    Source: Lambert, “Practical Guide to Agile Strategy Execution”

    3.1 Build level 1 business capability map

    1-3 hours

    1. Analyze the value streams to identify and describe the organization’s capabilities that support them. This stage requires a good understanding of the business and will be a critical foundation for the business capability map. Use the reference business architecture’s business capability map for your industry for examples of level 1 and 2 business capabilities and the capability map template to work in.
    2. Avoid:
      1. Don’t repeat capabilities. Capabilities are typically mutually exclusive activities.
      2. Don’t include temporary initiatives. Capabilities should be stable over time. The people, processes, and technologies that support capabilities will change continuously.

    Ensure you engage with the right stakeholders:

    Don’t waste your efforts building an inaccurate depiction of the business: The exercise of identifying capabilities for an organization is very introspective and requires deep analysis.

    It is challenging to develop a common language that everyone will understand and be able to apply. Invest in the time to ensure the right stakeholders are brought into the fold and bring their business area expertise and understanding to the table.

    InputOutput
    • Existing business capability maps
    • Value stream map
    • Info-Tech’s industry-specific business architecture
    • Level 1 business capability map for enterprise
    MaterialsParticipants
    • Whiteboard
    • Reference Architecture Template – See your Account Representative for details
    • Other industry standard reference architecture models: BIZBOK, APQC, etc.
    • Archi Models
    • Enterprise/Business Architect
    • Business Analysts
    • Business Unit Leads
    • CIO
    • Departmental Executives & Senior Managers

    Prioritize one value stream and build a business architecture to level 2 capabilities

    Prioritize your innovation objectives and business goals, and identify a value stream to transform.

    Align the innovation goals and business objectives of your organization to your value streams (the critical actions that take place within your organization to add value to a customer).
    Prioritize a value stream to transform based on the number of priorities aligned to a value stream and/or the business value (e.g. revenue, EBITDA earnings, competitive differentiation, or cost efficiency).
    Working alongside a business or enterprise architect, build a reference architecture for the prioritized value stream up to level 2.

    Example of a value stream to business architecture level 2 capabilities

    Info-Tech Insight
    To produce maximum impact, focus on value streams that provide two-thirds of your enterprise value (EBITDA earnings).

    From level 1 to level 2 business capabilities

    Example moving from level 1 to level 2 business capabilities

    3.2 Build level 2 business capability map

    1-3 hours

    It is only at level 2 and further that we can pinpoint the business capabilities – the exact resources, whether applications or data or processes – that we need to focus on to realize improvements in the organization’s performance and customer experience.

    1. Gather industry reference models and any existing business capability maps.
    2. For the selected value stream, further break down its level 1 business capabilities into level 2 capabilities.
    3. You can often represent the business capabilities on a single page, providing a holistic visual for decision makers.
    4. Use meaningful names for business capabilities so that planners, stakeholders, and subject matter experts can easily search the map.
    InputOutput
    • Existing business capability maps
    • Value stream map
    • Info-Tech’s industry-specific business architecture
    • Level 1 business capability map
    • Level 2 Business Capability Map for selected Value Stream
    MaterialsParticipants
    • Whiteboard
    • Reference Architecture Template – See your Account Representative for details.
    • Other industry standard reference architecture models: BIZBOK, APQC, etc.
    • Archi Models
    • Enterprise/Business Architect
    • Business Analysts
    • Business Unit Leads
    • CIO
    • Departmental Executives & Senior Managers

    Download: See your Account Representative for access to Info-Tech’s Reference Architecture Template

    3.3 Heatmap business capability map

    1-3 hours

    Determine the organization’s key capabilities.

    1. Determine cost advantage creators. If your organization has a cost advantage over competitors, the capabilities that enable it should be identified and prioritized. Highlight these capabilities and prioritize the programs that support them.
    2. Determine competitive advantage creators. If your organization does not have a cost advantage over competitors, determine if it can deliver differentiated end-customer experiences. Once you have identified the competitive advantages, understand which capabilities enable them. These capabilities are critical to the success of the organization and should be highly supported.
    3. Define key future state capabilities. In addition to the current and competitive advantage creators, the organization may have the intention to enhance new capabilities. Discuss and select the capabilities that will help drive the attainment of future goals.
    4. Assess how well information, applications, and processes support capabilities.
    InputOutput
    • Business capability map
    • Cost advantage creators
    • Competitive advantage creators
    • IT and business assessments
    • Key business capabilities
    • Business process review
    • Information assessment
    • Application assessment
    • List of IT implications
    MaterialsParticipants
    • Whiteboard
    • Reference Architecture Template – See your Account Representative for details.
    • Other industry standard reference architecture models: BIZBOK, APQC, etc.
    • Archi Models
    • Enterprise/Business Architect
    • Business Analysts
    • Business Unit Leads
    • CIO
    • Departmental Executives & Senior Managers

    Download: See your Account Representative for access to Info-Tech’s Reference Architecture Template

    Business capability map: Education

    Illustrative example of a business capability map for education

    Define key capabilities

    Illustrative example of Define key capabilities

    Note: Illustrative Example

    Business process review

    Illustrative example of a business process review

    Note: Illustrative Example

    Information assessment

     Illustrative example of an Information assessment

    Note: Illustrative Example

    Application assessment

     Illustrative example of an Application assessment

    Note: Illustrative Example

    MoSCoW analysis for business capabilities

     Illustrative example of a MoSCoW analysis for business capabilities

    Note: Illustrative Example

    Ranked list of IT implications

    MoSCoW Rank IT Implication Value Stream Impacted Comments/Actions
    M [Implication] [Value Stream]
    M [Implication] [Value Stream]
    M [Implication] [Value Stream]
    S [Implication] [Value Stream]
    S [Implication] [Value Stream]
    S [Implication] [Value Stream]
    C [Implication] [Value Stream]
    C [Implication] [Value Stream]
    C [Implication] [Value Stream]
    W [Implication] [Value Stream]
    W [Implication] [Value Stream]
    W [Implication] [Value Stream]

    3.4 Roadmap business architecture initiatives

    1-3 hours

    Unify the organization’s perspective on how it creates value.

    1. Write a short description of the value stream that includes a statement about the value provided and a clear start and end for the value stream. Validate the accuracy of the descriptions with your key stakeholders.
    2. Consider:
      1. How does the organization deliver those benefits?
      2. How does the customer receive the benefits?
      3. What is the scope of your value stream? What will trigger the stream to start and what will the final value be?
    3. Don’t start with a blank page. Use Info-Tech’s business architecture models for sample value streams.
    InputOutput
    • Existing business capability maps
    • Value stream map
    • Info-Tech’s industry-specific business architecture
    • Level 1 business capability map
    • Heatmapped business capability map
    MaterialsParticipants
    • Whiteboard
    • Reference Architecture Template – See your Account Representative for details.
    • Other industry standard reference architecture models: BIZBOK, APQC, etc.
    • Archi Models
    • Enterprise/Business Architect
    • Business Analysts
    • Business Unit Leads
    • CIO
    • Departmental Executives & Senior Managers

    Download: See your Account Representative for access to Info-Tech’s Reference Architecture Template

    Example: Business architecture deliverables

    Enterprise Architecture Domain Architectural View Selection
    Business Architecture Business strategy map Required
    Business Architecture Business model canvas Optional
    Business Architecture Value streams Required
    Business Architecture Business capability map Not Used
    Business Architecture Business process flows
    Business Architecture Service portfolio
    Data Architecture Conceptual data model
    Data Architecture Logical data model
    Data Architecture Physical data model
    Data Architecture Data flow diagram
    Data Architecture Data lineage diagram

    Tools and templates to compile and communicate your business architecture work

    The Industry Business Reference Architecture Template for your industry is a place for you to collect all of the activity outputs and outcomes you’ve completed for use in next-steps.

    Download the Industry Business Reference Architecture Template for your industry

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit Guided Implementation Workshop Consulting
    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks are used throughout all four options

    Research Contributors and Experts

    Name Role Organization
    Ibrahim Abdel-Kader Research Analyst, Data & Analytics Info-Tech Research Group
    Ben Abrishami-Shirazi Technical Counselor, Enterprise Architecture Info-Tech Research Group
    Andrew Bailey Consulting, Manager Info-Tech Research Group
    Dana Dahar Research & Advisory Director, CIO / Digital Business Strategy Info-Tech Research Group
    Larry Fretz VP Info-Tech Research Group
    Shibly Hamidur Enterprise Architect Toronto Transit Commission (TTC)
    Rahul Jaiswal Principal Research Director, Industry Info-Tech Research Group
    John Kemp Executive Counselor, Executive Services Info-Tech Research Group
    Gerald Khoury Senior Executive Advisor Info-Tech Research Group
    Igor Ikonnikov Principal Advisory Director, Data & Analytics Info-Tech Research Group
    Daniel Lambert VP Benchmark Consulting
    Milena Litoiu Principal Research Director, Enterprise Architecture Info-Tech Research Group
    Andy Neill AVP Data & Analytics, Chief Enterprise Architect Info-Tech Research Group
    Rajesh Parab Research Director, Data & Analytics Info-Tech Research Group
    Rick Pittman VP, Research Info-Tech Research Group
    Irina Sedenko Research Director, Data & Analytics Info-Tech Research Group

    Bibliography

    Andriole, Steve. “Why No One Understands Enterprise Architecture & Why Technology Abstractions Always Fail.” Forbes, 18 September 2020. Web.

    “APQC Process Classification Framework (PCF) – Retail.” American Productivity & Quality Center, 9 January 2019. Web.

    Brose, Cari. “Who’s on First? Architecture Roles and Responsibilities in SAFe.” Business Architecture Guild, 9 March 2017. Web.

    Burlton, Roger, Jim Ryne, and Daniel St. George. “Value Streams and Business Processes: The Business Architecture Perspective.” Business Architecture Guild, December 2019. Web.

    “Business Architecture: An overview of the business architecture professional.” Capstera, 5 January 2022. Web.

    Business Architecture Guild. “What is Business Architecture?” Business Analyst Mentor, 18 November 2022. Web.

    “Business Architecture Overview.” The Business Architecture Working Group of the Object Management Group (OMG), n.d. Web.

    “Delivering on your strategic vision.” The Business Architecture Guild, n.d. Web.

    Ecker, Grant. “Deploying business architecture.” LinkedIn, 11 November 2021. (Presentation)

    IRIS. “Retail Business Architecture Framework and Examples.” IRIS Business Architect, n.d. Web.

    IRIS. “What Is Business Architecture?” IRIS Business Architect, 8 May 2014. Web.

    IRIS. “Your Enterprise Architecture Practice Maturity 2021 Assessment.” IRIS Business Architect, 17 May 2021. Web.

    Khuen, Whynde. “How Business Architecture Breaks Down and Bridges Silos.” Biz Arch Mastery, January 2020. Web.

    Lambert, Daniel. “Practical Guide to Agile Strategy Execution.” 18 February 2020.

    Lankhorst, Marc, and Bernd Ihnen. “Mapping the BIZBOK Metamodel to the ArchiMate Language.” Bizzdesign, 2 September 2021. Web.

    Ramias, Alan, and Andrew Spanyi, “Demystifying the Relationship Between Processes and Capabilities: A Modest Proposal.” BPTrends, 2 February 2015. Web.

    Newman, Daniel. “NRF 2022: 4 Key Trends From This Year’s Big Show.” Forbes, 20 January 2022. Web.

    Research and Markets. “Define the Business Context Needed to Complete Strategic IT Initiatives: 2018 Blueprint.” Business Wire, 1 February 2018. Web.

    Sabanoglu, Tugba. “Retail market worldwide - Statistics & Facts.” Statista, 21 April 2022. Web.

    Spacey, John. “Capability vs Process.” Simplicable, 18 November 2016. Web.

    “The Definitive Guide to Business Capabilities.” LeanIX, n.d. Web.

    TOGAF 9. Version 9.1. The Open Group, 2011. Web.

    “What is Business Architecture?” STA Group, 2017. PDF.

    Whittie, Ralph. “The Business Architecture, Value Streams and Value Chains.” BA Institute, n.d. Web.

    Data and Analytics Trends 2023

    • Buy Link or Shortcode: {j2store}208|cart{/j2store}
    • member rating overall impact: 9.0/10 Overall Impact
    • member rating average dollars saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • member rating average days saved: Read what our members are saying
    • Parent Category Name: Business Intelligence Strategy
    • Parent Category Link: /business-intelligence-strategy

    Data is a unique resource that keeps growing, presenting opportunities along the way. CIOs and IT leaders can use rapidly evolving technologies and capabilities to harness this data and its value for the organization.

    IT leaders must prepare their teams and operations with the right knowledge, capabilities, and strategies to make sure they remain competitive in 2023 and beyond. Nine trends that expand on the three common Vs of data – volume, velocity, and variety – can help guide the way.

    Focus on trends that align with your opportunities and challenges

    The path to becoming more competitive in a data-driven economy differs from one company to the next. IT leaders should use the data and analytics trends that align most with their organizational goals and can lead to positive business outcomes.

    1. Prioritize your investments: Conduct market analysis and prioritize the data and analytics investments that will be critical to your business.
    2. Build a robust strategy: Identify a clear path between your data vision and business outcomes to build a strategy that’s a good fit for your organization.
    3. Inspire practical innovation: Follow a pragmatic approach to implementing trends that range from data gravity and democratization to data monetization and augmented analytics.

    Data and Analytics Trends 2023 Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Data and Analytics Trends Report 2023 – A report that explores nine data use cases for emerging technologies that can improve on capabilities needed to compete in the data-driven economy.

    Data technologies are rapidly evolving. Understanding data's art of the possible is critical. However, to adapt to these upcoming data trends, a solid data management foundation is required. This report explores nine data trends based on the proven framework of data V's: Volume, Velocity, Variety, Veracity, Value, Virtue, Visualization, Virality, and Viscosity.

    • Data and Analytics Trends Report 2023
    [infographic]

    Further reading

    Data and Analytics Trends Report 2023

    SOONER OR LATER, YOU WILL BE IN THE DATA BUSINESS!

    Nine Data Trends for 2023

    In this report, we explore nine data use cases for emerging technologies that can improve on capabilities needed to compete in the data-driven economy. Use cases combine emerging data trends and modernization of existing capabilities.

    1. VOLUME
      • Data Gravity
    2. VELOCITY
    • Democratizing Real-Time Data
  • VARIETY
    • Augmented Data Management
  • VERACITY
    • Identity Authenticity
  • VALUE
    • Data Monetization
  • VIRTUE
    • Adaptive Data Governance
  • VISUALIZATION
    • AI-Driven Storytelling & Augmented Analytics
  • VIRALITY
    • Data Marketplace
  • VISCOSITY
    • DevOps – DataOps – XOps

    VOLUME

    Data Gravity

    Trend 01 Demand for storage and bandwidth continues to grow

    When organizations begin to prioritize data, they first consider the sheer volume of data, which will influence data system design. Your data systems must consider the existing and growing volume of data by assessing industry initiatives such as digital transformation, Industry 4.0, IoT, consumer digital footprint, etc.

    The largest data center in the world is a citadel in Reno, Nevada, that stretches over 7.2 million square feet!

    Source: Cloudwards, 2022

    IoT devices will generate 79.4 zettabytes of data
    by 2025.

    Source: IDC, 2019

    There were about 97
    zettabytes of data generated worldwide in 2022.

    Source: “Volume of Data,” Statista, 2022

    VOLUME

    Data Gravity

    Data attracts more data and an ecosystem of applications and services

    SharePoint, OneDrive, Google Drive, and Dropbox offer APIs and integration opportunities for developers to enhance their products.

    Social media platforms thought about this early by allowing for an ecosystem of filters, apps, games, and effects that engage their users with little to no additional effort from internal resources.

    The image contains four logos. SharePoint, OneDrive, Google Drive, and Dropbox.

    VOLUME

    Data Gravity

    Focus on data gravity and avoid cloud repatriation

    Data gravity is the tendency of data to attract applications, services, and other data. A growing number of cloud migration decisions will be made based on the data gravity concept. It will become increasingly important in data strategies, with failure potentially resulting in costly cloud repatriations.

    Emerging technologies and capabilities:

    Data Lakehouse, Data Mesh, Data Fabric, Hybrid Data, Cloud Data, Edge Computing

    47%

    Centralized cloud storage going down in 2 years

    22%
    25%

    Hybrid storage (centralized + edge) going up in 2 years

    47%

    Source: CIO, 2022

    VOLUME

    Data Gravity

    What worked for terabytes is ineffective for petabytes

    When compared to on-premises infrastructure, cloud computing is less expensive and easier to implement. However, poor data replication and data gravity can significantly increase cloud costs to the point of failure. Data gravity will help organizations make better cloud migration decisions.

    It is also critical to recognize changes in the industry landscape. The goal of data processing and analytics is to generate the right data for users to act on. In most cases, the user is a human being, but in the case of autonomous driving (AD), the car takes on the role of the user (DXC Technology).

    To avoid cloud repatriation, it will become prudent for all organizations to consider data gravity and the timing of cloud migration.

    The image contains a diagram on data gravity.

    VELOCITY

    Democratizing Real-Time Data

    Trend 02 Real-time analytics presents an important differentiator

    The velocity element of data can be assessed from two standpoints: the speed at which data is being generated and how fast the organization needs to respond to the incoming information through capture, analysis, and use. Traditionally data was processed in a batch format (all at once or in incremental nightly data loads). There is a growing demand to process data continuously using streaming data-processing techniques.

    Emerging technologies and capabilities:

    Edge Computing

    Google announced it has a quantum computer that is 100 million times faster than any classical computer in its lab.

    Source: Science Alert, 2015

    The number of qubits in quantum computers has been increasing dramatically, from 2 qubits in 1998 to 128 qubits in 2019.

    Source: Statista, 2019

    IBM released a 433-qubit quantum chip named Osprey in 2022 and expects to surpass 1,000 qubits with its next chip, Condor, in 2023.

    Source: Nature, 2023

    VELOCITY

    Democratizing Real-Time Data

    Make data accessible to everyone in real time

    • 90% of an organization’s data is replicated or redundant.
    • Build API and web services that allow for live access to data.
    • Most social media platforms, like Twitter and Facebook, have APIs that offer access to incredible amounts of data and insights.

    VELOCITY

    Democratizing Real-Time Data

    Trend in Data Velocity

    Data democratization means data is widely accessible to all stakeholders without bottlenecks or barriers. Success in data democratization comes with ubiquitous real-time analytics. Google highlights a need to address democratization in two different frames:

    1. Democratizing stream analytics for all businesses to ensure real-time data at the company level.
    2. Democratizing stream analytics for all personas and the ability of all users to generate real-time insights.

    Emerging technologies and capabilities:

    Data Lakehouse, Streaming API Ecosystem, Industry 4.0, Zero-Copy Cloning

    Nearly 70% of all new vehicles globally will be connected to the internet by 2023.

    Source: “Connected light-duty vehicles,” Statista, 2022

    VELOCITY

    Democratizing Real-Time Data

    Enable real-time processing with API

    In the past, data democratization has largely translated into a free data set and open data portals. This has allowed the government to freely share data with the public. Also, the data science community has embraced the availability of large data sets such as weather data, stock data, etc. In the future, more focus will be on the combination of IoT and steaming analytics, which will provide better responsiveness and agility.

    Many researchers, media companies, and organizations now have easy access to the Twitter/Facebook API platform to study various aspects of human behavior and sentiments. Large technology companies have already democratized their data using real-time APIs.

    Thousands of sources for open data are available at your local municipalities alone.

    6G will push Wi-Fi connectivity to 1 terabyte per second! This is expected to become commercially available by 2030.

    VARIETY

    Augmented Data Management

    Trend 03 Need to manage unstructured data

    The variety of data types is increasingly diverse. Structured data often comes from relational databases, while unstructured data comes from several sources such as photos, video, text documents, cell phones, etc. The variety of data is where technology can drive business value. However, unstructured data also poses a risk, especially for external data.

    The number of IoT devices could rise to 30.9 billion by 2025.

    Source: “IoT and Non-IoT Connections Worldwide,” Statista, 2022

    The global edge computing market is expected to reach $250.6 billion by 2024.

    Source: “Edge Computing,” Statista, 2022

    Genomics research is expected to generate between 2 and 40 exabytes of data within the next decade.

    Source: NIH, 2022

    VARIETY

    Augmented Data Management

    Employ AI to automate data management

    New tools will enhance many aspects of data management:

    • Data preparation, integration, cataloging, and quality
    • Metadata management
    • Master data management

    Enabling AI-assisted decision-making tools

    The image contains logos of the AI-assisted decision-making tools. Informatica, collibra, OCTOPAI.

    VARIETY

    Augmented Data Management

    Trend in Data Variety

    Augmented data management will enhance or automate data management capabilities by leveraging AI and related advanced techniques. It is quite possible to leverage existing data management tools and techniques, but most experts have recognized that more work and advanced patterns are needed to solve many complex data problems.

    Emerging technologies and capabilities:

    Data Factory, Data Mesh, Data Fabric, Artificial Intelligence, Machine Learning

    VARIETY

    Augmented Data Management

    Data Fabric vs. Data Mesh: The Data Journey continues at an accelerated pace

    Data Fabric

    Data Mesh

    Data fabric is an architecture that facilitates the end-to-end integration of various data pipelines and cloud environments using intelligent and automated systems. It’s a data integration pattern to unify disparate data systems, embed governance, strengthen security and privacy measures, and provide more data accessibility to workers and particularly to business users.

    The data mesh architecture is an approach that aligns data sources by business domains, or functions, with data owners. With data ownership decentralization, data owners can create data products for their respective domains, meaning data consumers, both data scientists and business users, can use a combination of these data products for data analytics and data science.

    More Unstructured Data

    95% of businesses cite the need to manage unstructured data as a problem for their business.

    VERACITY

    Identity Authenticity

    Trend 04 Veracity of data is a true test of your data capabilities

    Data veracity is defined as the accuracy or truthfulness of a data set. More and more data is created in semi-structured and unstructured formats and originates from largely uncontrolled sources (e.g. social media platforms, external sources). The reliability and quality of the data being integrated should be a top concern. The veracity of data is imperative when looking to use data for predictive purposes. For example, energy companies rely heavily on weather patterns to optimize their service outputs, but weather patterns have an element of unpredictability.

    Data quality affects overall labor productivity by as much as 20%, and 30% of operating expenses are due to insufficient data.

    Source: Pragmatic Works, 2017

    Bad data costs up to
    15% to 25% of revenue.

    Source: MIT Sloan Management Review, 2017

    VERACITY

    Identity Authenticity

    Veracity of data is a true test of your data capabilities

    • Stop creating your own identity architectures and instead integrate a tried-and-true platform.
    • Aim for a single source of truth for digital identity.
    • Establish data governance that can withstand scrutiny.
    • Imagine a day in the future where verified accounts on social media platforms are available.
    • Zero-trust architecture should be used.

    VERACITY

    Identity Authenticity

    Trend in Data Veracity

    Veracity is a concept deeply linked to identity. As the value of the data increases, a greater degree of veracity is required: We must provide more proof to open a bank account than to make friends on Facebook. As a result, there is more trust in bank data than in Facebook data. There is also a growing need to protect marginalized communities.

    Emerging technologies and capabilities:

    Zero Trust, Blockchain, Data Governance, IoT, Cybersecurity

    The image contains a screenshot of Info-Tech's blueprint slide on Zero Trust.

    VERACITY

    Identity Authenticity

    The identity discussion is no longer limited to people or organizations. The development of new technologies, such as the IoT phenomenon, will lead to an explosion of objects, from refrigerators to shipping containers, coming online as well. If all these entities start communicating with each other, standards will be needed to establish who or what they are.

    IDENTITY
    IS

    Age

    Gender

    Address

    Fingerprint

    Face

    Voice

    Irises

    IDENTITY
    KNOWS

    Password

    Passphrase

    PIN

    Sequence

    IDENTITY
    HAS

    Access badge

    Smartcard

    Security token

    Mobile phone

    ID document

    IDENTITY
    DOES

    Motor skills

    Handwriting

    Gestures

    Keystrokes

    Applications use

    The IoT market is expected to grow 18% to 14.4 billion in 2022 and 27 billion by 2025.

    Source: IoT Analytics, 2022

    VALUE

    Data Monetization

    Trend 05 Not Many organization know the true value of their data

    Data can be valuable if used effectively or dangerous if mishandled. The rise of the data economy has created significant opportunities but also has its challenges. It has become urgent to understand the value of data, which may vary for stakeholders based on their business model and strategy. Organizations first need to understand ownership of their data by establishing a data strategy, then they must improve data maturity by developing a deeper understanding of data value.

    94% of enterprises say data is essential to business growth.

    Source: Find stack, 2021

    VALUE

    Data Monetization

    Start developing your data business

    • Blockbuster ran its business well, but Netflix transformed the video rental industry overnight!
    • Big players with data are catching up fast.
    • You don’t have to be a giant to monetize data.
    • Data monetization is probably closer than you think.
    • You simply need to find it, catalog it, and deliver it.

    The image contains logos of companies related to data monetization as described in the text above. The companies are Amazon Prime, Netflix, Disney Plus, Blockbuster, and Apple TV.

    VALUE

    Data Monetization

    Trend in Data Value

    Data monetization is the transformation of data into financial value. However, this does not imply selling data alone. Monetary value is produced by using data to improve and upgrade existing and new products and services. Data monetization demands an organization-wide strategy for value development.

    Emerging technologies and capabilities:

    Data Strategy, Data Monetization Strategy, Data Products

    Netflix uses big data to save $1 billion per year on customer retention.

    Source: Logidots, 2021

    VALUE

    Data Monetization

    Data is a strategic asset

    Data is beyond currency, assets, or commodities and needs to be a category
    of its own.

    • Data always outlives people, processes, and technology. They all come and go while data remains.
    • Oil is a limited resource. Data is not. Unlike oil, data is likely to grow over time.
    • Data is likely to outlast all other current popular financial instruments, including currency, assets, or commodities.
    • Data is used internally and externally and can easily be replicated or combined.

    Data monetization is currently in the speculative territory, which is unacceptable. It should instead be guided by sound data management theory.

    VIRTUE

    Adaptive Data Governance

    Trend 06 Five Core Virtues: Resilience, Humility, Grit, Liberal Education, Empathy (Forbes, 2020)

    We have become more and more dependent on data, analytics, and organizational protection policies. Data virtue is about leveraging data securely and ethically. This topic has become more critical with the advent of GDPR, the right to be forgotten, and related regulations. Data governance, which seeks to establish an oversight framework that manages the creation, acquisition, integrity, security, compliance, and quality of data, is essential for any organization that makes decisions about data.

    Cultural obstacles are the greatest barrier to becoming data-driven, according to 91.9% of executives.

    Source: Harvard Business Review, 2022

    Fifty million Facebook profiles were harvested for Cambridge Analytica in a major data breach.

    Source: The Guardian, 2018

    VIRTUE

    Adaptive Data Governance

    Encourage noninvasive and automated data governance

    • Data governance affects the entire organization, not just data.
    • The old model for data governance was slow and clumsy.
    • Adaptive data governance encourages faster decision making and a more collaborative approach to governance.
    • Agile data governance allows for faster and more flexible decision making.
    • Automated data governance will simplify execution across the organization.
    • It is great for compliance, quality, impact tracking, and cross-referencing and offers independence to data users.

    VIRTUE

    Adaptive Data Governance

    Trend in Data Virtue

    Adaptive data governance encourages a flexible approach that allows an organization to employ multiple data governance strategies depending on changing business situations. The other aspect of adaptive data governance is moving away from manual (and often slow) data governance and toward aggressive automation.

    Emerging technologies and capabilities:

    AI-Powered Data Catalog and Metadata Management,
    Automated Data Policy Enforcement

    “To effectively meet the needs and velocity of digital organizations and modern practices, IT governance must be embedded and automated where possible to drive success and value.”

    Source: Valence Howden, Info-Tech Research Group

    “Research reveals that the combination of AI and big data technologies can automate almost 80% of all physical work, 70% of data processing, and 64% of data collection tasks.”

    Source: Forbes, 2021

    VIRTUE

    Data Governance Automation

    Simple and easy Data Governance

    Tools are not the ultimate answer to implementing data governance. You will still need to secure stakeholders' buy-in and engagement in the data process. Data governance automation should be about simplifying the execution of roles and responsibilities.

    “When you can see where your data governance strategy can be improved, it’s time to put in place automation that help to streamline processes.”

    Source: Nintex, 2021

    VISUALIZATION

    AI-Driven Storytelling & Augmented Analytics

    Trend 07 Automated and augmented data storytelling is not that far away

    Today, data storytelling is led by the user. It’s the manual practice of combining narrative with data to deliver insights in a compelling form to assist decision makers in engaging with data and analytics. A story backed by data is more easily consumed and understood than a dashboard, which can be overwhelming. However, manual data storytelling has some major shortcomings.

    Problem # 1: Telling stories on more than just the insights noticed by people

    Problem # 2: Poor data literacy and the limitations of manual self-service

    Problem # 3: Scaling data storytelling across the business

    VISUALIZATION

    AI-Driven Storytelling & Augmented Analytics

    Use AI to enhance data storytelling

    • Tableau, Power BI, and many other applications already use
      AI-driven analytics.
    • Power BI and SharePoint can use AI to generate visuals for any SharePoint list in a matter of seconds.

    VISUALIZATION

    AI-Driven Storytelling & Augmented Analytics

    Trend in Data Visualization

    AI and natural language processing will drive future visualization and data storytelling. These tools and techniques are improving rapidly and are now designed in a streamlined way to guide people in understanding what their data means and how to act on it instead of expecting them to do self-service analysis with dashboards and charts and know what to do next. Ultimately, being able to understand how to translate emotion, tropes, personal interpretation, and experience and how to tell what’s most relevant to each user is the next frontier for augmented and automated analytics

    Emerging technologies and capabilities:

    AI-Powered Data Catalog and Metadata Management,
    Automated Data Policy Enforcement

    VISUALIZATION

    Data Storytelling

    Augmented data storytelling is not that far away

    Emotions are a cornerstone of human intelligence and decision making. Mastering the art of storytelling is not easy.

    Industry experts predict the combination of data storytelling with augmented and automated techniques; these capabilities are more than capable of generating and automating parts of a data story’s creation for end users.

    The next challenge for AI is translating emotion, tropes, personal interpretation, and experience into what is most essential to end users.

    Source: Yellowfin, 2021

    VIRALITY

    Data Marketplace

    Trend 08 Missing data marketplace

    Data virality measures data spread and popularity. However, for data virality to occur, an ecosystem comparable to that of traditional or modern digital marketplaces is required. Organizations must reevaluate their data strategies to ensure investment in appropriate data domains by understanding data virality. Data virality is the exact opposite of dark data.

    Dark data is “all the information companies collect in their regular business processes, don’t use, have no plans to use, but will never throw out.”

    Source: Forbes, 2019

    VIRALITY

    Data Marketplace

    Make data easily accessible

    • Making data accessible to a broader audience is the key to successful virality.
    • Data marketplaces provide a location for you to make your data public.
    • Why do this? Contributing to public data marketplaces builds credibility, just like contributing to public GitHub projects.
    • Big players like Microsoft, Amazon, and Snowflake already do this!
    • Snowflake introduced zero-copy cloning, which allows users to interact with source data without compromising the integrity of the original source.

    The image contains the logos of Microsoft, Amazon, and Snowflake.

    VIRALITY

    Data Marketplace

    Trend in Data Virality

    The data marketplace can be defined as a dynamic marketplace where users decide what has the most value. Companies can gauge which data is most popular based on usage and decide where to invest. Users can shop for data products within the marketplace and then join these products with other ones they’ve created to launch truly powerful data-driven projects.

    Emerging technologies and capabilities:

    AI-Powered Data Catalog and Metadata Management,
    Automated Data Policy Enforcement

    The image contains a screenshot of Info-Tech's Data-as-a-Service (DaaS) Framework.

    “Data is like garbage. You’d better know what you are going to do with it before you collect it.”

    – Mark Twain

    VIRALITY

    Data Marketplace

    Journey from siloed data platforms to dynamic data marketplaces

    Data remains a complex topic due to many missing foundational components and infrastructure. Interoperability, security, quality, discoverability, speed, and ease are some of those missing foundational components that most organizations face daily.

    Data lacks an ecosystem that is comparable to those of traditional assets or commodities. Data must be available in open or closed data marketplaces to measure its value. These data marketplaces are still in their infancy.

    “Data markets are an important component of the data economy that could unleash the full potential of data generated by the digital economy and human activity in general.”

    Source: ITU Journal, 2018

    VISCOSITY

    DevOps – DataOps – XOps

    Trend 09 Increase efficiency by removing bottlenecks

    Compared to water, a fluid with a high viscosity flows more slowly, like honey. Data viscosity measures the resistance to flow in a volume of data. The data resistance may come from other Vs (variety, velocity, etc.).

    VISCOSITY

    DevOps – DataOps – XOps

    Increase efficiency by removing bottlenecks

    Consider XOps for a second. It makes no difference what X is. What's important is matching operational requirements to enterprise capabilities.

    • For example, Operations must meet the demands of Sales – hence SalesOps
      or S&Op.
    • Development resources must meet the demands of Operations – hence DevOps.
    • Finally, Data must also meet the demand of Operations.

    These Operations guys are demanding!!

    VISCOSITY

    DevOps – DataOps – XOps

    Trend in Data Viscosity

    The merger of development (Dev) and IT Operations (Ops) started in software development with the concept of DevOps. Since then, new Ops terms have formed rapidly (AIOps, MLOps, ModelOps, PlatformOps, SalesOps, SecOps, etc.). All these methodologies come from Lean manufacturing principles, which seek to identify waste by focusing on eliminating errors, cycle time, collaboration, and measurement. Buzzwords are distractions, and the focus must be on the underlying goals and principles. XOps goals should include the elimination of errors and improving efficiencies.

    Emerging technologies and capabilities:

    Collaborative Data Management, Automation Tools

    VISCOSITY

    DataOps → Data Observability

    Data observability, a subcomponent of DataOps, is a set of technical practices, cultural norms, and architecture that enables low error rates. Data observability focuses on error rates instead of only measuring data quality at a single point in time.

    Data Quality Dimensions

    • Uniqueness
    • Timeliness
    • Validity
    • Accuracy
    • Consistency

    ERROR RATES

    Lateness: Missing Your SLA

    System Processing Issues

    Code Change That Broke Something

    Data Quality

    What’s next? Go beyond the buzzwords.

    Avoid following trends solely for the sake of following them. It is critical to comprehend the concept and apply it to your industry. Every industry has its own set of problems and opportunities.

    Highlight the data trends (or lack thereof) that have been most beneficial to you in your organizations. Follow Info-Tech’s approach to building a data practice and platform to develop your data capabilities through the establishment of data goals.

    The image contains a screenshot of Info-Tech's Build Your Data Pracrice and Platform.

    Research Authors

    Rajesh Parab Chris Dyck

    Rajesh Parab

    Director, Research & Advisory

    Data and Analytics

    Chris Dyck

    Research Lead

    Data and Analytics

    “Data technologies are rapidly evolving. Understanding what’s possible is critical. Adapting to these upcoming data trends requires a solid data management foundation.”

    – Rajesh Parab

    Contributing Experts

    Carlos Thomas John Walsh

    Carlos Thomas

    Executive Counselor

    Info-Tech Research Group

    John Walsh

    Executive Counselor

    Info-Tech Research Group

    Bibliography

    Bean, Randy. “Why Becoming a Data-Driven Organization Is So Hard.” Harvard Business Review, 24 Feb. 2022. Accessed Oct. 2022.
    Brown, Annie. “Utilizing AI And Big Data To Reduce Costs And Increase Profits In Departments Across An Organization.” Forbes, 13 April 2021.
    Accessed Oct. 2022.
    Burciaga, Aaron. “Five Core Virtues For Data Science And Artificial Intelligence.” Forbes, 27 Feb. 2020. Accessed Aug. 2022.
    Cadwalladr, Carole, and Emma Graham-Harrison. “Revealed: 50 million Facebook profiles harvested for Cambridge Analytica in major data breach.”
    The Guardian, 17 March 2018. Accessed Aug. 2022.
    Carlier, Mathilde. “Connected light-duty vehicles as a share of total vehicles in 2023.” Statista, 31 Mar. 2021. Accessed Oct. 2022.
    Carter, Rebekah. “The Ultimate List of Big Data Statistics for 2022.” Findstack, 22 May 2021. Accessed Oct. 2022.
    Castelvecchi, Davide. “Underdog technologies gain ground in quantum-computing race.” Nature, 6 Nov. 2023. Accessed Feb. 2023.
    Clark-Jones, Anthony, et al. “Digital Identity:” UBS, 2016. Accessed Aug 2022.
    “The Cost of Bad Data Infographic.” Pragmatic Works, 25 May 2017. Accessed Oct. 2022.
    Demchenko, Yuri, et al. “Data as Economic Goods: Definitions, Properties, Challenges, Enabling Technologies for Future Data Markets.“ ITU Journal: ICT Discoveries, Special Issue, no. 2, vol. 23, Nov. 2018. Accessed Aug 2022.
    Feldman, Sarah. ”20 Years of Quantum Computing Growth.” Statista, 6 May 2019. Accessed Oct. 2022.
    “Genomic Data Science.” NIH, National Human Genome Research Institute, 5 April 2022. Accessed Oct. 2022.

    Bibliography

    Hasbe, Sudhir, and Ryan Lippert. “The democratization of data and insights: making real-time analytics ubiquitous.” Google Cloud, 15 Jan. 2021.
    Accessed Aug. 2022.
    Helmenstine, Anne. “Viscosity Definition and Examples.” Science Notes, 3 Aug. 2021. Accessed Aug. 2022.
    “How data storytelling and augmented analytics are shaping the future of BI together.” Yellowfin, 19 Aug. 2021. Accessed Aug. 2022.
    “How Netflix Saves $1B Annually using AI?” Logidots, 24 Sept. 2021. Accessed Oct. 2022
    Hui, Kenneth. “The AWS Love/Hate Relationship with Data Gravity.” Cloud Architect Musings, 30 Jan. 2017. Accessed Aug 2022.
    ICD. “The Growth in Connected IoT Devices Is Expected to Generate 79.4ZB of Data in 2025, According to a New IDC Forecast.” Business Wire, 18 June 2019. Accessed Oct 2022.
    Internet of Things (IoT) and non-IoT active device connections worldwide from 2010 to 2025” Statista, 27 Nov. 2022. Accessed Nov. 2022.
    Koch, Gunter. “The critical role of data management for autonomous driving development.” DXC Technology, 2021. Accessed Aug. 2022.
    Morris, John. “The Pull of Data Gravity.” CIO, 23 Feb. 2022. Accessed Aug. 2022.
    Nield, David. “Google's Quantum Computer Is 100 Million Times Faster Than Your Laptop.” ScienceAlert, 9 Dec. 2015. Accessed Oct. 2022.
    Redman, Thomas C. “Seizing Opportunity in Data Quality.” MIT Sloan Management Review, 27 Nov. 2017. Accessed Oct. 2022.
    Segovia Domingo, Ana I., and Álvaro Martín Enríquez. “Digital Identity: the current state of affairs.” BBVA Research, 2018. Accessed Aug. 2022.

    Bibliography

    “State of IoT 2022: Number of connected IoT devices growing 18% to 14.4 billion globally.” IOT Analytics, 18 May 2022. Accessed. 14 Nov. 2022.
    Strod, Eran. “Data Observability and Monitoring with DataOps.” DataKitchen, 10 May 2021. Accessed Aug. 2022.
    Sujay Vailshery, Lionel. “Edge computing market value worldwide 2019-2025.” Statista, 25 Feb. 2022. Accessed Oct 2022.
    Sujay Vailshery, Lionel. “IoT and non-IoT connections worldwide 2010-2025.” Statista, 6 Sept. 2022. Accessed Oct. 2022.
    Sumina, Vladimir. “26 Cloud Computing Statistics, Facts & Trends for 2022.” Cloudwards, 7 June 2022. Accessed Oct. 2022.
    Taulli, Tom. “What You Need To Know About Dark Data.” Forbes, 27 Oct. 2019. Accessed Oct. 2022.
    Taylor, Linnet. “What is data justice? The case for connecting digital rights and freedoms globally.“ Big Data & Society, July-Dec 2017. Accessed Aug 2022.
    “Twitter: Data Collection With API Research Paper.” IvyPanda, 28 April 2022. Accessed Aug. 2022.
    “Using governance automation to reduce data risk.” Nintex, 15 Nov. 2021. Accessed Oct. 2022
    “Volume of data/information created, captured, copied, and consumed worldwide from 2010 to 2020, with forecasts from 2021 to 2025.” Statista, 8 Sept. 2022. Accessed Oct 2022.
    Wang, R. “Monday's Musings: Beyond The Three V's of Big Data – Viscosity and Virality.” Forbes, 27 Feb. 2012. Accessed Aug 2022.
    “What is a data fabric?” IBM, n.d. Accessed Aug 2022.
    Yego, Kip. “Augmented data management: Data fabric versus data mesh.” IBM, 27 April 2022. Accessed Aug 2022.

    Develop an IT Strategy to Support Customer Service

    • Buy Link or Shortcode: {j2store}528|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Customer Relationship Management
    • Parent Category Link: /customer-relationship-management
    • Customer expectations regarding service are rapidly evolving. As your current IT systems may be viewed as ineffective at delivering upon these expectations, a transformation is called for.
    • It is unclear whether IT has the system architecture/infrastructure to support modern Customer Service channels and technologies.
    • The relationship between Customer Service and IT is strained. Strategic system-related decisions are being made without the inclusions of IT, and IT is only engaged post-purchase to address integration or issues as they arise.
    • Scope: An ABPM-centric approach is taken to model the desired future state, and retrospectively look into the current state to derive gaps and sequential requirements. The requirements are bundled into logical IT initiatives to be plotted on a roadmap and strategy document.
    • Challenge: The extent to which business processes can be mapped down to task-based Level 5 can be challenging depending on the maturity of the organization.
    • Pain/Risk: The health of the relationship between IT and Customer Service may determine project viability. Poor collaboration and execution may strain the relationship further.

    Our Advice

    Critical Insight

    • When transformation is called for, start with future state visioning. Current state analysis can impede your ability to see future needs and possibilities.
    • Solve your own problems by enhancing core or “traditional” Customer Service functionality first, and then move on to more ambitious business enabling functionality.
    • The more rapidly businesses can launch applications in today’s market, the better positioned they are to improve customer experience and reap the associated benefits. Ensure that technology is implemented with a solid strategy to support the initiative.

    Impact and Result

    • The right technology is established to support current and future Customer Service needs.
    • Streamlined and optimized Customer Service processes that drive efficiency and improve Customer Service quality are established.
    • The IT and Customer Service functions are both transformed from a cost center into a competitive advantage.

    Develop an IT Strategy to Support Customer Service Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Structure the project

    Identify project stakeholders, define roles, and create the project charter.

    • Develop an IT Strategy to Support Customer Service Storyboard
    • Project RACI Chart
    • Project Charter

    2. Define vision for future state

    Identify and model the future state of key business processes.

    • Customer Service Business Process Shortlisting Tool
    • Customer Service Systems Strategy Tool

    3. Document current state and assess gaps

    Model the current state of key business processes and assess gaps.

    4. Evaluate solution options

    Review the outputs of the current state architecture health assessment and adopt a preliminary posture on architecture.

    5. Evaluate application options

    Evaluate the marketplace applications to understand the “art of the possible.”

    6. Frame desired state and develop roadmap

    Compile and score a list of initiatives to bridge the gaps, and plot the initiatives on a strategic roadmap.

    • Customer Service Initiative Scoring and Roadmap
    [infographic]

    Workshop: Develop an IT Strategy to Support Customer Service

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Define Vision for Future State

    The Purpose

    Discuss Customer Service-related organizational goals and align goals with potential strategies for implementation.

    Score level 5 Customer Service business processes against organizational goals to come up with a shortlist for modeling.

    Create a future state model for one of the shortlisted business processes.

    Draft the requirements as they relate to the business process.

    Key Benefits Achieved

    Preliminary list of Customer Service-related business goals

    List of Customer Service business processes (Task Level 5)

    Pre-selected Customer Service business process for modeling

    Activities

    1.1 Outline and prioritize your customer goals and link their relevance and value to your Customer Service processes with the Customer Service Business Process Shortlisting Tool.

    1.2 Score customer service business processes against organizational goals with the Customer Service Systems Strategy Tool.

    Outputs

    Initial position on viable Customer Service strategies

    Shortlist of key business processes

    Documented future state business process model

    Business/functional/non-functional requirements

    2 Document Current State and Assess Gaps

    The Purpose

    Create a current state model for the shortlisted business processes.

    Score the functionality and integration of current supporting applications.

    Revise future state model and business requirements.

    Key Benefits Achieved

    Inventory of Customer Service supporting applications

    Inventory of related system interfaces

    Activities

    2.1 Holistically assess multiple aspects of Customer Service-related IT assets with the Customer Service Systems Strategy Tool.

    Outputs

    Documented current state business process model

    Customer Service systems health assessment

    3 Adopt an Architectural Posture

    The Purpose

    Review the Customer Service systems health assessment results.

    Discuss options.

    Key Benefits Achieved

    Completed Customer Service systems health assessment

    Application options

    Activities

    3.1 Analyze CS Systems Strategy and review results with the Customer Service Systems Strategy Tool

    Outputs

    Posture on system architecture

    4 Frame Desired State and Develop Roadmap

    The Purpose

    Draft a list of initiatives based on requirements.

    Score and prioritize the initiatives.

    Plot the initiatives on a roadmap.

    Key Benefits Achieved

    Business/functional/non-functional requirements

    Activities

    4.1 Help project and management stakeholders visualize the implementation of Customer Service IT initiatives with the Customer Service Initiative Scoring and Roadmap Tool.

    Outputs

    Scored and prioritized list of initiatives

    Customer Service implementation roadmap

    Further reading

    Develop an IT Strategy to Support Customer Service

    E-commerce is accelerating, and with it, customer expectations for exceptional digital service.

    Analyst Perspective

    The future of Customer Service is digital. Your organization needs an IT strategy to meet this demand.

    The image contains a picture of Thomas E. Randall.

    As the pandemic closed brick-and-mortar stores, the acceleration of ecommerce has cemented Customer Service’s digital future. However, the pandemic also revealed severe cracks in the IT strategy of organizations’ Customer Service – no matter the industry. These cracks may include low resolution and high wait times through the contact center, or a lack of analytics that fuel a reactive environment. Unfortunately, organizations have no time to waste in resolving these issues. Customer patience for poor digital service has only decreased since March 2020, leaving organizations with little to no runway for ramping up their IT strategy.

    Organizations that quickly mature their digital Customer Service will come out the other side of COVID-19 more competitive and with a stronger reputation. This move necessitates a concrete IT strategy for coordinating what the organization’s future state should look like and agreeing on the technologies and software required to meet this state across the entire organization.

    Thomas E. Randall, Ph.D.

    Senior Research Analyst, Info-Tech Research Group

    Executive Summary

    Your Challenge

    Common Obstacles

    Info-Tech’s Solution

    • COVID-19 has accelerated ecommerce, rapidly evolving customer expectations about the service they should receive. Without a robust IT strategy for enabling remote, contactless points of service, your organization will quickly fall behind.
    • The organization would like to use modern channels and technologies to enhance customer service, but it is unclear whether IT has the infrastructure to support them.
    • The relationship between Customer Service and IT is strained. Strategic system-related decisions are being made without the inclusion of IT.
    • IT is in a permanent reactive state, only engaged post-purchase to fix issues as they arise and to offer workarounds.
    • Use Info-Tech’s methodology to produce an IT strategy for Customer Service:
      • Phase 1: Define Project and Future State
      • Phase 2: Evaluate Current State
      • Phase 3: Build a Roadmap to Future State
    • Each phase contributes toward this blueprint’s key deliverable: the Strategic Roadmap.

    Info-Tech Insight

    IT must proactively engage with the organization to define what good customer service should look like. This ensures IT has a fair say in what kinds of architectural solutions are feasible for any projected future state. In this proactive scenario, IT can help build the roadmap for implementing and maintaining customer service infrastructure and operations, reducing the time and resources spent on putting out preventable fires or trying to achieve an unworkable goal set by the organization.

    Key insights

    Develop an IT Strategy to Support Customer Service

    Ecommerce growth has increased customer expectations

    Despite the huge obstacles that organizations are having to overcome to meet accelerating ecommerce from the pandemic, customers have not increased their tolerance for organizations with poor service. Indeed, customer expectations for excellent digital service have only increased since March 2020. If organizations cannot meet these demands, they will become uncompetitive.

    The future of customer service is tied up in analytics

    Without a coordinated IT strategy for leveraging technology and data to improve Customer Service, the organization will quickly be left behind. Analytics and reporting are crucial for proactively engaging with customers, planning marketing campaigns, and building customer profiles. Failing to do so leaves the organization blind to customer needs and will constantly be in firefighting mode.

    Meet the customer wherever they are – no matter the channel

    Providing an omnichannel experience is fast becoming a table stakes offering for customers. To maximize customer engagement and service, the organization must connect with the customer on whatever channel the customer prefers – be it social media, SMS, or by phone. While voice will continue to dominate how Customer Service connects with customers, demographics are shifting toward a digital-first generation. Organizations must be ready to capture this rapidly expanding audience.

    This blueprint will achieve:

    Increased customer satisfaction

    • An IT strategy for Customer Service that proactively meets customer demand, improving overall customer satisfaction with the organization’s services.
    • A process for identifying the organization’s future state of Customer Service and developing a concrete gap analysis.

    Time saved

    • Ready-to-use deliverables that analyze and provide a roadmap toward the organization’s desired future state.
    • Market analyses and rapid application selection through SoftwareReviews to streamline project time-to-completion.

    Increased ROI

    • A modernization process that aids Customer Service digital transformation, with a view to achieve high ROI.
    • Save costs through an effective requirements gathering method.
    • Building and expanding the organization’s customer base to increase revenues by meeting the customers where they are – no matter what channel.

    An IT strategy for customer service is imperative for a post-COVID world

    COVID-19 has accelerated ecommerce, rapidly evolving customer expectations for remote, contactless service.

    59% Of customers agree that the pandemic has raised their standards for service (Salesforce, 2020).

    • With COVID-19, most customer demand and employment moved online and turned remote.
    • Retailers had to rapidly respond, meeting customer demand through ecommerce. This not only entailed a complete shift in how customers could buy their goods but how retailers could provide a remote customer journey from discovery to post-purchase support.

    Info-Tech Insight

    The pandemic did not improve customer tolerance for bad service – instead, the demand for good service increased dramatically. Organizations need an IT strategy to meet customer support demands wherever the customer is located.

    The technology to provide remote customer support is surging

    IT needs to be at the forefront of learning about and suggesting new technologies, working with Customer Service to deliver a consistent, business-driven approach.

    78%

    Of decision makers say they’ve invested in new technology as a result of the pandemic (Salesforce, 2020).

    OMNICHANNEL SUPPORT

    Rapidly changing demographics and modes of communications require an evolution toward omnichannel engagement. Agents need customer information synced across each channel they use, meeting the customer’s needs where they are.

    78%

    Of customers have increased their use of self-service during the pandemic (Salesforce, 2020).

    INTELLIGENT SELF-SERVICE PORTALS

    Customers want their issues resolved as quickly as possible. Machine-learning self-service options deliver personalized customer experiences, which also reduce both agent call volume and support costs for the organization.

    90%

    Of global executives who use data analytics report that they improved their ability to deliver a great customer experience (Gottlieb, 2019).

    LEVERAGING ANALYTICS

    The future of customer service is tied up with analytics: from AI-driven capabilities that include agent assist and using biometric data (e.g., speech) for security, to feeding real insights about how customers and agents are doing and performing.

    Executive Brief – Case Study

    Self-service options improve quality of service and boost organization’s competitiveness in a digital marketspace.

    INDUSTRY: Financial Services

    SOURCE: TSB

    Situation

    Solution

    Results

    • The pandemic increased pressure on TSB’s Customer Service, with higher call loads from their five million customers who were anxious about their financial situation.
    • TSB needed to speed up its processing times to ensure loan programs and other assistances were provided as quickly as possible.
    • As meeting in-person became impossible due to the lockdown, TSB had to step up its digital abilities to serve their customers.
    • TSB sought to boost its competitiveness by shifting as far as possible to digital services.
    • TSB launched government loan programs in 36 hours, ahead of its competitors.
    • TSB created and released 21 digital self-service forms for customers to complete without needing to interact with bank staff.
    • TSB processed 140,000 forms in three months, replacing 15,000 branch visits.
    • TSB increased digital self-service rate by nine percent.

    IT can demonstrate its value to business by enhancing remote customer service

    IT must engage with Customer Service – otherwise, IT risks being perennially reactive and dictated to as remote customer service needs increase.

    IT benefits

    Customer Service benefits

    • The right technology is established to support Customer Service.
    • IT is viewed as a strategic partner and innovator, not just a cost center and support function.
    • Streamlined and optimized Customer Service processes that drive efficiency and improve Customer Service quality.
    • Transformation of the Customer Service function into a competitive advantage.

    Info-Tech Insight

    Change to how Customer Service will operate is inevitable. This is an opportunity for IT to establish their value to the business and improve their autonomy in how new technologies should be onboarded and utilized.

    Customer Service and IT need to work together to mitigate their pain points

    IT and Customer Service have an opportunity to reinforce and build their organization’s customer base by working together to streamline operations.

    IT pain points

    Customer Service pain points

    • IT lacks understanding of Customer Service challenges and pain points.
    • IT has technical debt or constrained technology funding.
    • The IT department is viewed as a cost center and support organization, not an engine of innovation, growth, and service delivery performance.
    • Processes supporting Customer Service delivery may be sub-optimal.
    • The existing technology cannot support the increasingly advanced needs of Customer Service functions.
    • Customer Service isn’t fully aware of what your customers think of your service quality. There is little to no monitoring of customer sentiment.
    • There is a lack of value-based segmentation of customers and information on their channel usage and preferences.
    • Competitor actions are not actively monitored.

    IT often cannot spark a debate with Customer Service on whether a decision made without IT is misaligned with corporate direction. It’s almost always an uphill battle for IT.

    Sahri Lava, Research Director, IDC

    Develop an IT Strategy to Support Customer Service

    DON’T FALL BEHIND

    70% of companies either have a digital transformation strategy in place or are working on one (Tech Pro Research, 2018). Unless IT can enable technology that meets the customer where they are, the organization will quickly fall behind in an age of accelerating ecommerce.

    DEVELOP FUTURE STATES

    Many customer journeys are now exclusively digital – 63% of customers expect to receive service over social media (Ringshall, 2020). Organization’s need an IT strategy to develop the future of their customer service – from leveraging analytics to self-service AI portals.

    BUILD GAP ANALYSIS

    73% of customers prefer to shop across multiple channels (Sopadjieva et al., 2017). Assess your current state’s application integrations and functionality to ensure your future state can accurately sync customer information across each channel.

    SHORTLIST SOLUTIONS

    Customer relationship management software is one of the world's fastest growing industries (Kuligowski, 2022). Choosing a best-fit solution requires an intricate analysis of the market, future trends, and your organization’s requirements.

    ADVANCE CHANGE

    95% of customers cite service as key to their brand loyalty (Microsoft, 2019). Build out your roadmap for the future state to retain and build your customer base moving forward.

    Use Info-Tech’s method to produce an IT strategy for Customer Service:

    PHASE 1: Define Project and Future State

    Output: Project Charter and Future State Business Processes

    1.1 Structure the Project

    1.2 Define a Vision for Future State

    1.3 Document Preliminary Requirements

    KEY DELIVERABLE:

    Strategic Roadmap

    The image contains a screenshot of the strategic roadmap.

    PHASE 2: Evaluate Current State

    Output: Requirements Identified to Bridge Current to Future State

    2.1 Document Current State Business Processes

    2.2 Assess Current State Architecture

    2.3 Review and Finalize Requirements for Future State

    PHASE 3: Build a Roadmap to Future State

    Output: Initiatives and Strategic Roadmap

    3.1 Evaluate Architectural and Application Options

    3.2 Understand the Marketplace

    3.3 Score and Plot Initiatives Along Your Strategic Roadmap

    Key deliverable and tools outline

    Each step of this blueprint is accompanied by supporting materials to help you accomplish your goals.

    Project RACI Chart

    Activity 1.1a Organize roles and responsibilities for carrying out project steps.

    The image contains a screenshot of the Project RACI Chart.

    Key Deliverable:

    Strategic Roadmap

    Develop, prioritize, and implement key initiatives for your customer service IT strategy, plotting and tracking them on an easy-to-read timeline.

    The image contains a screenshot of the Strategic Roadmap.

    Business Process Shortlisting Tool

    Activities 1.2a, 1.2b, and 2.1aOutline and prioritize customer service goals.

    The image contains a screenshot of the Business Process Shortlisting Tool.

    Project Charter Template

    Activity 1.1b Define the project, its key deliverables, and metrics for success.

    The image contains a screenshot of the Project Charter Template.

    Systems Strategy Tool

    Activities 1.3a, Phase 2, 3.1a Prioritize requirements, assess current state customer service functions, and decide what to do with your current systems going forward.

    .The image contains a screenshot of the Systems Strategy Tool.

    Looking ahead: defining metrics for success

    Phase 1 of this blueprint will help solidify how to measure this project’s success. Start looking ahead now.

    For example, the metrics below show the potential business benefits for several stakeholders through building an IT strategy for Customer Service. These stakeholders include agents, customers, senior leadership, and IT. The benefits of this project are listed to the right.

    Metric Description

    Current Metric

    Future Goal

    Number of channels for customer contact

    1

    6

    Customer self-service resolution

    0%

    50%

    % ROI

    - 4%

    11%

    Agent satisfaction

    42%

    75%

    As this project nears completion:

    1. Customers will have more opportunities for self-service resolution.
    2. Agents will experience higher satisfaction, improving attrition rates.
    3. The organization will experience higher ROI from its digital Customer Service investments.
    4. Customers can engage the contact center via a communication channel that suits them.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    What does a typical Guided Implementation on this topic look like?

    Define Project and Future StateDocument and Assess Current StateEvaluate Architectural and Application OptionsBuild Roadmap to Future State

    Call #1: Introduce project, defining its vision and metrics of success.

    Call #2: Review environmental scan to define future state vision.

    Call #3: Examine future state business processes to compile initial requirements.

    Call #4: Document current state business processes.

    Call #5: Assess current customer service IT architecture.

    Call #6: Refine and prioritize list of requirements for future state.

    Call #7: Evaluate architectural options.

    Call #8: Evaluate application options.

    Call #9:Develop and score initiatives to future state.

    Call #10: Develop timeline and roadmap.

    Call #11: Review progress and wrap-up project.

    A Guided Implementation is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical Guided Implementation is two to 12 calls over the course of four to six months.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com1-888-670-8889

    Day 1Day 2Day 3Day 4Day 5

    Define Your Vision for Future State

    Document Current State and Assess Gaps

    Adopt an Architectural Posture

    Frame Desired State and Develop Roadmap

    Communicate and Implement

    Activities

    1.1 Outline and prioritize your customer goals.

    1.2 Link customer service goals’ relevance and value to your Customer Service processes.

    1.3 Score Customer Service business processes against organizational goals.

    2.1 Holistically assess multiple aspects of Customer Service-related IT assets with Customer Service Systems Strategy Tool.

    3.1 Analyze Customer Service Systems Strategy and review results with the Customer Service Systems Strategy Tool.

    4.1 Help project management stakeholders visualize implementation of Customer Service IT initiatives.

    4.2 Build strategic roadmap and plot initiatives.

    5.1 Finalize deliverables.

    5.2 Support communication efforts.

    5.3 Identify resources in support of priority initiatives.

    Deliverables

    1. Initial position on viable Customer Service strategies.
    2. Shortlist of key business processes.
    3. Documented future-state business process model.
    4. Business/functional/non-functional requirements.
    1. Documented current state business process model.
    2. Customer Service systems health assessment.
    3. Inventory of Customer Service supporting applications.
    4. Inventory of related system interfaces.
    1. Posture on system architecture.
    2. Completed Customer Service systems health assessment.
    3. List of application options.
    1. Scored and prioritized list of initiatives.
    2. Customer Service implementation roadmap.
    1. Customer Service IT Strategy Roadmap.
    2. Mapping of Info-Tech resources against individual initiatives.

    Phase 1

    Define Project and Future State

    Phase 1

    Phase 2

    Phase 3

    1.1 Structure the Project

    1.2 Define Vision for Future State

    1.3 Document Preliminary Requirements

    2.1 Document Current State Business Processes

    2.2 Assess Current State Architecture

    2.3 Review and Finalize Requirements for Future State

    3.1 Evaluate Architectural and Application Options

    3.2 Understand the Marketplace

    3.3 Score and Plot Initiatives Along Strategic Roadmap

    This phase will guide you through the following activities:

    1.1a Create your project’s RACI chart to establish key roles throughout the timeline of the project.

    1.1b Finalize your project charter that captures the key goals of the project, ready to communicate to stakeholders for approval.

    1.2a Begin documenting business processes to establish potential future states.

    1.2b Model future state business processes for looking beyond current constraints and building the ideal scenario.

    1.3a Document your preliminary requirements for concretizing a future state and performing a gap analysis.

    Participants required for Phase 1:

    • Applications Director
    • Customer Service Director
    • IT and Customer Service Representatives

    1.1 Identify process owners early for successful project execution

    IT and Customer Service must work in tandem throughout the project. Both teams’ involvement ensures all stakeholders are heard and support the final decision.

    Customer Service Perspective

    IT Perspective

    • Customer Service is the victim of pain points resulting from suboptimal systems and it stands to gain the most benefits from a well-planned systems strategy.
    • Looking to reduce pain points, Customer Service will likely initiate, own, and participate heavily in the project.
    • Customer Service must avoid the tendency to make IT-independent decisions. This could lead to disparate systems that contribute little to the overall organizational goals.
    • IT owns the application and back-end support of all Customer Service business processes. Any technological aspect of processes will need IT involvement.
    • IT may or may not have the mandate to run the Customer Service strategy project. Responsibility for systems decisions remains with IT.
    • IT should own the task of filtering out unnecessary or infeasible application and technology decisions. IT capabilities to support such acquisitions and post-purchase maintenance must be considered.

    Info-Tech Insight

    While involving management is important for high-level strategic decisions, input from those who interact day-to-day with the systems is a crucial component to a well-planned strategy.

    1.1 Define project roles and responsibilities to improve progress tracking

    Assign responsibilities, accountabilities, and other project involvement roles using a RACI chart.

    • IT should involve Customer Service from the beginning of project planning to implementation and execution. The project requires input and knowledge from both functions to succeed.
    • Do not let the tasks be forgotten within inter-functional communication. Define roles and responsibilities for the project as early as possible.
    • Each member of the project team should be given a RACI designation, which will vary for each task to ensure clear ownership, execution, and progress tracking.
    • Assigning RACI early can:
      • Improve project quality by assigning the right people to the right tasks.
      • Improve chances of project task completion by assigning clear accountabilities.
      • Improve project buy-in by ensuring that stakeholders are kept informed of project progress, risks, and successes.

    R – Responsibility

    A – Accountability

    C – Consulted

    I – Informed

    1.1 Use Info-Tech’s recommended process owners and roles for this blueprint

    Customer Service Head

    Customer Service Director

    CIO

    Applications Director*

    CEO/COO

    Marketing Head

    Sales Head

    Determine Project Suitability

    ARCCCII

    Phase 1.1

    CCARIII

    Phases 1.2 – 1.3

    ARCCICC

    Phase 2

    ARICIII

    Phase 3.1

    (Architectural options)

    CCARIII

    Phase 3.1

    (Application options)

    ACIRICC

    Phases 3.2 – 3.3

    CCARCII

    * The Applications Director is to compile a list of Customer Service systems; the Customer Service Director is responsible for vetting a list and mapping it to Customer Service functions.

    ** The Applications Director is responsible for technology-related decisions (e.g. SaaS or on-premise, integration issues); the Customer Service Director is responsible for functionality-related decisions.

    1.1a Create your project’s RACI chart

    1 hour

    1. The Applications Director and Customer Service Head should identify key participants and stakeholders of the project.
    2. Use Info-Tech’s Project RACI Chart to identify ownership of tasks.
    3. Record roles in the Project RACI Chart.
    The image contains a screenshot of the project RACI chart.
    InputOutput
    • Identification of key project participants and stakeholders.
    • Identification of key project participants and stakeholders.

    Materials

    Participants

    • Project RACI Chart
    • Applications Director
    • Customer Service Director

    Download the Project RACI Chart

    1.1 Start developing the project charter

    A project charter should address the following:

    • Executive Summary and Project Overview
      • Goals
      • Benefits
      • Critical Success Factors
    • Scope
    • Key Deliverables
    • Stakeholders and RACI
    • Risk Assessment
      • What are some risks you may encounter during project execution?
    • Projected Timeline and Key Milestones
    • Review and Approval Process

    What is a project charter?

    • The project charter defines the project and lays the foundation for all subsequent project planning.
    • Once approved by the business, the charter gives the project lead formal authority to initiate the project.

    Why create a project charter?

    • The project charter allows all parties involved to reach an agreement and document major aspects of the project.
    • It also supports the decision-making process and can be used as a communication tool.

    Stakeholders must:

    • Understand and agree on the objectives and important characteristics of the project charter before the project is initiated.
    • Be given the opportunity to adjust the project charter to better address their needs and concerns.

    1.1b Finalize the project charter

    1-2 hours

    1. Request relevant individuals and parties to complete sections of Info-Tech’s Project Charter Template.
    2. Input the simplified RACI output from tab 3 in Info-Tech’s Project RACI Chart tool into the RACI section of the charter.
    3. Send the completed template to the CIO and Customer Service Head for approval.
    4. Communicate the document to stakeholders for changes and finalization.
    The image contains a screenshot of the Project Charter Template.

    Input

    Output

    • Customer Service and IT strategies
    • Justification of impetus to begin this project
    • Timeline estimates
    • A completed project charter that captures the key goals of the project, ready to communicate to stakeholders for approval.

    Materials

    Participants

    • Project RACI Chart
    • Project Charter Template
    • Applications Director
    • Customer Service Director

    Download the Project Charter Template

    1.2 IT must play a role shaping Customer Service’s future vision

    IT is only one or two degrees of separation from the end customer – their involvement can significantly impact the customer experience.

    IT

    Customer Service

    Customer

    Customer Service-Facing Application

    Customer-Facing Application

    • IT enables, supports, and maintains the applications used by the Customer Service organization to service customers. IT provides the infrastructural and technical foundation to operate the function.
    • IT supports customer-facing interfaces and channels for Customer Service interaction.
    • Channel examples include web pages, mobile device applications and optimization, and interactive voice response for callers.

    1.2 Establish a vision for Customer Service excellence

    Info-Tech has identified three prominent Customer Service strategic patterns. Evaluate which fits best with your situation and organization.

    Retention

    Efficiency

    Cross-Sell/Up-Sell

    Ensuring customers remain customers by providing proactive customer service and a seamless omnichannel strategy.

    Reducing costs by diverting customers to lower cost channels and empowering agents to solve problems quickly.

    Maximizing the value of existing customers by capitalizing on cross-sell and up-sell opportunities.

    1.2 Let profitability goals help reveal which strategy to pursue

    Profitability goals are tied to the enabling of customer service strategies.

    • If looking to drive cost decreases across the organization, pursue cost efficiency strategies such as customer volume diversion in order to lower cost channels and avoid costly escalations for customer complaints and inquiries.
    • Ongoing Contribution Margin is positive only once customer acquisition costs (CAC) have been paid back. For every customer lost, another customer has to be acquired in order to experience no loss. In this way, customer retention strategies help decrease your overall costs.
    • Once cost reduction and customer retention measures are in place, look to increase overall revenue through cross-selling and up-selling activities with your customers.
    The image contains a screenshot of a diagram to demonstrate the relationship between goals and enabling strategies.

    Info-Tech Insight

    Purely driving efficiency is not the goal. Create a balance that does not compromise customer satisfaction.

    Customer Service strategies: Case studies

    Efficiency

    • Volume diversion to lower cost channels
    • Agent empowerment

    MISS DIG 811 – a utility notification system – sought to make their customer service more efficient by moving to softphones. Using the Cisco Customer Journey Platform, Miss Dig saw a 9% YoY increase in agent productivity and 83% reduction in phone equipment costs. Source: (Cisco, 2018).

    Retention

    • Proactive Customer Service
    • Seamless omnichannel strategy

    VoiceSage worked with Home Retail Group – a general merchandise retailer – to proactively increase customer outreach, reducing the number of routine customer order and delivery queries received. In four weeks, Home Retail Group increased their 30-40% answer rate from customers to 100%, with 90% of incoming calls answered and 60% of contacts made via SMS. Source: (VoiceSage, 2018)

    Cross-Sell/

    Up-Sell

    • Cross-Sell and Up-Sell opportunities

    A global brand selling language-learning software utilized Callzilla to help improve their call conversion rate of 2%. After six months of agent and supervisor training, this company increased their call conversion rate to 16% and their upsell rate to 40%. Their average order value increased from < $300 to $465. Source: (Callzilla, n.d.)

    1.2 Performing an environmental scan can help IT optimize Customer Service support

    Though typically executed by Customer Service, IT can gain valuable insights for best supporting infrastructure, applications, and operations from an environmental scan.

    An environmental scan seeks to understand your organization’s customers from multiple directions. It considers:

    • Customers’ value-based segmentations.
    • The interaction channels customers prefer to use.
    • Customers’ likes and dislikes.
    • The general sentiment of your customer service quality.
    • What your competitors are doing in this space.
    The image contains a screenshot of a diagram to demonstrate how performing an environmental scan can help IT optimize Customer Service support.

    Info-Tech Insight

    Business processes must directly relate to customer service. Failing to correlate customer experience with business performance outcomes overlooks the enormous cost of negative sentiment.

    1.2 The environmental scan results should drive IT’s strategy and resource spend

    Insights derived from this scan can help frame IT’s contributions to Customer Service’s future vision.

    Why IT should care:

    Implications:

    Each customer experience, from product/service selection to post-transaction support, can have a significant impact on business performance.

    It is not just IT or Customer Service that should care; rather, it should be an organizational responsibility to care about what customers say.

    Customers have little tolerance for mediocrity or poor service and simply switch their allegiances to those that can satisfy their expectations.

    Do not ignore your competitors; they may be doing something well in Customer Service technology which may serve as your organization’s benchmark.

    With maturing mobile and social technologies, customers want to be treated as individuals rather than as a series of disconnected accounts

    Do not ignore your customers’ plea for individuality through mobile and social. Assess your customers’ technology channel preferences.

    Customer service’s perception of service quality may be drastically different than what is expected by the customers.

    Prevent your organization from investing in technology that will have no positive impact on your customer experience.

    Some customers may not provide your organization the business value that surpasses your cost to serve them.

    Focus on enhancing the technology and customer service experience for your high-value customers.

    1.2 Have Customer Service examine feedback across channels for a holistic view

    Your method of listening needs to evolve to include active listening on social and mobile channels.

    Insights and Implications for Customer Service

    Limitations of conventional listening:

    • Solicited customer feedback, such as surveys, do not provide an accurate feedback method since customers only have one channel to express their views.
    • Sentiment, voice, and text analytics within social media channels provide the most accurate and timely intelligence.

    How IT Can Help

    IT can help facilitate the customer feedback process by:

    • Conducting customer feedback with voice recognition software.
    • Monitoring customer sentiment on mobile and social channels.
    • Utilizing customer data analytic engines on social media management platforms.
    • Referring Customer Service to customer advisory councils and their databases.

    1.2 Benchmark IT assets by examining your competitors’ Customer Service capabilities

    The availability of the internet means almost complete transparency between your products and services, and those of your competitors.

    Insights and implications from Customer Service

    How IT can help

    Competitor actions are crucial. Watch your competitors to learn how they use Customer Service as a competitive differentiator and a customer acquisition tool.

    Do not learn about a competitor’s actions because your customers are already switching to them. Track your competitors before getting a harsh surprise from your customers.

    View the customer service experience from the outside in. Assessing from the inside out gives an internal perspective on how good the service is, rather than what customers are experiencing.

    Take a data and analytics-driven approach to mine insights on what customers are saying about your competitors. Negative sentiment and specific complaints can be used as reference for IT and Customer Service to:

    • Avoid repeating the competitor’s mistakes.
    • Utilize sentiment as a benchmark for goal setting and improvements.
    • Duplicate successful technology initiatives to realize business value.

    Info-Tech Insight

    Look to your competitors for comparative models but do not pursue to solely replicate what they currently have. Aim higher and attempt to surpass their capabilities and brand value.

    1.2 Collaborate with Customer Service to understand customer value segments

    Let segmentation help you gain intelligence on customers’ expectations.

    Insights and implications from customer service

    • Segment your customers based on their value relative to the cost to serve. The easiest way to do so is with channel preference categorization.
    • If the cost for retention attempts are higher than the value that those customers provide, there is little business case to pursue retention action.

    How IT can help

    • Couple value-based segmentation with channel preference and satisfaction levels of your most-valued customers to effectively target IT investments in channels that maximize service customization and quality.
    • Correlate the customers’ channel and technology usage with their business value to see which IT assets are delivering on their investments.

    The image contains a screenshot of a graph to demonstrate the relationship between cost of retention and value.

    “If you're developing a Customer Service strategy, it has to start with who your clients are, what [they are] trying to do, and through what channels […] and then your decision around processes have to fall out of that. If IT is trying to lead the conversation, or bring people together to lead the conversation, then marketing and whoever does segmentation has to be at the table as a huge component of this.”

    Lisa Woznica, Director of Client Experience, BMO Financial Group

    1.2 Be mindful of trends in the consumer and technology landscape

    Building a future vision of customer service requires knowing what upcoming technologies can aid the organization.

    OMNICHANNEL SUPPORT

    Rapidly changing demographics and modes of communication requires an evolution toward omnichannel engagement. 63% of customers now expect to communicate with contact centers over their social media (Ringshall 2020). Agents need customer information synced across each channel they use, meeting the customer’s needs where they are.

    INTELLIGENT SELF-SERVICE PORTALS

    Customers want their issues resolved as quickly as possible. Machine learning self-service options deliver personalized customer experiences, which also reduce both agent call volume and support costs for the organization. 60% of contact centers are using or plan to use AI in the next 12 months to improve their customer (Canam Research 2020).

    LEVERAGING ANALYTICS

    The future of customer service is tied up with analytics. This not only entails AI-driven capabilities that fetch the agent relevant information, but it finds skills-based routing and uses biometric data (e.g., speech) for security. It also feeds operations leaders’ need for easy access to real insights about how their customers and agents are doing.

    Phase 1 – Case Study

    Omnichannel support delivers a financial services firm immediate customer service results.

    INDUSTRY: Financial Services

    SOURCE: Mattsen Kumar

    Situation

    Solution

    Results

    • A financial services firm’s fast growth began to show cracks in their legacy customer service system.
    • Costs to support the number of customer queries increased.
    • There was a lack of visibility into incoming customer communications and their resolutions.
    • Business opportunities were lost due to a lack of information on customers’ preferences and challenges. Customer satisfaction was decreasing, negatively impacting the firm’s brand.
    • Mattsen Kumar diagnosed that the firm’s major issue was that their customer service processes required a high percentage of manual interventions.
    • Mattsen Kumar developed an omnichannel strategy, including a mix of social channels joined together by a CRM.
    • A key aspect of this omnichannel experience was designing automated processes with minimal manual intervention.
    • 25% reduction in callbacks from customers.
    • $50,000 reduction in operational costs.
    • Two minutes wait time reduction for chat process.
    • 14% decrease in average handle time.
    • Scaled up from 6000 to 50,000 monthly calls that could be handled by the current team.
    • Enabled more than 10,000 customer queries over chats.

    1.2 Construct your future state using a business process management approach

    Documenting and evaluating your business processes serves as a good starting point for defining the overall Customer Service strategy.

    • Examining key Customer Service business processes can unlock clues around the following:
      • Driving operational effectiveness.
      • Identifying, implementing, and maintaining reusable enterprise systems.
      • Identifying gaps that can be addressed by acquisition of additional systems.
    • Business process modeling facilitates the collaboration between business and IT, recording the sequence of events, tasks performed, by whom they are performed, and the levels of interaction with the various supporting applications.
    • By identifying the events and decision points in the process, and overlaying the people that perform the functions and technologies that support them, organizations are better positioned to identify gaps that need to be bridged.
    • Encourage the analysis by compiling the inventory of Customer Service business processes that are relevant to the organization.

    Info-Tech Insight

    A process-oriented approach helps organizations see the complete view of the system by linking strategic requirements to business requirements, and business requirements to system requirements.

    1.2 Use the APQC Framework to define your Customer Service-related processes

    • APQC’s Process Classification Framework (PCF) is a taxonomy of cross-functional business processes intended to allow the objective comparison of organizational performance within and among organizations.
    • Section 5 of the PCF details various levels of Customer Service business processes, useful for mapping on to your own organization’s current state.
    • The APQC Framework can be accessed through the following link: APQC’s Process Classification Framework.

    The APQC Framework serves as a high-level, industry-neutral enterprise model that allows organizations to see activities from a cross-industry process perspective.

    The image contains a screenshot example of the APQC Process Classification Framework.
    Source: (Ziemba and Eisenbardt 2015)

    Info-Tech Caution

    The APQC framework does not list all processes within a specific organization, nor are the processes which are listed in the framework present in every organization. It is designed as a framework and global standard to be customized for use in any organization.

    1.2 Each APQC process has five levels that represent its logical components

    The image contains a screenshot of the APQC five levels. The levels include: category, process group, process, and activity.

    The PCF provides L1 through 4 for the Customer Service Framework.

    L5 processes are task- and industry-specific and need to be defined by the organization.

    Source: (APQC 2020)
    This Industry Process Classification Framework was jointly developed by APQC and IBM to facilitate improvement through process management and benchmarking. ©2018 APQC and IBM. ALL RIGHTS RESERVED.

    1.2a Begin documenting business processes

    4 hours

    1. Using Info-Tech’s Customer Service Business Process Shortlisting Tool, list the Customer Service goals and rank them by importance.
    2. Score the APQC L4 processes by relevance to the defined goals and perceived satisfaction index.
    3. Define the L5 processes for the top scoring L4 process.
    4. Leave Tab 5, Columns G – I for now. These columns will be revisited in activities 1.2b and 2.1a.
    The image contains a screenshot of the Customer Service Process Shortlisting Tool.

    Input

    Output

    • List of Customer Service goals
    • A detailed prioritization of Customer Service business processes to model for future states

    Materials

    Participants

    • Whiteboard
    • Writing materials
    • Customer Service Business Process Shortlisting Tool
    • Applications Director
    • Customer Service Director
    • IT and Customer Service Representatives

    Download the Customer Service Business Process Shortlisting Tool

    1.2 Start designing the future state of key business processes

    If Customer Service transformation is called for, start with your future-state vision. Don’t get stuck in current state and the “art of the possible” within its context.

    Future-State Analysis

    Start by designing your future state business processes (based on the key processes shortlisting exercise). Design these processes as they would exist as your “ideal scenario.” Next, analyze your current state to help better your understanding of:

    • The gaps that exist and must be bridged to achieve the future-state vision.
    • Whether or not any critical functions that support your business were omitted accidentally from the future-state processes.
    • Whether or not any of the supporting applications or architecture can be salvaged and used toward delivery of your future-state vision.

    Though it’s a commonly used approach, documenting your current-state business processes first can have several drawbacks:

    • Current-state analysis can impede your ability to see future possibility.
    • Teams will spend a great deal of time and effort on documenting current state and inevitably succumb to “analysis paralysis.”
    • Current state assessment, when done first, limits the development of the future (or target) state, constraining thinking to the limitations of the current environment rather than the requirements of the business strategy.

    Current-State Analysis

    “If you're fairly immature and looking for a paradigm shift or different approach [because] you recognize you're totally doing it wrong today, then starting with documenting current state doesn't do a lot except make you sad. You don't want to get stuck in [the mindset of] ‘Here's the current state, and here’s the art of the possible.’”

    Trevor Timbeck, Executive Coach, Parachute Executive Coaching

    1.2 Start modeling future-state processes

    Build buy-in and accountability in process owners through workshops and whiteboarding – either in-person or remotely.

    Getting consensus on the process definition (who does what, when, where, why, and how) is one of the hardest parts of BPM.

    Gathering process owners for a process-defining workshop isn’t easy. Getting them to cooperate can be even harder. To help manage these difficulties during the workshop, make sure to:

    • Keep the scope contained to the processes being defined in order to make best use of everyone’s time, as taking time away from employees is a cost too.
    • Prior to the workshop, gather information about the processes with interviews, questionnaires, and/or system data gathering and analysis.
    • Use the information gathered to have real-life examples of the processes in question so that time isn’t wasted.

    Info-Tech Insight

    Keep meetings short and on task as tangents are inevitable. Set ground rules at the beginning of any brainstorming or whiteboarding session to ensure that all participants are aligned.

    1.2 Use the five W’s to help map out your future-state processes

    Define the “who, what, why, where, when, and how” of the process to gain a better understanding of individual activities.

    Owner

    Who

    What

    When

    Where

    Why

    How

    Record Claim

    Customer Service

    Customer Service Rep.

    Claim

    Accident

    Claims system

    Customer notification

    Agent enters claim into the system and notifies claims department

    Manage Claim

    Claims Department

    Claims Clerk

    Claim

    Agent submitted the claim

    Claims system

    Agent notification

    Clerk enters claim into the claims system

    Investigate Claim

    Claims Investigation

    Adjuster

    Claim

    Claim notification

    Property where claim is being made

    Assess damage

    Evaluation and expert input

    Settle Claim

    Claims Department

    Claim Approver

    Claim and Adjuster’s evaluation

    Receipt of Adjuster’s report

    Claims system

    Evaluation

    Approval or denial

    Administer Claim

    Finance Department

    Finance Clerk

    Claim amount

    Claim approval notification

    Finance system

    Payment required

    Create payment voucher and cut check

    Close Claim

    Claims Department

    Claims Clerk

    Claim and all supporting documentation

    Payment issued

    Claims system

    Claim processed

    Close the claim in the system

    Info-Tech Insight

    It’s not just about your internal processes. To achieve higher customer retention and satisfaction, it’s also useful to map the customer service process from the customer perspective to identify customer pain points and disconnects.

    1.2 Use existing in-house software as a simplistic entry point to process modeling

    A diagramming tool like Visio enables you to plot process participants and actions using dedicated symbols and connectors that indicate causality.

    • Models can use a stick-figure format, a cross-functional workflow format, or BPMN notation.
    • Plot the key activities and decision points in the process using standard flowcharting shapes. Identify the data that belongs to each step in a separate document or as call-outs on the diagram.
    • Document the flow control between steps, i.e., what causes one step to finish and another to start?

    The image contains a screenshot of the sample cross-functional diagram using the claims process.

    Info-Tech Best Practice

    Diagramming tools can force the process designer into a specific layout: linear or cross-functional/swim lane.

    • A linear format is recommended for single function and system processes.
    • A swim lane format is recommended for cross-functional and cross-departmental processes.

    1.2 Introduce low investment alternatives for process modeling for modeling disciplines

    SaaS and low-cost modeling tools are emerging to help organizations with low to medium BPM maturity visualize their processes.

    • Formal modeling tools allow a designer to model in any view and easily switch to other views to gain new perspectives on the process.
    • Subscription-based, best-of-breed SaaS tools provide scalable and flexible process modeling capabilities.
    • Open source and lower cost tools also exist to help distribute BPM modeling discipline and standards.
    • BPMS suites incorporate advanced modeling tools with process execution engines for end-to-end business process management. Integrate process discovery with modeling, process simulation, and analysis. Deploy, monitor, and measure process models in process automation engines.

    The image contains a screenshot of a diagram of the claims process.

    Explore SoftwareReviews’ Business Process Management market analysis by clicking here.

    1.2b Model future state business processes

    4 hours

    1. Model the future state of the most critical business processes.
    2. Use Tab 5, Columns G – H of Info-Tech’s Customer Service Business Process Shortlisting Tool to keep stock of what processes are targeted for modeling, and whether the models have been completed.
    The image contains a screenshot of the Customer Service Business Process Shortlisting Tool.

    Input

    Output

    • Modeled future Customer Service business processes
    • An inventory of modeled future states for critical Customer Service business processes

    Materials

    Participants

    • Whiteboard
    • Writing materials
    • Customer Service Business Process Shortlisting Tool
    • Applications Director
    • Customer Service Director

    Download the Customer Service Business Process Shortlisting Tool

    1.3 Start a preliminary inventory of your requirements

    Use the future state business process models as a source for software requirements.

    • Business process modeling deals with business requirements that can be used as the foundation for elicitation of system (functional and non-functional) requirements.
    • Modeling creates an understanding of the various steps and transfers in each business process, as well as the inputs and outputs of the process.
    • The future state models form an understanding of what information is needed and how it flows from one point to another in each process.
    • Understand what technologies are (or can be) leveraged to facilitate the exchange of information and facilitate the process.

    For each task or event in the process, ask the following questions:

    • What is the input?
    • What is the output?
    • What are the underlying risks and how can they be mitigated?
    • What conditions should be met to mitigate or eliminate each risk?
    • What are the improvement opportunities?
    • What conditions should be met to enable these opportunities?

    Info-Tech Insight

    Incorporate future considerations into the requirements. How will the system need to adapt over time to accommodate additional processes, process variations, introduction of additional channels and capabilities, etc. Do not overreach by identifying system capabilities that cannot possibly be met.

    1.3 Understand the four different requirements to document

    Have a holistic view for capturing the various requirements the organization has for a Customer Service strategy.

    Business requirements

    High-level requirements that management would typically understand.

    User requirements

    High-level requirements on how the tool should empower users’ lives.

    Non-functional requirements

    Criteria that can be used to judge the operation of a contact center. It defines how the system should perform for the organization.

    Functional requirements

    Outline the technical requirements for the desired contact center.

    1.3 Extract requirements from the business process models

    To see how, let us examine our earlier example for the Claims Process, extracting requirements from the “Record Claim” task.

    The image contains an example of the claims process, and focuses on the record claim task.

    1.3a Document your preliminary requirements

    4 hours

    1. The Applications Director and Customer Service Head are to identify participants based on the business processes that will be reviewed.
    2. They are to conduct a workshop to gather all requirements that can be taken from the business process models.
    3. Use Tab 4 of Info-Tech’s Customer Service Systems Strategy Tool to document your preliminary requirements.
    The image contains a screenshot of the Customer Service Systems Strategy Tool.
    InputOutput
    • Half-day workshop to review the proposed future-state diagrams and distill from them the business, functional, and non-functional requirements
    • Future state business process models from activities 1.2a and 1.2b
    • An inventory of preliminary requirements for modeled future states
    MaterialsParticipants
    • Whiteboard
    • Writing materials
    • Customer Service Systems Strategy Tool
    • Results of activities 1.2a and 1.2b
    • Applications Director
    • Customer Service Director
    • IT and Customer Service Representatives

    Download the Customer Service Systems Strategy Tool

    Phase 2

    Evaluate Current State

    Phase 1

    Phase 2

    Phase 3

    1.1 Structure the Project

    1.2 Define Vision for Future State

    1.3 Document Preliminary Requirements

    2.1 Document Current State Business Processes

    2.2 Assess Current State Architecture

    2.3 Review and Finalize Requirements for Future State

    3.1 Evaluate Architectural and Application Options

    3.2 Understand the Marketplace

    3.3 Score and Plot Initiatives Along Strategic Roadmap

    This phase will guide you through the following activities:

    2.1a Model current-state business processes for an inventory to compare against future-state models.

    2.1b Compare future and current business states for a preliminary gap analysis.

    2.1c Begin compiling an inventory of CS Systems by function for an overview of your current state map.

    2.2a Rate your functional and integration quality to assess the performance of your application portfolio.

    2.3a Compare states and propose action to bridge current business processes with viable future alternatives.

    2.3b Document finalized requirements, ready to enact change.

    Participants required for Phase 2:

    • Applications Director
    • Customer Service Director
    • IT and Customer Service Representatives
    • IT Managers

    2.1 Document the current state of your key business processes

    Doing so will solidify your understanding of the gaps, help identify any accidental omissions from the future state vision, and provide clues as to what can be salvaged.

    • Analysis of the current state is important in the context of gap analysis. It aids in understanding the discrepancies between your baseline and the future-state vision, and ensuring that these gaps are recorded as part of the overall requirements.
    • By analyzing the current state of key business processes, you may identify critical functions that are in place today that were not taken into consideration during the future-state business process visioning exercise.
    • By overlaying the current state process models with the applications that support them, the current state models will indicate what systems and interfaces can be salvaged.
    • The baseline feeds the business case, allowing the team to establish proposed benefits and improvements from implementing the future-state vision. Seek to understand the following:
      • The volumes of work
      • Major exceptions
      • Number of employees involved
      • Amount of time spent in each area of the process

    2.1 Assess the current state to drive the gap analysis

    Before you choose any solution, identify what needs to be done to your current state in order to achieve the vision you have defined.

    • By beginning with the future state in mind, you have likely already envisioned some potential solutions.
    • By reviewing your current situation in contrast with your desired future state, you can deliberate what needs to be done to bridge the gap. The differences between the models allow you to define a set of changes that must be enacted in sequence or in parallel. These represent the gaps.
    • The gaps, once identified, translate themselves into additional requirements.

    Assessment Example

    Future State

    Current Situation

    Next Actions/ Proposals

    Incorporate social channels for responding to customer inquiries.

    No social media monitoring or channels for interaction exist at present.

    1. Implement a social media monitoring platform tool and integrate it with the current CSM.
    2. Recruit additional Customer Service representatives to monitor and respond to inquiries via social channels.
    3. Develop report(s) for analyzing volumes of inquiries received through social channels.

    Info-Tech Insight

    It is important to allot time for the current-state analysis, confine it to the minimum effort required to understand the gaps, and identify any missing pieces from your future-state vision. Make sure the work expended is proportional to the benefit derived from this exercise.

    2.1a Model current-state business processes

    2 hours

    1. Model the current state of the most critical business processes, using the work done in activities 1.2a and 1.2b to help identify these processes.
    2. Use Tab 5, Column I of Info-Tech’s Customer Service Business Process Shortlisting Tool to keep stock of what models have been completed.
    3. This tool is now complete.
    The image contains a screenshot of the Customer Service Business Process Shortlisting Tool.
    InputOutput
    • Modeled current-state Customer Service business processes
    • An inventory of modeled current states for critical Customer Service business processes
    MaterialsParticipants
    • Whiteboard
    • Writing materials
    • Customer Service Business Process Shortlisting Tool
    • Results of activities 1.2a and 1.2b.
    • Applications Director
    • Customer Service Director

    Download the Customer Service Business Process Shortlisting Tool

    2.1b Compare future and current business states

    2 hours

    1. Use Tab 9 of Info-Tech’s Customer Service Systems Strategy Tool to record a summary of the future state, current state, and actions proposed in order to bridge the gaps.
      • Fill out the desired future state of the business processes and IT architecture.
      • Fill out the current state of the business processes and IT architecture.
      • Fill out the actions required to mitigate the gaps between the future and current state.
    The image contains a screenshot of thr Customer Service Systems Strategy Tool.
    InputOutput
    • The results of activities 1.2a, 1.2b, and 2.1a.
    • Modeled future- and current-state business processes
    • An overview and analysis of how to reach certain future states from the current state.
    • A preliminary list of next steps through bridging the gap between current and future states.
    MaterialsParticipants
    • Whiteboard
    • Writing materials
    • Customer Service Business Process Shortlisting Tool
    • Applications Director
    • Customer Service Director

    Download the Customer Service Systems Strategy Tool

    2.1 Assess whether Customer Service architecture can meet future-state vision

    Approach your CS systems holistically to identify opportunities for system architecture optimization.

    • Organizations often do not have a holistic view of their Customer Service systems. These systems are often cobbled together from disparate parts, such as:
      • Point solutions (both SaaS and on-premise).
      • Custom interfaces between applications and databases.
      • Spreadsheets and other manual workarounds.
    • A high degree of interaction between multiple systems can cause distention in the application portfolio and databases, creating room for error and more work for CS and IT staff. Mapping your systems and architectural landscape can help you:
      • Identify the number of manual processes you currently employ.
      • Eliminate redundancies.
      • Allow for consolidation and/or integration.

    Consider the following metrics when tracking your CS systems:

    Time needed to perform core tasks (i.e., resolving a customer complaint)

    Accuracy of basic information (customer history, customer product portfolio)

    CSR time spent on manual process/workarounds

    Info-Tech Insight

    There is a two-step process to document the current state of your Customer Service systems:

    1. Compile an inventory of systems by function
    2. Identify points of integration across systems

    2.1c Begin compiling an inventory of CS systems by function

    2 hours

    1. Using Tab 2 of Info-Tech’s Customer Service Systems Strategy Tool, request that the CS managers fill in the application inventory template with all the CS systems that they use.
    2. Questions to trigger exercise:
      • Which applications am I using?
      • Which CS function does the application support?
      • How many applications support the same function?
      • What spreadsheets or manual workarounds do I use to fill in system gaps?
    3. Send the filled-in template to IT Managers to validate and fill in missing system information.
    InputOutput
    • Applications Directors’ knowledge of the current state
    • IT Managers’ validation of this state
    • A corroborated inventory of the current state for Customer Service systems
    MaterialsParticipants
    • Customer Service Systems Strategy Tool
    • Applications Director
    • IT managers

    Download the Customer Service Systems Strategy Tool

    2.1 Use activity 2.1c for an overview of your current state map

    The image contains a screenshot of activity 2.1.

    Info-Tech Insight

    A current-state map of CS systems can offer insight on:

    • Coverage, i.e. whether all functional areas are supported by systems.
    • Redundancies, i.e. functional areas with multiple systems. If a customer’s records are spread across multiple systems, it may be difficult to obtain a single source of truth.

    2.2 Assess current state with user interface architecture diagrams

    Understand a high-level overview of how your current state integrates together to rate its overall quality.

    • If IT already has an architecture diagram, use this in conjunction with your application inventory for the basis of current state discussions.
    • If your organization does not already have an architecture diagram for review and discussion, consider creating one in its most simplistic form using the following guidelines (see illustrative example on next slide):

    Represent each of your systems as a labelled shape with a unique number (this number can be referenced in other artifacts that can provide more detail).

    Color coding can also be applied to differentiate these objects, e.g., to indicate an internal system (where development is owned by your organization) vs. an external system (where development is outside of your organization’s control).

    2.2 Example: Current state with user interface architecture diagrams

    The image contains a screenshot of an example of current state with user interface architecture diagrams.

    2.2 Evaluate application functionality and functional coverage

    Use this documentation of the current state as an opportunity to spot areas for rationalizing your application portfolio.

    If an application is well-received by the organization and is an overall good platform, consider acquiring more modules from the same vendor application.

    The image contains a screenshot of a diagram to demonstrate functionality and functional coverage.

    If you have more than one application for a function, consider why that is and how you might consolidate into a single application.

    Measure the effectiveness of applications under consideration. For example, consider the number of failures when an application attempts a function (by ticket numbers), and overall satisfaction/ease of use.

    The above steps will reveal capability overlaps and application pain points and show how the overall portfolio could be made more efficient.

    2.2 Determine the degree of integration between systems

    Data and system integration are key components of an effective CS system portfolio.

    The needed level of integration will depend on three major factors:

    Integration between systems helps facilitate reporting. The required reports will vary from organization to organization:

    How many other systems benefit from the data of the application?

    Large workforces will benefit from more detailed WFM reports for optimizing workforce planning and talent acquisition.

    Will automating the integration between systems alleviate a significant amount of manual effort?

    Organizations with competitive sales and incentives will want to strategize around talent management and compensation.

    What kind of reports will your organization require in order to perform core and business-enabling functions?

    Aging workforces or organizations with highly specialized skills can benefit from detailed analysis around succession planning.

    Phase 2 – Case Study

    Integrating customer relationship information streamlines customer service and increases ROI for the organization.

    INDUSTRY: Retail and Wholesale

    SOURCE: inContact

    Situation

    Solution

    Results

    • Hall Automotive – a group of 14 multi-franchise auto dealerships located throughout Virginia and North Carolina – had customer information segmented throughout their CRM system at each dealership.
    • Call center agents lacked the technology to synthesize this information, leading customers to receive multiple and unrelated service calls.
    • Hall Automotive wanted to avoid embarrassing information gaps, integrate multiple CRM systems, and help agents focus on customers.
    • Hall Automotive utilized an inContact solution that included Automated Call Distributor, Computer Telephony Integration, and IVR technologies.
    • This created a complete customer-centric system that interfaced with multiple CRM and back-office systems.
    • The inContact solution simplified intelligent call flows, routed contacts to the right agent, and provided comprehensive customer information.
    • Call time decreased from five minutes to one minute and 23 seconds.
    • 350% increase in production.
    • Market response time down from three months to one day.
    • Cost per call cut from 83 cents to 23 cents.
    • Increased agents’ calls-per-hour from 12 to 43.
    • Scalability matched seasonal fluctuations in sales.

    2.2a Rate your functional and integration quality

    2 hours

    1. Using Tab 5 of Info-Tech’s Customer Service Systems Strategy Tool, evaluate the functionality of your applications.
    2. Then, use Tab 6 of the Customer Service Systems Strategy Tool to evaluate the integration of your applications.
    The image contains screenshots of the Customer Service Systems Strategy Tool.
    InputOutput
    • Applications Directors’ knowledge of the current state
    • IT Managers’ validation of this state
    • A documented evaluation of the organization’s application portfolio regarding functional and integration quality
    MaterialsParticipants
    • Customer Service Systems Strategy Tool
    • Applications Director
    • IT managers

    Download the Customer Service Systems Strategy Tool

    2.3 Revisit and refine the future-state business processes and list of requirements

    With a better understanding of the current state, determine whether the future-state models hold up. Ensure that the requirements are updated accordingly to reflect the full set of gaps identified.

    • Future-state versus current-state modeling is an iterative process.
    • By assessing the gaps between target state and current state, you may decide that:
      • The future state model was overly ambitious for what can reasonably be delivered in the near-term.
      • Core functions that exist today were accidentally omitted from the future state models and need to be incorporated.
      • There are systems or processes that your organization would like to salvage, and they must be worked into the future-state model.
    • Once the future state vision is stabilized, ensure that all gaps have been translated into business requirements.
      • If possible, categorize all gaps by functional and non-functional requirements.

    2.3a Compare states and propose action

    3 hours

    • Revisit Tab 9 of Info-Tech’s Customer Service Systems Strategy Tool to more accurately compare your organization’s current- and future-state business processes.
    • Ensure that gaps in the system architecture have been captured.
    The image contains a screenshot of the Customer Service Systems Strategy Tool.
    InputOutput
    • Modeled future- and current-state business processes
    • Refined and prioritized list of requirements
    • An accurate list of action steps for bridging current and future state business processes
    MaterialsParticipants
    • Whiteboard
    • Writing materials
    • Customer Service Systems Strategy Tool
    • Applications Director
    • IT managers

    Download the Customer Service Systems Strategy Tool

    2.3 Prioritize and finalize the requirements

    Prioritizing requirements will help to itemize initiatives and the timing with which they need to occur.

    Requirements are to be prioritized based on relative important and the timing of the respective initiatives.

    Prioritize the full set of requirements by assigning a priority to each:

    1. High/Critical: A critical requirement; without it, the product is not acceptable to the stakeholders.
    2. Medium/Important: A necessary but deferrable requirement that makes the product less usable but still functional.
    3. Low/Desirable: A nice feature to have if there are resources, but the product can function well without it.

    Requirements prioritization must be completed in collaboration with all key stakeholders (business and IT).

    Consider the following criteria when assigning the priority:

    • Business value
    • Business or technical risk
    • Implementation difficulty
    • Likelihood of success
    • Regulatory compliance
    • Relationship to other requirements
    • Urgency
    • Unified stakeholder agreement

    Stakeholders must ask themselves:

    • What are the consequences to the business objectives if this requirement is omitted?
    • Is there an existing system or manual process/workaround that could compensate for it?
    • Why can’t this requirement be deferred to the next release?
    • What business risk is being introduced if a particular requirement cannot be implemented right away?

    2.3b Document finalized requirements

    4 hours

    1. Using Tab 4 of Info-Tech’s Customer Service Systems Strategy Tool, evaluate your applications’ functionality, review, refine, prioritize, and finalize your requirements.
    2. Review the proposed future state diagrams in activity 2.3a and distill from them the business, functional, and non-functional requirements.
    3. The Applications Director and Customer Service Head are to identify participants based on the business processes that will be reviewed. They are to conduct a workshop to gather all the requirements that can be taken from the business process models.
    The image contains a screenshot of the Customer Service Systems Strategy Tool.
    InputOutput
    • Modeled future- and current-state business processes
    • Refined and prioritized list of requirements
    • A documented finalized list of requirements to achieve future state business processes
    MaterialsParticipants
    • Whiteboard
    • Writing materials
    • Customer Service Systems Strategy Tool
    • IT Applications Director
    • Customer Service Director
    • IT and Customer Service Representatives

    Download the Customer Service Systems Strategy Tool

    Phase 3

    Build Roadmap to Future State

    Phase 1

    Phase 2

    Phase 3

    1.1 Structure the Project

    1.2 Define Vision for Future State

    1.3 Document Preliminary Requirements

    2.1 Document Current State Business Processes

    2.2 Assess Current State Architecture

    2.3 Review and Finalize Requirements for Future State

    3.1 Evaluate Architectural and Application Options

    3.2 Understand the Marketplace

    3.3 Score and Plot Initiatives Along Strategic Roadmap

    This phase will guide you through the following activities:

    3.1a Analyze future architectural posture to understand how applications within the organization ought to be arranged.

    3.3a Develop a Customer Service IT Systems initiative roadmap to reach your future state.

    Participants required for Phase 3:

    • Applications Director
    • CIO
    • Customer Service Director
    • Customer Service Head
    • IT and Customer Service Representatives
    • IT Applications Director

    3.1a Analyze future architectural posture

    1 hour

    Review Tab 8 of the Customer Service Systems Strategy Tool.

    This tab plots each system that supports Customer Service on a 2x2 framework based on its functionality and integration scores. Where these systems plot on each 2x2 provides clues as to whether they should be considered for retention, functional enhancement (upgrade), increased system integration, or replacement.

    • Integrate: The application is functionally rich, so integrate it with other modules by building or enhancing interfaces.
    • Retain: The application satisfies both functionality and integration requirements, so it should be considered for retention.
    • Replace: The application neither offers the functionality sought, nor is it integrated with other modules.
    • Replace/Enhance: The module offers poor functionality but is well integrated with other modules. If enhancing for functionality is easy (e.g., through configuration or custom development), consider enhancement or replace it altogether.
    The image contains a screenshot of tab 8 of the Customer Service Systems Strategy Tool.
    InputOutput
    • Review Tab 8 of the Customer Service Systems Strategy Tool
    • An overview of how different applications in the organization ought to be assessed
    MaterialsParticipants
    • Customer Service Systems Strategy Tool
    • IT Applications Director
    • Customer Service Director
    • IT and Customer Service Representatives

    Download the Customer Service Systems Strategy Tool

    3.1 Interpret 3.1a’s results for next steps

    Involving both sales and marketing in these discussions will provide a 360-degree view on what the modifications should accomplish.

    If the majority of applications are plotted in the “Integrate” quadrant:

    The applications are performing well in terms of functionality but have poor integration. Determine what improvements can be made to enhance integration between the systems where required (e.g. re-working existing interfaces to accommodate additional data elements, automating interfaces, or creating brand new custom interfaces where warranted).

    If the applications are spread across “Integrate,” “Retain,” and “Replace/Enhance”:

    There is no clear recommended direction in this case. Weigh the effort required to replace/enhance/integrate specific applications critical for supporting processes. If resource usage for piecemeal solutions is too high, consider replacement with suite.

    If the majority of applications are plotted in the “Retain” quadrant:

    All applications satisfy both functionality and integration requirements. There is no evidence that significant action is required.

    If the application placements are split between the “Retain” and “Replace/Enhance” quadrants:

    Consider whether or not IT has the capabilities to execute application replacement procedures. If considering replacement, consider the downstream impact on applications that the system in question is currently integrated with. Enhancing an application usually implies upgrading or adding a module to an existing application. Consider the current satisfaction with the application vendor and whether the upgrade or additional module will satisfy your customer service needs.

    3.1 Work through architectural considerations to narrow future states

    Best-of-breeds vs. suite

    Integration and consolidation

    Deployment

    Does the organization only need a point solution or an entire platform of solutions?

    Does the current state enable interoperability between software? Is there room for rationalization?

    Should any new software be SaaS-based, on-premises, or a hybrid?

    Info-Tech Insight

    Decommissioning and replacing entire applications can put well-functioning modules at risk. Make sure to drill down into the granular features to assess if the feature level performance prompts change. The goal is to make the architecture more efficient for Customer Service and easier to manage for IT. If integration has been chosen as a course of action, make sure that the spend on resources and effort is less than that on system replacement. Also make sure that the intended architecture streamlines usability for agents.

    3.1 Considerations: Best-of-breeds vs. suite

    If requirements extend beyond the capabilities of a best-of-breed solution, a suite of tools may be required.

    Best-of-breed

    Suite

    Benefits

    • Features may be more advanced for specific functional areas and a higher degree of customization may be possible.
    • If a potential delay in real-time customer data transfer is acceptable, best-of-breeds provide a similar level of functionality to suites for a lower price.
    • Best-of-breeds allow value to be realized faster than suites, as they are easier and faster to implement and configure.
    • Rip and replace is easier and vendor updates are relatively quick to market.

    Benefits

    • Everyone in the organization works from the same set of customer data.
    • There is a “lowest common denominator” for agent learning as consistent user interfaces lower learning curves and increase efficiency in usage.
    • There is a broader range of functionality using modules.
    • Integration between functional areas will be strong and the organization will be in a better position to enable version upgrades without risking invalidation of an integration point between separate systems.

    Challenges

    • Best-of-breeds typically cover less breadth of functionality than suites.
    • There is a lack of uniformity in user experience across best-of-breeds.
    • Data integrity risks are higher.
    • Variable infrastructure may be implemented due to multiple disparate systems, which adds to architecture complexity and increased maintenance.
    • There is potential for redundant functionality across multiple best-of-breeds.

    Challenges

    • Suites exhibit significantly higher costs compared to point solutions.
    • Suite module functionality may not have the same depth as point solutions.
    • Due to high configuration availability and larger-scale implementation requirements, the time to deploy is longer than point solutions.

    3.1 Considerations: Integration and consolidation

    Use Tab 7 of Info-Tech’s Customer Service Systems Strategy Tool to gauge the need for consolidation.

    IT benefits

    • Decreased spend on infrastructure, application acquisition, and development.
    • Reduced complexity in vendor management.
    • Less resources and effort spent on internal integration and functional customization.

    Customer Service benefits

    • Reduced user confusion and application usage efficiency.
    • Increased operational visibility and ease process mapping.
    • Improved data management and integrity.

    Theoretical scenarios and recommendations

    The image contains a screenshot of an example of a customer service functional purpose.

    Problem:

    • Large Redundancy – multiple applications address the same function, but one application performs better than others.

    Recommendation:

    • Consolidate the functions into Application 1 and consider decommissioning Applications 2 to 4.
    The image contains a screenshot of an example of a customer service functional purpose.

    Problem:

    • Large Redundancy – multiple applications address the same function, but none of them do it well.

    Recommendation:

    • None of the applications perform well in functional support. Consider replacing with suite or leveraging the Application 3 vendor for functional module expansion, if feasible.

    3.1 Considerations: Deployment

    SaaS is typically recommended as it reduces IT support needs. However, customization limitations and higher long-term TCO values continue to be a challenge for SaaS.

    On-premises deployment

    Hybrid deployment

    Public cloud deployment

    Benefits

    • Solution and deployment are highly customizable.
    • There are fewer compliance and security risks because customer data is kept on premises.

    Challenges

    • There is slower physical deployment.
    • Physical hardware and software are required.
    • There are higher upfront costs.

    Benefits

    • Pick-and-mix which aspects to keep on premises and which to outsource.
    • Benefits of scaling and flexibility for outsourced solution.

    Challenges

    • Expensive to maintain.
    • Requires in-house skillset for on-premises option.
    • Some control is lost over outsourced customization.

    Benefits

    • Physical hardware is not required.
    • There is rapid deployment, vendor managed product updates, and server maintenance.
    • There are lower upfront costs.

    Challenges

    • There is higher TCO over time.
    • There are perceived security risks.
    • There are service availability and reliability risks.
    • There is limited customization.

    3.1 Considerations: Public cloud deployment

    Functionality is only one aspect of a broader range of issues to narrow down the viability of a cloud-based architecture.

    Security/Privacy Concerns:

    Whether the data is stored on premise or in the cloud, it is never 100% safe. The risk increases with a multi-tenant cloud solution where a single vendor manages the data of multiple clients. If your data is particularly sensitive, heavily scrutinize the security infrastructure of potential vendors or store the data internally if internal security is deemed stronger than that of a vendor.

    Location:

    If there are individuals that need to access the system database and work in different locations, centralizing the system and its database in the cloud may be an effective approach.

    Compatibility:

    Assess the compatibility of the cloud solutions with your internal IT systems. Cloud solutions should be well-integrated with internal systems for data flow to ensure efficiency in service operations.

    Cost/Budget Constraints:

    SaaS allows conversion of up-front CapEx to periodic OpEx. It assists in bolstering a business case as costs in the short-run are much more manageable. On-premise solutions have a much higher upfront TCO than cloud solutions. However, the TCO for the long-term usage of cloud solutions under the licensing model will exceed that of an on-premise solution, especially with a growing business and user base.

    Functionality/Customization:

    Ensure that the function or feature that you need is available on the cloud solution market and that the feature is robust enough to meet service quality standards. If the available cloud solution does not support the processes that fit your future-state vision and gaps, it has little business value. If high levels of customization are required to meet functionality, the amount of effort and cost in dealing with the cloud vendor may outweigh the benefits.

    Maintenance/Downtime:

    For most organizations, lapses in cloud-service availability can become disastrous for customer satisfaction and service quality. Organizations should be prepared for potential outages since customers require constant access to customer support.

    3.2 Explore the customer service technology marketplace

    Your requirements, gap analysis, and assessment of current applications architecture may have prompted the need for a new solutions purchase.

    • Customer service technology has come a long way since PABX in 1960s call centers. Let Info-Tech give you a quick overview of the market and the major systems that revolve around Customer Service.
    • The image contains a screenshot of a timeline of the market and major systems that revolve  around customer service.

    Info-Tech Insight

    While Customer Relationships Management systems interlock several aspects of the customer journey, best-of-breed software for specific aspects of this journey could provide a better ROI if the organization’s coverage of these aspects are only “good enough” and need boosting.

    3.2 The CRM software market will continue to grow at an aggressive rate

    • In recent years, CRM suite solutions have matured significantly in their customer support capabilities. Much of this can be attributed to their acquisitions of smaller best-of-breed Customer Service vendors.
    • Many of the larger CRM solutions (like those offered by Salesforce) have now added social media engagement, knowledge bases, and multi-channel capabilities into their foundational offering.
    • CRM systems are capable of huge sophistication and integration with the core ERP, but they also have heavy license and implementation costs, and therefore may not be for everyone.
    • In some cases, customers are looking to augment upon very specific capabilities that are lacking from their customer service foundation. In these cases, best-of-breed solutions ought to be integrated with a CRM, ERP, or with one another through API integration.
    The image contains a screenshot of a graph that demonstrates the CRM global market growth, 2019-2027.

    3.2 Utilize SoftwareReviews to focus on which CS area needs enhancing

    Contact Center as a Service (CCaaS)

    Cloud-based customer experience solution that allows organizations to utilize a provider’s software to administer incoming support or inquiries from consumers in a hosted, subscription model.

    Customer Service Management (CSM)

    Supports an organization's interaction with current and potential customers. It uses data-driven tools designed to help organizations drive sales and deliver exceptional customer experiences.

    Customer Intelligence Platform

    Gather and analyze data from both structured and unstructured sources regarding your customers, including their demographic/firmographic details and activities, to build deeper and more effective customer relationships and improve business outcomes.

    Enterprise Social Media Management

    Software for monitoring social media activity with the goal of gaining insight into user opinion and optimizing social media campaigns.

    Customer Relationship Management (CRM)

    Consists of applications designed to automate and manage the customer life cycle. CRM software optimizes customer data management, lead tracking, communication logging, and marketing campaigns.

    Virtual Assistants and Chatbots

    interactive applications that use Artificial Intelligence (AI) to engage in conversation via speech or text. These applications simulate human interaction by employing natural language input and feedback.

    3.2 SoftwareReviews’ data accelerates and improves the software selection process

    SoftwareReviews collects and analyzes detailed reviews on enterprise software from real users to give you an unprecedented view into the product and vendor before you buy.

    With SoftwareReviews:

    • Access premium reports to understand the marketspace of 193 software categories.
    • Compare vendors with SoftwareReviews’ Data Quadrant Reports.
    • Discover which vendors have better customer relations management with SoftwareReviews’ Emotional Footprint Reports.
    • Explore the Product Scorecards of single vendors for a detailed analysis of their software offerings.
    The image contains a screenshot of the Software Reviews offerings.

    3.2 Speak with category experts to dive deeper into the vendor landscape

    Fact-based reviews of business software from IT professionals.

    Product and category reports with state-of-the-art data visualization.

    Top-tier data quality backed by a rigorous quality assurance process.

    User-experience insight that reveals the intangibles of working with a vendor.

    CLICK HERE to access SoftwareReviews

    Comprehensive software reviews to make better IT decisions.

    We collect and analyze the most detailed reviews on enterprise software from real users to give you an unprecedented view into the product and vendor before you buy.

    SoftwareReviews is powered by Info-Tech.

    Technology coverage is a priority for Info-Tech, and SoftwareReviews provides the most comprehensive unbiased data on today’s technology. The insights of our expert analysts provide unparalleled support to our members at every step of their buying journey.

    3.2 Leverage Info-Tech’s Rapid Application Selection Framework

    Improve your key software selection metrics for best-of-breed customer service software.

    The image contains a screenshot of an example of Info-Tech's Rapid Application Selection Framework.

    A simple measurement of the number of days from intake to decision.

    Use our Project Satisfaction Tool to measure stakeholder project satisfaction.

    Use our Application Portfolio Assessment Tool annually to measure application satisfaction.

    Use our Contract Review Service to benchmark and optimize your technology spending.

    Learn more about Info-Tech’s The Rapid Application Selection Framework

    The Rapid Application Selection Framework (RASF) is best geared toward commodity and mid-tier enterprise applications

    Not all software selection projects are created equal – some are very small, some span the entire enterprise. To ensure that IT is using the right framework, understand the cost and complexity profile of the application you’re looking to select. The RASF approach is best for commodity and mid-tier enterprise applications; selecting complex applications is better handled by the methodology described in Implement a Proactive and Consistent Vendor Selection Process.

    RASF Methodology

    Commodity & Personal Applications

    • Simple, straightforward applications (think OneNote vs. Evernote)
    • Total application spend of up to $10,000; limited risk and complexity
    • Selection done as a single, rigorous, one-day session

    Complex Mid-Tier Applications

    • More differentiated, department-wide applications (Marketo vs. Pardot)
    • Total application spend of up to $100,000; medium risk and complexity
    • RASF approach done over the course of an intensive 40-hour engagement

    Consulting Engagement

    Enterprise Applications

    Sophisticated, enterprise-wide applications (Salesforce vs. Dynamics)

    Total application spend of over $100,000; high risk and complexity

    Info-Tech can assist with tailored, custom engagements

    3.3 Translate gathered requirements and gaps into project-based initiatives

    Identify initiatives that can address multiple requirements simultaneously.

    The Process

    • You now have a list of requirements from assessing business processes and the current Customer Service IT systems architecture.
    • With a viable architecture and application posture, you can now begin scoring and plotting key initiatives along a roadmap.
    • Group similar requirements into categories of need and formulate logical initiatives to fulfill the requirements.
    • Ensure that all requirements are related to business needs, measurable, sufficiently detailed, and prioritized, and identify initiatives that meet the requirements.

    Consider this case:

    Paul’s organization, a midsize consumer packaged goods retailer, needs to monitor social media for sentiment, use social analytics to gain intelligence, and receive and respond to inquiries made over Twitter.

    The initiative:

    Implement a social media management platform (SMMP): A SMMP is able to deliver on all of the above requirements. SMMPs are highly capable platforms that have social listening modules and allow costumer service representatives to post to and monitor social media.

    3.3 Prioritize your initiatives and plan the order of rollout

    Initiatives should not and cannot be tackled all at once. There are three key factors that dictate the prioritization of initiatives.

    1. Value
      • What is the monetary value/perceived business value?
      • Are there regulatory or security related impacts if the initiative is not undertaken?
      • What is the time to market and is it an easily achievable goal?
      • How well does it align with the strategic direction?
    2. Risk
      • How technically complex is it?
      • Does it impact existing business processes?
      • Are there ample resources and right skillsets to support it?
    3. Dependencies
      • What initiatives must be undertaken first?
      • Which subsequent initiatives will it support?

    Example scenario using Info-Tech’s Initiative Scoring and Roadmap Tool

    An electronics distributor wants to implement social media monitoring and response. Its existing CRM does not have robust channel management functions. The organization plans to replace its CRM in the future, but because of project size and impact and budgetary constraints, the replacement project has been scheduled to occur two years from now.

    • The SMMP solution proposed for implementation has a high perceived value and is low risk.
    • The CRM replacement has higher value, but also carries significantly more risk.
    • Option 1: Complete the CRM replacement first, and overlay the social media monitoring component afterward (as the SMMP must be integrated with the CRM).
    • Option 2: Seize the easily achievable nature of the SMMP initiative. Implement it now and plan to re-work the CRM integration later.
    The image contains a screenshot of an example scenario using Info-Tech's Initiative Scoring and Roadmap Tool.

    3.3a Develop a Customer Service IT Systems initiative roadmap

    1 hour

    • Complete the tool as a team during a one-hour meeting to collaborate and agree on criteria and weighting.
      1. Input initiative information.
      2. Determine value and risk evaluation criteria.
      3. Evaluate each initiative to determine its priority.
      4. Create a roadmap of prioritized initiatives.
    The image contains a screenshot of the Customer Service Initiative Scoring and Roadmap Tool.
    InputOutput
    • Input the initiative information including the start date, end date, owner, and dependencies
    • Adjust the evaluation criteria, i.e., the value and risk factors
    • A list of initiatives and a roadmap toward the organization’s future state of Customer Service IT Systems
    MaterialsParticipants
    • Customer Service Initiative Scoring and Roadmap Tool
    • Applications Director
    • CIO
    • Customer Service Head

    Download the Customer Service Initiative Scoring and Roadmap Tool

    Document and communicate the strategy

    Leverage the artifacts of this blueprint to summarize your findings and communicate the outcomes of the strategy project to the necessary stakeholders.

    Document Section

    Proposed Content

    Leverage the Following Artifacts

    Executive Summary

    • Introduction
    • The opportunity
    • The scope
    • The stakeholders
    • Project success measures

    Project Charter section:

    • 1.1 Project Overview
    • 1.2 Project Objectives
    • 1.3 Project Benefits
    • 2.0 Scope

    Project RACI Chart Tool:

    • Tab 3. Simplified Output
    The image contains screenshots from the Project Charter, and the RACI Chart Tool.

    Background

    • The project approach
    • Current situation overview
    • Results of the environmental scan

    Blueprint slides:

    • Info-Tech’s methodology to develop your IT Strategy for CS Systems
    The image contains a screenshot from the blueprint slides.

    Future-State Vision

    • Customer service goals
    • Future-state modeling findings

    Customer Service Business Process Shortlisting Tool:

    • Tab 2. Customer Service Goals
    • Tab 5. Level 5 Process Inventory

    Future State Business Process Models

    The image contains screenshots from the Customer Service Business Process Shortlisting Tool.

    Current Situation

    • Current-state modeling findings
    • Current-state architecture findings
    • Gap assessment
    • Requirements

    Customer Service Systems Strategy Tool:

    • Tab 2. Inventory of Applications
    • Tab 7. Systems Health Heat Map
    • Tab 8. Systems Health Dashboard
    • Tab 9. Future vs. Current State
    • Tab 4. Requirements Collection
    The image contains screenshots from the Customer Service Systems Strategy Tool.

    Summary of Recommendations

    • Optimization opportunities
    • New capabilities

    N/A

    IT Strategy Implementation Plan

    • Implementation plan
    • Business case

    Customer Service Initiative Scoring and Roadmap Tool:

    • Tab 2. CS Initiative Definition
    • Tab 4. CS Technology Roadmap
    The image contains screenshots from the Customer Service Initiative Scoring and Roadmap Tool.

    Summary of Accomplishment

    Develop an IT Strategy to Support Customer Service

    With ecommerce accelerating and customer expectations rising with it, organizations must have an IT strategy to support Customer Service.

    The deliverable you have produced from this blueprint provides a solution to this problem: a roadmap to a desired future state for how IT can ground an effective customer service engagement. From omnichannel to self-service, IT will be critical to enabling the tools required to digitally meet customer needs.

    Begin implementing your roadmap!

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information.

    workshops@infotech.com

    1-888-670-8889

    Related Info-Tech Research

    Deliver a Customer Service Training Program to Your IT Department

    • One training session is not enough to make a change. Leaders must embed the habits, create a culture of engagement and positivity, provide continual coaching and development, regularly gather customer feedback, and seek ways to improve.

    Build a Chatbot Proof of Concept

    • When implemented effectively, chatbots can help save costs, generate new revenue, and ultimately increase customer satisfaction for both external- and internal-facing customers.

    The Rapid Application Selection Framework

    • Application selection is a critical activity for IT departments. Implement a repeatable, data-driven approach that accelerates application selection efforts.

    Bibliography (1/2)

    • Callzilla. "Software Maker Compares Call Center Companies, Switches to Callzilla After 6 Months of Results." Callzilla. N.d. Accessed: 4 Jul. 2022.
    • Cisco. “Transforming Customer Service.” Cisco. 2018. Accessed: 8 Feb. 2021.
    • Gottlieb, Giorgina. “The Importance of Data for Superior Customer Experience and Business Success.” Medium. 23 May 2019. Accessed: 8 Feb. 2021.
    • Grand View Research. “Customer Relationship Management Market Size, Share & Trends Analysis Report By Solution, By Deployment, By Enterprise Size, By End Use, By Region, And Segment Forecasts, 2020 – 2027.” Grand View Research. April 2020. Accessed: 17 Feb. 2021.
    • inContact. “Hall Automotive Accelerates Customer Relations with inContact.” inContact. N.d. Accessed: 8 Feb. 2021.
    • Kulbyte, Toma. “37 Customer Experience Statistics to Know in 2021.” Super Office. 4 Jan. 2021. Accessed: 5 Feb. 2021.
    • Kuligowski, Kiely. "11 Benefits of CRM Systems." Business News Daily. 29 Jun. 2022. Accessed: 4 Jul. 2022.
    • Mattsen Kumar. “Ominchannel Support Transforms Customer Experience for Leading Fintech Player in India.” Mattsen Kumar. 4 Apr. 2020. Accessed: 8 Feb. 2021.
    • Microsoft. “State of Global Customer Service Report.” Microsoft. Mar. 2019. Accessed: 8 Feb. 2021.
    • Ringshall, Ben. “Contact Center Trends 2020: A New Age for the Contact Center.” Fonolo. 20 Oct. 2020. Accessed 2 Nov. 2020.
    • Salesforce. “State of Service.” Salesforce. 4th ed. 2020. Accessed: 8 Feb. 2021.
    • Sopadjieva, Emma, Utpal M. Dholakia, and Beth Benjamin. “A Study of 46,000 Shoppers Shows That Omnichannel Retailing Works.” Harvard Business Review. 3 Jan. 2017. Accessed: 8 Feb. 2021.

    Bibliography (2/2)

    • Tech Pro Research. “Digital Transformation Research Report 2018: Strategy, Returns on Investment, and Challenges.” Tech Pro Research. 29 Jul. 2018. Accessed: 5 Feb. 2021.
    • TSB. “TSB Bank Self-Serve Banking Increases 9% with Adobe Sign.” TSB. N.d. Accessed: 8 Feb. 2021.
    • VoiceSage. “VoiceSage Helps Home Retail Group Transform Customer Experience.” VoiceSage. 4 May 2018. Accessed: 8 Feb. 2021.

    Digital Data Ethics

    • Download01-Title: Tech Trend Update: If Digital Ethics Then Data Equity
    • Download-01: Visit Link
    • member rating overall impact: 9/10
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation

    In the past two years, we've seen that we need quick technology solutions for acute issues. We quickly moved to homeworking and then to a hybrid form. We promptly moved many of our offline habits online.

    That necessitated a boost in data collection from us towards our customers and employees, and business partners.
    Are you sure how to approach this structurally? What is the right thing to do?

    Impact and Results

    • When you partner with another company, set clear expectations
    • When you are building your custom solution, invite constructive criticism
    • When you present yourself as the authority, consider the most vulnerable in the relationship

    innovation

    Develop an Availability and Capacity Management Plan

    • Buy Link or Shortcode: {j2store}500|cart{/j2store}
    • member rating overall impact: 8.0/10 Overall Impact
    • member rating average dollars saved: $2,840 Average $ Saved
    • member rating average days saved: 10 Average Days Saved
    • Parent Category Name: Availability & Capacity Management
    • Parent Category Link: /availability-and-capacity-management
    • It is crucial for capacity managers to provide capacity in advance of need to maximize availability.
    • In an effort to ensure maximum uptime, organizations are overprovisioning (an average of 59% for compute, and 48% for storage). With budget pressure mounting (especially on the capital side), the cost of this approach can’t be ignored.
    • Half of organizations have experienced capacity-related downtime, and almost 60% wait more than three months for additional capacity.

    Our Advice

    Critical Insight

    • All too often capacity management is left as an afterthought. The best capacity managers bake capacity management into their organization’s business processes, becoming drivers of value.
    • Communication is key. Build bridges between your organization’s silos, and involve business stakeholders in a dialog about capacity requirements.

    Impact and Result

    • Map business metrics to infrastructure component usage, and use your organization’s own data to forecast demand.
    • Project future needs in line with your hardware lifecycle. Never suffer availability issues as a result of a lack of capacity again.
    • Establish infrastructure as a driver of business value, not a “black hole” cost center.

    Develop an Availability and Capacity Management Plan Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should build a capacity management plan, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Develop an Availability and Capacity Management Plan – Phases 1-4

    1. Conduct a business impact analysis

    Determine the most critical business services to ensure availability.

    • Develop an Availability and Capacity Management Plan – Phase 1: Conduct a Business Impact Analysis
    • Business Impact Analysis Tool

    2. Establish visibility into core systems

    Craft a monitoring strategy to gather usage data.

    • Develop an Availability and Capacity Management Plan – Phase 2: Establish Visibility into Core Systems
    • Capacity Snapshot Tool

    3. Solicit and incorporate business needs

    Integrate business stakeholders into the capacity management process.

    • Develop an Availability and Capacity Management Plan – Phase 3: Solicit and Incorporate Business Needs
    • Capacity Plan Template

    4. Identify and mitigate risks

    Identify and mitigate risks to your capacity and availability.

    • Develop an Availability and Capacity Management Plan – Phase 4: Identify and Mitigate Risks

    [infographic]

    Workshop: Develop an Availability and Capacity Management Plan

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Conduct a Business Impact Analysis

    The Purpose

    Determine the most important IT services for the business.

    Key Benefits Achieved

    Understand which services to prioritize for ensuring availability.

    Activities

    1.1 Create a scale to measure different levels of impact.

    1.2 Evaluate each service by its potential impact.

    1.3 Assign a criticality rating based on the costs of downtime.

    Outputs

    RTOs/RPOs

    List of gold systems

    Criticality matrix

    2 Establish Visibility Into Core Systems

    The Purpose

    Monitor and measure usage metrics of key systems.

    Key Benefits Achieved

    Capture and correlate data on business activity with infrastructure capacity usage.

    Activities

    2.1 Define your monitoring strategy.

    2.2 Implement your monitoring tool/aggregator.

    Outputs

    RACI chart

    Capacity/availability monitoring strategy

    3 Develop a Plan to Project Future Needs

    The Purpose

    Determine how to project future capacity usage needs for your organization.

    Key Benefits Achieved

    Data-based, systematic projection of future capacity usage needs.

    Activities

    3.1 Analyze historical usage trends.

    3.2 Interface with the business to determine needs.

    3.3 Develop a plan to combine these two sources of truth.

    Outputs

    Plan for soliciting future needs

    Future needs

    4 Identify and Mitigate Risks

    The Purpose

    Identify potential risks to capacity and availability.

    Develop strategies to ameliorate potential risks.

    Key Benefits Achieved

    Proactive approach to capacity that addresses potential risks before they impact availability.

    Activities

    4.1 Identify capacity and availability risks.

    4.2 Determine strategies to address risks.

    4.3 Populate and review completed capacity plan.

    Outputs

    List of risks

    List of strategies to address risks

    Completed capacity plan

    Further reading

    Develop an Availability and Capacity Management Plan

    Manage capacity to increase uptime and reduce costs.

    ANALYST PERSPECTIVE

    The cloud changes the capacity manager’s job, but it doesn’t eliminate it.

    "Nobody doubts the cloud’s transformative power. But will its ascent render “capacity manager” an archaic term to be carved into the walls of datacenters everywhere for future archaeologists to puzzle over? No. While it is true that the cloud has fundamentally changed how capacity managers do their jobs , the process is more important than ever. Managing capacity – and, by extent, availability – means minimizing costs while maximizing uptime. The cloud era is the era of unlimited capacity – and of infinite potential costs. If you put the infinity symbol on a purchase order… well, it’s probably not a good idea. Manage demand. Manage your capacity. Manage your availability. And, most importantly, keep your stakeholders happy. You won’t regret it."

    Jeremy Roberts,

    Consulting Analyst, Infrastructure Practice

    Info-Tech Research Group

    Availability and capacity management transcend IT

    This Research Is Designed For:

    ✓ CIOs who want to increase uptime and reduce costs

    ✓ Infrastructure managers who want to deliver increased value to the business

    ✓ Enterprise architects who want to ensure stability of core IT services

    ✓ Dedicated capacity managers

    This Research Will Help You:

    ✓ Develop a list of core services

    ✓ Establish visibility into your system

    ✓ Solicit business needs

    ✓ Project future demand

    ✓ Set SLAs

    ✓ Increase uptime

    ✓ Optimize spend

    This Research Will Also Assist:

    ✓ Project managers

    ✓ Service desk staff

    This Research Will Help Them:

    ✓ Plan IT projects

    ✓ Better manage availability incidents caused by lack of capacity

    Executive summary

    Situation

    • IT infrastructure leaders are responsible for ensuring that the business has access to the technology needed to keep the organization humming along. This requires managing capacity and availability.
    • Dependencies go undocumented. Services are provided on an ad hoc basis, and capacity/availability are managed reactively.

    Complication

    • Organizations are overprovisioning an average of 59% for compute, and 48% for storage. This is expensive. With budget pressure mounting, the cost of this approach can’t be ignored.
    • Lead time to respond to demand is long. Half of organizations have experienced capacity-related downtime, and almost 60% wait 3+ months for additional capacity. (451 Research, 3)

    Resolution

    • Conduct a business impact analysis to determine which of your services are most critical, and require active capacity management that will reap more in benefits than it produces in costs.
    • Establish visibility into your system. You can’t track what you can’t see, and you can’t see when you don’t have proper monitoring tools in place.
    • Develop an understanding of business needs. Use a combination of historical trend analyses and consultation with line of business and project managers to separate wants from needs. Overprovisioning used to be necessary, but is no longer required.
    • Project future needs in line with your hardware lifecycle. Never suffer availability issues as a result of a lack of capacity again.

    Info-Tech Insight

    1. Components are critical. The business doesn’t care about components. You, however, are not so lucky…
    2. Ask what the business is working on, not what they need. If you ask them what they need, they’ll tell you – and it won’t be cheap. Find out what they’re going to do, and use your expertise to service those needs.
    3. Cloud shmoud. The role of the capacity manager is changing with the cloud, but capacity management is as important as ever.

    Save money and drive efficiency with an effective availability and capacity management plan

    Overprovisioning happens because of the old style of infrastructure provisioning (hardware refresh cycles) and because capacity managers don’t know how much they need (either as a result of inaccurate or nonexistent information).

    According to 451 Research, 59% of enterprises have had to wait 3+ months for new capacity. It is little wonder, then, that so many opt to overprovision. Capacity management is about ensuring that IT services are available, and with lead times like that, overprovisioning can be more attractive than the alternative. Fortunately there is hope. An effective availability and capacity management plan can help you:

    • Identify your gold systems
    • Establish visibility into them
    • Project your future capacity needs

    Balancing overprovisioning and spending is the capacity manager’s struggle.

    Availability and capacity management go together like boots and feet

    Availability and capacity are not the same, but they are related and can be effectively managed together as part of a single process.

    If an IT department is unable to meet demand due to insufficient capacity, users will experience downtime or a degradation in service. To be clear, capacity is not the only factor in availability – reliability, serviceability, etc. are significant as well. But no organization can effectively manage availability without paying sufficient attention to capacity.

    "Availability Management is concerned with the design, implementation, measurement and management of IT services to ensure that the stated business requirements for availability are consistently met."

    – OGC, Best Practice for Service Delivery, 12

    "Capacity management aims to balance supply and demand [of IT storage and computing services] cost-effectively…"

    – OGC, Business Perspective, 90

    Integrate the three levels of capacity management

    Successful capacity management involves a holistic approach that incorporates all three levels.

    Business The highest level of capacity management, business capacity management, involves predicting changes in the business’ needs and developing requirements in order to make it possible for IT to adapt to those needs. Influx of new clients from a failed competitor.
    Service Service capacity management focuses on ensuring that IT services are monitored to determine if they are meeting pre-determined SLAs. The data gathered here can be used for incident and problem management. Increased website traffic.
    Component Component capacity management involves tracking the functionality of specific components (servers, hard drives, etc.), and effectively tracking their utilization and performance, and making predictions about future concerns. Insufficient web server compute.

    The C-suite cares about business capacity as part of the organization’s strategic planning. Service leads care about their assigned services. IT infrastructure is concerned with components, but not for their own sake. Components mean services that are ultimately designed to facilitate business.

    A healthcare organization practiced poor capacity management and suffered availability issues as a result

    CASE STUDY

    Industry: Healthcare

    Source: Interview

    New functionalities require new infrastructure

    There was a project to implement an elastic search feature. This had to correlate all the organization’s member data from an Oracle data source and their own data warehouse, and pool them all into an elastic search index so that it could be used by the provider portal search function. In estimating the amount of space needed, the infrastructure team assumed that all the data would be shared in a single place. They didn’t account for the architecture of elastic search in which indexes are shared across multiple nodes and shards are often split up separately.

    Beware underestimating demand and hardware sourcing lead times

    As a result, they vastly underestimated the amount of space that was needed and ended up short by a terabyte. The infrastructure team frantically sourced more hardware, but the rush hardware order arrived physically damaged and had to be returned to the vendor.

    Sufficient budget won’t ensure success without capacity planning

    The project’s budget had been more than sufficient to pay for the extra necessary capacity, but because a lack of understanding of the infrastructure impact resulted in improper forecasting, the project ended up stuck in a standstill.

    Manage availability and keep your stakeholders happy

    If you run out of capacity, you will inevitably encounter availability issues like downtime and performance degradation . End users do not like downtime, and neither do their managers.

    There are three variables that are monitored, measured, and analyzed as part of availability management more generally (Valentic).

      1. Uptime:

    The availability of a system is the percentage of time the system is “up,” (and not degraded) which can be calculated using the following formula: uptime/(uptime + downtime) x 100%. The more components there are in a system, the lower the availability, as a rule.

      1. Reliability:

    The length of time a component/service can go before there is an outage that brings it down, typically measured in hours.

      1. Maintainability:

    The amount of time it takes for a component/service to be restored in the event of an outage, also typically measured in hours.

    Enter the cloud: changes in the capacity manager role

    There can be no doubt – the rise of the public cloud has fundamentally changed the nature of capacity management.

    Features of the public cloudImplications for capacity management
    Instant, or near-instant, instantiation Lead times drop; capacity management is less about ensuring equipment arrives on time.
    Pay-as-you go services Capacity no longer needs to be purchased in bulk. Pay only for what you use and shut down instances that are no longer necessary.
    Essentially unlimited scalability Potential capacity is infinite, but so are potential costs.
    Offsite hosting Redundancy, but at the price of the increasing importance of your internet connection.

    Vendors will sell you the cloud as a solution to your capacity/availability problems

    The image contains two graphs. The first graph on the left is titled: Reactive Management, and shows the struggling relationship between capacity and demand. The second graph on the right is titled: Cloud future (ideal), which demonstrates a manageable relationship between capacity and demand over time.

    Traditionally, increases in capacity have come in bursts as a reaction to availability issues. This model inevitably results in overprovisioning, driving up costs. Access to the cloud changes the equation. On-demand capacity means that, ideally, nobody should pay for unused capacity.

    Reality check: even in the cloud era, capacity management is necessary

    You will likely find vendors to nurture the growth of a gap between your expectations and reality. That can be damaging.

    The cloud reality does not look like the cloud ideal. Even with the ostensibly elastic cloud, vendors like the consistency that longer-term contracts offer. Enter reserved instances: in exchange for lower hourly rates, vendors offer the option to pay a fee for a reserved instance. Usage beyond the reserved will be billed at a higher hourly rate. In order to determine where that line should be drawn, you should engage in detailed capacity planning. Unfortunately, even when done right, this process will result in some overprovisioning, though it does provide convenience from an accounting perspective. The key is to use spot instances where demand is exceptional and bounded. Example: A university registration server that experiences exceptional demand at the start of term but at no other time.

    The image contains an example of cloud reality not matching with the cloud ideal in the form of a graph. The graph is split horizontally, the top half is red, and there is a dotted line splitting it from the lower half. The line is labelled: Reserved instance ceiling. In the bottom half, it is the colour green and has a curving line.

    Use best practices to optimize your cloud resources

    The image contains two graphs. The graph on the left is labelled: Ineffective reserve capacity. At the top of the graph is a dotted line labelled: Reserved Instance ceiling. The graph is measuring capacity requirements over time. There is a curved line on the graph that suddenly spikes and comes back down. The spike is labelled unused capacity. The graph on the right is labelled: Effective reserve capacity. The reserved instance ceiling is about halfway down this graph, and it is comparing capacity requirements over time. This graph has a curved line on it, also has a spike and is labelled: spot instance.

    Even in the era of elasticity, capacity planning is crucial. Spot instances – the spikes in the graph above – are more expensive, but if your capacity needs vary substantially, reserving instances for all of the space you need can cost even more money. Efficiently planning capacity will help you draw this line.

    Evaluate business impact; not all systems are created equal

    Limited resources are a reality. Detailed visibility into every single system is often not feasible and could be too much information.

    Simple and effective. Sometimes a simple display can convey all of the information necessary to manage critical systems. In cars it is important to know your speed, how much fuel is in the tank, and whether or not you need to change your oil/check your engine.

    Where to begin?! Specialized information is sometimes necessary, but it can be difficult to navigate.

    Take advantage of a business impact analysis to define and understand your critical services

    Ideally, downtime would be minimal. In reality, though, downtime is a part of IT life. It is important to have realistic expectations about its nature and likelihood.

    STEP 1

    STEP 2

    STEP 3

    STEP 4

    STEP 5

    Record applications and dependencies

    Utilize your asset management records and document the applications and systems that IT is responsible for managing and recovering during a disaster.

    Define impact scoring scale

    Ensure an objective analysis of application criticality by establishing a business impact scale that applies to all applications.

    Estimate impact of downtime

    Leverage the scoring criteria from the previous step and establish an estimated impact of downtime for each application.

    Identify desired RTO and RPO

    Define what the RTOs/RPOs should be based on the impact of a business interruption and the tolerance for downtime and data loss.

    Determine current RTO/RPO

    Conduct tabletop planning and create a flowchart of your current capabilities. Compare your current state to the desired state from the previous step.

    Info-Tech Insight

    According to end users, every system is critical and downtime is intolerable. Of course, once they see how much totally eliminating downtime can cost, they might change their tune. It is important to have this discussion to separate the critical from the less critical – but still important – services.

    Establish visibility into critical systems

    You may have seen “If you can’t measure it, you can’t manage it” or a variation thereof floating around the internet. This adage is consumable and makes sense…doesn’t it?

    "It is wrong to suppose that if you can’t measure it, you can’t manage it – a costly myth."

    – W. Edwards Deming, statistician and management consultant, author of The New Economics

    While it is true that total monitoring is not absolutely necessary for management, when it comes to availability and capacity – objectively quantifiable service characteristics – a monitoring strategy is unavoidable. Capturing fluctuations in demand, and adjusting for those fluctuations, is among the most important functions of a capacity manager, even if hovering over employees with a stopwatch is poor management.

    Solicit needs from line of business managers

    Unless you head the world’s most involved IT department (kudos if you do) you’re going to have to determine your needs from the business.

    Do

    Do not

    ✓ Develop a positive relationship with business leaders responsible for making decisions.

    ✓ Make yourself aware of ongoing and upcoming projects.

    ✓ Develop expertise in organization-specific technology.

    ✓ Make the business aware of your expenses through chargebacks or showbacks.

    ✓ Use your understanding of business projects to predict business needs; do not rely on business leaders’ technical requests alone.

    X Be reactive.

    X Accept capacity/availability demands uncritically.

    X Ask line of business managers for specific computing requirements unless they have the technical expertise to make informed judgments.

    X Treat IT as an opaque entity where requests go in and services come out (this can lead to irresponsible requests).

    Demand: manage or be managed

    You might think you can get away with uncritically accepting your users’ demands, but this is not best practice. If you provide it, they will use it.

    The company meeting

    “I don’t need this much RAM,” the application developer said, implausibly. Titters wafted above the assembled crowd as her IT colleagues muttered their surprise. Heads shook, eyes widened. In fact, as she sat pondering her utterance, the developer wasn’t so sure she believed it herself. Noticing her consternation, the infrastructure manager cut in and offered the RAM anyway, forestalling the inevitable crisis that occurs when seismic internal shifts rock fragile self-conceptions. Until next time, he thought.

    "Work expands as to fill the resources available for its completion…"

    – C. Northcote Parkinson, quoted in Klimek et al.

    Combine historical data with the needs you’ve solicited to holistically project your future needs

    Predicting the future is difficult, but when it comes to capacity management, foresight is necessary.

    Critical inputs

    In order to project your future needs, the following inputs are necessary.

    1. Usage trends: While it is true that past performance is no indication of future demand, trends are still a good way to validate requests from the business.
    2. Line of business requests: An understanding of the projects the business has in the pipes is important for projecting future demand.
    3. Institutional knowledge: Read between the lines. As experts on information technology, the IT department is well-equipped to translate needs into requirements.
    The image contains a graph that is labelled: Projected demand, and graphs demand over time. There is a curved line that passes through a vertical line labelled present. There is a box on top of the graph that contains the text: Note: confidence in demand estimates will very by service and by stakeholder.

    Follow best practice guidelines to maximize the efficiency of your availability and capacity management process

    The image contains Info-Tech's IT Management & Governance Framework. The framework displays many of Info-Tech's research to help optimize and improve core IT processes. The name of this blueprint is under the Infrastructure & Operations section, and has been circled to point out where it is in the framework.

    Understand how the key frameworks relate and interact

    The image contains a picture of the COBIT 5 logo.

    BA104: Manage availability and capacity

    • Current state assessment
    • Forecasting based on business requirements
    • Risk assessment of planning and implementation of requirements
    The image contains a picture of the ITIL logo

    Availability management

    • Determine business requirements
    • Match requirements to capabilities
    • Address any mismatch between requirements and capabilities in a cost-effective manner

    Capacity management

    • Monitoring services and components
    • Tuning for efficiency
    • Forecasting future requirements
    • Influencing demand
    • Producing a capacity plan
    The image contains a picture of Info-Tech Research Group logo.

    Availability and capacity management

    • Conduct a business impact analysis
    • Establish visibility into critical systems
    • Solicit and incorporate business needs
    • Identify and mitigate risks

    Disaster recovery and business continuity planning are forms of availability management

    The scope of this project is managing day-to-day availability, largely but not exclusively, in the context of capacity. For additional important information on availability, see the following Info-Tech projects.

      • Develop a Business Continuity Plan

    If your focus is on ensuring process continuity in the event of a disaster.

      • Establish a Program to Enable Effective Performance Monitoring

    If your focus is on flow mapping and transaction monitoring as part of a plan to engage APM vendors.

      • Create a Right-Sized Disaster Recovery Plan

    If your focus is on hardening your IT systems against major events.

    Info-Tech’s approach to availability and capacity management is stakeholder-centered and cloud ready

    Phase 1:

    Conduct a business impact analysis

    Phase 2:

    Establish visibility into core systems

    Phase 3:

    Solicit and incorporate business needs

    Phase 4:

    Identify and mitigate risks

    1.1 Conduct a business impact analysis

    1.2 Assign criticality ratings to services

    2.1 Define your monitoring strategy

    2.2 Implement monitoring tool/aggregator

    3.1 Solicit business needs

    3.2 Analyze data and project future needs

    4.1 Identify and mitigate risks

    Deliverables

    • Business impact analysis
    • Gold systems
    • Monitoring strategy
    • List of stakeholders
    • Business needs
    • Projected capacity needs
    • Risks and mitigations
    • Capacity management summary cards

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Availability & capacity management – project overview

     

    Conduct a business impact analysis

    Establish visibility into core systems

    Solicit and incorporate business needs

    Identify and
    mitigate risks

    Best-Practice Toolkit

    1.1 Create a scale to measure different levels of impact

    1.2 Assign criticality ratings to services

    2.1 Define your monitoring strategy

    2.2 Implement your monitoring tool/aggregator

    3.1 Solicit business needs and gather data

    3.2 Analyze data and project future needs

    4.1 Identify and mitigate risks

    Guided Implementations

    Call 1: Conduct a business impact analysis Call 1: Discuss your monitoring strategy

    Call 1: Develop a plan to gather historical data; set up plan to solicit business needs

    Call 2: Evaluate data sources

    Call 1: Discuss possible risks and strategies for risk mitigation

    Call 2: Review your capacity management plan

    Onsite Workshop

    Module 1:

    Conduct a business impact analysis

    Module 2:

    Establish visibility into core systems

    Module 3:

    Develop a plan to project future needs

    Module 4:

    Identify and mitigate risks

     

    Phase 1 Results:

    • RTOs/RPOs
    • List of gold systems
    • Criticality matrix

    Phase 2 Results:

    • Capacity/availability monitoring strategy

    Phase 3 Results:

    • Plan for soliciting future needs
    • Future needs

    Phase 4 Results:

    • Strategies for reducing risks
    • Capacity management plan

    Workshop overview

    Contact your account representative or email Workshops@InfoTech.com for more information.

     

    Workshop Day 1

    Workshop Day 2

    Workshop Day 3

    Workshop Day 4

     

    Conduct a business
    impact analysis

    Establish visibility into
    core systems

    Solicit and incorporate business needs

    Identify and mitigate risks

    Activities

    1.1 Conduct a business impact analysis

    1.2 Create a list of critical dependencies

    1.3 Identify critical sub-components

    1.4 Develop best practices to negotiate SLAs

    2.1 Determine indicators for sub-components

    2.2 Establish visibility into components

    2.3 Develop strategies to ameliorate visibility issues

    3.1 Gather relevant business-level data

    3.2 Gather relevant service-level data

    3.3 Analyze historical trends

    3.4 Build a list of business stakeholders

    3.5 Directly solicit requirements from the business

    3.6 Map business needs to technical requirements

    3.7 Identify inefficiencies and compare historical data

    • 4.1 Brainstorm potential causes of availability and capacity risk
    • 4.2 Identify and mitigate capacity risks
    • 4.3 Identify and mitigate availability risks

    Deliverables

    1. Business impact analysis
    2. List of gold systems
    3. SLA best practices
    1. Sub-component metrics
    2. Strategy to establish visibility into critical sub-components
    1. List of stakeholders
    2. Business requirements
    3. Technical requirements
    4. Inefficiencies
    1. Strategies for mitigating risks
    2. Completed capacity management plan template

    PHASE 1

    Conduct a Business Impact Analysis

    Step 1.1: Conduct a business impact analysis

    This step will walk you through the following activities:

    • Record applications and dependencies in the Business Impact Analysis Tool.
    • Define a scale to estimate the impact of various applications’ downtime.
    • Estimate the impact of applications’ downtime.

    This involves the following participants:

    • Capacity manager
    • Infrastructure team

    Outcomes of this step

    • Estimated impact of downtime for various applications

    Execute a business impact analysis (BIA) as part of a broader availability plan

    1.1a Business Impact Analysis Tool

    Business impact analyses are an invaluable part of a broader IT strategy. Conducting a BIA benefits a variety of processes, including disaster recovery, business continuity, and availability and capacity management

    STEP 1

    STEP 2

    STEP 3

    STEP 4

    STEP 5

    Record applications and dependencies

    Utilize your asset management records and document the applications and systems that IT is responsible for managing and recovering during a disaster.

    Define impact scoring scale

    Ensure an objective analysis of application criticality by establishing a business impact scale that applies to all applications.

    Estimate impact of downtime

    Leverage the scoring criteria from the previous step and establish an estimated impact of downtime for each application.

    Identify desired RTO and RPO

    Define what the RTOs/RPOs should be based on the impact of a business interruption and the tolerance for downtime and data loss.

    Determine current RTO/RPO

    Conduct tabletop planning and create a flowchart of your current capabilities. Compare your current state to the desired state from the previous step.

    Info-Tech Insight

    Engaging in detailed capacity planning for an insignificant service draws time and resources away from more critical capacity planning exercises. Time spent tracking and planning use of the ancient fax machine in the basement is time you’ll never get back.

    Control the scope of your availability and capacity management planning project with a business impact analysis

    Don’t avoid conducting a BIA because of a perception that it’s too onerous or not necessary. If properly managed, as described in this blueprint, the BIA does not need to be onerous and the benefits are tangible.

    A BIA enables you to identify appropriate spend levels, continue to drive executive support, and prioritize disaster recovery planning for a more successful outcome. For example, an Info-Tech survey found that a BIA has a significant impact on setting appropriate recovery time objectives (RTOs) and appropriate spending.

    The image contains a graph that is labelled: BIA Impact on Appropriate RTOS. With no BIA, there is 59% RTOs are appropriate. With BIA, there is 93% RTOS being appropriate. The image contains a graph that is labelled: BIA Impact on Appropriate Spending. No BIA has 59% indication that BCP is cost effective. With a BIA there is 86% indication that BCP is cost effective.

    Terms

    No BIA: lack of a BIA, or a BIA bases solely on the perceived importance of IT services.

    BIA: based on a detailed evaluation or estimated dollar impact of downtime.

    Source: Info-Tech Research Group; N=70

    Select the services you wish to evaluate with the Business Impact Analysis Tool

    1.1b 1 hour

    In large organizations especially, collating an exhaustive list of applications and services is going to be onerous. For the purposes of this project, a subset should suffice.

    Instructions

    1. Gather a diverse group of IT staff and end users in a room with a whiteboard.
    2. Solicit feedback from the group. Questions to ask:
    • What services do you regularly use? What do you see others using? (End users)
    • Which service inspires the greatest number of service calls? (IT)
    • What services are you most excited about? (Management)
    • What services are the most critical for business operations? (Everybody)
  • Record these applications in the Business Impact Analysis Tool.
  • Input

    • Applications/services

    Output

    • Candidate applications for the business impact analysis

    Materials

    • Whiteboard
    • Markers

    Participants

    • Infrastructure manager
    • Enterprise architect
    • Application owners
    • End users

    Info-Tech Insight

    Include a variety of services in your analysis. While it might be tempting to jump ahead and preselect important applications, don’t. The process is inherently valuable, and besides, it might surprise you.

    Record the applications and dependencies in the BIA tool

    1.1c Use tab 1 of the Business Impact Analysis Tool

    1. In the Application/System column, list the applications identified for this pilot as well as the Core Infrastructure category. Also indicate the Impact on the Business and Business Owner.
    2. List the dependencies for each application in the appropriate columns:
    • Hosted On-Premises (In-House) – If the physical equipment is in a facility you own, record it here, even if it is managed by a vendor.
    • Hosted by a Co-Lo/MSP – List any dependencies hosted by a co-lo/MSP vendor.
    • Cloud (includes "as a Service”) – List any dependencies hosted by a cloud vendor.

    Note: If there are no dependencies for a particular category, leave it blank.

  • If you wish to highlight specific dependencies, put an asterisk in front of them (e.g. *SAN). This will cause the dependency to be highlighted in the remaining tabs in this tool.
  • Add comments as needed in the Notes columns. For example, for equipment that you host in-house but is remotely managed by an MSP, specify this in the notes. Similarly, note any DR support services.
  • Example

    The image contains a screenshot of Info-Tech's Business Impact Analysis Tool specifically tab 1.

    ID is optional. It is a sequential number by default.

    In-House, Co-Lo/MSP, and Cloud dependencies; leave blank if not applicable.

    Add notes as applicable – e.g. critical support services.

    Define a scoring scale to estimate different levels of impact

    1.1d Use tab 2 of the Business Impact Analysis Tool

    Modify the Business Impact Scales headings and Overall Criticality Rating terminology to suit your organization. For example, if you don’t have business partners, use that column to measure a different goodwill impact or just ignore that column in this tool (i.e. leave it blank). Estimate the different levels of potential impact (where four is the highest impact and zero is no impact) and record these in the Business Impact Scales columns.

    The image contains a screenshot of Info-Tech's Business Impact Analysis Tool, specifically tab 2.

    Estimate the impact of downtime for each application

    1.1e Use tab 3 of the Business Impact Analysis Tool

    In the BIA tab columns for Direct Costs of Downtime, Impact on Goodwill, and Additional Criticality Factors, use the drop-down menu to assign a score of zero to four based on levels of impact defined in the Scoring Criteria tab. For example, if an organization’s ERP is down, and that affects call center sales operations (e.g. ability to access customer records and process orders), the impact might be as described below:

      • Loss of Revenue might score a two or three depending on the proportion of overall sales lost due to the downtime.
      • The Impact on Customers might be a one or two depending on the extent that existing customers might be using the call center to purchase new products or services, and are frustrated by the inability to process orders.
      • The Legal/Regulatory Compliance and Health or Safety Risk might be a zero.

    On the other hand, if payroll processing is down, this may not impact revenue, but it certainly impacts internal goodwill and productivity.

    Rank service criticality: gold, silver, and bronze

    Gold

    Mission critical services. An outage is catastrophic in terms of cost or public image/goodwill. Example: trading software at a financial institution.

    Silver

    Important to daily operations, but not mission critical. Example: email services at any large organization.

    Bronze

    Loss of these services is an inconvenience more than anything, though they do serve a purpose and will be missed if they are never brought back online. Example: ancient fax machines.

    Info-Tech Best Practice

    Info-Tech recommends gold, silver, and bronze because of this typology’s near universal recognition. If you would prefer a particular designation (it might help with internal comprehension), don’t hesitate to use that one instead.

    Use the results of the business impact analysis to sort systems based on their criticality

    1.1f 1 hour

    Every organization has its own rules about how to categorize service importance. For some (consumer-facing businesses, perhaps) reputational damage may trump immediate costs.

    Instructions

    1. Gather a group of key stakeholders and project the completed Business Impact Analysis Tool onto a screen for them.
    2. Share the definitions of gold, silver, and bronze services with them (if they are not familiar), and begin sorting the services by category,
    • How long would it take to notice if a particular service went out?
    • How important are the non-quantifiable damages that could come with an outage?
  • Sort the services into gold, silver, and bronze on a whiteboard, with sticky notes, or with chart paper.
  • Verify your findings and record them in section 2.1 of the Capacity Plan Template.
  • Input

    • Results of the business impact analysis exercise

    Output

    • List of gold, silver, and bronze systems

    Materials

    • Projector
    • Business Impact Analysis Tool
    • Capacity Plan Template

    Participants

    • Infrastructure manager
    • Enterprise architect

    Leverage the rest of the BIA tool as part of your disaster recovery planning

    Disaster recovery planning is a critical activity, and while it is a sort of availability management, it is beyond this project’s scope. You can complete the business impact analysis (including RTOs and RPOs) for the complete disaster recovery package.

    See Info-Tech’s Create a Right-Sized Disaster Recovery Plan blueprint for instructions on how to complete your business impact analysis.

    Step 1.2: Assign criticality ratings to services

    This step will walk you through the following activities:

    • Create a list of dependencies for your most important applications.
    • Identify important sub-components.
    • Use best practices to develop and negotiate SLAs.

    This involves the following participants:

    • Capacity manager
    • Infrastructure team

    Outcomes of this step

    • List of dependencies of most important applications
    • List of important sub-components
    • SLAs based on best practices

    Determine the base unit of the capacity you’re looking to purchase

    Not every IT organization should approach capacity the same way. Needs scale, and larger organizations will inevitably deal in larger quantities.

    Large cloud provider

    Local traditional business

    • Thousands of servers housed in a number of datacenters around the world.
    • Dedicated capacity manager.
    • Purchases components from OEMs in bulk as part of bespoke contracts that are worth many millions of dollars over time.
    • May deal with components at a massive scale (dozens of servers at once, for example).
    • A small server room that runs non-specialized services (email, for example).
    • Barely even a dedicated IT person, let alone an IT capacity manager.
    • Purchases new components from resellers or even retail stores.
    • Deals with components at a small scale (a single switch here, a server upgrade there).

    "Cloud capacity management is not exactly the same as the ITIL version because ITIL has a focus on the component level. I actually don’t do that, because if I did I’d go crazy. There’s too many components in a cloud environment."

    – Richie Mendoza, IT Consultant, SMITS Inc.

    Consider the relationship between component capacity and service capacity

    End users’ thoughts about IT are based on what they see. They are, in other words, concerned with service availability: does the organization have the ability to provide access to needed services?

    Service

    • Email
    • CRM
    • ERP

    Component

    • Switch
    • SMTP server
    • Archive database
    • Storage

    "You don’t ask the CEO or the guy in charge ‘What kind of response time is your requirement?’ He doesn’t really care. He just wants to make sure that all his customers are happy."

    – Todd Evans, Capacity and Performance Management SME, IBM.

    One telco solved its availability issues by addressing component capacity issues

    CASE STUDY

    Industry: Telecommunications

    Source: Interview

    Coffee and Wi-Fi – a match made in heaven

    In tens of thousands of coffee shops around the world, patrons make ample use of complimentary Wi-Fi. Wi-Fi is an important part of customers’ coffee shop experience, whether they’re online to check their email, do a YouTube, or update their Googles. So when one telco that provided Wi-Fi access for thousands of coffee shops started encountering availability issues, the situation was serious.

    Wi-Fi, whack-a-mole, and web woes

    The team responsible for resolving the issue took an ad hoc approach to resolving complaints, fixing issues as they came up instead of taking a systematic approach.

    Resolution

    Looking at the network as a whole, the capacity manager took a proactive approach by using data to identify and rank the worst service areas, and then directing the team responsible to fix those areas in order of the worst first, then the next worst, and so on. Soon the availability of Wi-Fi service was restored across the network.

    Create a list of dependencies for your most important applications

    1.2a 1.5 hours

    Instructions

    1. Work your way down the list of services outlined in step 1, starting with your gold systems. During the first iteration of this exercise select only 3-5 of your most important systems.
    2. Write the name of each application on a sticky note or at the top of a whiteboard (leaving ample space below for dependency mapping).
    3. In the first tier below the application, include the specific services that the general service provides.
    • This will vary based on the service in question, but an example for email is sending, retrieving, retrieving online, etc.
  • For each of the categories identified in step 3, identify the infrastructure components that are relevant to that system. Be broad and sweeping; if the component is involved in the service, include it here. The goal is to be exhaustive.
  • Leave the final version of the map intact. Photographing or making a digital copy for posterity. It will be useful in later activities.
  • Input

    • List of important applications

    Output

    • List of critical dependencies

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • Infrastructure manager
    • Enterprise architect

    Info-Tech Insight

    Dependency mapping can be difficult. Make sure you don’t waste effort creating detailed dependency maps for relatively unimportant services.

    Dependency mapping can be difficult. Make sure you don’t waste effort creating detailed dependency maps for relatively unimportant services.

    The image contains a sample dependency map on ride sharing. Ride Sharing has been split between two categories: Application and Drivers. Under drivers it branches out to: Availability, Car, and Pay. Under Application, it branches out to: Compute, Network, Edge devices, Q/A maintenance, and Storage. Compute branches out to Cloud Services. Network branches out to Cellular network and Local. Edge Devices branch out to Drivers and Users. Q/A maintenance does not have a following branch. Storage branches out to Storage (Enterprise) and Storage (local).

    Ride sharing cannot work, at least not at maximum effectiveness, without these constituent components. When one or more of these components are absent or degraded, the service will become unavailable. This example illustrates some challenges of capacity management; some of these components are necessary, but beyond the ride-sharing company’s control.

    Leverage a sample dependency tree for a common service

    The image contains a sample dependency tree for the Email service. Email branches out to: Filtering, Archiving, Retrieval, and Send/receive. Filtering branches out to security appliance which then branches out to CPU, Storage, and Network. Archiving branches to Archive server, which branches out to CPU, Storage, and Network. Retrieval branches out to IMAP/PoP which branches out to CPU, Storage, and Network. Send/receive branches out to IMAP/PoP and SMTP. SMTP branches out to CPU, Storage and Network.

    Info-Tech Best Practice

    Email is an example here not because it is necessarily a “gold system,” but because it is common across industries. This is a useful exercise for any service, but it can be quite onerous, so it should be conducted on the most important systems first.

    Separate the wheat from the chaff; identify important sub-components and separate them from unimportant ones

    1.2b 1.5 hours

    Use the bottom layer of the pyramid drawn in step 1.2a for a list of important sub-components.

    Instructions

    1. Record a list of the gold services identified in the previous activity. Leave space next to each service for sub-components.
    2. Go through each relevant sub-component. Highlight those that are critical and could reasonably be expected to cause problems.
    • Has this sub-component caused a problem in the past?
    • Is this sub-component a bottleneck?
    • What could cause this component to fail? Is it such an occurrence feasible?
  • Record the results of the exercise (and the service each sub-component is tied to) in tab 2 (columns B &C) of the Capacity Snapshot Tool.
  • Input

    • List of important applications

    Output

    • List of critical dependencies

    Materials

    • Whiteboard
    • Markers

    Participants

    • Infrastructure manager
    • Enterprise architect

    Understand availability commitments with SLAs

    With the rise of SaaS, cloud computing, and managed services, critical services and their components are increasingly external to IT.

    • IT’s lack of access to the internal working of services does not let them off the hook for performance issues (as much as that might be the dream).
    • Vendor management is availability management. Use the dependency map drawn earlier in this phase to highlight the components of critical services that rely on capacity that cannot be managed internally.
    • For each of these services ensure that an appropriate SLA is in place. When acquiring new services, ensure that the vendor SLA meets business requirements.

    The image contains a large blue circle labelled: Availability. Also in the blue circle is a small red circle labelled: Capacity.

    In terms of service provision, capacity management is a form of availability management. Not all availability issues are capacity issues, but the inverse is true.

    Info-Tech Insight

    Capacity issues will always cause availability issues, but availability issues are not inherently capacity issues. Availability problems can stem from outages unrelated to capacity (e.g. power or vendor outages).

    Use best practices to develop and negotiate SLAs

    1.2c 20 minutes per service

    When signing contracts with vendors, you will be presented with an SLA. Ensure that it meets your requirements.

    1. Use the business impact analysis conducted in this project’s first step to determine your requirements. How much downtime can you tolerate for your critical services?
    2. Once you have been presented with an SLA, be sure to scour it for tricks. Remember, just because a vendor offers “five nines” of availability doesn’t mean that you’ll actually get that much uptime. It could be that the vendor is comfortable eating the cost of downtime or that the contract includes provisions for planned maintenance. Whether or not the vendor anticipated your outage does little to mitigate the damage an outage can cause to your business, so be careful of these provisions.
    3. Ensure that the person ultimately responsible for the SLA (the approver) understands the limitations of the agreement and the implications for availability.

    Input

    • List of external component dependencies

    Output

    • SLA requirements

    Materials

    • Whiteboard
    • Markers

    Participants

    • Infrastructure manager
    • Enterprise architect

    Info-Tech Insight

    Vendors are sometimes willing to eat the cost of violating SLAs if they think it will get them a contract. Be careful with negotiation. Just because the vendor says they can do something doesn’t make it true.

    Negotiate internal SLAs using Info-Tech’s rigorous process

    Talking past each other can drive misalignment between IT and the business, inconveniencing all involved. Quantify your needs through an internal SLA as part of a comprehensive availability management plan.

    See Info-Tech’s Improve IT-Business Alignment Through an Internal SLA blueprint for instructions on why you should develop internal SLAs and the potential benefits they bring.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop.

    The image contains a picture of an Info-Tech analyst.

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    1.2

    The image contains a screenshot of activity 1.2 as previously described above.

    Create a list of dependencies for your most important applications

    Using the results of the business impact analysis, the analyst will guide workshop participants through a dependency mapping exercise that will eventually populate the Capacity Plan Template.

    Phase 1 Guided Implementation

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Conduct a business impact analysis

    Proposed Time to Completion: 1 week

    Step 1.1: Create a scale to measure different levels of impact

    Review your findings with an analyst

    Discuss how you arrived at the rating of your critical systems and their dependencies. Consider whether your external SLAs are appropriate.

    Then complete these activities…

    • Use the results of the business impact analysis to sort systems based on their criticality

    With these tools & templates:

    Business Impact Analysis Tool

    Step 1.2: Assign criticality ratings to services

    Review your findings with an analyst

    Discuss how you arrived at the rating of your critical systems and their dependencies. Consider whether your external SLAs are appropriate.

    Then complete these activities…

    • Create a list of dependencies for your most important applications
    • Identify important sub-components
    • Use best practices to develop and negotiate SLAs

    With these tools & templates:

    Capacity Snapshot Tool

    Phase 1 Results & Insights:

    • Engaging in detailed capacity planning for an insignificant service is a waste of resources. Focus on ensuring availability for your most critical systems.
    • Carefully evaluate vendors’ service offerings. Make sure the SLA works for you, and approach pie-in-the-sky promises with skepticism.

    PHASE 2

    Establish Visibility Into Core Systems

    Step 2.1: Define your monitoring strategy

    This step will walk you through the following activities:

    • Determine the indicators you should be tracking for each sub-component.

    This involves the following participants:

    • Capacity manager
    • Infrastructure team

    Outcomes of this step

    • List of indicators to track for each sub-component

    Data has its significance—but also its limitations

    The rise of big data can be a boon for capacity managers, but be warned: not all data is created equal. Bad data can lead to bad decisions – and unemployed capacity managers.

    Your findings are only as good as your data. Remember: garbage in, garbage out. There are three characteristics of good data:*

    1. Accuracy: is the data exact and correct? More detail and confidence is better.
    2. Reliability: is the data consistent? In other words, if you run the same test twice will you get the same results?
    3. Validity: is the information gleaned believable and relevant?

    *National College of Teaching & Leadership, “Reliability and Validity”

    "Data is king. Good data is absolutely essential to [the capacity manager] role."

    – Adrian Blant, Independent Capacity Consultant, IT Capability Solutions

    Info-Tech Best Practice

    Every organization’s data needs are different; your data needs are going to be dictated by your services, delivery model, and business requirements. Make sure you don’t confuse volume with quality, even if others in your organization make that mistake.

    Take advantage of technology to establish visibility into your systems

    Managing your availability and capacity involves important decisions about what to monitor and how thresholds should be set.

    • Use the list of critical applications developed through the business impact analysis and the list of components identified in the dependency mapping exercise to produce a plan for effectively monitoring component availability and capacity.
    • The nature of IT service provision – the multitude of vendors providing hardware and services necessary for even simple IT services to work effectively – means that it is unlikely that capacity management will be visible through a single pane of glass. In other words, “email” and “CRM” don’t have a defined capacity. It always depends.
    • Establishing visibility into systems involves identifying what needs to be tracked for each component.

    Too much monitoring can be as bad as the inverse

    In 2013, a security breach at US retailer Target compromised more than 70 million customers’ data. The company received an alert, but it was thought to be a false positive because the monitoring system produced so many false and redundant alerts. As a result of the daily deluge, staff did not respond to the breach in time.

    Info-Tech Insight

    Don’t confuse monitoring with management. While establishing visibility is a crucial step, it is only part of the battle. Move on to this project’s next phase to explore opportunities to improve your capacity/availability management process.

    Determine the indicators you should be tracking for each sub-component

    2.1a Tab 3 of the Capacity Snapshot Tool

    It is nearly impossible to overstate the importance of data to the process of availability and capacity management. But the wrong data will do you no good.

    Instructions

    1. Open the Capacity Snapshot Tool to tab 2. The tool should have been populated in step 1.2 as part of the component mapping exercise.
    2. For each service, determine which metric(s) would most accurately tell the component’s story. Consider the following questions when completing this activity (you may end up with more than one metric):
    • How would the component’s capacity be measured (storage space, RAM, bandwidth, vCPUs)?
    • Is the metric in question actionable?
  • Record each metric in the Metric column (D) of the Capacity Snapshot Tool. Use the adjacent column for any additional information on metrics.
  • Info-Tech Insight

    Bottlenecks are bad. Use the Capacity Snapshot Tool (or another tool like it) to ensure that when the capacity manager leaves (on vacation, to another role, for good) the knowledge that they have accumulated does not leave as well.

    Understand the limitations of this approach

    Although we’ve striven to make it as easy as possible, this process will inevitably be cumbersome for organizations with a complicated set of software, hardware, and cloud services.

    Tracking every single component in significant detail will produce a lot of noise for each bit of signal. The approach outlined here addresses that concern in two ways:

    • A focus on gold services
    • A focus on sub-components that have a reasonable likelihood of being problematic in the future.

    Despite this effort, however, managing capacity at the component level is a daunting task. Ultimately, tools provided by vendors like SolarWinds and AppDynamics will fill in some of the gaps. Nevertheless, an understanding of the conceptual framework underlying availability and capacity management is valuable.

    Step 2.2: Implement your monitoring tool/aggregator

    This step will walk you through the following activities:

    • Clarify visibility.
    • Determine whether or not you have sufficiently granular visibility.
    • Develop strategies to .any visibility issues.

    This involves the following participants:

    • Capacity manager
    • Infrastructure team
    • Applications personnel

    Outcomes of this step

    • Method for measuring and monitoring critical sub-components

    Companies struggle with performance monitoring because 95% of IT shops don’t have full visibility into their environments

    CASE STUDY

    Industry: Financial Services

    Source: AppDynamics

    Challenge

    • Users are quick to provide feedback when there is downtime or application performance degradation.
    • The challenge for IT teams is that while they can feel the pain, they don’t have visibility into the production environment and thus cannot identify where the pain is coming from.
    • The most common solution that organizations rely on is leveraging the log files for issue diagnosis. However, this method is slow and often unable to pinpoint the problem areas, leading to delays in problem resolution.

    Solution

    • Application and infrastructure teams need to work together to develop infrastructure flow maps and transaction profiles.
    • These diagrams will highlight the path that each transaction travels across your infrastructure.
    • Ideally at this point, teams will also capture latency breakdowns across every tier that the business transaction flows through.
      • This will ultimately kick start the baselining process.

    Results

    • Ninety-five percent of IT departments don’t have full visibility into their production environment. As a result, a slow business transaction will often require a war-room approach where SMEs from across the organization gather to troubleshoot.
    • Having visibility into the production environment through infrastructure flow mapping and transaction profiling will help IT teams pinpoint problems.
      • At the very least, teams will be able to identify common problem areas and expedite the root-cause analysis process.

    Source: “Just how complex can a Login Transaction be? Answer: Very!,” AppDynamics

    Monitor your critical sub-components

    Establishing a monitoring plan for your capacity involves answering two questions: can I see what I need to see, and can I see it with sufficient granularity?

    • Having the right tool for the job is an important step towards effective capacity and availability management.
    • Application performance management tools (APMs) are essential to the process, but they tend to be highly specific and vertically oriented, like using a microscope.
    • Some product families can cover a wider range of capacity monitoring functions (SolarWinds, for example). It is still important, however, to codify your monitoring needs.

    "You don’t use a microscope to monitor an entire ant farm, but you might use many microscopes to monitor specific ants."

    – Fred Chagnon, Research Director, Infrastructure Practice, Info-Tech Research Group

    Monitor your sub-components: clarify visibility

    2.2a Tab 2 of the Capacity Snapshot Tool

    The next step in capacity management is establishing whether or not visibility (in the broad sense) is available into critical sub-components.

    Instructions

    1. Open the Capacity Snapshot Tool and record the list of sub-components identified in the previous step.
    2. For each sub-component answer the following question:
    • Do I have easy access to the information I need to monitor to ensure this component remains available?
  • Select “Yes” or “No” from the drop-down menus as appropriate. In the adjacent column record details about visibility into the component.
    • What tool provides the information? Where can it be found?

    The image contains a screenshot of Info-Tech's Capacity Snapshot Tool, Tab 2.

    Monitor your sub-components; determine whether or not you have sufficient granular visibility

    2.2b Tab 2 of the Capacity Snapshot Tool

    Like ideas and watches, not all types of visibility are created equal. Ensure that you have access to the right information to make capacity decisions.

    Instructions

    1. For each of the sub-components clarify the appropriate level of granularity for the visibility gained to be useful. In the case of storage, for example, is raw usage (in gigabytes) sufficient, or do you need a breakdown of what exactly is taking up the space? The network might be more complicated.
    2. Record the details of this ideation in the adjacent column.
    3. Select “Yes” or “No” from the drop-down menu to track the status of each sub-component.

    The image contains a picture of an iPhone storage screen where it breaks down the storage into the following categories: apps, media, photos, and other.

    For most mobile phone users, this breakdown is sufficient. For some, more granularity might be necessary.

    Info-Tech Insight

    Make note of monitoring tools and strategies. If anything changes, be sure to re-evaluate the visibility status. An outdated spreadsheet can lead to availability issues if management is unaware of looming problems.

    Develop strategies to ameliorate any visibility issues

    2.2c 1 hour

    The Capacity Snapshot Tool color-codes your components by status. Green – visibility and granularity are both sufficient; yellow – visibility exists, though not at sufficient granularity; and red – visibility does not exist at all.

    Instructions

    1. Write each of the yellow and red sub-components on a whiteboard or piece of chart paper.
    2. Brainstorm amelioration strategies for each of the problematic sub-components.
    • Does the current monitoring tool have sufficient functionality?
    • Does it need to be further configured/customized?
    • Do we need a whole new tool?
  • Record these strategies in the Amelioration Strategy column on tab 4 of the tool.
  • Input

    • Sub-components
    • Capacity Snapshot Tool

    Output

    • Amelioration strategies

    Materials

    • Whiteboard
    • Markers
    • Capacity Snapshot Tool

    Participants

    • Infrastructure manager

    Info-Tech Best Practice

    It might be that there is no amelioration strategy. Make note of this difficulty and highlight it as part of the risk section of the Capacity Plan Template.

    See Info-Tech’s projects on storage and network modernization for additional details

    Leverage other products for additional details on how to modernize your network and storage services.

    The process of modernizing the network is fraught with vestigial limitations. Develop a program to gather requirements and plan.

    As part of the blueprint, Modernize Enterprise Storage, the Modernize Enterprise Storage Workbook includes a section on storage capacity planning.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop.

    The image contains a picture of an Info-Tech analyst.

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    2.2

    The image contains a screenshot of activity 2.2.

    Develop strategies to ameliorate visibility issues

    The analyst will guide workshop participants in brainstorming potential solutions to visibility issues and record them in the Capacity Snapshot Tool.

    Phase 2 Guided Implementation

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 2: Establish visibility into core systems

    Proposed Time to Completion: 3 weeks

    Step 2.1: Define your monitoring strategy

    Review your findings with an analyst

    Discuss your monitoring strategy and ensure you have sufficient visibility for the needs of your organization.

    Then complete these activities…

    • Determine the indicators you should be tracking for each sub-component

    With these tools & templates:

    • Capacity Snapshot Tool

    Step 2.2: Implement your monitoring tool/aggregator

    Review your findings with an analyst

    Discuss your monitoring strategy and ensure you have sufficient visibility for the needs of your organization.

    Then complete these activities…

    • Clarify visibility
    • Determine whether or not you have sufficiently granular visibility
    • Develop strategies to ameliorate any visibility issues

    With these tools & templates:

    • Capacity Snapshot Tool

    Phase 2 Results & Insights:

    • Every organization’s data needs are different. Adapt data gathering, reporting, and analysis according to your services, delivery model, and business requirements.
    • Don’t confuse monitoring with management. Build a system to turn reported data into useful information that feeds into the capacity management process.

    PHASE 3

    Solicit and Incorporate Business Needs

    Step 3.1: Solicit business needs and gather data

    This step will walk you through the following activities:

    • Build relationships with business stakeholders.
    • Analyze usage data and identify trends.
    • Correlate usage trends with business needs.

    This involves the following participants:

    • Capacity manager
    • Infrastructure team members
    • Business stakeholders

    Outcomes of this step

    • System for involving business stakeholders in the capacity planning process
    • Correlated data on business level, service level, and infrastructure level capacity usage

    Summarize your capacity planning activities in the Capacity Plan Template

    The availability and capacity management summary card pictured here is a handy way to capture the results of the activities undertaken in the following phases. Note its contents carefully, and be sure to record specific outputs where appropriate. One such card should be completed for each of the gold services identified in the project’s first phase. Make note of the results of the activities in the coming phase, and populate the Capacity Snapshot Tool. These will help you populate the tool.

    The image contains a screenshot of Info-Tech's Capacity Plan Template.

    Info-Tech Best Practice

    The Capacity Plan Template is designed to be a part of a broader mapping strategy. It is not a replacement for a dedicated monitoring tool.

    Analyze historical trends as a crucial source of data

    The first place to look for information about your organization is not industry benchmarks or your gut (though those might both prove useful).

    • Where better to look than internally? Use the data you’ve gathered from your APM tool or other sources to understand your historical capacity needs and to highlight any periods of unavailability.
    • Consider monitoring the status of the capacity of each of your crucial components. The nature of this monitoring will vary based on the component in question. It can range from a rough Excel sheet all the way to a dedicated application performance monitoring tool.

    "In all cases the very first thing to do is to look at trending…The old adage is ‘you don’t steer a boat by its wake,’ however it’s also true that if something is growing at, say, three percent a month and it has been growing at three percent a month for the last twelve months, there’s a fairly good possibility that it’s going to carry on going in that direction."

    – Mike Lynch, Consultant, CapacityIQ

    Gather relevant data at the business level

    3.1a 2 hours per service

    A holistic approach to capacity management involves peering beyond the beaded curtain partitioning IT from the rest of the organization and tracking business metrics.

    Instructions

    1. Your service/application owners know how changes in business activities impact their systems. Business level capacity management involves responding to those changes. Ask service/application owners what changes will impact their capacity. Examples include:
    • Business volume (net new customers, number of transactions)
    • Staff changes (new hires, exits, etc.)
  • For each gold service, brainstorm relevant metrics. How can you capture that change in business volume?
  • Record these metrics in the summary card of the Capacity Plan Template.
  • In the notes section of the summary card record whether or not you have access to the required business metric.
  • Input

    • Brainstorming
    • List of gold services

    Output

    • Business level data

    Materials

    • In-house solution or commercial tool

    Participants

    • Capacity manager
    • Application/service owners

    Gather relevant data at the service level

    3.1b 2 hours per service

    One level of abstraction down is the service level. Service level capacity management, recall that service level capacity management is about ensuring that IT is meeting SLAs in its service provision.

    Instructions

    1. There should be internal SLAs for each service IT offers. (If not, that’s a good place to start. See Info-Tech’s research on the subject.) Prod each of your service owners for information on the metrics that are relevant for their SLAs. Consider the following:
    • Peak hours, requests per second, etc.
    • This will usually include some APM data.
  • Record these metrics in the summary card of the Capacity Plan Template.
  • Include any visibility issues in the notes in a similar section of the Capacity Plan Template.
  • Input

    • Brainstorming
    • List of gold services

    Output

    • Service level data

    Materials

    • In-house solution or commercial tool

    Participants

    • Capacity manager
    • Application/service owners

    Leverage the visibility into your infrastructure components and compare all of your data over time

    You established visibility into your components in the second phase of this project. Use this data, and that gathered at the business and service levels, to begin analyzing your demand over time.

    • Different organizations will approach this issue differently. Those with a complicated service catalog and a dedicated capacity manager might employ a tool like TeamQuest. If your operation is small, or you need to get your availability and capacity management activities underway as quickly as possible, you might consider using a simple spreadsheet software like Excel.
    • If you choose the latter option, select a level of granularity (monthly, weekly, etc.) and produce a line graph in Excel.
    • Example: Employee count (business metric)

    Jan

    Feb

    Mar

    Apr

    May

    June

    July

    74

    80

    79

    83

    84

    100

    102

    The image contains a graph using the example of employee count described above.

    Note: the strength of this approach is that it is easy to visualize. Use the same timescale to facilitate simple comparison.

    Manage, don’t just monitor; mountains of data need to be turned into information

    Information lets you make a decision. Understand the questions you don’t need to ask, and ask the right ones.

    "Often what is really being offered by many analytics solutions is just more data or information – not insights."

    – Brent Dykes, Director of Data Strategy, Domo

    Info-Tech Best Practice

    You can have all the data in the world and absolutely nothing valuable to add. Don’t fall for this trap. Use the activities in this phase to structure your data collection operation and ensure that your organization’s availability and capacity management plan is data driven.

    Analyze historical trends and track your services’ status

    3.1c Tab 3 of the Capacity Snapshot Tool

    At-a-glance – it’s how most executives consume all but the most important information. Create a dashboard that tracks the status of your most important systems.

    Instructions

    1. Consult infrastructure leaders for information about lead times for new capacity for relevant sub-components and include that information in the tool.
    • Look to historical lead times. (How long does it traditionally take to get more storage?)
    • If you’re not sure, contact an in-house expert, or speak to your vendor
  • Use tab 3 of the tool to record whether your existing capacity will be exceeded before you can stand more hardware up (red), you have a plan to ameliorate capacity issues but new capacity is not yet in place (yellow), or if you are not slated to run out of capacity any time soon (green).
  • Repeat the activity regularly. Include notes about spikes that might present capacity challenges, and information about when capacity may run out.
  • This tool collates and presents information gathered from other sources. It is not a substitute for a performance monitoring tool.

    Build a list of key business stakeholders

    3.1d 10 minutes

    Stakeholder analysis is crucial. Lines of authority can be diffuse. Understand who needs to be involved in the capacity management process early on.

    Instructions

    1. With the infrastructure team, brainstorm a group of departments, roles, and people who may impact demand on capacity.
    2. Go through the list with your team and identify stakeholders from two groups:
    • Line of business: who in the business makes use of the service?
    • Application owner: who in IT is responsible for ensuring the service is up?
  • Insert the list into section 3 of the Capacity Plan Template, and update as needed.
  • Input

    • Gold systems
    • Personnel Information

    Output

    • List of key business stakeholders

    Materials

    • Whiteboard
    • Markers

    Participants

    • Capacity manager
    • Infrastructure staff

    Info-Tech Best Practice

    Consider which departments are most closely aligned with the business processes that fuel demand. Prioritize those that have the greatest impact. Consider the stakeholders who will make purchasing decisions for increasing infrastructure capacity.

    Organize stakeholder meetings

    3.1e 10 hours

    Establishing a relationship with your stakeholders is a necessary step in managing your capacity and availability.

    Instructions

    1. Gather as many of the stakeholders identified in the previous activity as you can and present information on availability and capacity management
    • If you can’t get everyone in the same room, a virtual meeting or even an email blast could get the job done.
  • Explain the importance of capacity and availability management
    • Consider highlighting the trade-offs between cost and availability.
  • Field any questions the stakeholders might have about the process. Be honest. The goal of this meeting is to build trust. This will come in handy when you’re gathering business requirements.
  • Propose a schedule and seek approval from all present. Include the results in section 3 of the Capacity Plan Template.
  • Input

    • List of business stakeholders
    • Hard work

    Output

    • Working relationship, trust
    • Regular meetings

    Materials

    • Work ethic
    • Executive brief

    Participants

    • Capacity manager
    • Business stakeholders

    Info-Tech Insight

    The best capacity managers develop new business processes that more closely align their role with business stakeholders. Building these relationships takes hard work, and you must first earn the trust of the business.

    Bake stakeholders into the planning process

    3.1f Ongoing

    Convince, don’t coerce. Stakeholders want the same thing you do. Bake them into the planning process as a step towards this goal.

    1. Develop a system to involve stakeholders regularly in the capacity planning process.
    • Your system will vary depending on the structure and culture of your organization.
    • See the case study on the following slide for ideas.
    • It may be as simple as setting a recurring reminder in your own calendar to touch base with stakeholders.
  • Liaise with stakeholders regularly to keep abreast of new developments.
    • Ensure stakeholders have reasonable expectations about IT’s available resources, the costs of providing capacity, and the lead times required to source additional needed capacity.
  • Draw on these stakeholders for the step “Gather information on business requirements” later in this phase.
  • Input

    • List of business stakeholders
    • Ideas

    Output

    • Capacity planning process that involves stakeholders

    Materials

    • Meeting rooms

    Participants

    • Capacity manager
    • Business stakeholders
    • Infrastructure team

    A capacity manager in financial services wrangled stakeholders and produced results

    CASE STUDY

    Industry: Financial Services

    Source: Interview

    In financial services, availability is king

    In the world of financial services, availability is absolutely crucial. High-value trades occur at all hours, and any institution that suffers outages runs the risk of losing tens of thousands of dollars, not to mention reputational damage.

    People know what they want, but sometimes they have to be herded

    While line of business managers and application owners understand the value of capacity management, it can be difficult to establish the working relationship necessary for a fruitful partnership.

    Proactively building relationships keeps services available

    He built relationships with all the department heads on the business side, and all the application owners.

    • He met with department heads quarterly.
    • He met with application owners and business liaisons monthly.

    He established a steering committee for capacity.

    He invited stakeholders to regular capacity planning meetings.

    • The first half of each meeting was high-level outlook, such as business volume and IT capacity utilization, and included stakeholders from other departments.
    • The second half of the meeting was more technical, serving the purpose for the infrastructure team.

    He scheduled lunch and learn sessions with business analysts and project managers.

    • These are the gatekeepers of information, and should know that IT needs to be involved when things come down the pipeline.

    Step 3.2: Analyze data and project future needs

    This step will walk you through the following activities:

    • Solicit needs from the business.
    • Map business needs to technical requirements, and technical requirements to infrastructure requirements.
    • Identify inefficiencies in order to remedy them.
    • Compare the data across business, component, and service levels, and project your capacity needs.

    This involves the following participants:

    • Capacity manager
    • Infrastructure team members
    • Business stakeholders

    Outcomes of this step

    • Model of how business processes relate to technical requirements and their demand on infrastructure
    • Method for projecting future demand for your organization’s infrastructure
    • Comparison of current capacity usage to projected demand

    “Nobody tells me anything!” – the capacity manager’s lament

    Sometimes “need to know” doesn’t register with sales or marketing. Nearly every infrastructure manager can share a story about a time when someone has made a decision that has critically impacted IT infrastructure without letting anyone in IT in on the “secret.”

    In brief

    The image contains a picture of a man appearing to be overwhelmed.

    Imagine working for a media company as an infrastructure capacity manager. Now imagine that the powers that be have decided to launch a content-focused web service. Seems like something they would do, right? Now imagine you find out about it the same way the company’s subscribers do. This actually happened – and it shouldn’t have. But a similar lack of alignment makes this a real possibility for any organization. If you don’t establish a systematic plan for soliciting and incorporating business requirements, prepare to lose a chunk of your free time. The business should never be able to say, in response to “nobody tells me anything,” “nobody asked.”

    Pictured: an artist’s rendering of the capacity manager in question.

    Directly solicit requirements from the business

    3.2a 30 minutes per stakeholder

    Once you’ve established, firmly, that everyone’s on the same team, meet individually with the stakeholders to assess capacity.

    Instructions

    1. Schedule a one-on-one meeting with each line of business manager (stakeholders identified in 3.1). Ideally this will be recurring.
    • Experienced capacity managers suggest doing this monthly.
  • In the meeting address the following questions:
    • What are some upcoming major initiatives?
    • Is the department going to expand or contract in a noticeable way?
    • Have customers taken to a particular product more than others?
  • Include the schedule in the Capacity Plan Template, and consider including details of the discussion in the notes section in tab 3 of the Capacity Snapshot Tool.
  • Input

    • Stakeholder opinions

    Output

    • Business requirements

    Materials

    • Whiteboard
    • Markers

    Participants

    • Capacity manager
    • Infrastructure staff

    Info-Tech Insight

    Sometimes line of business managers will evade or ignore you when you come knocking. They do this because they don’t know and they don’t want to give you the wrong information. Explain that a best guess is all you can ask for and allay their fears.

    Below, you will find more details about what to look for when soliciting information from the line of business manager you’ve roped into your scheme.

    1. Consider the following:
    • Projected sales pipeline
    • Business growth
    • Seasonal cycles
    • Marketing campaigns
    • New applications and features
    • New products and services
  • Encourage business stakeholders to give you their best guess for elements such as projected sales or business growth.
  • Estimate variance and provide a range. What can you expect at the low end? The high end? Record your historical projections for an idea of how accurate you are.
  • Consider carefully the infrastructure impact of new features (and record this in the notes section of the Capacity Snapshot Tool).
  • Directly solicit requirements from the business (optional)

    3.2a 1 hour

    IT staff and line of business staff come with different skillsets. This can lead to confusion, but it doesn’t have to. Develop effective information solicitation techniques.

    Instructions

    1. Gather your IT staff in a room with a whiteboard. As a group, select a gold service/line of business manager you would like to use as a “practice dummy.”
    2. Have everyone write down a question they would ask of the line of business representative in a hypothetical business/service capacity discussion.
    3. As a group discuss the merits of the questions posed:
    • Are they likely to yield productive information?
    • Are they too vague or specific?
    • Is the person in question likely to know the answer?
    • Is the information requested a guarded trade secret?
  • Discuss the findings and include any notes in section 3 of the Capacity Plan Template.
  • Input

    • Workshop participants’ ideas

    Output

    • Interview skills

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • Capacity manager
    • Infrastructure staff

    Map business needs to technical requirements, and technical requirements to infrastructure requirements

    3.2b 5 hours

    When it comes to mapping technical requirements, IT alone has the ability to effectively translate business needs.

    Instructions

    1. Use your notes from stakeholder meetings to assess the impact of any changes on gold systems.
    2. For each system brainstorm with infrastructure staff (and any technical experts as necessary) about what the information gleaned from stakeholder discussions. Consider the following discussion points:
    • How has demand for the service been trending? Does it match what the business is telling us?
    • Have we had availability issues in the past?
    • Has the business been right with their estimates in the past?
  • Estimate what a change in business/service metrics means for capacity.
    • E.g. how much RAM does a new email user require?
  • Record the output in the summary card of the Capacity Plan Template.
  • Input

    • Business needs

    Output

    • Technical and infrastructure requirements

    Materials

    • Whiteboard
    • Markers

    Participants

    • Capacity manager
    • Infrastructure staff

    Info-Tech Insight

    Adapt the analysis to the needs of your organization. One capacity manager called the one-to-one mapping of business process to infrastructure demand the Holy Grail of capacity management. If this level of precision isn’t attainable, develop your own working estimates using the higher-level data

    Avoid putting too much faith in the cloud as a solution to your problem

    Has the rise of on-demand, functionally unlimited services eliminated the need for capacity and availability management?

    Capacity management

    The role of the capacity manager is changing, but it still has a purpose. Consider this:

    • Not everything can move to the cloud. For security/functionality reasons, on-premises infrastructure will continue to exist.
    • Cost management is more relevant than ever in the cloud age. Manage your instances.
    • While a cloud migration might render some component capacity management functions irrelevant, it could increase the relevance of others (the network, perhaps).

    Availability management

    Ensuring services are available is still IT’s wheelhouse, even if that means a shift to a brokerage model:

    • Business availability requirements (as part of the business impact analysis, potentially) are important; internal SLAs and contracts with vendors need to be managed.
    • Even in the cloud environment, availability is not guaranteed. Cloud providers have outages (unplanned, maintenance related, etc.) and someone will have to understand the limitations of cloud services and the impact on availability.

    Info-Tech Insight

    The cloud comes at the cost of detailed performance data. Sourcing a service through an SLA with a third party increases the need to perform your own performance testing of gold level applications. See performance monitoring.

    Beware Parkinson’s law

    A consequence of our infinite capacity for creativity, people have the enviable skill of making work. In 1955, C. Northcote Parkinson pointed out this fact in The Economist . What are the implications for capacity management?

    "It is a commonplace observation that work expands so as to fill the time available for its completion. Thus, an elderly lady of leisure can spend the entire day in writing and despatching a postcard to her niece at Bognor Regis. An hour will be spent in finding the postcard, another in hunting for spectacles, half-an-hour in a search for the address, an hour and a quarter in composition, and twenty minutes in deciding whether or not to take an umbrella when going to the pillar-box in the next street."

    C. Northcote Parkinson, The Economist, 1955

    Info-Tech Insight

    If you give people lots of capacity, they will use it. Most shops are overprovisioned, and in some cases that’s throwing perfectly good money away. Don’t be afraid to prod if someone requests something that doesn’t seem right.

    Optimally align demand and capacity

    When it comes to managing your capacity, look for any additional efficiencies.

    Questions to ask:

    • Are there any infrastructure services that are not being used to their full potential, sitting idle, or allocated to non-critical or zombie functions?
      • Are you managing your virtual servers? If, for example, you experience a seasonal spike in demand, are you leaving virtual machines running after the fact?
    • Do your organization’s policies and your infrastructure setup allow for the use of development resources for production during periods of peak demand?
    • Can you make organizational or process changes in order to satisfy demand more efficiently?

    In brief

    Who isn’t a sports fan? Big games mean big stakes for pool participants and armchair quarterbacks—along with pressure on the network as fans stream games from their work computers. One organization suffered from this problem, and, instead of taking a hardline and banning all streams, opted to stream the game on a large screen in a conference room where those interested could work for its duration. This alleviated strain on the network and kept staff happy.

    Shutting off an idle cloud to cut costs

    CASE STUDY

    Industry:Professional Services

    Source:Interview

    24/7 AWS = round-the-clock costs

    A senior developer realized that his development team had been leaving AWS instances running without any specific reason.

    Why?

    The development team appreciated the convenience of an always-on instance and, because the people spinning them up did not handle costs, the problem wasn’t immediately apparent.

    Resolution

    In his spare time over the course of a month, the senior developer wrote a program to manage the servers, including shutting them down during times when they were not in use and providing remote-access start-up when required. His team alone saved $30,000 in costs over the next six months, and his team lead reported that it would have been more than worth paying the team to implement such a project on company time.

    Identify inefficiencies in order to remediate them

    3.2c 20 minutes per service

    Instructions

    1. Gather the infrastructure team together and discuss existing capacity and demand. Use the inputs from your data analysis and stakeholder meetings to set the stage for your discussion.
    2. Solicit ideas about potential inefficiencies from your participants:
    • Are VMs effectively allocated? If you need 7 VMs to address a spike, are those VMs being reallocated post-spike?
    • Are developers leaving instances running in the cloud?
    • Are particular services massively overprovisioned?
    • What are the biggest infrastructure line items? Are there obvious opportunities for cost reduction there?
  • Record any potential opportunities in the summary of the Capacity Plan Template.
  • Input

    • Gold systems
    • Data inputs

    Output

    • Inefficiencies

    Materials

    • Whiteboard
    • Markers

    Participants

    • Capacity manager
    • Infrastructure staff

    Info-Tech Insight

    The most effective capacity management takes a holistic approach and looks at the big picture in order to find ways to eliminate unnecessary infrastructure usage, or to find alternate or more efficient sources of required capacity.

    Dodging the toll troll by rerouting traffic

    CASE STUDY

    Industry:Telecommunications

    Source: Interview

    High-cost lines

    The capacity manager at a telecommunications provider mapped out his firm’s network traffic and discovered they were using a number of VP circuits (inter building cross connects) that were very expensive on the scale of their network.

    Paying the toll troll

    These VP circuits were supplying needed network services to the telecom provider’s clients, so there was no way to reduce this demand.

    Resolution

    The capacity manager analyzed where the traffic was going and compared this to the cost of the lines they were using. After performing the analysis, he found he could re-route much of the traffic away from the VP circuits and save on costs while delivering the same level of service to their users.

    Compare the data across business, component, and service levels, and project your capacity needs

    3.2d 2 hour session/meeting

    Make informed decisions about capacity. Remember: retain all documentation. It might come in handy for the justification of purchases.

    Instructions

    1. Using either a dedicated tool or generic spreadsheet software like Excel or Sheets, evaluate capacity trends. Ask the following questions:
    • Are there times when application performance degraded, and the service level was disrupted?
    • Are there times when certain components or systems neared, reached, or exceeded available capacity?
    • Are there seasonal variations in demand?
    • Are there clear trends, such as ongoing growth of business activity or the usage of certain applications?
    • What are the ramifications of trends or patterns in relation to infrastructure capacity?
  • Use the insight gathered from stakeholders during the stakeholder meetings, project required capacity for the critical components of each gold service.
  • Record the results of this activity in the summary card of the Capacity Plan Template.
  • Compare current capacity to your projections

    3.2e Section 5 of the Capacity Plan Template

    Capacity management (and, by extension, availability management) is a combination of two balancing acts: cost against capacity and supply and demand.*

    Instructions

    1. Compare your projections with your reality. You already know whether or not you have enough capacity given your lead times. But do you have too much? Compare your sub-component capacity projections to your current state.
    2. Highlight any outliers. Is there a particular service that is massively overprovisioned?
    3. Evaluate the reasons for the overprovisioning.
    • Is the component critically important?
    • Did you get a great deal on hardware?
    • Is it an oversight?
  • Record the results in the notes section of the summary card of the Capacity Plan Template.
  • *Office of Government Commerce 2001, 119.

    In brief

    The fractured nature of the capacity management space means that every organization is going to have a slightly different tooling strategy. No vendor has dominated, and every solution requires some level of customization. One capacity manager (a cloud provider, no less!) relayed a tale about a capacity management Excel sheet programmed with 5,000+ lines of code. As much work as that is, a bespoke solution is probably unavoidable.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop.

    The image contains a picture of an Info-Tech analyst.

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    3.2

    The image contains a screenshot of activity 3.2.

    Map business needs to technical requirements and technical requirements to infrastructure requirements

    The analyst will guide workshop participants in using their organization’s data to map out the relationships between applications, technical requirements, and the underlying infrastructure usage.

    Phase 3 Guided Implementation

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 3: Solicit and incorporate business needs

    Proposed Time to Completion: 2 weeks

    Step 3.1: Solicit business needs and gather data

    Review your findings with an analyst

    Discuss the effectiveness of your strategies to involve business stakeholders in the planning process and your methods of data collection and analysis.

    Then complete these activities…

    • Analyze historical trends and track your services’ status
    • Build a list of key business stakeholders
    • Bake stakeholders into the planning process

    With these tools & templates:

    Capacity Plan Template

    Step 3.2: Analyze data and project future needs

    Review your findings with an analyst

    Discuss the effectiveness of your strategies to involve business stakeholders in the planning process and your methods of data collection and analysis.

    Then complete these activities…

    • Map business needs to technical requirements and technical requirements to infrastructure requirements
    • Compare the data across business, component, and service levels, and project your capacity needs
    • Compare current capacity to your projections

    With these tools & templates:

    Capacity Snapshot Tool

    Capacity Plan Template

    Phase 3 Results & Insights:

    • Develop new business processes that more closely align your role with business stakeholders. Building these relationships takes hard work, and won’t happen overnight.
    • Take a holistic approach to eliminate unnecessary infrastructure usage or source capacity more efficiently.

    PHASE 4

    Identify and Mitigate Risks

    Step 4.1: Identify and mitigate risks

    This step will walk you through the following activities:

    • Identify potential risks.
    • Determine strategies to mitigate risks.
    • Complete your capacity management plan.

    This involves the following participants:

    • Capacity manager
    • Infrastructure team members
    • Business stakeholders

    Outcomes of this step

    • Strategies for reducing risks
    • Capacity management plan

    Understand what happens when capacity/availability management fails

    1. Services become unavailable. If availability and capacity management are not constantly practiced, an inevitable consequence is downtime or a reduction in the quality of that service. Critical sub-component failures can knock out important systems on their own.
    2. Money is wasted. In response to fears about availability, it’s entirely possible to massively overprovision or switch entirely to a pay-as-you-go model. This, unfortunately, brings with it a whole host of other problems, including overspending. Remember: infinite capacity means infinite potential cost.
    3. IT remains reactive and is unable to contribute more meaningfully to the organization. If IT is constantly putting out capacity/availability-related fires, there is no room for optimization and activities to increase organizational maturity. Effective availability and capacity management will allow IT to focus on other work.

    Mitigate availability and capacity risks

    Availability: how often a service is usable (that is to say up and not too degraded to be effective). Consequences of reduced availability can include financial losses, impacted customer goodwill, and reduced faith in IT more generally.

    Causes of availability issues:

    • Poor capacity management – a service becomes unavailable when there is insufficient supply to meet demand. This is the result of poor capacity management.
    • Scheduled maintenance – services go down for maintenance with some regularity. This needs to be baked into service-level negotiations with vendors.
    • Vendor outages – sometimes vendors experience unplanned outages. There is typically a contract provision that covers unplanned outages, but that doesn’t change the fact that your service will be interrupted.

    Capacity: a particular component’s/service’s/business’ wiggle room. In other words, its usage ceiling.

    Causes of capacity issues:

    • Poor demand management – allowing users to run amok without any regard for how capacity is sourced and paid for.
    • Massive changes in legitimate demand – more usage means more demand.
    • Poor capacity planning – predictable changes in demand that go unaddressed can lead to capacity issues.

    Add additional potential causes of availability and capacity risks as needed

    4.1a 30 minutes

    Availability and capacity issues can stem from a number of different causes. Include a list in your availability and capacity management plan.

    Instructions

    1. Gather the group together. Go around the room and have participants provide examples of incidents and problems that have been the result of availability and capacity issues.
    2. Pose questions to the group about the source of those availability and capacity issues.
    • What could have been done differently to avoid these issues?
    • Was the availability/capacity issue a result of a faulty internal/external SLA?
  • Record the results of the exercise in sections 4.1 and 4.2 of the Capacity Plan Template.
  • Input

    • Capacity Snapshot Tool results

    Output

    • Additional sources of availability and capacity risks

    Materials

    • Capacity Plan Template

    Participants

    • Capacity manager
    • Infrastructure staff

    Info-Tech Insight

    Availability and capacity problems result in incidents, critical incidents, and problems. These are addressed in a separate project (incident and problem management), but information about common causes can streamline that process.

    Identify capacity risks and mitigate them

    4.1b 30 minutes

    Based on your understanding of your capacity needs (through written SLAs and informal but regular meetings with the business) highlight major risks you foresee.

    Instructions

    1. Make a chart with two columns on a whiteboard. They should be labelled “risk” and “mitigation” respectively.
    2. Record risks to capacity you have identified in earlier activities.
    • Refer to the Capacity Snapshot Tool for components that are highlighted in red and yellow. These are specific components that present special challenges. Identify the risk(s) in as much detail as possible. Include service and business risks as well.
    • Examples: a marketing push will put pressure on the web server; a hiring push will require more Office 365 licenses; a downturn in registration will mean that fewer VMs will be required to run the service.

    Input

    • Capacity Snapshot Tool results

    Output

    • Inefficiencies

    Materials

    • Whiteboard
    • Markers

    Participants

    • Capacity manager
    • Infrastructure staff

    Info-Tech Insight

    It’s an old adage, but it checks out: don’t come to the table armed only with problems. Be a problem solver and prove IT’s value to the organization.

    Identify capacity risks and mitigate them (cont.)

    4.1b 1.5 hours

    Instructions (cont.)

    1. Begin developing mitigation strategies. Options for responding to known capacity risks fall into one of two camps:
    • Acceptance: responding to the risk is costlier than acknowledging its existence without taking any action. For gold systems, acceptance is typically not acceptable.
    • Mitigation: limiting/reducing, eliminating, or transferring risk (Herrera) comprise the sort of mitigation discussed here.
      • Limiting/reducing: taking steps to improve the capacity situation, but accepting some level of risk (spinning up a new VM, pushing back on demands from the business, promoting efficiency).
      • Eliminating: the most comprehensive (and most expensive) mitigation strategy, elimination could involve purchasing a new server or, at the extreme end, building a new datacenter.
      • Transfer: “robbing Peter to pay Paul,” in the words of capacity manager Todd Evans, is one potential way to limit your exposure. Is there a less critical service that can be sacrificed to keep your gold service online?
  • Record the results of this exercise in section 5 of the Capacity Plan Template.
  • Input

    • Capacity Snapshot Tool results

    Output

    • Capacity risk mitigations

    Materials

    • Whiteboard
    • Markers

    Participants

    • Capacity manager
    • Infrastructure staff

    Info-Tech Insight

    It’s an old adage, but it checks out: don’t come to the table armed only with problems. Be a problem solver and prove IT’s value to the organization.

    Identify availability risks and mitigate them

    4.1c 30 minutes

    While capacity management is a form of availability management, it is not the only form. In this activity, outline the specific nature of threats to availability.

    Instructions

    1. Make a chart with two columns on a whiteboard. They should be labelled “risk” and “mitigation” respectively.
    2. Begin brainstorming general availability risks based on the following sources of information/categories:
    • Vendor outages
    • Disaster recovery
    • Historical availability issues

    The image contains a large blue circle labelled: Availability. Also in the blue circle is a small red circle labelled: Capacity.

    Input

    • Capacity Snapshot Tool results

    Output

    • Availability risks and mitigations

    Materials

    • Whiteboard
    • Markers

    Participants

    • Capacity manager
    • Infrastructure staff

    Info-Tech Best Practice

    A dynamic central repository is a good way to ensure that availability issues stemming from a variety of causes are captured and mitigated.

    Identify availability risks and mitigate them (cont.)

    4.1c 1.5 hours

    Although it is easier said than done, identifying potential mitigations is a crucial part of availability management as an activity.

    Instructions (cont.)

    1. Begin developing mitigation strategies. Options for responding to known capacity risks fall into one of two camps:
    • Acceptance – responding to the risk is costlier than taking it on. Some unavailability is inevitable, between maintenance and unscheduled downtime. Record this, though it may not require immediate action.
    • Mitigation strategies:
      • Limiting/reducing – taking steps to increase availability of critical systems. This could include hot spares for unreliable systems or engaging a new vendor.
      • Eliminating – the most comprehensive (and most expensive) mitigation strategy. It could include selling.
      • Transfer – “robbing Peter to pay Paul,” in the words of capacity manager Todd Evans, is one potential way to limit your exposure. Is there a less critical service that can be sacrificed to keep your gold service online?
  • Record the results of this exercise in section 5 of Capacity Plan Template.
  • Input

    • Capacity Snapshot Tool results

    Output

    • Availability risks and mitigations

    Materials

    • Whiteboard
    • Markers

    Participants

    • Capacity manager
    • Infrastructure staff

    Iterate on the process and present your completed availability and capacity management plan

    The stakeholders consulted as part of the process will be interested in its results. Share them, either in person or through a collaboration tool.

    The current status of your availability and capacity management plan should be on the agenda for every stakeholder meeting. Direct the stakeholders’ attention to the parts of the document that are relevant to them, and solicit their thoughts on the document’s accuracy. Over time you should get a pretty good idea of who among your stakeholder group is skilled at projecting demand, and who over- or underestimates, and by how much. This information will improve your projections and, therefore, your management over time.

    Info-Tech Insight

    Use the experience gained and the artifacts generated to build trust with the business. The meetings should be regular, and demonstrating that you’re actually using the information for good is likely to make hesitant participants in the process more likely to open up.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop.

    The image contains a picture of an Info-Tech analyst.

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    4.1

    The image contains a screenshot of activity 4.1.

    Identify capacity risks and mitigate them

    The analyst will guide workshop participants in identifying potential risks to capacity and determining strategies for mitigating them.

    Phase 4 Guided Implementation

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 4: Identify and mitigate risks

    Proposed Time to Completion: 1 week

    Step 4.1: Identify and mitigate risks

    Review your findings with an analyst

    • Discuss your potential risks and your strategies for mitigating those risks.

    Then complete these activities…

    • Identify capacity risks and mitigate them
    • Identify availability risks and mitigate them
    • Complete your capacity management plan

    With these tools & templates:

    Capacity Snapshot Tool

    Capacity Plan Template

    Phase 4 Results & Insights:

    • Be a problem solver and prove IT’s value to the organization. Capacity management allows infrastructure to drive business value.
    • Iterate and share results. Reinforce your relationships with stakeholders and continue to refine how capacity management transforms your organization’s business processes.

    Insight breakdown

    Insight 1

    Components are critical to availability and capacity management.

    The CEO doesn’t care about the SMTP server. She cares about meeting customer needs and producing profit. For IT capacity and availability managers, though, the devil is in the details. It only takes one faulty component to knock out a service. Keep track and keep the lights on.

    Insight 2

    Ask what the business is working on, not what they need.

    If you ask them what they need, they’ll tell you – and it won’t be cheap. Find out what they’re going to do, and use your expertise to service those needs. Use your IT experience to estimate the impact of business and service level changes on the components that secure the availability you need.

    Insight 3

    Cloud shmoud.

    The role of the capacity manager might be changing with the advent of the public cloud, but it has not disappeared. Capacity managers in the age of the cloud are responsible for managing vendor relationships, negotiating external SLAs, projecting costs and securing budgets, reining in prodigal divisions, and so on.

    Summary of accomplishment

    Knowledge Gained

    • Impact of downtime on the organization
    • Gold systems
    • Key dependencies and sub-components
    • Strategy for monitoring components
    • Strategy for soliciting business needs
    • Projected capacity needs
    • Availability and capacity risks and mitigations

    Processes Optimized

    • Availability management
    • Capacity management

    Deliverables Completed

    • Business Impact Analysis
    • Capacity Plan Template

    Project step summary

    Client Project: Develop an Availability and Capacity Management Plan

    1. Conduct a business impact analysis
    2. Assign criticality ratings to services
    3. Define your monitoring strategy
    4. Implement your monitoring tool/aggregator
    5. Solicit business needs and gather data
    6. Analyze data and project future needs
    7. Identify and mitigate risks

    Info-Tech Insight

    This project has the ability to fit the following formats:

    • Onsite workshop by Info-Tech Research Group consulting analysts.
    • Do-it-yourself with your team.
    • Remote delivery via Info-Tech Guided Implementation.

    Research contributors and experts

    The image contains a picture of Adrian Blant.

    Adrian Blant, Independent Capacity Consultant, IT Capability Solutions

    Adrian has over 15 years' experience in IT infrastructure. He has built capacity management business processes from the ground up, and focused on ensuring a productive dialogue between IT and the business.

    The image contains a picture of James Zhang.

    James Zhang, Senior Manager Disaster Recovery, AIG Technology

    James has over 20 years' experience in IT and 10 years' experience in capacity management. Throughout his career, he has focused on creating new business processes to deliver value and increase efficiency over the long term.

    The image contains a picture of Mayank Banerjee.

    Mayank Banerjee, CTO, Global Supply Chain Management, HelloFresh

    Mayank has over 15 years' experience across a wide range of technologies and industries. He has implemented highly automated capacity management processes as part of his role of owning and solving end-to-end business problems.

    The image contains a picture of Mike Lynch

    Mike Lynch, Consultant, CapacityIQ

    Mike has over 20 years' experience in IT infrastructure. He takes a holistic approach to capacity management to identify and solve key problems, and has developed automated processes for mapping performance data to information that can inform business decisions.

    The image contains a picture of Paul Waguespack.

    Paul Waguespack, Manager of Application Systems Engineering, Tufts Health Plan

    Paul has over 10 years' experience in IT. He has specialized in implementing new applications and functionalities throughout their entire lifecycle, and integrating with all aspects of IT operations.

    The image contains a picture of Richie Mendoza.

    Richie Mendoza, IT Consultant, SMITS Inc.

    Richie has over 10 years' experience in IT infrastructure. He has specialized in using demand forecasting to guide infrastructure capacity purchasing decisions, to provide availability while avoiding costly overprovisioning.

    The image contains a picture of Rob Thompson.

    Rob Thompson, President, IT Tools & Process

    Rob has over 30 years’ IT experience. Throughout his career he has focused on making IT a generator of business value. He now runs a boutique consulting firm.

    Todd Evans, Capacity and Performance Management SME, IBM

    Todd has over 20 years' experience in capacity and performance management. At Kaiser Permanente, he established a well-defined mapping of the businesses workflow processes to technical requirements for applications and infrastructure.

    Bibliography

    451 Research. “Best of both worlds: Can enterprises achieve both scalability and control when it comes to cloud?” 451 Research, November 2016. Web.

    Allen, Katie. “Work Also Shrinks to Fit the Time Available: And We Can Prove It.” The Guardian. 25 Oct. 2017.

    Amazon. “Amazon Elastic Compute Cloud.” Amazon Web Services. N.d. Web.

    Armandpour, Tim. “Lies Vendors Tell about Service Level Agreements and How to Negotiate for Something Better.” Network World. 12 Jan 2016.

    “Availability Management.” ITIL and ITSM World. 2001. Web.

    Availability Management Plan Template. Purple Griffon. 30 Nov. 2012. Web.

    Bairi, Jayachandra, B., Murali Manohar, and Goutam Kumar Kundu. “Capacity and Availability Management by Quantitative Project Management in the IT Service Industry.” Asian Journal on Quality 13.2 (2012): 163-76. Web.

    BMC Capacity Optimization. BMC. 24 Oct 2017. Web.

    Brooks, Peter, and Christa Landsberg. Capacity Management in Today’s IT Environment. MentPro. 16 Aug 2017. Web.

    "Capacity and Availability Management." CMMI Institute. April 2017. Web.

    Capacity and Availability Management. IT Quality Group Switzerland. 24 Oct. 2017. Web.

    Capacity and Performance Management: Best Practices White Paper. Cisco. 4 Oct. 2005. Web.

    "Capacity Management." Techopedia.

    “Capacity Management Forecasting Best Practices and Recommendations.” STG. 26 Jan 2015. Web.

    Capacity Management from the Ground up. Metron. 24 Oct. 2017. Web.

    Capacity Management in the Modern Datacenter. Turbonomic. 25 Oct. 2017. Web.

    Capacity Management Maturity Assessing and Improving the Effectiveness. Metron. 24 Oct. 2017. Web.

    “Capacity Management Software.” TeamQuest. 24 Oct 2017. Web,

    Capacity Plan Template. Purainfo. 11 Oct 2012. Web.

    “Capacity Planner—Job Description.” Automotive Industrial Partnership. 24 Oct. 2017. Web.

    Capacity Planning. CDC. Web. Aug. 2017.

    "Capacity Planning." TechTarget. 24 Oct 2017. Web.

    “Capacity Planning and Management.” BMC. 24 Oct 2017. Web.

    "Checklist Capacity Plan." IT Process Wiki. 24 Oct. 2017. Web.

    Dykes, Brent. “Actionable Insights: The Missing Link Between Data and Business Value.” Forbes. April 26, 2016. Web.

    Evolved Capacity Management. CA Technologies. Oct. 2013. Web.

    Francis, Ryan. “False positives still cause threat alert fatigue.” CSO. May 3, 2017. Web.

    Frymire, Scott. "Capacity Planning vs. Capacity Analytics." ScienceLogic. 24 Oct. 2017. Web.

    Glossary. Exin. Aug. 2017. Web.

    Herrera, Michael. “Four Types of Risk Mitigation and BCM Governance, Risk and Compliance.” MHA Consulting. May 17, 2013.

    Hill, Jon. How to Do Capacity Planning. TeamQuest. 24 Oct. 2017. Web.

    “How to Create an SLA in 7 Easy Steps.” ITSM Perfection. 25 Oct. 2017. Web.

    Hunter, John. “Myth: If You Can’t Measure It: You Can’t Manage It.” W. Edwards Deming Institute Blog. 13 Aug 2015. Web.

    IT Service Criticality. U of Bristol. 24 Oct. 2017. Web.

    "ITIL Capacity Management." BMC's Complete Guide to ITIL. BMC Software. 22 Dec. 2016. Web.

    “Just-in-time.” The Economist. 6 Jul 2009. Web.

    Kalm, Denise P., and Marv Waschke. Capacity Management: A CA Service Management Process Map. CA. 24 Oct. 2017. Web.

    Klimek, Peter, Rudolf Hanel, and Stefan Thurner. “Parkinson’s Law Quantified: Three Investigations in Bureaucratic Inefficiency.” Journal of Statistical Mechanics: Theory and Experiment 3 (2009): 1-13. Aug. 2017. Web.

    Landgrave, Tim. "Plan for Effective Capacity and Availability Management in New Systems." TechRepublic. 10 Oct. 2002. Web.

    Longoria, Gina. “Hewlett Packard Enterprise Goes After Amazon Public Cloud in Enterprise Storage.” Forbes. 2 Dec. 2016. Web.

    Maheshwari, Umesh. “Understanding Storage Capacity.” NimbleStorage. 7 Jan. 2016. Web.

    Mappic, Sandy. “Just how complex can a Login Transaction be? Answer: Very!” Appdynamics. Dec. 11 2011. Web.

    Miller, Ron. “AWS Fires Back at Larry Ellison’s Claims, Saying It’s Just Larry Being Larry.” Tech Crunch. 2 Oct. 2017. Web.

    National College for Teaching & Leadership. “The role of data in measuring school performance.” National College for Teaching & Leadership. N.d. Web,

    Newland, Chris, et al. Enterprise Capacity Management. CETI, Ohio State U. 24 Oct. 2017. Web.

    Office of Government Commerce . Best Practice for Service Delivery. London: Her Majesty’s Stationery Office, 2001.

    Office of Government Commerce. Best Practice for Business Perspective: The IS View on Delivering Services to the Business. London: Her Majesty’s Stationery Office, 2004.

    Parkinson, C. Northcote. “Parkinson’s Law.” The Economist. 19 Nov. 1955. Web.

    “Parkinson’s Law Is Proven Again.” Financial Times. 25 Oct. 2017. Web.

    Paul, John, and Chris Hayes. Performance Monitoring and Capacity Planning. VM Ware. 2006. Web.

    “Reliability and Validity.” UC Davis. N.d. Web.

    "Role: Capacity Manager." IBM. 2008. Web.

    Ryan, Liz. “‘If You Can’t Measure It, You Can’t Manage It’: Not True.” Forbes. 10 Feb. 2014. Web.

    S, Lalit. “Using Flexible Capacity to Lower and Manage On-Premises TCO.” HPE. 23 Nov. 2016. Web.

    Snedeker, Ben. “The Pros and Cons of Public and Private Clouds for Small Business.” Infusionsoft. September 6, 2017. Web.

    Statement of Work: IBM Enterprise Availability Management Service. IBM. Jan 2016. Web.

    “The Road to Perfect AWS Reserved Instance Planning & Management in a Nutshell.” Botmetric. 25 Oct. 2017. Web.

    Transforming the Information Infrastructure: Build, Manage, Optimize. Asigra. Aug. 2017. Web.

    Valentic, Branimir. "Three Faces of Capacity Management." ITIL/ISO 20000 Knowledge Base. Advisera. 24 Oct. 2017. Web.

    "Unify IT Performance Monitoring and Optimization." IDERA. 24 Oct. 2017. Web.

    "What is IT Capacity Management?" Villanova U. Aug. 2017. Web.

    Wolstenholme, Andrew. Final internal Audit Report: IT Availability and Capacity (IA 13 519/F). Transport For London. 23 Feb. 2015. Web.

    Service Desk

    • Buy Link or Shortcode: {j2store}11|cart{/j2store}
    • Related Products: {j2store}11|crosssells{/j2store}
    • Up-Sell: {j2store}11|upsells{/j2store}
    • member rating overall impact: 9.4/10
    • member rating average dollars saved: $22,900
    • member rating average days saved: 20
    • Parent Category Name: Infra and Operations
    • Parent Category Link: /infra-and-operations
    The service desk is typically the first point of contact for clients and staff who need something. Make sure your team is engaged, involved, knowledgeable, and gives excellent customer service.

    Optimize the Current Testing Process for Enterprise Mobile Applications

    • Buy Link or Shortcode: {j2store}404|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Testing, Deployment & QA
    • Parent Category Link: /testing-deployment-and-qa
    • Your team has little or no experience in mobile testing.
    • You need to optimize current testing processes to include mobile.
    • You need to conduct an RFP for mobile testing tools.

    Our Advice

    Critical Insight

    • One-size-fits-all testing won’t work for mobile. The testing tools are fragmented.
    • Mobile offers many new test cases, so organizations can expect to spend more time testing.

    Impact and Result

    • Identify and address gaps between your current testing process and a target state that includes mobile testing.
    • Establish project value metrics to ensure business and technical requirements are met.

    Optimize the Current Testing Process for Enterprise Mobile Applications Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Assess the current testing state

    Determine a starting point for architecture and discuss pain points that will drive reusability.

    • Storyboard: Optimize the Current Testing Process for Enterprise Mobile Applications
    • Mobile Testing Project Charter Template
    • Visual SOP Template for Application Testing

    2. Determine the target state testing framework

    Document a preliminary list of test requirements and create vendor RFP and scoring.

    • Test Requirements Tool
    • Request for Proposal (RFP) Template

    3. Implement testing tools to support the testing SOP

    Create an implementation rollout plan.

    • Project Planning and Monitoring Tool

    Infographic

    Workshop: Optimize the Current Testing Process for Enterprise Mobile Applications

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Assess the Fit for Test Process Optimization

    The Purpose

    Understand mobile testing pain points.

    Evaluate current statistics and challenges around mobile testing and compare with your organization.

    Realize the benefits of mobile testing.

    Understand the differences of mobile testing.

    Assess your readiness for optimizing testing to include mobile.

    Key Benefits Achieved

    Preliminary understanding of how mobile testing is different from conventional approaches to testing apps.

    Understanding of how mobile testing can optimize your current testing process.

    Activities

    1.1 Understand the pain points experienced with mobile testing

    1.2 Evaluate current statistics and challenges of mobile testing and compare your organization

    1.3 Realize the benefits that come from mobile testing

    1.4 Understand the differences between mobile app testing and conventional app testing

    1.5 Assess your readiness for optimizing the testing process to include mobile

    Outputs

    Organizational state assessment for mobile testing

    2 Structure & Launch the Project

    The Purpose

    Identify stakeholders for testing requirements gathering.

    Create a project charter to obtain project approval.

    Present and obtain project charter sign-off.

    Key Benefits Achieved

    Well documented project charter.

    Approval to launch the project.

    Activities

    2.1 Identify stakeholders for testing requirements gathering

    2.2 Create a project charter to obtain project approval

    2.3 Present & obtain project charter sign-off

    Outputs

    Project objectives and scope

    Project roles and responsibilities

    3 Assess Current Testing State

    The Purpose

    Document your current non-mobile testing processes.

    Create a current testing visual SOP.

    Determine current testing pain points.

    Key Benefits Achieved

    Thorough understanding of current testing processes and pain points.

    Activities

    3.1 Document your current non-mobile testing processes

    3.2 Create a current state visual SOP

    3.3 Determine current testing pain points

    Outputs

    Documented current testing processes in the form of a visual SOP

    List of current testing pain points

    4 Determine Target State Testing Framework

    The Purpose

    Determine your target state for mobile testing.

    Choose vendors for the RFP process.

    Evaluate selected vendor(s) against testing requirements.

    Design mobile testing visual SOP(s).

    Key Benefits Achieved

    Prioritized list of testing requirements for mobile.

    Vendor selection for mobile testing solutions through an RFP process.

    New SOP designed to include both current testing and mobile testing processes.

    Activities

    4.1 Determine your target state for mobile testing by following Info-Tech’s framework as a starting point

    4.2 Design new SOP to include testing for mobile apps

    4.3 Translate all considered visual SOP mobile injections into requirements

    4.4 Document the preliminary list of test requirements in the RFP

    4.5 Determine which vendors to include for the RFP process

    4.6 Reach out to vendors for a request for proposal

    4.7 Objectively evaluate vendors against testing requirements

    4.8 Identify and assess the expected costs and impacts from determining your target state

    Outputs

    List of testing requirements for mobile

    Request for Proposal

    5 Implement Testing Tools to Support Your Testing SOP

    The Purpose

    Develop an implementation roadmap to integrate new testing initiatives.

    Anticipate potential roadblocks during implementation rollout.

    Operationalize mobile testing and ensure a smooth hand-off to IT operations.

    Key Benefits Achieved

    Creation of implementation project plan.

    List of approaches to mitigate potential implementation roadblocks.

    Achieving clean hand-off to IT ops team.

    Activities

    5.1 Develop a project plan to codify your current understanding of the scope of work

    5.2 Anticipate potential roadblocks during your tool’s implementation

    5.3 Operationalize your testing tools and ensure a smooth hand-off from the project team

    Outputs

    Mobile testing metrics implementation plan

    6 Conduct Your Retrospectives

    The Purpose

    Conduct regular retrospectives to consider areas for improvement.

    Adjust your processes, systems, and testing tools to improve performance and usability.

    Revisit implementation metrics to communicate project benefits.

    Leverage the lessons learned and apply them to other projects.

    Key Benefits Achieved

    Project specific metrics.

    Discovery of areas to improve.

    Activities

    6.1 Conduct regular retrospectives to consider areas for improvement

    6.2 Revisit your implementation metrics to communicate project benefits to business stakeholders

    6.3 Adjust your processes, systems, and testing tools to improve performance and usability

    6.4 Leverage the lessons learned and apply them to other IT projects

    Outputs

    Steps to improve your mobile testing

    Sustain and Grow the Maturity of Innovation in Your Enterprise

    • Buy Link or Shortcode: {j2store}91|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation
    • Customers are not waiting – they are insisting on change now. The recent litany of business failures and the ongoing demand for improved services means that “not in my backyard” will mean no backyard.
    • Positive innovation is about achieving tomorrow’s success today, where everyone is a leader and ideas and people can flourish – in every sector.

    Our Advice

    Critical Insight

    • Many innovation programs are not delivering value at a time when change is constant and is impacting both public and private sector organizations.
    • Organizations are not well-positioned in terms of leadership skills to advance their innovation programs.
    • Unlock your innovation potential by looking at your innovation projects on both a macro and micro level.
    • Innovation capacity is directly linked with creativity; allow your employees' creativity to flourish using Info-Tech’s positive innovation techniques.
    • Innovations need to be re-harvested each year in order to maximize your return on investment.

    Impact and Result

    • From an opportunity perspective, create an effective innovation program that spawns more innovations, realizes benefits from existing assets not fully being leveraged, and lays the groundwork for enhanced products and services.
    • This complementary toolkit and method (to existing blueprints/research) guides you to assess the “aspiration level” of innovations and the innovation program, assess the resources/capabilities that an entity has to date employed in its innovation program, and position IT for success to achieve the strategic objectives of the enterprise.

    Sustain and Grow the Maturity of Innovation in Your Enterprise Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should formalize processes to improve your innovation program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Scope and define

    Understand your current innovation capabilities and create a mandate for the future of your innovation program.

    • Sustain and Grow the Maturity of Innovation in Your Enterprise – Phase 1: Scope and Define
    • Innovation Program Mandate and Terms of Reference Template
    • Innovation Program Overview Presentation Template
    • Innovation Assessment Tool

    2. Assess and aspire

    Assess opportunities for your innovation program on a personnel and project level, and provide direction on how to improve along these dimensions.

    • Sustain and Grow the Maturity of Innovation in Your Enterprise – Phase 2: Assess and Aspire
    • Appreciative Inquiry Questionnaire

    3. Implement and inspire

    Formalize the innovation improvements you identified earlier in the blueprint by mapping them to your IT strategy.

    • Sustain and Grow the Maturity of Innovation in Your Enterprise – Phase 3: Implement and Inspire
    • Innovation Planning Tool
    [infographic]

    Workshop: Sustain and Grow the Maturity of Innovation in Your Enterprise

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Pre-Work

    The Purpose

    Gather data that will be analyzed in the workshop.

    Key Benefits Achieved

    Information gathered with which analysis can be performed.

    Activities

    1.1 Do an inventory of innovations/prototypes underway.

    1.2 High-level overview of all existing project charters, and documentation of innovation program.

    1.3 Poll working group or key stakeholders in regards to scope of innovation program.

    Outputs

    Up-to-date inventory of innovations/prototypes

    Document review of innovation program and its results to date

    Draft scope of the innovation program and understanding of the timelines

    2 Scope and Define

    The Purpose

    Scope the innovation program and gain buy-in from major stakeholders.

    Key Benefits Achieved

    Buy-in from IT steering committee for innovation program improvements.

    Activities

    2.1 Establish or re-affirm values for the program.

    2.2 Run an initial assessment of the organization’s innovation potential (macro level).

    2.3 Set/reaffirm scope and budget for the program.

    2.4 Define or refine goals and outcomes for the program.

    2.5 Confirm/re-confirm risk tolerance of organization.

    2.6 Update/document innovation program.

    2.7 Create presentation to gain support from the IT steering committee.

    Outputs

    Innovation program and terms of reference

    Presentation on organization innovation program for IT steering committee

    3 Assess and Aspire

    The Purpose

    Analyze the current performance of the innovation program and identify areas for improvement.

    Key Benefits Achieved

    Identify actionable items that can be undertaken in order to improve the performance of the innovation program.

    Activities

    3.1 Assess your level of innovation per innovation project (micro level).

    3.2 Update the risk tolerance level of the program.

    3.3 Determine if your blend of innovation projects is ideal.

    3.4 Re-prioritize your innovation projects (if needed).

    3.5 Plan update to IT steering committee.

    3.6 Assess positive innovation assessment of team.

    3.7 Opportunity analysis of innovation program and team.

    Outputs

    Positive innovation assessment

    Re-prioritized innovation projects

    Updated presentation for IT steering committee

    4 Implement and Inspire

    The Purpose

    Formalize the innovation program by tying it into the IT strategy.

    Key Benefits Achieved

    A formalized innovation program that is closely tied to the IT strategy.

    Activities

    4.1 Update business context in terms of impact on IT implications.

    4.2 Update IT strategy in terms of impact and benefits of innovation program.

    4.3 Update/create innovation program implementation plan.

    4.4 Plan update for IT steering committee.

    Outputs

    Updated business context

    Updated IT strategy

    Innovation implementation plan, including roadmap

    Updated presentation given to IT steering committee

    Take Control of Cloud Costs on AWS

    • Buy Link or Shortcode: {j2store}425|cart{/j2store}
    • member rating overall impact: 9.3/10 Overall Impact
    • member rating average dollars saved: $62,500 Average $ Saved
    • member rating average days saved: 26 Average Days Saved
    • Parent Category Name: Cloud Strategy
    • Parent Category Link: /cloud-strategy
    • Traditional IT budgeting and procurement processes don't work for public cloud services.
    • The self-service nature of the cloud means that often the people provisioning cloud resources aren't accountable for the cost of those resources.
    • Without centralized control or oversight, organizations can quickly end up with massive AWS bills that exceed their IT salary cost.

    Our Advice

    Critical Insight

    • Most engineers care more about speed of feature delivery and reliability of the system than they do about cost.
    • Often there are no consequences for over architecting or overspending on AWS.
    • Many organizations lack sufficient visibility into their AWS spend, making it impossible to establish accountability and controls.

    Impact and Result

    • Define roles and responsibilities.
    • Establish visibility.
    • Develop processes, procedures, and policies.

    Take Control of Cloud Costs on AWS Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should take control of cloud costs, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build cost accountability framework

    Assess your current state, define your cost allocation model, and define roles and responsibilities.

    • Cloud Cost Management Worksheet
    • Cloud Cost Management Capability Assessment
    • Cloud Cost Management Policy
    • Cloud Cost Glossary of Terms

    2. Establish visibility

    Define dashboards and reports, and document account structure and tagging requirements.

    • Service Cost Cheat Sheet

    3. Define processes and procedures

    Establish governance for tagging and cost control, define processes for right-sizing, and define processes for purchasing commitment discounts.

    • Right-Sizing Workflow (Visio)
    • Right-Sizing Workflow (PDF)
    • Commitment Purchasing Workflow (Visio)
    • Commitment Purchasing Workflow (PDF)

    4. Build implementation plan

    Document process interactions, establish program KPIs, and build implementation roadmap and communication plan.

    • Cloud Cost Management Task List

    Infographic

    Workshop: Take Control of Cloud Costs on AWS

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Build Cost Accountability Framework

    The Purpose

    Establish clear lines of accountability and document roles and responsibilities to effectively manage cloud costs.

    Key Benefits Achieved

    Chargeback/showback model to provide clear accountability for costs.

    Understanding of key areas to focus on to improve cloud cost management capabilities.

    Activities

    1.1 Assess current state

    1.2 Determine cloud cost model

    1.3 Define roles and responsibilities

    Outputs

    Cloud cost management capability assessment

    Cloud cost model

    Roles and responsibilities

    2 Establish Visibility

    The Purpose

    Establish visibility into cloud costs and drivers of those costs.

    Key Benefits Achieved

    Better understanding of what is driving costs and how to keep them in check.

    Activities

    2.1 Develop architectural patterns

    2.2 Define dashboards and reports

    2.3 Define account structure

    2.4 Document tagging requirements

    Outputs

    Architectural patterns; service cost cheat sheet

    Dashboards and reports

    Account structure

    Tagging scheme

    3 Define Processes and Procedures

    The Purpose

    Develop processes, procedures, and policies to control cloud costs.

    Key Benefits Achieved

    Improved capability of reducing costs.

    Documented processes and procedures for continuous improvement.

    Activities

    3.1 Establish governance for tagging

    3.2 Establish governance for costs

    3.3 Define right-sizing process

    3.4 Define purchasing process

    3.5 Define notification and alerts

    Outputs

    Tagging policy

    Cost control policy

    Right-sizing process

    Commitment purchasing process

    Notifications and Alerts

    4 Build Implementation Plan

    The Purpose

    Document next steps to implement and improve cloud cost management program.

    Key Benefits Achieved

    Concrete roadmap to stand up and/or improve the cloud cost management program.

    Activities

    4.1 Document process interaction changes

    4.2 Define cloud cost program KPIs

    4.3 Build implementation roadmap

    4.4 Build communication plan

    Outputs

    Changes to process interactions

    Cloud cost program KPIs

    Implementation roadmap

    Communication plan

    Streamline Your Workforce During a Pandemic

    • Buy Link or Shortcode: {j2store}515|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Lead
    • Parent Category Link: /lead

    Reduced infection rates in compromised areas are providing hope that these difficult times will pass. However, organizations are facing harsh realities in real time. With significant reductions in revenue, employers are facing pressure to quickly implement cost-cutting strategies, resulting in mass layoffs of valuable employees.

    Our Advice

    Critical Insight

    Employees are an organization’s greatest asset. When faced with cost-cutting pressures, look for redeployment opportunities that use talent as a resource to get through hard times before resorting to difficult layoff decisions.

    Impact and Result

    Make the most of your workforce in this unprecedented situation by following McLean & Company’s process to initiate redeployment efforts and reduce costs. If all else fails, follow our guidance on planning for layoffs and considerations when doing so.

    Streamline Your Workforce During a Pandemic Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Meet with leadership

    Set a strategy with senior leadership, brainstorm underused and understaffed employee segments and departments, then determine an approach to redeployments and layoffs.

    • Streamline Your Workforce During a Pandemic Storyboard
    • Redeployment and Layoff Strategy Workbook

    2. Plan individual and department redeployment

    Collect key information, prepare and redeploy, and roll up information across the organization.

    • Short-Term Survival Segment Evaluation Tool
    • Skills Inventory for Redeployment Tool
    • Redeployment Action and Communication Plan
    • Crisis Communication Guide for HR
    • Crisis Communication Guide for Leaders
    • Leadership Crisis Communication Guide Template
    • 3i's of Engaging Management – Manager Guide
    • Feedback and Coaching Guide for Managers
    • Redeployment Communication Roll-up Template

    3. Plan individual and department layoffs

    Plan for layoffs, execute on the layoff plan, and communicate to employees.

    • Employee Departure Checklist Tool
    • 10 Communication Best Practices in the Face of Crisis
    • Termination Logistics Tool
    • Termination Costing Tool
    • COVID-19: Employee-Facing Frequently Asked Questions Template
    • COVID-19: Employee-Facing Frequently Asked Questions
    • Standard Internal Communications Plan

    4. Monitor and manage departmental effectiveness

    Monitor departmental performance, review organizational performance, and determine next steps.

    • HR Metrics Library
    • Standard HR Scorecard
    [infographic]

    Implement Your Negotiation Strategy More Effectively

    • Buy Link or Shortcode: {j2store}225|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management
    • Forty-eight percent of CIOs believe their budgets are inadequate.
    • CIOs and IT departments are getting more involved with negotiations to reduce costs and risk.
    • Not all negotiators are created equal, and the gap between a skilled negotiator and an average negotiator is not always easy to identify objectively.
    • Skilled negotiators are in short supply.

    Our Advice

    Critical Insight

    • Preparation is critical for the success of your negotiation, but you cannot prepare for every eventuality.
    • Communication is the heart and soul of negotiations, but what is being “said” is only part of the picture.
    • Skilled negotiators separate themselves based on skillsets, and outcomes alone may not provide an accurate assessment of a negotiator.

    Impact and Result

    Addressing and managing critical negotiation elements helps:

    • Improve negotiation skills.
    • Implement your negotiation strategy more effectively.
    • Improve negotiation results.

    Implement Your Negotiation Strategy More Effectively Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should create and follow a scalable process for preparing to negotiate with vendors, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. During

    Throughout this phase, ten essential negotiation elements are identified and reviewed.

    • Implement Your Negotiation Strategy More Effectively – Phase 1: During
    • During Negotiations Tool
    [infographic]

    Workshop: Implement Your Negotiation Strategy More Effectively

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 12 Steps to Better Negotiation Preparation

    The Purpose

    Improve negotiation skills and outcomes.

    Understand how to use the Info-Tech During Negotiations Tool.

    Key Benefits Achieved

    A better understanding of the subtleties of the negotiation process and an identification of where the negotiation strategy can go awry.

    The During Negotiation Tool will be reviewed and configured for the customer’s environment (as applicable).

    Activities

    1.1 Manage six key items during the negotiation process.

    1.2 Set the right tone and environment for the negotiation.

    1.3 Focus on improving three categories of intangibles.

    1.4 Improve communication skills to improve negotiation skills.

    1.5 Customize your negotiation approach to interact with different personality traits and styles.

    1.6 Maximize the value of your discussions by focusing on seven components.

    1.7 Understand the value of impasses and deadlocks and how to work through them.

    1.8 Use concessions as part of your negotiation strategy.

    1.9 Identify and defeat common vendor negotiation ploys.

    1.10 Review progress and determine next steps.

    Outputs

    Sample negotiation ground rules

    Sample vendor negotiation ploys

    Sample discussion questions and evaluation matrix

    Master Contract Review and Negotiation for Software Agreements

    • Buy Link or Shortcode: {j2store}170|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management
    • Internal stakeholders usually have different – and often conflicting – needs and expectations that require careful facilitation and management.
    • Vendors have well-honed negotiating strategies. Without understanding your own position and leverage points, it’s difficult to withstand their persuasive – and sometimes pushy – tactics.
    • Software – and software licensing – is constantly changing, making it difficult to acquire and retain subject matter expertise.

    Our Advice

    Critical Insight

    • Conservatively, it’s possible to save 5% of the overall IT budget through comprehensive software contract review.
    • Focus on the terms and conditions, not just the price.
    • Learning to negotiate is crucial.

    Impact and Result

    • Look at your contract holistically to find cost savings.
    • Guide communication between vendors and your organization for the duration of contract negotiations.
    • Redline the terms and conditions of your software contract.
    • Prioritize crucial terms and conditions to negotiate.

    Master Contract Review and Negotiation for Software Agreements Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out how to redline and negotiate your software agreement, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Gather requirements

    Build and manage your stakeholder team, then document your business use case.

    • Master Contract Review and Negotiation for Software Agreements – Phase 1: Gather Requirements
    • RASCI Chart
    • Vendor Communication Management Plan
    • Software Business Use Case Template
    • SaaS TCO Calculator

    2. Redline contract

    Redline your proposed software contract.

    • Master Contract Review and Negotiation for Software Agreements – Phase 2: Redline Contract
    • Software Terms & Conditions Evaluation Tool
    • Software Buyer's Checklist

    3. Negotiate contract

    Create a thorough negotiation plan.

    • Master Contract Review and Negotiation for Software Agreements – Phase 3: Negotiate Contract
    • Controlled Vendor Communications Letter
    • Key Vendor Fiscal Year End Calendar
    • Contract Negotiation Tactics Playbook
    [infographic]

    Workshop: Master Contract Review and Negotiation for Software Agreements

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Collect and Review Data

    The Purpose

    Assemble documentation.

    Key Benefits Achieved

    Understand current position before going forward.

    Activities

    1.1 Assemble existing contracts.

    1.2 Document their strategic and tactical objectives.

    1.3 Identify current status of the vendor relationship and any historical context.

    1.4 Clarify goals for ideal future state.

    Outputs

    Business Use Case

    2 Define Business Use Case and Build Stakeholder Team

    The Purpose

    Define business use case and build stakeholder team.

    Key Benefits Achieved

    Create business use case to document functional and nonfunctional requirements.

    Build internal cross-functional stakeholder team to negotiate contract.

    Activities

    2.1 Establish negotiation team and define roles.

    2.2 Write communication plan.

    2.3 Complete business use case.

    Outputs

    RASCI Chart

    Vendor Communication Management Plan

    SaaS TCO Calculator

    Software Business Use Case

    3 Redline Contract

    The Purpose

    Examine terms and conditions and prioritize for negotiation.

    Key Benefits Achieved

    Discover cost savings.

    Improve agreement terms.

    Prioritize terms for negotiation.

    Activities

    3.1 Review general terms and conditions.

    3.2 Review license- and application-specific terms and conditions.

    3.3 Match to business and technical requirements.

    3.4 Redline agreement.

    Outputs

    Software Terms & Conditions Evaluation Tool

    Software Buyer’s Checklist

    4 Build Negotiation Strategy

    The Purpose

    Create a negotiation strategy.

    Key Benefits Achieved

    Establish controlled communication.

    Choose negotiation tactics.

    Plot negotiation timeline.

    Activities

    4.1 Review vendor- and application-specific negotiation tactics.

    4.2 Build negotiation strategy.

    Outputs

    Contract Negotiation Tactics Playbook

    Controlled Vendor Communications Letter

    Key Vendor Fiscal Year End Calendar

    CIO Priorities 2023

    • Buy Link or Shortcode: {j2store}84|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: $10,000 Average $ Saved
    • member rating average days saved: 9 Average Days Saved
    • Parent Category Name: IT Strategy
    • Parent Category Link: /it-strategy

    CIOs are facing these challenges in 2023:

    • Trying to understand the implications of external trends.
    • Determining what capabilities are most important to support the organization.
    • Understanding how to help the organization pursue new opportunities.
    • Preparing to mitigate new sources of organizational risk.

    Our Advice

    Critical Insight

    • While functional leaders may only see their next move, as head of the organization with a complete view of all the pieces, the CIO has full context awareness. It's up to them to assess their gaps, consider the present scenario, and then make their next move.
    • Each priority carries new opportunities for organizations that pursue them.
    • There are also different risks to mitigate as each priority is explored.

    Impact and Result

    • Inform your IT strategy for the year ahead.
    • Identify which capabilities you need to improve.
    • Add initiatives that support your priorities to your roadmap.

    CIO Priorities 2023 Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. CIO Priorities 2023 Report – Read about the priorities on IT leaders' agenda.

    Understand the five priorities that will help navigate the opportunities and risks of the year ahead.

    • CIO Priorities 2023 Report

    Infographic

     

    Further reading

    CIO Priorities 2023

    Engage cross-functional leadership to seize opportunity while protecting the organization from volatility.

    Analyst Perspective

    Take a full view of the board and use all your pieces to win.

    In our Tech Trends 2023 report, we called on CIOs to think of themselves as chess grandmasters. To view strategy as playing both sides of the board, simultaneously attacking the opponent's king while defending your own. In our CIO Priorities 2023 report, we'll continue with that metaphor as we reflect on IT's capability to respond to trends.

    If the trends report is a study of the board state that CIOs are playing with, the priorities report is about what move they should make next. We must consider all the pieces we have at our disposal and determine which ones we can afford to use to seize on opportunity. Other pieces are best used by staying put to defend their position.

    In examining the different capabilities that CIOs will require to succeed in the year ahead, it's apparent that a siloed view of IT isn't going to work. Just like a chess player in a competitive match would never limit themselves to only using their knights or their rooks, a CIO's responsibility is to deploy each of their pieces to win the day. While functional leaders may only see their next move, as head of the organization with a complete view of all the pieces, the CIO has full awareness of the board state.

    It's up to them to assess their gaps, consider the present scenario, and then make their next move.

    This is a picture of Brian Jackson

    Brian Jackson
    Principal Research Director, Research – CIO
    Info-Tech Research Group

    CIO Priorities 2023 is informed by Info-Tech's primary research data of surveys and benchmarks

    Info-Tech's Tech Trends 2023 report and State of Hybrid Work in IT: A Trend Report inform the externalities faced by organizations in the year ahead. They imply opportunities and risks that organizations face. Leadership must determine if they will respond and how to do so. CIOs then determine how to support those responses by creating or improving their IT capabilities. The priorities are the initiatives that will deliver the most value across the capabilities that are most in demand. The CIO Priorities 2023 report draws on data from several different Info-Tech surveys and diagnostic benchmarks.

    2023 Tech Trends and Priorities Survey; N=813 (partial), n=521 (completed)
    Info-Tech's Trends and Priorities 2023 Survey was conducted between August 9 and September 9, 2022. We received 813 total responses with 521 completed surveys. More than 90% of respondents work in IT departments. More than 84% of respondents are at a manager level of seniority or higher.

    2023 The State of Hybrid Work in IT Survey; N=518
    The State of Hybrid Work in IT Survey was conducted between July 11 and July 29 and received 518 responses. Nine in ten respondents were at a manager level of seniority or higher.

    Every organization will have its own custom list of priorities based on its internal context. Organizational goals, IT maturity level, and effectiveness of capabilities are some of the important factors to consider. To provide CIOs with a starting point for their list of priorities for 2023, we used aggregate data collected in our diagnostic benchmark tools between August 1, 2021, and October 31, 2022.

    Info-Tech's CEO-CIO Alignment Program is intended to be completed by CIOs and their supervisors (CEO or other executive position [CxO]) and will provide the average maturity level and budget expectations (N=107). The IT Management and Governance Diagnostic will provide the average capability effectiveness and importance ranking to CIOs (N=271). The CIO Business Vision Diagnostic will provide stakeholder satisfaction feedback (N=259).

    The 2023 CIO priorities are based on that data, internal collaboration sessions at Info-Tech, and external interviews with CIOs and subject matter experts.

    Build IT alignment

    Assess your IT processes

    Determine stakeholder satisfaction

    Most IT departments should aim to drive outcomes that deliver better efficiency and cost savings

    Slightly more than half of CIOs using Info-Tech's CEO-CIO Alignment Program rated themselves at a Support level of maturity in 2022. That aligns with IT professionals' view of their organizations from our Tech Trends and Priorities Survey, where organizations are rated at the Support level on average. At this level, IT departments can provide reliable infrastructure and support a responsive IT service desk that reasonably satisfies stakeholders.

    In the future, CIOs aspire to attain the Transform level of maturity. Nearly half of CIOs select this future state in our diagnostic, indicating a desire to deliver reliable innovation and lead the organization to become a technology-driven firm. However, we see that fewer CxOs aspire for that level of maturity from IT. CxOs are more likely than CIOs to say that IT should aim for the Optimize level of maturity. At this level, IT will help other departments become more efficient and lower costs across the organization.

    Whether a CIO is aiming for the top of the maturity scale in the future or not, IT maturity is achieved one step at a time. Aiming for outcomes at the Optimize level will be a realistic goal for most CIOs in 2023 and will satisfy many stakeholders.

    Current and future state of IT maturity

    This image depicts a table showing the Current and future states of IT maturity.

    Trends indicate a need to focus on leadership and change management

    Trends imply new opportunities and risks that an organization must decide on. Organizational leadership determines if action will be taken to respond to the new external context based on its importance compared to current internal context. To support their organizations, IT must use its capabilities to deliver on initiatives. But if a capability's effectiveness is poor, it could hamper the effort.

    To determine what capabilities IT departments may need to improve or create to support their organizations in 2023, we conducted an analysis of our trends data. Using the opportunities and risks implied by the Tech Trends 2023 report and the State of Hybrid Work in IT: A Trend Report, we've determined the top capabilities IT will need to respond. Capabilities are defined by Info-Tech's IT Management and Governance Framework.

    Tier 1: The Most Important Capabilities In 2023

    Enterprise Application Selection & Implementation

    Manage the selection and implementation of enterprise applications, off-the-shelf software, and software as a service to ensure that IT provides the business with the most appropriate applications at an acceptable cost.

    Effectiveness: 6.5; Importance: 8.8

    Leadership, Culture, and Values

    Ensure that the IT department reflects the values of your organization. Improve the leadership skills of your team to generate top performance.

    Effectiveness: 6.9; Importance: 9

    Data Architecture

    Manage the business' databases, including the technology, the governance processes, and the people that manage them. Establish the principles, policies, and guidelines relevant to the effective use of data within the organization.

    Effectiveness: 6.3; Importance: 8.8

    Organizational Change Management

    Implement or optimize the organization's capabilities for managing the impact of new business processes, new IT systems, and changes in organizational structure or culture.

    Effectiveness: 6.1; Importance: 8.8

    External Compliance

    Ensure that IT processes and IT-supported business processes are compliant with laws, regulations, and contractual requirements.

    Effectiveness: 7.4; Importance: 8.8

    Info-Tech's Management and Diagnostic Benchmark

    Tier 2: Other Important Capabilities In 2023

    Ten more capabilities surfaced as important compared to others but not as important as the capabilities in tier 1.

    Asset Management

    Track IT assets through their lifecycle to make sure that they deliver value at optimal cost, remain operational, and are accounted for and physically protected. Ensure that the assets are reliable and available as needed.

    Effectiveness: 6.4; Importance: 8.5

    Business Intelligence and Reporting

    Develop a set of capabilities, including people, processes, and technology, to enable the transformation of raw data into meaningful and useful information for the purpose of business analysis.

    Effectiveness: 6.3; Importance: 8.8

    Business Value

    Secure optimal value from IT-enabled initiatives, services, and assets by delivering cost-efficient solutions and services and by providing a reliable and accurate picture of costs and benefits.

    Effectiveness: 6.5; Importance: 8.7

    Cost and Budget Management

    Manage the IT-related financial activities and prioritize spending through the use of formal budgeting practices. Provide transparency and accountability for the cost and business value of IT solutions and services.

    Effectiveness: 6.5; Importance: 8.8

    Data Quality

    Put policies, processes, and capabilities in place to ensure that appropriate targets for data quality are set and achieved to match the needs of the business.

    Effectiveness: 6.4; Importance: 8.9

    Enterprise Architecture

    Establish a management practice to create and maintain a coherent set of principles, methods, and models that are used in the design and implementation of the enterprise's business processes, information systems, and infrastructure.

    Effectiveness: 6.8; Importance: 8.8

    IT Organizational Design

    Set up the structure of IT's people, processes, and technology as well as roles and responsibilities to ensure that it's best meeting the needs of the business.

    Effectiveness: 6.8; Importance: 8.8

    Performance Measurement

    Manage IT and process goals and metrics. Monitor and communicate that processes are performing against expectations and provide transparency for performance and conformance.

    Effectiveness: 6; Importance: 8.4

    Stakeholder Relations

    Manage the relationship between the business and IT to ensure that the stakeholders are satisfied with the services they need from IT and have visibility into IT processes.

    Effectiveness: 6.7; Importance: 9.2

    Vendor Management

    Manage IT-related services provided by all suppliers, including selecting suppliers, managing relationships and contracts, and reviewing and monitoring supplier performance.

    Effectiveness: 6.6; Importance: 8.4

    Defining the CIO Priorities for 2023

    Understand the CIO priorities by analyzing both how CIOs respond to trends in general and how a specific CIO responded in the context of their organization.

    This is an image of the four analyses: 1: Implications; 2: Opportunities and risks; 3: Case examples; 4: Priorities to action.

    The Five CIO Priorities for 2023

    Engage cross-functional leadership to seize opportunity while protecting the organization from volatility.

    1. Adjust IT operations to manage for inflation
      • Business Value
      • Vendor Management
      • Cost and Budget Management
    2. Prepare your data pipeline to train AI
      • Business Intelligence and Reporting
      • Data Quality
      • Data Architecture
    3. Go all in on zero-trust security
      • Asset Management
      • Stakeholder Relations
      • External Compliance
    4. Engage employees in the digital age
      • Leadership, Culture, and Values
      • Organizational Change Management
      • Enterprise Architecture
    5. Shape the IT organization to improve customer experience
      • Enterprise Application Selection & Implementation
      • Performance Measurement
      • IT Organizational Design

    Adjust IT operations to manage for inflation

    Priority 01

    • APO06 Cost and Budget Management
    • APo10 Vendor Management
    • EDM02 Business Value

    Recognize the relative impact of higher inflation on IT's spending power and adjust accordingly.

    Inflation takes a bite out of the budget

    Two-thirds of IT professionals are expecting their budgets to increase in 2023, according to our survey. But not every increase is keeping up with the pace of inflation. The International Monetary Fund forecasts that global inflation rose to 8.8% in 2022. It projects it will decline to 6.5% in 2023 and 4.1% by 2024 (IMF, 2022).

    CIOs must account for the impact of inflation on their IT budgets and realize that what looks like an increase on paper is effectively a flat budget or worse. Applied to our survey takers, an IT budget increase of more than 6.5% would be required to keep pace with inflation in 2023. Only 40% of survey takers are expecting that level of increase. For the 27% expecting an increase between 1-5%, they are facing an effective decrease in budget after the impact of inflation. Those expecting no change in budget or a decrease will be even worse off.

    Looking ahead to 2023, how do you anticipate your IT spending will change compared to spending in 2022?

    Global inflation estimates by year

    2022 8.8%
    2023 6.5%
    2024 4.1%

    International Monetary Fund, 2022

    CIOs are more optimistic about budgets than their supervisors

    Data from Info-Tech's CEO-CIO Alignment Diagnostic benchmark also shows that CIOs and their supervisors are planning for increases to the budget. This diagnostic is designed for a CIO to use with their direct supervisor, whether it's the CEO or otherwise (CxO). Results show that on average, CIOs are more optimistic than their supervisors that they will receive budget increases and headcount increases in the years ahead.

    While 14% of CxOs estimated the IT budget would see no change or a decrease in the next three to five years, only 3% of CIOs said the same. A larger discrepancy is seen in headcount, where nearly one-quarter of CXOs estimated no change or decrease in the years ahead, versus only 10% of CIOs estimating the same.

    When we account for the impact of inflation in 2023, this misalignment between CIOs and their supervisors increases. When adjusting for inflation, we need to view the responses projecting an increase of between 1-5% as an effective decrease. With the inflation adjustment, 26% of CXOs are predicting IT budgets to stay flat or see a decrease compared to only 10% of CIOs.

    CIOs should consider how inflation has affected their projected spending power over the past year and take into account projected inflation rates over the next couple of years. Given that the past decade has seen inflation rates between 2-3%, the higher rates projected will have more of an impact on organizational budgets than usual.

    Expect headcount to stay flat or decline over 3-5 years

    CIO: 10%; CXO: 24%

    IT budget expectations to stay flat or decrease before inflation

    CIO: 13.6 %; CXO: 3.2%

    IT budget expectations to stay flat or decrease adjusted for inflation

    CIO: 25.8%; CXO: 9.7%

    Info-Tech's CEO-CIO Alignment Program

    Opportunities

    Appoint a "cloud economist"

    Organizations that migrated from on-premises data centers to infrastructure as a service shifted their capital expenditures on server racks to operational expenditures on paying the monthly service bill. Managing that monthly bill so that it is in line with desired performance levels now becomes crucial. The expected benefit of the cloud is that an organization can turn the dial up to meet higher demand and turn it down when demand slows. In practice this is sometimes more difficult to execute than anticipated. Some IT departments realize their cloud-based data flows aren't always connected to the revenue-generating activity seen in the business. As a result, a "cloud economist" is needed to closely monitor cloud usage and adjust it to financial expectations. Especially during any recessionary period, IT departments will want to avoid a "bill shock" incident.

    Partner with technology providers

    Keep your friends close and your vendors closer. Look for opportunities to create leverage with your strategic vendors to unlock new opportunities. Identify if a vendor you work with is not entrenched in your industry and offer them the credibility of working with you in exchange for a favorable contract. Offering up your logo for a website listing clients or giving your own time to speak in a customer session at a conference can go a long way to building up some goodwill with your vendors. That's goodwill you'll need when you ask for a new multi-year contract on your software license without annual increases built into the structure.

    Demonstrate IT projects improve efficiency

    An IT department that operates at the Optimize level of Info-Tech's maturity scale can deliver outcomes that lower costs for other departments. IT can defend its own budget if it's able to demonstrate that its initiatives will automate or augment business activities in a way that improves margins. The argument becomes even more compelling if IT can demonstrate it is supporting a revenue-generating initiative or customer-facing experience. CIOs will need to find business champions to vouch for the important contributions IT is making to their area.

    Risks

    Imposition of non-financial reporting requirements

    In some jurisdictions, the largest companies will be required to start collecting information on carbon emissions emitted as a result of business activities by the end of next year. Smaller sized organizations will be next on the list to determine how to meet new requirements issued by various regulators. Risks of failure include facing fines or being shunned by investors. CIOs will need to support their financial reporting teams in collecting the new required data accurately. This will incur new costs as well.

    Rising asset costs

    Acquiring IT equipment is becoming more expensive due to overall inflation and specific pressures around semiconductor supply chains. As a result, more CIOs are extending their device refresh policies to last another year or two. Still, demands for new devices to support new hybrid work models could put pressure on budgets as IT teams are asked to modernize conferencing rooms. For organizations adopting mixed reality headsets, cutting-edge capabilities will come at a premium. Operating costs of devices may also increase as inflation increases costs of the electricity and bandwidth they depend on.

    CASE STUDY
    Leverage your influence in vendor negotiations

    Denise Cornish, Associate VP of IT and Deputy COO,
    Western University of Health Sciences

    Since taking on the lead IT role at Western University in 2020, Denise Cornish has approached vendor management like an auditable activity. She evaluates the value she gets from each vendor relationship and creates a list of critical vendors that she relies upon to deliver core business services. "The trick is to send a message to the vendor that they also need us as a customer that's willing to act as a reference," she says. Cornish has managed to renegotiate a contract with her ERP vendor, locking in a multi-year contract with a very small escalator in exchange for presenting as a customer at conferences. She's also working with them on developing a new integration to another piece of software popular in the education space.

    Western University even negotiated a partnership approach with Apple for a program run with its College of Osteopathic Medicine of the Pacific (COMP) called the Digital Doctor Bag. The partnership saw Apple agree to pre-package a customer application developed by Western that delivered the curriculum to students and facilitated communications across students and faculty. Apple recognized Western as an Apple Distinguished School, a program that recognizes innovative schools that use Apple products.

    "I like when negotiations are difficult.
    I don't necessarily expect a zero-sum game. We each need to get something out of this and having the conversation and really digging into what's in it for you and what's in it for me, I enjoy that. So usually when I negotiate a vendor contract, it's rare that it doesn't work out."

    CASE STUDY
    Control cloud costs with a simplified approach

    Jim Love, CIO, IT World Canada

    As an online publisher and a digital marketing platform for technology products and services companies, IT World Canada (ITWC) has observed that there are differences in how small and large companies adopt the cloud as their computing infrastructure. For smaller companies, even though adoption is accelerating, there may still be some reluctance to fully embrace cloud platforms and services. While larger companies often have a multi-cloud approach, this might not be practical for smaller IT shops that may struggle to master the skills necessary to effectively manage one cloud platform. While Love acknowledges that the cloud is the future of corporate computing, he also notes that not all applications or workloads may be well suited to run in the cloud. As well, moving data into the cloud is cheap but moving it back out can be more expensive. That is why it is critical to understand your applications and the data you're working with to control costs and have a successful cloud implementation.

    "Standardization is the friend of IT. So, if you can standardize on one platform, you're going to do better in terms of costs."

    From priorities to action

    Go deeper on pursuing your priorities by improving the associated capabilities.

    Improve Cost and Budget Management

    Take control of your cloud costs by providing central financial oversight on the infrastructure-as-a-service provider your organization uses. Create visibility into your operational costs and define policies to control them. Right-size the use of cloud services to stay within organizational budget expectations.

    Take Control of Cloud Costs on AWS

    Take Control of Cloud Costs on Microsoft Azure

    Improve Business Value

    Reduce the funds allocated to ongoing support and impose tougher discipline around change requests to lighten your maintenance burden and make room for investment in net-new initiatives to support the business.

    Free up funds for new initiatives

    Improve Vendor Management

    Lay the foundation for a vendor management process with long-term benefits. Position yourself as a valuable client with your strategic vendors and leverage your position to improve your contract terms.

    Elevate Your Vendor Management Initiative

    Prepare your data pipeline to train AI

    Priority 02

    • ITRG06 BUSINESS INTELLIGENCE AND REPORTING
    • ITRG07 DATA ARCHITECTURE
    • ITRG08 DATA QUALITY

    Keep pace as the market adopts AI capabilities, and be ready to create competitive advantage.

    Today's innovation is tomorrow's expectation

    During 2022, some compelling examples of generative-AI-based products took the world by storm. Images from AI-generating bots Midjourney and Stable Diffusion went viral, flooding social media and artistic communities with images generated from text prompts. Exchanges with OpenAI's ChatGPT bot also caught attention, as the bot was able to do everything from write poetry, to provide directions on a cooking recipe and then create a shopping list for it, to generate working code in a variety of languages. The foundation models are trained with AI techniques that include generative adversarial networks, transformers, and variational autoencoders. The end result is an algorithm that can produce content that's meaningful to people based on some simple direction. The industry is only beginning to come to grips with how this sort of capability will disrupt the enterprise.

    Slightly more than one-third of IT professionals say their organization has already invested in AI or machine learning. It's the sixth-most popular technology to have already invested in after cloud computing (82%), application programming interfaces (64%), workforce management solutions (44%), data lakes (36%), and next-gen cybersecurity (36%). It's ahead of 12 other technologies that IT is already invested in.

    When we asked what technologies organizations planned to invest in for next year, AI rocketed up the list to second place, as it's selected by 44% of IT professionals. It falls behind only cloud computing. This jump up the list makes AI the fastest growing technology for new investment from organizations.

    Many AI capabilities seem cutting edge now, but organizations are prioritizing it as a technology investment. In a couple of years, access to foundational models that produce images, text, or code will become easy to access with a commercial license and an API integration. AI will become embedded in off-the-shelf software and drive many new features that will quickly become commonplace.

    To stay even with the competition and meet customer expectations, organizations will have to work to at least adopt these AI-enhanced products and services. For those that want to create a competitive advantage, they will have to build a data pipeline that is capable of training their own custom AI models based on their unique data sets.

    Which of the following technology categories has your organization already invested in?

    A bar graph is depicted the percentage of organizations which already had invested in the following Categories: Cloud Computing; Application Programming; Next-Gen Cybersecurity; Workforce Management Solutions; Data Lake/Lakehouse; Artificial Intelligence or Machine Learning.

    Which of those same technologies does your organization plan to invest in by the end of 2023?

    A bar graph is depicted the percentage of organizations which plan to invest in the following categories by the end of 2023: No-Code / Low-Code Platforms; Next-Gen Cybersecurity; Application Programming Interfaces (APIs); Data Lake / Lakehouse; Artificial Intelligence (AI) or Machine Learning; Cloud Computing

    Tech Trends 2023 Survey

    Data quality and governance will be critical to customize generative AI

    Data collection and analysis are on the minds of both CIOs and their supervisors. When asked what technologies the business should adopt in the next three to five years, big data (analytics) ranked as most critical to adopt among CIOs and their supervisors. Big data (collection) ranked fourth out of 11 options.

    Organizations that want to drive a competitive advantage from generative AI will need to train these large, versatile models on their own data sets. But at the same time, IT organizations are struggling to provide clean data. The second-most critical gap for IT organizations on average is data quality, behind only organizational change management. Organizations know that data quality is important to support analytics goals, as algorithms can suffer in their integrity if they don't have reliable data to work with. As they say, garbage in, garbage out.

    Another challenge to overcome is the gap seen in IT governance, the sixth largest gap on average. Using data toward training custom generative models will hold new compliance and ethical implications for IT departments to contend with. How user data can be leveraged is already the subject of privacy legislation in many different jurisdictions, and new AI legislation is being developed in various places around the world that could create further demands. In some cases, users are reacting negatively to AI-generated content.

    Biggest capability gaps between rated importance and effectiveness

    This is a Bar graph showing the capability gaps between rated importance and effectiveness.

    IT Management and Governance Diagnostic

    Most critical technologies to adopt rated by CIOs and their supervisors

    This is a Bar graph showing the most critical technologies to adopt as rated by CIO's and their supervisors

    CEO-CIO Alignment Program

    Opportunities

    Enterprise content discovery

    Many organizations still cobble together knowledgebases in SharePoint or some other shared corporate drive, full of resources that no one quite knows how to find. A generative AI chatbot holds potential to be trained on an organization's content and produce content based on an employee's queries. Trained properly, it could point employees to the right resource they need to answer their question or just provide the answer directly.

    Supply chain forecasts

    After Hurricane Ian shut down a Walmart distribution hub, the retailer used AI to simulate the effects on its supply chain. It rerouted deliveries from other hubs based on the predictions and planned for how to respond to demand for goods and services after the storm. Such forecasts would typically take a team of analysts days to compose, but thanks to AI, Walmart had it done in a matter of hours (The Economist, 2022).

    Reduce the costs of AI projects

    New generative AI models of sufficient scale offer advantages over previous AI models in their versatility. Just as ChatGPT can write poetry or dialogue for a play or perhaps a section of a research report (not this one, this human author promises), large models can be deployed for multiple use cases in the enterprise. One AI researcher says this could reduce the costs of an AI project by 20-30% (The Economist, 2022).

    Risks

    Impending AI regulation

    Multiple jurisdictions around the world are pursuing new legislation that imposes requirements on organizations that use AI, including the US, Europe, and Canada. Some uses of AI will be banned outright, such as the real-time use of facial recognition in public spaces, while in other situations people can opt out of using AI and work with a human instead. Regulations will take the risk of the possible outcomes created by AI into consideration, and organizations will often be required to disclose when and how AI is used to reach decisions (Science | Business, 2022). Questions around whether creators can prevent their content from being used for training AI are being raised, with some efforts already underway to collect a list of those who want to opt out. Organizations that adopt a generative AI model today may find it needs to be amended for copyright reasons in the future.

    Bias in the algorithms

    Organizations using a large AI model trained by a third party to complete their tasks or as a foundation to further customize it with their own data will have to contend with the inherent bias of the algorithm. This can lead to unintended negative experiences for users, as it did for MIT Technology Review journalist Melissa Heikkilä when she uploaded her images to AI avatar app Lensa, only to have it render a collection of sexualized portraits. Heikkilä contends that her Asian heritage overly influenced the algorithm to associate her with video-game characters, anime, and adult content (MIT Technology Review, 2022).

    Convincing nonsense

    Many of the generative AI bots released so far often create very good responses to user queries but sometimes create nonsense that at first glance might seem to be accurate. One example is Meta's Galactica bot – intended to streamline scientific research discovery and aid in text generation – which was taken down only three days after being made available. Scientists found that it generated fake research that sounded convincing or failed to do math correctly (Spiceworks, 2022).

    CASE STUDY
    How MLSE enhances the Toronto Raptors' competitiveness with data-driven practices

    Christian Magsisi, Vice President of Venue and Digital Technology, MLSE

    At the Toronto Raptors practice facility, the OVO Athletic Centre, a new 120-foot custom LG video screen towers over the court. The video board is used to playback game clips so coaches can use them to teach players, but it also displays analytics from algorithmic models that are custom-made for each player. Data on shot-making or defensive deflections are just a couple examples of what might inform the players.

    Vice President of Digital Technology Christian Magsisi leads a functional Digital Labs technical group at MLSE. The in-house team builds the specific data models that support the Raptors in their ongoing efforts to improve. The analytics are fed by Noah Analytics, which uses cognitive vision to provide real-time feedback on shot accuracy. SportsVU is a motion capture system that represents how players are positioned on the court, with detail down to which way they are facing and whether their arms are up or down. The third-party vendors provide the solutions to generate the analytics, but it's up to MLSE's internal team to shape them to be actionable for players during a practice.

    "All the way from making sure that a specific player is achieving the results that they're looking for and showing that through data, or finding opportunities for the coaching staff. This is the manifestation of it in real life. Our ultimate goal with the coaches was to be able to take what was on emails or in a report and sometimes even in text message and actually implement it into practice."

    Read the full story on Spiceworks Insights.

    How MLSE enhances the Toronto Raptors' competitiveness with data-driven practices (cont.)

    Humza Teherany, Chief Technology Officer, MLSE

    MLSE's Digital Labs team architects its data insights pipeline on top of cloud services. Amazon Web Services Rekognition provides cognitive vision analysis from video and Amazon Kinesis provides the video processing capabilities. Beyond the court, MLSE uses data to enhance the fan experience, explains CTO Humza Teherany. It begins with having meaningful business goals about where technology can provide the most value. He starts by engaging the leadership of the organization and considering the "art of the possible" when it comes to using technology to unlock their goals.

    Humza Teherany (left) and Christian Magsisi lead MLSE's digital efforts for the pro sports teams owned by the group, including the Toronto Raptors, Toronto Maple Leafs, and Toronto Argonauts. (Photo by Brian Jackson).

    Read the full story on Spiceworks Insights.

    "Our first goal in the entire buildup of the Digital Labs organization has been to support MLSE and all of our teams. We like to do things first. We leverage our own technology to make things better for our fans and for our teams to complete and find incremental advantages where possible."
    Humza Teherany,
    Chief Technology Officer, MLSE

    From priorities to action

    Go deeper on pursuing your priorities by improving the associated capabilities.

    Improve Data Quality

    The performance of AI-assisted tools depends on mature IT operations processes and reliable data sets. Standardize service management processes and build a knowledgebase of structured content to prepare for AI-assisted IT operations.

    Prepare for Cognitive Service Management

    Improve Business Intelligence and Reporting

    Explore the enterprise chatbots that are available to not only assist with customer interactions but also help your employees find the resources they need to do their jobs and retrieve data in real time.

    Explore the best chatbots software

    Improve Data Architecture

    Understand if you are ready to embark on the AI journey and what business use cases are appropriate for AI. Plan around the organization's maturity in people, tools, and operations for delivering the correct data, model development, and model deployment and managing the models in the operational areas.

    Create an Architecture for AI

    Go all in on zero-trust security

    Priority 03

    • BAI09 ASSET MANAGEMENT
    • APO08 STAKEHOLDER RELATIONS
    • MEA03 EXTERNAL COMPLIANCE

    Adopt zero-trust architecture as the new security paradigm across your IT stack and from an organizational risk management perspective.

    Putting faith in zero trust

    The push toward a zero-trust security framework is becoming necessary for organizations for several different reasons over the past couple of years. As the pandemic forced workers away from offices and into their homes, perimeter-based approaches to security were challenged by much wider network footprints and the need to identify users external to the firewall. Supply-chain security became more of a concern with notable attacks affecting many thousands of firms, some with severe consequences. Finally, the regulatory pressure to implement zero trust is rising following President Joe Biden's 2021 Executive Order on Improving the Nation's Cybersecurity. It directs federal agencies to implement zero trust. That will impact any company doing business with the federal government, and it's likely that zero trust will propagate through other government agencies in the years ahead. Zero-trust architecture can also help maintain compliance around privacy-focused regulations concerned about personal data (CSO Online, 2022).

    IT professionals are modestly confident that they can meet new government legislation regarding cybersecurity requirements. When asked to rank their confidence on a scale of one to five, the most common answer was 3 out of 5 (38.5%). The next most common answer was 4 out of 5 (33.3%).

    Zero-trust barriers:
    Talent shortage and lack of leadership involvement

    Out of a list of challenges, IT professionals are most concerned with talent shortages leading to capacity constraints in cybersecurity. Fifty-four per cent say they are concerned or very concerned with this issue. Implementing a new zero-trust framework for security will be difficult if capacity only allows for security teams to respond to incidents.

    The next most pressing concern is that cyber risks are not on the radar of executive leaders or the board of directors, with 46% of IT pros saying they are concerned or very concerned. Since zero-trust requires that organizations take an enterprise risk management approach to cybersecurity and involve top decision makers, this reveals another area where organizations may fall short of achieving a zero-trust environment.

    How confident are you that your organization is prepared to meet current and future government legislation regarding cybersecurity requirements? A circle graph is shown with 68.6% colored dark green, and the words: AVG 3.43 written inside the graph.
    a bar graph showing the confidence % for numbers 1-5
    54%

    of IT professionals are concerned with talent shortages leading to capacity constraints in cybersecurity.

    46%

    of IT professionals are concerned that cyber risks are not on the radar of executive leaders or the board of directors.

    Zero trust mitigates risk while removing friction

    A zero-trust approach to security requires organizations to view cybersecurity risk as part of its overall risk framework. Both CIOs and their supervisors agree that IT-related risks are a pain point. When asked to rate the severity of pain points, 58% of CIOs rated IT-related business risk incidents as a minor pain or major pain. Their supervisors were more concerned, with 61% rating it similarly. Enterprises can mitigate this pain point by involving top levels of leadership in cybersecurity planning.

    Organizations can be wary about implementing new security measures out of concern it will put barriers between employees and what they need to work. Through a zero-trust approach that focuses on identity verification, friction can be avoided. Overall, IT organizations did well to provide security without friction for stakeholders over the past 18 months. Results from Info-Tech's CIO Business Vision Diagnostic shows that stakeholders almost all agree friction due to security practices are acceptable. The one area that stands to be improved is remote/mobile device access, where 78.3% of stakeholders view the friction as acceptable.

    A zero-trust approach treats user identity the same regardless of device and whether it is inside or outside of the corporate network. This can remove friction when workers are looking to connect remotely from a mobile device.

    IT-related business risk incidents viewed as a pain point

    CXO 61%
    CIO 58%

    Business stakeholders rate security friction levels as acceptable

    A bar graph is depicted with the following dataset: Regulatory Compliance: 93.80%; Office/Desktop Computing:	86.50%;Data Access/Integrity: 86.10%; Remote/Mobile Device Access:	78.30%;

    CIO Business Vision Diagnostic, N=259

    Opportunities

    Move to identity-driven access control

    Today's approach to access control on the network is to allow every device to exchange data with every other device. User endpoints and servers talk to each other directly without any central governance. In a zero-trust environment, a centralized zero-trust network access broker provides one-to-one connectivity. This allows servers to rest offline until needed by a user with the right access permissions. Users verify their identity more often as they move throughout the network. The user can access the resources and data they need with minimal friction while protecting servers from unauthorized access. Log files are generated for analysis to raise alerts about when an authorized identity has been compromised.

    Protect data with just-in-time authentication

    Many organizations put process in place to make sure data at rest is encrypted, but often when users copy that data to their own devices, it becomes unencrypted, allowing attackers opportunities to exfiltrate sensitive data from user endpoints. Moving to a zero-trust environment where each data access is brokered by a central broker allows for encryption to be preserved. Parties accessing a document must exchange keys to gain access, locking out unauthorized users that don't have both sets of keys to decrypt the data (MIT Lincoln Laboratory, 2022).

    Harness free and open-source tools to deploy zero trust

    IT teams may not be seeing a budget infusion to invest in a new approach to security. By making use of the many free and open-source tools available, they can bootstrap their strategy into reality. Here's a list to get started:

    PingCastle Wrangle your Active Directory and find all the domains that you've long since forgotten about and manage the situation appropriately. Also builds a spoke-and-hub map of your Active Directory.

    OpenZiti Create an overlay network to enable programmable networking that supports zero trust.

    Snyk Developers can automatically find and fix vulnerabilities before they commit their code. This vendor offers a free tier but users that scale up will need to pay.

    sigstore Open-source users and maintainers can use this solution to verify the code they are running is the code the developer intended. Works by stitching together free services to facilitate software signing, verify against a transparent ledger, and provide auditable logs.

    Microsoft's SBOM generation tool A software bill of materials is a requirement in President Biden's Executive Order, intended to provide organizations with more transparency into their software components by providing a comprehensive list. Microsoft's tool will work with Windows, Linux, and Mac and auto-detect a longlist of software components, and it generates a list organized into four sections that will help organizations comprehend their software footprint.

    Risks

    Organizational culture change to accommodate zero trust

    Zero trust requires that top decision makers get involved in cybersecurity by treating it as an equal consideration of overall enterprise risk. Not all boards will have the cybersecurity expertise required, and some executives may not prioritize cybersecurity despite the warnings. Organizations that don't appoint a chief information security officer (CISO) role to drive the cybersecurity agenda from the top will be at risk of cybersecurity remaining an afterthought.

    Talent shortage

    No matter what industry you're in or what type of organization you run, you need cybersecurity. The demand for talent is very high and organizations are finding it difficult to hire in this area. Without the talent needed to mature cybersecurity approaches to a zero-trust model, the focus will remain on foundational principles of patch management to eliminate vulnerabilities and intrusion prevention. Smaller organizations may want to consider a "virtual CISO" that helps shape the organizational strategy on a part-time basis.

    Social engineering

    Many enterprise security postures remain vulnerable to an attack that commandeers an employee's identity to infiltrate the network. Hosted single sign-on models provide low friction and continuity of identity across applications but also offer a single point of failure that hackers can exploit. Phishing scams that are designed to trick an employee into providing their credentials to a fake website or to just click on a link that delivers a malware payload are the most common inroads that criminals take into the corporate network. Being aware of how user behavior influences security is crucial.

    CASE STUDY
    Engage the entire organization with cybersecurity awareness

    Serge Suponitskiy, CIO, Brosnan Risk Consultants

    Brosnan provides private security services to high-profile clients and is staffed by security experts with professional backgrounds in intelligence services and major law enforcement agencies. Safe to say that security is taken seriously in this culture and CIO Serge Suponitskiy makes sure that extends to all back-office staff that support the firm's activities. He's aware that people are often the weakest link in a cybersecurity posture and are prone to being fooled by a phishing email or even a fraudulent phone call. So cybersecurity training is an ongoing activity that takes many forms. He sends out a weekly cybersecurity bulletin that features a threat report and a story about the "scam of the week." He also uses KnowBe4, a tool that simulates phishing attacks and trains employees in security awareness. Suponitskiy advises reaching out to Marketing or HR for help with engaging employees and finding the right learning opportunities.

    "What is financially the best solution to protect yourself? It's to train your employees. … You can buy all of the tools and it's expensive. Some of the prices are going up for no reason. Some by 20%, some by 50%, it's ridiculous. So, the best way is to keep training, to keep educating, and to reimagine the training. It's not just sending this video that no one clicks on or posting a poster no one looks at. … Given the fact we're moving into this recession world, and everyone is questioning why we need to spend more, it's time to reimagine the training approach."

    CASE STUDY
    Focus on micro-segmentation as the foundation of zero trust

    David Senf, National Cybersecurity Strategist, Bell

    As a cybersecurity analyst and advisor that works with Bell's clients, David Senf sees zero-trust security as an opportunity for organizations to put a strong set of mitigating controls in place to defend against the thorny challenge of reducing vulnerabilities in their software supply chain. With major breaches being linked to widely used software in the past couple of years, security teams might find it effective to focus on a different layer of security to prevent certain breaches. With security policy being enforced at a narrow point/perimeter, attacks are in essence blocked from exploiting application vulnerabilities (e.g. you can't exploit what you can see). Organizations must still ensure there is a solid vulnerability management program in place, but surrounding applications with other controls is critical. One aspect of zero trust, micro-segmentation, which is an approach to network management, can limit the damage caused by a breach. The solutions help to map out and protect the different connections between applications that could otherwise be abused for discovery or lateral movement. Senf advises that knowing your inventory of software and the interdependencies between applications is the first step on a zero-trust journey, before putting protection and detection in place.

    "Next year will be a year of a lot more ZTNA, zero-trust network access, being deployed. So, I think that will give organizations more of an understanding of what zero trust is as well, from a really basic perspective. If I can just limit what applications you can see and no one can even see that application, it's undiscoverable because I've got that ZTNA solution in place. … I would see that as a leading area of deployment and coming to understand what zero trust is in 2023."

    From priorities to action

    Go deeper on pursuing your priorities by improving the associated capabilities.

    Improve Asset Management

    Enable reduced friction in the remote user experience by underpinning it with a hardware asset management program. Creating an inventory of devices and effectively tracking them will aid in maintaining compliance, result in stronger policy enforcement, and reduce the harm of a lost or stolen device.

    Implement Hardware Asset Management

    Improve Stakeholder Relations

    Communicate the transition from a perimeter-based security approach to an "Always Verify" approach with a clear roadmap toward implementation. Map key protect surfaces to business goals to demonstrate the importance of zero-trust security in helping the organization succeed. Help the organization's top leadership build awareness of cybersecurity risk.

    Build a Zero Trust Roadmap

    Improve External Compliance

    Manage the challenge of meeting new government requirements to implement zero-trust security and other data protection and cybersecurity regulations with a compliance program. Create a control environment that aligns multiple compliance regimes, and be prepared for IT audits.

    Build a Security Compliance Program

    Engage employees in the digital age

    Priority 04

    • ITRG02 LEADERSHIP, CULTURE, AND VALUES
    • BAI05 ORGANIZATIONAL CHANGE MANAGEMENT
    • APO03 ENTERPRISE ARCHITECTURE

    Lead a strong culture through digital means to succeed in engaging the hybrid workforce.

    The new deal for employers in a hybrid work world

    Necessity is the mother of innovation.

    The pandemic's disruption for non-essential workers looks to have a long-lasting, if not permanent, effect on the relationship between employer and employee. The new bargain for almost all organizations is a hybrid work reality, with employees splitting time between the office and working remotely, if not working remotely full-time. IT is in a unique position in the organization as it must not only contend with the shift to this new deal with its own employees but facilitate it for the entire organization.

    With 90% of organizations embracing some form of hybrid work, IT leaders have an opportunity to shift from coping with the new work reality to finding opportunities to improve productivity. Organizations that embrace a hybrid model for their IT departments see a more effective IT department. Organizations that offered no remote work for IT rated their IT effectiveness on average 6.2 out of 10, while organizations with at least 10% of IT roles in a hybrid model saw significantly higher effectiveness. At minimum, organizations with between 50%-70% of IT roles in a hybrid model rated their effectiveness at 6.9 out of 10.

    IT achieved this increase in effectiveness during a disruptive time that often saw IT take on a heavier burden. Remote work required IT to support more users and be involved in facilitating more work processes. Thriving through this challenging time is a win that's worth sharing with the rest of the organization.

    90% of organizations are embracing some form of hybrid work.

    IT's effectiveness compared to % working hybrid or remotely

    A bar graph is shown which compares the effectiveness of IT work with hybrid and full remote work, compared to No Remote Work for IT.

    High effectiveness doesn't mean high engagement

    Despite IT's success with hybrid work, CIOs are more concerned about their staff sufficiency, skill, and engagement than their supervisors. Among clients using our CEO-CIO Alignment Diagnostic, 49% of CIOs considered this issue a major pain point compared to only 32% of CXOs. While IT staff are more effective than ever, even while carrying more of a burden in the digital age, CIOs are still looking to improve staff engagement.

    Info-Tech's State of Hybrid Work Survey illuminates further details about where IT leaders are concerned for their employee engagement. About four in ten IT leaders say they are concerned for employee wellbeing, and almost the same amount say they are concerned they are not able to see signs that employees are demotivated (N=518).

    Boosting IT employees' engagement levels to match their effectiveness will require IT leaders to harness all the tools at their disposal. Communicating culture and effectively managing organizational change in the digital age is a real test of leadership.

    Staff sufficiency, skill, and engagement issues as a major pain point

    CXO 32%
    CIO 49%

    CEO-CIO Alignment Diagnostic

    Opportunities

    Drive effectiveness with a hybrid environment

    IT leaders concerned about the erosion of culture and connectedness due to hybrid work can mitigate those effects with increased and improved communication. Among highly effective IT departments, 55% of IT leaders made themselves highly available through instant messaging chat. Another 54% of highly effective leaders increased team meetings (State of Hybrid Work Survey, n=213). The ability to adapt to the team's needs and use a number of tactics to respond is the most important factor. The greater the number of tactics used to overcome communication barriers, the more effective the IT department (State of Hybrid Work Survey, N=518).

    Modernize the office conference room

    A hybrid work approach emphasizes the importance of not only the technology in the office conference room but the process around how meetings are conducted. Creating an equal footing for all participants regardless of how they join is the goal. In pursuit of that, 63% of organizations say they have made changes or upgrades to their conference room technology (n=496). The conferencing experience can influence employee engagement and work culture and enhance collaboration. IT should determine if the business case exists for upgrades and work to decrease the pain of using legacy solutions where possible (State of Hybrid Work in IT: A Trend Report).

    Understand the organizational value chain

    Map out the value chain from the customer perspective and then determine the organizational capabilities involved in delivering on that experience. It is a useful tool for helping IT staff understand how they're connected to the customer experience and organizational mission. It's crucial to identify opportunities to resolve pain points and create more efficiency throughout the organization.

    Risks

    Talent rejects the working model

    Many employees that experienced hybrid work over the past couple of years are finding it's a positive development for work/life balance and aren't interested in a full-time return to the office. Organizations that insist on returning all employees to the office all the time may find that employees choose to leave the organization. Similarly, it could be hard to hire IT talent in a competitive market if the position is required to be onsite every day. Most organizations are providing flexible options to employees and finding ways to manage work in the new digital age.

    Wasted expense on facilities

    Organizations may choose to keep their physical office only to later realize that no one is going to work there. While providing an office space can help foster positive culture through valuable face time, it has to be used intentionally. Managers should plan for specific days that their teams will meet in the office and make sure that work activities take advantage of everyone being in the same place at the same time. Asking everyone to come in so that they can be on a videoconference meeting in their cubicle isn't the point.

    Isolated employees and teams

    Studies on a remote work environment show it has an impact on how many connections each employee maintains within the company. Employees still interact well within their own teams but have fewer interactions across departments. Overall, workers are likely to collaborate just as often as they did when working in the office but with fewer other individuals at the company. Keep the isolating effect of remote work in mind and foster collaboration and networking opportunities across different departments (BBC News, 2022).

    CASE STUDY
    Equal support of in-office and remote work

    Roberto Eberhardt, CIO, Ontario Legislative Assembly

    Working in the legislature of the Ontario provincial government, CIO Roberto Eberhardt's staff went from a fully onsite model to a fully remote model at the outset of the pandemic. Today he's navigating his path to a hybrid model that's somewhere in the middle. His approach is to allow his business colleagues to determine the work model that's needed but to support a technology environment that allows employees to work from home or in the office equally. Every new process that's introduced must meet that paradigm, ensuring it will work in a hybrid environment. For his IT staff, he sees a culture of accountability and commitment to metrics to drive performance measurement as key to the success of this new reality.

    "While it's good in a way, the challenge for us is it became a little more complex because you have to account for all those things in the office environment and in the remote work approach. Everything you do now, you have to say OK well how is this going to work in this world and how will it work in the other world?"

    Creating purpose for IT through strategy

    Mike Russell, Virginia Community College System

    At the Virginia Community College System (VCCS), CIO Mike Russell's IT team supports an organization that governs and delivers services to all community colleges in the state. Russell sees his IT team's purpose as being driven by the organization's mission to ensure success throughout the entire student journey, from enrolment to becoming employed after graduation. That customer-focused mindset starts from the top-level leadership, the chancellor, and the state governor. The VCCS maintains a six-year business plan that informs IT's strategic plan and aligns IT with the mission, and both plans are living documents that get refreshed every two years. Updating the plans provides opportunities for the chancellor to engage the organization and remind everyone of the purpose of their work.

    "The outcome isn't the degree. The outcome we're trying to measure is the job. Did you get the job that you wanted? Whether it's being re-employed or first-time employment, did you get what you were after?"

    From priorities to action

    Go deeper on pursuing your priorities by improving the associated capabilities.

    Improve Leadership, Culture, and Values

    Help leaders manage their teams effectively in a hybrid environment by providing them with the right tools and tactics to manage the challenges of hybrid work. Focus on promoting teamwork and fostering connection.

    Prepare People Leaders for the Hybrid Work Environment

    Improve Organizational Change Management

    Assign accountability for managing the changes that the organization is experiencing in the digital age. Make a people-centric approach that takes human behavior into account and plans to address different needs in different ways. Be proactive about change.

    Master Organizational Change Management Practices

    Improve Enterprise Architecture

    Develop a foundation for aligning IT's activities with business value by creating a right-sized enterprise architecture approach that isn't heavy on bureaucracy. Drive IT's purpose by illustrating how their work contributes to the overall mission and the customer experience.

    Create a Right-Sized Enterprise Architecture Governance Framework

    Shape the IT organization to improve customer experience

    PRIORITY 05

    • BAI03 ENTERPRISE APPLICATION SELECTION & IMPLEMENTATION
    • MEA01 PERFORMANCE MEASUREMENT
    • ITRG01 IT ORGANIZATIONAL DESIGN

    Tightly align the IT organization with the organization's value chain from a customer perspective.

    IT's value is defined by faster, better, bigger

    The pandemic motivated organizations to accelerate their digital transformation efforts, digitalizing more of their tasks and organizing the company's value chain around satisfying the customer experience. Now we see organizations taking their foot off the gas pedal of digitalization and shifting their focus to extracting the value from their investments. They want to execute on the digital transformation in their operations and realize the vision they set out to achieve.

    In our Trends Report we compared the emphasis organizations are putting on digitalization to last year. Overall, we see that most organizations shifted fewer of their processes to digital in the past year.

    We also asked organizations what motivated their push toward automation. The most common drivers are to improve efficiency, with almost seven out of ten organizations looking to increase staff on high-level tasks by automating repetitive tasks, 67% also wanting to increase productivity without increasing headcount, and 59% wanting to reduce errors being made by people. In addition, more than half of organizations pursued automation to improve customer satisfaction.

    What best describes your main motivation to pursue automation, above other considerations?

    A bar graph is depicted showing the following dataset: Increase staff focus on high-level tasks by automating repetitive tasks:	69%; Increase productivity of existing staff to avoid increasing headcount:	67%; Reduce errors made by people:	59%; Improve customer satisfaction:	52%; Achieve cost savings through reduction in headcount:	35%; Increase revenue by enabling higher volume of work:	30%

    Tech Trends 2023 Survey

    To what extent did your organization shift its processes from being manually completed to digitally completed during past year?

    A bar graph is depicted showing the extent to which organizations shifted processes from manual to digital during the past year for 2022 and 2023, from Tech Trends 2023 Survey

    With the shift in focus from implementing new applications to support digital transformation to operating in the new environment, IT must shift its own focus to help realize the value from these systems. At the same time, IT must reorganize itself around the new value chain that's defined by a customer perspective.

    IT struggles to deliver business value or support innovation

    Many current IT departments are structured around legacy processes that hinder their ability to deliver business value. CIOs are trying to grapple with the misalignment between the modern business structure and keep up with the demands for innovation and agility.

    Almost nine in ten CIOs say that business frustration with IT's failure to deliver value is a pain point. Their supervisors have a slightly more favorable opinion, with 76% agreeing that it is a pain point.

    Similarly, nine in ten CIOs say that IT limits affecting business innovation and agility is a pain point, while 81% of their supervisors say the same.

    Supervisors say that IT should "ensure benefits delivery" as the most important process (CEO-CIO Alignment Program). This underlines the need to achieve alignment, optimize service delivery, and facilitate innovation. The pain points identified here will need to be resolved to make this possible.

    IT departments will need to contend with a tight labor market and economic volatility in the year ahead. If this drives down resource capacity, it will be even more critical to tightly align with the organization.

    Views business frustration with IT failure to deliver value as a pain point

    CXO 76%
    CIO 88%

    Views IT limits affecting business innovation and agility as a pain point

    CXO 81%
    CIO

    90%

    CEO-CIO Alignment Program

    Opportunities

    Define IT's value by its contributions to enterprise value

    Communicate the performance of IT to stakeholders by attributing positive changes in enterprise value to IT initiatives. For example, if a digital channel helped increase sales in one area, then IT can claim some portion of that revenue. If optimization of another process resulted in cost savings, then IT can claim that as a contribution toward the bottom line. CIOs should develop their handle on how KPIs influence revenues and costs. Keeping tabs on normalized year-over-year revenue comparisons can help demonstrate that IT contributions are making an impact on driving profitability.

    Go with buy versus build if it's a commodity service

    Most back-office functions common to operating a company can be provided by cloud-based applications accessed through a web browser. There's no value in having IT spend time maintaining on-premises applications that require hosting and ongoing maintenance. Organizations that are still accruing technical debt and are unable to modernize will increasingly find it is negatively impacting employee experience, as users expect their working experience to be similar to their experience with consumer applications. In addition, IT will continue to have capacity challenges as resources will be consumed by maintenance. As they seek to outsource some applications, IT will need to consider the geopolitical risk of certain jurisdictions in selecting a provider.

    Redefine how employee performance is tracked

    The concept of "clocking in" for a shift and spending eight hours a day on the job doesn't help guide IT toward its objectives or create any higher sense of purpose. Leaders must work to create a true sense of accountability by reaching consensus on what key performance indicators are important and tasking staff to improve them. Metrics should clearly link back to business outcomes and IT should understand the role they play in delivering a good customer experience.

    Risks

    Lack of talent available to drive transformation

    CIOs are finding it difficult to hire the talent needed to create the capacity they need as digital demands of their organizations increase. This could slow the pace of change as new positions created in IT go unfilled. CIOs may need to consider reskilling and rebalancing workloads of existing staff in the short term and tap outsourcing providers to help make up shortfalls.

    Resistance to change

    New processes may have been given the official rubber stamp, but that doesn't mean staff are adhering to them. Organizations that reorganize themselves must take steps to audit their processes to ensure they're executed the way they intend. Some employees may feel they are being made obsolete or pushed out of their jobs and become disengaged.

    Short-term increased costs

    Restructuring the organization can come with the need for new tools and more training. It may be necessary to operate with redundant staff for the transitional period. Some additional expenses might be incurred for a brief period as the new structure is being put in place.

    Emphasize the value of IT in driving revenue

    Salman Ali, CIO, McDonald's Germany

    As the new CIO to McDonald's Germany, Salman Ali came on board with an early mandate to reorganize the IT department. The challenge is to merge two organizations together: one that delivers core technology services of infrastructure, security, service desk, and compliance and one that delivers customer-facing technology such as in-store touchscreen kiosks and the mobile app for food delivery. He is looking to organize this new-look department around the technology in the hands of both McDonald's staff and its customers. In conversations with his stakeholders, Ali emphasizes the value that IT is driving rather than discussing the costs that go into it. For example, there was a huge cost in integrating third-party meal delivery apps into the point-of-sales system, but the seamless experience it delivers to customers looking to place an order helps to drive a large volume of sales. He plans to reorganize his department around this value-driven approach. The organization model will be executed with clear accountability in place and key performance indicators to measure success.

    "Technology is no longer just an enabler. It's now a strategic business function. When they talk about digital, they are really talking about what's in the customers' hands and what do they use to interact with the business directly? Digital transformation has given technology a new front seat that's really driving the business."

    CASE STUDY
    Overhauling the "heartbeat" of the organization

    Ernest Solomon, Former CIO, LAWPRO

    LAWPRO is a provider of professional liability insurance and title insurance in Canada. The firm is moving its back-office applications from a build approach to a buy approach and focusing its build efforts on customer-facing systems tied to revenue generation. CIO Ernest Solomon says his team has been developing on a legacy platform for two decades, but it's time to modernize. The firm is replacing its legacy platform and moving to a cloud-based system to address technical debt and improve the experience for staff and customers. The claims and policy management platform, the "heartbeat" of the organization, is moving to a software-as-a-service model. At the same time, the firm's customer-facing Title Plus application is being moved to a cloud-native, serverless architecture. Solomon doesn't see the need for IT to spend time building services for the back office, as that doesn't align with the mission of the organization. Instead, he focuses his build efforts on creating a competitive advantage.

    "We're redefining the customer experience, which is how do we move the needle in a positive direction for all the lawyers that interact with us? How do we generate that value-based proposition and improve their interactions with our organization?"

    From priorities to action

    Go deeper on pursuing your priorities by improving the associated capabilities.

    Improve Enterprise Application Selection & Implementation

    Help leaders manage their teams effectively in a hybrid environment by providing them with the right tools and tactics to manage the challenges of hybrid work. Focus on promoting teamwork and fostering connection.

    Embrace Business-Managed Applications

    Improve Performance Measurement

    Drive the most important IT process in the eyes of supervisors by defining business value and linking IT spend to it. Make benefits realization part of your IT governance.

    Maximize Business Value From IT Through Benefits Realization

    Improve IT Organizational Design

    Showcase IT's value to the business by aligning IT spending and staffing to business functions. Provide transparency into business consumption of IT and compare your spending to your peers'.

    IT Spend & Staffing Benchmarking

    The Five Priorities

    Engage cross-functional leadership to seize opportunity while protecting the organization from volatility.

    1. Adjust IT operations to manage for inflation
    2. Prepare your data pipeline to train AI
    3. Go all in on zero-trust security
    4. Engage employees in the digital age
    5. Shape the IT organization to improve customer experience

    Expert Contributors

    In order of appearance

    Denise Cornish, Associate VP of IT and Deputy COO, Western University of Health Sciences

    Jim Love, CIO, IT World Canada

    Christian Magsisi, Vice President of Venue and Digital Technology, MLSE

    Humza Teherany, Chief Technology Officer, MLSE

    Serge Suponitskiy, CIO, Brosnan Risk Consultants

    David Senf, National Cybersecurity Strategist, Bell

    Roberto Eberhardt, CIO, Ontario Legislative Assembly

    Mike Russell, Virginia Community College System

    Salman Ali, CIO, McDonald's Germany

    Ernest Solomon, Former CIO, LAWPRO

    Bibliography

    Anderson, Brad, and Seth Patton. "In a Hybrid World, Your Tech Defines Employee Experience." Harvard Business Review, 18 Feb. 2022. Accessed 12 Dec. 2022.
    "Artificial Intelligence Is Permeating Business at Last." The Economist, 6 Dec. 2022. Accessed 12 Dec. 2022.
    Badlani, Danesh Kumar, and Adrian Diglio. "Microsoft Open Sources Its Software Bill
    of Materials (SBOM) Generation Tool." Engineering@Microsoft, 12 July 2022. Accessed
    12 Dec. 2022.
    Birch, Martin. "Council Post: Equipping Employees To Succeed In Digital Transformation." Forbes, 9 Aug. 2022. Accessed 7 Dec. 2022.
    Bishop, Katie. "Is Remote Work Worse for Wellbeing than People Think?" BBC News,
    17 June 2022. Accessed 7 Dec. 2022.
    Carlson, Brian. "Top 5 Priorities, Challenges For CIOs To Recession-Proof Their Business." The Customer Data Platform Resource, 19 July 2022. Accessed 7 Dec. 2022.
    "CIO Priorities: 2020 vs 2023." IT PRO, 23 Sept. 2022. Accessed 2 Nov. 2022.
    cyberinsiders. "Frictionless Zero Trust Security - How Minimizing Friction Can Lower Risks and Boost ROI." Cybersecurity Insiders, 9 Sept. 2021. Accessed 7 Dec. 2022.
    Garg, Sampak P. "Top 5 Regulatory Reasons for Implementing Zero Trust."
    CSO Online, 27 Oct. 2022. Accessed 7 Dec. 2022.
    Heikkilä, Melissa. "The Viral AI Avatar App Lensa Undressed Me—without My Consent." MIT Technology Review, 12 Dec. 2022. Accessed 12 Dec. 2022.
    Jackson, Brian. "How the Toronto Raptors Operate as the NBA's Most Data-Driven Team." Spiceworks, 1 Dec. 2022. Accessed 12 Dec. 2022.
    Kiss, Michelle. "How the Digital Age Has Transformed Employee Engagement." Spiceworks,16 Dec. 2021. Accessed 7 Dec. 2022.
    Matthews, David. "EU Hopes to Build Aligned Guidelines on Artificial Intelligence with US." Science|Business, 22 Nov. 2022. Accessed 12 Dec. 2022.
    Maxim, Merritt. "New Security & Risk Planning Guide Helps CISOs Set 2023 Priorities." Forrester, 23 Aug. 2022. Accessed 7 Dec. 2022.
    Miller, Michael J. "Gartner Surveys Show Changing CEO and Board Concerns Are Driving a Different CIO Agenda for 2023." PCMag, 20 Oct. 2022. Accessed 2 Nov. 2022.
    MIT Lincoln Laboratory. "Overview of Zero Trust Architectures." YouTube,
    2 March 2022. Accessed 7 Dec. 2022.
    MIT Technology Review Insights. "CIO Vision 2025: Bridging the Gap between BI and AI." MIT Technology Review, 20 Sept. 2022. Accessed 1 Nov. 2022.
    Paramita, Ghosh. "Data Architecture Trends in 2022." DATAVERSITY, 22 Feb. 2022. Accessed 7 Dec. 2022.
    Rosenbush, Steven. "Cybersecurity Tops the CIO Agenda as Threats Continue to Escalate - WSJ." The Wall Street Journal, 17 Oct. 2022. Accessed 2 Nov. 2022.
    Sacolick, Isaac. "What's in the Budget? 7 Investments for CIOs to Prioritize." StarCIO,
    22 Aug. 2022. Accessed 2 Nov. 2022.
    Singh, Yuvika. "Digital Culture-A Hurdle or A Catalyst in Employee Engagement." International Journal of Management Studies, vol. 6, Jan. 2019, pp. 54–60. ResearchGate, https://doi.org/10.18843/ijms/v6i1(8)/08.
    "Talent War Set to Become Top Priority for CIOs in 2023, Study Reveals." CEO.digital,
    8 Sept. 2022. Accessed 7 Dec. 2022.
    Tanaka, Rodney. "WesternU COMP and COMP-Northwest Named Apple Distinguished School." WesternU News. 10 Feb. 2022. Accessed 12 Dec. 2022.
    Wadhwani, Sumeet. "Meta's New Large Language Model Galactica Pulled Down Three Days After Launch." Spiceworks, 22 Nov. 2022. Accessed 12 Dec. 2022.
    "World Economic Outlook." International Monetary Fund (IMF), 11 Oct. 2022. Accessed
    14 Dec. 2022.

    Assess Your Readiness to Implement UCaaS

    • Buy Link or Shortcode: {j2store}305|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Voice & Video Management
    • Parent Category Link: /voice-video-management
    • Employees no longer work in the office all the time and have adopted a hybrid or remote policy.
    • Security is on your mind when it comes to the risks associated with data and voice across the internet.
    • You are unaware of the technology used by other departments, such as sales and marketing.

    Our Advice

    Critical Insight

    • The importance of doing your due diligence and building out requirements is paramount to deciding on what UCaaS solution works for you. Even if you decide not to pursue this cloud-based service, at least you have done your homework.
    • There are five reasons you should migrate to UCaaS: flexibility & scalability, productivity, enhanced security, business continuity, and cost savings. Challenge your selection with these criteria at your foundation and you cannot go wrong.

    Impact and Result

    With features such as messaging, collaboration tools, and video conferencing, UCaaS enables users to be more effective regardless of location and device. This can lead to quicker decision making and reduce communication delays.

    Assess Your Readiness to Implement UCaaS Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Assess Your Readiness to Implement UCaaS Storyboard – Research that reviews the business drivers to move to a UCaaS solution.

    In addition to examining the benefits of UCaaS, this deck covers how to drive toward an RFP and convince the C-suite to champion your UCaaS strategy.

    • Assess Your Readiness to Implement UCaaS Storyboard

    2. UCaaS Readiness Questionnaire – Three sets of questions to help determine your organization's readiness to move to a UCaaS platform.

    This questionnaire is a starting point. Sections include: 1) Current State Questionnaire, 2) IT Infrastructure Readiness Questionnaire, and 3) UCaaS Vendor Questionnaire. These questions can also be added to an RFP for UCaaS vendors you may want to work with.

    • UCaaS Readiness Questionnaire
    [infographic]

    Further reading

    Assess Your Readiness to Implement UCaaS

    Unified communication as a service (UCaaS) is already here. Find the right solution for your organization, whether it is Teams Phone or another solution.

    Analyst Perspective

    UCaaS is the solution to the hybrid and remote working world

    Hybrid/remote work is a reality and there is little evidence to prove otherwise despite efforts to return employees to the office. A 2023 survey from Zippia says 74% of US companies are planning to or have implemented hybrid work policies. Given the reality of the new ways people work, there’s a genuine need for a UCaaS solution.

    The days of on-premises private branch exchange (PBX) and legacy voice over internet protocol (VoIP) solutions are numbered, and organizations are examining alternative solutions to redundant desk phones. The stalwarts of voice solutions, Cisco and Avaya, have seen the writing on the wall for some time: the new norm must be a cloud-based solution that integrates via API with content resource management (CRM), email, chat, and collaboration tools.

    Besides remaining agile when accommodating different work locations, it’s advantageous to be able to quickly scale and meet the needs of organizations and their employees. New technology is moving at such a pace that utilizing a UCaaS service is truly beneficial, especially given its AI, analytics, and mobile capabilities. Being held back by an on-premises solution that is capitalized over several years is not a wise option.

    Photo of John Donovan
    John Donovan
    Principle Research Director, I&O Practice
    Info-Tech Research Group

    Insight Summary

    Improved integration and communication in a hybrid world
    Unified communication as a service (UCaaS) integrates several tools into one platform to provide seamless voice, video, chat, collaboration, sharing and much more. The ability to work from anywhere and the ability to use application programming interfaces (APIs) to integrate content resource management (CRM) and other productivity tools into a unified environment is a key component of employee productivity, whether at the office or remote, or even on mobile devices.

    Simplify your maintenance, management, and support
    Communication and voice using a cloud provisioner has many benefits and makes life easier for your IT staff. No more ongoing maintenance, upgrades, patching and managing servers or private branch exchanges (PBXs). UCaaS is easy to deploy, and due to its scalability and flexibility, users can easily be added or removed. Now businesses can retire their legacy technical debt of voice hardware and old desk phones that clutter the office.

    Oversight on security
    The utilization of a software as a service (SaaS) platform in UCaaS form does by design risk data breaches, phishing, and third-party malware. Fortunately, you can safeguard your organization’s security by ensuring the vendor you choose features SOC2 certification, taking care of encryption, firewalls, two-factor authentication and security incident handling, and disaster recovery. The big players in the UCaaS world have these features.

    Executive Summary

    Your Challenge

    So, your legacy PBX is ready to be replaced. It has no support or maintenance contract, and you face a critical decision. You could face these challenges:

    • Employees no longer work in the office all the time and have adopted a hybrid or remote policy
    • Security risks associated with data and voice across the internet
    • Limited awareness of the technology used by some departments, such as sales and marketing

    Common Obstacles

    Businesses may worry about several obstacles when it’s time to choose a voice and collaboration solution. For example:

    • Concern over internet connectivity or disruptions
    • Uncertainty integrating systems with the platform
    • Unsure whether employees will embrace new tools/workflows that completely change how they work, collaborate, and communicate
    • Failure to perform due diligence when trying to choose the right solution for an organization

    Info-Tech’s Approach

    It’s critically important to perform due diligence and build out requirements when deciding what UCaaS solution works for you. Even if you decide not to pursue this cloud-based service, at least you will:

    • Determine your business case
    • Evaluate your roadmap for unified communication
    • Ask all the right questions to determine suitability

    In this advisory deck, you will see a set of questions you must ask including whether Teams is suitable for your business.

    Info-Tech Insight

    Determine your communication and collaboration needs. Evaluate your current use of voice, video, chat, collaboration, sharing, and mobility whether for the office or remote work. Evaluate your security and regulatory requirements and needs. Determine the integration requirements when evaluating top vendors.

    The evolution of unified communication

    How we moved from fax machines and desk phones to an integrated set of tools on one platform in the cloud

    A diagram that shows the evolution of unified communication from 1980s to 2020s.

    Business drivers for moving to UCaaS

    What organizations look to gain or save by moving to UCaaS solutions

    Flexibility and scalability
    Ability to add/remove users and services as appropriate for changing business needs, allowing for quick adaptation to changing markets.

    Productivity
    Offering features like messaging, collaboration tools, and video conferencing enables users to be more effective regardless of location and device. May lead to quicker decision making and reduced communication delays.

    Cost savings
    Eliminating the need for on-premises hardware and software, reducing maintenance and support costs. Predictable monthly billing.

    Business continuity
    Reducing risks of disruption or disaster. Allowing users to work from anywhere when the physical office is unavailable. Additional features can include disaster recovery and backup services.

    Enhanced security
    UCaaS providers usually offer advanced security and compliance features including encryption, firewall, intrusion detection, and certifications like HIPAA and SOC 2.

    KPIs to demonstrate success

    What key metrics should businesses measure to demonstrate a successful UCaaS project?
    What improvements are needed?
    What can be optimized?

    KPI Measurement
    User adoption rate
    • % of employees utilizing UCaaS solutions
    • # of users who completed UCaaS training/onboarding
    • # of calls or messages sent per user
    Call quality and reliability
    • % of calls with good to excellent quality
    • # of dropped calls or call disruption
    • Mean opinion score (MOS) for video and voice quality
    Cost savings
    • TCO for UCaaS compared to previous solution
    • Cost per month for UCaaS
    • Reduced hardware/maintenance and communication costs
    Improved productivity
    • Time saved with streamlined comms workflows
    • # of successful collaborative projects or meetings
    • Improved speed and quality for customer service or support
    Customer satisfaction
    • Net promoter score or CSAT
    • Positive customer reviews
    • Time-to-resolution of customer issues
    Scalability
    • Ability to add/remove/change user features as needed
    • Time to deploy new UCaaS features
    • Scalability of network to support increased UCaaS usage

    What are the surveys telling us?

    Different organizations adopt UCaaS solutions for different reasons

    95%

    Collaboration: No Jitter’s study on team collaboration found that 95% of survey respondents think collaborative communication apps are a necessary component of a successful communications strategy.
    Source: No Jitter, 2018.

    95%

    Security: When deploying remote communication solutions, 95% of businesses say they want to use VPN connections to keep data private.
    Source: Mitel, 2018.

    31%

    Flexibility: While there are numerous advantages to cloud-based communications, 31% of companies intend to use UCaaS to eliminate technical debt from legacy systems and processes.
    Source: Freshworks, 2019.

    UCaaS adoption

    While many organizations are widely adopting UCaaS, they still have data security concerns

    UCaaS deployments are growing

    UCaaS is growing at a rate that shows the market for UC is moving toward cloud-based voice and collaboration solutions at a rate of 29% year over year.

    Source: Synergy Research Group, 2017.

    Security is still a big concern

    While it’s increasingly popular to adopt cloud-based unified communication solutions, 70% of those companies are still concerned about their data security.

    Source: Masergy, 2022.


    Concerns around security range from encrypting conversations to controlling who has access to what data in the organization’s network to how video is managed on emerging video communications platforms.

    Info-Tech Insight

    Ensure you maintain a robust security posture with your data regardless of where it is being stored. Security breaches can happen at any location.

    UCaaS vs. on-premises UC

    A diagram that shows UCaaS benefits

    Main benefits of UCaaS

    • Rapid deployment: Cloud hosting provides the ability to deploy quickly.
    • Ease of management: It’s no longer necessary for companies to manage communications across multiple platforms and devices.
    • Better connection: The communication flow across teams and with customers is faster and easier with phone, messaging, audio and video conferencing available in one place.
    • Scalability: Since UCaaS is an on-demand service, companies can scale their communication needs to what’s immediately required at an affordable price.

    Info-Tech Insight

    There are five reasons you should migrate to UCaaS. They are advanced technology, easily scalable, cost efficiencies, highly available, and security. There are always outliers, but these five criteria are a reliable foundation when assessing a vendor/product.

    UCaaS architecture

    The 6 primary elements of UCaaS

    Unified communications as a service (UCaaS) is a cloud-based subscription service primarily for communication tools such as voice, video, messaging, collaboration, content sharing, and other cloud services over the internet. It uses VoIP to process calls.

    The popularity of UCaaS is increasing with the recent trend of users working remotely full or part-time and requiring collaboration tools for their work.

    • The main benefit to businesses is the ability to remove on-premises hardware and reduce technical debt.
    • Additionally, it removes the need for expensive up-front capital costs and reduces communications costs.
    • From a productivity perspective, delivering these services under one platform/service increases effective collaboration and allows instant communication regardless of device or location.

    A diagram that shows protocols

    Features available to UCaaS/UC

    Must-haves vs. nice-to-haves

    A diagram that shows Must-haves vs. nice-to-haves UC features

    Info-Tech Insight

    Decide what matters most to the organization when choosing the UC platform and applications. Divide criteria into must-have vs. nice-to-have categories.

    Security and UCaaS

    • Maintain company integrity
    • Enhance data security
    • Regulatory compliance
    • Reduce risk of fraud
    • Protect data for multiple devices

    What are the concerns? What is at risk?

    • DDoS attacks: Enterprise transactions are paralyzed by flooding of data across the network preventing access
    • Phishing: Users are tricked into clicking a URL and sharing an organization’s sensitive data
    • Ransomware: Malicious attack preventing the business from accessing data and demanding a ransom for access
    • Third-party malware: Software infected with a virus, trojan horse, worms, spyware, or even ransomware with malicious intent

    Security solutions in UCaaS

    End-to-end encryption is critical

    SRTP

    • Secure real-time protocol is a cryptographic protocol used to secure voice & video calls over IP networks
    • SRTP provides encryption, message authentication, and integrity protection for voice and data packets. Using advanced encryption standard (AES) reduces chance of DDoS attacks

    TLS

    • Transport layer security (TLS) is a cryptographic protocol that secures data in transit over the internet, protecting from interception and tampering

    VPNs and firewalls

    • Virtual private networks (VPNs) are used to secure and encrypt connections between remote devices and the network. UCaaS providers can use VPN to secure access from remote locations
    • Firewalls are your primary line of defense against unauthorized traffic entering or leaving the network

    SIP

    • Session initiated protocol (SIP) over TLS is used to initiate and terminate video and voice calls over the internet. UCaaS providers often use SIP over TLS to encrypt and secure SIP messages

    SSH

    • Secure shell (SSH) is a cryptographic network protocol used to secure remote access and communications over the network. SSH is often used by UCaaS providers to secure remote management and configuration of systems

    Info-Tech Insight

    Encryption is a must for securing data and voice packets across the internet. These packets can be vulnerable to eavesdropping techniques and local area network (LAN) breaches. This risk must be mitigated from end to end.

    UCaaS

    Seven vendors competing with Microsoft’s integrated suite of collaboration tools

    Zoom

    A logo of Zoom
    Best for large meetings and webinars

    Key features:

    • Virtual meetings up to 300 users, up to 1,000 with enterprise version
    • Team chat
    • Digital whiteboard
    • Phone

    RingCentral

    A logo of RingCentral
    Best for project management collaboration tools

    Key features:

    • Video conferencing up to 200 users
    • Chat
    • Voice calls
    • Video polls and captioning
    • Digital whiteboard

    Nextiva

    A logo of Nextiva
    Best for CRM support, best-in-class functionality and features

    Key features:

    • Single dashboard
    • Chat
    • Cospace collaboration tool
    • Templates
    • Voice and call pop

    GoTo Connect

    A logo of GoTo Connect
    Best for integration with other business apps

    Key features:

    • Video conferencing up to 250 participants
    • Meeting transcripts
    • Dial plan

    Dialpad

    A logo of Dialpad
    Best for small companies under 15 users

    Key features:

    • Video meetings up to 15 participants
    • AI transcripts with call summary
    • Call controls share screen, switch between devices
    • Channel conversations with calendar app

    WebEx

    A logo of WebEx
    Only vendor offering real-time translation & closed captioning

    Key features:

    • Video meetings up to 200 participants
    • Calling features with noise removal, call recording, and transcripts
    • Live polling and Q&A

    Google Workspace

    A logo of Google Workspace
    Best for whole team collaboration for docs and slides

    Key features:

    • Google meet video
    • Collaboration on docs, sheets, and slides
    • Google chat and spaces
    • Calendars with sync updates with Gmail and auto-reminders

    Avaya and Cisco

    The major players in the VoIP on-premises PBX world have moved to a cloud experience to compete with Microsoft and other UCaaS players

    Avaya offers the OneCloud UC platform. It is one of the last UC vendors to offer on-premises solutions. In a market which is moving to the cloud at a serious pace, Avaya retains a 14% share. It made a strategic partnership with RingCentral in 2019 and in February 2021 they formed a joint venture which is now called Avaya Cloud Office, a UCaaS solution that integrates Avaya’s communication and collaboration solution with the RingCentral cloud platform.

    With around 33% of the UC market, Cisco also has a selection of UC products and services for on-premises deployment and the cloud, including WebEx Calling, Jabber, Unity Connections for voice messaging, and Single Number Reach for extensive telephony features.

    Both vendors support on-premises and cloud-based solutions for UC.

    Services provided by Avaya and Cisco in the UCaaS space

    A logo of Avaya Cloud Office
    Avaya Cloud Office

    • Voice calling: Cloud-based phone system over the internet with call forwarding, call transfer, voice mail, and more
    • Video conferencing: Virtual meetings for real-time collaboration, screen sharing, virtual backgrounds, video layout, meeting recording, whiteboarding and annotation, and virtual waiting room
    • Messaging: A feature that allows users to send and receive instant messages and SMS text messaging on the same platform
    • Collaboration: Work together on documents and projects in real time. File sharing and task management
    • Contact center: Manage customer interactions across voice, email, chat, and social media
    • Mobile app: Allows users to access communication and collaboration features on smartphones and tablets

    A logo of Cisco WebEx
    Cisco WebEx

    • Voice calling: Cisco WebEx calling provides cloud-based phone system over the internet including call forwarding, transfer, and voice mail
    • Video conferencing: Features include virtual meeting and real-time collaboration, screen sharing, and virtual backgrounds and layouts, highly scalable to large audiences
    • Messaging: Features include chat and SMS
    • Collaboration: Allows users to work together on docs and projects in real time, including file sharing and task management
    • Contact center: Multiple contact center solutions offered for small, medium, and large enterprises
    • Mobile app: Software clients for Jabber on cellphones
    • Artificial intelligence: Business insights, automatic transcripts, notes, and highlights to capture the meeting

    Service desk and contact center cloud options

    INDUSTRY: All industries
    SOURCE: Software reviews

    What vendors offer and what they don’t

    RingCentral integrates with some popular contact centers such as Five 9, Talkdesk and Sharpen. They also have a built-in contact center solution that can be integrated with their messaging and video conferencing tools.

    GoToConnect integrates with several leading customer service providers including Zendesk and Salesforce Service Cloud They also offer a built-in contact center solution with advanced call routing and management features.

    WebEx integrates with a variety of contact center and customer service platforms including Five9, Genesys, and ServiceNow.

    Dialpad integrates with contact center platforms such as Talkdesk and ServiceNow as well as CRM tools such as Salesforce and HubSpot.

    Google Workspace integrates with third-party contact center platforms through their Google Cloud Contact Center AI offering.

    SoftwareReviews

    A diagram that shows some top cloud options in Software reviews

    UCaaS comparison table

    A diagram of a UCaaS comparison table
    * Some reported issues around sound and voice quality may be due to network
    **Limited to certain plans

    Differences between UCaaS and CPaaS

    UCaaS

    CPaaS

    Defined

    Unified communication as a service – a cloud-based platform providing a suite of tools like voice, video messaging, file sharing & contact center.

    Communication platform as a service – a cloud-based platform allowing developers to use APIs to integrate real-time communications into their own applications.

    Functionality

    Designed for end users accessing a suite of tools for communication and collaboration through a unified platform.

    Designed for developers to create and integrate comms features into their own applications.

    Use cases

    Replace aging on-premises PBX systems with consolidated voice and collaboration services.

    Embedded communications capabilities into existing applications through SDKs, Java, and .NET libraries.

    Cost

    Often has a higher cost depending on services provided which can be quite comprehensive.

    Can be more cost effective than UCaaS if the business only requires a few communication features Integrated into their apps.

    Customization

    Offers less customization as it provides a predefined suite of tools that are rarely customized.

    Highly flexible and customizable so developers can build and integrate to fit unique use cases.

    Vendors

    Zoom, MS Teams, Cisco WebEx, RingCentral 8x8, GoTo Meeting, Slack, Avaya & many more.

    Twilio, Vonage, Pivo, MessageBird, Nexmo, SignalWire, CloudTalk, Avaya OneCloud, Telnyx, Voximplant, and others.

    Microsoft Teams Phone

    UCaaS for Microsoft 365

    Consider your approach to the telephony question. Microsoft incorporates telephony functionality with their broader collaboration suite. Other providers do the opposite.

    Microsoft’s voice solution

    These options allow you to plan for an all-cloud solution, connect to your own carrier, or use a combination of all cloud with a third-party carrier. Caveat: Calling plans must be available in your country or region.

    How do you connect with the public switched telephone network (PSTN)?

    Microsoft has three options for connecting the phone system to the PSTN:

    Calling Plan

    • Uses Microsoft's phone system and adds a domestic and international calling plan, which enables worldwide calling but depends on your chosen license
    • Since PSTN Calling Plan operates out of Microsoft 365, you are not required to deploy/maintain on-premises hardware
    • Customers can connect a supported session border controller (SBC) via direct routing if it’s necessary to operate with third-party PBX analog devices or other voice solutions supported by the SBC
    • You can assign your phone numbers directly in the Teams Admin Center

    This plan will work for you if:

    • There is a calling plan available in your region
    • You don’t need to maintain your PSTN carrier
    • You want to use Microsoft's managed PSTN
    • No SBC is necessary in your organization
    • Teams provides all the features your business needs

    Operator Connect

    • Leverage existing contracts or find a new operator from a selection of participating operators
    • Operator-managed infrastructure, your operator manages PSTN calling services and SBC
    • Faster, easier deployment, quickly connect to your operator and assign phone numbers directly from Teams Admin Center
    • Enhanced support and reliability, operators provide technical support and shared service level agreements
    • Customers can connect a supported SBC via Direct Routing for interoperability with third-party PBXs, analog devices, and other third-party voice solution equipment supported by SBC

    This plan will work for you if:

    • There is no calling plan available in your region
    • Your preferred carrier participates in the Microsoft operator connect plan
    • You are looking to get a new operator that enables calling in Teams

    Direct Routing

    • Connect your own supported SBC to Microsoft Phone System directly without needing additional on-premises software
    • Use virtually any voice solution carrier with Microsoft Phone System
    • Can be configured and managed by customers or by your carrier or partner (ask if your carrier or partner provides this option)
    • Configure interoperability between your voice solution equipment (e.g., a third-party PBX and analog devices) and Microsoft Phone System
    • Assign phone numbers directly from Teams Admin Center

    This plan will work for you if:

    • You want to use Teams with Phone System
    • You need to retain your current PSTN carrier
    • You want to mix routing – some calls are going via Calling Plans, some via your carrier
    • You need to interoperate with third-party PBXs and/or equipment such as overhead pagers, analog devices
    • Teams has all the features that your organization requires


    For more information, go to Microsoft Teams call flows.

    Teams phone architecture

    Microsoft offers three options that can be deployed based on several factors and questions you must answer.

    Microsoft Teams phone considerations when connecting to a PSTN

    • Do you want to move on-premises users to the cloud?
    • Is Microsoft's PSTN Calling Plan available in your region?
    • Is your preferred operator a participant in the Microsoft Operator Connect Program?
    • Do you want or need to keep your current voice carrier (e.g., does an existing contract require you to do so)?
    • Do you have an existing on-premises legacy PBX that you want or need to keep?
    • Does your current legacy PBX offer unique business-critical features?
    • Do all/any of your users require features not currently offered in Phone System?

    1. Phone System with Calling Plan

    All in the cloud for Teams users
    A diagram that shows Phone System with Calling Plan.

    Infrastructure requirements:

    Requires uninterrupted connection with Microsoft 365 Yes
    Available worldwide* No
    Requires deploying and maintaining a supported session border controller (SBC) No
    Requires contract with third-party carrier No

    *List of countries where calling plans are available: aka.ms/callingplans

    2. Phone System with own carrier via operator connect

    Phone system in the cloud; connectivity to on-premises voice network for Teams users
    A diagram that shows Phone System with own carrier via operator connect

    Infrastructure requirements:

    Requires uninterrupted connection with Microsoft 365 Yes
    Available worldwide* No
    Requires deploying and maintaining a supported session border controller (SBC) No
    Requires contract with third-party carrier Yes

    *List of countries where Operator Connect is available: aka.ms/operatorconnect

    3. Phone System with own carrier via Direct Routing

    Phone system in the cloud; connectivity to on-premises voice network for Teams users
    A diagram that shows Phone System with own carrier via Direct Routing

    Infrastructure requirements:

    Requires uninterrupted connection with Microsoft 365 Yes
    Available worldwide Yes
    Requires deploying and maintaining a supported session border controller (SBC) Yes
    Requires contract with third-party carrier* Yes

    *Unless deployed as an option to provide connection to third-party PBX, analog devices, or other voice equipment for users who are on Phone System with Calling Plans


    A Metrigy study found that 70% of organizations adopting MS Teams are using direct routing to connect to the PSTN
    Note: Complex organizations with varying needs can adopt all three options simultaneously.

    Avoid overpurchasing Microsoft telephony

    Microsoft telephony products on a page

    A diagram that shows Microsoft telephony products

    Pros:

    • The complete package: sole-sourcing your environment for simpler management
    • Users familiar with Microsoft will only have one place to go for telephony
    • You can bring your own provider and manage your own routing, giving you more choice
    • This can keep costs down as you do not have to pay for calling plan services
    • You can choose your own third-party solution while still taking advantage of the integrations that make Microsoft so attractive as a vendor

    Cons:

    • The most expensive option of the three
    • Less control and limited features compared to other pure-play telephony vendors
    • This service requires expertise in managing telephony infrastructure
    • Avoiding the cloud may introduce technical debt in the long term
    • You will have to manage integrations and deal with limited feature functionality (e.g. you may be able to receive inbound calls but not make outbound calls)

    Why does it matter?

    Phone System is Microsoft’s answer to the premises-based private branch exchange (PBX) functionality that has traditionally required a large capital expenditure. The cloud-based Phone System, offered with Microsoft’s highest tier of Microsoft/Office 365 licensing, allows Skype/Teams customers access to the following features (among others):

    • PSTN telephony (inbound and outbound)
    • Auto attendants (a menu system for callers to navigate your company directory)
    • Call forwarding, voice mail, and transferring
    • Caller ID
    • Shared lines
    • Common area phones

    Phone System, especially the Teams version, is a fully-featured telephony solution that integrates natively with a popular productivity solution. Phone System is worth exploring because many organizations already have Teams licenses.

    Key insights

    1. Don’t pay twice for the same service (unless you must). If you already have M/O365 E5 customer, Teams telephony can be a great way to save money and streamline your environment.
    2. Consider your approach to the telephony question. Microsoft incorporates telephony functionality into a broader collaboration suite. Other providers do the opposite. This reflects their relative strengths.
    3. Teams is a platform. You can use it as a front end for other telephone services. This might make sense if you have a preferred cloud PBX provider.

    Sources

    “Plan your Teams voice solution,” Microsoft, 2022.

    “Microsoft Calling Plans for Teams,” Microsoft, 2023.

    “Plan Direct Routing,” Microsoft, 2023.

    “Cisco vs. Microsoft Cloud Calling—Discussing the Options,” UC Today, 2022.

    “Microsoft Teams Phone Systems: 5 Deployment Options in 2020,” AeroCom, 2020.

    Contact Center and Teams integration

    Three Teams integration options

    If you want to use a certified and direct routing solution for Teams Phone, use the Connect model.

    If you want to use Azure bots and the Microsoft Graph Communication APIs that enable solution providers to create the Teams app, use the Extend model.

    If you want to use the SDK that enables solution providers to embed native Teams experiences in their App, use the Power model (under development).

    The Connect model features

    The Extend model features

    The Power model features (TBD)

    Office 365 authN for agents to connect to their MS tenant from their integrated CCaaS client

    Team graph APIs and Cloud Communication APIs for integration with Teams

    Goal: One app, one screen contact center experience

    Use Teams to see when agents are available

    Teams-based app for agent experience Chat and collaboration experience integrated with the Teams Client

    Goal: Adapt using software development kits (SDKs)

    Transfers and groups call support for Teams

    Teams as the primary calling endpoint for the agent

    Goal: One dashboard experience

    Teams Graph APIs and Cloud communication APIs for integration with Teams

    Teams' client calling for the all the call controls. Preserve performance & quality of Teams client experience

    Multi-tenant SIP trunking to support several customers on solution provider’s SBC

    Agent experience apps for both Teams web and mobile client

    Solution providers to use Microsoft certified session border controller (SBC)

    Analytics workflow management role-based experience for agents in the CaaS app in Teams

    Teams phone network assessment

    Useful tools for Microsoft network testing and Microsoft Teams site assessment

    Plan network basics

    • Does your network infrastructure have enough capacity? Consider switch ports, wireless access points, and other coverage.
    • If you use VLANs and DHCP, are your scopes sized accordingly?
    • Evaluate and test network paths from where devices are deployed to Microsoft 365.
    • Open the required firewall ports and URLs for Microsoft 365 as per guidance.
    • Review and test E911 requirements and configuration for location accuracy and compliance.
    • Avoid using a proxy server and optimize media paths for reliability and quality.

    What internet speed do I need for Teams calls?

    • Microsoft Teams uses about 1.2 Mbps for HD video calling (720p), 1.5 Mbps for 1080p, 500 kbps for standard quality video (360p). Group video requires about 1 Mbps, HD group video uses about 2 Mbps.

    Key physical considerations

    • Power: Do you have enough electrical outlets? If the device needs an external power source, how close can you position it to an outlet?
    • Device placement: Where will your device be located? Review desk stands, wall mounts, and other accessories from the original equipment manufacturer (OEM).
    • Security: Does your device need to be locked in certain spaces?
    • Accessibility: Does the device meet the accessibility requirements of its primary user? Consider where it's placed, wire length, and handset or headset usability.

    Prepare your organization's network for Microsoft Teams

    Plan your Teams voice solution

    Check your internet connection for Teams Phone System

    Teams Phone Mobile

    UCaaS Activity

    Questions that must be addressed by your business and the vendor. Site surveys and questionnaires for your assessment

    Activity: Questionnaire

    Input: Evaluate your current state, Network readiness
    Output: Decisions on readiness, Gaps in infrastructure readiness, Develop a project plan
    Materials: UCaaS Readiness Questionnaire
    Participants: Infrastructure Manager, Project Manager, Network Engineer, Voice Engineer

    As a group, read through the questions on Tabs 1 and 2 of the UCaaS Readiness Questionnaire workbook. The answers to the questions will determine if you have gaps to fill when determining your readiness to move forward on a UCaaS solution.

    You may produce additional questions during the session that pertain to your specific business and situation. Please add them to the questionnaire as needed.

    Record your answers to determine next steps and readiness.

    When assessing potential vendors, use Tab 3 to determine suitability for your organization and requirements. This section may be left to a later date when building a request for proposal (RFP).

    Call #1: Review client advisory deck and next steps.

    Call #2: Assess readiness from answers to the Tab 1 questions.

    Download the UCaaS Readiness Questionnaire here

    Critical Path – Teams with Phone System Deployment

    A diagram that shows Critical Path – Teams with Phone System Deployment

    Example Ltd.’s Communications Guide

    A diagram that shows Example Ltd.’s Communications Guide

    [Insert Organization Name]’s Communications Guide

    A diagram that shows [Insert Organization Name]’s Communications Guide

    Related Info-Tech Research

    Photo of Modernize Communications and Collaboration Infrastructure

    Modernize Communications and Collaboration Infrastructure

    Organizations are losing productivity from managing the limitations of yesterday’s technology. The business is changing and the current communications solution no longer adequately connects end users. A new communications and collaboration infrastructure is due to replace or update the legacy infrastructure in place today.

    Photo of Establish a Communication and Collaboration System Strategy

    Establish a Communication and Collaboration System Strategy

    Communication and collaboration portfolios are overburdened with redundant and overlapping services. Between Office 365, Slack, Jabber, and WebEx, IT is supporting a collection of redundant apps. This redundancy takes a toll on IT, and on the user.

    Photo of Implement a Transformative IVR Experience That Empowers Your Customers

    Implement a Transformative IVR Experience That Empowers Your Customers

    Learn the strategies that will allow you to develop an effective interactive voice response (IVR) framework that supports self-service and improves the customer experience.

    Bibliography

    “8 Security Considerations for UCaaS.” Tech Guidance, Feb. 2022. Accessed March 2023.

    “2022 UCaaS & CCaaS market trends snapshot.” Masergy, 2022. Web.

    “All-in-one cloud communications.” Avaya, 2023. Accessed April 2023. Web.

    Carter, Rebekah. “UC Case Study in Focus: Microsoft Teams and GroupM.” UC Today, 9 May 2022. Accessed Feb. 2023.

    “Cisco Unified Communications Manager Cloud (Cisco UCM Cloud) Data Sheet.” Cisco, 15 Sept. 2021. Accessed Jan. 2023.

    “Cloud Adoption as Viewed by European Companies: Assessing the Impact on Public, Hybrid and Private Cloud Communications.” Mitel, 2018. Web.

    De Guzman, Marianne. “Unified Communications Security: The Importance of UCaaS Encryption.” Fit Small Business, 13 Dec. 2022. Accessed March 2023.

    “Evolution of Unified Communications.” TrueConf, n.d. Accessed March 2023. Web.

    Froehlich, Andrew. “Choose between Microsoft Teams vs. Zoom for conference needs.” TechTarget, 7 May 2021. Accessed March 2023.

    Gerwig, Kate. “UCaaS explained: Guide to unified communications as a service.” TechTarget, 29 March 2022. Accessed Jan. 2023.

    Irei, Alissa. “Emerging UCaaS trends include workflow integrations and AI.” TechTarget, 21 Feb 2020. Accessed Feb. 2023.

    Kuch, Mike. “What Is Unified Communications as a Service (UCaaS)?” Avaya, 27 Dec. 2022. Accessed Jan. 2023.

    Lazar, Irwin. “UC vendors extend mobile telephony capabilities.” TechTarget, 10 Feb. 2023. Accessed Mar 2023.

    McCain, Abby. "30 Essential Hybrid Work Statistics [2023]: The Future of Work." Zippia, 20 Feb. 2023. Accessed Mar 2023.

    “Meet the modern CIO: What CEOs expect from their IT leaders.” Freshworks, 2019. Web.

    “A New Era of Workplace Communications: Will You Lead or Be Left Behind.” No Jitter, 2018. Web.

    Plumley, Mike, et al. “Microsoft Teams IT architecture and voice solutions posters.’” Microsoft Teams, Microsoft, 14 Feb. 2023. Accessed March 2023.

    Rowe, Carolyn, et al. “Plan your Teams voice solution” Microsoft Learn, Microsoft, 1 Oct. 2022.

    Rowe, Carolyn, et al. “Microsoft Calling Plans for Teams.” Microsoft Learn, Microsoft, 23 May 2023.

    Rowe, Carolyn, et al. “Plan Direct Routing.” Microsoft Learn, Microsoft, 20 Feb. 2023.

    Scott, Rob. “Cisco vs. Microsoft Cloud Calling—Discussing the Options,” UC Today, 21 April 2022.

    Smith, Mike. “Microsoft Teams Phone Systems: 5 Deployment Options in 2020.” YouTube, uploaded by AeroCom Inc, 23 Oct. 2020.

    “UCaaS - Getting Started With Unified Communications As A Service.” Cloudscape, 10 Nov. 2022. Accessed March 2023.

    “UCaaS Market Accelerating 29% per year; RingCentral, 8x8, Mitel, BroadSoft and Vonage Lead.” Synergy Research Group, 16 Oct. 2017. Web.

    “UCaaS Statistics – The Future of Remote Work.” UC Today, 21 April 2022. Accessed Feb. 2023.

    “Workplace Collaboration: 2021-22.” Metrigy, 27 Jan. 2021. Web.

    Accelerate Digital Transformation With a Digital Factory

    • Buy Link or Shortcode: {j2store}93|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: $50,000 Average $ Saved
    • member rating average days saved: 20 Average Days Saved
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation
    • Organizational challenges are hampering digital transformation (DX) initiatives.
    • The organization’s existing digital factory is failing to deliver value.
    • Designing a successful digital factory is a difficult process.

    Our Advice

    Critical Insight

    To remain competitive, enterprises must deliver products and services like a startup or a digital native enterprise. This requires enterprises to:

    • Understand how digital native enterprises are designed.
    • Understand the foundations of good design: purpose, organizational support, and leadership.
    • Understand the design of the operating model: structure and organization, management practices, culture, environment, teams, technology platforms, and meaningful metrics and KPIs.

    Impact and Result

    Organizations that implement this project will draw benefits in the following aspects:

    • Gain awareness and understanding of various aspects that hamper DX.
    • Set the right foundations by having clarity of purpose, alignment on organizational support, and the right leadership in place.
    • Design an optimal operating model by setting up the right organizational structures, management practices, lean and optimal governance, agile teams, and an environment that promotes productivity and wellbeing.
    • Finally, set the right measures and KPIs.

    Accelerate Digital Transformation With a Digital Factory Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to understand the importance of a well-designed digital factory.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build the case

    Collect data and stats that will help build a narrative for digital factory.

    • Digital Factory Playbook

    2. Lay the foundation

    Discuss purpose, mission, organizational support, and leadership.

    3. Design the operating model

    Discuss organizational structure, management, culture, teams, environment, technology, and KPIs.

    [infographic]

    Workshop: Accelerate Digital Transformation With a Digital Factory

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Build the case

    The Purpose

    Understand and gather data and stats for factors impacting digital transformation.

    Develop a narrative for the digital factory.

    Key Benefits Achieved

    Identification of key pain points and data collected

    Narrative to support the digital factory

    Activities

    1.1 Understand the importance and urgency of digital transformation (DX).

    1.2 Collect data and stats on the progress of DX initiatives.

    1.3 Identify the factors that hamper DX and tie them to data/stats.

    1.4 Build the narrative for the digital factory (DF) using the data/stats.

    Outputs

    Identification of factors that hamper DX

    Data and stats on progress of DX

    Narrative for the digital factory

    2 Lay the foundation

    The Purpose

    Discuss the factors that impact the success of establishing a digital factory.

    Key Benefits Achieved

    A solid understanding and awareness that successful digital factories have clarity of purpose, organizational support, and sound leadership.

    Activities

    2.1 Discuss

    2.2 Discuss what organizational support the digital factory will require and align and commit to it.

    2.3 Discuss reference models to understand the dynamics and the strategic investment.

    2.4 Discuss leadership for the digital age.

    Outputs

    DF purpose and mission statements

    Alignment and commitment on organizational support

    Understanding of competitive dynamics and investment spread

    Develop the profile of a digital leader

    3 Design the operating model (part 1)

    The Purpose

    Understand the fundamentals of the operating model.

    Understand the gaps and formulate the strategies.

    Key Benefits Achieved

    Design of structure and organization

    Design of culture aligned with organizational goals

    Management practices aligned with the goals of the digital factory

    Activities

    3.1 Discuss structure and organization and associated organizational pathologies, with focus on hierarchy and silos, size and complexity, and project-centered mindset.

    3.2 Discuss the importance of culture and its impact on productivity and what shifts will be required.

    3.3 Discuss management for the digital factory, with focus on governance, rewards and compensation, and talent management.

    Outputs

    Organizational design in the context of identified pathologies

    Cultural design for the DF

    Management practices and governance for the digital factory

    Roles/responsibilities for governance

    4 Design the operating model (part 2)

    The Purpose

    Understand the fundamentals of the operating model.

    Understand the gaps and formulate the strategies.

    Key Benefits Achieved

    Discuss agile teams and the roles for DF

    Environment design that supports productivity

    Understanding of existing and new platforms

    Activities

    4.1 Discuss teams and various roles for the DF.

    4.2 Discuss the impact of the environment on productivity and satisfaction and discuss design factors.

    4.3 Discuss technology and tools, focusing on existing and future platforms, platform components, and organization.

    4.4 Discuss design of meaningful metrics and KPIs.

    Outputs

    Roles for DF teams

    Environment design factors

    Platforms and technology components

    Meaningful metrics and KPIs

    Design and Implement a Business-Aligned Security Program

    • Buy Link or Shortcode: {j2store}368|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Security Strategy & Budgeting
    • Parent Category Link: /security-strategy-and-budgeting
    • You need to build a security program that enables business services and secures the technology that makes them possible.
    • Building an effective, business-aligned security program requires that you coordinate many components, including technologies, processes, organizational structures, information flows, and behaviors.
    • The program must prioritize the right capabilities, and support its implementation with clear accountabilities, roles, and responsibilities.

    Our Advice

    Critical Insight

    • Common security frameworks focus on operational controls rather than business value creation, are difficult to convey to stakeholders, and provide little implementation guidance.
    • A security strategy can provide a snapshot of your program, but it won’t help you modernize or transform it, or align it to meet emerging business requirements.
    • There is no unique, one-size-fits-all security program. Each organization has a distinct character and profile and differs from others in several critical respects.

    Impact and Result

    Tailor your security program according to what makes your organization unique.

    • Analyze critical design factors to determine and refine the scope of your security program and prioritize core program capabilities.
    • Identify program accountabilities, roles, and responsibilities.
    • Build an implementation roadmap to ensure its components work together in a systematic way to meet business requirements.

    Design and Implement a Business-Aligned Security Program Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Design and Implement a Business-Aligned Security Strategy – A step-by-step guide on how to understand what makes your organization unique and design a security program with capabilities that create business value.

    This storyboard will help you lay foundations for your security program that will inform future security program decisions and give your leadership team the information they need to support your success. You will evaluate design factors that make your organization unique, prioritize the security capabilities to suit, and assess the maturity of key security program components including security governance, security strategy, security architecture, service design, and service metrics.

    • Design and Implement a Business-Aligned Security Program Storyboard

    2. Security Program Design Tool – Tailor the security program to what makes your organization unique to ensure business-alignment.

    Use this Excel workbook to evaluate your security program against ten key design factors. The tool will produce a goals cascade that shows the relationship between business and security goals, a prioritized list of security capabilities that align to business requirements, and a list of program accountabilities.

    • Security Program Design Tool

    3. Security Program Design and Implementation Plan – Assess the current state of different security program components, plan next steps, and communicate the outcome to stakeholders.

    This second Excel workbook will help you conduct a gap analysis on key security program components and identify improvement initiatives. You can then use the Security Program Design and Implementation Plan to collect results from the design and implementation tools and draft a communication deck.

    • Security Program Implementation Tool
    • Security Program Design and Implementation Plan

    Infographic

    Workshop: Design and Implement a Business-Aligned Security Program

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Initial Security Program Design

    The Purpose

    Determine the initial design of your security program.

    Key Benefits Achieved

    An initial prioritized list of security capabilities that aligns with enterprise strategy and goals.

    Activities

    1.1 Review Info-Tech diagnostic results.

    1.2 Identify project context.

    1.3 Identify enterprise strategy.

    1.4 Identify enterprise goals.

    1.5 Build a goal cascade.

    1.6 Assess the risk profile.

    1.7 Identify IT-related issues.

    1.8 Evaluate initial program design.

    Outputs

    Stakeholder satisfaction with program

    Situation, challenges, opportunities

    Initial set of prioritized security capabilities

    Initial set of prioritized security capabilities

    Initial set of prioritized security capabilities

    Initial set of prioritized security capabilities

    Initial set of prioritized security capabilities

    Initial set of prioritized security capabilities

    2 Refine Security Program Capabilities

    The Purpose

    Refine the design of your security program.

    Key Benefits Achieved

    A refined, prioritized list of security capabilities that reflects what makes your organization unique.

    Activities

    2.1 Gauge threat landscape.

    2.2 Identify compliance requirements.

    2.3 Categorize the role of IT.

    2.4 Identify the sourcing model.

    2.5 Identify the IT implementation model.

    2.6 Identify the tech adoption strategy.

    2.7 Refine the scope of the program.

    Outputs

    Refined set of prioritized security capabilities

    Refined set of prioritized security capabilities

    Refined set of prioritized security capabilities

    Refined set of prioritized security capabilities

    Refined set of prioritized security capabilities

    Refined set of prioritized security capabilities

    Refined set of prioritized security capabilities

    3 Security Program Gap Analysis

    The Purpose

    Finalize security program design.

    Key Benefits Achieved

    Key accountabilities to support the security program

    Gap analysis to produce an improvement plan

    Activities

    3.1 Identify program accountabilities.

    3.2 Conduct program gap analysis.

    3.3 Prioritize initiatives.

    Outputs

    Documented program accountabilities.

    Security program gap analysis

    Security program gap analysis

    4 Roadmap and Implementation Plan

    The Purpose

    Create and communicate an improvement roadmap for the security program.

    Key Benefits Achieved

    Security program design and implementation plan to organize and communicate program improvements.

    Activities

    4.1 Build program roadmap

    4.2 Finalize implementation plan

    4.3 Sponsor check-in

    Outputs

    Roadmap of program improvement initiatives

    Roadmap of program improvement initiatives

    Communication deck for program design and implementation

    Further reading

    Design a Business-Aligned Security Program

    Focus on business value first.

    EXECUTIVE BRIEF

    Analyst Perspective

    Business alignment is no accident.

    Michel Hébert

    Security leaders often tout their choice of technical security framework as the first and most important program decision they make. While the right framework can help you take a snapshot of the maturity of your program and produce a quick strategy and roadmap, it won’t help you align, modernize, or transform your program to meet emerging business requirements.

    Common technical security frameworks focus on operational controls rather than business services and value creation. They are difficult to convey to business stakeholders and provide little program management or implementation guidance.

    Focus on business value first, and the security services that enable it. Your organization has its own distinct character and profile. Understand what makes your organization unique, then design and refine the design of your security program to ensure it supports the right capabilities. Next, collaborate with stakeholders to ensure the right accountabilities, roles, and responsibilities are in place to support the implementation of the security program.

    Michel Hébert
    Research Director, Security & Privacy
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Common Obstacles

    Info-Tech’s Approach

    • You need to build a security program that enables business services and secures the technology that makes them possible.
    • Building an effective, business-aligned security program requires that you coordinate many components, including technologies, processes, organizational structures, information flows, and behaviors.
    • The program must prioritize the right capabilities, and support its implementation with clear accountabilities, roles, and responsibilities.
    • Common security frameworks focus on operational controls rather than business value creation, are difficult to convey to stakeholders, and provide little implementation guidance.
    • A security strategy can provide a snapshot of your program, but it won’t help you modernize or transform it, or align it to meet emerging business requirements.
    • There is no unique, one-size-fits-all security program. Each organization has a distinct character and profile and differs from others in several critical respects.

    Tailor your security program according to what makes your organization unique.

    • Analyze critical design factors to determine and refine the design of your security program and prioritize core program capabilities.
    • Identify program accountabilities, roles, and responsibilities.
    • Build an implementation roadmap to ensure its components work together in a systematic way to meet business requirements.

    Info-Tech Insight

    You are a business leader who supports business goals and mitigates risk. Focus first on business value and the security services that enable it, not security controls.

    Your challenge

    The need for a solid and responsive security program has never been greater.

    • You need to build a security program that enables business services and secures the technology that makes them possible.
    • Building an effective, business-aligned security program requires that you coordinate many components, including technologies, processes, organizational structures, information flows, and behaviors.
    • The program must prioritize the right capabilities, and support its implementation with clear accountabilities, roles, and responsibilities.
    • You must communicate effectively with stakeholders to describe the risks the organization faces, their likely impact on organizational goals, and how the security program will mitigate those risks and support the creation of business value.
    • Ransomware is a persistent threat to organizations worldwide across all industries.
    • Cybercriminals deploying ransomware are evolving into a growing and sophisticated criminal ecosystem that will continue to adapt to maximize its profits.

    • Critical infrastructure is increasingly at risk.
    • Malicious agents continue to target critical infrastructure to harm industrial processes and the customers they serve State-sponsored actors are expected to continue to target critical infrastructure to collect information through espionage, pre-position in case of future hostilities, and project state power.

    • Disruptive technologies bring new threats.
    • Malicious actors increasingly deceive or exploit cryptocurrencies, machine learning, and artificial intelligence technologies to support their activities.

    Sources: CCCS (2023), CISA (2023), ENISA (2023)

    Your challenge

    Most security programs are not aligned with the overall business strategy.

    50% Only half of leaders are framing the impact of security threats as a business risk.

    49% Less than half of leaders align security program cost and risk reduction targets with the business.

    57% Most leaders still don’t regularly review security program performance of the business.

    Source: Tenable, 2021

    Common obstacles

    Misalignment is hurting your security program and making you less influential.

    Organizations with misaligned security programs have 48% more security incidents...

    …and the cost of their data breaches are 40% higher than those with aligned programs.

    37% of stakeholders still lack confidence in their security program.

    54% of senior leaders still doubt security gets the goals of the organization.

    Source: Frost & Sullivan, 2019
    Source: Ponemon, 2023

    Common obstacles

    Common security frameworks won’t help you align your program.

    • Common security frameworks focus on operational controls rather than business value creation, are difficult to convey to stakeholders, and provide little implementation guidance.
    • A security strategy based on the right framework can provide a snapshot of your program, but it won’t help you modernize, transform, or align your program to meet emerging business requirements.
    • The lack of guidance leads to a lack of structure in the way security services are designed and managed, which reduces service quality, increases security friction, and reduces business satisfaction.

    There is no unique, one-size-fits-all security program.

    • Each organization has a distinct character and profile and differs from others in several critical respects. The security program for a cloud-first, DevOps environment must emphasize different capabilities and accountabilities than one for an on-premise environment and a traditional implementation model.

    Info-Tech’s approach

    You are a business leader who supports business goals and mitigates risk.

    • Understand what makes your organization unique, then design and refine a security program with capabilities that create business value.
    • Next, collaborate with stakeholders to ensure the right accountabilities, roles, and responsibilities are in place, and build an implementation roadmap to ensure its components work together over time.

    Security needs to evolve as a business strategy.

    • Laying the right foundations for your security program will inform future security program decisions and give your leadership team the information they need to support your success. You can do it in two steps:
      • Evaluate the design factors that make your organization unique and prioritize the security capabilities to suit. Info-Tech’s approach is based on the design process embedded in the latest COBIT framework.
      • Review the key components of your security program, including security governance, security strategy, security architecture, service design, and service metrics.

    If you build it, they will come

    “There's so much focus on better risk management that every leadership team in every organization wants to be part of the solution.

    If you can give them good data about what things they really need to do, they will work to understand it and help you solve the problem.”

    Dan Bowden, CISO, Sentara Healthcare (Tenable)

    Design a Business-Aligned Security Program

    The image contains a screenshot of how to Design a business-aligned security program.


    Choose your own adventure

    This blueprint is ideal for new CISOs and for program modernization initiatives.

    1. New CISO

    “I need to understand the business, prioritize core security capabilities, and identify program accountabilities quickly.”

    2. Program Renewal

    “The business is changing, and the threat landscape is shifting. I am concerned the program is getting stale.”

    Use this blueprint to understand what makes your organization unique:

    1. Prioritize security capabilities.
    2. Identify program accountabilities.
    3. Plan program implementation.

    If you need a deep dive into governance, move on to a security governance and management initiative.

    3. Program Update

    “I am happy with the fundamentals of my security program. I need to assess and improve our security posture.”

    Move on to our guidance on how to Build an Information Security Strategy instead.

    Info-Tech’s methodology for security program design

    Define Scope of
    Security Program

    Refine Scope of
    Security Program

    Finalize Security
    Program Design

    Phase steps

    1.1 Identify enterprise strategy

    1.2 Identify enterprise goals

    1.3 Assess the risk profile

    1.4 Identify IT-related issues

    1.5 Define initial program design

    2.1 Gage threats and compliance

    2.2 Assess IT role and sourcing

    2.3 Assess IT implementation model

    2.4 Assess tech adoption strategy

    2.5 Refine program design

    3.1 Identify program accountabilities

    3.2 Define program target state

    3.3 Build program roadmap

    Phase outcomes

    • Initial security program design
    • Refined security program design
    • Prioritized set of security capabilities
    • Program accountabilities
    • Program gap closure initiatives

    Tools

    Insight Map

    You are a business leader first and a security leader second

    Technical security frameworks are static and focused on operational controls and standards. They belong in your program’s solar system but not at its center. Design your security program with business value and the security services that enable it in mind, not security controls.

    There is no one-size-fits-all security program
    Tailor your security program to your organization’s distinct profile to ensure the program generates value.

    Lay the right foundations to increase engagement
    Map out accountabilities, roles, and responsibilities to ensure the components of your security program work together over time to secure and enable business services.

    If you build it, they will come
    Your executive team wants to be part of the solution. If you give them reliable data for the things they really need to do, they will work to understand and help you solve the problem.

    Blueprint deliverables

    Info-Tech supports project and workshop activities with deliverables to help you accomplish your goals and accelerate your success.

    Security Program Design Tool

    Tailor the security program to what makes your organization unique to ensure alignment.

    The image contains a screenshot of the Security Program Design Tool.

    Security Program Implementation Tool

    Assess the current state of different security program components and plan next steps.



    SecurityProgram Design and Implementation Plan

    Communicate capabilities, accountabilities, and implementation initiatives.

    The image contains a screenshot of the Security Program Design and Implementation Plan.

    Key deliverable

    Security Program Design and Implementation Plan

    The design and implementation plan captures the key insights your work will generate, including:

    • A prioritized set of security capabilities aligned to business requirements.
    • Security program accountabilities.
    • Security program implementation initiatives.

    Blueprint benefits

    IT Benefits

    Business Benefits

    • Laying the right foundations for your security program will:
      • Inform the future security governance, security strategy, security architecture, and service design decisions you need to make.
      • Improve security service design and service quality, reduce security friction, and increase business satisfaction with the security program.
      • Help you give your leadership team the information they need to support your success.
      • Improve the standing of the security program with business leaders.
    • Organizations with a well-aligned security program:
      • Improve security risk management, performance measurement, resource management, and value delivery.
      • Lower rates of security incidents and lower-cost security breaches.
      • Align costs, performance, and risk reduction objectives with business needs.
      • Are more satisfied with their security program.

    Measure the value of using Info-Tech’s approach

    Assess the effectiveness of your security program with a risk-based approach.

    Deliverable

    Challenge

    Security Program Design

    • Prioritized set of security capabilities
    • Program accountabilities
    • Devise and deploy an approach to gather business requirements, identify and prioritize relevant security capabilities, and assign program accountabilities.
    • Cost and Effort : 2 FTEs x 90 days x $130,000/year

    Program Assessment and Implementation Plan

    • Security program assessment
    • Roadmap of gap closure initiatives
    • Devise and deploy an approach to assess the current state of your security program, identify gap closure or improvement initiatives, and build a transformation roadmap.
    • Cost and Effort : 2 FTEs x 90 days x $130,000/year

    Measured Value

    • Using Info-Tech’s best practice methodology will cut the cost and effort in half.
    • Savings: 2 FTEs x 45 days x $130,000/year = $65,000

    Measure the impact of your project

    Use Info-Tech diagnostics before and after the engagement to measure your progress.

    • Info-Tech diagnostics are standardized surveys that produce historical and industry trends against which to benchmark your organization.
    • Run the Security Business Satisfaction and Alignment diagnostic now, and again in twelve months to assess business satisfaction with the security program and measure the impact of your program improvements.
    • Reach out to your account manager or follow the link to deploy the diagnostic and measure your success. Diagnostics are included in your membership.

    Inform this step with Info-Tech diagnostic results

    • Info-Tech diagnostics are standardized surveys that accelerate the process of gathering and analyzing pain point data.
    • Diagnostics also produce historical and industry trends against which to benchmark your organization.
    • Reach out to your account manager or follow the links to deploy some or all these diagnostics to validate your assumptions. Diagnostics are included in your membership.

    Governance & Management Maturity Scorecard
    Understand the maturity of your security program across eight domains.
    Audience: Security Manager

    Security Business Satisfaction and Alignment Report
    Assess the organization’s satisfaction with the security program.
    Audience: Business Leaders

    CIO Business Vision
    Assess the organization’s satisfaction with IT services and identify relevant challenges.
    Audience: Business Leaders

    Executive Brief Case Study

    INDUSTRY: Higher Education

    SOURCE: Interview

    Building a business-aligned security program

    Portland Community College (PCC) is the largest post-secondary institution in Oregon and serves more than 50,000 students each year. The college has a well-established information technology program, which supports its education mission in four main campuses and several smaller centers.

    PCC launched a security program modernization effort to deal with the evolving threat landscape in higher education. The CISO studied the enterprise strategy and goals and reviewed the college’s risk profile and compliance requirements. The exercise helped the organization prioritize security capabilities for the renewal effort and informed the careful assessment of technical controls in the current security program.

    Results

    Laying the right foundations for the security program helped the security function understand how to provide the organization with a clear report of its security posture. The CISO now reports directly to the board of directors and works with stakeholders to align cost, performance, and risk reduction objectives with the needs of the college.

    The security program modernization effort prioritized several critical design factors

    • Enterprise Strategy
    • Enterprise Goals
    • IT Risk Profile
    • IT-Related Issues
    • IT Threat Landscape
    • Compliance Requirements

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1 Phase 2 Phase 3

    Call #1:
    Scope requirements, objectives, and specific challenges.

    Call #2:
    Define business context, assess risk profile, and identify existing security issues.

    Define initial design of security program.

    Call #3:
    Evaluate threat landscape and compliance requirements.

    Call #4:
    Analyze the role of IT, the security sourcing model, technology adoption, and implementation models.

    Refine the design of the security program.

    Call #5:
    Identify program accountabilities.

    Call #6:
    Design program target state and draft security program implementation plan.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is 4 to 6 calls over the course of 6 months.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Day 1 Day 2 Day 3 Day 4 Day 5

    Initial Security
    Program Design

    Refine Security
    Program Design

    Security Program
    Gap Analysis

    Roadmap and Implementation Plan

    Next Steps and
    Wrap-Up (offsite)

    Activities

    1.1.0 Review Info-Tech diagnostic results

    1.1.1 Identify project context

    1.1.2 Identify enterprise strategy

    1.2.1 Identify enterprise goals

    1.2.2 Build a goals cascade

    1.3 Assess the risk profile

    1.4 Identify IT-related issues

    1.5 Evaluate initial program design

    2.1.1 Gauge threat landscape

    2.1.2 Identify compliance requirements

    2.2.1 Categorize the role of IT

    2.2.2 Identify the sourcing model

    2.3.1 Identify the IT implementation model

    2.4.1 Identify the tech adoption strategy

    2.5.1 Refine the design of the program

    3.1 Identify program accountabilities

    3.2.1 Conduct program gap analysis

    3.2.2 Prioritize initiatives

    3.3.1 Build program roadmap

    3.3.2 Finalize implementation plan

    3.3.3 Sponsor check-in

    4.1 Complete in-progress deliverables from previous four days

    4.2 Set up review time for workshop deliverables and to discuss next steps

    Deliverables

    1. Project context
    2. Stakeholder satisfaction feedback on security program
    3. Initial set of prioritized security capabilities
    1. Refined set of prioritized security capabilities
    1. Documented program accountabilities
    2. Security program gap analysis
    1. Roadmap of initiatives
    2. Communication deck for program design and implementation
    1. Completed security program design
    2. Security program design and implementation plan

    Customize your journey

    The security design blueprint pairs well with security governance and security strategy.

    • The prioritized set of security capabilities you develop during the program design project will inform efforts to develop other parts of your security program, like the security governance and management program and the security strategy.
    • Work with your member services director, executive advisor, or technical counselor to scope the journey you need. They will work with you to align the subject matter experts to support your roadmap and workshops.

    Workshop
    Days 1 and 2

    Workshop
    Days 3 and 4

    Security Program Design Factors

    Security Program Gap Analysis or
    Security Governance and Management

    Build a Robust and Comprehensive Data Strategy

    • Buy Link or Shortcode: {j2store}120|cart{/j2store}
    • member rating overall impact: 9.3/10 Overall Impact
    • member rating average dollars saved: $46,734 Average $ Saved
    • member rating average days saved: 29 Average Days Saved
    • Parent Category Name: Data Management
    • Parent Category Link: /data-management
    • The volume and variety of data that organizations have been collecting and producing have been growing exponentially and show no sign of slowing down.
    • At the same time, business landscapes and models are evolving, and users and stakeholders are becoming more and more data centric, with maturing expectations and demands.

    Our Advice

    Critical Insight

    • As the CDO or equivalent data leader in your organization, a robust and comprehensive data strategy is the number one tool in your toolkit for delivering on your mandate of creating measurable business value from data.
    • A data strategy should never be formulated disjointed from the business. Ensure the data strategy aligns with the business strategy and supports the business architecture.
    • Building and fostering a data-driven culture will accelerate and sustain adoption of, appetite for, and appreciation for data and hence drive the ROI on your various data investments.

    Impact and Result

    • Formulate a data strategy that stitches all of the pieces together to better position you to unlock the value in your data:
      • Establish the business context and value: Identify key business drivers for executing on an optimized data strategy, build compelling and relevant use cases, understand your organization’s culture and appetite for data, and ensure you have well-articulated vision, principles, and goals for your data strategy
      • Ensure you have a solid data foundation: Understand your current data environment, data management enablers, people, skill sets, roles, and structure. Know your strengths and weakness so you can optimize appropriately.
      • Formulate a sustainable data strategy: Round off your strategy with effective change management and communication for building and fostering a data-driven culture.

    Build a Robust and Comprehensive Data Strategy Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Data Strategy Research – A step-by-step document to facilitate the formulation of a data strategy that brings together the business context, data management foundation, people, and culture.

    Data should be at the foundation of your organization’s evolution. The transformational insights that executives and decision makers are constantly seeking to leverage can be unlocked with a data strategy that makes high-quality, trusted, and relevant data readily available to the users who need it.

    • Build a Robust and Comprehensive Data Strategy – Phases 1-3

    2. Data Strategy Stakeholder Interview Guide and Findings – A template to support you in your meetings or interviews with key stakeholders as you work on understanding the value of data within the various lines of business.

    This template will help you gather insights around stakeholder business goals and objectives, current data consumption practices, the types or domains of data that are important to them in supporting their business capabilities and initiatives, the challenges they face, and opportunities for data from their perspective.

    • Data Strategy Stakeholder Interview Guide and Findings

    3. Data Strategy Use Case Template – An exemplar template to demonstrate the business value of your data strategy.

    Data strategy optimization anchored in a value proposition will ensure that the data strategy focuses on driving the most valuable and critical outcomes in support of the organization’s enterprise strategy. The template will help you facilitate deep-dive sessions with key stakeholders for building use cases that are of demonstrable value not only to their relevant lines of business but also to the wider organization.

    • Data Strategy Use Case Template

    4. Chief Data Officer – A job description template that includes a detailed explication of the responsibilities and expectations of a CDO.

    Bring data to the C-suite by creating the Chief Data Officer role. This position is designed to bridge the gap between the business and IT by serving as a representative for the organization's data management practices and identifying how the organization can leverage data as a competitive advantage or corporate asset.

    • Chief Data Officer

    5. Data Strategy Document Template – A structured template to plan and document your data strategy outputs.

    Use this template to document and formulate your data strategy. Follow along with the sections of the blueprint Build a Robust and Comprehensive Data Strategy and complete the template as you progress.

    • Data Strategy Document Template
    [infographic]

    Workshop: Build a Robust and Comprehensive Data Strategy

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Establish Business Context and Value: Understand the Current Business Environment

    The Purpose

    Establish the business context for the business strategy.

    Key Benefits Achieved

    Substantiates the “why” of the data strategy.

    Highlights the organization’s goals, objectives, and strategic direction the data must align with.

    Activities

    1.1 Data Strategy 101

    1.2 Intro to Tech’s Data Strategy Framework

    1.3 Data Strategy Value Proposition: Understand stakeholder’s strategic priorities and the alignment with data

    1.4 Discuss the importance of vision, mission, and guiding principles of the organization’s data strategy

    1.5 Understand the organization’s data culture – discuss Data Culture Survey results

    1.6 Examine Core Value Streams of Business Architecture

    Outputs

    Business context; strategic drivers

    Data strategy guiding principles

    Sample vision and mission statements

    Data Culture Diagnostic Results Analysis

    2 Business-Data Needs Discovery: Key Business Stakeholder Interviews

    The Purpose

    Build use cases of demonstrable value and understand the current environment.

    Key Benefits Achieved

    An understanding of the current maturity level of key capabilities.

    Use cases that represent areas of concern and/or high value and therefore need to be addressed.

    Activities

    2.1 Conduct key business stakeholder interviews to initiate the build of high-value business-data cases

    Outputs

    Initialized high-value business-data cases

    3 Understand the Current Data Environment & Practice: Analyze Data Capability and Practice Gaps and Develop Alignment Strategies

    The Purpose

    Build out a future state plan that is aimed at filling prioritized gaps and that informs a scalable roadmap for moving forward on treating data as an asset.

    Key Benefits Achieved

    A target state plan, formulated with input from key stakeholders, for addressing gaps and for maturing capabilities necessary to strategically manage data.

    Activities

    3.1 Understand the current data environment: data capability assessment

    3.2 Understand the current data practice: key data roles, skill sets; operating model, organization structure

    3.3 Plan target state data environment and data practice

    Outputs

    Data capability assessment and roadmapping tool

    4 Align Business Needs with Data Implications: Initiate Roadmap Planning and Strategy Formulation

    The Purpose

    Consolidate business and data needs with consideration of external factors as well as internal barriers and enablers to the success of the data strategy. Bring all the outputs together for crafting a robust and comprehensive data strategy.

    Key Benefits Achieved

    A consolidated view of business and data needs and the environment in which the data strategy will be operationalized.

    An analysis of the feasibility and potential risks to the success of the data strategy.

    Activities

    4.1 Analyze gaps between current- and target-state

    4.2 Initiate initiative, milestone and RACI planning

    4.3 Working session with Data Strategy Owner

    Outputs

    Data Strategy Next Steps Action Plan

    Relevant data strategy related templates (example: data practice patterns, data role patterns)

    Initialized Data Strategy on-a-Page

    Further reading

    Build a Robust and Comprehensive Data Strategy

    Key to building and fostering a data-driven culture.

    ANALYST PERSPECTIVE

    Data Strategy: Key to helping drive organizational innovation and transformation

    "In the dynamic environment in which we operate today, where we are constantly juggling disruptive forces, a well-formulated data strategy will prove to be a key asset in supporting business growth and sustainability, innovation, and transformation.

    Your data strategy must align with the organization’s business strategy, and it is foundational to building and fostering an enterprise-wide data-driven culture."

    Crystal Singh,

    Director – Research and Advisory

    Info-Tech Research Group

    Our understanding of the problem

    This Research is Designed For:

    • Chief data officers (CDOs), chief architects, VPs, and digital transformation directors and CIOs who are accountable for ensuring data can be leveraged as a strategic asset of the organization.

    This Research Will Help You:

    • Put a strategy in place to ensure data is available, accessible, well integrated, secured, of acceptable quality, and suitably visualized to fuel decision making by the organizations’ executives.
    • Align data management plans and investments with business requirements and the organization’s strategic plans.
    • Define the relevant roles for operationalizing your data strategy.

    This Research Will Also Assist:

    • Data architects and enterprise architects who have been tasked with supporting the formulation or optimization of the organization’s data strategy.
    • Business leaders creating plans for leveraging data in their strategic planning and business processes.
    • IT professionals looking to improve the environment that manages and delivers data.

    This Research Will Help Them:

    • Get a handle on the current situation of data within the organization.
    • Understand how the data strategy and its resulting initiatives will affect the operations, integration, and provisioning of data within the enterprise.

    Executive Summary

    Situation

    • The volume and variety of data that organizations have been collecting and producing have been growing exponentially and show no sign of slowing down. At the same time, business landscapes and models are evolving, and users and stakeholders are becoming more and more data centric, with maturing and demanding expectations.

    Complication

    • As organizations pivot in response to industry disruptions and changing landscapes, a reactive and piecemeal approach leads to data architectures and designs that fail to deliver real and measurable value to the business.
    • Despite the growing focus on data, many organizations struggle to develop a cohesive business-driven strategy for effectively managing and leveraging their data assets.

    Resolution

    Formulate a data strategy that stitches all of the pieces together to better position you to unlock the value in your data:

    • Establish the business context and value: Identify key business drivers for executing on an optimized data strategy, build compelling and relevant use cases, understand your organization’s culture and appetite for data, and ensure you have well-articulated vision, principles, and goals for your data strategy.
    • Ensure you have a solid data foundation: Understand your current data environment, data management enablers, people, skill sets, roles, and structure. Know your strengths and weakness so you can optimize appropriately.
    • Formulate a sustainable data strategy: Round off your strategy with effective change management and communication for building and fostering a data-driven culture.

    Info-Tech Insight

    1. As the CDO or equivalent data leader in your organization, a robust and comprehensive data strategy is the number one tool in your toolkit for delivering on your mandate of creating measurable business value from data.
    2. A data strategy should never be formulated disjointed from the business. Ensure the data strategy aligns with the business strategy and supports the business architecture.
    3. Building and fostering a data-driven culture will accelerate and sustain adoption of, appetite for, and appreciation for data and hence drive the ROI on your various data investments.

    Why do you need a data strategy?

    Your data strategy is the vehicle for ensuring data is poised to support your organization’s strategic objectives.

    The dynamic marketplace of today requires organizations to be responsive in order to gain or maintain their competitive edge and place in their industry.

    Organizations need to have that 360-degree view of what’s going on and what’s likely to happen.

    Disruptive forces often lead to changes in business models and require organizations to have a level of adaptability to remain relevant.

    To respond, organizations need to make decisions and should be able to turn to their data to gain insights for informing their decisions.

    A well-formulated and robust data strategy will ensure that your data investments bring you the returns by meeting your organization’s strategic objectives.

    Organizations need to be in a position where they know what’s going on with their stakeholders and anticipate what their stakeholders’ needs are going to be.

    Data cannot be fully leveraged without a cohesive strategy

    Most organizations today will likely have some form of data management in place, supported by some of the common roles such as DBAs and data analysts.

    Most will likely have a data architecture that supports some form of reporting.

    Some may even have a chief data officer (CDO), a senior executive who has a seat at the C-suite table.

    These are all great assets as a starting point BUT without a cohesive data strategy that stitches the pieces together and:

    • Effectively leverages these existing assets
    • Augments them with additional and relevant key roles and skills sets
    • Optimizes and fills in the gaps around your current data management enablers and capabilities for the growing volume and variety of data you’re collecting
    • Fully caters to real, high-value strategic organizational business needs

    you’re missing the mark – you are not fully leveraging the incredible value of your data.

    Cross-industry studies show that on average, less than half of an organization’s structured data is actively used in making decisions

    And, less than 1% of its unstructured data is analyzed or used at all. Furthermore, 80% of analysts' time is spent simply discovering and preparing, data with over 70% of employees having access to data they should not. Source: HBR, 2017

    Organizational drivers for a data strategy

    Your data strategy needs to align with your organizational strategy.

    Main Organizational Strategic Drivers:

    1. Stakeholder Engagement/Service Excellence
    2. Product and Service Innovations
    3. Operational Excellence
    4. Privacy, Risk, and Compliance Management

    “The companies who will survive and thrive in the future are the ones who will outlearn and out-innovate everyone else. It is no longer ‘survival of the fittest’ but ‘survival of the smartest.’ Data is the element that both inspires and enables this new form of rapid innovation.– Joel Semeniuk, 2016

    A sound data strategy is the key to unlocking the value in your organization’s data.

    Data should be at the foundation of your organization’s evolution.

    The transformational insights that executives are constantly seeking to leverage can be unlocked with a data strategy that makes high-quality, well-integrated, trustworthy, relevant data readily available to the business users who need it.

    Whether hoping to gain a better understanding of your business, trying to become an innovator in your industry, or having a compliance and regulatory mandate that needs to be met, any organization can get value from its data through a well-formulated, robust, and cohesive data strategy.

    According to a leading North American bank, “More than one petabyte of new data, equivalent to about 1 million gigabytes” is entering the bank’s systems every month. – The Wall Street Journal, 2019

    “Although businesses are at many different stages in unlocking the power of data, they share a common conviction that it can make or break an enterprise.”– Jim Love, ITWC CIO and Chief Digital Officer, IT World Canada, 2018

    Data is a strategic organizational asset and should be treated as such

    The expression “Data is an asset” or any other similar sentiment has long been heard.

    With such hype, you would have expected data to have gotten more attention in the boardrooms. You would have expected to see its value reflected on financial statements as a result of its impact in driving things like acquisition, retention, product and service development and innovation, market growth, stakeholder satisfaction, relationships with partners, and overall strategic success of the organization.

    The time has surely come for data to be treated as the asset it is.

    “Paradoxically, “data” appear everywhere but on the balance sheet and income statement.”– HBR, 2018

    “… data has traditionally been perceived as just one aspect of a technology project; it has not been treated as a corporate asset.”– “5 Essential Components of a Data Strategy,” SAS

    According to Anil Chakravarthy, who is the CEO of Informatica and has a strong vantage point on how companies across industries leverage data for better business decisions, “what distinguishes the most successful businesses … is that they have developed the ability to manage data as an asset across the whole enterprise.”– McKinsey & Company, 2019

    How data is perceived in today’s marketplace

    Data is being touted as the oil of the digital era…

    But just like oil, if left unrefined, it cannot really be used.

    "Data is the new oil." – Clive Humby, Chief Data Scientist

    Source: Joel Semeniuk, 2016

    Enter your data strategy.

    Data is being perceived as that key strategic asset in your organization for fueling innovation and transformation.

    Your data strategy is what allows you to effectively mine, refine, and use this resource.

    “The world’s most valuable resource is no longer oil, but data.”– The Economist, 2017

    “Modern innovation is now dependent upon this data.”– Joel Semeniuk, 2016

    “The better the data, the better the resulting innovation and impact.”– Joel Semeniuk, 2016

    What is it in it for you? What opportunities can data help you leverage?

    GOVERNMENT

    Leveraging data as a strategic asset for the benefit of citizens.

    • The strategic use of data can enable governments to provide higher-quality services.
    • Direct resources appropriately and harness opportunities to improve impact.
    • Make better evidence-informed decisions and better understand the impact of programs so that funds can be directed to where they are most likely to deliver the best results.
    • Maintain legitimacy and credibility in an increasingly complex society.
    • Help workers adapt and be competitive in a changing labor market.
    • A data strategy would help protect citizens from the misuse of their data.

    Source: Privy Council Office, Government of Canada, 2018

    What is it in it for you? What opportunities can data help you leverage?

    FINANCIAL

    Leveraging data to boost traditional profit and loss levers, find new sources of growth, and deliver the digital bank.

    • One bank used credit card transactional data (from its own terminals and those of other banks) to develop offers that gave customers incentives to make regular purchases from one of the bank’s merchants. This boosted the bank’s commissions, added revenue for its merchants, and provided more value to the customer (McKinsey & Company, 2017).
    • In terms of enhancing productivity, a bank used “new algorithms to predict the cash required at each of its ATMs across the country and then combined this with route-optimization techniques to save money” (McKinsey & Company, 2017).

    A European bank “turned to machine-learning algorithms that predict which currently active customers are likely to reduce their business with the bank.” The resulting understanding “gave rise to a targeted campaign that reduced churn by 15 percent” (McKinsey & Company, 2017).

    A leading Canadian bank has built a marketplace around their data – they have launched a data marketplace where they have productized the bank’s data. They are providing data – as a product – to other units within the bank. These other business units essentially represent internal customers who are leveraging the product, which is data.

    Through the use of data and advanced analytics, “a top bank in Asia discovered unsuspected similarities that allowed it to define 15,000 microsegments in its customer base. It then built a next-product-to-buy model that increased the likelihood to buy three times over.” Several sets of big data were explored, including “customer demographics and key characteristics, products held, credit-card statements, transaction and point-of-sale data, online and mobile transfers and payments, and credit-bureau data” (McKinsey & Company, 2017).

    What is it in it for you? What opportunities can data help you leverage?

    HEALTHCARE

    Leveraging data and analytics to prevent deadly infections

    The fifth-largest health system in the US and the largest hospital provider in California uses a big data and advanced analytics platform to predict potential sepsis cases at the earliest stages, when intervention is most helpful.

    Using the Sepsis Bio-Surveillance Program, this hospital provider monitors 120,000 lives per month in 34 hospitals and manages 7,500 patients with potential sepsis per month.

    Collecting data from the electronic medical records of all patients in its facilities, the solution uses natural language processing (NLP) and a rules engine to continually monitor factors that could indicate a sepsis infection. In high-probability cases, the system sends an alarm to the primary nurse or physician.

    Since implementing the big data and predictive analytics system, this hospital provider has seen a significant improvement in the mortality and the length of stay in ICU for sepsis patients.

    At 28 of the hospitals which have been on the program, sepsis mortality rates have dropped an average of 5%.

    With patients spending less time in the ICU, cost savings were also realized. This is significant, as sepsis is the costliest condition billed to Medicare, the second costliest billed to Medicaid and the uninsured, and the fourth costliest billed to private insurance.

    Source: SAS, 2019

    What is it in it for you? What opportunities can data help you leverage?

    RETAIL

    Leveraging data to better understand customer preferences, predict purchasing, drive customer experience, and optimize supply and demand planning.

    Netflix is an example of a big brand that uses big data analytics for targeted advertising. With over 100 million subscribers, the company collects large amounts of data. If you are a subscriber, you are likely familiar with their suggestions messages of the next series or movie you should catch up on. These suggestions are based on your past search data and watch data. This data provides Netflix with insights into your interests and preferences for viewing (Mentionlytics, 2018).

    “For the retail industry, big data means a greater understanding of consumer shopping habits and how to attract new customers.”– Ron Barasch, Envestnet | Yodlee, 2019

    The business case for data – moving from platitudes to practicality

    When building your business case, consider the following:

    • What is the most effective way to communicate the business case to executives?
    • How can CDOs and other data leaders use data to advance their organizations’ corporate strategy?
    • What does your data estate look like? Are you looking to leverage and drive value from your semi-structured and unstructured data assets?
    • Does your current organizational culture support a data-driven one? Does the organization have a history of managing change effectively?
    • How do changing privacy and security expectations alter the way businesses harvest, save, use, and exchange data?

    “We’re the converted … We see the value in data. The battle is getting executive teams to see it our way.”– Ted Maulucci, President of SmartONE Solutions Inc. IT World Canada, 2018

    Where do you stack up? What is your current data management maturity?

    Info-Tech’s IT Maturity Ladder denotes the different levels of maturity for an IT department and its different functions. What is the current state of your data management capability?

    Innovator - Transforms the Business. Business Partner - Expands the Business. Trusted Operator - Optimizes the Business. Firefighter - Supports the Business. Unstable - Struggles to Support.

    Info-Tech Insight

    You are best positioned to successfully execute on a data strategy if you are currently at or above the Trusted Operator level. If you find yourself still at the Unstable or Firefighter stage, your efforts are best spent on ensuring you can fulfill your day-to-day data and data management demands. Improving this capability will help build a strong data management foundation.

    Guiding principles of a data strategy

    Value of Clearly Defined Data Principles

    • Guiding principles help define the culture and characteristics of your practice by describing your beliefs and philosophy.
    • Guiding principles act as the heart of your data strategy, helping to shape initiative plans and day-to-day behaviors related to the use and treatment of the organization’s data assets.

    “Organizational culture can accelerate the application of analytics, amplify its power, and steer companies away from risky outcomes.”– McKinsey, 2018

    Build a Robust and Comprehensive Data Strategy

    Business Strategy and Current Environment connect with the Data Strategy. Data Strategy includes: Organizational Drivers and Data Value, Data Strategy Objectives and Guiding Principles, Data Strategy Vision and Mission, Data Strategy Roadmap, People: Roles and Organizational Structure, Data Culture and Data Literacy, Data Management and Tools, Risk and Feasibility.

    Follow Info-Tech’s methodology for effectively leveraging the value out of your data

    Some say it’s the new oil. Or the currency of the new business landscape. Others describe it as the fuel of the digital economy. But we don’t need platitudes — we need real ways to extract the value from our data. – Jim Love, CIO and Chief Digital Officer, IT World Canada, 2018

    1. Business Context. 2. Data and Resources Foundation. 3. Effective Data Strategy

    Our practical step-by-step approach helps you to formulate a data strategy that delivers business value.

    1. Establish Business Context and Value: In this phase, you will determine and substantiate the business drivers for optimizing the data strategy. You will identify the business drivers that necessitate the data strategy optimization and examine your current organizational data culture. This will be key to ensuring the fruits of your optimization efforts are being used. You will also define the vision, mission, and guiding principles and build high-value use cases for the data strategy.
    2. Ensure You Have a Solid Data and Resources Foundation: This phase will help you ensure you have a solid data and resources foundation for operationalizing your data strategy. You will gain an understanding of your current environment in terms of data management enablers and the required resources portfolio of key people, roles, and skill sets.
    3. Formulate a Sustainable Data Strategy: In this phase, you will bring the pieces together for formulating an effective data strategy. You will evaluate and prioritize the use cases built in Phase 1, which summarize the alignment of organizational goals with data needs. You will also create your strategic plan, considering change management and communication.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks are used throughout all four options.

    Secure Operations in High-Risk Jurisdictions

    • Buy Link or Shortcode: {j2store}369|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Security Strategy & Budgeting
    • Parent Category Link: /security-strategy-and-budgeting

    Business operations in high-risk areas of the world contend with complex threat environments and risk scenarios that often require a unique response. But traditional approaches to security strategy often miss these jurisdictional risks, leaving organizations vulnerable to threats that range from cybercrime and data breaches to fines and penalties.

    Security leaders need to identify high-risk jurisdictions, inventory critical assets, identify vulnerabilities, assess risks, and identify security controls necessary to mitigate those risks.

    Secure operations and protect critical assets in high-risk regions

    Across risks that include insider threats and commercial surveillance, the two greatest vulnerabilities that organizations face in high-risk parts of the world are travel and compliance. Organizations can make small adjustments to their security program to address these risks:

    1. Support high-risk travel: Put measures and guidelines in place to protect personnel, data, and devices before, during, and after employee travel.
    2. Mitigate compliance risk: Consider data residency requirements, data breach notification, cross-border data transfer, and third-party risks to support business growth.

    Using these two prevalent risk scenarios in high-risk jurisdictions as examples, this research walks you through the steps to analyze the threat landscape, assess security risks, and execute a response to mitigate them.

    Secure Operations in High-Risk Jurisdictions Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Secure Operations in High-Risk Jurisdictions – A step-by-step approach to mitigating jurisdictional security and privacy risks.

    Traditional approaches to security strategy often miss jurisdictional risks. Use this storyboard to make small adjustments to your security program to mitigate security risks in high-risk jurisdictions.

    • Secure Operations in High-Risk Jurisdictions – Phases 1-3

    2. Jurisdictional Risk Register and Heat Map Tool – A tool to inventory, assess, and treat jurisdictional risks.

    Use this tool to track jurisdictional risks, assess the exposure of critical assets, and identify mitigation controls. Use the geographic heatmap to communicate inherent jurisdictional risk with key stakeholders.

    • Jurisdictional Risk Register and Heat Map Tool

    3. Guidelines for Key Jurisdictional Risk Scenarios – Two structured templates to help you develop guidelines for two key jurisdictional risk scenarios: high-risk travel and compliance risk

    Use these two templates to develop help you develop your own guidelines for key jurisdictional risk scenarios. The guidelines address high-risk travel and compliance risk.

    • Digital Safety Guidelines for International Travel
    • Guidelines for Compliance With Local Security and Privacy Laws Template

    Infographic

    Workshop: Secure Operations in High-Risk Jurisdictions

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Identify Context for Risk Assessment

    The Purpose

    Assess business requirements and evaluate security pressures to set the context for the security risk assessment.

    Key Benefits Achieved

    Understand the goals of the organization in high-risk jurisdictions.

    Assess the threats to critical assets in these jurisdictions and capture stakeholder expectations for information security.

    Activities

    1.1 Determine assessment scope.

    1.2 Determine business goals.

    1.3 Determine compliance obligations.

    1.4 Determine risk appetite.

    1.5 Conduct pressure analysis.

    Outputs

    Business requirements

    Security pressure analysis

    2 Analyze Key Risk Scenarios for High-Risk Jurisdictions

    The Purpose

    Build key risk scenarios for high-risk jurisdictions.

    Key Benefits Achieved

    Identify critical assets in high-risk jurisdictions, their vulnerabilities to relevant threats, and the adverse impact should malicious agents exploit them.

    Assess risk exposure of critical assets in high-risk jurisdictions.

    Activities

    2.1 Identify critical assets.

    2.2 Identify threats.

    2.3 Assess risk likelihood.

    2.4 Assess risk impact.

    Outputs

    Key risk scenarios

    Jurisdictional risk exposure

    Jurisdictional Risk Register and Heat Map

    3 Build Risk Treatment Roadmap

    The Purpose

    Prioritize and treat jurisdictional risks to critical assets.

    Key Benefits Achieved

    Build an initiative roadmap to reduce residual risks in high-risk jurisdictions.

    Activities

    3.1 Identify and assess risk response.

    3.2 Assess residual risks.

    3.3 Identify security controls.

    3.4 Build initiative roadmap.

    Outputs

    Action plan to mitigate key risk scenarios

    Further reading

    Secure Operations in High-Risk Jurisdictions

    Assessments often omit jurisdictional risks. Are your assets exposed?

    EXECUTIVE BRIEF

    Analyst Perspective

    Operations in high-risk jurisdictions face unique security scenarios.

    The image contains a picture of Michel Hebert.

    Michel Hébert

    Research Director

    Security and Privacy

    Info-Tech Research Group


    The image contains a picture of Alan Tang.

    Alan Tang

    Principal Research Director

    Security and Privacy

    Info-Tech Research Group


    Traditional approaches to security strategies may miss key risk scenarios that critical assets face in high-risk jurisdictions. These include high-risk travel, heightened insider threats, advanced persistent threats, and complex compliance environments. Most organizations have security strategies and risk management practices in place, but securing global operations requires its own effort. Assess the security risk that global operations pose to critical assets. Consider the unique assets, threats, and vulnerabilities that come with operations in high-risk jurisdictions. Focus on the business activities you support and integrate your insights with existing risk management practices to ensure the controls you propose get the visibility they need. Your goal is to build a plan that mitigates the unique security risks that global operations pose and secures critical assets in high-risk areas. Don’t leave security to chance.

    Executive Summary

    Your Challenge

    • Security leaders who support operations in many countries struggle to mitigate security risks to critical assets. Operations in high-risk jurisdictions contend with complex threat environments and security risk scenarios that often require a unique response.
    • Security leaders need to identify critical assets, assess vulnerabilities, catalog threats, and identify the security controls necessary to mitigate related operational risks.

    Common Obstacles

    • Securing operations in high-risk jurisdictions requires additional due diligence. Each jurisdiction involves a different risk context, which complicates efforts to identify, assess, and mitigate security risks to critical assets.
    • Security leaders need to engage the organization with the right questions and identify high-risk vulnerabilities and security risk scenarios to help stakeholders make an informed decision about how to assess and treat the security risks they face in high-risk jurisdictions.

    Info-Tech’s Approach

    Info-Tech has developed an effective approach to protecting critical assets in high-risk jurisdictions.

    This approach includes tools for:

    • Evaluating the security context of your organization’s high-risk jurisdictions.
    • Identifying security risk scenarios unique to high-risk jurisdictions and assessing the exposure of critical assets.
    • Planning and executing a response.

    Info-Tech Insight

    Organizations with global operations must contend with a more diverse set of assets, threats, and vulnerabilities when they operate in high-risk jurisdictions. Security leaders need to take additional steps to secure operations and protect critical assets.

    Business operations in high-risk jurisdictions face a more complex security landscape

    Information security risks to business operations vary widely by region.

    The 2022 Allianz Risk Barometer surveyed 2,650 business risk specialists in 89 countries to identify the most important risks to operations. The report identified cybercrime, IT failures, outages, data breaches, fines, and penalties as the most important global business risks in 2022, but their results varied widely by region. The standout finding of the 2022 Allianz Risk Barometer is the return of security risks as the most important threat to business operations. Security risks will continue to be acute beyond 2022, especially in Africa, the Middle East, Europe, and the Asia-Pacific region, where they will dwarf risks of supply chain interruptions, natural catastrophe, and climate change.

    Global operations in high-risk jurisdictions contend with more diverse threats. These security risk scenarios are not captured in traditional security strategies.

    The image contains a picture of the world map that has certain areas of the map highlighted in various shades of blue based on higher security-related business risks.

    Figures represent the number of cybersecurity risks business risk specialists selected as a percentage of all business risks (Allianz, 2022). Higher scores indicate jurisdictions with higher security-related business risks. Jurisdictions without data are in grey.

    Different jurisdictions’ commitment to cybersecurity also varies widely, which increases security risks further

    The Global Cybersecurity Index (GCI) provides insight into the commitment of different countries to cybersecurity.

    The index assesses a country’s legal framework to identify basic requirements that public and private stakeholders must uphold and the legal instruments prohibiting harmful actions.

    The 2020 GCI results show overall improvement and strengthening of the cybersecurity agenda globally, but significant regional gaps persist. Of the 194 countries surveyed:

    • 33% had no data protection legislation.
    • 47% had no breach notification measures in place.
    • 50% had no legislation on the theft of personal information.
    • 19% still had no legislation on illegal access.

    Not every jurisdiction has the same commitment to cybersecurity. Protecting critical assets in high-risk jurisdictions requires additional due diligence.

    The image contains a picture of the world map that has certain areas of the map highlighted in various shades of blue based on scores in relation to the Global Security Index.

    The diagram sets out the score and rank for each country that took part in the Global Cybersecurity Index (ITU, 2021)

    Higher scores show jurisdictions with a lower rank on the CGI, which implies greater risk. Jurisdictions without data are in grey.

    Securing critical assets in high-risk jurisdictions requires additional effort

    Traditional approaches to security strategy may miss these key risk scenarios.

    As a result, security leaders who support operations in many countries need to take additional steps to mitigate security risks to critical assets.

    Guide stakeholders to make informed decisions about how to assess and treat the security risks and secure operations.

    • Engage the organization with the right questions.
    • Identify critical assets and assess vulnerabilities.
    • Catalogue threats and build risk scenarios.
    • Identify the security controls necessary to mitigate risks.

    Work with your organization to analyze the threat landscape, assess security risks unique to high-risk jurisdictions, and execute a response to mitigate them.

    This project blueprint works through this process using the two most prevalent risk scenarios in high-risk jurisdictions: high-risk travel and compliance risk.

    Key Risk Scenarios

    • High-Risk Travel
    • Compliance Risk
    • Insider Threat
    • Advanced Persistent Threat
    • Commercial Surveillance
    The image contains a screenshot of an Info-Tech thought model regarding secure global operations in high-risk jurisdictions.

    Travel risk is the first scenario we use as an example throughout the blueprint

    • This project blueprint outlines a process to identify, assess, and mitigate key risk scenarios in high-risk jurisdictions. We use two common key risk scenarios as examples throughout the deck to illustrate how you create and assess your own scenarios.
    • Supporting high-risk travel is the first scenario we will study in-depth as an example. Business growth, service delivery, and mergers and acquisitions can lead end users to travel to high-risk jurisdictions where staff, devices, and data are at risk.
    • Compromised or stolen devices can provide threat actors with access to data that could compromise the organization’s strategic, economic, or competitive advantage or expose the organization to regulatory risk.

    The project blueprint includes template guidance in Phase 3 to help you build and deploy your own travel guidelines to protect critical assets and support end users before they leave, during their trip, and when they return.

    Before you leave

    • Identify high-risk countries.
    • Enable controls.
    • Limit what you pack.

    During your trip

    • Assume you are monitored.
    • Limit access to systems.
    • Prevent theft.

    When you return

    • Change your password.
    • Restore your devices.

    Compliance risk is the second scenario we use as an example

    • Mitigating compliance risk is the second scenario we will study as an example in this blueprint. The legal and regulatory landscape is evolving rapidly to keep step with the pace of technological change. Security and privacy leaders are expected to mitigate the risk of noncompliance as the organization expands to new jurisdictions.
    • Later sections will show how to think through at least four compliance risks, including:
      • Cross-border data transfer
      • Third-party risk management
      • Data breach notification
      • Data residency

    The project blueprint includes template guidance in Phase 3 to help you deploy your own compliance governance controls as a risk mitigation measure.

    Secure Operations in High-Risk Jurisdictions: Info-Tech’s methodology

    1. Identify Context

    2. Assess Risks

    3. Execute Response

    Phase Steps

    1. Assess business requirements
    2. Evaluate security pressures
    1. Identify risks
    2. Assess risk exposure
    1. Treat security risks
    2. Build initiative roadmap

    Phase Outcomes

    • Internal security pressures that capture the governance, policies, practices, and risk tolerance of the organization
    • External security pressures that capture the expectations of customers, regulators, legislators, and business partners
    • A heatmap that captures not only the global exposure of your critical assets but also the business processes they support
    • A security risk register to allow for the easy transfer of critical assets’ global security risk data to your organization’s enterprise risk management practice
    • A roadmap of prioritized initiatives to apply relevant controls and secure global assets
    • A set of key risk indicators to monitor and report your progress

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Business Security Requirements

    Identify the context for the global security risk assessment, including risk appetite and risk tolerance.

    Jurisdictional Risk Register and Heatmap

    Identify critical global assets and the threats they face in high-risk jurisdictions and assess exposure.

    Mitigation Plan

    Roadmap of initiatives and security controls to mitigate global risks to critical assets. Tools and templates to address key security risk scenarios.

    Key deliverable:

    Jurisdictional Risk Register and Heatmap

    Use the Jurisdictional Risk Register and Heatmap Tool to capture information security risks to critical assets in high-risk jurisdictions. The tool generates a world chart that illustrates the risks global operations face to help you engage the business and execute a response.

    Blueprint benefits

    Protect critical assets in high-risk jurisdictions

    IT Benefits

    Assess and remediate information security risk to critical assets in high-risk jurisdictions.

    Easily integrate your risk assessment with enterprise risk assessments to improve communication with the business.

    Illustrate key information security risk scenarios to make the case for action in terms the business understands.

    Business Benefits

    Develop mitigation plans to protect staff, devices, and data in high-risk jurisdictions.

    Support business growth in high-risk jurisdictions without compromising critical assets.

    Mitigate compliance risk to protect your organization’s reputation, avoid fines, and ensure business continuity.

    Quantify the impact of securing global operations

    The tool included with this blueprint can help you measure the impact of implementing the research

    • Use the Jurisdictional Risk Register and Heatmap Tool to describe the key risk scenarios you face, assess their likelihood and impact, and estimate the cost of mitigating measures. Working through the project in this way will help you quantify the impact of securing global operations.
    The image contains a screenshot of Info-Tech's Jurisdictional Risk Register and Heatmap Tool. The image contains a screenshot of the High-Risk Travel Jurisdiction.

    Establish Baseline Metrics

    • Review existing information security and risk management metrics and the output of the tools included with the blueprint.
    • Identify metrics to measure the impact of your risk management efforts. Focus specifically on high-risk jurisdictions.
    • Compare your results with those in your overall security and risk management program.

    ID

    Metric

    Why is this metric valuable?

    How do I calculate it?

    1.

    Overall Exposure – High-Risk Jurisdictions

    Illustrates the overall exposure of critical assets in high-risk jurisdictions.

    Use the Jurisdictional Risk Register and Heatmap Tool. Calculate the impact times the probability rating for each risk. Take the average.

    2.

    # Risks Identified – High-Risk Jurisdictions

    Informs risk tolerance assessments.

    Use the Jurisdictional Risk Register and Heatmap Tool.

    3.

    # Risks Treated – High-Risk Jurisdictions

    Informs residual risk assessments.

    Use the Jurisdictional Risk Register and Heatmap Tool.

    4.

    Mitigation Cost – High-Risk Jurisdictions

    Informs cost-benefit analysis to determine program effectiveness.

    Use the Jurisdictional Risk Register and Heatmap Tool.

    5.

    # Security Incidents – High-Risk Jurisdictions

    Informs incident trend calculations to determine program effectiveness.

    Draw the information from your service desk or IT service management tool.

    6.

    Incident Remediation Cost – High-Risk Jurisdictions

    Informs cost-benefit analysis to determine program effectiveness.

    Estimate based on cost and effort, including direct and indirect cost such as business disruptions, administrative finds, reputational damage, etc.

    7.

    TRENDS: Program Effectiveness – High-Risk Jurisdictions

    # of security incidents over time. Remediation : Mitigation costs over time

    Calculate based on metrics 5 to 7.

    Info-Tech offers various levels of support to best suit your needs.

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks are used throughout all four options.

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1

    Call #1: Scope project requirements, determine assessment scope, and discuss challenges.

    Phase 2

    Call #2: Conduct initial risk assessment and determine risk tolerance.

    Call #3: Evaluate security pressures in high-risk jurisdictions.

    Call #4: Identify risks in high-risk jurisdictions.

    Call #5: Assess risk exposure.

    Phase 3

    Call #6: Treat security risks in high-risk jurisdictions.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization. A typical GI is between 8 to 12 calls over the course of 4 to 6 months.

    Workshop Overview

    Contact your account representative for more information. workshops@infotech.com 1-888-670-8889

    Days 1

    Days 2-3

    Day 4

    Day 5

    Identify Context

    Key Risk Scenarios

    Build Roadmap

    Next Steps and Wrap-Up (offsite)

    Activities

    1.1.1 Determine assessment scope.

    1.1.2 Determine business goals.

    1.1.3 Identify compliance obligations.

    1.2.1 Determine risk appetite.

    1.2.2 Conduct pressure analysis.

    2.1.1 Identify assets.

    2.1.2 Identify threats.

    2.2.1 Assess risk likelihood.

    2.2.2 Assess risk impact.

    3.1.1 Identify and assess risk response.

    3.1.2 Assess residual risks.

    3.2.1 Identify security controls.

    3.2.2 Build initiative roadmap.

    5.1 Complete in-progress deliverables from previous four days.

    5.2 Set up review time for workshop deliverables and to discuss next steps.

    Deliverables

    1. Business requirements for security risk assessment
    2. Identification of high-risk jurisdictions
    3. Security threat landscape for high-risk jurisdictions
    1. Inventory of relevant threats, critical assets, and their vulnerabilities
    2. Assessment of adverse effects should threat agents exploit vulnerabilities
    3. Risk register with key risk scenarios and heatmap of high-risk jurisdictions
    1. Action plan to mitigate key risk scenarios
    2. Investment and implementation roadmap
    1. Completed information security risk assessment for two key risk scenarios
    2. Risk mitigation roadmap

    No safe jurisdictions

    Stakeholders sometimes ask information security and privacy leaders to produce a list of safe jurisdictions from which to operate. We need to help them see that there are no safe jurisdictions, only relatively risky ones. As you build your security program, deepen the scope of your risk assessments to include risk scenarios critical assets face in different jurisdictions. These risks do not need to rule out operations, but they may require additional mitigation measures to keep staff, data, and devices safe and reduce potential reputational harms.

    Traditional approaches to security strategy often omit jurisdictional risks.

    Global operations must contend with a more complex security landscape. Secure critical assets in high-risk jurisdictions with a targeted risk assessment.

    The two greatest risks are high-risk travel and compliance risk.

    You can mitigate them with small adjustments to your security program.

    Support High-Risk Travel

    When securing travel to high-risk jurisdictions, you must consider personnel safety as well as data and device security. Put measures and guidelines in place to protect them before, during, and after travel.

    Mitigate Compliance Risk

    Think through data residency requirements, data breach notification, cross-border data transfer, and third-party risks to support business growth and mitigate compliance risks in high-risk jurisdictions to protect your organization’s reputation and avoid hefty fines or business disruptions.

    Phase 1

    Identify Context

    This phase will walk you through the following activities:

    • Assess business requirements to understand the goals of the organization’s global operations, as well as its risk governance, policies, and practices.
    • Evaluate jurisdictional security pressures to understand threats to critical assets and capture the expectations of external stakeholders, including customers, regulators, legislators, and business partners, and assess risk tolerance.

    This phase involves the following participants:

    • Business stakeholders
    • IT leadership
    • Security team
    • Risk and Compliance

    Step 1.1

    Assess Business Requirements

    Activities

    1.1.1 Determine assessment scope

    1.1.2 Identify enterprise goals in high-risk jurisdictions

    1.1.3 Identify compliance obligations

    This step involves the following participants:

    • Business stakeholders
    • IT leadership
    • Security team
    • Risk and Compliance

    Outcomes of this step

    • Assess business requirements to understand the goals of the organization’s global operations, as well as its risk governance, policies, and practices.

    Focus the risk assessment on high-risk jurisdictions

    Traditional approaches to information security strategy often miss threats to global operations

    • Successful security strategies are typically sensitive to risks to different IT systems and lines of business.
    • However, securing global operations requires additional focus on high-risk jurisdictions, considering what makes them unique.
    • This first phase of the project will help you evaluate the business context of operations in high-risk jurisdictions, including:
      • Enterprise and security goals.
      • Lines of business, physical locations, and IT systems that need additional oversight.
      • Unique compliance obligations.
      • Unique risks and security pressures.
      • Organizational risk tolerance in high-risk jurisdictions.

    Focus your risk assessment on the business activities security supports in high-risk jurisdictions and the unique threats they face to bridge gaps in your security strategy.

    Identify jurisdictions with higher inherent risks

    Your security strategy may not describe jurisdictional risk adequately.

    • Security strategies list lines of business, physical locations, and IT systems the organization needs to secure and those whose security will depend on a third-party. You can find additional guidance on fixing the scope and boundaries of a security strategy in Phase 1 of Build an Information Security Strategy.
    • However, security risks vary widely from one jurisdiction to another according to:
      • Active cyber threats.
      • Legal and regulatory frameworks.
      • Regional security and preparedness capabilities.
    • Your first task is to identify high-risk jurisdictions to target for additional oversight.

    Work closely with your enterprise risk management function.

    Enterprise risk management functions are often tasked with developing risk assessments from composite sources. Work closely with them to complete your own assessment.

    Countries at heightened risk of money laundering and terrorism financing are examples of high-risk jurisdictions. The Financial Action Task Force and the U.S. Treasury publish reports three times a year that identify Non-Cooperative Countries or Territories.

    Develop a robust jurisdictional assessment

    Design an intelligence collection strategy to inform your assessment

    Strategic Intelligence

    White papers, briefings, reports. Audience: C-Suite, board members

    Tactical Intelligence

    Internal reports, vendor reports. Audience: Security leaders

    Operational intelligence

    Indicators of compromise. Audience: IT Operations

    Operational intelligence focuses on machine-readable data used to block attacks, triage and validate alerts, and eliminate threats from the network. It becomes outdated in a matter of hours and is less useful for this exercise.

    Determine travel risks to bolster your assessments

    Not all locations and journeys will require the same security measures.

    • Travel risks vary significantly according to destination, the nature of the trip, and traveler profile.
    • Access to an up-to-date country risk rating system enables your organization and individual staff to quickly determine the overall level of risk in a specific country or location.
    • Based on this risk rating, you can specify what security measures are required prior to travel and what level of travel authorization is appropriate, in line with the organization's security policy or travel security procedures.
    • While some larger organizations can maintain their own country risk ratings, this requires significant capacity, particularly to obtain the necessary information to keep these regularly updated.
    • It may be more effective for your organization to make use of the travel risk ratings provided by an external security information provider, such as a company linked to your travel insurance or travel booking service, if available.
    • Alternatively, various open-source travel risk ratings are available via embassy travel sites or other website providers.

    Without a flexible system to account for the risk exposures of different jurisdictions, staff may perceive measures as a hindrance to operations.

    Develop a tiered risk rating

    The example below outlines potential risk indicators for high-risk travel.

    Rating

    Description

    Low

    Generally secure with adequate physical security. Low violent crime rates. Some civil unrest during significant events. Acts of terrorism rare. Risks associated with natural disasters limited and health threats mainly preventable.

    Moderate

    Periodic civil unrest. Antigovernment, insurgent, or extremist groups active with sporadic acts of terrorism. Staff at risk from common and violent crime. Transport and communications services are unreliable and safety records are poor. Jurisdiction prone to natural disasters or disease epidemics.

    High

    Regular periods of civil unrest, which may target foreigners. Antigovernment, insurgent, or extremist groups very active and threaten political or economic stability. Violent crime rates high, often targeting foreigners. Infrastructure and emergency services poor. May be regular disruption to transportation or communications services. Certain areas off-limits to foreigners. Jurisdictions experiencing natural disasters or epidemics are considered high risk.

    Extreme

    Undergoing active conflict or persistent civil unrest. Risk of being caught up in a violent incident or attack is very high. Authorities may have lost control of significant portions of the country. Lines between criminality and political and insurgent violence are blurred. Foreigners are likely to be denied access to parts of the country. Transportation and communication services are severely degraded or nonexistent. Violence presents a direct threat to staff security.

    Ratings are formulated by assessing several types of risk, including conflict, political/civil unrest, terrorism, crime, and health and infrastructure risks.

    1.1.1 Determine assessment scope

    1 – 2 hours

    1. As a group, brainstorm a list of high-risk jurisdictions to target for additional assessment. Write down as many items as possible to include in:
    • Lines of business
    • Physical locations
    • IT systems

    Pay close attention to elements of the assessment that are not in scope.

  • Discuss the response and the rationale for targeting each of them for additional risk assessments. Identify security-related concerns for different lines of business, locations, user groups, IT systems, and data.
  • Record your responses and your comments in the Information Security Requirements Gathering Tool.
  • Input

    Output

    • Corporate strategy
    • IT strategy
    • Security strategy
    • Relevant threat intelligence
    • A list of high-risk jurisdictions to focus your risk assessment

    Materials

    Participants

    • Laptop
    • Projector
    • Security team
    • IT leadership
    • Business stakeholders
    • Enterprise Risk Management
    • Compliance
    • Legal

    Download the Information Security Requirements Gathering Tool

    Position your efforts in a business context

    Securing critical assets in high-risk jurisdictions is a business imperative

    • Many companies relegate their information security strategies to their IT department. Aside from the strain the choice places on a department that already performs many different functions, it wrongly implies that mitigating information security risk is simply an IT problem.
    • Managing information security risks is a business problem. It requires that organizations identify their risk appetite, prioritize relevant threats, and define risk mitigation initiatives. Business leaders can only do these activities effectively in a context that recognizes the business and financial benefits of implementing protections.
    • This is notably true of businesses with operations in many different countries. Each jurisdiction has its own set of security risks the organization must account for, as well as unique local laws and regulations that affect business operations.
    • In high-risk jurisdictions, your efforts must consider the unique operational challenges your organization may not face in its home country. Your efforts to secure critical assets will be most successful if you describe key risk scenarios in terms of their impact on business goals.
    • You can find additional guidance on assessing the business context of a security strategy in Phase 1 of Build an Information Security Strategy.

    Do you understand the unique business context of operations in high-risk jurisdictions?

    1.1.2 Identify business goals

    Estimated Time: 1-2 hours

    1. As a group, brainstorm the primary and secondary business goals of the organization. Focus your assessment on operations in high-risk jurisdictions you identified in Exercise 1.1.1. Review:
    • Relevant corporate and IT strategies.
    • The business goal definitions and indicator metrics in tab 2, “Goals Definition,” of the Information Security Requirements Gathering Tool.
  • Limit business goals to no more than two primary goals and three secondary goals. This limitation will help you prioritize security initiatives at the end of the project.
  • For each business goal, identify up to two security alignment goals that will support business goals in high-risk jurisdictions.
  • Input

    Output

    • Corporate strategy
    • IT strategy
    • Security strategy
    • Your goals for the security risk assessment for high-risk jurisdictions

    Materials

    Participants

    • Laptop
    • Projector
    • Security team
    • IT leadership
    • Business stakeholders
    • Risk Management
    • Compliance
    • Legal

    Download the Information Security Requirements Gathering Tool

    Record business goals

    Capture the results in the Information Security Requirements Gathering Tool

    1. Record the primary and secondary business goals you identified in tab 3, “Goals Cascade,” of the Information Security Requirements Gathering Tool.
    2. Next, record the two security alignment goals you selected for each business goal based on the tool’s recommendations.
    3. Finally, review the graphic diagram that illustrates your goals on tab 6, “Results,” of the Information Security Requirements Gathering Tool.
    4. Revisit this exercise whenever operations expands to a new jurisdiction to capture how they contribute to the organization’s mission and vision and how the security program can support them.
    The image contains a screenshot of Tab 3, Goals Cascade.

    Tab 3, Goals Cascade

    The image contains a screenshot of Tab 6, Results.

    Tab 6, Results

    Analyze business goals

    Assess how operating in multiple jurisdictions adds nuance to your business goals

    • Security leaders need to understand the direction of the business to propose relevant security initiatives that support business goals in high-risk jurisdictions.
    • Operating in different jurisdictions carries its own degree of risk. The organization is subject not only to the information security risks and legal frameworks of its country of origin but also to those associated with international jurisdictions.
    • You need to understand where your organization operates and how these different jurisdictions contribute to your business goals to support their performance and protect the firm’s reputation.
    • This exercise will make an explicit link between security and privacy concerns in high-risk jurisdictions, what the business cares about, and what security is trying to accomplish.

    If the organization is considering a merger and acquisition project that will expand operations in jurisdictions with different travel risk profiles, the security organization needs to revise the security strategy to ensure the organization can support high-risk travel and mitigate risks to critical assets.

    Identify compliance obligations

    Data compliance obligations loom large in high-risk jurisdictions

    The image contains four hexagons, each with their own words. SOX, PCI DSS, HIPAA, HITECH.

    Security leaders are familiar with most conventional regulatory obligations that govern financial, personal, and healthcare data in North America and Europe.

    The image contains four hexagons, each with their own words. Residency, Cross-Border Transfer, Breach Notification, Third-Party Risk Mgmt.

    Data privacy concerns, nationalism, and the economic value of data are all driving jurisdictions to adopt data residency and data localization and to shut down the cross-border transfer of data.

    The next step requires you to consider the compliance obligations the organization needs to meet to support the business as it expands to other jurisdictions through natural growth, mergers, and acquisitions.

    1.1.3 Identify compliance obligations

    Estimated Time: 1-2 hours

    1. As a group, brainstorm compliance obligations in target jurisdictions. Focus your assessment on operations in high-risk jurisdictions.
    2. Include:

    • Laws
    • Governing regulations
    • Industry standards
    • Contractual agreements
  • Record your compliance obligations and comments on tab 4, “Compliance Obligations,” of the Information Security Requirements Gathering Tool.
  • If you need to take full stock of the laws and regulations in place in the jurisdictions where you operate that you are not familiar with, consider seeking local legal counsel to help you navigate this exercise.
  • Input

    Output

    • Legal and compliance frameworks in target jurisdictions
    • Mandatory and voluntary compliance obligations for target jurisdictions

    Materials

    Participants

    • Laptop
    • Projector
    • Security team
    • IT leadership
    • Business stakeholders
    • Risk Management
    • Compliance
    • Legal

    Download the Information Security Requirements Gathering Tool

    Step 1.2

    Evaluate Security Pressures

    Activities

    1.2.1 Conduct initial risk assessment

    1.2.2 Conduct pressure analysis

    1.2.3 Determine risk tolerance

    This step involves the following participants:

    • Security team
    • Risk and Compliance
    • IT leadership (optional)

    Outcomes of this step

    Identify threats to global assets and capture the security expectations of external stakeholders, including customers, regulators, legislators, and business partners, and determine risk tolerance.

    Evaluate security pressures to set the risk context

    Perform an initial assessment of high-risk jurisdictions to set the context.

    Assess:

    • The threat landscape.
    • The security pressures from key stakeholders.
    • The risk tolerance of your organization.

    You should be able to find the information in your existing security strategy. If you don’t have the information, work through the next three steps of the project blueprint.

    The image contains a diagram to demonstrate evaluating security pressures, as described in the text above.

    Some jurisdictions carry inherent risks

    • Jurisdictional risks stem from legal, regulatory, or political factors that exist in different countries or regions. They can also stem from unexpected legal changes in regions where critical assets have exposure. Understanding jurisdictional risks is critical because they can require additional security controls.
    • Jurisdictional risk tends to be higher in jurisdictions:
      • Where the organization:
        • Conducts high-value or high-volume financial transactions.
        • Supports and manages critical infrastructure.
        • Has high-cost data or data whose compromise could undermine competitive advantage.
        • Has a high percentage of part-time employees and contractors.
        • Experiences a high rate of employee turnover.
      • Where state actors:
        • Have a low commitment to cybersecurity, financial, and privacy legislation and regulation.
        • Support cybercrime organizations within their borders.

    Jurisdictional risk is often reduced to countries where money laundering and terrorist activities are high. In this blueprint, the term refers to the broader set of information security risks that arise when operating in a foreign country or jurisdiction.

    Five key risk scenarios are most prevalent

    Key Risk Scenarios

    • High-Risk Travel
    • Compliance Risk
    • Insider Threat
    • Advanced Persistent Threat
    • Commercial Surveillance

    Security leaders who support operations in many countries need to take additional steps to mitigate security risks to critical assets. The goal of the next two exercises is to analyze the threat landscape and security pressures unique to high-risk jurisdictions, which will inform the construction of key scenarios in Phase 2. These five scenarios are most prevalent in high-risk jurisdictions. Keep them in mind as you go through the exercises in this section.

    1.2.1 Assess jurisdictional risk

    1-3 hours

    1. As a group, review the questions on tab 2, “Risk Assessment,” of the Information Security Pressure Analysis Tool.
    2. Gather the required information from subject matter experts on the following risk elements with a focus on high-risk jurisdictions:
    3. Review each question in tab 2 of the Information Security Pressure Analysis Tool and select the most appropriate response.

    Input

    Output

    • Existing security strategy
    • List of organizational assets
    • Historical data on information security incidents
    • Completed risk assessment

    Materials

    Participants

    • Information Security Pressure Analysis Tool
    • Security team
    • IT leadership
    • Risk Management

    For more information on how to complete the risk assessment questionnaire, see Step 1.2.1 of Build an Information Security Strategy.

    1.2.2 Conduct pressure analysis

    1-3 hours

    1. As a group, review the questions on tab 3, “Pressure Analysis,” of the Information Security Pressure Analysis Tool.
    2. Gather the required information from subject matter experts on the following pressure elements with a focus on high-risk jurisdictions:
    • Compliance and oversight
    • Customer expectations
    • Business expectations
    • IT expectations
  • Review each question in the questionnaire and provide the most appropriate response using the drop-down list. It may be helpful to consult with the appropriate departments to obtain their perspectives.
  • For more information on how to complete the pressure analysis questionnaire, see Step 1.3 of Build an Information Security Strategy.

    Input

    Output

    • Information on various pressure elements within the organization
    • Existing security strategy
    • Completed pressure analysis

    Materials

    Participants

    • Information Security Pressure Analysis Tool
    • Security team
    • IT leadership
    • Business leaders
    • Compliance

    A low security pressure means that your stakeholders do not assign high importance to information security. You may need to engage stakeholders with the right key risk scenarios to illustrate jurisdictional risk and generate support for new security controls.

    Download the Information Security Pressure Analysis Tool

    Assess risk tolerance

    • Risk tolerance expresses the types and amount of risk the organization is willing to accept in pursuit of its goals.
    • These expectations can help you identify, manage, and report on key risk scenarios in high-risk jurisdictions.
    • For instance, an organization with a low risk tolerance will require a stronger information security program to minimize operational security risks.
    • It’s up to business leaders to determine the risks they are willing to accept. They may need guidance to understand how system-level risks affect the organization’s ability to pursue its goals.

    A formalized risk tolerance statement can help:

    • Support risk-based security decisions that align with business goals.
    • Provide a meaningful rationale for security initiatives.
    • Improve the transparency of investments in the organization’s security program.
    • Provide guidance for monitoring inherent risk and residual risk exposure.

    The role of security professionals is to identify and analyze key risk scenarios that may prevent the organization from reaching its goals.

    1.2.3 Determine risk tolerance

    1-3 hours

    1. As a group, review the questions on tab 4, “Risk Tolerance,” of the Information Security Pressure Analysis Tool.
    2. Gather the required information from subject matter experts on the following risk tolerance elements:
    • Recent IT problems, especially downtime and data recovery issues
    • Historical security incidents
  • Review any relevant documentation, including:
    • Existing security strategy
    • Business impact assessments
    • Service-level agreements

    For more information on how to complete the risk tolerance questionnaire, see Step 1.4 of Build an Information Security Strategy.

    Input

    Output

    • Existing security strategy
    • Data on recent IT problems and incidents
    • Business impact assessments
    • Completed risk tolerance statement

    Materials

    Participants

    • Information Security Pressure Analysis Tool
    • Security team
    • IT leadership
    • Risk Management

    Download the Information Security Pressure Analysis Tool

    Review the output of the results tab

    • The organizational risk assessment provides a high-level assessment of inherent risks in high-risk jurisdictions. Use the results to build and assess key risk scenarios in Phase 2.
    • Use the security pressure analysis to inform stakeholder management efforts. A low security pressure indicates that stakeholders do not yet grasp the impact of information security on organizational goals. You may need to communicate its importance before you discuss additional security controls.
    • Jurisdictions in which organizations have a low risk tolerance will require stronger information security controls to minimize operational risks.
    The image contains a screenshot of the organizational risk assessment. The image contains a screenshot of the security pressure analysis. The image contains a screenshot of the risk tolerance curve.

    Phase 2

    Assess Security Risks to Critical Assets

    This phase will walk you through the following activities:

    • Identify critical assets, their vulnerabilities to relevant threats, and the adverse impact a successful threat event would have on the organization.
    • Assess risk exposure of critical assets in high-risk jurisdictions for each risk scenario through an analysis of its likelihood and impact.

    This phase involves the following participants:

    • Security team
    • Risk and Compliance
    • IT leadership (optional)

    Step 2.1

    Identify Risks

    Activities

    2.1.1 Identify assets

    2.1.2 Identify threats

    This step involves the following participants:

    • Security team
    • Risk and Compliance
    • IT leadership (optional)

    Outcomes of this step

    • Define risk scenarios that identify critical assets, their vulnerabilities to relevant threats, and the adverse impact a successful threat event would have on the organization.

    This blueprint focuses on mitigating jurisdictional risks

    The image contains a screenshot of the IT Risk Management Framework. The framework includes: Risk Identification, Risk Assessment, Risk Response, and Risk Governance.

    For a deeper dive into building a risk management program, see Info-Tech’s core project blueprints on risk management:

    Build an IT Risk Management Program

    Combine Security Risk Management Components Into One Program

    Draft key risk scenarios to illustrate adverse events

    Risk scenarios help decision-makers understand how adverse events affect business goals.

    • Risk-scenario building is the process of identifying the critical factors that contribute to an adverse event and crafting a narrative that describes the circumstances and consequences if it were to happen.
    • Risk scenarios set up the risk analysis stage of the risk assessment process. They are narratives that describe in detail:
      • The asset at risk.
      • The threat that can act against the asset.
      • Their intent or motivation.
      • The circumstances and threat actor model associated with the threat event.
      • The potential effect on the organization.
      • When or how often the event might occur.

    Risk scenarios are further distilled into a single sentence or risk statement that communicates the essential elements from the scenario.

    Well-crafted risk scenarios have four components

    The second phase of the project will help you craft meaningful risk scenarios

    Threat

    Exploits an

    Asset

    Using a

    Method

    Creating an

    Effect

    An actor capable of harming an asset

    Anything of value that can be affected and results in loss

    Technique an actor uses to affect an asset

    How loss materializes

    Examples: Malicious or untrained employees, cybercriminal groups, malicious state actors

    Examples: Systems, regulated data, intellectual property, people

    Examples: Credential compromise, privilege escalation, data exfiltration

    Examples: Loss of data confidentiality, integrity, or availability; impact on staff health & safety

    Risk scenarios are concise, four to six sentence narratives that describe the core elements of forecasted adverse events. Use them to engage stakeholders with the right questions and guide them to make informed decisions about how to address and treat security risks in high-risk jurisdictions.

    The next slides review five key risk scenarios prevalent in high-risk jurisdictions. Use them as examples to develop your own.

    Travel to high-risk jurisdictions requires special measures to protect staff, devices, and data

    Governmental, academic, and commercial advisors compile lists of jurisdictions that pose greater travel risks annually.

    For instance, in the US, these lists might include countries that are:

    • Subjects of travel warnings by the US Department of State.
    • Identified as high risk by other US government sources such as:
      • The Department of the Treasury Office of Foreign Assets Control (OFAC).
      • The Federal Bureau of Investigation (FBI).
      • The Office of the Director of National Intelligence (ODNI).
    • Compiled from academic and commercial sources, such as Control Risks.

    When securing travel to high-risk jurisdictions, you must consider personnel safety as well as data and device security.

    The image contains a diagram to present high-risk jurisdictions.

    The diagram presents high-risk jurisdictions based on US governmental sources (2021) listed on this slide.

    High-risk travel

    Likelihood: Medium

    Impact: Medium

    Key Risk Scenario #1

    Malicious state actors, cybercriminals, and competitors can threaten staff, devices, and data during travel to high-risk jurisdictions. Device theft or compromise may occur while traveling through airports, accessing hotel computer and phone networks, or in internet cafés or other public areas. Threat actors can exploit data from compromised or stolen devices to undermine the organization’s strategic, economic, or competitive advantage. They can also infect compromised devices with malware that delivers malicious payloads once they reconnect with home networks.

    Threat Actor:

    • Malicious state actors
    • Cybercriminals
    • Competitors

    Assets:

    • Staff
    • IT systems
    • Sensitive data

    Effect:

    • Compromised staff health and safety
    • Loss of data
    • Lost of system integrity

    Methods:

    • Identify, steal, or target mobile devices.
    • Compromise network, wireless, or Bluetooth connections.
    • Leverage stolen devices as a means of infecting other networks.
    • Access devices to track user location.
    • Activate microphones on devices to collect information.
    • Intercept electronic communications users send from high-risk jurisdictions.

    The data compliance landscape is a jigsaw puzzle of data protection and data residency requirements

    Since the EU passed the GDPR in 2016, jurisdictions have turned to data regulations to protect citizen data

    Data privacy concerns, nationalism, and the economic value of data are all driving jurisdictions to adopt data residency, breach notification, and cross-border data transfer regulations. As 2021 wound down to a close, nearly all the world’s 30 largest economies had some form of data regulation in place. The regulatory landscape is shifting rapidly, which complicates operations as organizations grow into new markets or engage in merger and acquisition activities.

    Global operations require special attention to data-residency requirements, data breach notification requirements, and cross-border data transfer regulations to mitigate compliance risk.

    The image contains a diagram to demonstrate the data regulations placed in various places around the world.

    Compliance risk

    Likelihood: Medium

    Impact: High

    Key Risk Scenario #2

    Rapid changes in the privacy and security regulatory landscape threaten organizations’ ability to meet their compliance obligations from local legal and regulatory frameworks. Organizations risk reputational damage, administrative fines, criminal charges, and loss of market share. In extreme cases, organizations may lose their license to operate in high-risk jurisdictions. Shifts in the regulatory landscape can involve additional requirements for data residency, cross-border data transfer, data breach notification, and third-party risk management.

    Threat Actor:

    • Local, regional, and national state actors

    Asset:

    • Reputation, market share
    • License to operate

    Effect:

    • Administrative fines
    • Loss of reputation, brand trust, and consumer loyalty
    • Loss of market share
    • Suspension of business operations
    • Lawsuits due to collective actions and claims
    • Criminal charges

    Methods:

    • Shifts in the privacy and security regulatory landscape, including requirements for:
      • Data residency.
      • Cross-border data transfer.
      • Data breach notification.
      • Third-party security and privacy risk management.

    The incidence of insider threats varies widely by jurisdiction in unexpected ways

    On average, companies in North America, the Middle East, and Africa had the most insider incidents in 2021, while those in the Asia-Pacific region had the least.

    The Ponemon Institute set out to understand the financial consequences that result from insider threats and gain insight into how well organizations are mitigating these risks.

    In the context of this research, insider threat is defined as:

    • Employee or contractor negligence.
    • Criminal or malicious insider activities.
    • Credential theft (imposter risk).

    On average, the total cost to remediate insider threats in 2021 was US$15.4 million per incident.

    In all regions, employee or contractor negligence occurred most frequently. Organizations in North America and in the Middle East and Africa were most likely to experience insider threat incidents in 2021.

    the image contains a diagram of the world, with various places coloured in different shades of blue.

    The diagram represents the average number of insider incidents reported per organization in 2021. The results are analyzed in four regions (Ponemon Institute, 2022)

    Insider threat

    Likelihood: Low to Medium

    Impact: High

    Key Risk Scenario #3

    Malicious insiders, negligent employees, and credential thieves can exploit inside access to information systems to commit fraud, steal confidential or commercially valuable information, or sabotage computer systems. Insider threats are difficult to identify, especially when security is geared toward external threats. They are often familiar with the organization’s data and intellectual property as well as the methods in place to protect them. An insider may steal information for personal gain or install malicious software on information systems. They may also be legitimate users who make errors and disregard policies, which places the organization at risk.

    Threat Actor:

    • Malicious insiders
    • Negligent employees
    • Infiltrators

    Asset:

    • Sensitive data
    • Employee credentials
    • IT systems

    Effects:

    • Loss of system integrity
    • Loss of data confidentiality
    • Financial loss

    Methods:

    • Infiltrators may compromise credentials.
    • Malicious or negligent insiders may use corporate email to steal or share sensitive data, including:
      • Regulated data.
      • Intellectual property.
      • Critical business information.
    • Malicious agents may facilitate data exfiltration, as well as open-port and vulnerability scans.

    The risk of advanced persistent threats is more prevalent in Central and South America and the Asia-Pacific region

    Attacks from advanced persistent threat (APT) actors are more sophisticated than traditional ones.

    • More countries will use legal indictments as part of their cyber strategy. Exposing toolsets of APT groups carried out at the governmental level will drive more states to do the same.
    • Expect APTs to increasingly target network appliances like VPN gateways as organizations continue to sustain hybrid workforces.
    • The line between APTs and state-sanctioned ransomware groups is blurring. Expect cybercriminals to wield better tools, mount more targeted attacks, and use double-extortion tactics.
    • Expect more disruption and collateral damage from direct attacks on critical infrastructure.

    Top 10 Significant Threat Actors:

    • Lazarus
    • DeathStalker
    • CactusPete
    • IAmTheKing
    • TransparentTribe
    • StrongPity
    • Sofacy
    • CoughingDown
    • MuddyWater
    • SixLittleMonkeys

    Top 10 Targets:

    • Government
    • Banks
    • Financial Institutions
    • Diplomatic
    • Telecommunications
    • Educational
    • Defense
    • Energy
    • Military
    • IT Companies
    The image contains a world map coloured in various shades of blue.
    Top 12 countries targeted by APTs (Kaspersky, 2020)

    Track notable APTs to revise your list of high-risk jurisdictions and review the latest tactics and techniques

    Governmental advisors track notable APT actors that pose greater risks.

    The CISA Shields Up site, SANS Storm Center site, and MITRE ATT&CK group site provide helpful and timely information to understand APT risks in different jurisdictions.

    The following threat actors are currently associated with cyberattacks affiliated with the Russian government.

    Activity Group

    Risks

    APT28 (GRU)

    Known as Fancy Bear, this threat group has been tied to espionage since 2004. They compromised the Hillary Clinton campaign, amid other major events.

    APT29 (SVT)

    Tied to espionage since 2008. Reportedly compromised the Democratic National Committee in 2015. Cited in the 2021 SolarWinds compromise.

    Buhtrap/RTM Group

    Group focused on financial targets since 2014. Currently known to target Russian and Ukrainian banks.

    Gamaredon

    Operating in Crimea. Aligned with Russian interests. Has previously targeted Ukrainian government officials and organizations.

    DEV-0586

    Carried out wiper malware attacks on Ukrainian targets in January 2022.

    UNC1151

    Active since 2016. Linked to information operation campaigns and the distribution of anti-NATO material.

    Conti

    Most successful ransomware gang of 2021, with US$188M revenue. Supported Russian invasion of Ukraine, threatening attacks on allied critical infrastructure.

    Sources: MITRE ATT&CK; Security Boulevard, 2022; Reuters, 2022; The Verge, 2022

    Advanced persistent threat

    Likelihood: Low to Medium

    Impact: High

    Key Risk Scenario #4

    Advanced persistent threats are state actors or state-sponsored affiliates with the means to avoid detection by anti-malware software and intrusion detection systems. These highly-skilled and persistent malicious agents have significant resources with which to bypass traditional security controls, establish a foothold in the information technology infrastructure, and exfiltrate data undetected. APTs have the resources to adapt to a defender’s efforts to resist them over time. The loss of system integrity and data confidentiality over time can lead to financial losses, business continuity disruptions, and the destruction of critical infrastructure.

    Threat Actor:

    • State actors
    • State-sponsored affiliates

    Asset:

    • Sensitive data
    • IT systems
    • Critical infrastructure

    Effects:

    • Loss of system integrity
    • Loss of data confidentiality
    • Financial loss
    • Business continuity disruptions
    • Infrastructure destruction

    Methods:

    • Persistent, consistent attacks using the most advanced threats and tactics to bypass security defenses.
    • The goal of APTs is to maintain access to networks for prolonged periods without being detected.
    • The median dwell time differs widely between regions. FireEye reported the mean dwell time for 2018:
      • Americas: 71 days
      • Europe, Middle East, and Africa: 177 days
      • Asia-Pacific: 204 days
    Sources: Symantec, 2011; FireEye, 2019

    Threat agents have deployed invasive technology for commercial surveillance in at least 76 countries since 2015

    State actors and their affiliates purchased and used invasive spyware from companies in Europe, Israel, and the US.

    • “Customers are predominantly repressive regimes looking for new ways to control the flow of information and stifle dissent. Less than 10% of suspected customers are considered full democracies by the Economist Intelligence Unit.” (Top10VPN, 2021)
    • Companies based in economically developed and largely democratic states are profiting off the technology.
    • The findings demonstrate the need to consider geopolitical realities when assessing high-risk jurisdictions and to take meaningful action to increase layered defenses against invasive malware.
    • Spyware is having an increasingly well-known impact on civil society. For instance, since 2016, over 50,000 individual phone numbers have been identified as potential targets by NSO Group, the Israeli manufacturers of the notorious Pegasus Spyware. The target list contained the phone numbers of politicians, journalists, activists, doctors, and academics across the world.
    • The true number of those affected by spyware is almost impossible to determine given that many fall victim to the technology and do not notice.
    The image contains a map of the world with various countries highlighted in shades of blue.

    Countries where commercial surveillance tools have been deployed (“Global Spyware Market Index,” Top10VPN, 2021)

    The risks and effects of spyware vary greatly

    Spyware can steal mundane information, track a user’s every move, and everything in between.

    Adware

    Software applications that display advertisements while the program is running.

    Keyboard Loggers

    Applications that monitor and record keystrokes. Malicious agents use them to steal credentials and sensitive enterprise data.

    Trojans

    Applications that appear harmless but inflict damage or data loss to a system.

    Mobile Spyware

    Surveillance applications that infect mobile devices via SMS or MMS channels, though the most advanced can infect devices without user input.

    State actors and their affiliates use system monitors to track browsing habits, application usage, and keystrokes and capture information from devices’ GPS location data, microphone, and camera. The most advanced system monitor spyware, such as NSO Group’s Pegasus, can infect devices without user input and record conversations from end-to-end encrypted messaging systems.

    Commercial surveillance

    Likelihood: Low to Medium

    Impact: Medium

    Key Risk Scenario #5

    Malicious agents can deploy malware on end-user devices with commercial tools available off the shelf to secretly monitor the digital activity of users. Attacks exploit widespread vulnerabilities in telecommunications protocols. They occur through email and text phishing campaigns, malware embedded in untested applications, and sophisticated zero-click attacks that deliver payloads without requiring user interactions. Attacks target sensitive as well as mundane information. They can be used to track employee activities, investigate criminal activity, or steal credentials, credit card numbers, or other personally identifiable information.

    Threat Actor:

    • State actors
    • State-sponsored affiliates

    Asset:

    • Sensitive data
    • Staff health and safety
    • IT systems

    Effects:

    • Data breaches
    • Loss of data confidentiality
    • Increased risk to staff health and safety
    • Misuse of private data
    • Financial loss

    Methods:

    • Email and text phishing attacks that delivery malware payloads
    • Sideloading untested applications from a third-party source rather than an official retailer
    • Sophisticated zero-click attacks that deliver payloads without requiring user interaction

    Use the Jurisdictional Risk Register and Heatmap Tool

    The tool included with this blueprint can help you draft risk scenarios and risk statements in this section.

    The risk register will capture a list of critical assets and their vulnerabilities, the threats that endanger them, and the adverse effect your organization may face.

    The image includes two screenshots of the jurisdictional risk register and heatmap tool. The image contains a screenshot of the High-Risk Travel Jurisdiction.

    Download the Jurisdictional Risk Register and Heatmap Tool

    2.1.1 Identify assets

    1 – 2 hours

    1. As a group, consider critical or mission-essential functions in high-risk jurisdictions and the systems on which they depend. Brainstorm a list of the organization’s mission-supporting assets in high-risk jurisdictions. Consider:
    • Staff
    • Critical IT systems
    • Sensitive data
    • Critical operational processes
  • On a whiteboard, brainstorm the potential adverse effect of malicious agents in high-risk jurisdictions compromising critical assets. Consider the impact on:
    • Information systems.
    • Sensitive or regulated data.
    • Staff health and safety.
    • Critical operations and objectives.
    • Organizational finances.
    • Reputation and brand loyalty

    Threat

    Exploits an

    Asset

    Using a

    Method

    Creating an

    Effect

    Inputs for risk scenario identification

    Input

    Output

    • Corporate strategy
    • IT strategy
    • Security strategy
    • Business impact analyses
    • A list of the organization’s mission-supporting assets

    Materials

    Participants

    • Laptop
    • Projector
    • Whiteboard
    • Security team
    • IT leadership
    • System owner
    • Enterprise Risk Management

    Threat

    Exploits an

    Asset

    Using a

    Method

    Creating an

    Effect

    Inputs for risk scenario identification

    The image contains an example of the activity mentioned in the text above.

    Model threats to narrow the range of scenarios

    Motives and capabilities to perform attacks on critical assets vary across different threat actors.

    Category

    Actions

    Motivation

    Sophistication

    Nation-states

    Cyberespionage, cyberattacks

    Geopolitical

    High. Dedicated resources and personnel, extensive planning and coordination.

    Proxy organizations

    Espionage, destructive attacks

    Geopolitical, Ideological, Profit

    Moderate. Some planning and support functions and technical expertise.

    Cybercrime

    Theft, fraud, extortion

    Profit

    Moderate. Some planning and support functions and technical expertise.

    Hacktivists

    Disrupt operations, attack brands, release sensitive data

    Ideological

    Low. Rely on widely available tools that require little skill to deploy.

    Insiders

    Destruction or release of sensitive data, theft, exposure through negligence

    Incompetence, Discontent

    Internal access. Acting on their own or in concert with any of the above.

    • Criminals, hacktivists, and insiders vary in sophistication. Some criminal groups demonstrate a high degree of sophistication; however, a large cyber event that damages critical infrastructure does not align with their incentives to make money at minimal risk.
    • Proxy actors conduct offensive cyber operations on behalf of a beneficiary. They may be acting on behalf of a competitor, national government, or group of individuals.
    • Nation-states engage in long-term espionage and offensive cyber operations that support geopolitical and strategic policy objectives.

    2.1.2 Identify threats

    1 – 2 hours

    1. Review the outputs from activity 1.1.1 and activity 2.1.1.
    2. Identify threat agents that could undermine the security of critical assets in high-risk jurisdictions. Include internal and external actors.
    3. Assess their motives, means, and opportunities.
    • Which critical assets are most attractive? Why?
    • What paths and vulnerabilities can threat agents exploit to reach critical assets without going through a control?
    • How could they defeat existing controls? Draw on the MITRE framework to inform your analysis.
    • Once agents defeat a control, what further attack can they launch?

    Threat

    Exploits an

    Asset

    Using a

    Method

    Creating an

    Effect

    Inputs for risk scenario identification

    Input

    Output

    • Jurisdictional assessment from activity 1.1.1
    • Critical assets from activity 2.1.1
    • Potential vulnerabilities from:
      • Security control gap analysis
      • Security risk register
    • Threat intelligence
    • MITRE framework
    • A list of critical assets, threat agents, vulnerabilities, and potential attack vectors.

    Materials

    Participants

    • Laptop
    • Projector
    • Whiteboard
    • Security team
    • Infrastructure & Operations team
    • Enterprise Risk Management

    2.1.2 Identify threats (continued)

    1 – 2 hours

    1. On a whiteboard, brainstorm how threat agents will exploit vulnerabilities in critical assets to reach their goal. Redefine attack vectors to capture what could result from a successful initial attack.

    For example:

    • State actors and cybercriminals may steal or compromise end-user devices during travel to high-risk jurisdictions using malware they embed in airport charging stations, internet café networks, or hotel business centers.
    • Compromised devices may infect corporate networks and threaten sensitive data once they reconnect to them.

    Threat

    Exploits an

    Asset

    Using a

    Method

    Creating an

    Effect

    The image contains a screenshot of activity 2.1.2 as described in the text above.

    Bring together the critical risk elements into a single risk scenario

    Summarize the scenario further into a single risk statement

    Risk Scenario: High-Risk Travel

    State actors and cybercriminals can threaten staff, devices, and data during travel to high-risk jurisdictions. Device theft or compromise may occur while traveling through airports, accessing hotel computer and phone networks, or in internet cafés or other public areas. Threat actors can exploit data from compromised or stolen devices to undermine the organization’s strategic, economic, or competitive advantage. They can also infect compromised devices with malware that delivers malicious payloads once they reconnect with home networks.

    Risk Statement

    Cybercriminals compromise end-user devices during travel to high-risk jurisdictions, jeopardizing staff safety and leading to loss of sensitive data.

    Risk Scenario: Compliance Risk

    Rapid changes in the privacy and security regulatory landscape threaten an organization’s ability to meet its compliance obligations from local legal and regulatory frameworks. Organizations that fail to do so risk reputational damage, administrative fines, criminal charges, and loss of market share. In extreme cases, organizations may lose their license to operate in high-risk jurisdictions. Shifts in the regulatory landscape can involve additional requirements for data residency, cross-border data transfer, data breach notification, and third-party risk management.

    Risk Statement

    Rapid changes in the privacy and security regulations landscape threaten our ability to remain compliant, leading to reputational and financial loss.

    Fill out the Jurisdictional Risk Register and Heatmap Tool

    The tool is populated with data from two key risk scenarios: high-risk travel and compliance risk.

    The image includes two screenshots of the Jurisdictional Risk Register and Heatmap Tool.

    1. Label the risk in Tab 3, Column B.
    2. Record your risk scenario in Tab 3, Column C.
    3. Record your risk statement in Tab 3, Column D.
    4. Identify the applicable jurisdictions in Tab 3, Column E.
    5. You can further categorize the scenario as:
      • an enterprise risk (Column G).
      • an IT risk (Column H).

    Download the Jurisdictional Risk Register and Heatmap Tool

    Step 2.2

    Assess Risk Exposure

    Activities

    2.2.1 Identify existing controls

    2.2.2 Assess likelihood and impact

    This step involves the following participants:

    • Security team
    • Risk and Compliance
    • IT leadership (optional)

    Outcomes of this step

    • Assess risk exposure for each risk scenario through an analysis of its likelihood and impact.

    Brush up on risk assessment essentials

    The next step will help you prioritize IT risks based on severity.

    Likelihood of Occurrence X Likelihood of Impact = Risk Severity

    Likelihood of occurrence: How likely the risk is to occur.

    Likelihood of impact: The likely impact of a risk event.

    Risk severity: The significance of the risk.

    Evaluate risk severity against the risk tolerance thresholds and the cost of risk response.

    Identify existing controls before you proceed

    Existing controls will reduce the inherent likelihood and impact of the risk scenario you face.

    Existing controls were put in place to avoid, mitigate, or transfer key risks your organization faced in the past. Without considering existing controls, you run the risk of overestimating the likelihood and impact of the risk scenarios your organization faces in high-risk jurisdictions.

    For instance, the ability to remote-wipe corporate-owned devices will reduce the potential impact of a device lost or compromised during travel to high-risk jurisdictions.

    As you complete the risk assessment for each scenario, document existing controls that reduce their inherent likelihood and impact.

    2.2.1 Document existing controls

    6-10 hours

    1. Document the Risk Category and Existing Controls in the Jurisdictional Risk Register and Heatmap Tool.
      • Tactical controls apply to individual risks only. For instance, the ability to remote-wipe devices mitigates the impact of a device lost in a high-risk jurisdiction.
      • Strategic controls apply to multiple risks. For instance, deploying MFA for critical applications mitigates the likelihood that malicious actors can compromise a lost device and impedes their access in devices they do compromise.

    Input

    Output

    • Risk scenarios
    • Existing controls for risk scenarios

    Materials

    Participants

    • Jurisdictional Risk Register and Heatmap Tool
    • Laptop
    • Projector
    • Security team
    • IT leadership
    • Business stakeholders
    • Enterprise Risk Management

    Download the Jurisdictional Risk Register and Heatmap Tool.

    Assess the risk scenarios you identified in Phase 1

    The risk register is the central repository for risks in high-risk jurisdictions.

    • Use the second tab of the Jurisdictional Risk Register and Heatmap Tool to create likelihood, impact, and risk tolerance assessment scales to evaluate every risk event effectively.
    • Severity-level assessment is a “first pass” of your risk scenarios that will reveal your organization’s most severe risks in high-risk jurisdictions.
    • You can incorporate expected cost calculations into your evaluation to assess scenarios in greater detail.
    • Expected cost represents how much you would expect to pay in an average year for each risk event. Expected cost calculations can help compare IT risks to non-IT risks that may not use the same scales and communicate system-level risk to the business in a language they will understand.

    Expected cost calculations may not be practical. Determining robust likelihood and impact values to produce cost estimates can be challenging and time consuming. Use severity-level assessments as a first pass to make the case for risk mitigation measures and take your lead from stakeholders.

    The image contains two screenshots of the Jurisdictional Risk Register and Heatmap Tool.

    Use the Jurisdictional Risk Register and Heatmap Tool to capture and analyze your data.

    2.2.2 Assess likelihood and impact

    6-10 hours

    1. Assign each risk scenario a likelihood of occurrence and a likely impact level that represents the impact of the scenario on the whole organization considering existing controls. Record your results in Tab 3, column R and S, respectively.
    2. You can further dissect likelihood and impact into component parameters but focus first on total likelihood and impact to keep the task manageable.
    3. As you input the first few likelihood and impact values, compare them to one another to ensure consistency and accuracy. For instance, is a device lost in a high-risk jurisdiction truly more impactful than a device compromised with commercial surveillance software?
    4. The tool will calculate the probability of risk exposure based on the likelihood and consequence associated with the scenario. The results are published in Tab 3, Column T.

    Input

    Output

    • Risk scenarios
    • Assessed the likelihood of occurrence and impact for all identified risk events

    Materials

    Participants

    • Jurisdictional Risk Register and Heatmap Tool
    • Laptop
    • Projector
    • Security team
    • IT leadership
    • Business stakeholders
    • Enterprise Risk Management

    Download the Jurisdictional Risk Register and Heatmap Tool.

    Refine your risk assessment to justify your estimates

    Document the rationale behind each value and the level of consensus in group discussions.

    Stakeholders will likely ask you to explain some of the numbers you assigned to likelihood and impact assessments. Pointing to an assessment methodology will give your estimates greater credibility.

    • Assign one individual to take notes during the assessment exercise.
    • Have them document the main rationale behind each value and the level of consensus.

    The goal is to develop robust intersubjective estimates of the likelihood and impact of a risk scenario.

    We assigned a 50% likelihood rating to a risk scenario. Were we correct?

    Assess the truth of the following statements to test likelihood assessments. In this case, do these two statements seem true?

    • The risk event will likely occur once in the next two years, all things being equal.
    • In two nearly identical organizations, one out of two will experience the risk event this year.
    The image includes a screenshot of the High-Risk Travel Jurisdictions.

    Phase 3

    Execute Response

    This phase will walk you through the following activities:

    • Prioritize and treat global risks to critical assets based on their value and exposure.
    • Build an initiative roadmap that identifies and applies relevant controls to protect critical assets. Identify key risk indicators to monitor progress.

    This phase involves the following participants:

    • Security team
    • Risk and Compliance
    • IT leadership (optional)

    Step 3.1

    Treat Security Risks

    Activities

    3.1.1 Identify and assess risk response

    This step involves the following participants:

    • Security team
    • Risk and Compliance
    • IT leadership (optional)

    Outcomes of this step

    • Prioritize and treat global risks to critical assets based on their value and exposure.

    Analyze and select risk responses

    The next step will help you treat the risk scenarios you built in Phase 2.

    Identify

    Identify risk responses.

    Predict

    Predict the effectiveness of the risk response, if implemented, by estimating the residual likelihood and impact of the risk.

    Calculate

    The tool will calculate the residual severity of the risk after applying the risk response.

    The first part of the phase outlines project activities. The second part elaborates on high-risk travel and compliance risk, the two key risk scenarios we are following throughout the project. Use the Jurisdictional Risk Register and Heatmap Tool to capture your work.

    Analyze likelihood and impact to identify response

    The image contains a diagram of he risk response analysis. Risk Transfer and Risk Avoidance has the most likelihood, and Risk Acceptance and Risk Mitigation have the most impact. Risk Avoidance has the most likelihood and most impact in regards to risk response.

    3.1.1 Identify and assess risk response

    Complete the following steps for each risk scenario.

    1. Identify a risk response action that will help reduce the likelihood of occurrence or the impact if the scenario were to occur. Indicate the type of risk response (avoidance, mitigation, transfer, acceptance, or no risk exists).
    2. Assign each risk response action a residual likelihood level and a residual impact level. This is the same step you performed in Activity 2.2.2, but you are now are estimating the likelihood and impact of the risk event after you implemented the risk response action successfully. The Jurisdictional Risk Register and Heatmap Tool will generate a residual risk severity level for each risk event.
    3. Identify the potential Risk Action Owner (Project Manager) if the response is selected and turned into an IT project, and document this in the Jurisdictional Risk Register and Heatmap Tool .
    4. For each risk event, document risk response actions, residual likelihood and impact levels, and residual risk severity level.

    Input

    Output

    • Risk scenarios from Phase 2
    • Risk scenario mitigation plan

    Materials

    Participants

    • Whiteboard/flip charts
    • Jurisdictional Risk Register and Heatmap Tool
    • Security team
    • Risk and Compliance
    • IT leadership (optional)

    Download the Jurisdictional Risk Register and Heatmap Tool

    Step 3.2

    Mitigate Travel Risk

    Activities

    3.2.1 Develop a travel policy

    3.2.2 Develop travel procedures

    3.2.3 Design high-risk travel guidelines

    This step involves the following participants:

    • Security team
    • Risk and Compliance
    • IT leadership (optional)

    Outcomes of this step

    • Prioritize and treat global risks to critical assets based on their value and exposure.

    Identify controls to mitigate jurisdictional risk

    This section provides guidance on the most prevalent risk scenarios identified in Phase 2 and provides a more in-depth examination of the two most prevalent ones, high-risk travel and compliance risk. Determine the appropriate response to each risk scenario to keep global risks to critical assets aligned with the organization’s risk tolerance.

    Key Risk Scenarios

    • High-Risk Travel
    • Compliance Risk
    • Insider Threat
    • Advanced Persistent Threat
    • Commercial Surveillance

    Travel risk is a common concern in organizations with global operations

    • The security of staff, devices, and data is one of the biggest challenges facing organizations with a global footprint. Working and traveling in unpredictable environments will aways carry a degree of risk, but organizations can do much to develop a safer and more secure working environment.
    • Compromised or stolen devices can provide threat actors with access to data that could compromise the organization’s strategic, economic, or competitive advantage or expose the organization to regulatory risk.
    • For many organizations, security risk assessments, security plans, travel security procedures, security training, and incident reporting systems are a key part of their operating language.
    • The following section provides a simple structure to help organizations demystify travel in high-risk jurisdictions.

    The image contains a diagram to present high-risk jurisdictions.

    Before you leave

    • Identify high-risk countries.
    • Enable controls.
    • Limit what you pack.

    During your trip

    • Assume you are monitored.
    • Limit access to systems.
    • Prevent theft.

    When you return

    • Change your password.
    • Restore your devices.

    Case study

    Higher Education: Camosun College

    Interview: Evan Garland

    Frame additional security controls as a value-added service.

    Situation

    The director of the international department at Camosun College reached out to IT security for additional support. Department staff often traveled to hostile environments. They were concerned malicious agents would either steal end-user devices or compromise them and access sensitive data. The director asked IT security for options that would better protect traveling staff, their devices, and the information they contain.

    Challenges

    First, controls would need to admit both work and personal use of corporate devices. Staff relied exclusively on work devices for travel to mitigate the risk of personal device theft. Personal use of corporate devices during travel was common. Second, controls needed to strike the right balance between friction and effortless access. Traveling staff had only intermittent access to IT support. Restrictive controls could prevent them from accessing their devices and data altogether.

    Solution

    IT consulted staff to discuss light-touch solutions that would secure devices without introducing too much complexity or compromising functionality. They then planned security controls that involved user interaction and others that did not and identified training requirements.

    Results

    Controls with user interaction

    Controls without user interaction

    • Multifactor authentication for college systems and collaboration platforms
    • Password manager for both work and personal use for staff for stronger passwords and practices
    • Security awareness training to help traveling staff identify potential threats while traveling through airports or accessing public Wi-Fi.
    • Drive encryption and always-on VPN to protect data at rest and in transit
    • Increased setting for phishing and spam filtering for traveling staff email
    • Enhanced anti-malware/endpoint detection and response (EDR) solution for traveling laptops

    Build a program to mitigate travel risks

    There is no one-size-fits-all solution.

    The most effective solution will take advantage of existing risk management policies, processes, and procedures at your organization.

    • Develop a framework. Outline the organization’s approach to high-risk travel, including the policies, procedures, and mechanisms put in place to ensure safe travel to high-risk jurisdictions.
    • Draft a policy. Outline the organization’s risk attitude and key security principles and define roles and responsibilities. Include security responsibilities and obligations in job descriptions of staff members and senior managers.
    • Provide flexible options. Inherent travel risk will vary from one jurisdiction to another. You will likely not find an approach that works for every case. Establish locally relevant measures and plans in different security contexts and risk environments.
    • Look for quick wins. Identify measures or requirements that you can establish quickly but that can have a positive effect on the security of staff, data, and devices.
    • Monitor and review. Undertake periodic reviews of the organization’s security approach and management framework, as well as their implementation, to ensure the framework remains effective.

    3.2.1 Develop a travel policy

    1. Work with your business leaders to build a travel policy for high-risk jurisdictions. The policy should be a short and accessible document structured around four key sections:
      • A statement on the importance of staff security and safety, the scope of the policy, and who it applies to (staff, consultants, contractors, volunteers, visitors, accompanying dependants, etc.).
      • A principles section explaining the organization’s security culture, risk attitude, and the key principles that shape the organization’s approach to staff security and safety.
      • A responsibilities section setting out the organization’s security risk management structure and the roles and actions allocated to specific positions.
      • A minimal security requirements section establishing the specific security requirements that must be in place in all locations and specific locations.
    2. Common security principles include:
    • Shared responsibility – Managing risks to staff is a shared organizational responsibility.
    • Acknowledgment of risk – Managing security will not remove all risks. Staff need to appreciate, as part of their informed consent, that they are still exposed to risk.
    • Primacy of life – Staff safety is of the highest importance. Staff should never place themselves at excessive risk to meet program objectives or protect property.
    • Proportionate risk – Risks must be assessed to ensure they are proportionate to the benefits organizational activities provide and the ability to manage those risks.
    • Right to withdraw – Staff have the right to withdraw from or refuse to take up work in a particular area due to security concerns.
    • No right to remain – The organization has the right to suspend activities that it considers too dangerous.
  • Cross-reference the organization’s other governing policies that outline requirements related to security risk management, such as the health and safety policy, access control policy, and acceptable use of security assets.
  • Input

    Output

    • List of high-risk jurisdictions
    • Risk scenarios from Phase 2
    • Data inventory and data flows
    • Travel policy for high-risk jurisdictions

    Materials

    Participants

    • Whiteboard/flip charts
    • Jurisdictional Risk Register and Heatmap Tool
    • Security team
    • Legal team
    • IT leadership
    • Risk Management

    Develop security plans for high-risk travel

    Security plans advise staff on how to manage the risk identified in assessments.

    Security plans are key country documents that outline the security measures and procedures in place and the responsibilities and resources required to implement them. Security plans should be established in high-risk jurisdictions where your organization has a regular, significant presence. Security plans must remain relevant and accessible documents that address the specific risks that exist in that location, and, if appropriate, are specific about where the measures apply and who they apply to. Plans should be updated regularly, especially following significant incidents or changes in the operating environment or activities.

    Key Components

    Critical information – One-page summary of pertinent information for easy access and quick reference (e.g. curfew times, no-go areas, important contacts).

    Overview – Purpose and scope of the document, responsibilities for security plan, organization’s risk attitude, date of completion and review date, and a summary of the security strategy and policy.

    Current Context – Summary of current operating context and overall security situation; main risks to staff, assets, and operations; and existing threats and risk rating.

    Procedures – Simple security procedures that staff should adhere to in order to prevent incidents and how to respond should problems arise. Standard operating procedures (SOPs) should address key risks identified in the assessment.

    Security levels – The organization's security levels/phases, with situational indicators that reflect increasing risks to staff in that context and location and specific actions/measures required in response to increasing insecurity.

    Incident reporting – The procedures and responsibilities for reporting security-related incidents; for example, the type of incidents to be reported, the reporting structure, and the format for incident reporting.

    Determine travel risk

    Tailor your risk response to the security risk assessment you conducted in earlier stages of this project.

    Ratings are formulated by assessing several types of risk, including conflict, political/civil unrest, terrorism, crime, and health and infrastructure risks.

    Rating

    Description (Examples)

    Recommended Action

    Low

    Generally secure with adequate physical security. Low violent crime rates. Some civil unrest during significant events. Acts of terrorism rare. Risks associated with natural disasters limited and health threats mainly preventable.

    Basic personal security, travel, and health precautions required.

    Moderate

    Periodic civil unrest. Antigovernment, insurgent, or extremist groups active with sporadic acts of terrorism. Staff at risk from common and violent crime. Transport and communications services are unreliable and safety records are poor. Jurisdiction prone to natural disasters or disease epidemics.

    Increased vigilance and routine security procedures required.

    High

    Regular periods of civil unrest, which may target foreigners. Antigovernment, insurgent, or extremist groups very active and threaten political or economic stability. Violent crime rates high and targeting of foreigners is common. Infrastructure and emergency services poor. May be regular disruption to transportation or communications services. Certain areas off-limits to foreigners. Jurisdictions experiencing a natural disaster or a disease epidemic are considered high risk.

    High level of vigilance and effective, context-specific security precautions required.

    Extreme

    Undergoing active conflict or persistent civil unrest. Risk of being caught up in a violent incident or attack is very high. Civil authorities may have lost control of significant portions of the country. Lines between criminality and political and insurgent violence are blurred. Foreigners are likely to be denied access to significant parts of the country. Transportation and communication services are severely degraded or non-existent. Violence presents a direct threat to staff security.

    Stringent security precautions essential and may not be sufficient to prevent serious incidents.

    Program activities may be suspended and staff withdrawn at very short notice.

    3.2.2 Develop travel procedures

    1. Work with your business leaders to build travel procedures for high-risk jurisdictions. The procedures should be tailored to the risk assessment and address the risk scenarios identified in Phase 2.
    2. Use the categories outlined in the next two slides to structure the procedure. Address all types of travel, detail security measures, and outline what the organization expects of travelers before, during, and after their trip.
    3. Consider the implementation of special measures to limit the impact of a potential security event, including:
      • Information end-user device loaner programs.
      • Temporary travel service email accounts.
    4. Specify what happens when staff add personal travel to their work trip to cover issues such as insurance, check-in, actual travel times, etc.
    5. Discuss the rationale for each procedure. Ensure the components align with the policy statements outlined in the high-risk travel policy developed in the previous step.

    Input

    Output

    • List of high-risk jurisdictions
    • Risk scenarios from Phase 2
    • High-risk travel policy
    • Travel procedures for high-risk jurisdictions

    Materials

    Participants

    • Whiteboard/flip charts
    • Jurisdictional Risk Register and Heatmap Tool
    • Security team
    • Legal team
    • IT leadership
    • Risk Management

    Draft procedures to mitigate travel risks

    Address all types of travel, detail security measures, and outline what the organization expects of travelers before, during, and after their trip

    Introduction

    Clarifies who the procedures apply to. Highlights any differences in travel security requirements or support provided to staff, consultants, partners, and official visitors.

    Travel risk ratings

    Explains the travel or country risk rating system, how staff access the information, the different categories and indicators, and their implications.

    Roles and responsibilities

    Clarifies the responsibilities of travelers, their line managers or contact points, and senior management regarding travel security and how this changes for destinations with higher risk ratings.

    Travel authorization

    Stipulates who in the organization authorizes travel, the various compliance measures required, and how this changes for destinations with higher risk ratings.

    Travel risk assessment

    Explains when travel risk assessments are required, the template that should be used, and who approves the completed assessments.

    Travel security procedures should specify what happens when staff add personal travel to their work trip to cover issues such as insurance, check-in, actual travel times, etc.

    Pre-travel briefings

    Outlines the information that must be provided to travelers prior to departure, the type of briefing required and who provides it, and how these requirements change as risk ratings increase.

    Security training

    Explain security training required prior to travel. This may vary depending on the country’s risk rating. Includes information on training waiver system, including justifications and authorization.

    Traveler profile forms

    Travelers should complete a profile form, which includes personal details, emergency contacts, medical details, social media footprint, and proof-of-life questions (in contexts where there are abduction risks).

    Check-in protocol

    Specifies who travelers must maintain contact with while traveling and how often, as well as the escalation process in case of loss of contact. The frequency of check-ins should reflect the increase in the risk rating for the destination.

    Emergency procedures

    Outlines the organization's emergency procedures for security and medical emergencies.

    3.2.3 Design high-risk travel guidelines

    • Supplement the high-risk travel policies and procedures with guidelines to help international travelers stay safe.
    • The document is intended for an end-user audience and should reflect your organization’s policies and procedures for the use of information and information systems during international travel.
    • Use the Digital Safety Guidelines for International Travel template in concert with this blueprint to provide guidance on what end users can do to stay safe before they leave, during their trip, and when they return.
    • Consider integrating the guidelines into specialized security awareness training sessions that target end users who travel to high-risk jurisdictions.
    • The guidelines should supplement and align with existing technical controls.

    Input

    Output

    • List of high-risk jurisdictions
    • Risk scenarios from Phase 2
    • High-risk travel policy
    • High-risk travel procedure
    • Travel guidelines for high-risk jurisdictions

    Materials

    Participants

    • Whiteboard/flip charts
    • Jurisdictional Risk Register and Heatmap Tool
    • Security team
    • Legal team
    • IT leadership
    • Risk Management

    Download the Digital Safety Guidelines for International Travel template

    Step 3.3

    Mitigate Compliance Risk

    Activities

    3.3.1 Identify data localization obligations

    3.3.2 Integrate obligations into IT system design

    3.3.3 Document data processing activities

    3.3.4 Choose the right mechanism

    3.3.5 Implement the appropriate controls

    3.3.6 Identify data breach notification obligations

    3.3.7 Integrate data breach notification into incident response

    3.3.8 Identify vendor security and data protection requirements

    3.3.9 Build due diligence questionnaire

    3.3.10 Build appropriate data processing agreement

    This step involves the following participants:

    • Security team
    • Risk and Compliance
    • IT leadership (optional)

    Outcomes of this step

    • Prioritize and treat global risks to critical assets based on their value and exposure.

    Compliance risk is a prevalent risk in organizations with a global footprint

    • The legal and regulatory landscape is evolving rapidly to keep step with the pace of technological change. Security and privacy leaders are expected to mitigate the risk of noncompliance as the organization expands to new jurisdictions.
    • Organizations with a global footprint must stay abreast of local regulations and provide risk management guidance to business leaders to support global operations.
    • This sections describes four compliance risks in this context:
      • Cross-border data transfer
      • Third-party risk management
      • Data breach notification
      • Data residency

    Compliance with local obligations

    Likelihood: Medium to High

    Impact: High

    Data Residency

    Gap Controls

    • Identify and document the data localization obligations for the jurisdictions that the organization is operating in.
    • Design and implement IT systems that satisfy the data localization requirements.
    • Comply with data localization obligations within each jurisdiction.

    Heatmap of Global Data Residency Regulations

    The image contains a screenshot of a picture of a world map with various shades of blue to demonstrate the heatmap of global data residency regulations.
    Source: InCountry, 2021

    Examples of Data Residency Requirements

    Country

    Data Type

    Local Storage Requirements

    Australia

    Personal data – heath record

    My Health Records Act 2012

    China

    Personal information — critical information infrastructure operators

    Cybersecurity law

    Government cloud data

    Opinions of the Office of the Central Leading Group for Cyberspace Affairs on Strengthening Cybersecurity Administration of Cloud Computing Services for Communist Party and Government Agencies

    India

    Government email data

    The Public Records Act of 1993

    Indonesia

    Data held by electronic system operator for the public service

    Regulation 82 concerning “Electronic System and Transaction Operation”

    Germany

    Government cloud service data

    Criteria for the procurement and use of cloud services by the federal German administration

    Russia

    Personal data

    The amendments of Data Protection Act No. 152 FZ

    Vietnam

    Data held by internet service providers

    The Decree on Management, Provision, and Use of Internet Services and Information Content Online (Decree 72)

    US

    Government cloud service data

    Defense Federal Acquisition Regulation Supplement: Network Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013-D018)

    3.3.1 Identify data localization obligations

    1-2 hours

    1. Work with your business leaders to identify and document the jurisdictions where your organization is operating in or providing services and products to consumers within.
    2. Work with your legal team to identify and document all relevant data localization obligations for the data your organization generates, collects, and processes in order to operate your business.
    3. Record your data localization obligations in the table below.

    Jurisdiction

    Relevant Regulations

    Local Storage Requirements

    Date Type

    Input

    Output

    • List of jurisdictions your organization is operating in
    • Relevant security and data protection regulations
    • Data inventory and data flows
    • Completed list of data localization obligations

    Materials

    Participants

    • Guidelines for Compliance With Local Security and Privacy Laws Template
    • Privacy team
    • Security team
    • Legal team
    • IT leadership
    • Risk Management

    Download the Guidelines for Compliance With Local Security and Privacy Laws Template

    3.3.2 Integrate obligations into your IT system design

    1-2 hours

    1. Work with your IT department to design the IT architecture and systems to satisfy the data localization requirements.
    2. The table below provides a checklist for integrating privacy considerations into your IT systems.

    Item

    Consideration

    Answer

    Supporting Document

    1

    Have you identified business services that process data that will be subject to localization requirements?

    2

    Have you identified IT systems associated with the business services mentioned above?

    3

    Have you established a data inventory (i.e. data types, business purposes) for the IT systems mentioned above?

    4

    Have you established a data flow diagram for the data identified above?

    5

    Have you identified the types of data that should be stored locally?

    6

    Have you confirmed whether a copy of the data locally stored will satisfy the obligations?

    7

    Have you confirmed whether an IT redesign is needed or whether modifications (e.g. adding a server) to the IT systems would satisfy the obligations?

    8

    Have you confirmed whether access from another jurisdiction is allowed?

    9

    Have you identified how long the data should be stored?

    Input

    Output

    • Data localization obligations
    • Business services that process data that will be subject to localization requirements
    • IT systems associated with business services
    • Data inventory and data flows
    • Completed checklist of localization obligations for IT system design

    Materials

    Participants

    • Guidelines for Compliance With Local Security and Privacy Laws Template
    • Privacy team
    • Security team
    • Legal team
    • IT leadership
    • Risk Management

    Download the Guidelines for Compliance With Local Security and Privacy Laws Template

    Compliance with local obligations

    Likelihood: Medium to High

    Impact: High

    Cross-Border Transfer

    Gap Controls

    • Know where you transfer your data.
    • Identify jurisdictions that your organization is operating in and that impose different requirements for the cross-border transfer of personal data.
    • Adopt and implement a proper cross-border data transfer mechanism in accordance with applicable privacy laws and regulations.
    • Re-evaluate at appropriate intervals.

    Which cross-border transfer mechanism should I choose?

    Transfer Mechanism

    Advantages

    Disadvantages

    Standard Contractual Clauses (SCC)

    • Easy to implement
    • No DPA (data processing agreement) approval
    • Not suitable for complex data transfers
    • Do not meet business agility
    • Needs legal solution

    Binding Corporate Rules (BCRs)

    • Meets business agility needs
    • Raises trust in the organization
    • Doubles as solution for art. 24/25 of the GDPR
    • Sets high compliance maturity level
    • Takes time to draft/implement
    • Requires DPA approval (scrutiny)
    • Requires culture of compliance
    • Approved by one "lead" authority and two other "co-lead“ authorities
    • Takes usually between six and nine months for the approval process only

    Code of Conduct

    • Raises trust in the sector
    • Self-regulation instead of law
    • No code of conduct approved yet
    • Takes time to draft/implement
    • Requires DPA approval and culture of compliance
    • Needs of organization may not be met

    Certification

    • Raises trust in the organization
    • No certification schemes available yet
    • Risk of compliance at minimum necessary
    • Requires audits

    Consent

    • Legal certainty
    • Transparent
    • Administrative burden
    • Some data subjects are incapable of consenting all or nothing

    3.3.3 Document data processing activities

    1-2 hours

    1. Identify and document the following information:
      • Name of business process
      • Purposes of processing
      • Lawful basis
      • Categories of data subjects and personal data
      • Data subject categories
      • Which system the data resides in
      • Recipient categories
      • Third country/international organization
      • Documents for appropriate safeguards for international transfer (adequacy, SCCs, BCRs, etc.)
      • Description of mitigating measures

    Input

    Output

    • Name of business process
    • Categories of personal data
    • Which system the data resides
    • Third country/international organization
    • Documents for appropriate safeguards for international transfer
    • Completed list of data processing activities

    Materials

    Participants

    • Guidelines for Compliance With Local Security and Privacy Laws Template
    • Privacy team
    • Security team
    • Legal team
    • IT leadership
    • Risk Management

    Download the Guidelines for Compliance With Local Security and Privacy Laws Template

    3.3.4 Choose the right mechanism

    1-2 hours

    1. Identify jurisdictions that your organization is operating in and that impose different requirements for the cross-border transfer of personal data. For example, the EU’s GDPR and China’s Personal Information Protection Law require proper cross-border transfer mechanisms before the data transfers. Your organization should decide which cross-border transfer mechanism is the best fit for your cross-border data transfer scenarios.
    2. Use the following table to identify and document the pros and cons of each data transfer mechanism and the final decision.

    Data Transfer Mechanism

    Pros

    Cons

    Final Decision

    SCC

    BCR

    Code of Conduct

    Certification

    Consent

    Input

    Output

    • List of relevant data transfer mechanisms
    • Assessment of the pros and cons of each mechanism
    • Final decision regarding which data transfer mechanism is the best fit for your organization

    Materials

    Participants

    • Guidelines for Compliance With Local Security and Privacy Laws Template
    • Privacy team
    • Security team
    • Legal team
    • IT leadership
    • Risk Management

    Download the Guidelines for Compliance With Local Security and Privacy Laws Template

    3.3.5 Implement the appropriate controls

    1-3 hours

    • One of the most common mechanisms is standard contractual clauses (SCCs).
    • Use Info-Tech’s Standard Contractual Clauses Template to facilitate your cross-border transfer activities.
    • Identify and check whether the following core components are covered in your SCC and record the results in the table below.
    # Core Components Status Note
    1 Purpose and scope
    2 Effect and invariability of the Clauses
    3 Description of the transfer(s)
    4 Data protection safeguards
    5 Purpose limitation
    6 Transparency
    7 Accuracy and data minimization
    8 Duration of processing and erasure or return of data
    9 Storage limitation
    10 Security of processing
    11 Sensitive data
    12 Onward transfers
    13 Processing under the authority of the data importer
    14 Documentation and compliance
    15 Use of subprocessors
    16 Data subject rights
    17 Redress
    18 Liability
    19 Local laws and practices affecting compliance with the Clauses
    20 Noncompliance with the Clauses and termination
    21 Description of data processing activities, such as list of parties, description of transfer, etc.
    22 Technical and organizational measures
    InputOutput
    • Description of the transfer(s)
    • Duration of processing and erasure or return of data
    • Onward transfers
    • Use of subprocessors
    • Etc.
    • Draft of the standard contractual clauses (SCC)
    MaterialsParticipants
    • Guidelines for Compliance With Local Security and Privacy Laws Template
    • Legal team
    • Privacy team
    • Security team
    • IT leadership
    • Risk Management

    Download the Guidelines for Compliance With Local Security and Privacy Laws Template

    Compliance with local obligations

    Likelihood: High

    Impact: Medium to High

    Data Breach

    Gap Controls

    • Identify jurisdictions that your organization is operating in and that impose different obligations for data breach reporting.
    • Document the notification obligations for various business scenarios, such as controller to DPA, controller to data subject, and processor to controller.
    • Integrate breach notification obligations into security incident response process.

    Examples of Data Breach Notification Obligations

    Location

    Regulation/ Standard

    Reporting Obligation

    EU

    GDPR

    72 hours

    China

    PIPL

    Immediately

    US

    HIPAA

    No later than 60 days

    Canada

    PIPEDA

    As soon as feasible

    Global

    PCI DSS

    • Visa – immediately after breach discovered
    • Mastercard – within 24 hours of discovering breach
    • American Express – immediately after breach discovered

    Summary of US State Data Breach Notification Statutes

    The image contains a graph to show the summary of the US State Data Breach Notification Statutes.

    Source: Davis Wright Tremaine

    3.3.6 Identify data breach notification obligations

    1-2 hours

    1. Identify jurisdictions that your organization is operating in and that impose different obligations for data breach reporting.
    2. Document the notification obligations for various business scenarios, such as controller to DPA, controller to data subject, and processor to controller.
    3. Record your data breach obligations in the table below.
    Region Regulation/Standard Reporting Obligation

    Input

    Output

    • List of regions and jurisdictions your business is operating in
    • List of relevant regulations and standards
    • Documentation of data breach reporting obligations in applicable jurisdictions

    Materials

    Participants

    • Guidelines for Compliance With Local Security and Privacy Laws Template
    • Legal team
    • Privacy team
    • Security team
    • IT leadership
    • Risk Management

    Download the Guidelines for Compliance With Local Security and Privacy Laws Template

    3.3.7 Integrate data breach notification into incident response

    1-2 hours

    • Integrate breach notification obligations into the security incident response process. Understand the security incident management framework.
    • All incident runbooks follow the same process: detection, analysis, containment, eradication, recovery, and post-incident activity.
    • The table below provides a basic checklist for you to consider when implementing your data breach and incident handling process.
    # Phase Considerations Status Notes
    1 Prepare Ensure the appropriate resources are available to best handle an incident.
    2 Detect Leverage monitoring controls to actively detect threats.
    3 Analyze Distill real events from false positives.
    4 Contain Isolate the threat before it can cause additional damage.
    5 Eradicate Eliminate the threat from your operating environment.
    6 Recover Restore impacted systems to a normal state of operations.
    7 Report Report data breaches to relevant regulators and data subjects if required.
    8 Post-Incident Activities Conduct a lessons-learned post-mortem analysis.
    InputOutput
    • Security and data protection incident response steps
    • Key considerations for integrating data breach notifications into incident response
    • Data breach notifications integrated into the incident response process
    MaterialsParticipants
    • Guidelines for Compliance With Local Security and Privacy Laws Template
    • Security team
    • Privacy team
    • Legal team
    • IT leadership
    • Risk Management

    Download the Guidelines for Compliance With Local Security and Privacy Laws Template

    Compliance with local obligations

    Likelihood: High

    Impact: Medium to High

    Third-Party Risk

    Gap Controls

    • Build an end-to-end third-party security and privacy risk management process.
    • Perform internal due diligence prior to selecting a service provider.
    • Stipulate the security and privacy protection obligations of the third party in a legally binding document such as contract or data processing agreement, etc.

    End-to-End Third-Party Security and Privacy Risk Management

    1. Pre-Contract
    • Due diligence check
  • Signing of Contract
    • Data processing agreement
  • Post-Contract
    • Continuous monitoring
    • Regular check or audit
  • Termination of Contract
    • Data deletion
    • Access deprovisioning

    Examples of Vendor Security Management Requirements

    Region

    Law/Standard

    Section

    EU

    General Data Protection Regulation (GDPR)

    Article 28 (1)

    Article 46 (1)

    US

    Health Insurance Portability and Accountability Act (HIPAA)

    §164.308(b)(1)

    US

    New York Department of Financial Services Cybersecurity Requirements

    500.11(a)

    Global

    ISO 27002:2013

    15.1.1

    15.1.2

    15.1.3

    15.2.1

    15.2.2

    US

    NIST 800-53

    SA-12

    SA-12 (2)

    US

    NIST Cybersecurity Framework

    ID-SC-1

    ID-SC-2

    ID-SC-3

    ID-SC-4

    Canada

    OSFI Cybersecurity Guidelines

    4.25

    4.26

    3.3.8 Identify vendor security and data protection requirements

    1-2 hours

    • Effective vendor security risk management is an end-to-end process that includes assessment, risk mitigation, and periodic reassessments.
    • An efficient and effective assessment process can only be achieved when all stakeholders are participating.
    • Identify and document your vendor security and data protection requirements in the table below.
    Region Law/Standard Section Requirements

    Input

    Output

    • List of regions and jurisdictions your business is operating in
    • List of relevant regulations and standards
    • Documentation of vendor security and data protection obligations in applicable jurisdictions

    Materials

    Participants

    • Guidelines for Compliance With Local Security and Privacy Laws Template
    • Legal team
    • Privacy team
    • Security team
    • IT leadership
    • Risk Management

    Download the Guidelines for Compliance With Local Security and Privacy Laws Template

    3.3.9 Build due diligence questionnaire

    1-2 hours

    Perform internal due diligence prior to selecting a service provider.

    1. Build and right-size your vendor security questionnaire by leveraging Info-Tech’s Vendor Security Questionnaire template.
    2. Document your vendor security questionnaire in the table below.
    # Question Vendor Request Vendor Comments
    1 Document Requests
    2 Asset Management
    3 Governance
    4 Supply Chain Risk Management
    5 Identify Management, Authentication, and Access Control
    InputOutput
    • List of regions and jurisdictions your business is operating in
    • List of relevant regulations and standards
    • Business security and data protection requirements and expectations
    • Draft of due diligence questionnaire
    MaterialsParticipants
    • Guidelines for Compliance With Local Security and Privacy Laws Template
    • Legal team
    • Privacy team
    • Security team
    • IT leadership
    • Risk Management

    Download the Guidelines for Compliance With Local Security and Privacy Laws Template

    3.3.10 Build appropriate data processing agreement

    1-2 hours

    1. Stipulate the security and privacy protection obligations of the third party in a legally binding document such as contract or data processing agreement, etc.
    2. Leverage Info-Tech’s Data Processing Agreement Template to put the language into your legally binding document.
    3. Use the table below to check whether core components of a typical DPA are covered in your document.
    # Core Components Status Note
    1 Processing of personal data
    2 Scope of application and responsibilities
    3 Processor's obligations
    4

    Controller's obligations

    5 Data subject requests
    6 Right to audit and inspection
    7 Subprocessing
    8 Data breach management
    9 Security controls
    10 Transfer of personal data
    11 Duty of confidentiality
    12 Compliance with applicable laws
    13 Service termination
    14 Liability and damages
    InputOutput
    • Processing of personal data
    • Processor’s obligations
    • Controller’s obligations
    • Subprocessing
    • Etc.
    • Draft of data processing agreement (DPA)
    MaterialsParticipants
    • Guidelines for Compliance With Local Security and Privacy Laws Template
    • Legal team
    • Privacy team
    • Security team
    • IT leadership
    • Risk Management

    Download the Guidelines for Compliance With Local Security and Privacy Laws Template

    Summary of Accomplishment

    Problem Solved

    By following Info-Tech’s methodology for securing global operations, you have:

    • Evaluated the security context of your organization’s global operations.
    • Identified security risks scenarios unique to high-risk jurisdictions and assessed the exposure of critical assets.
    • Planned and executed a response.

    You have gone through a deeper analysis of two key risk scenarios that affect global operations:

    • Travel to high-risk jurisdictions.
    • Compliance risk.

    If you would like additional support, have our analysts guide you through an Info-Tech workshop or Guided Implementation.

    Contact your account representative for more information.

    workshop@infotech.com

    1-888-670-8889

    Additional Support

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech Workshop.

    The image contains a picture of Michel Hebert.

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team. Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    The image contains a screenshot of High-Risk Travel Jurisdictions.

    Identify High-Risk Jurisdictions

    Develop requirements to identify high-risk jurisdictions.

    The image contains a screenshot of Build Risk Scenarios.

    Build Risk Scenarios

    Build risk scenarios to capture assets, vulnerabilities, threats, and the potential effect of a compromise.

    External Research Contributors

    Ken Muir

    CISO

    LMC Security

    Premchand Kurup

    CEO

    Paramount Computer Systems

    Preeti Dhawan

    Manager, Security Governance

    Payments Canada

    Scott Wiggins

    Information Risk and Governance

    CDPHP

    Fritz Y. Jean Louis

    CISO

    Globe and Mail

    Eric Gervais

    CIO

    Ovivo Water

    David Morrish

    CEO

    MBS Techservices

    Evan Garland

    Manager, IT Security

    Camosun College

    Jacopo Fumagalli

    CISO

    Axpo

    Dennis Leon

    Governance and Security Manager

    CPA Canada

    Tero Lehtinen

    CIO

    Planmeca Oy

    Related Info-Tech Research

    Build an IT Risk Management Program

    • Build a program to identify, evaluate, assess, and treat IT risks.
    • Monitor and communicate risks effectively to support business decision making.

    Combine Security Risk Management Components Into One Program

    • Develop a program focused on assessing and managing information system risks.
    • Build a governance structure that integrates security risks within the organization’s broader approach to risk management.

    Build an Information Security Strategy

    • Build a holistic, risk-aware strategy that aligns to business goals.
    • Develop a roadmap of prioritized initiatives to implement the strategy over 18 to 36 months.

    Bibliography

    2022 Cost of Insider Threats Global Report.” Ponemon Institute, NOVIPRO, 9 Feb. 2022. Accessed 25 May 22.

    “Allianz Risk Barometer 2022.” Allianz Global Corporate & Specialty, Jan. 2022. Accessed 25 May 22.

    Bickley, Shaun. “Security Risk Management: a basic guide for smaller NGOs”. European Interagency Security Forum (EISF), 2017. Web.

    “Biden Administration Warns against spyware targeting dissidents.” New York Times, 7 Jan 22. Accessed 20 Jan 2022.

    Boehm, Jim, et al. “The risk-based approach to cybersecurity.” McKinsey & Company, October 2019. Web.

    “Cost of a Data Breach Report 2021.” IBM Security, July 2021. Web.

    “Cyber Risk in Asia-Pacific: The Case for Greater Transparency.” Marsh & McLennan Companies, 2017. Web.

    “Cyber Risk Index.” NordVPN, 2020. Accessed 25 May 22

    Dawson, Maurice. “Applying a holistic cybersecurity framework for global IT organizations.” Business Information Review, vol. 35, no. 2, 2018, pp. 60-67.

    “Framework for improving critical infrastructure cybersecurity.” National Institute of Standards and Technology, 16 Apr 2018. Web.

    “Global Cybersecurity Index 2020.” International Telecommunication Union (ITU), 2021. Accessed 25 May 22.

    “Global Risk Survey 2022.” Control Risks, 2022. Accessed 25 May 22.

    “International Travel Guidance for Government Mobile Devices.” Federal Mobility Group (FMG), Aug. 2021. Accessed 18 Nov 2021.

    Kaffenberger, Lincoln, and Emanuel Kopp. “Cyber Risk Scenarios, the Financial System, and Systemic Risk Assessment.” Carnegie Endowment for International Peace, September 2019. Accessed 11 Jan 2022.

    Koehler, Thomas R. Understanding Cyber Risk. Routledge, 2018.

    Owens, Brian. “Cybersecurity for the travelling scientist.” Nature, vol. 548, 3 Aug 2017. Accessed 19 Jan. 2022.

    Parsons, Fintan J., et al. “Cybersecurity risks and recommendations for international travellers.” Journal of Travel Medicine, vol. 1, no. 4, 2021. Accessed 19 Jan 2022.

    Quinn, Stephen, et al. “Identifying and estimating cybersecurity risk for enterprise risk management.” National Institute of Standards and Technology (NIST), Interagency or Internal Report (IR) 8286A, Nov. 2021.

    Quinn, Stephen, et al. “Prioritizing cybersecurity risk for enterprise risk management.” NIST, IR 8286B, Sept. 2021.

    “Remaining cyber safe while travelling security recommendations.” Government of Canada, 27 April 2022. Accessed 31 Jan 2022.

    Stine, Kevin, et al. “Integrating cybersecurity and enterprise risk management.” NIST, IR 8286, Oct. 2020.

    Tammineedi, Rama. “Integrating KRIs and KPIs for effective technology risk management.” ISACA Journal, vol. 4, 1 July 2018.

    Tikk, Eneken, and Mika Kerttunen, editors. Routledge Handbook of International Cybersecurity. Routledge, 2020.

    Voo, Julia, et al. “National Cyber Power Index 2020.” Belfer Center for Science and International Affairs, Harvard Kennedy School, Sept. 2020. Web.

    Zhang, Fang. “Navigating cybersecurity risks in international trade.” Harvard Business Review, Dec 2021. Accessed 31 Jan 22.

    Appendix

    Insider Threat

    Key Risk Scenario

    Likelihood: Medium to High

    Impact: High

    Gap Controls

    The image contains a picture of the Gap Controls. The controls include: Policy and Awareness, Identification, Monitoring and Visibility, which leads to Cooperation.

    • Identification: Effective and efficient management of insider threats begins with a threat and risk assessment to establish which assets and which employees to consider, especially in jurisdictions associated with sensitive or critical data. You need to pay extra attention to employees who are working in satellite offices in jurisdictions with loose security and privacy laws.
    • Monitoring and Visibility: Organizations should monitor critical assets and groups with privileged access to defend against malicious behavior. Implement an insider threat management platform that provides your organization with the visibility and context into data movement, especially cross-border transfers that might cause security and privacy breaches.
    • Policy and Awareness Training: Insider threats will persist without appropriate action and culture change. Training and consistent communication of best practices will mitigate vulnerabilities to accidental or negligent attacks. Customized training materials using local languages and role-based case studies might be needed for employees in high-risk jurisdictions.
    • Cooperation: An effective insider threat management program should be built with cross-team functions such as Security, IT, Compliance and Legal, etc.

    For more holistic approach, you can leverage our Reduce and Manage Your Organization’s Insider Threat Risk blueprint.

    Info-Tech Insight

    You can’t just throw tools at a human problem. While organizations should monitor critical assets and groups with privileged access to defend against malicious behavior, good management and supervision can help detect attacks and prevent them from happening in the first place.

    Insider threats are not industry specific, but malicious insiders are

    Industry

    Actors

    Risks

    Tactics

    Motives

    State and Local Government

    • Full-time employees
    • Current employees
    • Privileged access to personally identifiable information, financial assets, and physical property
    • Abuse of privileged access
    • Received or transferred fraudulent funds
    • Financial gain
    • Recognition
    • Benefiting foreign entity

    Information Technology

    • Equal mix of former and current employees
    • Privileged access to networks or systems as well as data
    • Highly technical attacks
    • Received or transferred fraudulent funds
    • Revenge
    • Financial gain

    Healthcare

    • Majority were full-time and current employees
    • Privileged access to customer data with personally identifiable information, financial assets
    • Abuse of privileged access
    • Received or transferred fraudulent funds
    • Financial gain
    • Entitlement

    Finance and Insurance

    • Majority were full-time and current employees
    • Authorized users
    • Electronic financial assets
    • Privileged access to customer data
    • Created or used fraudulent accounts
    • Fraudulent purchases
    • Identity theft
    • Financial gain
    • Gambling addiction
    • Family pressures
    • Multiple motivations

    Source: Carnegie Mellon University Software Engineering Institute, 2019

    Advanced Persistent Threat

    Key Risk Scenario #4

    Likelihood: Medium to High

    Impact: High

    Gap Controls

    The image contains a screenshot of the Gap Controls listed: Prevent, Detect, Analyze, Respond.

    Prevent: Defense in depth is the best approach to protect against unknown and unpredictable attacks. Effective anti-malware, diligent patching and vulnerability management, and strong human-centric security are essential.

    Detect: There are two types of companies – those who have been breached and know it, and those who have been breached and don’t know it. Ensure that monitoring, logging, and event detection tools are in place and appropriate to your organizational needs.

    Analyze: Raw data without interpretation cannot improve security and is a waste of time, money, and effort. Establish a tiered operational process that not only enriches data but also provides visibility into your threat landscape.

    Respond: Organizations can’t rely on ad hoc response anymore – don’t wait until a state of panic. Formalize your response processes in a detailed incident runbook to reduce incident remediation time and effort.

    Best practices moving forward

    Defense in Depth

    Lock down your organization. Among other tactics, control administrative privileges, leverage threat intelligence, use IP whitelisting, adopt endpoint protection and two-factor authentication, and formalize incident response measures.

    Block Indicators

    Information alone is not actionable. A successful threat intelligence program contextualizes threat data, aligns intelligence with business objectives, and then builds processes to satisfy those objectives. Actively block indicators and act upon gathered intelligence.

    Drive Adoption

    Create organizational situational awareness around security initiatives to drive adoption of foundational security measures: network hardening, threat intelligence, red-teaming exercises, and zero-day mitigation, policies, and procedures.

    Supply Chain Security

    Security extends beyond your organization. Ensure your organization has a comprehensive view of your organizational threat landscape and a clear understanding of the security posture of any managed service providers in your supply chain.

    Awareness and Training

    Conduct security awareness and training. Teach end users how to recognize current cyberattacks before they fall victim – this is a mandatory first line of defense.

    Additional Resources

    Follow only official sources of information to help you assess risk

    The image contains an image highlighting a few additional resources.

    As misinformation is a major attack vector for malicious actors, follow only reliable sources for cyberalerts and actionable intelligence. Aggregate information from these reliable sources.

    Federal Cyber Agency Alerts

    Informational Resources

    Info-Tech Insight

    The CISA Shields Up site provides the latest cyber risk updates on the Russia-Ukraine conflict and should provide the most value in staying informed.

    The Essential COVID-19 Childcare Policy for Every Organization, Yesterday

    • Buy Link or Shortcode: {j2store}598|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Manage & Coach
    • Parent Category Link: /manage-coach
    • Helping employees navigate personal and business responsibilities to find solutions that ensure both are taken care of.
    • Reducing potential disruption to business operations through employee absenteeism due to increased care-provider responsibilities.

    Our Advice

    Critical Insight

    • Remote work is complicated by children at home with school closures. Implement alternative temporary work arrangements that allow and support employees to balance work and personal obligations.
    • Adjustments to work arrangements and pay may be necessary. Temporary work arrangements while caring for dependents over a longer-term pandemic may require adjustments to the duties carried out, number of hours worked, and adjustments to employee pay.
    • Managing remotely is more than staying in touch by phone. As a leader you will need to provide clear options that provide solutions to your employees to avoid them getting overwhelmed while taking care of the business to ensure there is a business long term.

    Impact and Result

    • Develop a policy that provides parameters around mutually agreed adjustments to performance levels while balancing dependent care with work during a pandemic.
    • Take care of the business through clear guidelines on compensation while taking care of the health and wellness of your people.
    • Develop detailed work-from-home plans that lessen disruption to your work while taking care of children or aged parents.

    The Essential COVID-19 Childcare Policy for Every Organization, Yesterday Research & Tools

    Start here. Read The Essential COVID-19 Childcare Policy for Every Organization, Yesterday

    Read our recommendations and follow the steps to develop a policy that will help your employees work productively while managing care-provider responsibilities at home.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • The Essential COVID-19 Childcare Policy for Every Organization, Yesterday Storyboard
    • Pandemic Dependent Care Policy
    • COVID-19 Dependent Care Policy Manager Action Toolkit
    • COVID-19 Dependent Care Policy Employee Guide
    • Dependent-Flextime Agreement Template
    • Workforce Planning Tool
    • Nine Ways to Support Working Caregivers Today
    • Employee Resource Group (ERG) Charter Template
    [infographic]

    Foster Data-Driven Culture With Data Literacy

    • Buy Link or Shortcode: {j2store}132|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: $12,999 Average $ Saved
    • member rating average days saved: 115 Average Days Saved
    • Parent Category Name: Data Management
    • Parent Category Link: /data-management

    Organizations are joining the wave and adopting machine learning and artificial intelligence (AI) to unlock the value in their data and power their competitive advantage. But to succeed with these complex analytics programs, they need to begin by looking at their data – empowering their people to realize and embrace the valuable insights within the organization’s data.

    The key to achieve becoming a data-driven organization is to foster a strong data culture and equip employees with data skills through an organization-wide data literacy program.

    Our Advice

    Critical Insight

    • Start with real business problems in a hands-on format to demonstrate the value of data.
    • Use a formalized organization-wide approach to data literacy program to bridge the data skills gap.
    • Provide relevant and practical training programs tailored to different learning styles and tenures (e.g. onboarding, development plan).

    Impact and Result

    Data literacy is critical to the success of digital transformation and AI analytics. Info-Tech’s approach to creating a sustainable and effective data literacy program is recognizing it is:

    • More than just technical training. A data literacy program isn’t just about data; it encompasses aspects of business, IT, and data.
    • More than a one-off exercise. To keep the literacy skills alive the program must be regular, sustainable, and tailored to different needs across all levels of the organization.
    • More than one delivery format. Different delivery methods need to be considered to suit various learning styles to ensure an effective delivery.

    Foster Data-Driven Culture With Data Literacy Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Foster Data-Driven Culture With Data Literacy Storyboard – A step-by-step guide to help organizations build an effective and sustainable data literacy program that benefits all employees who work with data.

    Data literacy as part of the data governance strategic program should be launched to all levels of employees that will help your organization bridge the data knowledge gap at all levels of the organization. This research recommends approaches to different learning styles to address data skill needs and helps members create a practical and sustainable data literacy program.

    • Foster Data-Driven Culture With Data Literacy Storyboard

    2. Fundamental Data Literacy Program Template – A document that provides an example of a fundamental data literacy program.

    Kick off a data awareness program that explains the fundamental understanding of data and its lifecycle. Explore ways to create or mature the data literacy program with smaller amounts of information on a more frequent basis.

    • Fundamental Data Literacy Program Template
    [infographic]

    Further reading

    Foster Data-Driven Culture With Data Literacy

    Data literacy is an essential part of a data-driven culture, bridging the data knowledge gaps across all levels of the organization.

    Analyst Perspective

    Data literacy is the missing link to becoming a data-driven organization.

    “Digital transformation” and “data driven” are two terms that are inseparable. With organizations accelerating in their digital transformation roadmap implementation, organizations need to invest in developing data skills with their people. Talent is scarce and the demand for data skills is huge, with 70% of employees expected to work heavily with data by 2025. There is no time like the present to launch an organization-wide data literacy program to bridge the data knowledge gap and foster a data-driven culture.

    Data literacy training is as important as your cybersecurity training. It impacts all levels of the organization. Data literacy is critical to success with digital transformation and AI analytics.

    Annabel Lui

    Principal Advisory Director, Data & Analytics Practice
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Organizations are joining the wave and adopting machine learning (ML) and artificial intelligence (AI) to unlock the value in their data and power their competitive advantage. But to succeed with these complex analytics programs, they need to begin by empowering their people to realize and embrace the valuable insights within the organization’s data.

    The key to becoming a data-driven organization is to foster a strong data culture and equip people with data skills through an organization-wide data literacy program.

    Common Obstacles

    Challenges the data leadership is likely to face as digital transformation initiatives drive intensified competition:

    • Resistance to change
    • Technological distractions
    • “Shadow data”
    • Difficulty securing resources and skilled data professionals
    • Inability to appreciate the value of data and its meaning for users – even fear of it

    Info-Tech's Approach

    We interviewed data leaders and instructors to gather insights about investing in data:

    • Start with real business problems in a hands-on format to demonstrate the value of data.
    • Implement a formalized organization-wide approach to data literacy program to bridge the data skill gap.
    • Provide relevant and practical training programs tailored to different learning styles and tenures (e.g. onboarding,development plan).

    Info-Tech Insight

    By thoughtfully designing a data literacy training program for the audience's own experience, maturity level, and learning style, organizations build the data-driven and engaged culture that helps them to unlock their data's full potential and outperform other organizations.

    Your Challenge

    Data literacy is the missing link to drive business outcomes from data.

    • Having a data-driven culture as an organization’s mission statement without implementing a data literacy program is like making an empty promise and leaving the value unrealized and unattainable.
    • A study conducted by the Data Literacy Project clearly indicates that organizations with aggressive data literacy programs will outperform those who do not have such programs. By 2030, data literacy will be one of the most sought-after skill sets. All employees require data literacy skills.
    • Everyone has a role in data. From employees who are actively involved in data collection to operational teams who create reports with analytics tools and finally to executives who use data to make business decisions – they all require continuous data literacy training in a data-driven organization. Because of differences in maturity, data literacy strategies cannot be one-size-fits-all.

    “Data literacy is the ability to read, work with, analyze, and communicate with data. It's a skill that empowers all levels of workers to ask the right questions of data and machines, build knowledge, make decisions, and communicate meaning to others.” – Qlik, n.d.

    75% of organizational employees have access to data tools – only 21% demonstrated confidence in their data skills.

    Source: Accenture, 2020.

    89% of C-level executives expect team members to explain how data has informed their decisions, but only 11% employees are fully confident in their ability to read, analyze, work with, and communicate with data

    Source: Qlik, 2022.

    Data debt or data asset?

    Manage your data as strategic assets.

    “[Data debt is] when you have undocumented, unused, incomplete, and inconsistent data,” according to Secoda (2023). “When … data debt is not solved, data teams could risk wasting time managing reports no one uses and producing data that no one understands.”

    Signs of data debt when considering investing in data literacy:

    • Lack of definition and understanding of data terms, therefore they don’t speak the same language. Without data literacy, an organization will not succeed in becoming a data-driven organization.
    • Putting data literacy as a low priority. Organization sees this as “another” training to put on the list and keeps it on the back burner.
    • Data literacy is not seen as the number one skill set needed in the organization. However, anyone who works with data requires data skills.
    • End users are not trained on self-serve features and tools.
    • Focusing on a minority group of people rather than everyone in the organization or seeing it as a one-off exercise.
    • Delays or failure to deliver digital transformation projects due to lack of data skills and data access issues.

    66%

    of organizations say a backlog of data debt is impacting new data management initiatives.

    40%

    of organizations say individuals within the business do not trust data insights.

    30%

    of organizations are unable to become data-driven.

    Source: Experian, 2020

    Info-Tech’s Approach

    Data literacy is critical to success with digital transformation and AI analytics.

    Diagram showing components of Data literacy: 1 - Data: understand your data, 2 - Business: define the purpose, 3 - IT: Introduce new ways of working

    The Info-Tech difference:

    1. More than just technical training. Data literacy program isn’t just about data but rather encompasses aspects of business, IT, and data.
    2. More than a one-off exercise. To keep literacy skills alive, the program must be routine and sustainable, tailored to different needs across all levels of the organization.
    3. More than one delivery format. Different delivery methods need to be considered to suit various learning styles.

    Data needs to be processed

    Data – facts – are organized, processed, and given meaning to become insights.

    Data, information, knowledge, insight, wisdom

    Image source: Welocalize, 2020.

    Data represents a discrete fact or event without relation to other things (e.g. it is raining). Data is unorganized and not useful on its own.

    Information organizes and structures data so that it is meaningful and valuable for a specific purpose (i.e. it answers questions). Information is a refined form of data.

    When information is combined with experience and intuition, it results in knowledge. It is our personal map/model of the world.

    Knowledge set with context generates insight. We become knowledgeable as a result of reading, researching, and memorizing (i.e. accumulating information).

    Wisdom means the ability to make sound judgments. Wisdom synthesizes knowledge and experiences into insights.

    Investment in data literacy is a game changer.

    Data literacy is the ability to collect, manage, evaluate, and apply data in a critical manner.

    A data-driven culture is “an operating environment that seeks to leverage data whenever and wherever possible to enhance business efficiency and effectiveness” (Forbes).

    Info-Tech Insight

    Data-driven culture refers to a workplace where decisions are made based on data evidence, not on gut instinct.

    Info-Tech’s methodology for building a data literacy program

    Phase Steps

    1. Define Data Literacy Objectives

    1.1 Understand organization’s needs

    1.2 Create vision and objective for data literacy program

    2. Assess Learning Style and Align to Program Design

    2.1 Create persona and identify audience

    2.2 Assess learning style and align to program design

    2.3 Determine the right delivery method

    3. Socialize Roadmap and Milestones

    3.1 Establish a roadmap

    3.2 Set key performance metrics and milestones

    Phase Outcomes

    Identify key objectives to establish and grow the data literacy program by articulating the problem and solutions proposed.

    Assess each audience’s learning style and adapt the program to their unique needs.

    Show a roadmap with key performance indicators to track each milestone and tell a data story.

    Insight Summary

    “In a world of more data, the companies with more data-literate people are the ones that are going to win.”

    – Miro Kazakoff, senior lecturer, MIT Sloan, in MIT Sloan School of Management, 2021

    Overarching insight

    By thoughtfully designing a data literacy training program personalized to each audience's maturity level, learning style, and experience, organizations can develop and grow a data-driven culture that unlocks the data's full potential for competitive differentiation.

    Module 1 insight

    We can learn a lot from each other. Literacy works both ways – business data stewards learn to “speak data” while IT data custodians understand the business context and value. Everyone should strive to exchange knowledge.

    Module 2 insight

    Avoid traditional classroom teaching – create a data literacy program that is learner-centric to allow participants to learn and experiment with data.

    Aligning program design to those learning styles will make participants more likely to be receptive to learning a new skill.

    Module 3 insight

    A data literacy program isn’t just about data but rather encompasses aspects of business, IT, and data. With executive support and partnership with business, running a data literacy program means that it won’t end up being just another technical training. The program needs to address why, what, how questions.

    Tactical insight

    A lot of programs don’t include the fundamentals. To get data concepts to stick, focus on socializing the data/information/knowledge/wisdom foundation.

    Tactical insight

    Many programs speak in abstract terms. We present case studies and tangible use cases to personalize training to the audience’s world and showcase opportunities enabled through data.

    Key performance indicators (KPIs) for your data literacy program

    How do you know if your data literacy program is successful? Here are some useful KPIs:

    Program Adoption Metrics

    • Percentage of employees attending data literacy training
    • Percentage of participants who report gains in data management knowledge after training sessions
    • Maturity assessment result
    • Survey and diagnostic feedback before and after training
    • Trend analysis of overall data literacy program

    Operational Metrics

    • Number of requests for analytics/reporting services
    • Number of reports created by users
    • Speed and quality of business decisions
    • User satisfaction with reports and analytics services
    • Improved business performance (customer satisfaction)
    • Improved valuation of organization data

    A data-driven culture builds tools and skills, builds users’ trust in the quality of data across sources, and raises the skills and understanding among the frontlines by encouraging everyone to leverage data for critical thinking and innovation.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of the project."

    Diagnostics and consistent frameworks are used throughout all four options.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Session 1

    Session 2

    Session 3

    Session 4

    Activities

    Define Data Literacy Objectives

    1.1 Review Data Culture Diagnostic results

    1.2 Identify business context: business goals, initiatives

    1.3 Create vision and objective for data literacy program

    Assess Learning Style and Align to Program Design

    2.1 Identify audience

    2.2 Assess learning style and align to program design

    2.3 Determine the right delivery method

    Build a Data Literacy Roadmap and Milestones

    3.1 Identify program initiatives and topics

    3.2 Determine delivery methods

    3.3 Build the data literacy roadmap

    Operational Strategy to implement Data Literacy

    4.1 Identify key performance metrics

    4.2 Identify owners and document RACI matrix

    4.3 Discuss next steps and wrap up.

    Deliverables

    1. Diagnostics reports (data culture survey)
    2. Vision and value statement
    1. Assessment of audience covering all levels of organization
    1. List of key program initiatives and topics
    2. Allocation of delivery methods
    3. Roadmap
    1. Data literacy metrics
    2. List of owners and roles and responsibilities
    3. Next step and implementation schedule

    Phase 1

    Define Data Literacy Objectives

    Phase 1: step 1 - Understand organization's needs, step 2 - Create vision and objective for data literacy program.

    Foster Data-Driven Culture With Data Literacy

    This phase will walk you through the following activities:

    • Understand the organization’s needs.
    • Create vision and objective for data literacy program.

    This phase involves the following participants:

    • Data governance sponsor
    • Data owners
    • Data stewards
    • Data custodians

    1.1 Gauge your organization’s current data culture

    Conduct data culture survey or diagnostic.

    1. Identify members of the data user base, data consumers, and other key stakeholders for surveying.
    2. Conduct an information session to introduce Info-Tech’s Data Culture Diagnostic survey. Explain the objective and importance of the survey and its role in helping to understand the organization’s current data culture and inform the improvement of that culture.
    3. Roll out the Info-Tech Data Culture Diagnostic survey to the identified users and stakeholders.
    4. Debrief and document the results and scorecard in the Data Strategy Stakeholder Interview Guide and Findings document.

    Input

    • Email addresses of participants in your organization who should receive the survey

    Output

    • Your organization’s Data Culture Scorecard for understanding current data culture as it relates to the use and consumption of data
    • An understanding of whether data is currently perceived to be an asset to the organization

    Materials

    • Info-Tech’s Data Culture Diagnostic service

    Participants

    • Participants include those at the senior leadership level through to middle management, as well as other business stakeholders at varying levels across the organization
    • Data owners, stewards, and custodians
    • Core data users and consumers

    Contact your Info-Tech Account Representative for details on launching a Data Culture Diagnostic.

    1.2 Define data literacy objectives

    1. Understand the organization’s needs by identifying opportunities and challenges relating to data. Document the described real-life examples.
    2. Categorize the list and identify areas where data literacy can address the business problem.
    3. Create a vision statement for the data literacy program, ensuring that it covers all levels of the organization.
    4. Articulate the intended targets and goals in planning for a data literacy program.

    Input

    • List of opportunities and challenges relating to data
    • Relevant business real-life examples

    Output

    • Categorized list of data literacy needs
    • Vision for literacy program
    • Targets and goals

    Materials

    • Whiteboard/flip charts
    • Sticky notes

    Participants

    • CDO or sponsor
    • Key business stakeholders
    • Data stewards
    • Data custodians
    • Data governance working group

    Quick wins for improving data literacy

    Data collected through Info-Tech’s Data Culture Diagnostic suggests three ways to improve data literacy:

    87%

    think more can be done to define and document commonly used terms with methods such as a business data glossary.

    68%

    think they can have a better understanding of the meaning of all data elements that are being captured or managed.

    86%

    feel that they can have more training in terms of tools as well as on what data is available at the organization.

    Source: Info-Tech Research Group's Data Culture Diagnostic, 2022; N=2,652

    Quick Wins

    • Create a business data glossary to document and define common terms.
    • Provide easy access to the business data glossary and procedures on how data is captured and managed.
    • Launch an organization-wide data literacy program.

    Delivering value is a means and the goal

    Start with real business problems in a hands-on format to demonstrate the value of data.

    Identify business problem:

    • Business decisions without facts are just guesses.
    • Management spends a lot of time finding and fixing data.
    • Unknown challenges on data assets and risk.
    • Incomplete view of customer/client and industry.
    • Not ready for modern data opportunities (e.g. artificial intelligence).

    Create an objective

    Treat data as a strategic asset to gain insight into our customers for all levels of organization.

    The solution: Data-driven culture powered by people who speak data.

    • Data dictionary
    • Data literacy
    • Trusted single source
    • Access to analytics tools
    • Decision making

    "According to Forrester, 91% of organizations find it challenging to improve the use of data insights for decision-making – even though 90% see it as a priority. Why the disconnect? A lack of data literacy."

    – Alation, 2020

    Fundamental data literacy

    Data literacy is more than just a technical training or a one-off exercise.

    Info-Tech provides various topics suited for a data literacy program that can accommodate different data skill requirements and encompasses relevant aspects of business, IT, and data.

    Info-Tech Research Group’s Data Literacy Program

    Use discovery and diagnostics to understand users’ comfort level and maturity with data.

    Data lunch 'n' learn

    • The power and value of data
    • Everyone is a data steward
    • Becoming data literate
    • Data 101
    • The future is data
    1 hour
    For: General audience, senior leadership, data leads, change management

    Speak data

    • What is data
    • Meet the data team
    • Day in the life of a steward
    • How data impacts you
    • Tools of the trade
    1/2 day
    For: New stewards, data owners, pre-data strategy workshop

    Your data story

    • Ask the right questions
    • Find the top five data elements
    • Understand your data
    • Present your data story
    • Lessons from COVID-19
    1/2 day
    For: New stewards, business data owners, pre-BI/analytics workshop

    Phase 2

    Assess Learning Style and Align to Program Design

    Phase 2: step 1 - Identify audience, step 2 - Access learning style and align to program design, step 3 - Determine the right delivery method.

    Foster Data-Driven Culture With Data Literacy

    This phase will walk you through the following activities:

    • Identify your audience.
    • Assess learning styles and align them to the data program design.
    • Determine the right delivery method.

    This phase involves the following participants:

    • Data governance sponsor
    • Data owners
    • Data stewards
    • Data custodians

    Avoid common pitfalls

    75%

    feel that training was too long to remember or to apply in their day-to-day work.

    21%

    find training had insufficient follow-up to help them apply on the job.

    Source: Grovo, 2018.

    1. Information Overload

      Trying to cover too much useful information results in overwhelm and does not deliver on key training objectives.
    2. Limited Implementation

      Learning is only the beginning. The real results are obtained when learning is followed by practice, which turns new knowledge into reliable habits.
    3. Lack of Organizational Alignment

      Implementing training without a clear link to organizational objectives leaves you unable to clearly communicate its value, undermines your ability to secure buy-in from attendees and executives, and leaves you unable to verify that the training is actually improving effectiveness.

    2.1 Understand learning style

    1. Create persona and identify the audiences and their roles in data across all levels of the organization.
    2. Identify the data program initiatives and assign the best delivery method to each initiative.
    3. Assign participants to each program initiative based on their skill gap and learning style.

    Input

    • List of audiences, their roles, and tenures
    • Data skill gap assessment
    • List of literacy program initiatives/topics

    Output

    • Target audience grouping
    • List of program initiatives with assigned groups

    Materials

    • Whiteboard/flip charts
    • Sticky notes

    Participants

    • CDO or sponsor
    • Key business stakeholders
    • Data stewards
    • Data custodians
    • Data governance working group

    You and data

    Is data an integral part of your work?

    Do you feel comfortable finding and using data in your organization?

    • Many people feel intimidated by data and therefore miss out on what data can do for them.
    • Often the obstacle is language. If you don’t understand the semantics around data, you will not feel confident to contribute to discussions around data.
    • You use data every day but need additional vocabulary to understand how to handle it properly.
    • Data literacy is the ability to “speak data” and to understand what data means (i.e. how to read charts and graphs, draw valid conclusions, and recognize when data is misinterpreted or used inappropriately to be misleading).
    • The business often doesn’t understand its role in data governance and how it informs and assists IT in responsible data management.

    Info-Tech Insight

    IT and data professionals need to understand the business as much as business needs to talk about data. Bidirectional learning and feedback improves the synergy between business and IT.

    Create personas

    Persona creation is a way to brainstorm ideas for the data literacy program.

    Choose a data role (e.g. data steward, data owner, data scientist).

    Describe the persona based on goals, priorities, tenures, preferred learning style, type of work with data.

    Identify data skill and level of skills required.

    Persona 1: Denise - Manager, People and Culture. Goals, priorities, tenure, data role, learning style, skill level

    Consider these other ways to brainstorm:

    • Review current in-flight projects.
    • Analyze types of data requests.
    • Understand needs by department.
    • Share learnings in a community of practice.

    Program design

    Categorize into six data skill areas

    Not everyone needs the same level of skill sets

    Bullseye board with skill levels (Innermost going outward): Expert, advanced, intermediate and Basic. The six data skill areas: 1. Understanding Data, 2. Find and Obtain Data, 3. Read, Interpret and Evaluate Data, 4. Manage Data, 5. Create and Use Data, 6. Tell a Story and Share Data are placed equally around in sections.

    Map the personas to the program

    Bridging the data knowledge gap.

    • Each component will promote the value of data to all levels of employees when demonstrating the right way for data to be understood, managed, and consumed in the organization.
    • Categorizing the data literacy program into six areas and levels of skill sets will provide clarity into which areas to focus on.
    • The program is intended to be implemented in stages, allowing the audience to learn and adopt the new skills. Leveraging in-flight projects for rolling out training will have a higher success because the need is already built into the project.
    Personas are placed at different points in the data skill area and skill level.

    Align program design to learning styles

    The four methods (Discussion, Information, Coaching, and Self-Discovery) are based on learner-centered model design rather than the traditional teacher-centered model.

    Info-Tech Insight

    Tailor your data literacy program to meet your organization’s needs, filling your range of knowledge gaps and catering to different levels of users.

    When it comes to rolling out a data literacy program, there is no one-size-fits-all solution. Your data literacy program is intended to spread knowledge throughout your organization. It should target everyone from executive leadership to management to subject matter experts across all functions of the business.

    Discussion method

    Delivery Method

    • Interactive format between instructor and learner
    • Instructor empowers and motivates learner through dialogues and exercises

    The imaginative learner

    The imaginative learner group likes to engage in feelings and spend time on reflection. This type of learner desires personal meaning and involvement. They focus on personal values for themselves and others and make connections quickly.

    For this group of learners, their question is: why should I learn this?

    Learning characteristics

    • Seek meaning
    • Need to be personally involved
    • Learn by listening and sharing ideas
    • Function through social interaction

    Information method

    Delivery Method

    • Instructor does most of the talking in the training
    • Instructor is teaching the content, delivering the training content, and demonstrating

    Analytical learner

    The analytical learner group likes to listen, to think about information, and to come up with ideas. They are interested in acquiring facts and delving into concepts and processes. They can learn effectively and enjoy doing independent research.

    For this group of learners, their question is: what should I learn?

    Learning characteristics

    • Seek and examine the facts
    • Need to know what experts think
    • Interested in ideas and concepts
    • Critique information and collect data
    • Function by adapting to experts

    Coaching method

    Delivery Method

    • Learning has on-the-job training or learning through role-play exercises
    • Instructor is coaching and facilitating learner

    Common sense learner

    The common sense learner group likes thinking and doing. They are satisfied when they can carry out experiments, build and design, and create usability. They like tinkering and applying useful ideas.

    For this group of learners, their question is: how should I learn?

    Learning characteristics

    • Seek usability
    • Need to know how things work
    • Learn by testing theories using practical methods
    • Use factual data to build concepts
    • Enjoy hands-on experience

    Self-discovery method

    Delivery Method

    • Interactive format between instructor and learner
    • Instructor provides evaluation and remedial instruction

    Common sense learner

    The dynamic learner group learns through doing and experiencing. They are continually looking for hidden possibilities and researching ideas to make original adjustments. They learn through trial and error and self-discovery.

    For this group of learners, their question is: what if I learn this?

    Learning characteristics

    • Seek hidden possibilities
    • Need to know what can be done with things
    • Learn by trial and error
    • Enjoy variety and excel in being flexible

    Delivery method considerations

    There are four common ways to learn a new skill: by watching, conceptualizing, doing, and experiencing. The following are some suggestions on ways to implement your data literacy program through different delivery methods.

    There are four common ways to learn a new skill: by watching, conceptualizing, doing, and experiencing. The following are some suggestions on ways to implement your data literacy program through different delivery methods.

    Phase 3

    Map Out Data Literacy Roadmap and Milestones

    Phase 3: step 1 - Roadmap exercise, step 2 - Set key performance metrics and milestones.

    Foster Data-Driven Culture With Data Literacy

    This phase will walk you through the following activities:

    • Complete a roadmap exercise.
    • Set key performance metrics and milestones.

    This phase involves the following participants:

    • Data governance sponsor
    • Data owners
    • Data stewards
    • Data custodians

    3.1 Build the data literacy roadmap and milestones

    1-3 hours
    1. Gather the data literacy objectives and list of program initiatives with their assigned groups.
    2. Discuss each program initiative with the data literacy creation team, assigning content owners and estimating effort required to build the content.

    For the Gantt chart:

    • Input the roadmap start year.
    • List each data literacy topic and delivery method.
    • Populate the planned start and end dates for the prepopulated list of program initiatives.

    Input

    • List of data literacy topics with assigned groups
    • Vision statement of data literacy program
    • Data literacy objectives

    Output

    • Roadmap Gantt chart
    • List of program initiatives with start and end date
    • Content owner assignment

    Materials

    • Whiteboard/flip charts
    • Sticky notes
    • MS Projects/Excel

    Participants

    • CDO or sponsor
    • Key business stakeholders
    • Data stewards
    • Data custodians
    • Data governance working group

    Data literacy journey mapping

    Making it sustainable

    • Deliver the literacy program in stages to make it easier for the audience to consume the content.
    • Allow opportunities to apply the learnings at work.
    • Map out the data literacy trainings as they get delivered and identify gaps, if any. Continue to refine and adjust the program and delivery method for better outcome.
    • Set clear goals and KPIs measurement up front.
    • Conduct Info-Tech Research Group’s Data Culture Diagnostics to set the baseline and repeat the assessment in 12 to 18 months.
    • Assign champions to lead change and influence end users to adopt better processes.
    Data Literacy journey mapping. Different departments need different skills in data literacy.

    Research contributors

    Name

    Position

    Andrea Malick Advisory Director, Info-Tech Research Group
    Andy Neill AVP, Data and Analytics, Chief Enterprise Architect, Info-Tech Research Group
    Crystal Singh Research Director, Info-Tech Research Group
    Imad Jawadi Senior Manager, Consulting Advisory, Info-Tech Research Group
    Irina Sedenko Research Director, Info-Tech Research Group
    Reddy Doddipalli Senior Workshop Director, Info-Tech Research Group
    Sherwick Min Technical Counselor, Info-Tech Research Group
    Wayne Cain Principal Advisory Director, Info-Tech Research Group

    Info-Tech’s Data Literacy Program

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Session 1

    Session 2

    Session 3

    Session 4

    Activities

    Understand the WHY and Value of Data

    1.1 Business context, business objectives, and goals

    1.2 You and data

    1.3 Data journey from data to insights

    1.4 Speak data – common terminology

    Learn about the WHAT Through Data Flow

    2.1 Data creation

    2.2 Data ingestion

    2.3 Data accumulation

    2.4 Data augmentation

    2.5 Data delivery

    2.6 Data consumption

    Explore the HOW Through Data Visualization Training

    3.1 Ask the right questions

    3.2 Find the top five data elements

    3.3 Understand your data

    3.4 Present your data story

    3.5 Sharing of lessons learned

    Put Them All Together Through Data Governance Awareness

    4.1 Data governance framework

    4.2 Data roles and responsibilities

    4.3 Data domain and owners

    Deliverables

    1. Learning material for understanding the data fundamental and its terminology
    1. Learning material for data flow elements
    1. Learning material for data visualization
    1. Learning material for data governance awareness program

    Related Info-Tech Research

    Establish Data Governance

    Deliver measurable business value.

    Build a Robust and Comprehensive Data Strategy

    Key to building and fostering a data-driven culture.

    Create a Data Management Roadmap

    Streamline your data management program with our simplified framework.

    Bibliography

    About Learning. “4MAT overview.” About Learning., 16 Aug. 2001. Web.

    Accenture. “The Human Impact of Data Literacy,” Accenture, 2020. Web.

    Anand, Shivani. “IDC Reveals India Data and Content Technologies Predictions for 2022 and onwards; Focus on Data Literacy for an Elevated data Culture.” IDC, 14 Mar. 2022. Web.

    Belissent, Jennifer, and Aaron Kalb. “Data Literacy: The Key to Data-Driven Decision Making.” Alation, April 2020. Web.

    Brown, Sara. “How to build data literacy in your company.” MIT Sloan School of Management, 9 Feb 2021. Web.

    ---. “How to build a data-driven company.” MIT Sloan School of Management, 24 Sept. 2020. Web.

    Domo. “Data Never Sleeps 9.0.” Domo, 2021. Web.

    Dykes, Brent. “Creating A Data-Driven Culture: Why Leading By Example Is Essential.” Forbes, 26 Oct. 2017. Web.

    Experian. “10 signs you are sitting on a pile of data debt.” Experian, 2020. Accessed 25 June 2021. Web.

    Experian. “2019 Global Data Management Research.” Experian, 2019. Web.

    Knight, Michelle. “Data Literacy Trends in 2023: Formalizing Programs.” Dataversity, 3 Jan. 2023. Web.

    Ghosh, Paramita. “Data Literacy Skills Every Organization Should Build.” Dataversity, 2 Nov. 2022. Web.

    Johnson, A., et al., “How to Build a Strategy in a Digital World,” Compact, 2018, vol. 2. Web.

    LifeTrain. “Learning Style Quiz.” EMTrain, Web.

    Lambers, E., et al. “How to become data literate and support a data-drive culture.” Compact, 2018, vol. 4. Web.

    Marr, Benard. “Why is data literacy important for any business?” Bernard Marr & Co., 16 Aug. 2022. Web.

    Marr, Benard. “8 simple ways to enhance your data literacy skills.” Bernard Marr & Co., 16 Aug. 2022. Web/

    Mendoza, N.F. “Data literacy: Time to cure data phobia” Tech Republic, 27 Sept. 2022. Web.

    Mizrahi, Etai. “How to stay ahead of data debt and downtime?” Secoda, 17 April 2023. Web.

    Needham, Mass., “IDC FutureScape: Top 10 Predictions for the Future of Intelligence.” IDC, 5 Dec. 2022. Web.

    Paton, J., and M.A.P. op het Veld. “Trusted Analytics.” Compact, 2017, vol. 2. Web.

    Qlik. “Data Literacy to be Most In-Demand Skill by 2030 as AI Transforms Global Workplaces.” Qlik., 16 Mar 2022. Web.

    Qlik. “What is data literacy?” Qlik, n.d. Web.

    Reed, David. Becoming Data Literate. Harriman House Publishing, 1 Sept. 2021. Print.

    Salomonsen, Summer. “Grovo’s First-Time Manager Microlearning® Program Will Help Your New Managers Thrive in 2018.” Grovos Blog, 5 Dec. 2018. Web.

    Webb, Ryan. “More Than Just Reporting: Uncovering Actionable Insights From Data.” Welocalize, 1 Sept. 2020. Web.

    Ransomware Cyber Attack. The real Disaster Recovery Scenario

    Cyber-ransomware criminals need to make sure that you cannot simply recover your encrypted data via your backups. They must make it look like paying is your only option. And if you do not have a strategy that takes this into account, unfortunately, you may be up the creek without a paddle. because how do they make their case? Bylooking for ways to infect your backups, way before you find out you have been compromised. 

    That means your standard disaster recovery scenarios provide insufficient protection against this type of event. You need to think beyond DRP and give consideration to what John Beattie and Michael Shandrowski call "Cyber Incident Recovery Risk management" (CIR-RM).  

    incident, incident management, cybersecurity, cyber, disaster recovery, drp, business continuity, bcm, recovery

    Register to read more …

    Develop an IT Asset Management Strategy

    • Buy Link or Shortcode: {j2store}295|cart{/j2store}
    • member rating overall impact: 8.5/10 Overall Impact
    • member rating average dollars saved: $52,211 Average $ Saved
    • member rating average days saved: 31 Average Days Saved
    • Parent Category Name: Asset Management
    • Parent Category Link: /asset-management

    You have a mandate to create an accurate and actionable database of the IT assets in your environment, but:

    • The data you have is often incomplete or wrong.
    • Processes are broken or non-existent.
    • Your tools aren’t up to the task of tracking ever more hardware, software, and relevant metadata.
    • The role of stakeholders outside the core ITAM team isn’t well defined or understood.

    Our Advice

    Critical Insight

    ITAM is a foundational IT service that provides accurate, accessible, actionable data on IT assets. But there’s no value in data for data’s sake. Enable collaboration between IT asset managers, business leaders, and IT leaders to develop an ITAM strategy that maximizes the value they can deliver as service providers.

    Impact and Result

    • Develop an approach and strategy for ITAM that is sustainable and aligned with your business priorities.
    • Clarify the structure for the ITAM program, including scope, responsibility and accountability, centralization vs. decentralization, outsourcing vs. insourcing, and more.
    • Create a practical roadmap to guide improvement.
    • Summarize your strategy and approach using Info-Tech’s templates for review with stakeholders.

    Develop an IT Asset Management Strategy Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Develop an IT Asset Management Strategy – A methodology to create a business-aligned, coherent, and durable approach to ITAM.

    This two-phase, step-by-step methodology will guide you through the activities to build a business-aligned, coherent, and durable approach to ITAM. Review the executive brief at the start of the slide deck for an overview of the methodology and the value it can provide to your organization.

    • Develop an IT Asset Management Strategy – Phases 1-2

    2. ITAM Strategy Template – A presentation-ready repository for the work done as you define your ITAM approach.

    Use this template to document your IT asset management strategy and approach.

    • ITAM Strategy Template

    3. IT Asset Estimations Tracker – A rough-and-ready inventory exercise to help you evaluate the work ahead of you.

    Use this tool to estimate key data points related to your IT asset estate, as well as your confidence in your estimates.

    • IT Asset Estimations Tracker

    Infographic

    Workshop: Develop an IT Asset Management Strategy

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Identify ITAM Priorities & Goals, Maturity, Metrics and KPIs

    The Purpose

    Align key stakeholders to the potential strategic value of the IT asset management practice.

    Ensure the ITAM practice is focused on business-aligned goals.

    Key Benefits Achieved

    Define a business-aligned direction and expected outcomes for your ITAM program.

    Activities

    1.1 Brainstorm ITAM opportunities and challenges.

    1.2 Conduct an executive alignment working session.

    1.3 Set ITAM priorities, goals and tactics.

    1.4 Identify target and current state ITAM maturity.

    Outputs

    ITAM opportunities and challenges

    Align executive priorities with ITAM opportunities.

    ITAM metrics and KPIs

    ITAM maturity

    2 Identify Your Approach to Support ITAM Priorities and Goals

    The Purpose

    Translate goals into specific and coherent actions to enable your ITAM practice to deliver business value.

    Key Benefits Achieved

    A business-aligned approach to ITAM, encompassing scope, structure, tools, audits, budgets, documentation and more.

    A high-level roadmap to achieve your vision for the ITAM practice.

    Activities

    2.1 Define ITAM scope.

    2.2 Acquire ITAM services (outsourcing and contracting).

    2.3 Centralize or decentralize ITAM capabilities.

    2.4 Create a RACI for the ITAM practice.

    2.5 Align ITAM with other service management practices.

    2.6 Evaluate ITAM tools and integrations.

    2.7 Create a plan for internal and external audits.

    2.8 Improve your budget processes.

    2.9 Establish a documentation framework.

    2.10 Create a roadmap and communication plan.

    Outputs

    Your ITAM approach

    ITAM roadmap and communication plan

    Further reading

    Develop an IT Asset Management Strategy

    Define your business-aligned approach to ITAM.

    Table of Contents

    4 Analyst Perspective

    5 Executive Summary

    17 Phase 1: Establish Business-Aligned ITAM Goals and Priorities

    59 Phase 2: Support ITAM Goals and Priorities

    116 Bibliography

    Develop an IT Asset Management Strategy

    Define your business-aligned approach to ITAM.

    EXECUTIVE BRIEF

    Analyst Perspective

    Track hardware and software. Seems easy, right?

    It’s often taken for granted that IT can easily and accurately provide definitive answers to questions like “how many laptops do we have at Site 1?” or “do we have the right number of SQL licenses?” or “how much do we need to budget for device replacements next year?” After all, don’t we know what we have?

    IT can’t easily provide these answers because to do so you must track hardware and software throughout its lifecycle – which is not easy. And unfortunately, you often need to respond to these questions on very short notice because of an audit or to support a budgeting exercise.

    IT Asset Management (ITAM) is the solution. It’s not a new solution – the discipline has been around for decades. But the key to success is to deploy the practice in a way that is sustainable, right-sized, and maximizes value.

    Use our practical methodology to develop and document your approach to ITAM that is aligned with the goals of your organization.

    Photo of Andrew Sharp, Research Director, Infrastructure & Operations Practice, Info-Tech Research Group.

    Andrew Sharp
    Research Director
    Infrastructure & Operations Practice
    Info-Tech Research Group

    Realize the value of asset management

    Cost optimization, application rationalization and reduction of technical debt are all considered valuable to right-size spending and improve service outcomes. Without access to accurate data, these activities require significant investments of time and effort, starting with creation of point-in-time inventories, which lengthens the timeline to reaching project value and may still not be accurate.

    Cost optimization and reduction of technical debt should be part of your culture and technical roadmap rather than one-off projects. Why? Access to accurate information enables the organization to quickly make decisions and pivot plans as needed. Through asset management, ongoing harvest and redeployment of assets improves utilization-to-spend ratios. We would never see any organization saying, “We’ve closed our year end books, let’s fire the accountants,” but often see this valuable service relegated to the back burner. Similar to the philosophy that “the best time to plant a tree is 20 years ago and the next best time is now,” the sooner you can start to collect, validate, and analyze data, the sooner you will find value in it.

    Photo of Sandi Conrad, Principal Research Director, Infrastructure & Operations Practice, Info-Tech Research Group.

    Sandi Conrad
    Principal Research Director
    Infrastructure & Operations Practice
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    You have a mandate to create an accurate and actionable database of the IT assets in your environment, but:

    • The data you have is often incomplete or wrong.
    • Processes are broken or non-existent.
    • Your tools aren’t up to the task of tracking ever more hardware, software, and relevant metadata.
    • The role of stakeholders outside the core ITAM team isn’t well defined or understood.
    Common Obstacles

    It is challenging to make needed changes because:

    • There’s cultural resistance to asset tracking, it’s seen as busywork that doesn’t clearly create value.
    • Decentralized IT teams aren’t generating the data required to track hardware and licenses.
    • ITAM can’t direct needed tool improvements because the admins don’t report to ITAM.
    • It’s hard to find time to improve processes given the day-to-day demands on your time.
    Info-Tech’s Approach
    • Develop an approach and strategy for ITAM that is sustainable and aligned with your business priorities.
    • Clarify the structure for the ITAM program, including scope, responsibility and accountability, centralization vs. decentralization, outsourcing vs. insourcing, and more.
    • Create a practical roadmap to guide improvement.
    • Summarize your strategy and approach using Info-Tech’s templates for review with stakeholders.

    Info-Tech Insight

    ITAM is a foundational IT service that provides accurate, accessible, actionable data on IT assets. But there’s no value in data for data’s sake. Enable collaboration between IT asset managers, business leaders, and IT leaders to develop an ITAM strategy that maximizes the value they can deliver as service providers.

    Unlock business value with IT asset management

    • IT asset management (ITAM) is the practice of maintaining accurate, accessible, and actionable data on the assets within the organization’s IT estate. Each IT asset will have a record that tracks it across its lifecycle from purchase to disposal.
    • ITAM’s value is realized through other processes and practice areas that can leverage ITAM data to manage risk, improve IT services, and control costs.
    • Develop an approach to ITAM that maximizes the value delivered to the business and IT. ITAM succeeds when its partners succeed at delivering business value, and it fails when it doesn’t show value to those partners.

    This blueprint will help you develop your approach for the management of IT hardware and software, including cloud services. Leverage other Info-Tech methodologies to dive directly into developing hardware asset management procedures, software asset management procedures, or to implement configuration management best practices.

    Info-Tech Members report significant savings from implementing our hardware and software asset management frameworks. In order to maximize value from the process-focused methodologies below, develop your ITAM strategy first.

    Implement Hardware Asset Management (Based on Info-Tech Measured Value Surveys results from clients working through these blueprints, as of February 2022.)

    9.6/10

    $23k

    32

    Overall Impact Average $ Saved Average Days Saved
    Implement Software Asset Management (Based on Info-Tech Measured Value Surveys results from clients working through these blueprints, as of February 2022.)

    9.0/10

    $12k

    5

    Overall Impact Average $ Saved Average Days Saved

    ITAM provides both early and ongoing value

    ITAM isn’t one-and-done. Properly supported, your ITAM practice will deliver up-front value that will help demonstrate the value ongoing ITAM can offer through the maintenance of an accurate, accessible, and actionable ITAM database.

    Example: Software Savings from ITAM



    This chart shows the money saved between the first quote and the final price for software and maintenance by a five-person ITAM team. Over a year and a half, they saved their organization a total of $7.5 million from a first quote total of $21 million over that period.

    This is a perfect example of the direct value that ITAM can provide on an ongoing basis to the organization, when properly supported and integrated with IT and the business.

    Examples of up-front value delivered in the first year of the ITAM practice:

    • Save money by reviewing and renegotiating critical, high-spend, and undermanaged software and service contracts.
    • Redeploy or dispose of clearly unused hardware and software.
    • Develop and enforce standards for basic hardware and software.
    • Improve ITAM data quality and build trust in the results.

    Examples of long-term value from ongoing governance, management, and operational ITAM activities:

    • Optimize spend: Reallocate unused hardware and software, end unneeded service agreements, and manage renewals and audits.
    • Reduce risk: Provide comprehensive asset data for security controls development and incident management; manage equipment disposal.
    • Improve IT service: Support incident, problem, request, and change management with ITAM data. Develop new solutions with an understanding of what you have already.

    Common obstacles

    The rulebook is available, but hard to follow
    • ITAM takes a village, but stakeholders aren’t aware of their role. ITAM processes rely on technicians to update asset records, vendors to supply asset data, administrators to manage tools, leadership to provide direction and support, and more.
    • Constant change in the IT and business environment undermines the accuracy of ITAM records (e.g. licensing and contract changes, technology changes that break discovery tools, personnel and organizational changes).
    • Improvement efforts are overwhelmed by day-to-day activities. One study found that 83% of SAM teams’ time is consumed by audit-related activities. (Flexera State of ITAM Report 2022) A lack of improvement becomes a vicious cycle when stakeholders who don’t see the value of ITAM decline to dedicate resources for improvement.
    • Stakeholders expect ITAM tools to be a cure-all, but even at their best, they can’t provide needed answers without some level of configuration, manual input, and supervision.
    • There’s often a struggle to connect ITAM to value. For example, respondents to Info-Tech’s Management & Governance Diagnostic consistently rank ITAM as less important than other processes that ITAM directly supports (e.g. budget management and budget optimization). (Info-Tech MGD Diagnostic (n=972 unique organizations))
    ITAM is a mature discipline with well-established standards, certifications, and tools, but we still struggle with it.
    • Only 28% of SAM teams track IaaS and PaaS spend, and only 35% of SAM teams track SaaS usage.
    • Increasing SAM maturity is a challenge for 76% of organizations.
    • 10% of organizations surveyed have spent more than $5 million in the last three years in audit penalties and true-ups.
    • Half of all of organizations lack a viable SAM tool.
    • Seventy percent of SAM teams have a shortfall of qualified resources.
    • (Flexera State of ITAM Report 2022)

    Info-Tech's IT Asset Management Framework (ITAM)

    Adopt, manage, and mature activities to enable business value thorugh actionable, accessible, and accurate ITAM data

    Logo for Info-Tech Research Group. Enable Business Value Logo for #iTRG.
    Business-Aligned Spend
    Optimization and Transparency
    Facilitate IT Services
    and Products
    Actionable, Accessible,
    and Accurate Data
    Context-Aware Risk Management
    and Security Controls

    Plan & Govern

    Business Goals, Risks, and Structure
    • ITAM Goals & Priorities
    • Roles, Accountability, Responsibilities
    • Scope
    Ongoing Management Commitment
    • Resourcing & Funding
    • Policies & Enforcement
    • Continuous Improvement
    Culture
    • ITAM Education, Awareness & Training
    • Organizational Change Management
    Section title 'Operate' with a cycle surrounding key components of Operate: 'Data Collection & Validation', 'Tool Administration', 'License Management', and 'Lease Management'. The cycle consists of 'Request', 'Procure', 'Receive', 'Deploy', 'Manage', 'Retire & Dispose', and back to 'Request'.

    Build & Manage

    Tools & Data
    • ITAM Tool Selection & Deployment
    • Configuration Management Synchronization
    • IT Service Management Integration
    Process
    • Process Management
    • Data & Process Audits
    • Document Management
    People, Policies, and Providers
    • Stakeholder Management
    • Technology Standardization
    • Vendor & Contract Management

    Info-Tech Insight

    ITAM is a foundational IT service that provides actionable, accessible, and accurate data on IT assets. But there's no value in data for data's sake. Use this methodology to enable collaboration between ITAM, the business, and IT to develop an approach to ITAM that maximizes the value the ITAM team can deliver as service providers.

    Key deliverable

    IT asset management requires ongoing practice – you can’t just implement it and walk away.

    Our methodology will help you build a business-aligned strategy and approach for your ITAM practice with the following outputs:

    • Business-aligned ITAM priorities, opportunities, and goals.
    • Current and target state ITAM maturity.
    • Metrics and KPIs.
    • Roles, responsibilities, and accountability.
    • Insourcing, outsourcing, and (de)centralization.
    • Tools and technology.
    • A documentation framework.
    • Initiatives, a roadmap, and a communication plan.
    Each step of this blueprint is designed to help you create your IT asset management strategy:
    Sample of Info-Tech's key deliverable 'IT Asset Management' blueprint.

    Info-Tech’s methodology to develop an IT asset management strategy

    1. Establish business-aligned ITAM goals and priorities 2. Identify your approach to support ITAM priorities and goals
    Phase Steps
    • 1.1 Define ITAM and brainstorm opportunities and challenges.
    • Executive Alignment Working Session:
    • 1.2 Review organizational priorities, strategy, and key initiatives.
    • 1.3 Align executive priorities with ITAM opportunities and priorities.
    • 1.4 Identify business-aligned ITAM goals and target maturity.
    • 1.5 Write mission and vision statements.
    • 1.6 Define ITAM metrics and KPIs.
    • 2.1 Define ITAM scope.
    • 2.2 Acquire ITAM services (outsourcing and contracting).
    • 2.3 Centralize or decentralize ITAM capabilities.
    • 2.4 Create a RACI for the ITAM practice.
    • 2.5 Align ITAM with other service management practices.
    • 2.6 Evaluate ITAM tools and integrations.
    • 2.7 Create a plan for internal and external audits.
    • 2.8 Improve your budget processes.
    • 2.9 Establish a documentation framework.
    • 2.10 Create a roadmap and communication plan.
    Phase Outcomes Defined, business-aligned goals and priorities for ITAM. Establish an approach to achieving ITAM goals and priorities including scope, structure, tools, service management integrations, documentation, and more.
    Project Outcomes Develop an approach and strategy for ITAM that is sustainable and aligned with your business priorities.

    Insight Summary

    There’s no value in data for data’s sake

    ITAM is a foundational IT service that provides accurate, accessible, actionable data on IT assets. Enable collaboration between IT asset managers, business leaders, and IT leaders to develop an approach to ITAM that maximizes the value they can deliver as service providers.

    Service provider to a service provider

    ITAM is often viewed (when it’s viewed at all) as a low-value administrative task that doesn’t directly drive business value. This can make it challenging to build a case for funding and resources.

    Your ITAM strategy is a critical component to help you define how ITAM can best deliver value to your organization, and to stop creating data for the sake of data or just to fight the next fire.

    Collaboration over order-taking

    To align ITAM practices to deliver organizational value, you need a very clear understanding of the organization’s goals – both in the moment and as they change over time.

    Ensure your ITAM team has clear line of sight to business strategy, objectives, and decision-makers, so you can continue to deliver value as priorities change

    Embrace dotted lines

    ITAM teams rely heavily on staff, systems, and data beyond their direct area of control. Identify how you will influence key stakeholders, including technicians, administrators, and business partners.

    Help them understand how ITAM success relies on their support, and highlight how their contributions have created organizational value to encourage ongoing support.

    Project benefits

    Benefits for IT
    • Set a foundation and direction for an ITAM practice that will allow IT to manage risk, optimize spend, and enhance services in line with business requirements.
    • Establish accountability and responsibility for essential ITAM activities. Decide where to centralize or decentralize accountability and authority. Identify where outsourcing could add value.
    • Create a roadmap with concrete, practical next steps to develop an effective, right-sized ITAM practice.
    Stock image of a trophy. Benefits for the business
    • Plan and control technology spend with confidence based on trustworthy ITAM data.
    • Enhance IT’s ability to rapidly and effectively support new priorities and launch new projects. Effective ITAM can support more streamlined procurement, deployment, and management of assets.
    • Implement security controls that reflect your total technology footprint. Reduce the risk that a forgotten device or unmanaged software turns your organization into the next Colonial Pipeline.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI around 12 calls over the course of 6 months.

    What does a typical GI on this topic look like?

    Call #1: Scope requirements, objectives, and your specific challenges.

    Call #2: Review business priorities.

    Call #3: Identify ITAM goals & target maturity.

    Call #4: Identify metrics and KPIs. Call #5: Define ITAM scope.

    Call #6: Acquire ITAM services.

    Call #7: ITAM structure and RACI.

    Call #8: ITAM and service management.

    Tools and integrations.

    Call #10: Internal and external audits.

    Call #11: Budgets & documentation

    Call #12: Roadmap, comms plan. Wrap-up.

    Phase 1 Phase 2

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com1-888-670-8889
    Day 1 Day 2 Day 3 Day 4 Day 5
    Identify ITAM priorities & goals, maturity, metrics and KPIs
    Identify your approach to support ITAM priorities and goals
    Next Steps and wrap-Up (offsite)
    Activities

    1.1 Define ITAM.

    1.2 Brainstorm ITAM opportunities and challenges.

    Conduct an executive alignment working session:

    1.3 Review organizational priorities, strategy, and key initiatives.

    1.4 Align executive priorities with ITAM opportunities.

    1.5 Set ITAM priorities.

    2.1 Translate opportunities into ITAM goals and tactics.

    2.2 Identify target and current state ITAM maturity.

    2.3 Create mission and vision statements.

    2.4 Identify key ITAM metrics and KPIs.

    3.1 Define ITAM scope.

    3.2 Acquire ITAM services (outsourcing and contracting)

    3.3 Centralize or decentralize ITAM capabilities.

    3.4 Create a RACI for the ITAM practice.

    3.5 Align ITAM with other service management practices.

    3.6 Evaluate ITAM tools and integrations.

    4.1 Create a plan for internal and external audits.

    4.2 Improve your budget processes.

    4.3 Establish a documentation framework and identify documentation gaps.

    4.4 Create a roadmap and communication plan.

    5.1 Complete in-progress deliverables from previous four days.

    5.2 Set up review time for workshop deliverables and to discuss next steps.

    Deliverables
    1. ITAM opportunities and challenges.
    2. Align executive priorities with ITAM opportunities.
    3. Set ITAM priorities.
    1. ITAM goals and tactics.
    2. Current and target ITAM maturity.
    3. Mission and vision statements.
    4. ITAM metrics and KPIs.
    1. Decisions that will shape your ITAM approach, including:
      1. What’s in scope (hardware, software, and cloud services).
      2. Where to centralize, decentralize, or outsource ITAM activities.
      3. Accountability, responsibility, and structure for ITAM activities.
      4. Service management alignment, tooling gaps, audit plans, budget processes, and required documentation.
    2. A roadmap and communication plan.
    1. Your completed ITAM strategy template.
    Develop an IT Asset Management Strategy

    Phase 1:

    Establish business-aligned ITAM goals and priorities

    Phase 1

    1.1 Define ITAM and brainstorm opportunities and challenges.

    Executive Alignment Working Session:

    1.2 Review organizational priorities, strategy, and key initiatives.

    1.3 Align executive priorities with ITAM opportunities & priorities.

    1.4 Identify business-aligned ITAM goals and target maturity.

    1.5 Write mission and vision statements.

    1.6 Define ITAM metrics and KPIs.

    Phase 2

    2.1 Define ITAM scope.

    2.2 Acquire ITAM services (outsourcing and contracting).

    2.3 Centralize or decentralize ITAM capabilities.

    2.4 Create a RACI for the ITAM practice.

    2.5 Align ITAM with other service management practices.

    2.6 Evaluate ITAM tools and integrations.

    2.7 Create a plan for internal and external audits.

    2.8 Improve your budget processes.

    2.9 Establish a documentation framework.

    2.10 Create a roadmap and communication plan.

    Phase Outcomes:

    Defined, business-aligned goals, priorities, and KPIs for ITAM. A concise vision and mission statement. The direction you need to establish a practical, right-sized, effective approach to ITAM for your organization.

    Before you get started

    Set yourself up for success with these three steps:
    • This methodology and the related slides are intended to be executed via intensive, collaborative working sessions using the rest of this slide deck.
    • Ensure the working sessions are a success by working through these steps before you start work on your IT asset management strategy.

    1. Identify participants

    Review recommended roles and identify who should participate in the development of your ITAM strategy.

    2. Estimate assets managed today

    Work through an initial assessment to establish ease of access to ITAM data and your level of trust in the data available to you.

    3. Create a working folder

    Create a repository to house your notes and any work in progress, including your copy of the ITAM Strategy Template.

    0.1 Identify participants

    30 minutes

    Output: List of key roles for the strategy exercises outlined in this methodology

    Participants: Project sponsor, Lead facilitator, ITAM manager and SMEs

    This methodology relies on having the right stakeholders in the room to identify ITAM goals, challenges, roles, structure, and more. On each activity slide in this deck, you’ll see an outline of the recommended participants. Use the table below to translate the recommended roles into specific people in your organization. Note that some people may fill multiple roles.

    Role Expectations People
    Project Sponsor Accountable for the overall success of the methodology. Ideally, participates in all exercises in this methodology. May be the asset manager or whoever they report to. Jake Long
    Lead Facilitator Leads, schedules, and manages all working sessions. Guides discussions and ensures activity outputs are completed. Owns and understands the methodology. Has a working knowledge of ITAM. Robert Loblaw
    Asset Manager(s) SME for the ITAM practice. Provides strategic direction to mature ITAM practices in line with organizational goals. Supports the facilitator. Eve Maldonado
    ITAM Team Hands-on ITAM professionals and SMEs. Includes the asset manager. Provide input on tactical ITAM opportunities and challenges. Bruce Wayne, Clark Kent
    IT Leaders & Managers Leaders of key stakeholder groups from across the IT department – the CIO and direct reports. Provide input on what IT needs from ITAM, and the role their teams should play in ITAM activities. May include delegates, particularly those familiar with day-to-day processes relevant to a particular discussion or exercise. Marcelina Hardy, Edmund Broughton
    ITAM Business Partners Non-IT business stakeholders for ITAM. This could include procurement, vendor management, accounting, and others. Zhang Jin, Effie Lamont
    Business Executives Organizational leaders and executives (CFO, COO, CEO, and others) or their delegates. Will participate in a mini-workshop to identify organizational goals and initiatives that can present opportunities for the ITAM practice. Jermaine Mandar, Miranda Kosuth

    0.2 Estimate asset numbers

    1 hour

    Output: Estimates of quantity and spend related to IT assets, Confidence/margin of error on estimates

    Participants: IT asset manager, ITAM team

    What do you know about your current IT environment, and how confident are you in that knowledge?

    This exercise will help you evaluate the size of the challenge ahead in terms of the raw number of assets in your environment, the spend on those assets, and the level of trust your organization has in the ITAM data.

    It is also a baseline snapshot your ability to relay key ITAM metrics quickly and confidently, so you can measure progress (in terms of greater confidence) over time.

    1. Download the estimation tracker below. Add any additional line items that are particularly important to the organization.
    2. Time-box this exercise to an hour. Use your own knowledge and existing data repositories to identify count/spend for each line item, then add a margin of error to your guess. Larger margins of error on larger counts will typically indicate larger risks.
    3. Track any assumptions, data sources used, or SMEs consulted in the comments.

    Download the IT Asset Estimation Tracker

    “Any time there is doubt about the data and it doesn’t get explained or fixed, then a new spreadsheet is born. Data validation and maintenance is critical to avoid the hidden costs of having bad data”

    Allison Kinnaird,
    Operations Practice Lead,
    Info-Tech Research Group

    0.3 Create a working folder

    15 minutes

    Output: A repository for templates and work in progress

    Participants: Lead facilitator

    Create a central repository for collaboration – it seems like an obvious step, but it’s one that gets forgotten about
    1. Download a copy of the ITAM Strategy Template.
      1. This will be the repository for all the work you do in the activities listed in this blueprint; take a moment to read it through and familiarize yourself with the contents.
    2. House the template in a shared repository that can house other related work in progress. Share this folder with participants so they can check in on your progress.
    3. You’ll see this callout box: Add your results to your copy of the ITAM Strategy Template as you work through activities in this blueprint. Copy the output to the appropriate slide in the ITAM Strategy Template.
    Stock image of a computer screen with a tiny person putting likes on things.

    Collect action items as you go

    Don’t wait until the end to write down your good ideas.
    • The last exercise in this methodology is to gather everything you’ve learned and build a roadmap to improve the ITAM practice.
    • The output of the exercises will inform the roadmap, as they will highlight areas with opportunities for improvement.
    • Write them down as you work through the exercises, or you risk forgetting valuable ideas.
    • Keep an “idea space” – a whiteboard with sticky notes or a shared document – to which any of your participants can post an idea for improvement and that you can review and consolidate later.
    • Encourage participants to add their ideas at any time during the exercises.
    Pad of sticky notes, the top of which reads 'Good ideas go here!'

    Step 1.1: Brainstorm ITAM opportunities and challenges

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers
    • ITAM business partners

    Outcomes

    • Rally the working group around a collection of ideas that, when taken together, create a vision for the future ITAM practice.
    • Identify your organization’s current ITAM challenges.

    “ITAM is a cultural shift more than a technology shift.” (Rory Canavan, SAM Charter)

    What is an IT Asset?

    Any piece of technology can be considered an asset, but it doesn’t mean you need to track everything. Image of three people building a computer from the inside.
    Icon of a power button.

    According to the ISO 19770 standard on ITAM, an IT Asset is “[an] item, thing, or entity that can be used to acquire, process, store and distribute digital information and has potential or actual value to an organization.”
    These are all things that IT is expected to support and manage, or that have the potential to directly impact services that IT supports and manages.

    Icon of a half-full battery.

    IT assets are distinct from capital assets. Some IT assets will also be capital assets, but not all will be. And not all capital assets are IT assets, either.

    Icon of a microphone.

    IT assets are typically tracked by IT, not by finance or accounting.
    IT needs more from their IT asset tracking system than the typical finance department can deliver.
    This can include end-user devices, software, IT infrastructure, cloud-based resources, third-party managed IT services, Internet-of-Things devices, embedded electronics, SCADA equipment, “smart” devices, and more.

    Icon of a fingerprint.

    It’s important to track IT assets in a way that enables IT to deliver value to the business – and an important part of this is understanding what not to track. This list should be aligned to the needs of your organization.

    What is IT asset management?

    • IT asset management is the practice of maintaining accurate, accessible, and actionable data on IT hardware, software, and cloud assets from procurement to disposal.
    • Trustworthy data maintained by an IT asset management practice will help your business meet its goals by managing risk, controlling costs, and enabling IT services and products.
    • ITAM tends to focus on the asset itself – its technical, financial, contractual, lifecycle, and ownership attributes – rather than its interactions or connections to other IT assets, which tends to be part of configuration management.

    What IT Asset Management is NOT:

    Configuration Management: Configuration management databases (CMDBs) often draw from the same data pool as ITAM (many configuration items are assets, and vice versa), but they focus on the interaction, interconnection, and interoperation of configuration items within the IT estate.

    In practice, many configuration items will be IT assets (or parts of assets) and vice versa. Configuration and asset teams should work closely together as they develop different but complementary views of the IT environment. Use Info-Tech’s methodology to harness configuration management superpowers.

    Organizational Data Management: Leverage a different Info-Tech methodology to develop a digital and data asset management program within Info-Tech’s DAM framework.

    “Asset management’s job is not to save the organization money, it’s not to push back on software audits.

    It’s to keep the asset database as up-to-date and as trustworthy as possible. That’s it.” (Jeremy Boerger, Consultant & Author)

    “You can’t make any real decisions on CMDB data that’s only 60% accurate.

    You start extrapolating that out, you’re going to get into big problems.” (Mike Austin, Founder & CEO, MetrixData 360)

    What is an ITAM strategy?

    Our strategy document will outline a coherent, sustainable, business-aligned approach to ITAM.

    No single approach to ITAM fits all organizations. Nor will the same approach fit the same organization at different times. A world-leading research university, a state government, and a global manufacturer all have very different goals and priorities that will be best supported by different approaches to ITAM.

    This methodology will walk you through these critical decisions that will define your approach to ITAM:

    • Business-aligned priorities, opportunities, and goals: What pressing opportunities and challenges do we face as an organization? What opportunities does this create that ITAM can seize?
    • Current and future state maturity, challenges: What is the state of the practice today? Where do we need to improve to meet our goals? What challenges stand in the way of improvement?
    • Responsibility, accountability, sourcing and (de)centralization: Who does what? Who is accountable? Where is there value to outsourcing? What authority will be centralized or decentralized?
    • Tools, policies, and procedures: What technology do we need? What’s our documentation framework?
    • Initiatives, KPIs, communication plan, and roadmap: What do we need to do, in what order, to build the ITAM practice to where we need it to be? How long do we expect this to take? How will we measure success?

    “A good strategy has coherence, coordinating actions, policies, and resources so as to accomplish an important end. Most organizations, most of the time, don’t have this.

    Instead, they have multiple goals and initiatives that symbolize progress, but no coherent approach to accomplish that progress other than ‘spend more and try harder.’” (Good Strategy, Bad Strategy, Richard Rumelt)

    Enable business value with IT asset management

    If you’ve never experienced a mature ITAM program before, it is almost certainly more rewarding than you’d expect once it’s functioning as intended.

    Each of the below activities can benefit from accessible, actionable, and accurate ITAM data.

    • Which of the activities, practices, and initiatives below have value to your organization?
    • Which could benefit most from ITAM data?
    Manage Risk: Effective ITAM practices provide data and processes that help mitigate the likelihood and impact of potentially damaging IT risks.

    ITAM supports the following practices that help manage organizational risk:

    • Security Controls Development
    • Security Incident Response
    • Security Audit Reports
    • Regulatory Compliance Reports
    • IT Risk Management
    • Technical Debt Management
    • M&A Due Diligence
    Optimize Spend: Asset data is essential to maintaining oversight of IT spend, ensuring that scarce resources are allocated where they can have the most impact.

    ITAM supports these activities that help optimize spend:

    • Vendor Management & Negotiations
    • IT Budget Management & Variance Analysis
    • Asset Utilization Analysis
    • FinOps & Cloud Spend Optimization
    • Showback & Chargeback
    • Software Audit Defense
    • Application Rationalization
    • Contract Consolidation
    • License and Device Reallocation
    Improve IT Services: Asset data can help inform solutions development and can be used by service teams to enhance and improve IT service practices.

    Use ITAM to facilitate these IT services and initiatives:

    • Solution and Enterprise Architecture
    • Service Level Management
    • Technology Procurement
    • Technology Refresh Projects
    • Incident & Problem Management
    • Request Management
    • Change Management
    • Green IT

    1.1 Brainstorm ideas to create a vision for the ITAM practice

    30 minutes

    Input: Stakeholders with a vision of what ITAM could provide, if resourced and funded adequately

    Output: A collection of ideas that, when taken together, create a vision for the future ITAM practice

    Materials: ITAM strategy template, Whiteboard or virtual whiteboard

    Participants: ITAM team, IT leaders and managers, ITAM business partners

    It can be easy to lose sight of long-term goals when you’re stuck in firefighting mode. Let’s get the working group into a forward-looking mindset with this exercise.

    Think about what ITAM could deliver with unlimited time, money, and technology.

    1. Provide three sticky notes to each participant.
    2. Add the headings to a whiteboard, or use a blank slide as a digital whiteboard
    3. On each sticky note, ask participants to outline a single idea as follows:
      1. We could: [idea]
      2. Which would help: [stakeholder]
      3. Because: [outcome]
    4. Ask participants to present their sticky notes and post them to the whiteboard. Ask later participants to group similar ideas together.

    As you hear your peers describe what they hope and expect to achieve with ITAM, a shared vision of what ITAM could be will start to emerge.

    1.1 Identify structural ITAM challenges

    30 minutes

    Input: The list of common challenges on the next slide, Your estimated visibility into IT assets from the previous exercise, The experience and knowledge of your participants

    Output: Identify current ITAM challenges

    Materials: Your working copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers, ITAM business partners

    What’s standing in the way today of delivering the ITAM practices you want to achieve?

    Review the list of common challenges on the next slide as a group.

    1. Delete any challenges that don’t apply to your organization.
    2. Modify any challenges as required to reflect your organization.
    3. Add further challenges that aren’t on the list, as required.
    4. Highlight challenges that are particularly painful.

    Add your results to your copy of the ITAM Strategy Template

    “The problem – the reason why asset management initiatives keep falling on their face – is that people attack asset management as a problem to solve, instead of a practice and epistemological construct.” (Jeremy Boerger, Consultant & Author)

    1.1 Identify structural ITAM challenges

    Review and update the list of common challenges below to reflect your own organization.

    • Leadership and executives don’t understand the value of asset management and don’t fund or resource it.
    • Tools aren’t fit for purpose, don’t scale, or are broken.
    • There’s a cultural tendency to focus on tools over processes.
    • ITAM data is fragmented across multiple repositories.
    • ITAM data is widely viewed as untrustworthy.
    • Stakeholders respond to vendor audits before consulting ITAM, which leads to confusion and risks penalties.
    • No time for improvement; we’re always fighting fires.
    • We don’t audit our own ITAM data for accuracy.
    • End-user equipment is shared, re-assigned, or disposed without notifying or involving IT.
    • No dedicated resources.
    • Lack of clarity on roles and responsibilities.
    • Technicians don’t track assets consistently; ITAM is seen as administrative busywork.
    • Many ITAM tasks are manual and prone to error.
    • Inconsistent organizational policies and procedures.
    • We try to manage too many hardware types/software titles.
    • IT is not involved in the procurement process.
    • Request and procurement is seen as slow and excessively bureaucratic.
    • Hardware/software standards don’t exist or aren’t enforced.
    • Extensive rogue purchases/shadow IT are challenging to manage via ITAM tools and processes.
    What Else?

    Copy results to your copy of the ITAM Strategy Template

    Step 1.2: Review organizational priorities, strategy, initiatives

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers
    • Business executives or their delegates

    Outcomes

    • Review organizational priorities and strategy.
    • Identify key initiatives.

    Enter the executives

    Deliver on leadership priorities

    • Your business’ major transformative projects and executive priorities might seem far removed from hardware and software tracking. Why would we start with business strategy and executive priorities as we’re setting goals for the ITAM program?
    • While business executives have (likely) no interest in how software and hardware is tracked, they are accountable for the outcomes ITAM can enable. They are the most likely to understand why and how ITAM can deliver value to the organization.
    • ITAM succeeds by enabling its stakeholders to achieve business outcomes. The next three activities are designed to help you identify how you can enable your stakeholders, and what outcomes are most important from their point of view. Specifically:
      • What are the business’ planned transformational initiatives?
      • What are your highest priority goals?
      • What should the priorities of the ITAM practice be?
    • The answers to these questions will shape your approach to ITAM. Direct input from your leadership and executives – or their delegates – will help ensure you’re setting a solid foundation for your ITAM practice.

    “What outcomes does the organization want from IT asset management? Often, senior managers have a clear vision for the organization and where IT needs to go, and the struggle is to communicate that down.” (Kylie Fowler, ITAM Intelligence)

    Stock image of many hands with different puzzle pieces.

    Executive Alignment Session Overview

    ITAM Strategy Working Sessions

    • Discover & Brainstorm
    • Executive Alignment Working Session
      • 1.2 Review organizational strategy, priorities, and key initiatives
      • 1.3 Align executive priorities with ITAM opportunities, set ITAM priorities
    • ITAM Practice Maturity, Vision & Mission, Metrics & KPIs
    • Scope, Outsourcing, (De)Centralization, RACI
    • Service Management Integration
    • ITAM Tools
    • Audits, Budgets, Documents
    • Roadmap & Comms Plan

    A note to the lead facilitator and project sponsor:
    Consider working through these exercises by yourself ahead of time. As you do so, you’ll develop your own ideas about where these discussions may go, which will help you guide the discussion and provide examples to participants.

    1.2 Review organizational strategy and priorities

    30 minutes

    Input: Organizational strategy documents

    Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

    Materials: The diagram in the next slide, and/or a whiteboard, Your copy of the ITAM Strategy Template

    Participants: Asset manager, IT leadership, Business executives or delegates

    Welcome your group to the working session and outline the next few exercises using the previous slide.

    Ask the most senior leader present to provide a summary of the following:

    1. What is the vision for the organization?
    2. What are our priorities and what must we absolutely get right?
    3. What do we expect the organization to look like in three years?

    The facilitator or a dedicated note-taker should record key points on a whiteboard or flipchart paper.

    1.2 Identify transformational initiatives

    30 minutes

    Input: Organizational strategy documents

    Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

    Materials: The diagram in the next slide, and/or a whiteboard, Your copy of the ITAM Strategy Template

    Participants: Asset manager, IT leadership, Business executives or delegates

    Ask the most senior leader present to provide a summary of the following: What transformative business and IT initiatives are planned? When will they begin and end?

    Using one box per initiative, draw the initiatives in a timeline like the one below.

    Sample timeline for ITAM initiatives.

    Add your results to your copy of the ITAM Strategy Template

    Step 1.3: Set business-aligned ITAM priorities

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers
    • Business executives

    Outcomes

    • Connect executive priorities to ITAM opportunities.
    • Set business-aligned priorities for the ITAM practice.

    1.3 Align executive priorities with ITAM opportunities

    45 minutes

    Input: Organizational strategy documents

    Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

    Materials: The diagram in the next slide, and/or a whiteboard, Your copy of the ITAM Strategy Template

    Participants: Asset manager, IT leaders and managers, Business executives or delegates

    In this exercise, we’ll use the table on the next slide to identify the top priorities of key business and IT stakeholders and connect them to opportunities for the ITAM practice.

    1. Ask your leadership or executive delegates – what are their goals? What are they trying to accomplish? List roles and related goals in the table.
    2. Brainstorm opportunities for IT asset management to support listed goals:
      1. Can ITAM provide an enhanced level of service, access, or insight?
      2. Can ITAM address an existing issue or mitigate an existing risk?

    Add your results to your copy of the ITAM Strategy Template

    1.3 Align executive priorities with ITAM opportunities (example)

    ITAM is for the… Who wants to… Which presents these ITAM opportunities
    CEO Deliver transformative business initiatives Acquire the right tech at the right time to support transformational initiatives.
    Establish a data-driven culture of stewardship Improve data to increase IT spend transparency.
    COO Improve organizational efficiency Increase asset use.
    Consolidate major software contracts to drive discounts.
    CFO Accurately forecast spending Track and anticipate IT asset spending.
    Control spending Improve data to increase IT spend transparency.
    Consolidate major software contracts to drive discounts.
    CIO Demonstrate IT value Use data to tell a story about value delivered by IT assets.
    Govern IT use Improve data to increase IT spend transparency.
    CISO Manage IT security and compliance risks Identify abandoned or out-of-spec IT assets.
    Provide IT asset data to support controls development.
    Respond to security incidents Support security incident teams with IT asset data.
    Apps Leader Build, integrate, and support applications Identify opportunities to retire applications with redundant functionality.
    Connect applications to relevant licensing and support agreements.
    IT Infra Leader Build and support IT infrastructure. Provide input on opportunities to standardize hardware and software.
    Provide IT asset data to technicians supporting end users.

    1.3 Categorize ITAM opportunities

    10-15 minutes

    Input: The outputs from the previous exercise

    Output: Executive priorities, sorted into the three categories at the right

    Materials: The table in this slide, The outputs from the previous exercise

    Participants: Lead facilitator

    Give your participants a quick break. Quickly sort the identified ITAM opportunities into the three main categories below as best you can.

    We’ll use this table as context for the next exercise.

    Example: Optimize Spend Enhance IT Services Manage Risk
    ITAM Opportunities
    • Improve data to increase IT spend transparency.
    • Consolidate major software contracts to drive discounts.
    • Increase asset utilization.
    • Identify opportunities to retire applications with redundant functionality
    • Acquire the right tech at the right time to support transformational initiatives.
    • Provide IT asset data to technicians supporting end users.
    • Identify abandoned or out-of-spec IT assets.
    • Provide IT asset data to support controls development.
    • Support security incident teams with IT asset data.

    Add your results to your copy of the ITAM Strategy Template

    1.3 Set ITAM priorities

    30 minutes

    Input: Organizational strategy documents

    Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

    Materials: Whiteboard, The template on the next slide, Your copy of the ITAM Strategy Template

    Participants: Asset manager, IT leaders and managers, Business executives or delegates

    The objective of this exercise is to prioritize the outcomes your organization wants to achieve from its ITAM practice, given the context from the previous exercises.

    Review the image below. The three points of the triangle are the three core goals of ITAM: Enhance IT Service, Manage Risk, and Optimize Spend. This exercise was first developed by Kylie Fowler of ITAM Intelligence. It is an essential exercise to understand ITAM priorities and the tradeoffs associated with those priorities. These priorities aren’t set in stone and should be revisited periodically as technology and business priorities change.

    Draw the diagram on the next slide on a whiteboard. Have the most senior leader in the room place the dot on the triangle – the closer it is to any one of the goals, the more important that goal is to the organization. Note: The center of the triangle is off limits! It’s very rarely possible to deliver on all three at once.
    Track notes on what’s being prioritized – and why – in the template on the next slide.
    Triangle with the points labelled 'Enhance IT Service', 'Manage Risk', and 'Optimize Spend'.

    Add your results to your copy of the ITAM Strategy Template

    1.3 Set ITAM Priorities

    The priorities of the ITAM practice are to:
    • Optimize Spend
    • Manage Risk
    Why?
    • We believe there is significant opportunity right now to rationalize spend by consolidating key software contracts.
    • Major acquisitions are anticipated in the near future. Effective ITAM processes are expected to mitigate acquisition risk by supporting due diligence and streamlined integration of acquired organizations.
    • Ransomware and supply chain security threats have increased demands for a comprehensive accounting of IT assets to support security controls development and security incident response.
    (Update this section with notes from your discussion.)
    Triangle with the points labelled 'Enhance IT Service', 'Manage Risk', and 'Optimize Spend'. There is a dot close to the 'Optimize Spend' corner, a legend labelling the dot as 'Our Target', and a note reading 'Move this dot to reflect your priorities'.

    Step 1.4: Identify ITAM goals, target maturity

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers

    Outcomes

    • Connect executive priorities to ITAM opportunities.
    • Set business-aligned priorities for the ITAM practice.

    “ITAM is really no different from the other ITIL practices: to succeed, you’ll need some ratio of time, treasure, and talent… and you can make up for less of one with more of the other two.” (Jeremy Boerger, Consultant and Author)

    1.4 Identify near- and medium-term goals

    15-30 minutes

    Input: Organizational strategy documents

    Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers

    Narrow down the list of opportunities to identify specific goals for the ITAM practice.

    1. Use one color to highlight opportunities you will seize in the next year.
    2. Use a second color to highlight opportunities you plan to address in the next three years.
    3. Leave blank anything you don’t intend to address in this timeframe.

    The highlighted opportunities are your near- and medium-term objectives.

    Optimize Spend Enhance IT Services Manage Risk
    Priority Critical Normal High
    ITAM Opportunities
    • Improve data to increase IT spend transparency.
    • Increase asset utilization.
    • Consolidate major software contracts to drive discounts.
    • Identify opportunities to retire applications with redundant functionality
    • Acquire the right tech at the right time to support transformational initiatives.
    • Provide IT asset data to technicians supporting end users.
    • Identify abandoned or out-of-spec IT assets.
    • Provide IT asset data to support controls development.
    • Support security incident teams with IT asset data.

    1.4 Connect ITAM goals to tactics

    30 minutes

    Input: Organizational strategy documents

    Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers

    Let’s dig down a little deeper. Connect the list of opportunities from earlier to specific ITAM tactics that allow the team to seize those opportunities.

    Add another row to the earlier table for ITAM tactics. Brainstorm tactics with your participants (e.g. sticky notes on a whiteboard) and align them with the priorities they’ll support.

    Optimize SpendEnhance IT ServicesManage Risk
    PriorityCriticalNormalHigh
    ITAM Opportunities
    • Improve data to increase IT spend transparency.
    • Increase asset utilization.
    • Consolidate major software contracts to drive discounts.
    • Identify opportunities to retire applications with redundant functionality
    • Acquire the right tech at the right time to support transformational initiatives.
    • Provide IT asset data to technicians supporting end users.
    • Identify abandoned or out-of-spec IT assets.
    • Provide IT asset data to support controls development.
    • Support security incident teams with IT asset data.
    ITAM Tactics to Seize Opportunities
    • Review and improve hardware budgeting exercises.
    • Reallocate unused licenses, hardware.
    • Ensure ELP reports are up to date.
    • Validate software usage.
    • Data to support software renewal negotiations.
    • Use info from ITAM for more efficient adds, moves, changes.
    • Integrate asset records with the ticket intake system, so that when someone calls the service desk, the list of their assigned equipment is immediately available.
    • Find and retire abandoned devices or services with access to the organization’s network.
    • Report on lost/stolen devices.
    • Develop reliable disposal processes.
    • Report on unpatched devices/software.

    Add your results to your copy of the ITAM Strategy Template

    1.4 Identify current and target state

    20 minutes

    Input: Organizational strategy documents

    Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers

    We’ll use this exercise to identify the current and one-year target state of ITAM using Info-Tech’s ITAM maturity framework.

    1. Review the maturity framework on the next slide as a group.
    2. In one color, highlight statements that reflect your organization today. Summarize your current state. Are you in firefighter mode? Between “firefighter” and “trusted operator”?
    3. In a second color, highlight statements that reflect where you want to be one year from today, taking into consideration the goals and tactics identified in the last exercise.
    4. During a break, copy the highlighted statements to the table on the slide after next, then add this final slide to your working copy of the ITAM Strategy Template.

    Add your results to your copy of the ITAM Strategy Template

    Establish current and target ITAM maturity

    IT maturity ladder with five color-coded levels. Innovator – Optimized Asset Management
    • All items from Business & Technology Partner, plus:
    • Business and IT stakeholders collaborate regularly with the ITAM team to identify new opportunities to leverage or deploy ITAM practices and data to mitigate risks, optimize spend, and improve service. The ITAM program scales with the business.
    Business & Technology Partner – Proactive Asset Management
    • All items from Trusted Operator, plus:
    • The ITAM data is integral to decisions related to budget, project planning, IT architecture, contract renewal, and vendor management. Software and cloud assets are reviewed as frequently as required to manage costs. ITAM data consumers have self-serve access to ITAM data.
    • Continuous improvement practices strengthen ITAM efficiency and effectiveness.
    • ITAM processes, standards, and related policies are regularly reviewed and updated. ITAM teams work closely with SMEs for key tools/systems integrated with ITAM (e.g. AD, ITSM, monitoring tools) to maximize the value and reliability of integrations.
    Trusted Operator – Controls Assets
    • ITAM data for deployed hardware and software is regularly audited for accuracy.
    • Sufficient staff and skills to support asset tracking, including a dedicated IT asset management role. Teams responsible for ITAM data collection cooperate effectively. Policies and procedures are documented and enforced. Key licenses and contracts are available to the ITAM team. Discovery, tracking, and analysis tools support most important use cases.
    Firefighter – Reactive Asset Tracking
    • Data is often untrustworthy, may be fragmented across multiple repositories, and typically requires significant effort to translate or validate before use.
    • Insufficient staff, fragmented or incomplete policies or documentation. Data tracking processes are extremely highly manual. Effective cooperation for ITAM data collection is challenging.
    • ITAM tools are in place, but additional configuration or tooling is needed.
    Unreliable - Struggles to Support
    • No data, or data is typically unusable.
    • No allocated staff, no cooperation between parties responsible for ITAM data collection.
    • No related policies or documentation.
    • Tools are non-existent or not fit-for-purpose.

    Current and target ITAM maturity

    Today:
    Firefighter
    • Data is often untrustworthy, is fragmented across multiple repositories, and typically requires significant effort to translate or validate before use.
    • Insufficient staff, fragmented or incomplete policies or documentation.
    • Tools are non-existent.
    In One Year:
    Trusted Operator
    • ITAM data for deployed hardware and software is regularly audited for accuracy.
    • Sufficient staff and skills to support asset tracking, including a dedicated IT asset management role.
    • Teams responsible for ITAM data collection cooperate effectively.
    • Discovery, tracking, and analysis tools support most important use cases.
    IT maturity ladder with five color-coded levels.

    Innovator – Optimized Asset Management

    Business & Technology Partner – Proactive Asset Management

    Trusted Operator – Controls Assets

    Firefighter – Reactive Asset Tracking

    Unreliable - Struggles to Support

    Step 1.5: Write mission and vision statements

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers

    Outcomes

    • Write a mission statement that encapsulates the purpose and intentions of the ITAM practice today.
    • Write a vision statement that describes what the ITAM practice aspires to become and achieve.

    Write vision and mission statements

    Create two statements to summarize the role of the ITAM practice today – and where you want it to be in the future.

    Create two short, compelling statements that encapsulate:
    • The vision for what we want the ITAM practice to be in the future; and
    • The mission – the purpose and intentions – of the ITAM practice today.

    Why bother creating mission and vision statements? After all, isn’t it just rehashing or re-writing all the work we’ve just done? Isn’t that (at best) a waste of time?

    There are a few very important reasons to create mission and vision statements:

    • Create a compass that can guide work today and your roadmap for the future.
    • Focus on the few things you must do, rather than the many things you could do.
    • Concisely communicate a compelling vision for the ITAM practice to a larger audience who (let’s face it) probably won’t read the entire ITAM Strategy deck.

    “Brevity is the soul of wit.” (Hamlet, Act 2, Scene 2)

    “Writing is easy. All you have to do is cross out the wrong words.” (Mark Twain)

    1.5 Write an ITAM vision statement

    30 minutes

    Input: Organizational strategy documents

    Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

    Materials: A whiteboard, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT Leaders and managers

    Your vision statement describes the ITAM practice as it will be in the far future. It is a target to aspire to, beyond your ability to achieve in the near or medium term.

    Examples of ITAM vision statements:

    Develop the single accurate view of IT assets, available to anyone who needs it.

    Indispensable data brokers that support strategic decisions on the IT environment.

    Provide sticky notes to participants. Write out the three questions below on a whiteboard side by side. Have participants write their answers to the questions and post them below the appropriate question. Give everyone 10 minutes to write and post their ideas.

    1. What’s the desired future state of the ITAM practice?
    2. What needs to be done to achieved this desired state?
    3. How do we want ITAM to be perceived in this desired state?

    Review the answers and combine them into one focused vision statement. Use the 20x20 rule: take no more than 20 minutes and use no more than 20 words. If you’re not finished after 20 minutes, the ITAM manager should make any final edits offline.

    Document your vision statement in your ITAM Strategy Template.

    Add your results to your copy of the ITAM Strategy Template

    1.5 Write an ITAM mission statement

    30 minutes

    Input: Organizational strategy documents

    Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers

    Your ITAM mission statement is an expression of what your IT asset management function brings to your organization today. It should be presented in straightforward language that is compelling, easy to understand, and sharply focused.

    Examples of ITAM mission statements:

    Maintain accurate, actionable, accessible on data on all IT assets.

    Support IT and the business with centralized and integrated asset data.

    Provide sticky notes to participants. Write out the questions below on a whiteboard side by side. Have participants write their answers to the questions and post them below the appropriate question. Give everyone 10 minutes to write and post their ideas.

    1. What is our role as the asset management team?
    2. How do we support the IT and business strategies?
    3. What does our asset management function offer that no one else can?

    Review the answers and combine them into one focused vision statement. Use the 20x20 rule: take no more than 20 minutes and use no more than 20 words. If you’re not finished after 20 minutes, the ITAM manager should make any final edits offline.

    Document your vision statement in your ITAM Strategy Template.

    Add your results to your copy of the ITAM Strategy Template

    Step 1.6: Define ITAM metrics and KPIs

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers

    Outcomes

    • Identify metrics, data, or reports that may be of interest to different consumers of ITAM data.
    • Identify the key performance indicators (KPIs) for the ITAM practice, based on the goals and priorities established earlier.

    Navigate a universe of ITAM metrics

    When you have the data, how will you use it?

    • There’s a dizzying array of potential metrics you can develop and track across your ITAM environment.
    • Different stakeholders will need different data feeds, metrics, reports, and dashboards.
    • Different measures will be useful at different times. You will often need to filter or slice the data in different ways (by department, timeframe, equipment type, etc.)
    • We’ll use the next few exercises to identify the types of metrics that may be useful to different stakeholders and the KPIs to measure progress towards ITAM goals and priorities.

    ITAM Metrics

    • Quantity
      e.g. # of devices or licenses
    • Cost
      e.g. average laptop cost
    • Compliance
      e.g. effective license position reports
    • Progress
      e.g. ITAM roadmap items completed
    • Quality
      e.g. ITAM data accuracy rate
    • Time
      e.g. time to procure/ deploy

    Drill down by:

    • Vendor
    • Date
    • Dept.
    • Product
    • Location
    • Cost Center

    Develop different metrics for different teams

    A few examples:

    • CIOs — CIOs need asset data to govern technology use, align to business needs, and demonstrate IT value. What do we need to budget for hardware and software in the next year? Where can we find money to support urgent new initiatives? How many devices and software titles do we manage compared to last year? How has IT helped the business achieve key goals?
    • Asset Managers — Asset managers require data to help them oversee ITAM processes, technology, and staff, and to manage the fleet of IT assets they’re expected to track. What’s the accuracy rate of ITAM data? What’s the state of integrations between ITAM and other systems and processes? How many renewals are coming up in the next 90 days? How many laptops are in stock?
    • IT Leaders — IT managers need data that can support their teams and help them manage the technology within their mandate. What technology needs to be reviewed or retired? What do we actually manage?
    • Technicians — Service desk technicians need real-time access to data on IT assets to support service requests and incident management – for example, easy access to the list of equipment assigned to a particular user or installed in a particular location.
    • Business Managers and Executives — Business managers and executives need concise, readable dashboards to support business decisions about business use of IT assets. What’s our overall asset spend? What’s our forecasted spend? Where could we reallocate spend?

    1.6 Identify useful ITAM metrics and reports

    60 minutes

    Input: Organizational strategy documents

    Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers

    Use this exercise to identify as many potentially useful ITAM metrics and reports as possible, and narrow them down to a few high-priority metrics. Leverage the list of example metrics on the next slide for your own exercise. If you have more than six participants, consider splitting into two or more groups, and divide the table between groups to minimize overlap.

    1. List potential consumers of ITAM data in the column on the left.
    2. What type of information do we think this role needs? What questions about IT assets do we get on a regular basis from this role or team?
    3. Review and consolidate the list as a group. Discuss and highlight any metrics the group thinks are a particularly high priority for tracking.
    Role Compliance Quality Quantity Cost Time Progress
    IT Asset Manager Owned devices not discovered in last 60 days Discrepancies between discovery data and ITAM DB records # of corporate-owned devices Spend on hardware (recent and future/ planned) Average time, maximum time to deploy end-user devices Number of ITAM roadmap items in progress
    Service Desk

    Add your results to your copy of the ITAM Strategy Template

    Examples of ITAM metrics

    Compliance Quality Quantity Cost Time/Duration/Age Progress
    Owned devices not discovered in last 60 days Discrepancies between discovery data and ITAM DB records # of corporate-owned devices Spend on hardware (recent and future/planned) Average time, maximum time to deploy end-user devices Number of ITAM roadmap items in progress or completed
    Disposed devices without certificate of destruction Breakage rates (in and out of warranty) by vendor # of devices running software title X, # of licenses for software title X Spend on software (recent and future/planned) Average time, maximum time to deploy end user software Number of integrations between ITAM DB and other sources
    Discrepancies between licenses and install count, by software title RMAs by vendor, model, equipment type Number of requests by equipment model or software title Spend on cloud (recent and future/planned) Average & total time spent on software audit responses Number of records in ITAM database
    Compliance reports (e.g. tied to regulatory compliance or grant funding) Tickets by equipment type or software title Licenses issued from license pool in the last 30 days Value of licenses issued from license pool in the last 30 days (cost avoidance) Devices by age Software titles with an up-to-date ELP report
    Reports on lost and stolen devices, including last assigned, date reported stolen, actions taken User device satisfaction scores, CSAT scores Number of devices retired or donated in last year Number of IT-managed capital assets Number of hardware/software request tickets beyond time-to-fulfil targets Number of devices audited (by ITAM team via self-audit)
    Number of OS versions, unpatched systems Number of devices due for refresh in the next year Spend saved by harvesting unused software Number of software titles, software vendors managed by ITAM team
    Audit accuracy rate Equipment in stock Cost savings from negotiations
    # of users assigned more than one device Number of non-standard devices or requests Dollars charged during audit or true-up

    Differentiate between metrics and KPIs

    Key performance indicators (KPIs) are metrics with targets aligned to goals.

    Targets could include one or more of:

    • Target state (e.g. completed)
    • Target magnitude (e.g. number, percent, rate, dollar amount)
    • Target direction (e.g. trending up or down)

    You may track many metrics, but you should have only a few KPIs (typically 2-3 per objective).

    A breached KPI should be a trigger to investigate and remediate the root cause of the problem, to ensure progress towards goals and priorities can continue.

    Which KPIs you track will change over the life of the practice, as ITAM goals and priorities shift. For example, KPIs may initially track progress towards maturing ITAM practices. Once you’ve reached target maturity, KPIs may shift to track whether the key service targets are being met.

    1.6 Identify ITAM KPIs

    20 minutes

    Input: Organizational strategy documents

    Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers

    Good KPIs are a more objective measure of whether you’re succeeding in meeting the identified priorities for the ITAM practice.

    Identify metrics that can measure progress or success against the priorities and goals set earlier. Aim for around three metrics per goal. Identify targets for the metric you think are SMART (specific, measurable, achievable, relevant, and timebound). Track your work using the example table below.

    Goal Metric Target
    Consolidate major software contracts to drive discounts Amount spent on top 10 software contracts Decrease by 10% by next year
    Customer satisfaction scores with enterprise software Satisfaction is equal to or better than last year
    Value of licenses issued from license pool 30% greater than last year
    Identify abandoned or out-of-spec IT assets # of security incidents involving undiscovered assets Zero
    % devices with “Deployed” status in ITAM DB but not discovered for 30+ days ‹1% of all records in ITAM DB
    Provide IT asset data to technicians for service calls Customer satisfaction scores Satisfaction is equal to or better than last year
    % of end-user devices meeting minimum standards 97%

    Add your results to your copy of the ITAM Strategy Template

    Develop an IT Asset Management Strategy

    Phase 2:

    Identify your approach to support ITAM priorities and goals

    Phase 1

    1.1 Define ITAM and brainstorm opportunities and challenges.

    Executive Alignment Working Session:

    1.2 Review organizational priorities, strategy, and key initiatives.

    1.3 Align executive priorities with ITAM opportunities & priorities.

    1.4 Identify business-aligned ITAM goals and target maturity.

    1.5 Write mission and vision statements.

    1.6 Define ITAM metrics and KPIs.

    Phase 2

    2.1 Define ITAM scope.

    2.2 Acquire ITAM services (outsourcing and contracting).

    2.3 Centralize or decentralize ITAM capabilities.

    2.4 Create a RACI for the ITAM practice.

    2.5 Align ITAM with other service management practices.

    2.6 Evaluate ITAM tools and integrations.

    2.7 Create a plan for internal and external audits.

    2.8 Improve your budget processes.

    2.9 Establish a documentation framework.

    2.10 Create a roadmap and communication plan.

    Phase Outcomes:

    Establish an approach to achieving ITAM goals and priorities, including scope, structure, tools, service management integrations, documentation, and more.

    Create a roadmap that enables you to realize your approach.

    Step 2.1: Define ITAM Scope

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers
    • ITAM business partners

    Outcomes

    • Establish what types of equipment and software you’ll track through the ITAM practice.
    • Establish which areas of the business will be in scope of the ITAM practice.

    Determine ITAM Scope

    Focus on what’s most important and then document it so everyone understands where they can provide the most value.

    Not all categories of assets require the same level of tracking, and some equipment and software should be excluded from the ITAM practice entirely.

    In some organizations, portions of the environment won’t be tracked by the asset management team at all. For example, some organizations will choose to delegate tracking multi-function printers (MFPs) or proprietary IoT devices to the department or vendor that manages them.

    Due to resourcing or technical limitations, you may decide that certain equipment or software is out of scope for the moment.

    What do other organizations typically track in detail?
    • Installs and entitlements for major software contracts that represent significant spend and/or are highly critical to business goals.
    • Equipment managed directly by IT that needs to be refreshed on a regular cycle:
      • End-user devices such as laptops, desktops, and tablets.
      • Server, network, and telecoms devices.
    • High value equipment that is not regularly refreshed may also be tracked, but in less detail – for example, you may not refresh large screen TVs, but you may need to track date of purchase, deployed location, vendor, and model for insurance or warranty purposes.

    2.1 Establish scope for ITAM

    45 minutes

    Input: Organizational strategy documents

    Output: ITAM scope, in terms of types of assets tracked and not tracked

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers, ITAM business partners

    Establish the hardware and software that are within the scope of the ITAM program by updating the tables below to reflect your own environment. The “out of scope” category will include asset types that may be of value to track in the future but for which the capability or need don’t exist today.

    Hardware Software Out of Scope
    • End-user devices housing data or with a dollar value of more than $300, which will be replaced through lifecycle refresh.
    • Infrastructure devices, including network, telecom, video conferencing, servers and more
    • End-user software purchased under contract
    • Best efforts on single license purchases
    • Infrastructure software, including solutions used by IT to manage the infrastructure
    • Enterprise applications
    • Cloud (SaaS, IaaS, PaaS)
    • Departmental applications
    • Open-source applications
    • In-house developed applications
    • Freeware & shareware
    • IoT devices

    The following locations will be included in the ITAM program: All North and South America offices and retail locations.

    Add your results to your copy of the ITAM Strategy Template

    Step 2.2: Acquire ITAM Services

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers
    • ITAM business partners

    Outcomes

    • Define the type of work that may be more effectively or efficiently delivered by an outsourcer or contractor.

    “We would like our clients to come to us with an idea of where they want to get to. Why are you doing this? Is it for savings? Because you want to manage your security attack surface? Are there digital initiatives you want to move forward? What is the end goal?” (Mike Austin, MetrixData 360)

    Effectively acquire ITAM services

    Allow your team to focus on strategic, value-add activities by acquiring services that free them from commodity tasks.
    • When determining which asset capabilities and activities are best kept in-house and which ones are better handled by a supplier, it is imperative to keep the value to the business in mind.
    • Activities/capabilities that are challenging to standardize and are critical to enabling business goals are better kept in-house.
    • Activities/capabilities that are (or should be) standardized and automated are ideal candidates for outsourcing.
    • Outsourcing can be effective and successful with a narrow scope of engagement and an alignment to business outcomes.
    • Organizations that heavily weigh cost reduction as a significant driver for outsourcing are far less likely to realize the value they expected to receive.
    Business Enablement
    • Supports business-aligned ITAM opportunities & priorities
    • Highly specialized
    • Offers competitive advantages
    Map with axes 'Business Enablement' and 'Vendor's Performance Advantage' for determining whether or not to outsource.
    Vendor’s Performance Advantage
    • Talent or access to skills
    • Economies of scale
    • Access to technology
    • Does not require deep knowledge of your business

    Decide what to outsource

    It’s rarely all or nothing.

    Ask yourself:
    • How important is this activity or capability to ITAM, IT, and business priorities and goals?
    • Is it a non-commodity IT service that can improve customer satisfaction?
    • Is it a critical service to the business and the specialized knowledge must remain in-house?
    • Does the function require access to talent or skills not currently available in-house, and is cost-prohibitive to obtain?
    • Are there economies of scale that can help us meet growing demand?
    • Does the vendor provide access to best-of-breed tools and solutions that can handle the integration, management, maintenance and support of the complete system?

    You may ultimately choose to engage a single vendor or a combination of multiple vendors who can best meet your ITAM needs.

    Establishing effective vendor management processes, where you can maximize the amount of service you receive while relying on the vendor’s expertise and ability to scale, can help you make your asset management practice a net cost-saver.

    ITAM activities and capabilities
    • Contract review
    • Software audit management
    • Asset tagging
    • Asset disposal and recycling
    • Initial ITAM record creation
    • End-user device imaging
    • End-user device deployment
    • End-user software provisioning
    • End-user image management
    • ITAM database administration
    • ELP report creation
    • ITAM process management
    • ITAM report generation
    ITAM-adjacent activities and capabilities
    • Tier 1 support/service desk
    • Deskside/field support
    • Tier 3 support
    • IT Procurement
    • Device management/managed IT services
    • Budget development
    • Applications development, maintenance
    • Infrastructure hosting (e.g. cloud or colocation)
    • Infrastructure management and support
    • Discovery/monitoring tools management and support

    2.2 Identify outsourcing opportunities

    1-2 hours

    Input: Understanding of current ITAM processes and challenges

    Output: Understanding of potential outsourcing opportunities

    Materials: The table in this slide, and insight in previous slides, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers, ITAM business partners

    At a high level, discuss which functions of ITAM are good candidates for outsourcing.

    Start with the previous slide for examples of outsourcing activities or capabilities directly related to or adjacent to the ITAM practice. Categorize these activities as follows:

    Outsource Potentially Outsource Insource
    • Asset disposal/recycling
    • ELP report creation
    • ITAM process management

    Go through the list of activities to potentially or definitely outsource and confirm:

    1. Will outsourcing solve a resourcing need for an existing process, or can you deliver this adequately in-house?
    2. Will outsourcing improve the effectiveness and efficiency of current processes? Will it deliver more effective service channels or improved levels of reliability and performance consistency?
    3. Will outsourcing provide or enable enhanced service capabilities that your IT customers could use, and which you cannot deliver in-house due to lack of scale or capacity?

    Answering “no” to more than one of these questions suggests a need to further review options to ensure the goals are aligned with the potential value of the service offerings available.

    Add your results to your copy of the ITAM Strategy Template

    Step 2.3: Centralize or decentralize ITAM capabilities

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers
    • ITAM business partners

    Outcomes

    • Outline where the team(s) responsible for ITAM sit across the organization, who they report to, and who they need to work with across IT and the business.

    Align ITAM with IT’s structure

    ITAM’s structure will typically align with the larger business and IT structure. The wrong structure will undermine your ability to meet ITAM goals and lead to frustration, missed work, inefficiency, and loss of value.

    Which of the four archetypes below reflects the structure you need?

    1. Centralized — ITAM is entirely centralized in a single function, which reports into a central IT department.
    2. Decentralized — Local IT groups are responsible and accountable for ITAM. They may coordinate informally but do not report to any central team.
    3. Hybrid-Shared Services — Local IT can opt in to shared services but must follow centrally set ITAM practices to do so, usually with support from a shared ITAM function.
    4. Hybrid-Federated — Local IT departments are free to develop their own approach to ITAM outside of core, centrally set requirements.

    Centralized ITAM

    Total coordination, control, and oversight

    • ITAM accountability, policies, tools, standards, and expertise – in this model, they’re all concentrated in a single, specialized IT asset management practice. Accountability, authority, and oversight are concentrated in the central function as well.
    • A central ITAM team will benefit from knowledge sharing and task specialization opportunities. They are a visible single point of contact for ITAM-related questions
    • The central ITAM team will coordinate ITAM activities across the organization to optimize spend, manage risk, and enhance service. Any local IT teams are supported by and directly answerable to the central ITAM team for ITAM activities.
    • There is a single, centrally managed ITAM database. Wherever possible, this database should be integrated with other tools to support cross-solution automation (e.g. integrate AD to automatically reflect user identity changes in the ITAM database).
    • This model drives cross-organization coordination and oversight, but it may not be responsive to specific and nuanced local requirements.
    Example: Centralized
    Example of a Centralized ITAM.

    Solid line. Direct reporting relationship

    Dotted line. Dotted line working or reporting relationship

    Decentralized ITAM

    Maximize choice

    • ITAM accountability and oversight are entirely devolved to local or regional IT and/or ITAM organizations, which are free to set their own priorities, goals, policies, and standards. This model maximizes the authority of local groups to build practices that meet local requirements.
    • It may be challenging to resource and mature local practices. ITAM maturity will vary from one local organization to the next.
    • It is more likely that ITAM managers are a part-time role, and sometimes even a non-IT role. Local ITAM teams or coordinators may coordinate and share knowledge informally, but specialization can be challenging to build or leverage effectively across the organization.
    • There is likely no central ITAM tool. Local tools may be acquired, implemented, and integrated by local IT departments to suit their own needs, which can make it very difficult to report on assets organization-wide – for example, to establish compliance on an enterprise software contract.
    Example: Decentralized


    Example of a Decentralized ITAM.

    Solid line. Direct reporting relationship

    Dotted line. Dotted line working or reporting relationship

    Blue dotted line. Informal working relationships, knowledge sharing

    Hybrid: Federation

    Centralization with a light touch

    • A middle ground between centralized and decentralized ITAM, this model balances centralized decision making, specialization, and governance with local autonomy.
    • A central team will define organization-wide ITAM goals, develop capabilities, policies, and standards, and monitor compliance by local and central teams. All local teams must comply with centrally defined requirements, but they can also develop further capabilities to meet local goals.
    • For example, there will typically be a central ITAM database that must be used for at least a subset of assets, but other teams may build their own databases for day-to-day operations and export data to the central database as required.
    • There are often overlapping responsibilities in this model. A strong collaborative relationship between central and local ITAM teams is especially important here, particularly after major changes to requirements, processes, tools, or staffing when issues and breakdowns are more likely.
    Example: Federation


    Example of a Federation ITAM.

    Solid line. Direct reporting relationship

    Purple solid line. Oversight/governance

    Dotted line. Dotted line working or reporting relationship

    Hybrid: Shared Services

    Optional centralization

    • A special case of federated ITAM that balances central control and local autonomy, but with more power given to local IT to opt out of centralized shared services that come with centralized ITAM requirements.
    • ITAM requirements set by the shared services team will support management, allocation, and may have showback or chargeback implications. Following the ITAM requirements is a condition of service. If a local organization chooses to stop using shared services, they are (naturally) no longer required to adhere to the shared services ITAM requirements.
    • As with the federated model, local teams may develop further capabilities to meet local goals.
    Example: Shared Services


    Example of a Shared Services ITAM.

    Solid line. Direct reporting relationship

    Dotted line. Dotted line working relationship

    Blue dotted line. Informal working relationships, knowledge sharing

    Structure data collection & analysis

    Consider the implications of structure on data.

    Why centralize?
    • There is a need to build reports that aggregate data on assets organization-wide, rather than just assets within a local environment.
    • Decentralized ITAM tracking isn’t producing accurate or usable data, even for local purposes.
    • Tracking tools have overlapping functionality. There’s an opportunity to rationalize spend, management and support for ITAM tools.
    • Contract centralization can optimize spend and manage risks, but only with the data required to manage those contracts.
    Why decentralize?
    • Tracking and reporting on local assets is sufficient to meet ITAM goals; there is limited or no need to track assets organization-wide.
    • Local teams have the skills to track and maintain asset data; subsidiaries have appropriate budgets and tools to support ITAM tracking.
    • Decentralized ITSM/ITAM tools are in place, populated, and accurate.
    • The effort to consolidate tools and processes may outweigh the benefits to data centralization.
    • Lots of variability in types of assets and the environment is stable.
    Requirements for success:
    • A centralized IT asset management solution is implemented and managed.
    • Local teams must understand the why and how of centralized data tracking and be held accountable for assigned responsibilities.
    • The asset tool should offer both centralized and localized views of the data.
    Requirements for success:
    • Guidelines and expectations for reporting to centralized asset management team will be well defined and supported.
    • Local asset managers will have opportunity to collaborate with others in the role for knowledge transfer and asset trading, where appropriate.

    Structure budget and contract management

    Contract consolidation creates economies of scale for vendor management and license pooling that strengthen your negotiating position with vendors and optimize spend.

    Why centralize?
    • Budgeting, governance, and accountability are already centralized. Centralized ITAM practices can support the existing governance practices.
    • Centralizing contract management and negotiation can optimize spend and/or deliver access to better service.
    • Centralize management for contracts that cover most of the organization, are highly complex, involve large spend and/or higher risk, and will benefit from specialization of asset staff.
    Why decentralize?
    • Budgeting, governance, and accountability rest with local organizations.
    • There may be increased need for high levels of customer responsiveness and support.
    • Decentralize contract management for contracts used only by local groups (e.g. a few divisions, a few specialized functions), and that are smaller, low risk, and come with standard terms and conditions.
    Requirements for success:
    • A centralized IT asset management solution is implemented and managed.
    • Contract terms must be harmonized across the organization.
    • Centralized fulfillment is as streamlined as possible. For example, software contracts should include the right to install at any time and pay through a true-up process.
    Requirements for success:
    • Any expectations for harmonization with the centralized asset management team will be well defined and supported.
    • Local asset managers can collaborate with other local ITAM leads to support knowledge transfer, asset swapping, etc.

    Structure technology management

    Are there opportunities to centralize or decentralize support functions?

    Why centralize?
    • Standard technologies are deployed organization-wide.
    • There are opportunities to improve service and optimize costs by consolidating knowledge, service contracts, and support functions.
    • Centralizing data on product supply allows for easier harvest and redeployment of assets by a central support team.
    • A stable, central support function can better support localized needs during seasonal staffing changes, mergers and acquisitions.
    Why decentralize?
    • Technology is unique to a local subset of users or customers.
    • Minimal opportunity for savings or better support by consolidating knowledge, service contracts, or support functions.
    • Refresh standards are set at a local level; new tech adoption may be impeded by a reliance on older technologies, local budget shortfalls, or other constraints.
    • Hardware may need to be managed locally if shipping costs and times can’t reasonably be met by a distant central support team.
    Requirements for success:
    • Ensure required processes, technologies, skills, and knowledge are in place to enable centralized support.
    • Keep a central calendar of contract renewals, including reminders to start work on the renewal no less than 90 days prior. Prioritize contracts with high dollar value or high risk.
    • The central asset management solution should be configured to provide data that can enable the central support team.
    Requirements for success:
    • Ensure required processes, technologies, skills, and knowledge are in place to enable decentralized support.
    • Decentralized support teams must understand and adhere to ITAM activities that are part of support work (e.g. data entry, data audits).
    • The central asset management solution should be configured to provide data that can enable the central support team, or decentralized asset solutions must be funded, and teams trained on their use.

    2.3 Review ITAM Structure

    1-2 hours

    Input: Understanding of current organizational structure, Understanding of challenges and opportunities related to the current structure

    Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers, ITAM business partners

    Outline the current model for your organization and identify opportunities to centralize or decentralize ITAM-related activities.

    1. What model best describes how ITAM should be structured in your organization? Modify the slide outlining structure as a group to outline your own organization, as required.
    2. In the table below, outline opportunities to centralize or decentralize data tracking, budget and contract management, and technology management activities.
    Centralize Decentralize
    Data collection & analysis
    • Make better use of central ITAM database.
    • Support local IT departments building runbooks for data tracking during lifecycle activities (create templates, examples)
    Budget and contract management
    • Centralize Microsoft contracts.
    • Create a runbook to onboard new companies to MSFT contracts.
    • Create tools and data views to support local department budget exercises.
    Technology management
    • Ensure all end-user devices are visible to centrally managed InTune, ConfigMgr.
    • Enable direct shipping from vendor to local sites.
    • Establish disposal/pickup at local sites.

    Add your results to your copy of the ITAM Strategy Template

    Step 2.4: Create a RACI

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers
    • ITAM business partners

    Outcomes

    • Review the role of the IT asset manager.
    • Identify who’s responsible, accountable, consulted, and informed for key ITAM activities.

    Empower your asset manager

    The asset manager is the critical ITAM role. Ensure they’re positioned to succeed.

    There’s too much change in the technology and business environment to expect ITAM to be “a problem to solve.” It is a practice that requires care and feeding through regular iteration to achieve success. At the helm of this practice is your asset manager, whose approach and past experience will have a significant impact on how you approach ITAM.

    The asset manager role requires a variety of skills, knowledge, and abilities including:

    • Operations, process, and practice management.
    • An ability to communicate, influence, negotiate, and facilitate.
    • Organizational knowledge and relationship management.
    • Contract and license agreement analysis, attention to detail.
    • Natural curiosity and a willingness to learn.
    • A strong understanding of technologies in use by the organization, and how they fit into the asset management program.
    Where the asset manager sits in the organization will also have an impact on their focus and priorities. When the asset manager reports into a service team, their focus will often reflect their team’s focus: end-user devices and software, customer satisfaction, request fulfillment. Asset teams that report into a leadership or governance function will be more likely to focus on organization-wide assets, governance, budget management, and compliance.

    “Where your asset manager sits, and what past experience they have, is going to influence how they do asset management.” (Jeremy Boerger, Consultant & Author)

    “It can be annoying at times, but a good IT asset manager will poke their nose into activities that do not obviously concern them, such as programme and project approval boards and technical design committees. Their aim is to identify and mitigate ITAM risks BEFORE the technology is deployed as well as to ensure that projects and solutions ‘bake in’ the necessary processes and tools that ensure IT assets can be managed effectively throughout their lifecycle.” (Kylie Fowler, ITAM by Design, 2017)

    IT asset managers must have a range of skills and knowledge

    • ITAM Operations, Process, and Practice Management
      The asset manager is typically responsible for managing and improving the ITAM practice and related processes and tools. The asset manager may administer the ITAM tool, develop reports and dashboards, evaluate and implement new technologies or services to improve ITAM maturity, and more.
    • Organizational Knowledge
      An effective IT asset manager has a good understanding of your organization and its strategy, products, stakeholders, and culture.
    • Technology & Product Awareness
      An IT asset manager must learn about new and changing technologies and products adopted by the organization (e.g. IoT, cloud) and develop recommendations on how to track and manage them via the ITAM practice.
    A book surrounded by icons corresponding to the bullet points.
    • People Management
      Asset managers often manage a team directly and have dotted-line reports across IT and the business.
    • Communication
      Important in any role, but particularly critical where learning, listening, negotiation, and persuasion are so critical.
    • Finance & Budgeting
      A foundational knowledge of financial planning and budgeting practices is often helpful, where the asset manager is asked to contribute to these activities.
    • Contract Review & Analysis
      Analyze new and existing contracts to evaluate changes, identify compliance requirements, and optimize spend.

    Assign ITAM responsibilities and accountabilities

    Align authority and accountability.
    • A RACI exercise will help you discuss and document accountability and responsibility for critical ITAM activities.
    • When responsibility and accountability are not currently well documented, it’s often useful to invite a representative of the roles identified to participate in this alignment exercise. The discussion can uncover contrasting views on responsibility and governance, which can help you build a stronger management and governance model.
    • The RACI chart can help you identify who should be involved when making changes to a given activity. Clarify the variety of responsibilities assigned to each key role.
    • In the future, you may need to define roles in more detail as you change your hardware and software asset management procedures.

    R

    Responsible: The person who actually gets the job done.

    Different roles may be responsible for different aspects of the activity relevant to their role.

    A

    Accountable: The one role accountable for the activity (in terms completion, quality, cost, etc.)

    Must have sufficient authority to be held accountable; responsible roles are often accountable to this role.

    C

    Consulted: Must have the opportunity to provide meaningful input at certain points in the activity.

    Typically, subject matter experts or stakeholders. The more people you must consult, the more overhead and time you’ll add to a process.

    I

    Informed: Receives information regarding the task, but has no requirement to provide feedback.

    Information might relate to process execution, changes, or quality.

    2.4 Conduct a RACI Exercise

    1-2 hours

    Input: An understanding of key roles and activities in ITAM practices, An understanding of your organization, High-level structure of your ITAM program

    Output: A RACI diagram for IT asset management

    Materials: The table in the next slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers, ITAM business partners

    Let’s face it – RACI exercises can be dry. We’ve found that the approach below is more collaborative, engaging, and effective compared to filling out the table as a large group.

    1. Create a shared working copy of the RACI charts on the following slides (e.g. write it out on a whiteboard or provide a link to this document and work directly in it).
    2. Review the list of template roles and activities as a group. Add, change, or remove roles and activities from the table as needed.
    3. Divide into small groups. Assign each group a set of roles, and have them define whether that role is accountable, responsible, consulted, or informed for each activity in the chart. Refer to the previous slide for context on RACI. Give everyone 15 minutes to update their section of the chart.
    4. Come back together as a large group to review the chart. First, check for accountability – there should generally be just one role accountable for each activity. Then, have each small group walk through their section, and encourage participants to ask questions. Is there at least one role responsible for each task, and what are they responsible for? Does everyone listed as consulted or informed really need to be? Make any necessary adjustments.

    Add your results to your copy of the ITAM Strategy Template

    Define ITAM governance activities

    RACI Chart for ITAM governance activities. In the first column is a list of governance activities, and the row headers are positions within a company. Fields are marked with an R, A, C, or I.

    Document asset management responsibilities and accountabilities

    RACI Chart for ITAM asset management responsibilities and accountabilities. In the first column is a list of responsibilities and accountabilities, and the row headers are positions within a company. Fields are marked with an R, A, C, or I.

    Step 2.5: Align ITAM with other Service Management Practices

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers

    Outcomes

    • Establish shared and separate responsibilities for asset and configuration management.
    • Identify how ITAM can support other practices, and how other practices can support ITAM.

    Asset vs. Configuration

    Asset and configuration management look at the same world through different lenses.
    • IT asset management tends to focus on each IT asset in its own right: assignment or ownership, its lifecycle, and related financial obligations and entitlements.
    • Configuration management is focused on configuration items (CIs) that must be managed to deliver a service and the relationships and integrations to other CIs.
    • ITAM and configuration management teams and practices should work closely together. Though asset and configuration management focus on different outcomes, they tend use overlapping tools and data sets. Each practice, when working effectively, can strengthen the other.
    • Many objects will exist in both the CMDB and AMDB, and the data on those shared objects will need to be kept in sync.
    Asset and Configuration Management: An Example

    Configuration Management Database (CMDB)

    A database of uniquely identified configuration items (CIs). Each CI record may include information on:
    Service Attributes

    Supported Service(s)
    Service Description, Criticality, SLAs
    Service Owners
    Data Criticality/Sensitivity

    CI Relationships

    Physical Connections
    Logical Connections
    Dependencies

    Arrow connector.

    Discovery, Normalization, Dependency Mapping, Business Rules*

    Manual Data Entry

    Arrow connector.
    This shared information could be attached to asset records, CI records, or both, and it should be synchronized between the two databases where it’s tracked in both.
    Hardware Information

    Serial, Model and Specs
    Network Address
    Physical Location

    Software Installations

    Hypervisor & OS
    Middleware & Software
    Software Configurations

    Arrow connector.

    Asset Management Database (AMDB)

    A database of uniquely identified IT assets. Each asset record may include information on:
    Procurement/Purchasing

    Purchase Request/Purchase Order
    Invoice and Cost
    Cost Center
    Vendor
    Contracts and MSAs
    Support/Maintenance/Warranties

    Asset Attributes

    Model, Title, Product Info, License Key
    Assigned User
    Lifecycle Status
    Last ITAM Audit Date
    Certificate of Disposal

    Arrows connecting multiple fields.

    IT Security Systems

    Vulnerability Management
    Threat Management
    SIEM
    Endpoint Protection

    IT Service Management (ITSM) System

    Change Tickets
    Request Tickets
    Incident Tickets
    Problem Tickets
    Project Tickets
    Knowledgebase

    Financial System/ERP

    General Ledger
    Accounts Payable
    Accounts Receivable
    Enterprise Assets
    Enterprise Contract Database

    (*Discovery, dependency mapping, and data normalization are often features or modules of configuration management, asset management, or IT service management tools.)

    2.5 Integrate ITAM and configuration practices

    45 minutes

    Input: Knowledge of the organization’s configuration management processes

    Output: Define how ITAM and configuration management will support one another

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers, Configuration manager

    Work through the table below to identify how you will collaborate and synchronize data across ITAM and configuration management practices and tools.

    What are the goals (if any currently exist) for the configuration management practice? Connect configuration items to services to support service management.
    How will configuration and asset management teams collaborate? Weekly status updates. As-needed working sessions.
    Shared visibility on each others’ Kanban tracker.
    Create tickets to raise and track issues that require collaboration or attention from the other team.
    How can config leverage ITAM? Connect CIs to financial, contractual, and ownership data.
    How can ITAM leverage config? Connect assets to services, changes, incidents.
    What key fields will be primarily tracked/managed by ITAM? Serial number, unique ID, user, location, PO number, …
    What key fields will be primarily tracked/managed by configuration management? Supported service(s), dependencies, service description, service criticality, network address…

    Add your results to your copy of the ITAM Strategy Template

    ITAM supports service management

    Decoupling asset management from other service management practices can result in lost value. Establish how asset management can support other service management practices – and how those practices can support ITAM.

    Incident Management

    What broke?
    Was it under warranty?
    Is there a service contract?
    Was it licensed?
    Who was it assigned to?
    Is it end-of-life?

    ITAM
    Practice

    Request Management

    What can this user request or purchase?
    What are standard hardware and software offerings?
    What does the requester already have?
    Are there items in inventory to fulfil the request?
    Did we save money by reissuing equipment?
    Is this a standard request?
    What assets are being requested regularly?

    What IT assets are related to the known issue?
    What models and vendors are related to the issue?
    Are the assets covered by a service contract?
    Are other tickets related to this asset?
    What end-of-life assets have been tied to incidents recently?

    Problem Management

    What assets are related to the change?
    Is the software properly licensed?
    Has old equipment been properly retired and disposed?
    Have software licenses been returned to the pool?
    Is the vendor support on the change part of a service contract?

    Change Enablement

    2.5. Connect with other IT service practices

    45 minutes

    Input: Knowledge of existing organizational IT service management processes

    Output: Define how ITAM will help other service management processes, and how other service management processes will help ITAM

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers, Service leads

    Complete the table below to establish what ITAM can provide to other service management practices, and what other practices can provide to ITAM.

    Practice ITAM will help Will help ITAM
    Incident Management Provide context on assets involved in an incident (e.g. ownership, service contracts). Track when assets are involved in incidents (via incident tickets).
    Request Management Oversee request & procurement processes. Help develop asset standards. Enter new assets in ITAM database.
    Problem Management Collect information on assets related to known issues. Report back on models/titles that are generating known issues.
    Change Enablement Provide context on assets for change review. Ensure EOL assets are retired and licenses are returned during changes.
    Capacity Management Identify ownership, location for assets at capacity. Identify upcoming refreshes or purchases.
    Availability Management Connect uptime and reliability to assets. Identify assets that are causing availability issues.
    Monitoring and Event Management Provide context to events with asset data. Notify asset of unrecognized software and hardware.
    Financial Management Establish current and predict future spending. Identify upcoming purchases, renewals.

    Add your results to your copy of the ITAM Strategy Template

    Step 2.6: Evaluate ITAM tools and integrations

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers

    Outcomes

    • Create a list of the ITAM tools currently in use, how they’re used, and their current limitations.
    • Identify new tools that could provide value to the ITAM practice, and what needs to be done to acquire and implement them.

    “Everything is connected. Nothing is also connected.” (Dirk Gently’s Holistic Detective Agency)

    Establish current strengths and gaps in your ITAM toolset

    ITAM data quality relies on tools and integrations that are managed by individuals or teams who don’t report directly to the ITAM function.

    Without direct line of sight into tools management, the ITAM team must influence rather than direct improvement initiatives that are in some cases critical to the performance of the ITAM function. To more effectively influence improvement efforts, you must explicitly identify what you need, why you need it, from which tools, and from which stakeholders.

    Data Sources
    Procurement Tools
    Discovery Tools
    Active Directory
    Purchase Documents
    Spreadsheets
    Input To Asset System(s) of Record
    ITAM Database
    ITSM Tool
    CMDB
    Output To Asset Data Consumption
    ITFM Tools
    Security Tools
    TEM Tools
    Accounting Tools
    Spreadsheets
    “Active Directory plays a huge role in audit defense and self-assessment, but no-one really goes out there and looks at Active Directory.

    I was talking to one organization that has 1,600,000 AD records for 100,000 employees.” (Mike Austin, Founder, MetrixData 360)

    2.6 Evaluate ITAM existing technologies

    30 minutes

    Input: Knowledge of existing ITAM tools

    Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers

    Identify the use, limitations, and next steps for existing ITAM tools, including those not directly managed by the ITAM team.

    1. What tools do we have today?
    2. What are they used for? What are their limitations?
    3. Who manages them?
    4. What actions could we take to maximize the value of the tools?
    Existing Tool Use Constraints Owner Proposed Action?
    ITAM Module
    • Track HW/SW
    • Connect assets to incident, request
    • Currently used for end-user devices only
    • Not all divisions have access
    • SAM capabilities are limited
    ITAM Team/Service Management
    • Add license for additional read/write access
    • Start tracking infra in this tool
    Active Directory
    • Store user IDs, organizational data
    Major data quality issues IT Operations
    • Work with AD team to identify issues creating data issues

    Add your results to your copy of the ITAM Strategy Template

    2.6 Identify potential new tools

    30 minutes

    Input: Knowledge of tooling gaps, An understanding of available tools that could remediate gaps

    Output: New tools that can improve ITAM capabilities, including expected value and proposed next steps

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers

    Identify tools that are required to support the identified goals of the ITAM practice.

    1. What types of tools do we need that we don’t have?
    2. What could these tools help us do?
    3. What needs to be done next to investigate or acquire the appropriate tool?
    New Tool Expected Value Proposed Next Steps
    SAM tool
    • Automatically calculate licensing entitlements from contract data.
    • Automatically calculate licensing requirements from discovery data.
    • Support gap analyses.
    • Further develop software requirements.
    • Identify vendors in the space and create a shortlist.

    Add your results to your copy of the ITAM Strategy Template

    Step 2.7: Create a plan for internal and external audits

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers
    • ITAM business partners

    Outcomes

    • Establish your approach to internal data audits.
    • Create a high-level response plan for external audits.

    Validate ITAM data via internal audits

    Data audits provide assurance that the records in the ITAM database are as accurate as possible. Consider these three approaches:

    Compare Tool Records

    Audit your data by comparing records in the ITAM system to other discovery sources.

    • Ideally, use three separate data sources (e.g. ITAM database, discovery tool, security tool). Use a common field, such as the host name, to compare across fields. (To learn more about discovery tool analysis, see Jeremy Boerger’s book, Rethinking IT Asset Management.)
    • Run reports to compare records and identify discrepancies. This could include assets missing from one system or metadata differences such as different users or installed software.
    • Over time, discrepancies between tools should be well understood and accepted; otherwise, they should be addressed and remediated.
    IT-led Audit

    Conduct a hands-on investigation led by ITAM staff and IT technicians.

    • In-person audits require significant effort and resources. Each audit should be scoped and planned ahead of time to focus on known problem areas.
    • Provide the audit team with exact instructions on what needs to be verified and recorded. Depending on the experience and attention to detail of the audit team, you may need to conduct spot checks to ensure you’re catching any issues in the audit process itself.
    • Automation should be used wherever possible (e.g. through barcodes, scanners, and tables for quick access to ITAM records).
    User-led audit

    Have users validate the IT assets assigned to them.

    • Even more than IT-led audits: don’t use this approach too frequently; keep the scope as narrow as possible and the process as simple as possible.
    • Ensure users have all the information and tools they’ll need readily available to complete this task, or the result will be ineffective and will only frustrate your users.
    • Consider a process integrated with your ITSM tool: once a year, when a user logs in to the portal, they will be asked to enter the asset code for their laptop (and provided with instructions on where to find that code). Investigate discrepancies between assignments and ITAM records.

    2.7 Set an approach to internal data audits

    30 minutes

    Input: An understanding of current data audit capabilities and needs

    Output: An outline of how you’ll approach data audits, including frequency, scope, required resources

    Materials: Your copy of the ITAM Strategy Template

    Participants: ITAM team

    Review the three internal data audit approaches outlined on the previous slide, and identify which of the three approaches you’ll use. For each approach, complete the fields in the table below.

    Audit Approach How often? What scope? Who’s involved? Comments
    Compare tool records Monthly Compare ITAM DB, Intune/ConfigMgr, and Vulnerability Scanner Data; focus on end-user devices to start Asset manager will lead at first.
    Work with tool admins to pull data and generate reports.
    IT-led audit Annual End-user devices at a subset of locations Asset manager will work with ITSM admins to generate reports. In-person audit to be conducted by local techs.
    User-led audit Annual Assigned personal devices (start with a pilot group) Asset coordinator to develop procedure with ITSM admin. Run pilot with power users first.

    Add your results to your copy of the ITAM Strategy Template

    Prepare for and respond to external audits and true-ups

    Are you ready when software vendors come knocking?

    • Vendor audits are expensive.
    • If you’re out of compliance, you will at minimum be required to pay the missing license fees. At their discretion, vendors may choose to add punitive fees and require you to cover the hourly cost of their audit teams. If you choose not to pay, the vendor could secure an injunction to cut off your service, which in many cases will be far more costly than the fines. And this is aside from the intangible costs of the disruption to your business and damaged relationships between IT, ITAM, your business, and other partners.
    • Having a plan to respond to an audit is critical to reducing audit risk. Preparation will help you coordinate your audit response, ensure the audit happens on the most favorable possible terms, and even prevent some audits from happening in the first place.
    • The best defense, as they say, is a good offense. Good ITAM and SAM processes will allow you to track acquisition, allocation, and disposal of software licenses; understand your licensing position; and ensure you remain compliant whenever possible. The vendor has no reason to audit you when there’s nothing to find.
    • Know when and where your audit risk is greatest, so you can focus your resources where they can deliver the most value.
    “If software audits are a big part of your asset operations, you have problems. You can reduce the time spent on audits and eliminate some audits by having a proactive ITAM practice.” (Sandi Conrad, Principal Research Director)

    Info-Tech Insight

    Audit defense starts long before you get audited. For an in-depth review of your audit approach, see Info-Tech’s Prepare and Defend Against a Software Audit.

    Identify areas of higher audit risk

    Watch for these warning signs
    • Your organization is visibly fighting fires. Signs of disorder may signal to vendors that there are opportunities to exploit via an audit. Past audit failures make future audits more likely.
    • You are looking for ways to decrease spend. Vendors may counter attempts to true-down licensing by launching an audit to try to find unlicensed software that provides them leverage to negotiate maintained or even increased spending.
    • Your license/contract terms with the vendor are particularly complex or highly customized. Very complex terms may make it harder to validate your own compliance, which may present opportunities to the vendor in an audit.
    • The vendor has earned a reputation for being particularly aggressive with audits. Some vendors include audits as a standard component of their business model to drive revenue. This may include acquiring smaller vendors or software titles that may not have been audit-driven in the past, and running audits on their new customer base.

    “The reality is, software vendors prey on confusion and complication. Where there’s confusion, there’s opportunity.” (Mike Austin, Founder, MetrixData 360)

    Develop an audit response plan

    You will be on the clock once the vendor sends you an audit request. Have a plan ready to go.
    • Don’t panic: Resist knee-jerk reactions. Follow the plan.
    • Form an audit response team and centralize your response: This team should be led by a member of the ITAM group, and it should include IT leadership, software SMEs, representatives from affected business areas, vendor management, contract management, and legal. You may also need to bring on a contractor with deep expertise with the vendor in question to supplement your internal capabilities. Establish clearly who will be the point of contact with the vendor during the audit.
    • Clarify the scope of the audit: Clearly establish what the audit will cover – what products, subsidiaries, contracts, time periods, geographic regions, etc. Manage the auditors to prevent scope creep.
    • Establish who covers audit costs: Vendors may demand the auditee cover the hourly cost of their audit team if you’re significantly out of compliance. Consider asking the vendor to pay for your team’s time if you’re found to be compliant.
    • Know your contract: Vendors’ contracts change over time, and it’s no guarantee that even your vendor’s licensing experts will be aware of the rights you have in your contract. You must know your entitlements to negotiate effectively.
    1. Bring the audit request received to the attention of ITAM and IT leadership. Assemble the response team.
    2. Acknowledge receipt of audit notice.
    3. Negotiate timing and scope of the audit.
    4. Direct staff not to remove or acquire licenses for software under audit without directly involving the ITAM team first.
    5. Gather installation data and documentation to establish current entitlements, including original contract, current contract, addendums, receipts, invoices.
    6. Compare entitlements to installed software.
    7. Investigate any anomalies (e.g. unexpected or non-compliant software).
    8. Review results with the audit response team.

    2.7 Clarify your vendor audit response plan

    1 hour

    Input: Organizational knowledge on your current audit response procedures

    Output: Audit response team membership, High-level audit checklist, A list of things to start, stop, and continue doing as part of the audit response

    Materials: Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers, ITAM business partners

    1. Who’s on the audit response team, and what’s their role? Who will lead the team? Who will be the point of contact with the auditor?
    2. What are the high-level steps in our audit response workflow? Use the example checklist below as a starting point.
    3. What do we need to start, stop, and continue doing in response to audit requests?

    Example Audit Checklist

    • Bring the audit request received to the attention of ITAM and IT leadership. Assemble the response team.
    • Acknowledge receipt of audit notice.
    • Negotiate timing and scope of the audit.
    • Direct staff not to remove or acquire licenses for software under audit without directly involving the ITAM team first.
    • Gather installation data and documentation to establish current entitlements, including original contract, current contract, addendums, receipts, invoices.
    • Compare entitlements to installed software.
    • Investigate any anomalies (e.g. unexpected or non-compliant software).
    • Review results with the audit response team.

    Add your results to your copy of the ITAM Strategy Template

    Step 2.8: Improve budget processes

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers
    • ITAM business partners

    Outcomes

    • Identify what you need to start, stop, and continue to do to support budgeting processes.

    Improve budgeting and forecasting

    Insert ITAM into budgeting processes to deliver significant value.

    Some examples of what ITAM can bring to the budgeting table:
    • Trustworthy data on deployed assets and spending obligations tied to those assets.
    • Projections of hardware due for replacement in terms of quantity and spend.
    • Knowledge of IT hardware and software contract terms and pricing.
    • Lists of unused or underused hardware and software that could be redeployed to avoid spend.
    • Comparisons of spend year-over-year.

    Being part of the budgeting process positions ITAM for success in other ways:

    • Helps demonstrate the strategic value of the ITAM practice.
    • Provides insight into business and IT strategic projects and priorities for the year.
    • Strengthens relationships with key stakeholders, and positions the ITAM team as trusted partners.

    “Knowing what you have [IT assets] is foundational to budgeting, managing, and optimizing IT spend.” (Dave Kish, Info-Tech, Practice Lead, IT Financial Management)

    Stock image of a calculator.

    2.8 Build better budgets

    20 minutes

    Input: Context on IT budgeting processes

    Output: A list of things to start, stop, and continue doing as part of budgeting exercises

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers, ITAM business partners

    What should we start, stop, and continue doing to support organizational budgeting exercises?

    Start Stop Continue
    • Creating buckets of spend and allocating assets to those buckets.
    • Zero-based review on IaaS instances quarterly.
    • Develop dashboards plugged into asset data for department heads to view allocated assets and spend.
    • Create value reports to demonstrate hard savings as well as cost avoidance.
    • Waiting for business leaders to come to us for help (start reaching out with reports proactively, three months before budget cycle).
    • % increases on IT budgets without further review.
    • Monthly variance budget analysis.
    • What-if analysis for asset spend based on expected headcount increases.

    Add your results to your copy of the ITAM Strategy Template

    Step 2.9: Establish a documentation framework

    Participants

    • Project sponsor and lead facilitator
    • ITAM team

    Outcomes

    • Identify key documentation and gaps in your documentation.
    • Establish where documentation should be stored, who should own it, who should have access, and what should trigger a review.

    Create ITAM documentation

    ITAM documentation will typically support governance or operations.

    Long-term planning and governance
    • ITAM policy and/or related policies (procurement policy, security awareness policy, acceptable use policy, etc.)
    • ITAM strategy document
    • ITAM roadmap or burndown list
    • Job descriptions
    • Functional requirements documents for ITAM tools

    Operational documentation

    • ITAM SOPs (hardware, software) and workflows
    • Detailed work instructions/knowledgebase articles
    • ITAM data/records
    • Contracts, purchase orders, invoices, MSAs, SOWs, etc.
    • Effective Licensing Position (ELP) reports
    • Training and communication materials
    • Tool and integration documentation
    • Asset management governance, operations, and tools typically generate a lot of documentation.
    • Don’t create documentation for the sake of documentation. Prioritize building and maintaining documentation that addresses major risks or presents opportunities to improve the consistency and reliability of key processes.
    • Maximize the value of ITAM documentation by ensuring it is as current, accessible, and usable as it needs to be.
    • Clearly identify where documentation is stored and who should have access to it.
    • Identify who is accountable for the creation and maintenance of key documentation, and establish triggers for reviews, updates, and changes.

    Consider ITAM policies

    Create policies that can and will be monitored and enforced.
    • Certain requirements of the ITAM practice may need to be backed up by corporate policies: formal statements of organizational expectations that must be recognized by staff, and which will lead to sanctions/penalties if breached.
    • Some organizations will choose to create one or more ITAM-specific policies. Others will include ITAM-related statements in other existing policies, such as acceptable use policies, security training and awareness policies, procurement policies, configuration policies, e-waste policies, and more.
    • Ensure that you are prepared to monitor compliance with policies and evenly enforce breaches of policy. Failing to consistently enforce your policies exposes you and your organization to claims of negligence or discriminatory conduct.
    • For a template for ITAM-specific policies, see Info-Tech’s policy templates for Hardware Asset Management and Software Asset Management.

    2.9 Establish documentation gaps

    15-30 minutes

    Input: An understanding of existing documentation gaps and risks

    Output: Documentation gaps, Identified owners, repositories, access rights, and review/update protocols

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, Optional: IT managers, ITAM business partners

    Discuss and record the following:

    • What planning/governance, operational, and tooling documentation do we still need to create? Who is accountable for the creation and maintenance of these documents?
    • Where will the documentation be stored? Who can access these documents?
    • What will trigger reviews or changes to the documents?
    Need to Create Owner Stored in Accessible by Trigger for review
    Hardware asset management SOP ITAM manager ITAM SharePoint site › Operating procedures folder
    • All IT staff
    • Annual review
    • As-needed for major tooling changes that require a documentation update

    Add your results to your copy of the ITAM Strategy Template

    Step 2.10: Create a roadmap and communication plan

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers

    Outcomes

    • A timeline of key ITAM initiatives.
    • Improvement ideas aligned to key initiatives.
    • A communication plan tailored to key stakeholders.
    • Your ITAM Strategy document.

    “Understand that this is a journey. This is not a 90-day project. And in some organizations, these journeys could be three or five years long.” (Mike Austin, MetrixData 360)

    2.10 Identify key ITAM initiatives

    30-45 minutes

    Input: Organizational strategy documents

    Output: A roadmap that outlines next steps

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers, Project sponsor

    1. Identify key initiatives that are critical to improving practice maturity and meeting business goals.
    2. There should only be a handful of really key initiatives. This is the work that will have the greatest impact on your ability to deliver value. Too many initiatives muddy the narrative and can distract from what really matters.
    3. Plot the target start and end dates for each initiative in the business and IT transformation timeline you created in Phase 1.
    4. Review the chart and consider – what new capabilities should the ITAM practice have once the identified initiatives are complete? What transformational initiatives will you be better positioned to support?

    Add your results to your copy of the ITAM Strategy Template

    Transformation Timeline

    Example transformation timeline with row headers 'Business Inititiaves', 'IT Initiatives', and 'ITAM Initiatives'. Each initiative is laid out along the timeline appropriately.

    2.10 Align improvement ideas to initiatives

    45 minutes

    Input: Key initiatives, Ideas for ITAM improvement collected over the course of previous exercises

    Output: Concrete action items to support each initiative

    Materials: The table in the next slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers, Project sponsor

    As you’ve been working through the previous exercises, you have been tracking ideas for improvement – now we’ll align them to your roadmap.

    1. Review the list of ideas for improvement you’ve produced over the working sessions. Consolidate the list – are there any ideas that overlap or complement each other? Record any new ideas. Frame each idea as an action item – something you can actually do.
    2. Connect the action items to initiatives. It may be that not every action item becomes part of a key initiative. (Don’t lose ideas that aren’t part of key initiatives – track them in a separate burndown list or backlog.)
    3. Identify a target completion date and owner for each action item that’s part of an initiative.

    Add your results to your copy of the ITAM Strategy Template

    Example ITAM initiatives

    Initiative 1: Develop hardware/software standards
    Task Target Completion Owner
    Laptop standards Q1-2023 ITAM manager
    Identify/eliminate contracts for unused software using scan tool Q2-2023 ITAM manager
    Review O365 license levels and standard service Q3-2023 ITAM manager

    Initiative 2: Improve ITAM data quality
    Task Target Completion Owner
    Implement scan agent on all field laptops Q3-2023 Desktop engineer
    Conduct in person audit on identified data discrepancies Q1-2024 ITAM team
    Develop and run user-led audit Q1-2024 Asset manager

    Initiative 3: Acquire & implement a new ITAM tool
    Task Target Completion Owner
    Select an ITAM tool Q3-2023 ITAM manager
    Implement ITAM tool, incl. existing data migration Q1-2024 ITAM manager
    Training on new tool Q1-2024 ITAM manager
    Build KPIs, executive dashboards in new tool Q2-2024 Data analyst
    Develop user-led audit functionality in new tool Q3-2024 ITAM coordinator

    2.10 Create a communication plan

    45 minutes

    Input: Proposed ITAM initiatives, Stakeholder priorities and goals, and an understanding of how ITAM can help them meet those goals

    Output: A high-level communication plan to communicate the benefits and impact of proposed changes to the ITAM program

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: IT asset manager, Project sponsor

    Develop clear, consistent, and targeted messages to key ITAM stakeholders.

    1. Modify the list of stakeholders in the first column.
    2. What benefits should those stakeholders realize from ITAM? What impact may the proposed improvements have on them? Refer back to exercises from Phase 1, where you identified key stakeholders, their priorities, and how ITAM could help them.
    3. Identify communication channels (in-person, email, all-hands meeting, etc.) and timing – when you’ll distribute the message. You may choose to use more than one channel, and you may need to convey the message more than once.
    Group ITAM Benefits Impact Channel(s) Timing
    CFO
    • More accurate IT spend predictions
    • Better equipment utilization and value for money
    • Sponsor integration project between ITAM DB and financial system
    • Support procurement procedures review
    Face-to-face – based on their availability Within the next month
    CIO
    • Better oversight into IT spend
    • Data to help demonstrate IT value
    • Resources required to support tool and ITAM process improvements
    Standing bi-monthly 1:1 meetings Review strategy at next meeting
    IT Managers
    Field Techs

    Add your results to your copy of the ITAM Strategy Template

    2.10 Put the final touches on your ITAM Strategy

    30 minutes

    Input: Proposed ITAM initiatives, Stakeholder priorities and goals, and an understanding of how ITAM can help them meet those goals

    Output: A high-level communication plan to communicate the benefits and impact of proposed changes to the ITAM program

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: IT asset manager, Project sponsor

    You’re almost done! Do a final check of your work before you send a copy to your participants.

    1. Summarize in three points the key findings from the activities you’ve worked through. What have you learned? What are your priorities? What key message do you need to get across? Add these to the appropriate slide near the start of the ITAM Strategy Template.
    2. What are your immediate next steps? Summarize no more than five and add them to the appropriate slide near the start of the ITAM Strategy Template.
      1. Are you asking for something? Approval for ITAM initiatives? Funding? Resources? Clearly identify the ask as part of your next steps.
    3. Are the KPIs identified in Phase 1 still valid? Will they help you monitor for success in the initiatives you’ve identified in Phase 2? Make any adjustments you think are required to the KPIs to reflect the additional completed work.

    Add your results to your copy of the ITAM Strategy Template

    Research Contributors and Experts

    Kylie Fowler
    Principal Consultant
    ITAM Intelligence

    Kylie is an experienced ITAM/FinOps consultant with a track record of creating superior IT asset management frameworks that enable large companies to optimize IT costs while maintaining governance and control.

    She has operated as an independent consultant since 2009, enabling organizations including Sainsbury's and DirectLine Insurance to leverage the benefits of IT asset management and FinOps to achieve critical business objectives. Recent key projects include defining an end-to-end SAM strategy, target operating model, policies and processes which when implemented provided a 300% ROI.

    She is passionate about supporting businesses of all sizes to drive continuous improvement, reduce risk, and achieve return on investment through the development of creative asset management and FinOps solutions.

    Rory Canavan
    Owner and Principal Consultant
    SAM Charter

    Rory is the founder, owner, and principal consultant of SAM Charter, an internationally recognized consultancy in enterprise-wide Software & IT Asset Management. As an industry leader, SAM Charter is uniquely poised to ensure your IT & SAM systems are aligned to your business requirements.

    With a technical background in business and systems analysis, Rory has a wide range of first-hand experience advising numerous companies and organizations on the best practices and principles pertaining to software asset management. This experience has been gained in both military and civil organizations, including the Royal Navy, Compaq, HP, the Federation Against Software Theft (FAST), and several software vendors.

    Research Contributors and Experts

    Jeremy Boerger
    Founder, Boerger Consulting
    Author of Rethinking IT Asset Management

    Jeremy started his career in ITAM fighting the Y2K bug at the turn of the 21st century. Since then, he has helped companies in manufacturing, healthcare, banking, and service industries build and rehabilitate hardware and software asset management practices.

    These experiences prompted him to create the Pragmatic ITAM method, which directly addresses and permanently resolves the fundamental flaws in current ITAM and SAM implementations.

    In 2016, he founded Boerger Consulting, LLC to help business leaders and decision makers fully realize the promises a properly functioning ITAM can deliver. In his off time, you will find him in Cincinnati, Ohio, with his wife and family.

    Mike Austin
    Founder and CEO
    MetrixData 360

    Mike Austin leads the delivery team at MetrixData 360. Mike brings more than 15 years of Microsoft licensing experience to his clients’ projects. He assists companies, from Fortune 500 to organizations with as few as 500 employees, with negotiations of Microsoft Enterprise Agreements (EA), Premier Support Contracts, and Select Agreements. In addition to helping negotiate contracts, he helps clients build and implement software asset management processes.

    Previously, Mike was employed by Microsoft for more than 8 years as a member of the global sales team. With Microsoft, Mike successfully negotiated more than a billion dollars in new and renewal EAs. Mike has also negotiated legal terms and conditions for all software agreements, developed Microsoft’s best practices for global account management, and was awarded Microsoft’s Gold Star Award in 2003 and Circle of Excellence in 2008 for his contributions.

    Bibliography

    “Asset Management.” SFIA v8. Accessed 17 March 2022.

    Boerger, Jeremy. Rethinking IT Asset Management. Business Expert Press, 2021.

    Canavan, Rory. “C-Suite Cheat Sheet.” SAM Charter, 2021. Accessed 17 March 2022.

    Fisher, Matt. “Metrics to Measure SAM Success.” Snow Software, 26 May 2015. Accessed 17 March 2022.

    Flexera (2021). “State of ITAM Report.” Flexera, 2021. Accessed 17 March 2022.

    Fowler, Kylie. “ITAM by design.” BCS, The Chartered Institute for IT, 2017. Accessed 17 March 2022.

    Fowler, Kylie. “Ch-ch-ch-changes… Is It Time for an ITAM Transformation?” ITAM Intelligence, 2021. Web. Accessed 17 March 2022.

    Fowler, Kylie. “Do you really need an ITAM policy?” ITAM Accelerate, 15 Oct. 2021. Accessed 17 March 2022.

    Hayes, Chris. “How to establish a successful, long-term ITAM program.” Anglepoint, Sept. 2021. Accessed 17 March 2022.

    ISO/IEC 19770-1-2017. IT Asset Management Systems – Requirements. Third edition. ISO, Dec 2017.

    Joret, Stephane. “IT Asset Management: ITIL® 4 Practice Guide”. Axelos, 2020.

    Jouravlev, Roman. “IT Service Financial Management: ITIL® 4 Practice Guide”. Axelos, 2020.

    Pagnozzi, Maurice, Edwin Davis, Sam Raco. “ITAM Vs. ITSM: Why They Should Be Separate.” KPMG, 2020. Accessed 17 March 2022.

    Rumelt, Richard. Good Strategy, Bad Strategy. Profile Books, 2013.

    Stone, Michael et al. “NIST SP 1800-5 IT Asset Management.” Sept, 2018. Accessed 17 March 2022.

    Create a Game Plan to Implement Cloud Backup the Right Way

    • Buy Link or Shortcode: {j2store}469|cart{/j2store}
    • member rating overall impact: 7.0/10 Overall Impact
    • member rating average dollars saved: $2,000 Average $ Saved
    • member rating average days saved: 5 Average Days Saved
    • Parent Category Name: Storage & Backup Optimization
    • Parent Category Link: /storage-and-backup-optimization
    • Cloud adoption is frequently driven by hype rather than careful consideration of the best-fit solution.
    • IT is frequently rushed into cloud adoption without appropriate planning.
    • Organizations frequently lack appropriate strategies to deal with cloud-specific backup challenges.
    • Insufficient planning for cloud backup can exacerbate problems rather than solving them, leading to poor estimates of the cost and effort involved, budget overruns, and failure to meet requirements.

    Our Advice

    Critical Insight

    • The cloud isn’t a magic bullet, but it tends to deliver the most value to organizations with specific use cases – frequently smaller organizations who are looking to avoid the cost of building or upgrading a data center.
    • Cloud backup does not necessarily reduce backup costs so much as it moves them around. Cloud backup distributes costs over a longer term. Organizations need to compare the difference in CAPEX and OPEX to determine if making the move makes financial sense.
    • The cloud can deliver a great deal of value for organizations who are looking to reduce the operational effort demanded by an existing tape library for second- or third-tier backups.
    • Data security risks in some cases may be overstated, depending on what on-premises security is available. However, targeting backup to the cloud introduces other risks that need to be considered before implementation is given the green light.

    Impact and Result

    • Understand if cloud backup is the right solution for actual organizational needs.
    • Make an informed decision about targeting backup to the cloud by considering the big picture TCO and effort level involved in adoption.
    • Have a ready strategy to mitigate the most common challenges with cloud adoption projects.
    • Develop a roadmap that lays out the required step-by-step to implement cloud backup.

    Create a Game Plan to Implement Cloud Backup the Right Way Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Understand the benefits and risks of targeting backups to the cloud

    Build a plan to mitigate the risks associated with backing data up in the cloud.

    • Storyboard: Create a Game Plan to Implement Cloud Backup the Right Way

    2. Determine if the cloud can meet the organization's data requirements

    Assess if the cloud is a good fit for your organization’s backup data.

    • Cloud Backup Implementation Game Plan Tool

    3. Mitigate the Challenges of Backing Up to the Cloud

    Build a cloud challenge contingency plan.

    4. Build a Cloud Backup Implementation Roadmap

    Perform a gap analysis to determine cloud backup implementation initiatives.

    Infographic

    Workshop: Create a Game Plan to Implement Cloud Backup the Right Way

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Evaluate the business case for targeting backup at the cloud

    The Purpose

    Understand how cloud backup will affect backup and recovery processes

    Determine backup and recovery objectives

    Assess the value proposition of cloud backup

    Key Benefits Achieved

    A high-level understanding of the benefits of moving to cloud backup

    A best-fit analysis of cloud backup in comparison to organizational needs

    Activities

    1.1 Document stakeholder goals for cloud backup

    1.2 Document present backup processes

    1.3 Document ideal backup processes

    1.4 Review typical benefits of cloud backup

    Outputs

    Documented stakeholder goals

    Current backup process diagrams

    Ideal backup process diagram

    2 Identify candidate data sets and assess opportunities and readiness

    The Purpose

    Identify candidate data sets for cloud-based backup

    Determine RPOs and RTOs for candidate data sets

    Identify potential value specific to each data set for targeting backup at the cloud

    Evaluate organizational readiness for targeting backup at the cloud

    Key Benefits Achieved

    Documented recovery objectives

    Recommendations for cloud backup based on actual organizational needs and readiness

    Activities

    2.1 Document candidate data sets

    2.2 Determine recovery point and recovery time objectives for candidate data sets

    2.3 Identify potential value of cloud-based backup for candidate data sets

    2.4 Discuss the risk and value of cloud-based backup versus an on-premises solution

    2.5 Evaluate organizational readiness for cloud backup

    2.6 Identify data sets to move to the cloud

    Outputs

    Validated list of candidate data sets

    Specific RPOs and RTOs for core data sets

    An assessment of the value of cloud backup for data sets

    A tool-based recommendation for moving backups to the cloud

    3 Mitigate the challenges of backing up to the cloud

    The Purpose

    Understand different cloud provider models and their specific risks

    Identification of how cloud backup will affect IT infrastructure and personnel

    Strategize ways to mitigate the most common challenges of implementing cloud backup

    Understand the client/vendor relationship in cloud backup

    Understand the affect of cloud backup on data security

    Key Benefits Achieved

    Verified best-fit cloud provider model for organizational needs

    Verified strategy for meeting the most common challenges for cloud-based backup

    A strong understanding of how cloud backup will change IT

    Strategies for approaching vendors to ensure a strong footing in negotiations and clear expectations for the client/vendor relationship

    Activities

    3.1 Discuss the impact of cloud backup on infrastructure and IT environment

    3.2 Create a cloud backup risk contingency plan

    3.3 Document compliance and security regulations

    3.4 Identify client and vendor responsibilities for cloud backup

    3.5 Discuss and document the impact of cloud backup on IT roles and responsibilities

    3.6 Compile a list of implementation intiatives

    3.7 Evaluate the financial case for cloud backup

    Outputs

    Cloud risk assessment

    Documented contingency strategies for probabe risks

    Negotiation strategies for dealing with vendors

    A committed go/no-go decision on the value of cloud backup weighted against the effort of implementation

    4 Build a cloud backup implementation roadmap

    The Purpose

    Create a road map for implementing cloud backup

    Key Benefits Achieved

    Determine any remaining gaps between the present state and the ideal state for cloud backup

    Understand the steps and time frame for implementing cloud backup

    Allocate roles and responsibilities for the implementation intitiative

    A validated implementation road map

    Activities

    4.1 Perform a gap analysis to generate a list of implementation intiatives

    4.2 Prioritize cloud backup initiatives

    4.3 Assess risks and dependencies for critical implementation initiatives

    4.4 Assign ownership over implementation tasks

    4.5 Determine road map time frame and structure

    4.6 Populate the roadmap with cloud backup initiatives

    Outputs

    A validated gap analysis

    A prioritized list of cloud backup initiatives

    Documented dependencies and risks associated with implementation tasks

    A roadmap for targeting backups at the cloud

    Integrate Threat Intelligence Into Your Security Operations

    • Buy Link or Shortcode: {j2store}320|cart{/j2store}
    • member rating overall impact: 9.0/10 Overall Impact
    • member rating average dollars saved: 2 Average Days Saved
    • member rating average days saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • Parent Category Name: Threat Intelligence & Incident Response
    • Parent Category Link: /threat-intelligence-incident-response
    • Organizations have limited visibility into their threat landscape, and as such are vulnerable to the latest attacks, hindering business practices, workflow, revenue generation, and damaging their public image.
    • Organizations are developing ad hoc intelligence capabilities that result in operational inefficiencies, the misalignment of resources, and the misuse of their security technology investments.
    • It is difficult to communicate the value of a threat intelligence solution when trying to secure organizational buy-in and the appropriate resourcing.
    • There is a vast array of “intelligence” in varying formats, often resulting in information overload.

    Our Advice

    Critical Insight

    1. Information alone is not actionable. A successful threat intelligence program contextualizes threat data, aligns intelligence with business objectives, and then builds processes to satisfy those objectives.
    2. Your security controls are diminishing in value (if they haven’t already). As technology in the industry evolves, threat actors will inevitably adopt new tools, tactics, and procedures; a threat intelligence program can provide relevant situational awareness to stay on top of the rapidly-evolving threat landscape.
    3. Your organization might not be the final target, but it could be a primary path for attackers. If you exist as a third-party partner to another organization, your responsibility in your technology ecosystem extends beyond your own product/service offerings. Threat intelligence provides visibility into the latest threats, which can help you avoid becoming a backdoor in the next big data breach.

    Impact and Result

    • Assess the needs and intelligence requirements of key stakeholders.
    • Garner organizational buy-in from senior management.
    • Identify organizational intelligence gaps and structure your efforts accordingly.
    • Understand the different collection solutions to identify which best supports your needs.
    • Optimize the analysis process by leveraging automation and industry best practices.
    • Establish a comprehensive threat knowledge portal.
    • Define critical threat escalation protocol.
    • Produce and share actionable intelligence with your constituency.
    • Create a deployment strategy to roll out the threat intelligence program.
    • Integrate threat intelligence within your security operations.

    Integrate Threat Intelligence Into Your Security Operations Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should implement a threat intelligence program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Plan for a threat intelligence program

    Assess current capabilities and define an ideal target state.

    • Integrate Threat Intelligence Into Your Security Operations – Phase 1: Plan for a Threat Intelligence Program
    • Security Pressure Posture Analysis Tool
    • Threat Intelligence Maturity Assessment Tool
    • Threat Intelligence Project Charter Template
    • Threat Intelligence RACI Tool
    • Threat Intelligence Management Plan Template
    • Threat Intelligence Policy Template

    2. Design an intelligence collection strategy

    Understand the different collection solutions to identify which best supports needs.

    • Integrate Threat Intelligence Into Your Security Operations – Phase 2: Design an Intelligence Collection Strategy
    • Threat Intelligence Prioritization Tool
    • Threat Intelligence RFP MSSP Template

    3. Optimize the intelligence analysis process

    Begin analyzing and acting on gathered intelligence.

    • Integrate Threat Intelligence Into Your Security Operations – Phase 3: Optimize the Intelligence Analysis Process
    • Threat Intelligence Malware Runbook Template

    4. Design a collaboration and feedback program

    Stand up an intelligence dissemination program.

    • Integrate Threat Intelligence Into Your Security Operations – Phase 4: Design a Collaboration and Feedback Program
    • Threat Intelligence Alert Template
    • Threat Intelligence Alert and Briefing Cadence Schedule Template
    [infographic]

    Optimize the IT Operations Center

    • Buy Link or Shortcode: {j2store}449|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Operations Management
    • Parent Category Link: /i-and-o-process-management
    • Your team’s time is burned up by incident response.
    • Manual repetitive work uses up expensive resources.
    • You don’t have the visibility to ensure the availability the business demands.

    Our Advice

    Critical Insight

    • Sell the project to the business.
    • Leverage the Operations Center to improve IT Operations.

    Impact and Result

    • Clarify lines of accountability and metrics for success.
    • Implement targeted initiatives and track key metrics for continual improvement.

    Optimize the IT Operations Center Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should Optimize the IT Operations Center, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Lightning Phase: Pluck Low-Hanging Fruit for Quick Wins

    Get quick wins to demonstrate early value for investments in IT Operations.

    • Optimize the IT Operations Center – Lightning Phase: Pluck Low-Hanging Fruit for Quick Wins

    2. Get buy-in

    Get buy-in from business stakeholders by speaking their language.

    • Optimize the IT Operations Center – Phase 1: Get Buy-In
    • IT Operations Center Prerequisites Assessment Tool
    • IT Operations Center Stakeholder Buy-In Presentation
    • IT Operations Center Continual Improvement Tracker

    3. Define accountability and metrics

    Formalize process and task accountability and develop targeted metrics.

    • Optimize the IT Operations Center – Phase 2: Define Accountability and Metrics
    • IT Operations Center RACI Charts Template

    4. Assess gaps and prioritize initiatives

    Identify pain points and determine the top solutions.

    • Optimize the IT Operations Center – Phase 3: Assess Gaps and Prioritize Initiatives
    • IT Operations Center Gap and Initiative Tracker
    • IT Operations Center Initiative Prioritization Tool

    5. Launch initiatives and track metrics

    Lay the foundation for implementation and continual improvement.

    • Optimize the IT Operations Center – Phase 4: Launch Initiatives and Track Metrics
    [infographic]

    Workshop: Optimize the IT Operations Center

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Check Foundation

    The Purpose

    Ensure base maturity in IT Operations processes.

    Key Benefits Achieved

    Verify that foundation is in place to proceed with Operations Center project.

    Activities

    1.1 Evaluate base maturity.

    Outputs

    IT Operations Center Prerequisites Assessment Tool

    2 Define Accountabilities

    The Purpose

    Define accountabilities for Operations processes and tasks.

    Key Benefits Achieved

    Documented accountabilities.

    Activities

    2.1 Pluck low-hanging fruit for quick wins.

    2.2 Complete process RACI.

    2.3 Complete task RACI.

    Outputs

    Project plan

    Process RACI

    Task RACI

    3 Map the Challenge

    The Purpose

    Define metrics and identify accountabilities and gaps.

    Key Benefits Achieved

    List of initiatives to address pain points.

    Activities

    3.1 Define metrics.

    3.2 Define accountabilities.

    3.3 Identify gaps.

    Outputs

    IT Operations Center Gap and Initiative Tracker

    4 Build Action Plan

    The Purpose

    Develop an action plan to boost KPIs.

    Key Benefits Achieved

    Action plan and success criteria.

    Activities

    4.1 Prioritize initiatives.

    Outputs

    IT Operations Center Initiative Prioritization Tool

    5 Map Out Implementation

    The Purpose

    Build an implementation plan for continual improvement.

    Key Benefits Achieved

    Continual improvement against identified metrics and KPIs.

    Activities

    5.1 Build implementation plan.

    Outputs

    IT Operations Center Continual Improvement Tracker

    Further reading

    Optimize the IT Operations Center

    Stop burning budget on non-value-adding activities.

    ANALYST PERSPECTIVE

    The Network Operations Center is not in Kansas anymore.

    "The old-school Network Operations Center of the telecom world was heavily peopled and reactionary. Now, the IT Operations Center is about more than network monitoring. An effective Operations Center provides visibility across the entire stack, generates actionable alerts, resolves a host of different incidents, and drives continual improvement in the delivery of high-quality services.
    IT’s traditional siloed approach cannot provide the value the business demands. The modern Operations Center breaks down these silos for the end-to-end view required for a service-focused approach."

    Derek Shank,
    Research Analyst, Infrastructure & Operations
    Info-Tech Research Group

    Our understanding of the problem

    This Research Is Designed For:

    • IT Operations Managers
    • IT Infrastructure Managers
    • CIOs

    This Research Will Help You:

    • Improve reliability of services.
    • Reduce the cost of incident response.
    • Reduce the cost of manual repetitive work (MRW).

    This Research Will Also Assist

    • Business Analysts
    • Project Managers
    • Business Relationship Managers

    This Research Will Help Them

    • Develop appropriate non-functional requirements.
    • Integrate non-functional requirements into solution design and project implementation.

    Executive Summary

    Situation

    • Your team’s time is burned up by incident response.
    • MRW burns up expensive resources.
    • You don’t have the visibility to ensure the availability the business demands.

    Complication

    • The increasing complexity of technology has resulted in siloed teams of specialists.
    • The business views IT Operations as a cost center and doesn’t want to provide resources to support improvement initiatives.

    Resolution

    • Pluck low-hanging fruit for quick wins.
    • Obtain buy-in from business stakeholders by speaking their language.
    • Clarify lines of accountability and metrics for success.
    • Implement targeted initiatives and track key metrics for continual improvement.

    Info-Tech Insight

    1. Sell the project to the business. Your first job is a sales job because executive sponsorship is key to project success.
    2. Worship the holy trinity of metrics: impact of downtime, cost of incident response, and time spent on manual repetitive work (MRW).
    3. Invest in order to profit. Improving the Operations Center takes time and money. Expect short-term pain to realize long-term gain.

    The role of the Network Operations Center has changed

    • The old approach was technology siloed and the Network Operations Center (NOC) only cared about the network.
    • The modern Operations Center is about ensuring high availability of end-user services, and requires cross-functional expertise and visibility across all the layers of the technology stack.
    A pie chart is depicted. The data displayed on the chart, in decreasing order of size, include: Applications; Servers; LAN; WAN; Security; Storage. Source: Metzler, n.d.

    Most organizations lack adequate visibility

    • The rise of hybrid cloud has made environments more complex, not less.
    • The increasing complexity makes monitoring and incident response more difficult than ever.
    • Only 31% of organizations use advanced monitoring beyond what is offered by cloud providers.
    • 69% perform no monitoring, basic monitoring, or rely entirely on the cloud provider’s monitoring tools.
    A Pie chart is depicted. Two data are represented on the chart. The first, representing 69% of the chart, is: Using no monitoring, basic monitoring, or relying only on the cloud vendor's monitoring. the second, representing 31% of the chart, is Using advanced monitoring beyond what cloud vendors provide. Source: InterOp ITX, 2018

    Siloed service level agreements cannot ensure availability

    You can meet high service level agreements (SLAs) for functional silos, but still miss the mark for service availability. The business just wants things to work!

    this image contains Info-Tech's SLA-compliance rating chart, which displays the categories: Available, behaving as expected; Slow/degraded; and Unavailable, for each of: Webserver; Database; Storage; Network; Application; and, Business Service

    The cost of downtime is massive

    Increasing reliance on IT makes downtime hurt more than ever.
    98% of enterprises lose $100,000+.
    81% of enterprises lose $300,000+ per hour of downtime.

    This is a bar graph, showing the cost per hour of downtime, against the percentage of enterprises.

    Source: ITIC, 2016

    IT is asked to do more with less

    Most IT budgets are staying flat or shrinking.

    57% of IT departments expect their budget to stay flat or to shrink from 2018 to 2019.

    This image contains a pie chart with two data, one is labeled: Increase; representing 43% of the chart. The other datum is labeled: Shrink or stay flat, and represents 57% of the chart.

    Unify and streamline IT Operations

    A well-run Operations Center ensures high availability at reasonable cost. Improving your Operations Center results in:

    • Higher availability
    • Increased reliability
    • Improved project capacity
    • Higher business satisfaction

    Measure success with the holy trinity of metrics

    Focus on reducing downtime, cost of incident response, and MRW.

    This image contains a Funnel Chart showing the inputs: Downtime; Cost of Incident Response; MRW; and the output: Reduce for continual improvement

    Start from the top and employ a targeted approach

    Analyze data to get buy-in from stakeholders, and use our tools and templates to follow the process for continual improvement in IT Operations.

    This image depicts a cycle, which includes: Data analysis; Executive Sponsorship; Success Criteria; Gap Assessment; Initiatives; Tracking & Measurement

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Optimize the IT Operations Center – project overview

    Launch the Project

    Identify Enterprise Services

    Identify Line of Business Services

    Complete Service Definitions

    Best-Practice Toolkit

    🗲 Pluck Low-Hanging Fruit for Quick Wins

    1.1 Ensure Base Maturity Is in Place

    1.2 Make the Case

    2.1 Define Accountabilities

    2.2 Define Metrics

    3.1 Assess Gaps

    3.2 Plan Initiatives

    4.1 Lay Foundation

    4.2 Launch and Measure

    Guided Implementations

    Discuss current state.

    Review stakeholder presentation.

    Review RACIs.

    Review metrics.

    Discuss gaps.

    Discuss initiatives.

    Review plan and metric schedule.

    Onsite Workshop Module 1:

    Clear understanding of project objectives and support obtained from the business.

    Module 2:

    Enterprise services defined and categorized.

    Module 3:

    LOB services defined based on user perspective.

    Module 4:

    Service record designed according to how IT wishes to communicate to the business.

    Phase 1 Results:

    Stakeholder presentation

    Phase 2 Results:
    • RACIs
    • Metrics
    Phase 3 Results:
    • Gaps list
    • Prioritized list of initiatives
    Phase 4 Results:
    • Implementation plan
    • Continual improvement tracker

    Workshop overview

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Pre-Workshop Workshop Day 1 Workshop Day 2 Workshop Day 3 Workshop Day 4
    Activities

    Check Foundation

    Define Accountabilities

    Map the Challenge

    Build Action Plan

    Map Out Implementation

    1.1 Ensure base maturity.

    🗲 Pluck low-hanging fruit for quick wins.

    2.1 Complete process RACI.

    2.2 Complete task RACI.

    3.1 Define metrics.

    3.2 Define accountabilities.

    3.2 Identify gaps.

    4.1 Prioritize initiatives.

    5.1 Build implementation plan.

    Deliverables
    1. IT Operations Center Prerequisites Assessment Tool
    1. IT Operations Center RACI Charts Template
    1. IT Operations Center Gap and Initiative Tracker
    1. IT Operations Center Initiative Prioritization Tool
    1. IT Operations Center Continual Improvement Tracker

    PHASE 🗲

    Pluck Low-Hanging Fruit for Quick Wins

    Optimize the IT Operations Center

    Conduct a ticket-trend analysis

    Generate reports on tickets from your IT service management (ITSM) tool. Look for areas that consume the most resources, such as:

    • Recurring tickets.
    • Tickets that have taken a long time to resolve.
    • Tickets that could have been resolved at a lower tier.
    • Tickets that were unnecessarily or improperly escalated.

    Identify issues

    Analyze the tickets:

    • Look for recurring tickets that may indicate underlying problems.
    • Ask tier 2 and 3 technicians to flag tickets that could have been resolved at a lower tier.
    • Identify painful and/or time consuming service requests.
    • Flag any manual repetitive work.

    Write the issues on a whiteboard.

    Oil & Gas IT reduces manual repetitive maintenance work

    CASE STUDY
    Industry Oil & Gas
    Source Interview

    Challenge

    The company used a webserver to collect data from field stations for analytics. The server’s version did not clear its cache – it filled up its own memory and would not overwrite, so it would just lock up and have to be rebooted manually.

    Solution

    The team found out that the volumes and units of data would cause the memory to fill at a certain time of the month. They wrote a script to reboot the machine and set up a planned outage during the appropriate weekend each month.

    Results

    The team never had to do manual reboots again – though they did have to tweak their reboot script not to rely on their calendar, after a shift in production broke the pattern between memory consumption and the calendar.

    Rank the issues

    🗲.1.1 10 minutes

    1. Assign each participant five sticky dots to use for voting.
    2. Have each participant place any number of dots beside the issue(s) of their choice.
    3. Count the dots and rank the top three most important issues.

    INPUT

    • List of issues

    OUTPUT

    • Top three issues

    Materials

    • Whiteboard
    • Markers
    • Sticky dots

    Participants

    • Operations Manager
    • Infrastructure Manager
    • I&O team members

    Brainstorm solutions

    🗲.1.2 10 minutes

    1. Write the three issues at the top of a whiteboard, each at the head of its own column.
    2. Focusing on one issue at a time, brainstorm potential solutions for each issue. Have one person write all the proposed solutions on the board beneath the issue.

    Info-Tech Best Practice

    Do not censor or evaluate the proposed solutions at this time. During brainstorming, focus on coming up with as many potential solutions as possible, no matter how infeasible or outlandish.

    INPUT

    • Top three issues

    OUTPUT

    • Potential solutions

    Materials

    • Whiteboard
    • Markers

    Participants

    • Operations Manager
    • Infrastructure Manager
    • I&O team members

    Evaluate and rank potential solutions

    🗲.1.3 30 minutes

    1. Score the solutions from 1-5 on each of the two dimensions:
    • Attainability
    • Probable efficacy
  • Identify the top scoring solution for each issue. In the event of a tie, vote to determine the winner.
  • Info-Tech Insight

    Quick wins are the best of both worlds. To get a quick win, pick a solution that is both readily attainable and likely to have high impact.

    INPUT

    • Potential solutions

    OUTPUT

    • Ranked list of solutions

    Materials

    • Whiteboard
    • Markers

    Participants

    • Operations Manager
    • Infrastructure Manager
    • I&O team members

    Develop metrics to measure the effectiveness of solutions

    You should now have a top potential solution for each pain point.

    For each pain point and proposed solution, identify the metric that would indicate whether the solution had been effective or not. For example:

    • Pain point: Too many unnecessary escalations for SharePoint issues.
    • Solution: Train tier 1 staff to resolve SharePoint tickets.
    • Metric: % of SharePoint tickets resolved at tier 1.

    Design solutions

    • Some solutions explain themselves. E.g., hire an extra service desk person.
    • Others require more planning and design, as they involve a bespoke solution. E.g., improve asset management process or automate onboarding of new users.
    • For the solutions that require planning, take the time to design each solution fully before rushing to implement it.

    Build solutions

    • Build any of the solutions that require building. For example, any scripting for automations requires the writing of those scripts, and any automated ticket routing requires configuration of your ITSM tool.
    • Part of the build phase for many solutions should also involve designing the tests of those solutions.

    Test solutions – refine and iterate

    • Think about the expected outcome and results of the solutions that require testing.
    • Test each solution under production-like circumstances to see if the results and behavior are as expected.
    • Refine and iterate upon the solutions as necessary, and test again.

    Implement solutions and measure results

    • Before implementing each solution, take a baseline measurement of the metric that will measure success.
    • Implement the solutions using your change management process.
    • After implementation, measure the success of the solution using the appropriate metric.
    • Document the results and judge whether the solution has been effective.

    Use the top result as a case study to obtain buy-in

    Your most effective solution will make a great case study.

    Write up the results and input the case study into the IT Operations Center Stakeholder Buy-In Presentation.

    This image contains a screenshot of info-tech's default format for presenting case studies.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts

    this is a picture of an Info-Tech Analyst
    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.
    The following are sample activities that will be conducted by Info-Tech analysts with your team:
    🗲.1.2 This image contains a screenshot from section 🗲.1.2 of this blueprint.

    Identify issues

    Look for areas that aren’t working optimally.

    🗲.1.3 this image contains a screenshot from section 🗲.1.3 of this blueprint.

    Evaluate and rank potential solutions

    Sort the wheat from the chaff and plan for quick wins.

    PHASE 1

    Get Buy-In

    Optimize the IT Operations Center

    Step 1.1: Ensure Base Maturity Is in Place

    This step will walk you through the following activities:

    • Assess maturity of base IT Operations processes.

    Outcomes of this step

    • Completed IT Operations Center Prerequisites Assessment Tool

    Base processes underpin the Operations Center

    • Before you optimize your Operations Center, you should have foundational ITSM processes in place: service desk, and incident, problem, and change management.
    • Attempting to optimize Operations before it rests on a solid foundation can only lead to frustration.

    IT Operations Center

    • Service Desk
    • Incident Management
    • Problem Management
    • Change Management

    Info-Tech Insight

    ITIL isn’t dead. New technology such as cloud solutions and advanced monitoring tools have transformed how ITSM processes are implemented, but have not obviated them.

    Assess maturity of prerequisite processes

    1.1.1 IT Operations Center Prerequisites Assessment Tool

    • Don’t try to prematurely optimize your Operations Center.
    • Before undertaking this project, you should already have a base level of maturity in the four foundational IT Operations processes.
    • Complete the IT Operations Center Prerequisites Assessment Tool to assess your current level in service desk, incident management, problem management, and change management.
    this image contains a screenshot from Info-Tech's IT Operations Center Prerequisite Assessment

    Make targeted improvements on prerequisite processes if necessary

    If there are deficiencies in any of your foundational processes, take the time to remedy those first before proceeding with Optimize the IT Operations Center. See Info-Tech’s other blueprints:

    Standardize the Service Desk

    Strengthen your service desk to build a strong ITSM foundation.

    Incident and Problem Management

    Don’t let persistent problems govern your department.

    Optimize Change Management

    Turn and face the change with a right-sized change management process.

    Step 1.2: Make the Case

    This step will walk you through the following activities:

    • Estimate the impact of downtime for top five applications.
    • Estimate the cost of incident response.
    • Estimate the cost of MRW.
    • Set success metrics and estimate the ROI of the Operations Center project.
    • IT Operations Center Stakeholder Buy-In Presentation

    Obtaining buy-in is critical

    Buy-in from top-level stakeholders is critical to the success of the project.

    Before jumping into your initiatives, take the time to make the case and bring the business on board.

    Factors that “prevent us from improving the NOC”

    This image contains a graph of factors that prevent us from improving the NOC. In decreasing order, they include: Lack of strategic guidance from our vendors; The unwillingness of our management to accept new risk; Lack of adequate software tools; Our internal processes; Lack of management vision; Lack of funding; and Lack of personnel resources. There is a red circle drawn around the last three entries, with the words: Getting Buy-in Removes the Top Three Roadblocks to Improvement!. Source: Metzier, n.d

    List your top five applications

    List your top five applications for business criticality.

    Don’t agonize over decisions at this point.

    Generally, the top applications will be customer facing, end-user facing for the most critical business units, or critical for health and safety.

    Estimate impact of downtime

    • Come up with a rough, back-of-the-napkin estimate of the hourly cost of downtime for each application.
    • Complete page two of the IT Operations Center Stakeholder Buy-In Presentation.
    • Estimate loss of revenue per hour, loss of productivity per hour, and IT cost per incident resolution hour.
    • Pull a report on incident hours/outages in the past year from your ITSM tool. Multiply the total cost per incident hour by the incident hours per year to determine the current cost per year of service disruptions for each service.
    • Add up the cost for each of the top five services.
    • Now you can show the business a hard value number that quantifies your availability issues.

    Estimate salary cost of non-value-adding work

    Complete page three of the IT Operations Center Stakeholder Buy-In Presentation.

    • Estimate annual wage cost of incident response: multiply incident response hours per year (take from your ITSM tool) by the average hourly wage of incident responders.
    • Estimate annual cost of MRW: multiply MRW hours per year (take from ITSM tool or from time-keeping tool, or use best guess based on talking to staff members) by the average hourly wage of IT staff performing MRW.
    • Add the two numbers together to calculate the non-value-adding IT salary cost per year.
    • Express the previous number as a percentage of total IT salary. Everything that is not incident response or MRW is value-adding work.

    Now you have the holy trinity of metrics: set some targets

    The holy trinity of metrics:

    • Cost of downtime
    • % of salary on incident response
    • % of salary on MRW

    You want to reduce the above numbers. Set some back-of-the-napkin targets for percentage reductions for each of these areas. These are high-level metrics that business stakeholders will care about.

    Take your best guess at targets. Higher maturity organizations will have less potential for reduction from a percentage point of view (eventually you hit diminishing returns), while organizations just beginning to optimize their Operations Center have the potential for huge gains.

    Calculate the potential gains of targets

    Complete page five of the IT Operations Center Stakeholder Buy-In Presentation.

    • Multiply the targeted/estimated % reductions of the costs by your current costs to determine the potential savings/benefits.
    • Do a back-of-the napkin estimate of the cost of the Operations Center improvement project. Use reasonable numbers for cost of personnel time and cost of tools, and be sure to include ongoing personnel time costs – your time isn’t free and continual improvement takes work and effort.
    • Calculate the ROI.

    Fill out the case study

    • Complete page six of the IT Operations Center Stakeholder Buy-In Presentation. If you completed the lightning phase, use the results of your own quick win project(s) as an example of feasibility.
    • If you did not complete the lightning phase, delete this slide, or use an example of what other organizations have achieved to demonstrate feasibility.
    This image contains a screenshot of info-tech's default format for presenting case studies.

    Present to stakeholders

    • Deliver the presentation to key stakeholders.
    • Focus on the high-level story that the current state is costing real dollars and wages, and that these losses can be minimized through process improvements.
    • Be up front that many of the numbers are based on estimates, but be prepared to defend the reasonableness of the estimates.

    Gain buy-in and identify project sponsor

    • If the business is on board with the project, determine one person to be the executive sponsor for the project. This person should have a strong desire to see the project succeed, and should have some skin in the game.

    Formalize communication with the project sponsor

    • Establish how you will communicate with the sponsor throughout the project (e.g. weekly or monthly e-mail updates, bi-weekly meetings).
    • Set up a regular/recurring cadence and stick to it, so it can be put on auto-pilot. Be clear about who is responsible for initiating communication and sticking to the reporting schedule.

    Info-Tech Insight

    Tailor communication to the sponsor. The project sponsor is not the project manager. The sponsor’s role is to drive the project forward by allocating appropriate resources and demonstrating highly visible support to the broader organization. The sponsor should be kept in the loop, but not bothered with minutiae.

    Note the starting numbers for the holy trinity

    Use the IT Operations Center Continual Improvement Tracker:

    • Enter your starting numbers for the holy trinity of metrics.
    • After planning and implementing initiatives, this tracker will be used to update against the holy trinity to assess the success of the project on an ongoing basis and to drive continual improvement.

    PHASE 2

    Define Accountability and Metrics

    Optimize the IT Operations Center

    Step 2.1: Define Accountabilities

    This step will walk you through the following activities:

    • Formalize RACI for key processes.
    • Formalize RACI for key tasks.

    Outcomes of this step

    • Completed RACIs

    List key Operations Center processes

    Compile a list of processes that are key for the Operations Center.

    These processes should include the four foundational processes:

    • Service Desk
    • Incident Management
    • Problem Management
    • Change Management

    You may also want to include processes such as the following:

    • Event Management
    • Configuration Management

    Avoid listing processes you have yet to develop – stick with those already playing a role in your current state.

    Formalize RACI for key processes

    Use the IT Operations Center RACI Charts Template. Complete a RACI for each of the key processes involved in the IT Operations Center.

    RACI:

    • Responsible (does the work on a day-to-day basis)
    • Accountable (reviews, signs off, and is held accountable for outcomes)
    • Consulted (input is sought to feed into decision making)
    • Informed (is given notification of outcomes)

    As a best practice, no more than one person should be responsible or accountable for any given process. The same person can be both responsible and accountable for a given process, or it could be two different people.

    Avoid making someone accountable for a process if they do not have full visibility into the process for appropriate oversight, or do not have time to give the process sufficient attention.

    Formalize RACI for IT tasks

    Now think about the actual tasks or work that goes on in IT. Which roles and individuals are accountable for which tasks or pieces of work?

    In this case, more than one role/person can be listed as responsible or accountable in the RACI because we’re talking about types or categories of work. No conflict will occur because these individuals will be responsible or accountable for different pieces of work or individual tasks of the same type. (e.g. all service desk staff are responsible for answering phones and inputting tickets into the ITSM tool, but no more than one staff member is responsible for the input of any given ticket from a specific phone call).

    Step 2.2: Define Metrics

    This step will walk you through the following activities:

    • Cascade operational metrics from the holy trinity.
    • Evaluate metrics and identify key performance indicators (KPIs).
    • Cascade performance assessment (PA) metrics to support KPIs.
    • Build feedback loop for PA metrics.

    Outcomes of this step

    • KPIs
    • PA metrics

    Metrics must span across silos for shared accountability

    To adequately support the business goals of the organization, IT metrics should span across functional silos.

    Metrics that span across silos foster shared accountability across the IT organization.

    Metrics supported by all groups

    three grain silos are depicted. below, are the words IT Groups, with arrows pointing from the words to each of the three silos.

    Cascade operational metrics from the holy trinity

    Focus on the holy trinity of metrics.

    From these, cascade down to operational metrics that contribute to the holy trinity. It is possible that an operational metric may support more than one trinity metric. For example:

    a flow chart is depicted. two input circles point toward a central circle, and two output circles point away. the input circles include: Cost of Downtime; Cost of Incident Response. The central circle reads: Mean time to restore service. the output circles include the words: Tier 1 Resolution Rate; %% of Known Errors Captured in ITSM Tool.

    Evaluate metrics and identify KPIs

      • Evaluate your operational metrics and determine which ones are likely to have the largest impact on the holy trinity of metrics.
      • Identify the ten metrics likely to have the most impact: these will be your KPIs moving forward.
      • Enter these KPIs into the IT Operations Center Continual Improvement Tracker.
      this image depicts a cycle around the term KPI. The cycle includes: Objective; Measurement; optimization; strategy; performance; evaluation

    Beware how changing variables/context can affect metrics

    • Changes in context can affect metrics drastically. It’s important to keep the overall context in mind to avoid being led astray by certain numbers taken in isolation.
    • For example, a huge hiring spree might exhaust the stock of end-user devices, requiring time to procure hardware before the onboarding tickets can be completely fulfilled. You may have improved your onboarding process through automation, but see a large increase in average time to onboard a new user. Keep an eye out for such anomalies or fluctuations, and avoid putting too much stock in any single operational KPI.
    • Remember, operational KPIs are just a heuristic tool to support the holy trinity of metrics.

    Determine accountability for KPIs

    • For each operational KPI, assign one person to be accountable for that KPI.
    • Be sure the person in charge has the necessary authority and oversight over the processes and personnel that most affect that KPI – otherwise it makes little sense to hold the individual accountable.
    • Consulting your process RACIs is a good place to start.
    • Record the accountable person for each KPI in the IT Operations Center Continual Improvement Tracker.

    Info-Tech Best Practice

    Match accountability with authority. The person accountable for each KPI should be the one who has the closet and most direct control over the work and processes that most heavily impact that KPI.

    Cascade PA metrics to support KPIs

    KPIs are ultimately driven by how IT does its work, and how individuals work is driven by how their performance is assessed and evaluated.

    For the top KPIs, be sure there are individual PA metrics in place that support the KPI, and if not, develop the appropriate PA metrics.

    For example:

    • KPI: Mean time to resolve incidents
    • PA metric: % of escalations that followed SOP (e.g. not holding onto a ticket longer than supposed to)
    • KPI: Number of knowledge base articles written
    • PA metric: Number of knowledge base articles written/contributed to

    Communicate key changes in PA metrics

    Any changes from the previous step will take time and effort to implement and make stick.

    Changing people’s way of working is extremely difficult.

    Build a communication and implementation plan about rolling out these changes, emphasize the benefits for everyone involved, and get buy-in from the affected staff members.

    Build feedback loops for PA metrics

    Now that PA metrics support your Operations Center’s KPIs, you should create frequent feedback loops to drive and boost those PA metrics.

    Once per year or once per quarter is not frequent enough. Managers should meet with their direct reports at least monthly and review their reports’ performance against PA metrics.

    Use a “set it and forget it” implementation, such as a recurring task or meeting in your calendar.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts

    this is a picture of an Info-Tech Analyst

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.
    The following are sample activities that will be conducted by Info-Tech analysts with your team:
    2.2.1 This image contains a screenshot from section 2.2.1 of this blueprint.

    Cascade operational metrics from the holy trinity

    Rank goals based on business impact and stakeholder pecking order.

    2.2.2 this image contains a screenshot from section 2.2.2 of this blueprint.

    Determine accountability for KPIs

    Craft a concise and compelling elevator pitch that will drive the project forward.

    PHASE 3

    Assess Gaps and Prioritize Initiatives

    Optimize the IT Operations Center

    Step 3.1: Assess Gaps

    This step will walk you through the following activities:

    • Assess visibility provided by monitoring.
    • Assess process workflows and identify areas for automation.
    • Assess requests and identify potential for automation.
    • Assess Operations Center staff capabilities.
    • Conduct a root cause analysis on the gaps/pain points.

    Outcomes of this step

    • List of gaps
    • List of root causes

    Measure current state of KPIs and identify lagging ones

    Take a baseline measurement of each operational KPI.

    If historical data is available, compare the present state measurement to data points collected over the last year or so.

    Review the measured KPIs.

    Identify any KPIs that seem lagging or low, or that may be particularly important to influence.

    Record lagging KPIs in the IT Operations Center Gap and Initiative Tracker tool.

    Assess visibility provided by monitoring

    List the top five most critical business services supported by IT.
    Assess the current state of your monitoring tools.

    For each business service, rate the level of visibility your monitoring tools allow from the following options:

    1. We have no visibility into the service, or lack visibility into crucial elements.
    2. We have basic visibility (up/down) into all the IT components that support the service.
    3. We have basic visibility (up/down) into the end service itself, in addition to all the IT components that make it up.
    4. We have some advanced visibility into some aspects of the service and/or its IT components.
    5. We have a full, end-to-end view of performance across all the layers of the stack, as well as the end business service itself.

    Identify where more visibility may be necessary

    For most organizations it isn’t practical to have complete visibility into everything. For the areas in which visibility is lacking into key services, think about whether more visibility is actually required or not. Consider some of the following questions:

    • How great is the impact of this service being unavailable?
    • Would greater visibility into the service significantly reduce the mean time to restore the service in the event of incidents?

    Record any deficiencies in the IT Operations CenterGap and Initiative Tracker tool.

    Assess alerting

    Assess alerting for your most critical services.

    Consider whether any of the following problems occur:

    • Often receive no alert(s) in the event of critical outages of key services (we find out about critical outages from the service desk).
    • We are regularly overwhelmed with too many alerts to investigate properly.
    • Our alerts are rarely actionable.
    • We often receive many false alerts.

    Identify areas for potential improvement in the managing of alerts. Record any deficiencies in the IT Operations Center Gap and Initiative Tracker tool.

    Assess process workflows and identify areas for automation

    Review your process flows for base processes such as Service Desk, Incident Management, Problem Management, and Change Management.

    Identify areas in the workflows where there may be defects, inefficiencies, or potential for improvement or automation.

    Record any deficiencies in the IT Operations Center Gap and Initiative Tracker tool.

    See the blueprint Prepare for Cognitive Service Management for process workflows and areas to look for automation possibilities.

    Prepare for Cognitive Service Management

    Make ready for AI-assisted IT operations.

    Assess requests and identify potential for automation

    • Assess the most common work orders or requests handled by the Operations Center group (i.e. this does not include requests fulfilled by the help desk).
    • Which work orders are the most painful? That is, what common work orders involve the greatest effort or the most manual work to fulfill?
    • Fulfillment of common, recurring work orders is MRW, and should be reduced or removed if possible.
    • Consider automation of certain work orders, or self-service delivery.
    • Record any deficiencies in the IT Operations Center Gap and Initiative Tracker tool.

    Assess Operations Center staff capabilities

    • Assess the skills and expertise of your team members.
    • Consider some of the following:
      • Are there team members who could perform their job more effectively by picking up certain skills or proficiencies?
      • Are there team members who have the potential to shift into more valuable or useful roles, given the appropriate training?
      • Are there individual team members whose knowledge is crucial for operations, and whose function cannot be taken up by others?

    Record any deficiencies in the IT Operations Center Gap and Initiative Tracker tool.

    Info-Tech Insight

    Train to avoid pain. All too often organizations expose themselves to significant key person risk by relying on the specialized skills and knowledge of one team member. Use cross training to remedy such single points of failure before the risk materializes.

    Brainstorm pain points

    Brainstorm any pain points not discussed in the previous areas.

    Pain points can be specific operational issues that have not yet been considered. For example:

    • Tom is overwhelmed with tickets.
    • Our MSP often breaches SLA.
    • We don’t have a training budget.

    Record any deficiencies in the IT Operations CenterGap and Initiative Tracker tool.

    Conduct a root cause analysis on the gaps/pain points

    • Pain points can often be symptoms of other deficiencies, or somewhat removed from the actual problem.
    • Using the 5 Whys, conduct a root cause analysis on the pain points for which the causes are not obvious.
    • For each pain point, ask “why” for a sequence of five times, attempting to proceed to the root cause of the issue. This root cause is the true gap that needs to be remedied to resolve the pain point.
    • For example:
      • The Wi-Fi network often goes down in the afternoon.
        • Why?: Its bandwidth gets overloaded.
        • Why?: Many people are streaming video.
        • Why?: There’s a live broadcast of a football game at that time.
      • Possible solutions:
        • Block access to the streaming services.
        • Project the game on a screen in a large conference room and encourage everyone to watch it there.

    Step 3.2: Plan Initiatives

    This step will walk you through the following activities:

    • Brainstorm initiatives to boost KPIs and address gaps.
    • Prioritize potential initiatives.
    • Decide which initiatives to include on the roadmap.

    Outcomes of this step

    • Targeted improvement roadmap

    Brainstorm initiatives to boost KPIs and address gaps

    Prioritize potential initiatives

    3.2.1 IT Operations Center Initiative Prioritization Tool

    • Use the IT Operations Center Initiative Prioritization Tool.
    • Enter the initiatives into the tool.
    • For each initiative, input the following ranking criteria:
      • The metric/KPI’s estimated degree of impact on the holy trinity.
      • The gap or pain point’s estimated degree of impact on the metric/KPI.
      • The initiative’s estimated degree of positive impact on the gap or pain point
      • The initiative’s attainability.
    • Estimate the resourcing capacity required for each initiative.
    • For accurate capacity assessment, input as “force include” all current in-flight projects handled by the Operations Center group (including those unrelated to the Operations Center project).

    Decide which initiatives to include on the roadmap

    • Not all initiatives will be worth pursuing – and especially not all at once.
    • Consider the results displayed on the final tab of the IT Operations CenterInitiative Prioritization Tool.
    • Based on the prioritization and taking capacity into account, decide which initiatives to include on your roadmap.
    • Sometimes, for operational or logistical reasons, it may make sense to schedule an initiative at a time other than its priority might dictate. Make such exceptions on a case-by-case basis.

    Assign an owner to each initiative, and provide resourcing

    • For each initiative, assign one person to be the owner of that initiative.
    • Be sure that person has the authority and the bandwidth necessary to drive the initiative forward.
    • Secure additional resourcing for any initiatives you want to include on your roadmap that are lacking capacity.

    Info-Tech Insight

    You must invest resources in order to reduce the time spent on non-value-adding work.

    "The SRE model of working – and all of the benefits that come with it – depends on teams having ample capacity for engineering work. If toil eats up that capacity, the SRE model can’t be launched or sustained. An SRE perpetually buried under toil isn’t an SRE, they are just a traditional long-suffering SysAdmin with a new title."– David N. Blank-Edelman

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts

    this is a picture of an Info-Tech Analyst

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.
    The following are sample activities that will be conducted by Info-Tech analysts with your team:
    3.1.1 This image contains a screenshot from section 3.1.1 of this blueprint.

    Conduct a root cause analysis on the gaps/pain points

    Find out the cause, so you can come up with solutions.

    3.2.1 this image contains a screenshot from section 3.2.1 of this blueprint.

    Prioritize potential initiatives

    Don’t try to boil the ocean. Target what’s manageable and what will have the most impact.

    PHASE 4

    Launch Initiatives and Track Metrics

    Optimize the IT Operations Center

    Step 4.1: Lay Foundation

    This step will walk you through the following activities:

    • Build initiative communication plan.
    • Develop a testing plan for each technical initiative.

    Outcomes of this step

    • Communication plan
    • Testing plan(s)

    Expect resistance to change

    • It’s not as simple as rolling out what you’ve designed.
    • Anything that affects people’s way of working will inevitably be met with suspicion and pushback.
    • Be prepared to fight the battle.
    • "The hardest part is culture. You must get people to see the value of automation. Their first response is ‘We've been doing it this way for 10 years, why do we need to do it another way?’ It's hard to get someone out of their comfort zone to learn something new, especially when they've been at an organization for 20 years. You need to give them incentives."– Cyrus Kalatbari, Senior IT Architect, Infrastructure/Cloud

    Communicate changes in advance, along with their benefits!

    • Communicate changes well in advance of the date(s) of implementation.
    • Emphasize the benefits of the changes – not just for the organization, but for employees and staff members.
    • Advance communication of changes helps make them more palatable, and builds trust in employees by making them feel informed of what’s going on.

    Involve IT staff in design and implementation of changes

    • As you communicate the coming changes, take the opportunity to involve any affected staff members who have not yet participated in the project.
    • Solicit their feedback and get them to help design and implement the initiatives that involve significant changes to their roles.

    Develop a testing plan for each technical initiative

    • Some initiatives, such as appointing a new change manager or hiring a new staff member, do not make sense to test.
    • On the other hand, technical initiatives such as automation scripts, new monitoring tools or dashboards, and changed alert thresholds should be tested thoroughly before implementation.
    • For each technical initiative, think about the expected results and performance if it were to run in production, and build a test plan to ensure it behaves as expected and there are no corner cases.

    Test technology initiatives and iterate if necessary

    • Test each technical initiative under a variety of circumstances, with as close an environment to production as possible.
    • Try to develop corner cases or unusual or unexpected situations, and see if any of these will break the functionality or produce unintended or unexpected results.
    • Document the results of the testing, and iterate on the initiative and test again if necessary.

    "The most important things – and the things that people miss – are prerequisites and expected results. People jump out and build scripts, then the scripts go into the ditch, and they end up debugging in production." – Darin Stahl, Research Director, Infrastructure & Operations

    Step 4.2: Launch and Measure

    This step will walk you through the following activities:

    • Launch initiatives and track adoption and effectiveness.
    • Investigate initiatives that appear ineffective.
    • Measure success with the holy trinity.

    Outcomes of this step

    • Continual improvement roadmap

    Establish a review cycle for each metric

    Info-Tech Best Practice

    Don’t measure what doesn’t matter. If a metric is not going to be reviewed or reported on for informational or decision-making purposes, it should not be tracked.

    Launch initiatives and track adoption and effectiveness

    • Launch the initiatives.
    • Some initiatives will need to proceed through your change management process in order to roll out, but others will not.
    • Track the adoption of initiatives that require it.
      • Some initiatives will require tracking of adoption, whereas others will not.
      • For example, hiring a new service desk staff member does not require tracking of adoption, but implementing a new process for ticket handling does.
      • The implementation plan should include a way to measure the adoption of such initiatives, and regularly review the numbers to see if the implementation has been successful.
    • For all initiatives, measure their effectiveness by continuing to track the KPI/metric that the initiative is intended to influence.

    Assess metrics according to review cycle for continual improvement

    • Assess metrics according to the review cycle.
    • Note whether metrics are improving in the right direction or not.
    • Correlate changes in the metrics with measures of the adoption of the initiatives – see whether initiatives that have been adopted are moving the needle on the KPIs they are intended to.

    Investigate initiatives that appear ineffective

    • If the adoption of an initiative has succeeded, but the expected impact of that initiative on the KPI has not taken place, investigate further and conduct a root causes analysis to determine why this is the case.
    • Sometimes, anomalies or fluctuations will occur that cause the KPI not to move in accordance with the success of the initiative. In this case, it’s just a fluke and the initiative can still be successful in influencing the KPI over the long term.
    • Other times, the initiative may prove mostly or entirely ineffective, either due to misdesign of the initiative itself, a change of circumstances, or other compounding factors or complexities. If the initiative proves ineffective, consider iterating modifications of the initiative and continuing to measure the effect on KPIs – or perhaps killing the initiative altogether.
    • Remember that experimentation is not a bad thing – it’s okay that not every initiative will always prove worthwhile.

    Measure success with the holy trinity

    • Report to business stakeholders on the effect on the holy trinity of metrics at least annually.
    • Calculate the ROI of the project after two years and compare the results to the targeted ROI you initially presented in the IT Operations Center Stakeholder Buy-In Presentation.
    This image contains a Funnel Chart showing the inputs: Downtime; Cost of Incident Response; MRW; and the output: Reduce for continual improvement

    Iterate on the Operations Center process for continual improvement

    This image depicts a cycle, which includes: Data analysis; Executive Sponsorship; Success Criteria; Gap Assessment; Initiatives; Tracking & Measurement

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts

    this is a picture of an Info-Tech Analyst

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.
    The following are sample activities that will be conducted by Info-Tech analysts with your team:
    4.1.1This image contains a screenshot from section 3.1.1 of this blueprint.

    Communicate changes in advance, along with their benefits!

    Rank goals based on business impact and stakeholder pecking order.

    4.1.2 this image contains a screenshot from section 3.2.1 of this blueprint.

    Develop a testing plan for each technical initiative

    Craft a concise and compelling elevator pitch that will drive the project forward.

    Research contributors and experts
    This is a picture of Cyrus Kalatbari, IT infrastructure/cloud architect

    Cyrus Kalatbari, IT Infrastructure/Cloud Architect

    Cyrus’ in-depth knowledge cutting across I&O and service delivery has enhanced the IT operations of multiple enterprise-class clients.

    This is a picture of Derek Cullen, Chief Technology Officer

    Derek Cullen, Chief Technology Officer

    Derek is a proven leader in managing enterprise-scale development, deployment, and integration of applications, platforms, and systems, with a sharp focus on organizational transformation and corporate change.

    This is a picture of Phil Webb, Senior Manager

    Phil Webb, Senior Manager – Unified Messaging and Mobility

    Phil specializes in service delivery for cloud-based and hybrid technology solutions, spanning requirements gathering, solution design, new technology introduction, development, integration, deployment, production support, change/release delivery, maintenance, and continuous improvement.

    This is a picture of Richie Mendoza, IT Services Delivery Consultant

    Richie Mendoza, IT Services Delivery Consultant

    Ritchie’s accomplishments include pioneering a cloud capacity management process and presenting to the Operations team and to higher management, while providing a high level of technical leadership in all phases of capacity management activities.

    This is a picture of Rob Thompson, Solutions Architect

    Rob Thomson, Solutions Architect

    Rob is an IT leader with a track record of creating and executing digital transformation initiatives to achieve the desired outcomes by integrating people, process, and technology into an efficient and effective operating model.

    Related Info-Tech research

    Create a Configuration Management Roadmap

    Right-size your CMDB to improve IT operations.

    Harness Configuration Management Superpowers

    Build a CMDB around the IT services that are most important to the organization.

    Develop an IT Infrastructure Services Playbook

    Automation, SDI, and DevOps – build a cheat sheet to manage a changing Infrastructure & Operations environment.

    Develop an Availability and Capacity Management Plan

    Manage capacity to increase uptime and reduce costs.

    Establish a Program to Enable Effective Performance Monitoring

    Maximize the benefits of infrastructure monitoring investments by diagnosing and assessing transaction performance, from network to server to end-user interface.

    Bibliography

    Baker, Dan, and Hal Baylor. “How Benchmarking & Streamlining NOC Operations Can Lower Costs & Boost Effectiveness.” Top Operator, Mar. 2017. Web.

    Blank-Edelman, David. Seeking SRE: Conversations About Running Production Systems at Scale. O'Reilly, 2018. Web.

    CA Technologies. “IT Transformation to Next-Generation Operations Centers: Assure Business Service Reliability by Optimizing IT Operations.” CA Technologies, 2014. Web.

    Ditmore, Jim. “Improving Availability: Where to Start.” Recipes for IT, n.d. Web.

    Ennis, Shawn. “A Phased Approach for Building a Next-Generation Network Operations Center.” Monolith Software, 2009. Web.

    Faraclas, Matt. “Why Does Infrastructure Operations Still Suck?” Ideni, 25 Feb. 2016. Web.

    InterOp ITX. “2018 State of the Cloud.” InterOp ITX, Feb. 2018. Web.

    ITIC. “Cost of Hourly Downtime Soars: 81% of Enterprises Say it Exceeds $300K On Average.” ITIC, 2 Aug. 2016. Web.

    Joe the IT Guy. “Availability Management Is Harder Than it Looks.” Joe the IT Guy, 10 Feb. 2016. Web.

    ---. “Do Quick Wins Exist for Availability Management?” Joe the IT Guy, 15 May 2014. Web.

    Lawless, Steve. “11 Top Tips for Availability Management.” Purple Griffon, 4 Jan. 2019. Web.

    Metzler, Jim. “The Next Generation Network Operations Center: How the Focus on Application Delivery is Redefining the NOC.” Ashton, Metzler & Associates, n.d. Web.

    Nilekar, Shirish. “Beyond Redundancy: Improving IT Availability.” Network Computing, 28 Aug. 2015. Web.

    Slocum, Mac. “Site Reliability Engineering (SRE): A Simple Overview.” O’Reilly, 16 Aug. 2018. Web.

    Spiceworks. “The 2019 State of IT.” Spiceworks, 2019. Web

    Architect Your Big Data Environment

    • Buy Link or Shortcode: {j2store}202|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Big Data
    • Parent Category Link: /big-data
    • Organizations may understand the transformative potential of a big data initiative, but they struggle to make the transition from the awareness of its importance to identifying a concrete use case for a pilot project.
    • The big data ecosystem is crowded and confusing, and a lack of understanding of it may cause paralysis for organizations.

    Our Advice

    Critical Insight

    • Don’t panic, and make use of the resources you already have. The skills, tools, and infrastructure for big data can break any budget quickly, but before making rash decisions, start with the resources you have in-house.
    • Big data as a service (BDaaS) is making big waves. BDaaS removes many of the hurdles associated with implementing a big data strategy and vastly lowers the barrier of entry.

    Impact and Result

    • Follow Info-Tech’s methodology for understanding the types of modern approaches to big data tools, and then determining which approach style makes the most sense for your organization.
    • Based on your big data use case, create a plan for getting started with big data tools that takes into account the backing of the use case, the organization’s priorities, and resourcing available.
    • Put a repeatable framework in place for creating a comprehensive big data tool environment that will help you decide on the necessary tools to help you realize the value from your big data use case and scale for the future.

    Architect Your Big Data Environment Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should find your optimal approach to big data tools, review Info-Tech’s methodology, and understand the ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Plant the foundations of your big data tool architecture

    Identify your big data use case and your current data-related capabilities.

    • Architect Your Big Data Environment – Phase 1: Plant the Foundations of Your Big Data Tool Architecture
    • Big Data Execution Plan Presentation
    • Big Data Architecture Planning Tool

    2. Weigh your big data architecture decision criteria

    Determine your capacity for big data tools, as well as the level of customizability and security needed for your solution to help justify your implementation style decision.

    • Architect Your Big Data Environment – Phase 2: Weigh Your Big Data Architecture Decision Criteria

    3. Determine your approach to implementing big data tools

    Analyze the three big data implementation styles, select your approach, and complete the execution plan for your big data initiative.

    • Architect Your Big Data Environment – Phase 3: Determine Your Approach To Implementing Big Data Tools
    [infographic]

    Establish Data Governance – APAC Edition

    • Buy Link or Shortcode: {j2store}348|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: $172,999 Average $ Saved
    • member rating average days saved: 63 Average Days Saved
    • Parent Category Name: Data Management
    • Parent Category Link: /data-management
    • Organisations are faced with challenges associated with changing data landscapes, evolving business models, industry disruptions, regulatory and compliance obligations, and changing and maturing user landscapes and demands for data.
    • Although the need for a data governance program is often evident, organisations miss the mark when their data governance efforts are not directly aligned to delivering measurable business value by supporting key strategic initiatives, value streams, and their underlying business capabilities.

    Our Advice

    Critical Insight

    • Your organisation’s value streams and the associated business capabilities require effectively governed data. Without this, you face the impact of elevated operational costs, missed opportunities, eroded stakeholder satisfaction, and exposure to increased business risk.
    • Ensure your data governance program delivers measurable business value by aligning the associated data governance initiatives with the business architecture.
    • Data governance must continuously align with the organisation’s enterprise governance function. It should not be perceived as an IT pet project, but rather as a business-driven initiative.

    Impact and Result

    Info-Tech’s approach to establishing and sustaining effective data governance is anchored in the strong alignment of organisational value streams and their business capabilities with key data governance dimensions and initiatives.

    • Align with enterprise governance, business strategy and organizational value streams to ensure the program delivers measurable business value.
    • Understand your current data governance capabilities and build out a future state that is right sized and relevant.
    • Define data governance leadership, accountability, and responsibility, supported by an operating model that effectively manages change and communication and fosters a culture of data excellence.

    Establish Data Governance – APAC Edition Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Data Governance Research – A step-by-step document to ensure that the people handling the data are involved in the decisions surrounding data usage, data quality, business processes, and change implementation.

    Data governance is a strategic program that will help your organisation control data by managing the people, processes, and information technology needed to ensure that accurate and consistent data policies exist across varying lines of the business, enabling data-driven insight. This research will provide an overview of data governance and its importance to your organization, assist in making the case and securing buy-in for data governance, identify data governance best practices and the challenges associated with them, and provide guidance on how to implement data governance best practices for a successful launch.

    • Establish Data Governance – Phases 1-3 – APAC

    2. Data Governance Planning and Roadmapping Workbook – A structured tool to assist with establishing effective data governance practices.

    This workbook will help your organisation understand the business and user context by leveraging your business capability map and value streams, developing data use cases using Info-Tech's framework for building data use cases, and gauging the current state of your organisation's data culture.

    • Data Governance Planning and Roadmapping Workbook – APAC

    3. Data Use Case Framework Template – An exemplar template to highlight and create relevant use cases around the organisation’s data-related problems and opportunities.

    This business needs gathering activity will highlight and create relevant use cases around data-related problems or opportunities that are clear and contained and, if addressed, will deliver value to the organisation. This template provides a framework for data requirements and a mapping methodology for creating use cases.

    • Data Use Case Framework Template – APAC

    4. Data Governance Initiative Planning and Roadmap Tool – A visual roadmapping tool to assist with establishing effective data governance practices.

    This tool will help your organisation plan the sequence of activities, capture start dates and expected completion dates, and create a roadmap that can be effectively communicated to the organisation.

    • Data Governance Initiative Planning and Roadmap Tool – APAC

    5. Business Data Catalogue – A comprehensive template to help you to document the key data assets that are to be governed based on in-depth business unit interviews, data risk/value assessments, and a data flow diagram for the organisation.

    Use this template to document information about key data assets such as data definition, source system, possible values, data sensitivity, data steward, and usage of the data.

    • Business Data Catalogue – APAC

    6. Data Governance Program Charter Template – A program charter template to sell the importance of data governance to senior executives.

    This template will help get the backing required to get a data governance project rolling. The program charter will help communicate the project purpose, define the scope, and identify the project team, roles, and responsibilities.

    • Data Governance Program Charter Template – APAC

    7. Data Policies – A set of policy templates to support the data governance framework for the organisation.

    This set of policies supports the organisation's use and management of data to ensure that it efficiently and effectively serves the needs of the organisation.

    • Data Governance Policy – APAC
    • Data Classification Policy, Standard, and Procedure – APAC
    • Data Quality Policy, Standard, and Procedure – APAC
    • Data Management Definitions – APAC
    • Metadata Management Policy, Standard, and Procedure – APAC
    • Data Retention Policy and Procedure – APAC
    [infographic]

    Workshop: Establish Data Governance – APAC Edition

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Establish Business Context and Value

    The Purpose

    Identify key business data assets that need to be governed.

    Create a unifying vision for the data governance program.

    Key Benefits Achieved

    Understand the value of data governance and how it can help the organisation better leverage its data.

    Gain knowledge of how data governance can benefit both IT and the business.

    Activities

    1.1 Establish business context, value, and scope of data governance at the organisation.

    1.2 Introduction to Info-Tech’s data governance framework.

    1.3 Discuss vision and mission for data governance.

    1.4 Understand your business architecture, including your business capability map and value streams.

    1.5 Build use cases aligned to core business capabilities.

    Outputs

    Sample use cases (tied to the business capability map) and a repeatable use case framework

    Vision and mission for data governance

    2 Understand Current Data Governance Capabilities and Plot Target-State Levels

    The Purpose

    Assess which data contains value and/or risk and determine metrics that will determine how valuable the data is to the organisation.

    Assess where the organisation currently stands in data governance initiatives.

    Determine gaps between the current and future states of the data governance program.

    Key Benefits Achieved

    Gain a holistic understanding of organisational data and how it flows through business units and systems.

    Identify which data should fall under the governance umbrella.

    Determine a practical starting point for the program.

    Activities

    2.1 Understand your current data governance capabilities and maturity.

    2.2 Set target-state data governance capabilities.

    Outputs

    Current state of data governance maturity

    Definition of target state

    3 Build Data Domain to Data Governance Role Mapping

    The Purpose

    Determine strategic initiatives and create a roadmap outlining key steps required to get the organisation to start enabling data-driven insights.

    Determine timing of the initiatives.

    Key Benefits Achieved

    Establish clear direction for the data governance program.

    Step-by-step outline of how to create effective data governance, with true business-IT collaboration.

    Activities

    3.1 Evaluate and prioritise performance gaps.

    3.2 Develop and consolidate data governance target-state initiatives.

    3.3 Define the role of data governance: data domain to data governance role mapping.

    Outputs

    Target-state data governance initiatives

    Data domain to data governance role mapping

    4 Formulate a Plan to Get to Your Target State

    The Purpose

    Consolidate the roadmap and other strategies to determine the plan of action from day one.

    Create the required policies, procedures, and positions for data governance to be sustainable and effective.

    Key Benefits Achieved

    Prioritised initiatives with dependencies mapped out.

    A clearly communicated plan for data governance that will have full business backing.

    Activities

    4.1 Identify and prioritise next steps.

    4.2 Define roles and responsibilities and complete a high-level RACI.

    4.3 Wrap-up and discuss next steps and post-workshop support.

    Outputs

    Initialised roadmap

    Initialised RACI

    Further reading

    Establish Data Governance

    Deliver measurable business value.

    Analyst Perspective

    Establish a data governance program that brings value to your organisation.

    Picture of analyst

    Data governance does not sit as an island on its own in the organisation – it must align with and be driven by your enterprise governance. As you build out data governance in your organisation, it's important to keep in mind that this program is meant to be an enabling framework of oversight and accountabilities for managing, handling, and protecting your company's data assets. It should never be perceived as bureaucratic or inhibiting to your data users. It should deliver agreed-upon models that are conducive to your organisation's operating culture, offering clarity on who can do what with the data and via what means. Data governance is the key enabler for bringing high-quality, trusted, secure, and discoverable data to the right users across your organisation. Promote and drive the responsible and ethical use of data while helping to build and foster an organisational culture of data excellence.

    Crystal Singh

    Director, Research & Advisory, Data & Analytics Practice

    Info-Tech Research Group

    Executive Summary

    Your Challenge

    The amount of data within organisations is growing at an exponential rate, creating a need to adopt a formal approach to governing data. However, many organisations remain uninformed on how to effectively govern their data. Comprehensive data governance should define leadership, accountability, and responsibility related to data use and handling and be supported by a well-oiled operating model and relevant policies and procedures. This will help ensure the right data gets to the right people at the right time, using the right mechanisms.

    Common Obstacles

    Organisations are faced with challenges associated with changing data landscapes, evolving business models, industry disruptions, regulatory and compliance obligations, and changing and maturing user landscape and demand for data. Although the need for a data governance program is often evident, organisations miss the mark when their data governance efforts are not directly aligned to delivering measurable business value. Initiatives should support key strategic initiatives, as well as value streams and their underlying business capabilities.

    Info-Tech's Approach

    Info-Tech's approach to establishing and sustaining effective data governance is anchored in the strong alignment of organisational value streams and their business capabilities with key data governance dimensions and initiatives. Organisations should:

    • Align their data governance with enterprise governance, business strategy and value streams to ensure the program delivers measurable business value.
    • Understand their current data governance capabilities so as to build out a future state that is right-sized and relevant.
    • Define data leadership, accountability, and responsibility. Support these with an operating model that effectively manages change and communication and fosters a culture of data excellence.

    Info-Tech Insight

    Your organisation's value streams and the associated business capabilities require effectively governed data. Without this, you face elevated operating costs, missed opportunities, eroded stakeholder satisfaction, and increased business risk.

    Your challenge

    This research is designed to help organisations build and sustain an effective data governance program.

    • Your organisation has recognised the need to treat data as a corporate asset for generating business value and/or managing and mitigating risk.
    • This has brought data governance to the forefront and highlighted the need to build a performance-driven enterprise program for delivering quality, trusted, and readily consumable data to users.
    • An effective data governance program is one that defines leadership, accountability. and responsibility related to data use and handling. It's supported by a well-oiled operating model and relevant policies and procedures, all of which help build and foster a culture of data excellence where the right users get access to the right data at the right time via the right mechanisms.

    As you embark on establishing data governance in your organisation, it's vital to ensure from the get-go that you define the drivers and business context for the program. Data governance should never be attempted without direction on how the program will yield measurable business value.

    'Data processing and cleanup can consume more than half of an analytics team's time, including that of highly paid data scientists, which limits scalability and frustrates employees.' – Petzold, et al., 2020

    Image is a circle graph and 30% of it is coloured with the number 30% in the middle of the graph

    'The productivity of employees across the organisation can suffer.' – Petzold, et al., 2020

    Respondents to McKinsey's 2019 Global Data Transformation Survey reported that an average of 30% of their total enterprise time was spent on non-value-added tasks because of poor data quality and availability. – Petzold, et al., 2020

    Common obstacles

    Some of the barriers that make data governance difficult to address for many organisations include:

    • Gaps in communicating the strategic value of data and data governance to the organisation. This is vital for securing senior leadership buy-in and support, which, in turn, is crucial for sustained success of the data governance program.
    • Misinterpretation or a lack of understanding about data governance, including what it means for the organisation and the individual data user.
    • A perception that data governance is inhibiting or an added layer of bureaucracy or complication rather than an enabling and empowering framework for stakeholders in their use and handling of data.
    • Embarking on data governance without firmly substantiating and understanding the organisational drivers for doing so. How is data governance going to support the organisation's value streams and their various business capabilities?
    • Neglecting to define and measure success and performance. Just as in any other enterprise initiative, you have to be able to demonstrate an ROI for time, resources and funding. These metrics must demonstrate the measurable business value that data governance brings to the organisation.
    • Failure to align data governance with enterprise governance.
    Image is a circle graph and 78% of it is coloured with the number 78% in the middle of the graph

    78% of companies (and 92% of top-tier companies) have a corporate initiative to become more data-driven. – Alation, 2020.

    Image is a circle graph and 58% of it is coloured with the number 58% in the middle of the graph

    But despite these ambitions, there appears to be a 'data culture disconnect' – 58% of leaders overestimate the current data culture of their enterprises, giving a grade higher than the one produced by the study. – Fregoni, 2020.

    The strategic value of data

    Power intelligent and transformative organisational performance through leveraging data.

    Respond to industry disruptors

    Optimise the way you serve your stakeholders and customers

    Develop products and services to meet ever-evolving needs

    Manage operations and mitigate risk

    Harness the value of your data

    The journey to being data-driven

    The journey to declaring that you are a data-driven organisation requires a pit stop at data enablement.

    The Data Economy

    Data Disengaged

    You have a low appetite for data and rarely use data for decision making.

    Data Enabled

    Technology, data architecture, and people and processes are optimised and supported by data governance.

    Data Driven

    You are differentiating and competing on data and analytics; described as a 'data first' organisation. You're collaborating through data. Data is an asset.

    Data governance is essential for any organisation that makes decisions about how it uses its data.

    Data governance is an enabling framework of decision rights, responsibilities, and accountabilities for data assets across the enterprise.

    Data governance is:

    • Executed according to agreed-upon models that describe who can take what actions with what information, when, and using what methods (Olavsrud, 2021).
    • True business-IT collaboration that will lead to increased consistency and confidence in data to support decision making. This, in turn, helps fuel innovation and growth.

    If done correctly, data governance is not:

    • An annoying, finger-waving roadblock in the way of getting things done.
    • Meant to solve all data-related business or IT problems in an organisation.
    • An inhibitor or impediment to using and sharing data.

    Info-Tech's Data Governance Framework

    An image of Info-Tech's Data Governance Framework

    Create impactful data governance by embedding it within enterprise governance

    A model is depicted to show the relationship between enterprise governance and data governance.

    Organisational drivers for data governance

    Data governance personas:

    Conformance: Establishing data governance to meet regulations and compliance requirements.

    Performance: Establishing data governance to fuel data-driven decision making for driving business value and managing and mitigating business risk.

    Two images are depicted that show the difference between conformance and performance.

    Data Governance is not a one-person show

    • Data governance needs a leader and a home. Define who is going to be leading, driving, and steering data governance in your organisation.
    • Senior executive leaders play a crucial role in championing and bringing visibility to the value of data and data governance. This is vital for building and fostering a culture of data excellence.
    • Effective data governance comes with business and IT alignment, collaboration, and formally defined roles around data leadership, ownership, and stewardship.
    Four circles are depicted. There is one person in the circle on the left and is labelled: Data Governance Leadership. The circle beside it has two people in it and labelled: Organisational Champions. The circle beside it has three people in it and labelled: Data Owners, Stewards & Custodians. The last circle has four people in it and labelled: The Organisation & Data Storytellers.

    Traditional data governance organisational structure

    A traditional structure includes committees and roles that span across strategic, tactical, and operational duties. There is no one-size-fits-all data governance structure. However, most organisations follow a similar pattern when establishing committees, councils, and cross-functional groups. Most organisations strive to identify roles and responsibilities at a strategic and operational level. Several factors will influence the structure of the program, such as the focus of the data governance project and the maturity and size of the organisation.

    A triangular model is depicted and is split into three tiers to show the traditional data governance organisational structure.

    A healthy data culture is key to amplifying the power of your data.

    'Albert Einstein is said to have remarked, "The world cannot be changed without changing our thinking." What is clear is that the greatest barrier to data success today is business culture, not lagging technology.' – Randy Bean, 2020

    What does it look like?

    • Everybody knows the data.
    • Everybody trusts the data.
    • Everybody talks about the data.

    'It is not enough for companies to embrace modern data architectures, agile methodologies, and integrated business-data teams, or to establish centres of excellence to accelerate data initiatives, when only about 1 in 4 executives reported that their organisation has successfully forged a data culture.'– Randy Bean, 2020

    Data literacy is an essential part of a data-driven culture

    • In a data-driven culture, decisions are made based on data evidence, not on gut instinct.
    • Data often has untapped potential. A data-driven culture builds tools and skills, builds users' trust in the condition and sources of data, and raises the data skills and understanding among their people on the front lines.
    • Building a data culture takes an ongoing investment of time, effort, and money. This investment will not achieve the transformation you want without data literacy at the grassroots level.

    Data-driven culture = 'data matters to our company'

    Despite investments in data initiative, organisations are carrying high levels of data debt

    Data debt is 'the accumulated cost that is associated with the sub-optimal governance of data assets in an enterprise, like technical debt.'

    Data debt is a problem for 78% of organisations.

    40% of organisations say individuals within the business do not trust data insights.

    66% of organisations say a backlog of data debt is impacting new data management initiatives.

    33% of organisations are not able to get value from a new system or technology investment.

    30% of organisations are unable to become data-driven.

    Source: Experian, 2020

    Absent or sub-optimal data governance leads to data debt

    Only 3% of companies' data meets basic quality standards. (Source: Nagle, et al., 2017)

    Organisations suspect 28% of their customer and prospect data is inaccurate in some way. (Source: Experian, 2020)

    Only 51% of organisations consider the current state of their CRM or ERP data to be clean, allowing them to fully leverage it. (Source: Experian, 2020)

    35% of organisations say they're not able to see a ROI for data management initiatives. (Source: Experian, 2020)

    Embrace the technology

    Make the available data governance tools and technology work for you:

    • Data catalogue
    • Business data glossary
    • Data lineage
    • Metadata management

    While data governance tools and technologies are no panacea, leverage their automated and AI-enabled capabilities to augment your data governance program.

    Logos of data governance tools and technology.

    Measure success to demonstrate tangible business value

    Put data governance into the context of the business:

    • Tie the value of data governance and its initiatives back to the business capabilities that are enabled.
    • Leverage the KPIs of those business capabilities to demonstrate tangible and measurable value. Use terms and language that will resonate with senior leadership.

    Don't let measurement be an afterthought:

    Start substantiating early on how you are going to measure success as your data governance program evolves.

    Build a right-sized roadmap

    Formulate an actionable roadmap that is right-sized to deliver value in your organisation.

    Key considerations:

    • When building your data governance roadmap, ensure you do so through an enterprise lens. Be cognizant of other initiatives that might be coming down the pipeline that may require you to align your data governance milestones accordingly.
    • Apart from doing your planning with consideration for other big projects or launches that might be in-flight and require the time and attention of your data governance partners, also be mindful of the more routine yet still demanding initiatives.
    • When doing your roadmapping, consider factors like the organisation's fiscal cycle, typical or potential year-end demands, and monthly/quarterly reporting periods and audits. Initiatives such as these are likely to monopolise the time and focus of personnel key to delivering on your data governance milestones.

    Sample milestones:

    Data Governance Leadership & Org Structure Definition

    Define the home for data governance and other key roles around ownership and stewardship, as approved by senior leadership.

    Data Governance Charter and Policies

    Create a charter for your program and build/refresh associated policies.

    Data Culture Diagnostic

    Understand the organisation's current data culture, perception of data, value of data, and knowledge gaps.

    Use Case Build and Prioritisation

    Build a use case that is tied to business capabilities. Prioritise accordingly.

    Business Data Glossary

    Build and/or refresh the business' glossary for addressing data definitions and standardisation issues.

    Tools & Technology

    Explore the tools and technology offering in the data governance space that would serve as an enabler to the program. (e.g. RFI, RFP).

    Key takeaways for effective business-driven data governance

    Data governance leadership and sponsorship is key.

    Ensure strategic business alignment.

    Build and foster a culture of data excellence.

    Evolve along the data journey.

    Make data governance an enabler, not a hindrance.

    Insight summary

    Overarching insight

    Your organisation's value streams and the associated business capabilities require effectively governed data. Without this, you face the impact of elevated operational costs, missed opportunities, eroded stakeholder satisfaction, and exposure to increased business risk.

    Insight 1

    Data governance should not sit as an island in your organisation. It must continuously align with the organisation's enterprise governance function. It shouldn't be perceived as a pet project of IT, but rather as an enterprise-wide, business-driven initiative.

    Insight 2

    Ensure your data governance program delivers measurable business value by aligning the associated data governance initiatives with the business architecture. Leverage the measures of success or KPIs of the underlying business capabilities to demonstrate the value data governance has yielded for the organisation.

    Insight 3

    Data governance remains the foundation of all forms of reporting and analytics. Advanced capabilities such as AI and machine learning require effectively governed data to fuel their success.

    Tactical insight

    Tailor your data literacy program to meet your organisation's needs, filling your range of knowledge gaps and catering to your different levels of stakeholders. When it comes to rolling out a data literacy program, there is no one-size-fits-all solution. Your data literacy program is intended to fill the knowledge gaps about data, as they exist in your organisation. It should be targeted across the board – from your executive leadership and management through to the subject matter experts across different lines of the business in your organisation.

    Info-Tech's methodology for establishing data governance

    1. Build Business and User Context 2. Understand Your Current Data Governance Capabilities 3. Build a Target State Roadmap and Plan
    Phase Steps
    1. Substantiate Business Drivers
    2. Build High-Value Use Cases for Data Governance
    1. Understand the Key Components of Data Governance
    2. Gauge Your Organisation's Current Data Culture
    1. Formulate an Actionable Roadmap and Right-Sized Plan
    Phase Outcomes
    • Your organisation's business capabilities and value streams
    • A business capability map for your organisation
    • Categorisation of your organisation's key capabilities
    • A strategy map tied to data governance
    • High-value use cases for data governance
    • An understanding of the core components of an effective data governance program
    • An understanding your organisation's current data culture
    • A data governance roadmap and target-state plan comprising of prioritised initiatives

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Screenshot of Info-Tech's Data Governance Planning and Roadmapping Workbook data-verified=

    Data Governance Planning and Roadmapping Workbook

    Use the Data Governance Planning and Roadmapping Workbook as you plan, build, roll out, and scale data governance in your organisation.

    Screenshot of Info-Tech's Data Use Case Framework Template

    Data Use Case Framework Template

    This template takes you through a business needs gathering activity to highlight and create relevant use cases around the organisation's data-related problems and opportunities.

    Screenshot of Info-Tech's Business Data Glossary data-verified=

    Business Data Glossary

    Use this template to document the key data assets that are to be governed and create a data flow diagram for your organisation.

    Screenshot of Info-Tech's Data Culture Diagnostic and Scorecard data-verified=

    Data Culture Diagnostic and Scorecard

    Leverage Info-Tech's Data Culture Diagnostic to understand how your organisation scores across 10 areas relating to data culture.

    Key deliverable:

    Data Governance Planning and Roadmapping Workbook

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Data Governance Initiative Planning and Roadmap Tool

    Leverage this tool to assess your current data governance capabilities and plot your target state accordingly.

    This tool will help you plan the sequence of activities, capture start dates and expected completion dates, and create a roadmap that can be effectively communicated to the organisation.

    Data Governance Program Charter Template

    This template will help get the backing required to get a data governance project rolling. The program charter will help communicate the project purpose, define the scope, and identify the project team, roles, and responsibilities.

    Data Governance Policy

    This policy establishes uniformed data governance standards and identifies the shared responsibilities for assuring the integrity of the data and that it efficiently and effectively serves the needs of your organisation

    Other Deliverables:

    • Data Governance Initiative Planning and Roadmap Tool
    • Data Governance Program Charter Template
    • Data Governance Policy

    Blueprint benefits

    Defined data accountability & responsibility

    Shared knowledge & common understanding of data assets

    Elevated trust & confidence in traceable data

    Improved data ROI & reduced data debt

    Support for ethical use and handling of data in a culture of excellence

    Measure the value of this blueprint

    Leverage this blueprint's approach to ensure your data governance initiatives align and support your key value streams and their business capabilities.

    • Aligning your data governance program and its initiatives to your organisation's business capabilities is vital for tracing and demonstrating measurable business value for the program.
    • This alignment of data governance with value streams and business capabilities enables you to use business-defined KPIs and demonstrate tangible value.
    Screenshot from this blueprint on the Measurable Business Value

    In phases 1 and 2 of this blueprint, we will help you establish the business context, define your business drivers and KPIs, and understand your current data governance capabilities and strengths.

    In phase 3, we will help you develop a plan and a roadmap for addressing any gaps and improving the relevant data governance capabilities so that data is well positioned to deliver on those defined business metrics.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    'Our team, has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.'

    Guided Implementation

    'Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keeps us on track.'

    Workshop

    'We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.'

    Consulting

    'Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.'

    Diagnostics and consistent frameworks are used throughout all four options.

    Establish Data Governance project overview

    Contact your account representative for more information. workshops@infotech.com 1-888-670-8889

    1. Build Business and User context2. Understand Your Current Data Governance Capabilities3. Build a Target State Roadmap and Plan
    Best-Practice Toolkit
    1. Substantiate Business Drivers
    2. Build High-Value Use Cases for Data Governance
    1. Understand the Key Components of Data Governance
    2. Gauge Your Organisation's Current Data Culture
    1. Formulate an Actionable Roadmap and Right-Sized Plan
    Guided Implementation
    • Call 1
    • Call 2
    • Call 3
    • Call 4
    • Call 5
    • Call 6
    • Call 7
    • Call 8
    • Call 9
    Phase Outcomes
    • Your organisation's business capabilities and value streams
    • A business capability map for your organisation
    • Categorisation of your organisation's key capabilities
    • A strategy map tied to data governance
    • High-value use cases for data governance
    • An understanding of the core components of an effective data governance program
    • An understanding your organisation's current data culture
    • A data governance roadmap and target-state plan comprising of prioritised initiatives

    Guided Implementation

    What does a typical GI on this topic look like?

    An outline of what guided implementation looks like.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organisation. A typical GI is between 8 to 12 calls over the course of 4 to 6 months.

    Workshop overview

    Contact your account representative for more information. workshops@infotech.com 1-888-670-8889

    Day 1 Day 2 Day 3 Day 4
    Establish Business Context and Value Understand Current Data Governance Capabilities and Plot Target-State Levels Build Data Domain to Data Governance Role Mapping Formulate a Plan to Get to Your Target State
    Activities
    • Establish business context, value, and scope of data governance at the organisation
    • Introduction to Info-Tech's data governance framework
    • Discuss vision and mission for data governance
    • Understand your business architecture, including your business capability map and value streams
    • Build use cases aligned to core business capabilities
    • Understand your current data governance capabilities and maturity
    • Set target state data governance capabilities
    • Evaluate and prioritise performance gaps
    • Develop and consolidate data governance target-state initiatives
    • Define the role of data governance: data domain to data governance role mapping
    • Identify and prioritise next steps
    • Define roles and responsibilities and complete a high-level RACI
    • Wrap-up and discuss next steps and post-workshop support
    Deliverables
    1. Sample use cases (tied to the business capability map) and a repeatable use case framework
    2. Vision and mission for data governance
    1. Current state of data governance maturity
    2. Definition of target state
    1. Target-state data governance initiatives
    2. Data domain to data governance role mapping
    1. Initialised roadmap
    2. Initialised RACI
    3. Completed Business Data Glossary (BDG)

    Phase 1

    Build Business and User Context

    Three circles are in the image that list the three phases and the main steps. Phase 1 is highlighted.

    'When business users are invited to participate in the conversation around data with data users and IT, it adds a fundamental dimension — business context. Without a real understanding of how data ties back to the business, the value of analysis and insights can get lost.' – Jason Lim, Alation

    This phase will guide you through the following activities:

    • Identify Your Business Capabilities
    • Define your Organisation's Key Business Capabilities
    • Develop a Strategy Map that Aligns Business Capabilities to Your Strategic Focus

    This phase involves the following participants:

    • Data Governance Leader/Data Leader (CDO)
    • Senior Business Leaders
    • Business SMEs
    • Data Leadership, Data Owners, Data Stewards and Custodians

    Step 1.1

    Substantiate Business Drivers

    Activities

    1.1.1 Identify Your Business Capabilities

    1.1.2 Categorise Your Organisation's Key Business Capabilities

    1.1.3 Develop a Strategy Map Tied to Data Governance

    This step will guide you through the following activities:

    • Leverage your organisation's existing business capability map or initiate the formulation of a business capability map, guided by Info-Tech's approach
    • Determine which business capabilities are considered high priority by your organisation
    • Map your organisation's strategic objectives to value streams and capabilities to communicate how objectives are realised with the support of data

    Outcomes of this step

    • A foundation for data governance initiative planning that's aligned with the organisation's business architecture: value streams, business capability map, and strategy map

    Info-Tech Insight

    Gaining a sound understanding of your business architecture (value streams and business capabilities) is a critical foundation for establishing and sustaining a data governance program that delivers measurable business value.

    1.1.1 Identify Your Business Capabilities

    Confirm your organisation's existing business capability map or initiate the formulation of a business capability map:

    1. If you have an existing business capability map, meet with the relevant business owners/stakeholders to confirm that the content is accurate and up to date. Confirm the value streams (how your organisation creates and captures value) and their business capabilities are reflective of the organisation's current business environment.
    2. If you do not have an existing business capability map, follow this activity to initiate the formulation of a map (value streams and related business capabilities):
      1. Define the organisation's value streams. Meet with senior leadership and other key business stakeholders to define how your organisation creates and captures value.
      2. Define the relevant business capabilities. Meet with senior leadership and other key business stakeholders to define the business capabilities.

    Note: A business capability defines what a business does to enable value creation. Business capabilities are business terms defined using descriptive nouns such as 'Marketing' or 'Research and Development.' They represent stable business functions, are unique and independent of each other, and typically will have a defined business outcome.

    Input

    • List of confirmed value streams and their related business capabilities

    Output

    • Business capability map with value streams for your organisation

    Materials

    • Your existing business capability map or the template provided in the Data Governance Planning and Roadmapping Workbook accompanying this blueprint

    Participants

    • Key business stakeholders
    • Data stewards
    • Data custodians
    • Data Governance Working Group

    For more information, refer to Info-Tech's Document Your Business Architecture.

    Define or validate the organisation's value streams

    Value streams connect business goals to the organisation's value realisation activities. These value realisation activities, in turn, depend on data.

    If the organisation does not have a business architecture function to conduct and guide Activity 1.1.1, you can leverage the following approach:

    • Meet with key stakeholders regarding this topic, then discuss and document your findings.
    • When trying to identify the right stakeholders, consider: Who are the decision makers and key influencers? Who will impact this piece of business architecture related work? Who has the relevant skills, competencies, experience, and knowledge about the organisation?
    • Engage with these stakeholders to define and validate how the organisation creates value.
    • Consider:
      • Who are your main stakeholders? This will depend on the industry in which you operate. For example, customers, residents, citizens, constituents, students, patients.
      • What are your stakeholders looking to accomplish?
      • How does your organisation's products and/or services help them accomplish that?
      • What are the benefits your organisation delivers to them and how does your organisation deliver those benefits?
      • How do your stakeholders receive those benefits?

    Align data governance to the organisation's value realisation activities.

    Value streams enable the organisation to create or capture value in the market in which it operates by engaging in a set of interconnected activities.

    Info-Tech Insight

    Your organisation's value streams and the associated business capabilities require effectively governed data. Without this, you face the possibilities of elevated operational costs, missed opportunities, eroded stakeholder satisfaction, negative impact to reputation and brand, and/or increased exposure to business risk.

    Example of value streams – Retail Banking

    Value streams connect business goals to the organisation's value realisation activities.

    Example value stream descriptions for: Retail Banking

    Value streams enable the organisation to create or capture value in the market in which it operates by engaging in a set of interconnected activities.

    Model example of value streams for retail banking.

    For this value stream, download Info-Tech's Info-Tech's Industry Reference Architecture for Retail Banking.

    Example of value streams – Higher Education

    Value streams connect business goals to the organisation's value realisation activities.

    Example value stream descriptions for: Higher Education

    Value streams enable the organisation to create or capture value in the market in which it operates by engaging in a set of interconnected activities.

    Model example of value streams for higher education

    For this value stream, download Info-Tech's Industry Reference Architecture for Higher Education.

    Example of value streams – Local Government

    Value streams connect business goals to the organisation's value realisation activities.

    Example value stream descriptions for: Local Government

    Value streams enable the organisation to create or capture value in the market in which it operates by engaging in a set of interconnected activities.

    Model example of value streams for local government

    For this value stream, download Info-Tech's Industry Reference Architecture for Local Government.

    Example of value streams – Manufacturing

    Value streams connect business goals to the organisation's value realisation activities.

    Example value stream descriptions for: Manufacturing

    Value streams enable the organisation to create or capture value in the market in which it operates by engaging in a set of interconnected activities.

    Model example of value streams for manufacturing

    For this value stream, download Info-Tech's Industry Reference Architecture for Manufacturing.

    Example of value streams – Retail

    Value streams connect business goals to the organisation's value realisation activities.

    Example value stream descriptions for: Retail

    Model example of value streams for retail

    Value streams enable the organisation to create or capture value in the market in which it operates by engaging in a set of interconnected activities.

    For this value stream, download Info-Tech's Industry Reference Architecture for Retail.

    Define the organisation's business capabilities in a business capability map

    A business capability defines what a business does to enable value creation. Business capabilities represent stable business functions and typically will have a defined business outcome.

    Business capabilities can be thought of as business terms defined using descriptive nouns such as 'Marketing' or 'Research and Development.'

    If your organisation doesn't already have a business capability map, you can leverage the following approach to build one. This initiative requires a good understanding of the business. By working with the right stakeholders, you can develop a business capability map that speaks a common language and accurately depicts your business.

    Working with the stakeholders as described above:

    • Analyse the value streams to identify and describe the organisation's capabilities that support them.
    • Consider: What is the objective of your value stream? (This can highlight which capabilities support which value stream.)
    • As you initiate your engagement with your stakeholders, don't start a blank page. Leverage the examples on the next slides as a starting point for your business capability map.
    • When using these examples, consider: What are the activities that make up your particular business? Keep the ones that apply to your organisation, remove the ones that don't, and add any needed.

    Align data governance to the organisation's value realisation activities.

    Info-Tech Insight

    A business capability map can be thought of as a visual representation of your organisation's business capabilities and hence represents a view of what your data governance program must support.

    For more information, refer to Info-Tech's Document Your Business Architecture.

    Example business capability map – Retail Banking

    A business capability map can be thought of as a visual representation of your organisation's business capabilities and hence represents a view of what your data governance program must support.

    Validate your business capability map with the right stakeholders, including your executive team, business unit leaders, and/or other key stakeholders.

    Info-Tech Tip:

    Leverage your business capability map verification session with these key stakeholders as a prime opportunity to share and explain the role of data and data governance in supporting the very value realisation capabilities under discussion. This will help to build awareness and visibility of the data governance program.

    Example business capability map for: Retail Banking

    Model example business capability map for retail banking

    For this business capability map, download Info-Tech's Industry Reference Architecture for Retail Banking.

    Example business capability map – Higher Education

    A business capability map can be thought of as a visual representation of your organisation's business capabilities and hence represents a view of what your data governance program must support.

    Validate your business capability map with the right stakeholders, including your executive team, business unit leaders, and/or other key stakeholders.

    Info-Tech Tip:

    Leverage your business capability map verification session with these key stakeholders as a prime opportunity to share and explain the role of data and data governance in supporting the very value realisation capabilities under discussion. This will help to build awareness and visibility of the data governance program.

    Example business capability map for: Higher Education

    Model example business capability map for higher education

    For this business capability map, download Info-Tech's Industry Reference Architecture for Higher Education.

    Example business capability map – Local Government

    A business capability map can be thought of as a visual representation of your organisation's business capabilities and hence represents a view of what your data governance program must support.

    Validate your business capability map with the right stakeholders, including your executive team, business unit leaders, and/or other key stakeholders.

    Info-Tech Tip:

    Leverage your business capability map verification session with these key stakeholders as a prime opportunity to share and explain the role of data and data governance in supporting the very value realisation capabilities under discussion. This will help to build awareness and visibility of the data governance program.

    Example business capability map for: Local Government

    Model example business capability map for local government

    For this business capability map, download Info-Tech's Industry Reference Architecture for Local Government.

    Example business capability map – Manufacturing

    A business capability map can be thought of as a visual representation of your organisation's business capabilities and hence represents a view of what your data governance program must support.

    Validate your business capability map with the right stakeholders, including your executive team, business unit leaders, and/or other key stakeholders.

    Info-Tech Tip:

    Leverage your business capability map verification session with these key stakeholders as a prime opportunity to share and explain the role of data and data governance in supporting the very value realisation capabilities under discussion. This will help to build awareness and visibility of the data governance program.

    Example business capability map for: Manufacturing

    Model example business capability map for manufacturing

    For this business capability map, download Info-Tech's Industry Reference Architecture for Manufacturing.

    Example business capability map - Retail

    A business capability map can be thought of as a visual representation of your organisation's business capabilities and hence represents a view of what your data governance program must support.

    Validate your business capability map with the right stakeholders, including your executive team, business unit leaders, and/or other key stakeholders.

    Info-Tech Tip:

    Leverage your business capability map verification session with these key stakeholders as a prime opportunity to share and explain the role of data and data governance in supporting the very value realisation capabilities under discussion. This will help to build awareness and visibility of the data governance program.

    Example business capability map for: Retail

    Model example business capability map for retail

    For this business capability map, download Info-Tech's Industry Reference Architecture for Retail.

    1.1.2 Categorise Your Organisation's Key Capabilities

    Determine which capabilities are considered high priority in your organisation.

    1. Categorise or heatmap the organisation's key capabilities. Consult with senior and other key business stakeholders to categorise and prioritise the business' capabilities. This will aid in ensuring your data governance future state planning is aligned with the mandate of the business. One approach to prioritising capabilities with business stakeholders is to examine them through the lens of cost advantage creators, competitive advantage differentiators, and/or by high value/high risk.
    2. Identify cost advantage creators. Focus on capabilities that drive a cost advantage for your organisation. Highlight these capabilities and prioritise programs that support them.
    3. Identify competitive advantage differentiators. Focus on capabilities that give your organisation an edge over rivals or other players in your industry.

    This categorisation/prioritisation exercise helps highlight prime areas of opportunity for building use cases, determining prioritisation, and the overall optimisation of data and data governance.

    Input

    • Strategic insight from senior business stakeholders on the business capabilities that drive value for the organisation

    Output

    • Business capabilities categorised and prioritised (e.g. cost advantage creators, competitive advantage differentiators, high value/high risk)

    Materials

    • Your existing business capability map or the business capability map derived in the previous activity

    Participants

    • Key business stakeholders
    • Data stewards
    • Data custodians
    • Data Governance Working Group

    For more information, refer to Info-Tech's Document Your Business Architecture.

    Example of business capabilities categorisation or heatmapping – Retail

    This exercise is useful in ensuring the data governance program is focused and aligned to support the priorities and direction of the business.

    • Depending on the mandate from the business, priority may be on developing cost advantage. Hence the capabilities that deliver efficiency gains are the ones considered to be cost advantage creators.
    • The business' priority may be on maintaining or gaining a competitive advantage over its industry counterparts. Differentiation might be achieved in delivering unique or enhanced products, services, and/or experiences, and the focus will tend to be on the capabilities that are more end-stakeholder-facing (e.g. customer-, student-, patient,- and/or constituent-facing). These are the organisation's competitive advantage creators.

    Example: Retail

    Example of business capabilities categorisation or heatmapping – Retail

    For this business capability map, download Info-Tech's Industry Reference Architecture for Retail.

    1.1.3 Develop a Strategy Map Tied to Data Governance

    Identify the strategic objectives for the business. Knowing the key strategic objectives will drive business-data governance alignment. It's important to make sure the right strategic objectives of the organisation have been identified and are well understood.

    1. Meet with senior business leaders and other relevant stakeholders to help identify and document the key strategic objectives for the business.
    2. Leverage their knowledge of the organisation's business strategy and strategic priorities to visually represent how these map to value streams, business capabilities, and, ultimately, to data and data governance needs and initiatives. Tip: Your map is one way to visually communicate and link the business strategy to other levels of the organisation.
    3. Confirm the strategy mapping with other relevant stakeholders.

    Guide to creating your map: Starting with strategic objectives, map the value streams that will ultimately drive them. Next, link the key capabilities that enable each value stream. Then map the data and data governance to initiatives that support those capabilities. This is one approach to help you prioritise the data initiatives that deliver the most value to the organisation.

    Input

    • Strategic objectives as outlined by the organisation's business strategy and confirmed by senior leaders

    Output

    • A strategy map that maps your organisational strategic objectives to value streams, business capabilities, and, ultimately, to data program

    Materials

    Participants

    • Key business stakeholders
    • Data stewards
    • Data custodians
    • Data Governance Working Group

    Download Info-Tech's Data Governance Planning and Roadmapping Workbook

    Example of a strategy map tied to data governance

    • Strategic objectives are the outcomes that the organisation is looking to achieve.
    • Value streams enable an organisation to create and capture value in the market through interconnected activities that support strategic objectives.
    • Business capabilities define what a business does to enable value creation in value streams.
    • Data capabilities and initiatives are descriptions of action items on the data and data governance roadmap and which will enable one or multiple business capabilities in its desired target state.

    Info-Tech Tip:

    Start with the strategic objectives, then map the value streams that will ultimately drive them. Next, link the key capabilities that enable each value stream. Then map the data and data governance initiatives that support those capabilities. This process will help you prioritise the data initiatives that deliver the most value to the organisation.

    Example: Retail

    Example of a strategy map tied to data governance for retail

    For this strategy map, download Info-Tech's Industry Reference Architecture for Retail.

    Step 1.2

    Build High-Value Use Cases for Data Governance

    Activities

    1.2.1 Build High-Value Use Cases

    This step will guide you through the following activities:

    • Leveraging your categorised business capability map to conduct deep-dive sessions with key business stakeholders for creating high-value uses cases
    • Discussing current challenges, risks, and opportunities associated with the use of data across the lines of business
    • Exploring which other business capabilities, stakeholder groups, and business units will be impacted

    Outcomes of this step

    • Relevant use cases that articulate the data-related challenges, needs, or opportunities that are clear and contained and, if addressed ,will deliver value to the organisation

    Info-Tech Tip

    One of the most important aspects when building use cases is to ensure you include KPIs or measures of success. You have to be able to demonstrate how the use case ties back to the organisational priorities or delivers measurable business value. Leverage the KPIs and success factors of the business capabilities tied to each particular use case.

    1.2.1 Build High-Value Use Cases

    This business needs-gathering activity will highlight and create relevant use cases around data-related problems or opportunities that are clear and contained and, if addressed, will deliver value to the organisation.

    1. Bring together key business stakeholders (data owner, stewards, SMEs) from a particular line of business as well as the relevant data custodian(s) to build cases for their units. Leverage the business capability map you created for facilitating this act.
    2. Leverage Info-Tech's framework for data requirements and methodology for creating use cases, as outlined in the Data Use Case Framework Template and seen on the next slide.
    3. Have the stakeholders move through each breakout session outlined in the Use Case Worksheet. Use flip charts or a whiteboard to brainstorm and document their thoughts.
    4. Debrief and document results in the Data Use Case Framework Template.
    5. Repeat this exercise with as many lines of the business as possible, leveraging your business capability map to guide your progress and align with business value.

    Tip: Don't conclude these use case discussions without substantiating what measures of success will be used to demonstrate the business value of the effort to produce the desired future state, as relevant to each particular use case.

    This business needs-gathering activity will highlight and create relevant use cases around data-related problems or opportunities that are clear and contained and, if addressed, will deliver value to the organisation.

    1. Bring together key business stakeholders (data owner, stewards, SMEs) from a particular line of business as well the relevant data custodian(s) to build cases for their units. Leverage the business capability map you created for facilitating this act.
    2. Leverage Info-Tech's framework for data requirements and methodology for creating use cases, as outlined in the Data Use Case Framework Template and seen on the next slide.
    3. Have the stakeholders move through each breakout session outlined in the Use Case Worksheet. Use flip charts or a whiteboard to brainstorm and document their thoughts.
    4. Debrief and document results in the Data Use Case Framework Template
    5. Repeat this exercise with as many lines of the business as possible, leveraging your business capability map to guide your progress and align with business value.

    Tip: Don't conclude these use case discussions without substantiating what measures of success will be used to demonstrate the business value of the effort to produce the desired future state, as relevant to each particular use case.

    Input

    • Value streams and business capabilities as defined by business leaders
    • Business stakeholders' subject area expertise
    • Data custodian systems, integration, and data knowledge

    Output

    • Use cases that articulate data-related challenges, needs or opportunities that are tied to defined business capabilities and hence if addressed will deliver measurable value to the organisation.

    Materials

    • Your business capability map from activity 1.1.1
    • Info-Tech's Data Use Case Framework Template
    • Whiteboard or flip charts (or shared screen if working remotely)
    • Markers/pens

    Participants

    • Key business stakeholders
    • Data stewards and business SMEs
    • Data custodians
    • Data Governance Working Group

    Download Info-Tech's Data Use Case Framework Template

    Info-Tech's Framework for Building Use Cases

    Objective: This business needs-gathering activity will highlight and create relevant use cases around data-related problems or opportunities that are clear and contained and, if addressed, will deliver value to the organisation.

    Leveraging your business capability map, build use cases that align with the organisation's key business capabilities.

    Consider:

    • Is the business capability a cost advantage creator or an industry differentiator?
    • Is the business capability currently underserved by data?
    • Does this need to be addressed? If so, is this risk- or value-driven?

    Info-Tech's Data Requirements and Mapping Methodology for Creating Use Cases

    1. What business capability (or capabilities) is this use case tied to for your business area(s)?
    2. What are your data-related challenges in performing this today?
    3. What are the steps in this process/activity today?
    4. What are the applications/systems used at each step today?
    5. What data domains are involved, created, used, and/or transformed at each step today?
    6. What does an ideal or improved state look like?
    7. What other business units, business capabilities, activities, and/or processes will be impacted or improved if this issue was solved?
    8. Who are the stakeholders impacted by these changes? Who needs to be consulted?
    9. What are the risks to the organisation (business capability, revenue, reputation, customer loyalty, etc.) if this is not addressed?
    10. What compliance, regulatory, and/or policy concerns do we need to consider in any solution?
    11. What measures of success or change should we use to prove the value of the effort (such as KPIs, ROI)? What is the measurable business value of doing this?

    The resulting use cases are to be prioritised and leveraged for informing the business case and the data governance capabilities optimisation plan.

    Taken from Info-Tech's Data Use Case Framework Template

    Phase 2

    Understand Your Current Data Governance Capabilities

    Three circles are in the image that list the three phases and the main steps. Phase 2 is highlighted.

    This phase will guide you through the following activities:

    • Understand the Key Components of Data Governance
    • Gauge Your Organisation's Current Data Culture

    This phase involves the following participants:

    • Data Leadership
    • Data Ownership & Stewardship
    • Policies & Procedures
    • Data Literacy & Culture
    • Operating Model
    • Data Management
    • Data Privacy & Security
    • Enterprise Projects & Services

    Step 2.1

    Understand the Key Components of Data Governance

    This step will guide you through the following activities:

    • Understanding the core components of an effective data governance program and determining your organisation's current capabilities in these areas:
      • Data Leadership
      • Data Ownership & Stewardship
      • Policies & Procedures
      • Data Literacy & Culture
      • Operating Model
      • Data Management
      • Data Privacy & Security
      • Enterprise Projects & Services

    Outcomes of this step

    • An understanding of the core components of an effective data governance program
    • An understanding your organisation's current data governance capabilities

    Leverage Info-Tech's: Data Governance Initiative Planning and Roadmap Tool to assess your current data governance capabilities and plot your target state accordingly.

    This tool will help your organisation plan the sequence of activities, capture start dates and expected completion dates, and create a roadmap that can be effectively communicated to the organisation.

    Review: Info-Tech's Data Governance Framework

    An image of Info-Tech's Data Governance Framework

    Key components of data governance

    A well-defined data governance program will deliver:

    • Defined accountability and responsibility for data.
    • Improved knowledge and common understanding of the organisation's data assets.
    • Elevated trust and confidence in traceable data.
    • Improved data ROI and reduced data debt.
    • An enabling framework for supporting the ethical use and handling of data.
    • A foundation for building and fostering a data-driven and data-literate organisational culture.

    The key components of establishing sustainable enterprise data governance, taken from Info-Tech's Data Governance Framework:

    • Data Leadership
    • Data Ownership & Stewardship
    • Operating Model
    • Policies & Procedures
    • Data Literacy & Culture
    • Data Management
    • Data Privacy & Security
    • Enterprise Projects & Services

    Data Leadership

    • Data governance needs a dedicated head or leader to steer the organisation's data governance program.
    • For organisations that do have a chief data officer (CDO), their office is the ideal and effective home for data governance.
    • Heads of data governance also have titles such as director of data governance, director of data quality, and director of analytics.
    • The head of your data governance program works with all stakeholders and partners to ensure there is continuous enterprise governance alignment and oversight and to drive the program's direction.
    • While key stakeholders from the business and IT will play vital data governance roles, the head of data governance steers the various components, stakeholders, and initiatives, and provides oversight of the overall program.
    • Vital data governance roles include: data owners, data stewards, data custodians, data governance steering committee (or your organisation's equivalent), and any data governance working group(s).

    The role of the CDO: the voice of data

    The office of the chief data officer (CDO):

    • Has a cross-organisational vision and strategy for data.
    • Owns and drives the data strategy; ensures it supports the overall organisational strategic direction and business goals.
    • Leads the organisational data initiatives, including data governance
    • Is accountable for the policy, strategy, data standards, and data literacy necessary for the organisation to operate effectively.
    • Educates users and leaders about what it means to be 'data-driven.'
    • Builds and fosters a culture of data excellence.

    'Compared to most of their C-suite colleagues, the CDO is faced with a unique set of problems. The role is still being defined. The chief data officer is bringing a new dimension and focus to the organisation: "data." '
    – Carruthers and Jackson, 2020

    Who does the CDO report to?

    Example reporting structure.
    • The CDO should be a true C- level executive.
    • Where the organisation places the CDO role in the structure sends an important signal to the business about how much it values data.

    'The title matters. In my opinion, you can't have a CDO without executive authority. Otherwise no one will listen.'

    – Anonymous European CDO

    'The reporting structure depends on who's the 'glue' that ties together all these uniquely skilled individuals.'

    – John Kemp, Senior Director, Executive Services, Info-Tech Research Group

    Data Ownership & Stewardship

    Who are best suited to be data owners?

    • Wherever they may sit in your organisation, data owners will typically have the highest stake in that data.
    • Data owners needs to be suitably senior and have the necessary decision-making power.
    • They have the highest interest in the related business data domain, whether they are the head of a business unit or the head of a line of business that produces data or consumes data (or both).
    • If they are neither of these, it's unlikely they will have the interest in the data (in terms of its quality, protection, ethical use, and handling, for instance) necessary to undertake and adopt the role effectively.

    Data owners are typically senior business leaders with the following characteristics:

    • Positioned to accept accountability for their data domain.
    • Hold authority and influence to affect change, including across business processes and systems, needed to improve data quality, use, handling, integration, etc.
    • Have access to a budget and resources for data initiatives such as resolving data quality issues, data cleansing initiatives, business data catalogue build, related tools and technology, policy management, etc.
    • Hold the influence needed to drive change in behaviour and culture.
    • Act as ambassadors of data and its value as an organisational strategic asset.

    Right-size your data governance organisational structure

    • Most organisations strive to identify roles and responsibilities at a strategic, and operational level. Several factors will influence the structure of the program such as the focus of the data governance project as well as the maturity and size of the organisation.
    • Your data governance structure has to work for your organisation, and it has to evolve as the organisation evolves.
    • Formulate your blend of data governance roles, committees, councils, and cross-functional groups, that make sense for your organisation.
    • Your data governance organisational structure should not add complexity or bureaucracy to your organisation's data landscape; it should support and enable your principle of treating data as an asset.

    There is no one-size-fits-all data governance organisational structure.

    Example of a Data Governance Organisational Structure

    Critical roles and responsibilities for data governance

    Data Governance Working Groups

    Data governance working groups:

    • Are cross-functional teams
    • Deliver on data governance projects, initiatives, and ad hoc review committees.

    Data Stewards

    Traditionally, data stewards:

    • Serve on an operational level addressing issues related to adherence to standards/procedures, monitoring data quality, raising issues identified, etc.
    • Are responsible for managing access, quality, escalating issues, etc.

    Data Custodians

    • Traditionally, data custodians:
    • Serve on an operational level addressing issues related to data and database administration.
    • Support the management of access, data quality, escalating issues, etc.
    • Are SMEs from IT and database administration.

    Example: Business capabilities to data owner and data stewards mapping for a selected data domain

    Info-Tech Insight

    Your organisation's value streams and the associated business capabilities require effectively governed data. Without this, you face elevated operational costs, missed opportunities, eroded stakeholder satisfaction, and exposure to increased business risk.

    Enabling business capabilities with data governance role definitions

    Example: Business capabilities to data owner and data stewards mapping for a selected data domain

    Operating Model

    Your operating model is the key to designing and operationalizing a form of data governance that delivers measurable business value to your organisation.

    'Generate excitement for data: When people are excited and committed to the vision of data enablement, they're more likely to help ensure that data is high quality and safe.' – Petzold, et al., 2020

    Operating Model

    Defining your data governance operating model will help create a well-oiled program that sustainably delivers value to the organisation and manages risks while building and fostering a culture of data excellence along the way. Some organisations are able to establish a formal data governance office, whether independent or attached to the office of the chief data officer. Regardless of how you are organised, data governance requires a home, a leader, and an operating model to ensure its sustainability and evolution.

    Examples of focus areas for your operating model:

    • Delivery: While there are core tenets to every data governance program, there is a level of variability in the implementation of data governance programs across organisations, sectors, and industries. Every organisation has its own particular drivers and mandates, so the level and rigour applied will also vary.
    • The key is to determine what style will work best in your organisation, taking into consideration your organisational culture, executive leadership support (present and ongoing), catalysts such as other enterprise-wide transformative and modernisation initiatives, and/or regulatory and compliances drivers.

    • Communication: Communication is vital across all levels and stakeholder groups. For instance, there needs to be communication from the data governance office up to senior leadership, as well as communication within the data governance organisation, which is typically made up of the data governance steering committee, data governance council, executive sponsor/champion, data stewards, and data custodians and working groups.
    • Furthermore, communication with the wider organisation of data producers, users, and consumers is one of the core elements of the overall data governance communications plan.

    Communication is vital for ensuring acceptance of new processes, rules, guidelines, and technologies by all data producers and users as well as for sharing success stories of the program.

    Operating Model

    Tie the value of data governance and its initiatives back to the business capabilities that are enabled.

    'Leading organisations invest in change management to build data supporters and convert the sceptics. This can be the most difficult part of the program, as it requires motivating employees to use data and encouraging producers to share it (and ideally improve its quality at the source)[.]' – Petzold, et al., 2020

    Operating Model

    Examples of focus areas for your operating model (continued):

    • Change management and issue resolution: Data governance initiatives will very likely bring about a level of organisational disruption, with governance recommendations and future state requiring potentially significant business change. This may include a redesign of a substantial number of data processes affecting various business units, which will require tweaking the organisation's culture, thought processes, and procedures surrounding its data.
    • Preparing people for change well in advance will allow them to take the steps necessary to adapt and reduce potential confrontation. By planning for and efficiently communicating any changes that a data governance initiative may bring, many initial issues can be resolved from the outset.

      Attempting to implement change without an effective communications plan can result in disagreements over data control and stalemates between stakeholder units. The recommendations of the governance group must reflect the needs of all stakeholders or there will be pushback.

    • Performance measuring, monitoring and reporting: Measuring and reporting on performance, successes, and realisation of tangible business value are a must for sustaining, growing, and scaling your data governance program.
    • Aligning your data governance to the organisation's value realisation activities enables you to leverage the KPIs of those business capabilities to demonstrate tangible and measurable value. Use terms and language that will resonate with your senior business leadership.

    Info-Tech Tip:

    Launching a data governance program will bring with it a level of disruption to the culture of the organisation. That disruption doesn't have to be detrimental if you are prepared to manage the change proactively and effectively.

    Policies, Procedures & Standards

    'Data standards are the rules by which data are described and recorded. In order to share, exchange, and understand data, we must standardise the format as well as the meaning.' – U.S. Geological Survey

    Policies, Procedures & Standards

    • When defining, updating, or refreshing your data policies, procedures, and standards, ensure they are relevant, serve a purpose, and/or support the use of data in the organisation.
    • Avoid the common pitfall of building out a host of policies, procedures, and standards that are never used or followed by users and therefore don't bring value or serve to mitigate risk for the organisation.
    • Data policies can be thought of as formal statements and are typically created, approved, and updated by the organisation's data decision-making body (such as a data governance steering committee).
    • Data standards and procedures function as actions, or rules, that support the policies and their statements.
    • Standards and procedures are designed to standardise the processes during the overall data lifecycle. Procedures are instructions to achieve the objectives of the policies. The procedures are iterative and will be updated with approval from your data governance committee as needed.
    • Your organisation's data policies, standards, and procedures should not bog down or inhibit users; rather, they should enable confident data use and handling across the overall data lifecycle. They should support more effective and seamless data capture, integration, aggregation, sharing, and retention of data in the organisation.

    Examples of data policies:

    • Data Classification Policy
    • Data Retention Policy
    • Data Entry Policy
    • Data Backup Policy
    • Data Provenance Policy
    • Data Management Policy

    See Info-Tech's Data Governance Policy Template: This policy establishes uniformed data governance standards and identifies the shared responsibilities for assuring the integrity of the data and that it efficiently and effectively serves the needs of your organisation.

    Data Domain Documentation

    Select the correct granularity for your business need

    Diagram of data domain documentation
    Sources: Dataversity; Atlan; Analytics8

    Data Domain Documentation Examples

    Data Domain Documentation Examples

    Data Culture

    'Organisational culture can accelerate the application of analytics, amplify its power, and steer companies away from risky outcomes.' – Petzold, et al., 2020

    A healthy data culture is key to amplifying the power of your data and to building and sustaining an effective data governance program.

    What does a healthy data culture look like?

    • Everybody knows the data.
    • Everybody trusts the data.
    • Everybody talks about the data.

    Building a culture of data excellence.

    Leverage Info-Tech's Data Culture Diagnostic to understand your organisation's culture around data.

    Screenshot of Data Culture Scorecard

    Contact your Info-Tech Account Representative for more information on the Data Culture Diagnostic

    Cultivating a data-driven culture is not easy

    'People are at the heart of every culture, and one of the biggest challenges to creating a data culture is bringing everyone into the fold.' – Lim, Alation

    It cannot be purchased or manufactured,

    It must be nurtured and developed,

    And it must evolve as the business, user, and data landscapes evolve.

    'Companies that have succeeded in their data-driven efforts understand that forging a data culture is a relentless pursuit, and magic bullets and bromides do not deliver results.' – Randy Bean, 2020

    Hallmarks of a data-driven culture

    There is a trusted, single source of data the whole company can draw from.

    There's a business glossary and data catalogue and users know what the data fields mean.

    Users have access to data and analytics tools. Employees can leverage data immediately to resolve a situation, perform an activity, or make a decision – including frontline workers.

    Data literacy, the ability to collect, manage, evaluate, and apply data in a critical manner, is high.

    Data is used for decision making. The company encourages decisions based on objective data and the intelligent application of it.

    A data-driven culture requires a number of elements:

    • High-quality data
    • Broad access and data literacy
    • Data-driven decision-making processes
    • Effective communication

    Data Literacy

    Data literacy is an essential part of a data-driven culture.

    • Building a data-driven culture takes an ongoing investment of time, effort, and money.
    • This investment will not realise its full return without building up the organisation's data literacy.
    • Data literacy is about filling data knowledge gaps across all levels of the organisation.
    • It's about ensuring all users – senior leadership right through to core users – are equipped with appropriate levels of training, skills, understanding, and awareness around the organisation's data and the use of associated tools and technologies. Data literacy ensures users have the data they need and they know how to interpret and leverage it.
    • Data literacy drives the appetite, demand, and consumption for data.
    • A data-literate culture is one where the users feel confident and skilled in their use of data, leveraging it for making informed or evidence-based decisions and generating insights for the organisation.

    Data Management

    • Data governance serves as an enabler to all of the core components that make up data management:
      • Data quality management
      • Data architecture management
      • Data platform
      • Data integration
      • Data operations management
      • Data risk management
      • Reference and master data management (MDM)
      • Document and content management
      • Metadata management
      • Business intelligence (BI), reporting, analytics and advanced analytics, artificial intelligence (AI), machine learning (ML)
    • Key tools such as the business data glossary and data catalogue are vital for operationalizing data governance and in supporting data management disciplines such as data quality management, metadata management, and MDM as well as BI, reporting, and analytics.

    Enterprise Projects & Services

    • Data governance serves as an enabler to enterprise projects and services that require, use, share, sell, and/or rely on data for their viability and, ultimately, their success.
    • Folding or embedding data governance into the organisation's project management function or project management office (PMO) serves to ensure that, for any initiative, suitable consideration is given to how data is treated.
    • This may include defining parameters, following standards and procedures around bringing in new sources of data, integrating that data into the organisation's data ecosystem, using and sharing that data, and retaining that data post-project completion.
    • The data governance function helps to identify and manage any ethical issues, whether at the start of the project and/or throughout.
    • It provides a foundation for asking relevant questions as it relates to the use or incorporation of data in delivering the specific project or service. Do we know where the data obtained from? Do we have rights to use that data? Are there legislations, policies, or regulations that guide or dictate how that data can be used? What are the positive effects, negative impacts, and/or risks associated with our intended use of that data? Are we positioned to mitigate those risks?
    • Mature data governance creates organisations where the above considerations around data management and the ethical use and handling of data is routinely implemented across the business and in the rollout and delivery of projects and services.

    Data Privacy & Security

    • Data governance supports the organisation's data privacy and security functions.
    • Key tools include the data classification policy and standards and defined roles around data ownership and data stewardship. These are vital for operationalizing data governance and supporting data privacy, security, and the ethical use and handling of data.
    • While some organisations may have a dedicated data security and privacy group, data governance provides an added level of oversight in this regard.
    • Some of the typical checks and balances include ensuring:
      • There are policies and procedures in place to restrict and monitor staff's access to data (one common way this is done is according to job descriptions and responsibilities) and that these comply with relevant laws and regulations.
      • There's a data classification scheme in place where data has been classified on a hierarchy of sensitivity (e.g. top secret, confidential, internal, limited, public).
      • The organisation has a comprehensive data security framework, including administrative, physical, and technical procedures for addressing data security issues (e.g. password management and regular training).
      • Risk assessments are conducted, including an evaluation of risks and vulnerabilities related to intentional and unintentional misuse of data.
      • Policies and procedures are in place to mitigate the risks associated with incidents such as data breaches.
      • The organisation regularly audits and monitors its data security.

    Ethical Use & Handling of Data

    Data governance will support your organisation's ethical use and handling of data by facilitating definition around important factors, such as:

    • What are the various data assets in the organisation and what purpose(s) can they be used for? Are there any limitations?
    • Who is the related data owner? Who holds accountability for that data? Who will be answerable?
    • Where was the data obtained from? What is the intended use of that data? Do you have rights to use that data? Are there legislations, policies, or regulations that guide or dictate how that data can be used?
    • What are the positive effects, negative impacts, and/or risks associated with the use of that data?

    Ethical Use & Handling of Data

    • Data governance serves as an enabler to the ethical use and handling of an organisation's data.
    • The Open Data Institute (ODI) defines data ethics as: 'A branch of ethics that evaluates data practices with the potential to adversely impact on people and society – in data collection, sharing and use.'
    • Data ethics relates to good practice around how data is collected, used and shared. It's especially relevant when data activities have the potential to impact people and society, whether directly or indirectly (Open Data Institute, 2019).
    • A failure to handle and use data ethically can negatively impact an organisation's direct stakeholders and/or the public at large, lead to a loss of trust and confidence in the organisation's products and services, lead to financial loss, and impact the organisation's brand, reputation, and legal standing.
    • Data governance plays a vital role is building and managing your data assets, knowing what data you have, and knowing the limitations of that data. Data ownership, data stewardship, and your data governance decision-making body are key tenets and foundational components of your data governance. They enable an organisation to define, categorise, and confidently make decisions about its data.

    Step 2.2

    Gauge Your Organisation's Current Data Culture

    Activities

    2.2.1 Gauge Your Organisation's Current Data Culture

    This step will guide you through the following activities:

    • Conduct a data culture survey or leverage Info-Tech's Data Culture Diagnostic to increase your understanding of your organisation's data culture

    Outcomes of this step

    • An understanding of your organisational data culture

    2.2.1 Gauge Your Organisation's Current Data Culture

    Conduct a Data Culture Survey or Diagnostic

    The objectives of conducting a data culture survey are to increase the understanding of the organisation's data culture, your users' appetite for data, and their appreciation for data in terms of governance, quality, accessibility, ownership, and stewardship. To perform a data culture survey:

    1. Identify members of the data user base, data consumers, and other key stakeholders for surveying.
    2. Conduct an information session to introduce Info-Tech's Data Culture Diagnostic survey. Explain the objective and importance of the survey and its role in helping to understand the organisation's current data culture and inform the improvement of that culture.
    3. Roll out the Info-Tech Data Culture Diagnostic survey to the identified users and stakeholders.
    4. Debrief and document the results and scorecard in the Data Strategy Stakeholder Interview Guide and Findings document.

    Input

    • Email addresses of participants in your organisation who should receive the survey

    Output

    • Your organisation's Data Culture Scorecard for understanding current data culture as it relates to the use and consumption of data
    • An understanding of whether data is currently perceived to be an asset to the organisation

    Materials

    Screenshot of Data Culture Scorecard

    Participants

    • Participants include those at the senior leadership level through to middle management, as well as other business stakeholders at varying levels across the organisation
    • Data owners, stewards, and custodians
    • Core data users and consumers

    Contact your Info-Tech Account Representative for details on launching a Data Culture Diagnostic.

    Phase 3

    Build a Target State Roadmap and Plan

    Three circles are in the image that list the three phases and the main steps. Phase 3 is highlighted.

    'Achieving data success is a journey, not a sprint. Companies that set a clear course, with reasonable expectations and phased results over a period of time, get to the destination faster.' – Randy Bean, 2020

    This phase will guide you through the following activities:

    • Build your Data Governance Roadmap
    • Develop a target state plan comprising of prioritised initiatives

    This phase involves the following participants:

    • Data Governance Leadership
    • Data Owners/Data Stewards
    • Data Custodians
    • Data Governance Working Group(s)

    Step 3.1

    Formulate an Actionable Roadmap and Right-Sized Plan

    This step will guide you through the following activities:

    • Build your data governance roadmap
    • Develop a target state plan comprising of prioritised initiatives

    Download Info-Tech's Data Governance Planning and Roadmapping Workbook

    See Info-Tech's Data Governance Program Charter Template: A program charter template to sell the importance of data governance to senior executives.

    This template will help get the backing required to get a data governance project rolling. The program charter will help communicate the project purpose, define the scope, and identify the project team, roles, and responsibilities.

    Outcomes of this step

    • A foundation for data governance initiative planning that's aligned with the organisation's business architecture: value streams, business capability map, and strategy map

    Build a right-sized roadmap

    Formulate an actionable roadmap that is right sized to deliver value in your organisation.

    Key considerations:

    • When building your data governance roadmap, ensure you do so through an enterprise lens. Be cognizant of other initiatives that might be coming down the pipeline that may require you to align your data governance milestones accordingly.
    • Apart from doing your planning with consideration for other big projects or launches that might be in-flight and require the time and attention of your data governance partners, also be mindful of the more routine yet still demanding initiatives.
    • When doing your roadmapping, consider factors like the organisation's fiscal cycle, typical or potential year-end demands, and monthly/quarterly reporting periods and audits. Initiatives such as these are likely to monopolise the time and focus of personnel key to delivering on your data governance milestones.

    Sample milestones:

    Data Governance Leadership & Org Structure Definition

    Define the home for data governance and other key roles around ownership and stewardship, as approved by senior leadership.

    Data Governance Charter and Policies

    Create a charter for your program and build/refresh associated policies.

    Data Culture Diagnostic

    Understand the organisation's current data culture, perception of data, value of data, and knowledge gaps.

    Use Case Build and Prioritisation

    Build a use case that is tied to business capabilities. Prioritise accordingly.

    Business Data Glossary/catalogue

    Build and/or refresh the business' glossary for addressing data definitions and standardisation issues.

    Tools & Technology

    Explore the tools and technology offering in the data governance space that would serve as an enabler to the program. (e.g. RFI, RFP).

    Recall: Info-Tech's Data Governance Framework

    An image of Info-Tech's Data Governance Framework

    Build an actionable roadmap

    Data Governance Leadership & Org Structure Division

    Define key roles for getting started.

    Use Case Build & Prioritisation

    Start small and then scale – deliver early wins.

    Literacy Program

    Start understanding data knowledge gaps, building the program, and delivering.

    Tools & Technology

    Make the available data governance tools and technology work for you.

    Key components of your data governance roadmap

    Data Governance Program Charter Template – A program charter template to sell the importance of data governance to senior executives.

    This template will help get the backing required to get a data governance project rolling. The program charter will help communicate the project purpose, define the scope, and identify the project team, roles, and responsibilities.

    By now, you have assessed current data governance environment and capabilities. Use this assessment, coupled with the driving needs of your business, to plot your data Governance roadmap accordingly.

    Sample data governance roadmap milestones:

    • Define data governance leadership.
    • Define and formalise data ownership and stewardship (as well as the role IT/data management will play as data custodians).
    • Build/confirm your business capability map and data domains.
    • Build business data use cases specific to business capabilities.
    • Define business measures/KPIs for the data governance program (i.e. metrics by use case that are relevant to business capabilities).
    • Data management:
      • Build your data glossary or catalogue starting with identified and prioritised terms.
      • Define data domains.
    • Design and define the data governance operating model (oversight model definition, communication plan, internal marketing such as townhalls, formulate change management plan, RFP of data governance tool and technology options for supporting data governance and its administration).
    • Data policies and procedures:
      • Formulate, update, refresh, consolidate, rationalise, and/or retire data policies and procedures.
      • Define policy management and administration framework (i.e. roll-out, maintenance, updates, adherence, system to be used).
    • Conduct Info-Tech's Data Culture Diagnostic or survey (across all levels of the organisation).
    • Define and formalise the data literacy program (build modules, incorporate into LMS, plan lunch and learn sessions).
    • Data privacy and security: build data classification policy, define classification standards.
    • Enterprise projects and services: embed data governance in the organisation's PMO, conduct 'Data Governance 101' for the PMO.

    Defining data governance roles and organisational structure at Organisation

    The approach employed for defining the data governance roles and supporting organisational structure for .

    Key Considerations:

    • The data owner and data steward roles are formally defined and documented within the organisation. Their involvement is clear, well-defined, and repeatable.
    • There are data owners and data stewards for each data domain within the organisation. The data steward role is given to someone with a high degree of subject matter expertise.
    • Data owners and data stewards are effective in their roles by ensuring that their data domain is clean and free of errors and that they protect the organisation against data loss.
    • Data owners and data stewards have the authority to make final decisions on data definitions, formats, and standard processes that apply to their respective data sets. Data owners and data stewards have authority regarding who has access to certain data.
    • Data owners and data stewards are not from the IT side of the organisation. They understand the lifecycle of the data (how it is created, curated, retrieved, used, archived, and destroyed) and they are well-versed in any compliance requirements as it relates to their data.
    • The data custodian role is formally defined and is given to the relevant IT expert. This is an individual with technical administrative and/or operational responsibility over data (e.g. a DBA).
    • A data governance steering committee exists and is comprised of well-defined roles, responsibilities, executive sponsors, business representatives, and IT experts.
    • The data governance steering committee works to provide oversight and enforce policies, procedures, and standards for governing data.
    • The data governance working group has cross-functional representation. This comprises business and IT representation, as well as project management and change management where applicable: data stewards, data custodians, business subject matter experts, PM, etc.).
    • Data governance meetings are coordinated and communicated about. The meeting agenda is always clear and concise, and meetings review pressing data-related issues. Meeting minutes are consistently documented and communicated.

    Sample: Business capabilities to data owner and data stewards mapping for a selected data domain

    Info-Tech Insight

    Your organisation's value streams and the associated business capabilities require effectively governed data. Without this, you face elevated operational costs, missed opportunities, eroded stakeholder satisfaction, and exposure to increased business risk.

    Enable business capabilities with data governance role definitions.

    Sample: Business capabilities to data owner and data stewards mapping for a selected data domain

    Consider your technology options:

    Make the available data governance tools and technology work for you:

    • Data catalogue
    • Business data glossary
    • Data lineage
    • Metadata management

    Logos of data governance tools and technology.

    These are some of the data governance tools and technology players. Check out SoftwareReviews for help making better software decisions.

    Make the data steward the catalyst for organisational change and driving data culture

    The data steward must be empowered and backed politically with decision-making authority, or the role becomes stale and powerless.

    Ensuring compliance can be difficult. Data stewards may experience pushback from stakeholders who must deliver on the policies, procedures, and processes that the data steward enforces.

    Because the data steward must enforce data processes and liaise with so many different people and departments within the organisation, the data steward role should be their primary full-time job function – where possible.

    However, in circumstances where budget doesn't allow a full-time data steward role, develop these skills within the organisation by adding data steward responsibilities to individuals who are already managing data sets for their department or line of business.

    Info-Tech Tip

    A stewardship role is generally more about managing the cultural change that data governance brings. This requires the steward to have exceptional interpersonal skills that will assist in building relationships across departmental boundaries and ensuring that all stakeholders within the organisation believe in the initiative, understand the anticipated outcomes, and take some level of responsibility for its success.

    Changes to organisational data processes are inevitable; have a communication plan in place to manage change

    Create awareness of your data governance program. Use knowledge transfer to get as many people on board as possible.

    Data governance initiatives must contain a strong organisational disruption component. A clear and concise communication strategy that conveys milestones and success stories will address the various concerns that business unit stakeholders may have.

    By planning for and efficiently communicating any changes that a data governance initiative may bring, many initial issues can be resolved from the outset.

    Governance recommendations will require significant business change. The redesign of a substantial number of data processes affecting various business units will require an overhaul of the organisation's culture, thought processes, and procedures surrounding its data. Preparing people for change well in advance will allow them to take the necessary steps to adapt and reduce potential confrontation.

    Because a data governance initiative will involve data-driven business units across the organisation, the governance team must present a compelling case for data governance to ensure acceptance of new processes, rules, guidelines, and technologies by all data producers and users.

    Attempting to implement change without an effective communication plan can result in disagreements over data control and stalemates between stakeholder units. The recommendations of the governance group must reflect the needs of all stakeholders or there will be pushback.

    Info-Tech Insight

    Launching a data governance initiative is guaranteed to disrupt the culture of the organisation. That disruption doesn't have to be detrimental if you are prepared to manage the change proactively and effectively.

    Create a common data governance vision that is consistently communicated to the organisation

    A data governance program should be an enterprise-wide initiative.

    To create a strong vision for data governance, there must be participation from the business and IT. A common vision will articulate the state the organisation wishes to achieve and how it will reach that state. Visioning helps to develop long-term goals and direction.

    Once the vision is established, it must be effectively communicated to everyone, especially those who are involved in creating, managing, disposing, or archiving data.

    The data governance program should be periodically refined. This will ensure the organisation continues to incorporate best methods and practices as the organisation grows and data needs evolve.

    Info-Tech Tips

    • Use information from the stakeholder interviews to derive business goals and objectives.
    • Work to integrate different opinions and perspectives into the overall vision for data governance.
    • Brainstorm guiding principles for data and understand the overall value to the organisation.

    Develop a compelling data governance communications plan to get all departmental lines of business on board

    A data governance program will impact all data-driven business units within the organisation.

    A successful data governance communications plan involves making the initiative visible and promoting staff awareness. Educate the team on how data is collected, distributed, and used, what internal processes use data, and how that data is used across departmental boundaries.

    By demonstrating how data governance will affect staff directly, you create a deeper level of understanding across lines of business, and ultimately, a higher level of acceptance for new processes, rules, and guidelines.

    A clear and concise communications strategy will raise the profile of data governance within the organisation, and staff will understand how the program will benefit them and how they can share in the success of the initiative. This will end up providing support for the initiative across the board.

    A proactive communications plan will:

    • Assist in overcoming issues with data control, stalemates between stakeholder units, and staff resistance.
    • Provide a formalised process for implementing new policies, rules, guidelines, and technologies, and managing organisational data.
    • Detail data ownership and accountability for decision making, and identify and resolve data issues throughout the organisation.
    • Encourage acceptance and support of the initiative.

    Info-Tech Tip

    Focus on literacy and communication: include training in the communication plan. Providing training for data users on the correct procedures for updating and verifying the accuracy of data, data quality, and standardised data policies will help validate how data governance will benefit them and the organisation.

    Leverage the data governance program to communicate and promote the value of data within the organisation

    The data governance program is responsible for continuously promoting the value of data to the organisation. The data governance program should seek a variety of ways to educate the organisation and data stakeholders on the benefit of data management.

    Even if data policies and procedures are created, they will be highly ineffective if they are not properly communicated to the data producers and users alike.

    There needs to be a communication plan that highlights how the data producer and user will be affected, what their new responsibilities are, and the value of that change.

    To learn how to manage organisational change, refer to Info-Tech's Master Organisational Change Management Practices.

    Understand what makes for an effective policy for data governance

    It can be difficult to understand what a policy is, and what it is not. Start by identifying the differences between a policy and standards, guidelines, and procedures.

    Diagram of an effective policy for data governance

    The following are key elements of a good policy:

    Heading Descriptions
    Purpose Describes the factors or circumstances that mandate the existence of the policy. Also states the policy's basic objectives and what the policy is meant to achieve.
    Scope Defines to whom and to what systems this policy applies. Lists the employees required to comply or simply indicates 'all' if all must comply. Also indicates any exclusions or exceptions, i.e. those people, elements, or situations that are not covered by this policy or where special consideration may be made.
    Definitions Define any key terms, acronyms, or concepts that will be used in the policy. A standard glossary approach is sufficient.
    Policy Statements Describe the rules that comprise the policy. This typically takes the form of a series of short prescriptive and proscriptive statements. Sub-dividing this section into sub-sections may be required depending on the length or complexity of the policy.
    Non-Compliance Clearly describe consequences (legal and/or disciplinary) for employee non-compliance with the policy. It may be pertinent to describe the escalation process for repeated non-compliance.
    Agreement Confirms understanding of the policy and provides a designated space to attest to the document.

    Leverage myPolicies, Info-Tech's web-based application for managing your policies and procedures

    Most organisations have problems with policy management. These include:

    1. Policies are absent or out of date
    2. Employees largely unaware of policies in effect
    3. Policies are unmonitored and unenforced
    4. Policies are in multiple locations
    5. Multiple versions of the same policy exist
    6. Policies managed inconsistently across different silos
    7. Policies are written poorly by untrained authors
    8. Inadequate policy training program
    9. Draft policies stall and lose momentum
    10. Weak policy support from senior management

    Technology should be used as a means to solve these problems and effectively monitor, enforce, and communicate policies.

    Product Overview

    myPolicies is a web-based solution to create, distribute, and manage corporate policies, procedures, and forms. Our solution provides policy managers with the tools they need to mitigate the risk of sanctions and reduce the administrative burden of policy management. It also enables employees to find the documents relevant to them and build a culture of compliance.

    Some key success factors for policy management include:

    • Store policies in a central location that is well known and easy to find and access. A key way that technology can help communicate policies is by having them published on a centralised website.
    • Link this repository to other policies' taxonomies of your organisation. E.g. HR policies to provide a single interface for employees to access guidance across the organisation.
    • Reassess policies annually at a minimum. myPolicies can remind you to update the organisation's policies at the appropriate time.
    • Make the repository searchable and easily navigable.
    • myPolicies helps you do all this and more.
    myPolicies logo myPolicies

    Enforce data policies to promote consistency of business processes

    Data policies are short statements that seek to manage the creation, acquisition, integrity, security, compliance, and quality of data. These policies vary amongst organisations, depending on your specific data needs.

    • Policies describe what to do, while standards and procedures describe how to do something.
    • There should be few data policies, and they should be brief and direct. Policies are living documents and should be continuously updated to respond to the organisation's data needs.
    • The data policies should highlight who is responsible for the data under various scenarios and rules around how to manage it effectively.

    Examples of Data Policies

    Trust

    • Data Cleansing and Quality Policy
    • Data Entry Policy

    Availability

    • Acceptable Use Policy
    • Data Backup Policy

    Security

    • Data Security Policy
    • Password Policy Template
    • User Authorisation, Identification, and Authentication Policy Template
    • Data Protection Policy

    Compliance

    • Archiving Policy
    • Data Classification Policy
    • Data Retention Policy

    Leverage data management-related policies to standardise your data management practices

    Info-Tech's Data Management Policy:

    This policy establishes uniform data management standards and identifies the shared responsibilities for assuring the integrity of the data and that it efficiently and effectively serves the needs of the organisation. This policy applies to all critical data and to all staff who may be creators and/or users of such data.

    Info-Tech's Data Entry Policy:

    The integrity and quality of data and evidence used to inform decision making is central to both the short-term and long-term health of an organisation. It is essential that required data be sourced appropriately and entered into databases and applications in an accurate and complete manner to ensure the reliability and validity of the data and decisions made based on the data.

    Info-Tech's Data Provenance Policy:

    Create policies to keep your data's value, such as:

    • Only allow entry of data from reliable sources.
    • Employees entering and accessing data must observe requirements for capturing/maintaining provenance metadata.
    • Provenance metadata will be used to track the lifecycle of data from creation through to disposal.

    Info-Tech's Data Integration and Virtualisation Policy:

    This policy aims to assure the organisation, staff, and other interested parties that data integration, replication, and virtualisation risks are taken seriously. Staff must use the policy (and supporting guidelines) when deciding whether to integrate, replicate, or virtualise data sets.

    Select the right mix of metrics to successfully supervise data policies and processes

    Policies are only as good as your level of compliance. Ensure supervision controls exist to oversee adherence to policies and procedures.

    Although they can be highly subjective, metrics are extremely important to data governance success.

    • Establishing metrics that measure the performance of a specific process or data set will:
      • Create a greater degree of ownership from data stewards and data owners.
      • Help identify underperforming individuals.
      • Allow the steering committee to easily communicate tailored objectives to individual data stewards and owners.
    • Be cautious when establishing metrics. The wrong metrics can have negative repercussions.
      • They will likely draw attention to an aspect of the process that doesn't align with the initial strategy.
      • Employees will work hard and grow frustrated as their successes aren't accurately captured.

    Policies are great to have from a legal perspective, but unless they are followed, they will not benefit the organisation.

    • One of the most useful metrics for policies is currency. This tracks how up to date the policy is and how often employees are informed about the policy. Often, a policy will be introduced and then ignored. Policies must be continuously reviewed by management and employees.
    • Some other metrics include adherence (including performance in tests for adherence) and impacts from non-adherence.

    Review metrics on an ongoing basis with those data owners/stewards who are accountable, the data governance steering committee, and the executive sponsors.

    Establish data standards and procedures for use across all organisational lines of business

    A data governance program will impact all data-driven business units within the organisation.

    • Data management procedures are the methods, techniques, and steps to accomplish a specific data objective. Creating standard data definitions should be one of the first tasks for a data governance steering committee.
    • Data moves across all departmental boundaries and lines of business within the organisation. These definitions must be developed as a common set of standards that can be accepted and used enterprise wide.
    • Consistent data standards and definitions will improve data flow across departmental boundaries and between lines of business.
    • Ensure these standards and definitions are used uniformly throughout the organisation to maintain reliable and useful data.

    Data standards and procedural guidelines will vary from company to company.

    Examples include:

    • Data modelling and architecture standards.
    • Metadata integration and usage procedures.
    • Data security standards and procedures.
    • Business intelligence standards and procedures.

    Info-Tech Tip

    Have a fundamental data definition model for the entire business to adhere to. Those in the positions that generate and produce data must follow the common set of standards developed by the steering committee and be accountable for the creation of valid, clean data.

    Changes to organisational data processes are inevitable; have a communications plan in place to manage change

    Create awareness of your data governance program, using knowledge transfer to get as many people on board as possible.

    By planning for and efficiently communicating any changes that a data governance initiative may bring, many initial issues can be resolved from the outset.

    Governance recommendations will require significant business change. The redesign of a substantial number of data processes affecting various business units will require an overhaul of the organisation's culture, thought processes, and procedures surrounding its data. Preparing people for change well in advance will allow them to take the necessary steps to adapt and reduce potential confrontation.

    Because a data governance initiative will involve data-driven business units across the organisation, the governance team must present a compelling case for data governance to ensure acceptance of new processes, rules, guidelines, and technologies by all data producers and users.

    Attempting to implement change without an effective communications plan can result in disagreements over data control and stalemates between stakeholder units. The recommendations of the governance group must reflect the needs of all stakeholders or there will be pushback.

    Data governance initiatives will very likely bring about a level of organisational disruption. A clear and concise communications strategy that conveys milestones and success stories will address the various concerns that business unit stakeholders may have.

    Info-Tech Tip

    Launching a data governance program will bring with it a level of disruption to the culture of the organisation. That disruption doesn't have to be detrimental if you are prepared to manage the change proactively and effectively.

    Other Deliverables:

    The list of supporting deliverables will help to kick start on some of the Data Governance initiatives

    • Data Classification Policy, Standard, and Procedure
    • Data Quality Policy, Standard, and Procedure
    • Metadata Management Policy, Standard, and Procedure
    • Data Retention Policy and Procurement

    Screenshot from Data Classification Policy, Standard, and Procedure

    Data Classification Policy, Standard, and Procedure

    Screenshot from Data Retention Policy and Procedure

    Data Retention Policy and Procedure

    Screenshot from Metadata Management Policy, Standard, and Procedure

    Metadata Management Policy, Standard, and Procedure

    Screenshot from Data Quality Policy, Standard, and Procedure

    Data Quality Policy, Standard, and Procedure

    Additional Support

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech Workshop.

    Picture of analyst

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team. Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    Screenshot of example data governance strategy map.

    Build Your Business and User Context

    Work with your core team of stakeholders to build out your data governance strategy map, aligning data governance initiatives with business capabilities, value streams, and, ultimately, your strategic priorities.

    Screenshot of Data governance roadmap

    Formulate a Plan to Get to Your Target State

    Develop a data governance future state roadmap and plan based on an understanding of your current data governance capabilities, your operating environment, and the driving needs of your business.

    Related Info-Tech Research

    Build a Robust and Comprehensive Data Strategy

    Key to building and fostering a data-driven culture.

    Create a Data Management Roadmap

    Streamline your data management program with our simplified framework.

    The First 100 Days as CDO

    Be the voice of data in a time of transformation.

    Research Contributors

    Name Position Company
    David N. Weber Executive Director - Planning, Research and Effectiveness Palm Beach State College
    Izabela Edmunds Information Architect Mott MacDonald
    Andy Neill Practice Lead, Data & Analytics Info-Tech Research Group
    Dirk Coetsee Research Director, Data & Analytics Info-Tech Research Group
    Graham Price Executive Advisor, Advisory Executive Services Info-Tech Research Group
    Igor Ikonnikov Research Director, Data & Analytics Info-Tech Research Group
    Jean Bujold Senior Workshop Delivery Director Info-Tech Research Group
    Rajesh Parab Research Director, Data & Analytics Info-Tech Research Group
    Reddy Doddipalli Senior Workshop Director Info-Tech Research Group
    Valence Howden Principal Research Director, CIO Info-Tech Research Group

    Bibliography

    Alation. “The Alation State of Data Culture Report – Q3 2020.” Alation, 2020. Accessed 25 June 2021.

    Allott, Joseph, et al. “Data: The Next Wave in Forestry Productivity.” McKinsey & Company, 27 Oct. 2020. Accessed 25 June 2021.

    Bean, Randy. “Why Culture Is the Greatest Barrier to Data Success.” MIT Sloan Management Review, 30 Sept. 2020. Accessed 25 June 2021.

    Brence, Thomas. “Overcoming the Operationalization Challenge With Data Governance at New York Life.” Informatica, 18 March 2020. Accessed 25 June 2021.

    Bullmore, Simon, and Stuart Coleman. “ODI Inside Business – A Checklist for Leaders.” Open Data Institute, 19 Oct. 2020. Accessed 25 June 2021.

    Canadian Institute for Health Information. “Developing and Implementing Accurate National Standards for Canadian Health Care Information.” Canadian Institute for Health Information. Accessed 25 June 2021.

    Carruthers, Caroline, and Peter Jackson. “The Secret Ingredients of the Successful CDO.” IRM UK Connects, 23 Feb. 2017.

    Dashboards. “Useful KPIs for Healthy Hospital Quality Management.” Dashboards. Accessed 25 June 2021.

    Dashboards. “Why (and How) You Should Improve Data Literacy in Your Organization Today.” Dashboards. Accessed 25 June 2021.

    Datapine. “Healthcare Key Performance Indicators and Metrics.” Datapine. Accessed 25 June 2021.

    Datapine. “KPI Examples & Templates: Measure what matters the most and really impacts your success.” Datapine. Accessed 25 June 2021.

    Diaz, Alejandro, et al. “Why Data Culture Matters.” McKinsey Quarterly, Sept. 2018. Accessed 25 June 2021.

    Everett, Dan. “Chief Data Officer (CDO): One Job, Four Roles.” Informatica, 9 Sept. 2020. Accessed 25 June 2021.

    Experian. “10 Signs You Are Sitting On A Pile Of Data Debt.” Experian. Accessed 25 June 2021.

    Fregoni, Silvia. “New Research Reveals Why Some Business Leaders Still Ignore the Data.” Silicon Angle, 1 Oct. 2020

    Informatica. Holistic Data Governance: A Framework for Competitive Advantage. Informatica, 2017. Accessed 25 June 2021.

    Knight, Michelle. “What Is a Data Catalog?” Dataversity, 28 Dec. 2017. Web.

    Lim, Jason. “Alation 2020.3: Getting Business Users in the Game.” Alation, 2020. Accessed 25 June 2021.

    McDonagh, Mariann. “Automating Data Governance.” Erwin, 29 Oct. 2020. Accessed 25 June 2021.

    NewVantage Partners. Data-Driven Business Transformation: Connecting Data/AI Investment to Business Outcomes. NewVantage Partners, 2020. Accessed 25 June 2021.

    Olavsrud, Thor. “What Is Data Governance? A Best Practices Framework For Managing Data Assets.” CIO.com, 18 March 2021. Accessed 25 June 2021.

    Open Data Institute. “Introduction to Data Ethics and the Data Ethics Canvas.” Open Data Institute, 2020. Accessed 25 June 2021.

    Open Data Institute. “The UK National Data Strategy 2020: Doing Data Ethically.” Open Data Institute, 17 Nov. 2020. Accessed 25 June 2021.

    Open Data Institute. “What Is the Data Ethics Canvas?” Open Data Institute, 3 July 2019. Accessed 25 June 2021.

    Pathak, Rahul. “Becoming a Data-Driven Enterprise: Meeting the Challenges, Changing the Culture.” MIT Sloan Management Review, 28 Sept. 2020. Accessed 25 June 2021.

    Petzold, Bryan, et al. “Designing Data Governance That Delivers Value.” McKinsey & Company, 26 June 2020. Accessed 25 June 2021.

    Redman, Thomas, et al. “Only 3% of Companies’ Data Meets Basic Quality Standards.” Harvard Business Review. 11 Sept 2017.

    Smaje, Kate. “How Six Companies Are Using Technology and Data To Transform Themselves.” McKinsey & Company, 12 Aug. 2020. Accessed 25 June 2021.

    Talend. “The Definitive Guide to Data Governance.” Talend. Accessed 25 June 2021.

    “The Powerfully Simple Modern Data Catalog.” Atlan, 2021. Web.

    U.S. Geological Survey. “Data Management: Data Standards.” U.S. Geological Survey. Accessed 25 June 2021.

    Waller, David. “10 Steps to Creating a Data-Driven Culture.” Harvard Business Review, 6 Feb. 2020. Accessed 25 June 2021.

    “What Is the Difference Between A Business Glossary, A Data Dictionary, and A Data Catalog, and How Do They Play A Role In Modern Data Management?” Analytics8, 23 June 2021. Web.

    Wikipedia. “RFM (Market Research).” Wikipedia. Accessed 25 June 2021.

    Windheuser, Christoph, and Nina Wainwright. “Data in a Modern Digital Business.” Thoughtworks, 12 May 2020. Accessed 25 June 2021.

    Wright, Tom. “Digital Marketing KPIs - The 12 Key Metrics You Should Be Tracking.” Cascade, 3 March 2021. Accessed 25 June 2021.

    Get really good at resilience

    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A

    Why be resilient?

    Well, your clients demand it. And it makes business sense; it is much cheaper to retain a client than to acquire new ones. By all means, always expand your client base; just don't make it a zero-sum game by losing clients because you cannot provide decent service. 

    Although the term has existed since the 17th century, it has only received legal attention since 2020. Now, several years later, the EU and the US require companies to prove their resilience.

    To understand what resilience is, please read our article on resilience

    What does it take to become really good at IT resilience?

    IT resilience is a mindset, a collection of techniques, and people management focused on providing consistent service to clients, all rolled into one discipline. While we discuss IT resilience, it takes more than IT staff or IT processes to become a truly resilient business.

    Here are 10 themes relevant to the (IT) resilient organization:

    Transparent culture

    A transparent company culture empowers its people to act confidently, respond swiftly to challenges, and continuously learn and improve. This builds a strong foundation for resilience, enabling the organization to navigate disruption or adversity much more easily.

    At its core, transparency is about open communication, sharing information, and fostering a culture of honesty and trust. These traits directly influence the various aspects of resilience.

    Client service focus

    A client service focus isn't just about customer satisfaction; it's an integral part of a company's resilience strategy. Service stability and continuous value delivery are the elements that retain existing clients and attract new ones through reputation.  System outages, slowdowns, and errors lead to client frustration and erode confidence. In other words, client service focuses on making sure you are available. Once you have that, then you can look at enhancing and expanding services and products. 

    Resilient systems and processes often also include tools and capabilities for proactive communication with clients. This can include automated notifications during system maintenance or updates, providing transparency and minimizing inconvenience. A proactive approach to communication creates a sense of partnership, and it demonstrates that you value your clients' time and business.

    Adaptability

    Adaptable systems and processes give you the flexibility for rapid incident response and easy workarounds, bringing your service back to the level it is supposed to be at.

    In the bigger picture, when you design your systems for flexibility and modification, you can rapidly adjust to new market conditions, evolving customer demands, and technological advancements. This agility allows you to pivot swiftly, seizing opportunities while mitigating risks.

    In the same vein, adaptable processes, fostered by a culture of continuous improvement and open communication, empower teams to innovate and refine workflows in response to challenges. This constant evolution ensures the company remains competitive and aligned with its ever-changing environment.

    Robust change management

    When you establish standardized procedures for planning, testing, and implementing changes, IT change management ensures that every modification, no matter how seemingly small, is carefully considered and assessed for its impact on the broader IT ecosystem. This structured approach significantly reduces the risk of unexpected side effects, unforeseen conflicts, and costly downtime, protecting the company's operations and its reputation.

    It does not have to be a burdensome bureaucratic process. Modern processes and tools take the sting out of these controls. Many actions within change management can be automated without losing oversight by both the IT custodians and the business process owners.

    Redundancy and fault tolerance

    By having duplicates of essential components or systems in place, you ensure that even if one part fails, another is ready to take over. This helps you minimize the impact of unexpected events like hardware issues, software glitches, or other unforeseen problems. This might mean replicating critical policy data across multiple servers or data centers in different locations.

    Fault tolerance is all about your systems and processes being able to keep working even when facing challenges. By designing your software and systems architecture with fault tolerance in mind, you are sure it can gracefully handle errors and failures, preventing those small problems from causing bigger issues, outages, and unhappy clients.

    Security

    Clients entrust you with valuable information. Demonstrating a commitment to data security through resilient systems builds trust and provides reassurance that their data is safeguarded against breaches and unauthorized access.

    Monitoring and alerting

    Trusting that all working is good. making sure is better.  When you observe your systems and receive timely notifications when something seems off, you'll be able to address issues before they snowball into real problems. 

    In any industry, monitoring helps you keep an eye on crucial performance metrics, resource usage, and system health. You'll get insights into how your systems behave, allowing you to identify bottlenecks or potential points of failure before they cause serious problems. And with a well-tuned alerting system, you'll get those critical notifications when something requires immediate attention. This gives you the chance to respond quickly, minimize downtime, and keep things running smoothly for your customers.

    Monitoring is also all about business metrics. Keep your service chains running smoothly and understand the ebb and flow of when clients access your services. Then update and enhance in line with what you see happening. 

    Incident response processes

    Well-thought-out plans and processes are key. Work with your incident managers, developers, suppliers, business staff and product owners and build an embedded method for reacting to incidents. 

    The key is to limit the time of the service interruption. Not everything needs to be handled immediately, so your plan must be clear on how to react to important vs lower-priority incidents. Making the plan and process well-known in the company helps everybody and keeps the calm.

    Embedded business continuity

    Business continuity planning anticipates and prepares for various scenarios, allowing your company to adapt and maintain essential functions even in the face of unexpected disruptions.

    When you proactively address these non-IT aspects of recovery, you build resilience that goes beyond simply restoring technology. It enables you to maintain customer relationships, meet contractual obligations, and safeguard your reputation, even in the face of significant challenges.

    Business continuity is not about prevention; it is about knowing what to do when bad things happen that may threaten your company in a more existential way or when you face issues like a power outage in your building, a pandemic, major road works rendering your business unreachable and such events.

    Effective disaster recovery  

    Disaster recovery is your lifeline when the worst happens. Whether it's a major cyberattack, a natural disaster, or a catastrophic hardware failure, a solid disaster recovery plan ensures your business doesn't sink. It's your strategy to get those critical systems back online and your data restored as quickly as possible.

    Think of it this way: disaster recovery, just like business continuity, isn't about preventing bad things from happening; it's about being prepared to bounce back when they do. It's like having a spare tire in your car, you hope you never need it, but if you get a flat, you're not stranded. With a well-tested disaster recovery plan, you can minimize downtime, reduce data loss, and keep your operations running even in the face of the unexpected. That translates to happier customers, protected revenue, and a reputation for reliability even amidst chaos.

     

    Resilience is the result of a well-conducted orchestra. Many disciplines come together to help you service your clients in a consistent way.

    The operational lifeline of your company and the reason it exists in the first place is to provide your clients with what they need, when they need it, and be able to command a good price for it. And that will keep your shareholders happy as well.

    Equip Managers to Effectively Manage Virtual Teams

    • Buy Link or Shortcode: {j2store}600|cart{/j2store}
    • member rating overall impact: 9.7/10 Overall Impact
    • member rating average dollars saved: $20,240 Average $ Saved
    • member rating average days saved: 4 Average Days Saved
    • Parent Category Name: Manage & Coach
    • Parent Category Link: /manage-coach
    • Virtual team members must rely upon collaboration technology to communicate and collaborate.
    • Management practices and approaches that work face to face do not always translate effectively in virtual contexts.
    • Managers cannot rely upon spontaneous social interactions that happen organically when people are colocated to build meaningful and trusting relationships. Space and time need to be created in a virtual environment for this to happen.
    • Observing an employee’s performance or development can be more difficult, and relying on others’ feedback becomes more critical for managing performance and development.

    Our Advice

    Critical Insight

    • Managing virtual teams does not require developing new manager competencies. Instead, managers need to “dial up” competencies they already have and adjust their approaches.
    • Setting clear expectations with virtual teams creates the foundation needed to manage them effectively.
    • Virtual employees crave more meaningful interactions about performance and development with their managers.

    Impact and Result

    • Create a solid foundation for managing virtual teams by setting clear expectations and taking a more planful approach to managing performance and employee development.
    • Dial up key management competencies that you already have. Managers do not need to develop new competencies; they just need to adjust and refocus their approaches.

    Equip Managers to Effectively Manage Virtual Teams Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Equip managers to effectively manage virtual teams

    Equip managers to become more effective with managing remote teams.

    The workbook serves as a reference guide participants will use to support formal training.

    • Training Deck: Equip Managers to Effectively Manage Virtual Teams
    • Workbook: Equip Managers to Effectively Manage Virtual Teams
    • Standard Participant Training Session Evaluation Template

    2. Additional Resources

    Many organizations are developing plans to allow employees more flexible work options, including remote work. Use these resources to help managers and employees make the most of remote work arrangements.

    • Work-From-Home Tips for Managers
    • Work-From-Home Tips for Employees
    • Health & Safety at Home Infographic
    • Wellness and Working From Home
    • Ergonomic Workspaces Infographic
    [infographic]

    Further reading

    Equip Managers to Effectively Manage Virtual Teams

    Learning objectives

    Describe the benefits of virtual teams.

    Create a plan for adopting effective management practices and setting clear expectations with virtual teams.

    Identify potential solutions to the challenges of managing performance and developing members of virtual teams.

    Create an action plan to increase effectiveness in managing virtual teams.

    Target audience

    People managers who manage or plan to manage virtual teams.

    Training length

    Two three-hour sessions

    Training material

    • Use the speaker’s notes in the notes pane section of each slide to plan and practice the training session.
    • Activity slides are scattered throughout this training deck and are clearly numbered in the slide title.
    • Notes in italics are written to the facilitator and are not meant to be read aloud.
    • Download the Workbook for participants to use.

    Suggested materials for activities:

    • Index cards or sticky notes
    • Markers
    • Whiteboard/large table space/flip chart

    Agenda & activities

    Section 1

    Section 2

    10 min

    Welcome: Overview & Introductions

    • Introductions
    10 min

    Welcome: Overview & Introductions

    • Session 1 Review
    • Session 2 Overview
    50 min

    1.1 Introduction to virtual teams

    • What kind of virtual team do you lead?
    • Virtual team benefits and challenges
    55 min

    2.1 Managing wellbeing in a virtual team context

    • Share current practices and challenges regarding wellbeing in virtual teams
    • Identify and discuss proposed solutions
    • Develop draft action plan for managing wellbeing in a virtual team context
    5 min

    Break

    5 min Break
    45 min

    1.2 Laying the foundation for a virtual team

    • Identify behaviors to better inform, interact with, and involve team members
    60 min

    2.2 Managing performance in a virtual team context

    • Share current performance management practices for virtual teams
    • Identify challenges of current practices and propose solutions
    • Develop draft action plan for managing performance in a virtual team context
    10 min

    Break

    10 min Break
    55 min

    1.2 Laying the foundation for a virtual team

    • Identify and share ways you prefer to communicate for different activities
    • Develop draft action plan for laying the foundation for a virtual team
    40 min

    Action planning & conclusion

    • Refine consolidated action plan (three parts) and commit to implementing it
    • Key takeaways
    5 min

    Session 1 Wrap-Up

    Recommended Customization

    Review all slides and adjust the language or content as needed to suit your organizational context and culture.

    The pencil icon to the left denotes slides requiring customization of the slide and/or the speaker’s notes, e.g. adding in an organization-specific process.

    Customization instructions are found in the notes pane.

    Tips

    • Adjust the speaker’s notes on the slides before (or after) any slides you modify or delete to ensure logical transitions between slides.
    • Update the agenda to reflect new timings if major modifications are made.
    • Even seasoned leaders need to be reminded of the basics now and again. Rather than delete more basic slides, cut back on the amount of time spent covering them and frame the content as a refresher.
    • Participant Workbooks
    • Relevant organization-specific documents (see side panel)
    • Training Session Feedback Form

    Required Information

    • Communication guidelines for managers (e.g. cadence of manager interactions)
    • Performance management process and guidelines
    • Employee development guidelines
    • List of available resources (e.g. social collaboration tools)

    Effectively Manage Virtual Teams

    Section 1.1

    Practical foundations for managing teams in a remote environment

    Feasibility of virtual IT teams

    Most organizations are planning some combination of remote and onsite work in 2022.

    This is an image of a bar graph demonstrating the percentage of companies who have the following plans for return to work: Full work-from-home (All employees WFH permanently) - 4% ; No work-from-home permitted	9% ; Partial work-from-home team (Eligible employees can WFH for a certain portion of their work week)	23% ; Balanced work-from-home team (All employees can WFH for a certain portion of their work week)	28% ; Hybrid work-from-home team (Eligible employees WFH on a full-time basis)	37%

    Source: IT Talent Trends, 2022; n=199

    Speaker’s Notes:

    Most organizations are planning some combination of remote and onsite work in 2022 – the highest reported plans for WFH were hybrid, balanced, and partial work-from-home. This builds on our findings in the IT Talent Trends 2022 report.

    Feasibility of virtual IT teams

    What percentage of roles in IT are capable of being performed remotely permanently?

    Approximately what percentage of roles in IT are capable of being performed remotely permanently?

    0% to less than 10%: 3%; 10% to less than 25%: 5%; 25% to less than 50%: 12%; 50% to less than 75%: 30%; 75% to 100%L 50%.

    IT Talent Trends, 2022; n=207

    Speaker’s Notes:

    80% of respondents estimated that 50 to 100% of IT roles can be performed remotely.

    Virtual teams take all kinds of forms

    A virtual team is any team that has members that are not colocated and relies on technology for communications.

    This image depicts the three levels of virtual teams, Municipal; National; Global.

    Speaker’s Notes:

    Before we start, it will be useful to review what we mean by the term “virtual team.” For our purposes we will be defining a virtual team as any team that has members that are not colocated and relies on technology for communications.

    There are a wide variety of virtual work arrangements and a variety of terms used to describe them. For example, some common terms include:

    • “Flexible work arrangements”: Employees have the option to work where they see fit (within certain constraints). They may choose to work from the office, home, a shared office space, the road, etc.
    • “Remote work,” “work from home,” and “telecommuting”: These are just various ways of describing how or where people are working virtually. They all share the idea that these kinds of employees are not colocated.
    • “Multi-office team”: the team members all work in office environments, but they may not always be in the same office as their team members or manager.

    Our definition of virtual work covers all of these terms. It is also distance neutral, meaning that it applies equally to teams that are dispersed globally or regionally or even those working in the same cities but dispersed throughout different buildings. Our definition also applies whether virtual employees work full time or part time.

    The challenges facing managers arise as soon as some team members are not colocated and have to rely on technology to communicate and coordinate work. Greater distances between employees can complicate challenges (e.g. time zone coordination), but the core challenges of managing virtual teams are the same whether those workers are merely located in different buildings in the same city or in different buildings on different continents.

    1.1 What kind of virtual team do you lead?

    15 Minutes

    Working on your own, take five minutes to figure out what kind of virtual team you lead.

    1. How many people on your team work virtually (all, most, or a small percentage)?
    2. How often and how regularly do they tend to work virtually (full time, part time regularly, or part time as needed)?
    3. What kinds of virtual work arrangements are there on your team (multi-site, work from home, mobile employees)?
    4. Where do your workers tend to be physically located (different offices but in the same city/region or globally dispersed)?
    5. Record this information in your workbook.
    6. Discuss as a group.

    Download the Workbook: Equip Managers to Effectively Manage Virtual Teams

    Input

    • Size of virtual team
    • Current remote work practices

    Output

    • Documented list of current state of remote work

    Materials

    • Workbook: Equip Managers to Effectively Manage Virtual Teams

    Participants

    • All managers with direct reports working virtually

    Advantages

    Benefits to the organization

    Benefits to employees

    Operational continuity in disaster situations that prevent employees from coming into the office.

    Cost savings: Employees who WFH half the time can save $2,500 to $4,000 per year (Global Workplace Analytics, 2021).

    Cost savings: Organizations save ~$11,000 annually per employee working from home half the time (Global Workplace Analytics, 2021).

    Time savings: Employees who WFH half the time save on average 11 workdays per year (Global Workplace Analytics, 2021).

    Increased attraction: 71% of employees would likely choose one employer over another based on WFH offerings (Owl Labs, 2021).

    Improved wellbeing:

    83% employees agree that WFH would make them happier.

    80% agree that WFH would decrease their stress.

    81% agree that WFH would improve their ability to manage their work-life balance.

    (Owl Labs, 2021)

    Increased retention: 74% of employees would be less likely to leave their employer if they could WFH (Owl Labs, 2021).

    Increased flexibility: 32% of employees rated the “ability to have a flexible schedule” as the biggest benefit of WFH (OWL Labs, 2021).

    Increased productivity: 50% of employees report they would maintain or increase their productivity while working from home (Glassdoor Team, 2020).

    Increased engagement: Offsite employees tend to have higher overall engagement than onsite employees (McLean & Company Engagement Survey, 2020).

    Speaker’s Notes:

    Remote work arrangements are becoming more and more common, and for good reason: there are a lot of benefits to the organization – and to employees.

    #1: Save Money

    Perhaps one of the most common reasons for opting for remote-work arrangements is the potential cost savings. One study found that organizations could save about $11,000 per employee working from home half the time (Global Workplace Analytics, 2021).

    #2 Increased Attraction

    In addition, supporting remote-work arrangements can attract employees. One study found that 71% of employees would likely choose one employer over another based on WFH offerings (Owl Labs, 2019).

    #3 Improve productivity.

    There are also improvements to productivity. Fifty percent of employees report they would maintain or increase their productivity while working from home (Glassdoor Team, 2020).

    Remote work also has benefits to employees.

    #1: Save Money

    As with organizations, employees also benefit financially from remote work arrangements, saving between $2,500 and $4,000 and on average 11 working days while working from home half of the time.

    #2: Improved Wellbeing

    Most employees agree that working from home makes them happier, reduces stress, and provides an improved work-life balance through increased flexibility.

    Challenges

    Organizations

    • Concerns that WFH may stifle innovation (Scientific American, 2021), likely due to the potential lack of collaboration and knowledge sharing.
    • Fewer organic opportunities for informal interaction between employees working from home means active efforts are required to foster organizational culture.

    Leaders

    • 42% of managers believe that monitoring the productivity of their direct reports is a top challenge of WFH (Ultimate Software, 2019).
    • The lack of in-person supervision compounded with a lack of trust in employees leads many leaders to believe that WFH will result in a drop in productivity.

    Employees

    • 20% of employees report collaboration/communication as their top struggle with WFH (Owl Labs, 2021).
    • Employees often experience burnout from working longer hours due to the lack of commute, blurring of work and home life, and the perceived need to prove their productivity.

    Many of these barriers can be addressed by changing traditional mindsets and finding alternative ways of working, but the traditional approach to work is so entrenched that it has been hard to make the shift.

    Speaker’s Notes:

    Many organizations are still grappling with the challenges of remote work. Some are just perceived challenges, while others are quite real.

    Limited innovation and a lack of informal interaction are a potential consequence of failing to properly adapt to the remote-work environment.

    Leaders also face challenges with remote work. Losing in-person supervision has led to the lack of trust and a perceived drop in productivity.

    A study conducted 2021 asked remote workers to identify their biggest struggle with working remotely. The top three struggles remote workers report facing are unplugging after work, loneliness, and collaborating and/or communicating.

    Seeing the struggles remote workers identify is a good reminder that these employees have a unique set of challenges. They need their managers to help them set boundaries around their work; create feelings of connectedness to the organization, culture, and team; and be expert communicators.

    1.2 Virtual teams: benefits and challenges

    20 Minutes

    1. Discuss and list:
      1. Any positives you’ve experienced since managing virtual employees.
      2. Any challenges you’ve had to manage connected to managing virtual employees.
    2. Record information in the workbook.

    Download the Workbook: Equip Managers to Effectively Manage Virtual Teams

    Input

    • Personal experiences managing remote teams

    Output

    • List of benefits and challenges of remote work

    Materials

    • Workbook: Equip Managers to Effectively Manage Virtual Teams

    Participants

    • All managers with direct reports working virtually

    Effectively Manage Virtual Teams

    Section 1.2

    Laying the foundations for a virtual team

    The 3i’s: Inform, interact, and involve your way to effective management:

    Inform

    Interact Involve

    ↓ Down

    Connect

    ↑ Up

    Tell employees the whys

    Get to know employees

    Solicit input from employees

    Speaker’s Notes:

    Effectively managing a virtual team really comes down to adopting management approaches that will engage virtual employees.

    Managing a virtual team does not actually require a new management style. The basics of effective management are the same in both colocated and virtual teams; however, the emphasis on certain behaviors and actions we take often differs. Managing a virtual team requires much more thoughtfulness and planning in our everyday interactions with our teams as we cannot rely on the relative ease of face-to-face interactions available to colocated teams.

    The 3i’s Engaging Management Model is useful when interacting with all employees and provides a handy framework for more planful interactions with virtual employees.

    Think of your management responsibilities in these three buckets – they are the most important components of being an effective manager. We’re first going to look at inform and involve before moving on to interact.

    Inform: Relay information down from senior management and leaders to employees. Communicate the rationale behind decisions and priorities, and always explain how they will directly affect employees.

    Why is this important? According to McLean & Company’s Engagement Survey data, employees who say their managers keep them well informed about decisions that affect them are 3.4 times more likely to be engaged (Source: McLean & Company, 2020; N=77,363). Your first reaction to this might be “I already do this,” which may very well be the case. Keep in mind, though, we sometimes tend to communicate on a “need-to-know basis,” especially when we are stressed or short on time. Engaging employees takes more. Always focus on explaining the “why?” or the rationale behind business decisions.

    It might seem like this domain should be the least affected, since important company announcements probably continue in a remote environment. But remember that information like that also flows informally. And even in formal settings, there are question-and-answer opportunities. Or maybe your employee might come to your office to ask for more details. Virtual team members can’t gather around the watercooler. They don’t have the same opportunities to hear information in passing as people who are colocated do, so managers need to make a concerted effort to share information with virtual team members in a clear and timely way.

    Swinging over to the other end, we have involve: Involve your employees. Solicit information and feedback from employees and collaborate with them.

    However, it’s not enough to just solicit their feedback and input; you also need to act on it.

    Make sure you involve your employees in a meaningful way. Such collaboration makes employees feel like a valued part of the team. Not to mention that they often have information and perspectives that can help make your decisions stronger!

    Employees who say their department leaders act on feedback from them are 3.9 times more likely to be engaged than those whose leaders don’t. (Source: McLean & Company, 2020; N=59,779). That is a huge difference!

    Keeping virtual employees engaged and feeling connected and committed to the organization requires planful and regular application of the 3i’s model.

    Finally, Interact: Connect with employees on a personal level; get to know them and understand who they are on a personal and professional level.

    Why? Well, over and above the fact that it can be rewarding for you to build stronger relationships with your team, our data shows that human connection makes a significant difference with employees. Employees who believe their managers care about them as a person are 3.8 times more likely to be engaged than those who do not (Source: McLean & Company, 2017; N=70,927).

    And you might find that in a remote environment, this is the area that suffers the most, since a lot of these interactions tend to be unscripted, unscheduled, and face to face.

    Typically, if we weren’t in the midst of a pandemic, we’d emphasize the importance of allocating some budget to travel and get some face-to-face time with your staff. Meeting and interacting with team members face to face is crucial to building trusting relationships, and ultimately, an effective team, so given the context of our current circumstances, we recommend the use of video when interacting with your employees who are remote.

    Relay information down from senior management to employees.

    Ensure they’ve seen and understand any organization-wide communication.

    Share any updates in a timely manner.

    Connect with employees on a personal level.
    Ask how they’re doing with the new work arrangement.
    Express empathy for challenges (sick family member, COVID-19 diagnosis, etc.).
    Ask how you can support them.
    Schedule informal virtual coffee breaks a couple of times a week and talk about non-work topics.

    Get information from employees and collaborate with them.
    Invite their input (e.g. have a “winning remotely” brainstorming session).
    Escalate any challenges you can’t address to your VP.
    Give them as much autonomy over their work as possible – don’t micromanage.

    1.3 Identify behaviors to inform, interact with, and involve team members

    20 Minutes

    Individually:

    1. Identify one behavior for each of Inform, Interact, and Involve to improve.
    2. Record information in the workbook.

    As a group:

    1. Discuss behaviors to improve for each of Inform, Interact, and Involve and record new ideas to incorporate into your leadership practice.

    Download the Workbook: Equip Managers to Effectively Manage Virtual Teams

    Input

    • 3i's Model
    • Current leadership behaviors to improve

    Output

    • List of behaviors to better inform, interact, and involve team members

    Materials

    • Workbook: Equip Managers to Effectively Manage Virtual Teams

    Participants

    • All managers with direct reports working virtually

    Laying the foundation: Set clear expectations

    Tasks

    • What are the daily and weekly team activities? How do they affect one another?

    Goals

    • Clarify any adjustments to strategy based on the situation; clarify metrics.

    Communication

    • How often and when will you check in? What should they come to you for? What modalities will you use and when?

    Roadblocks

    • Involve your team in deciding how to handle roadblocks and challenges.

    Speaker’s Notes:

    Clear expectations are important in any environment, remote or not. But it is much harder to do in a remote environment. The barrier to seeking clarification is so much higher (For example, email vs. catching someone in hallway, or you can’t notice that a colleague is struggling without them asking).

    Communication – This is one area where the importance actually changes in a remote context. We’ve been talking about a lot of practices that are the same in importance whether you’re in an office or remote, and maybe you just enact them differently. But clarity around communication processes is actually tremendously more important in a remote environment.

    Adopt a five-step process to set specific and documented expectations

    1. Check in with how your team member is doing on a daily basis. Don’t forget to ask how they are doing personally.
    2. Follow up on previously set expectations. Ask how things are going. Discuss if priorities or expectations have changed and update expectations accordingly.
    3. Ask if they are experiencing any roadblocks and collaborate to find solutions.
    4. Provide feedback and recognition as appropriate.
    5. Document newly set expectations – either through a collaboration tool or through email.

    Speaker’s Notes:

    Suggested best practices: Hold daily team check-ins and hold separate individual check-ins. Increase frequency of these.

    During Check-in
    1. Set up a running Teams chat for your team.
    • This is your community. You must be the biggest cheerleader and keep the team feeling like they are contributing. Make sure everyone is involved.
  • Start each workday with a video scrum to discuss what’s coming today for your team.
    • Ask: What are you planning to work on today? Are there any roadblocks I can help with? Technology working OK?
  • Right after your team meeting, set up an “every morning video call” one-on-one meeting with each team member (5-10 minutes max).
    • Ask: What are you working on today? What will your momentum metrics be? What do you need from me?
  • Set up a separate video call at the end of the afternoon to review what everyone did (5 minutes max).
    • Ask: What went well? What went poorly? How can we improve?
  • After a Check-in
    1. Be accessible:
      • Ensure your team knows the best way to get in touch with you.
      • Email is not ideal for informal, frequent contact – use messaging instead.
    2. Be available:
      • Keep a running conversation going in Teams.
      • Respond in a timely manner; address issues quickly so that your team has what they need to succeed.
      • Let your team know if you’ll be away/offline for longer than an hour during the workday and ask them to do the same (e.g. for an appointment).
      • Help address roadblocks, answer questions, clarify priorities, etc.

    Define communication requirements

    • Set up an ongoing communication with your team.
      • E.g. a running conversation on Slack or Teams
    • Schedule daily virtual meetings and check-ins.
      • This can help to maintain a sense of normalcy and conduct a pulse check on your team.
    • Use video for important conversations.
      • Video chat creates better rapport, shows body language, and lessens feelings of isolation, but it can be taxing.
    • Set expectations about communication.
      • Differentiate between day-to-day communication and updates on the state of events.
    • Clearly communicate the collaboration toolkit.
      • What do we have available? What is the purpose of each?

    Speaker’s Notes:

    With organizational expectations set, we need to establish team expectations around how we collaborate and communicate.

    Today there is no lack of technology available to support our virtual communication. We can use the phone, conference calls, videoconferencing, Skype, instant messaging, [insert organization-specific technological tools.], etc.

    However, it is important to have a common understanding of which tools are most appropriate when and for what.

    What are some of the communication channel techniques you’ve found useful in your informal interactions with employees or that you’ve seen work well between employees?

    [Have participants share any technological tools they find useful and why.]

    Check in with your team on communication requirements

    • Should we share our calendars, hours of availability, and/or IM status?
    • How often should we meet as a team and one on one? Should we institute a time when we should not communicate virtually?
    • Which communication channel should we use in what context? How should we decide which communication method to use?
    • Should I share guidelines for email and meeting etiquette (or any other communication methods)?
    • Should we establish a new team charter?
    • What feedback does the team have regarding how we’ve been communicating?

    Speaker’s Notes:

    Whenever we interact, we make the following kinds of social exchanges. We exchange:

    • Information: Data or opinions
    • Emotions: Feelings and evaluations about the data or opinions
    • Motivations: What we feel like doing in response to data or opinions

    We need to make sure that these exchanges are happening as each team member intends. To do this, we have to be sensitive to what information is being conveyed, what emotions are involved in the interaction, and how we are motivating each other to act through the interaction. Every interaction will have intended and unintended effects on others. No one can pay attention to all of these aspects of communication all the time, but if we develop habits that are conducive to successful exchanges in all three areas, we can become more effective.

    In addition to being mindful of the exchange in our communication, as managers it is critical to build trusting relationships and rapport with employees as we saw in the 3i's model. However, in virtual teams we cannot rely on running into someone in the kitchen or hallway to have an informal conversation. We need to be thoughtful and deliberate in our interactions with employees. We need to find alternative ways to build these relationships with and between employees that are both easy and accepted by ourselves and employees. Because of that, it is important to set communication norms and really understand each other’s preferences. For example:

    • Timing of responses. Set the expectation that emails should be responded to within X hours/days unless otherwise noted in the actual email.
    • When it’s appropriate to send an email vs. using instant messaging.
    • A team charter – the team’s objectives, individual roles and responsibilities, and communication and collaboration guidelines.

    1.4 Identify and share ways you prefer to communicate for different activities

    20 Minutes

    1. Brainstorm and list the different types of exchanges you have with your virtual employees and they have with each other.
    2. List the various communication tools in use on your team.
    3. Assign a preferred communication method for each type of exchange

    Download the Workbook: Equip Managers to Effectively Manage Virtual Teams

    Input

    • Current types of exchanges on team
    • Communication methods used

    Output

    • Defined ways to communicate for each communication method

    Materials

    • Workbook: Equip Managers to Effectively Manage Virtual Teams

    Participants

    • All managers with direct reports working virtually

    Effectively Manage Virtual Teams

    Section 2.1
    Balancing wellbeing and performance in a virtual team context

    The pandemic has taken a significant toll on employees’ mental wellbeing

    44% of employees reported declined mental wellbeing since the start of the pandemic.

    • 44% of those who work from home.
    • 34% of those who have other work arrangements (i.e. onsite).
      (Qualtrics, 2020)

    "If one of our colleagues were to fall, break their leg, and get a cast, colleagues would probably rally around that person signing their cast. But, really, we don’t view the health of our brain the same as we do the health of our body."
    – Centre for Addiction and Mental Health (CAMH) Employee

    Speaker’s Notes:

    Despite being over two years into the pandemic, we are still seeing its effect on the physical and mental health of employees.

    The mental health aspect has been often overlooked by organizations, but in order to have a safe, happy, and productive team, you need to give mental health the same level of focus as physical heath. This requires a change in mindset in order for you as a leader to support your team's mental wellbeing during the pandemic and beyond.

    Employees are reporting several key mental wellbeing challenges

    Stress: 67%

    Employees report increasingly high levels of stress from the onset of COVID-19, stating that it has been the most stressful time in their careers.
    (Qualtrics, 2020)

    Anxiety: 57%

    Similarly, employees’ anxiety levels have peaked because of the pandemic and the uncertainty it brings.
    (Qualtrics, 2020)

    Four main themes surrounding stress & anxiety

    • Fear of contracting COVID-19
    • Financial pressures
    • Job security and uncertainty
    • Loneliness caused by social isolation

    Speaker’s Notes:

    The stress and uncertainty about the future caused by the pandemic and its fallout are posing the biggest challenges to employees.

    Organizations shutting down operations, moving to fully remote, or requiring some of their employees to be on site based on the current situation causes a lot of anxiety as employees are not able to plan for what is coming next.

    Adding in the loss of social networks and in-person interactions exacerbates the problem employees are facing. As leaders, it is your job to understand and mitigate these challenges wherever possible.

    Re-examine your workplace barriers to mental wellbeing

    New Barriers

    Old Barriers

    • Childcare/eldercare responsibilities
    • Fear of workplace health risks
    • Work location
    • Lost support networks
    • Changed work schedules
    • Social distancing
    • Workload
    • Fear of stigma
    • Benefits limits
    • Limits to paid time off
    • Lack of manager knowledge

    Key considerations:

    • Work Environment
      • Accessibility of mental wellbeing programs and initiatives
    • Organizational Culture
      • Modeling of wellbeing
      • Paid time off
      • Discussions around mental wellbeing
    • Total Rewards
      • Benefits coverage
      • Employee assistance programs (EAPs)
      • Manager knowledge

    Speaker’s Notes:

    Organizational barriers to mental wellbeing are sadly not new. Workloads, stigma around mental health, lack of sick days, and limits to benefits for mental health supports were challenges before the pandemic. Adding in the new barriers can very easily result in a tipping point for many employees who are simply not equipped to deal with or supported in dealing with the added burden of remote work in a post-pandemic world.

    To provide the needed support to your employees, it’s important to be mindful of the key considerations.

    Holistic employee wellbeing has never been more critical than it is right now

    Employee Wellbeing

    Physical

    The physical body; ensuring a person has the freedom, opportunities, and resources needed to sustainably maintain bodily health.

    Mental

    The psychological ability to cope with information, emotions, desires, and stressors (e.g. change, threats, etc.) in a healthy and balanced way. Essential for day-to-day living and functioning.

    Social

    The state of personal and professional relationships, including personal and community engagement. The capability for genuine, authentic, and mutually affirming interactions with others.

    Financial

    The state of a person’s finances; ensuring that a person feels capable to handle their financial situation and behaviors. The ability to live productively without the weight of financial stress.

    Speaker’s Notes:

    As a manager, you need to be mindful of all of these. Create an atmosphere where people are able to come to you for help if they are struggling in one of these areas. For example, some people might be more comfortable raising physical safety or comfort concerns (personal protective equipment, ergonomics) than concerns about mental health. Or they might feel like their feelings of loneliness are not appropriate to bring into their professional life.

    Wellbeing is a delicate subject, and most of the time, people are reluctant to talk about it. It requires vulnerability. And here’s the thing about it: Your staff will not drive a change in your team around making these topics more acceptable. It has to be the manager. You have to be the one to not just tell but show them that it’s OK to talk about this

    Encourage human-centered workplace behaviors

    Promote empathy as a focus value

    • Listen and show compassion.
    • Allow room for emotions.

    Encourage social connection

    • Leverage networks.
    • Infuse fun where possible.
    • Encourage community and sense of joint purpose.

    Cultivate a growth mindset

    • Encourage mindfulness and resilience.
    • Express gratitude.

    Empower others

    • Ask employees what they need and co-create solutions.
    • Integrate needs of personal and family life with work life.
    • Be clear on accountability.

    Speaker’s Notes:

    As a leader, your focus should be on encouraging the right behaviors on your team and in yourself.
    Show empathy; allowing room for emotion and showing you are willing and able to listen goes a long way to establishing trust.

    A growth mindset applies to resilience too. A person with a growth mindset is more likely to believe that even though they’re struggling now, they will get through it.

    Infuse fun – schedule social check-ins. This is not wasted time, or time off work – it is an integral part of the workday. We have less of it now organically, so you must bring it back deliberately. Remember that theme? We are deliberately reinfusing important organic elements into the workday.

    The last item, empowerment, is interesting – being clear on accountability. Have clear performance expectations. It might sound like telling people what to do would be disempowering, but it’s the opposite. By clarifying the goals of what they need to achieve, you empower them to invent their own “how,” because you and they are both sure they will arrive at the place that you agreed on. We will talk more about this in performance management.

    Emphasize the importance of wellbeing by setting the tone for the team

    Managers must…

    • LEAD BY EXAMPLE
      • Employees look to their managers for cues about how to react in a crisis. If the manager reacts with stress and fear, the team will follow.
    • ENCOURAGE OPEN COMMUNICATION
      • Frequent check-ins and transparent communication are essential during a time of crisis, especially when working remotely.
    • ACKNOWLEDGE THE SITUATION
      • Recognizing the stress that teams may be facing and expressing confidence in them goes a long way.
    • PROMOTE WELLBEING
      • Managers who take care of themselves can better support their teams and encourage them to practice good self-care too.
    • REDUCE STIGMA
      • Reducing stigma around mental health encourages people to come forward with their struggles and get the support they need.

    Speaker’s Notes:

    Emphasize the importance of wellbeing with what you do. If you do not model self-care behavior, people will follow what you do, not what you say.

    Lead by example – Live the behaviors you want to see in your employees. If you show confidence, positivity, and resiliency, it will filter down to your team.

    Encourage open communication – Have regular meetings where your team is able to set the agenda, or allow one-on-ones to be guided by the employee. Make sure these are scheduled and keep them a priority.

    Acknowledge the situation – Pretending things are normal doesn’t help the situation. Talk about the stress that the team is facing and express confidence that you will get through it together.

    Promote wellbeing – Take time off, don’t work when you’re sick, and you will be better able to support your team!

    Reduce stigma – Call it out when you see it and be sure to remind people of and provide access to any supports that the organization has.

    Conduct dedicated conversations around wellbeing

    1. Check in with how each team member is doing frequently and ask how they are doing personally.
    2. Discuss how things are going. Ask: “How is your work situation working out for you so far? Do you feel supported? How are you taking care of yourself in these circumstances?”
    3. Ask if there are any stressors or roadblocks that they have experienced and collaborate to find solutions.
    4. Provide reassurance of your support and confidence in them.
    5. Document the plan for managing stressors and roadblocks – either through a collaboration tool or through email.

    Speaker’s Notes:

    Going back to the idea of a growth mindset – this may be uncomfortable for you as a manager. So here’s a step-by-step guide that over time you can morph into your own style.

    With your team – be prepared to share first and to show it is OK to be vulnerable and address wellbeing seriously.

    1. Make sure you make time for the personal. Ask about their lives and show compassion.
    2. Give opportunities for them to bring up things that might stay hidden otherwise. Ask questions that show you care.
    3. Help identify areas they are struggling with and work with them to move past those areas.
    4. Make sure they feel supported in what they are going through and reassured of their place on the team.
    5. Roll wellbeing into your planning process. This signals to team that you see wellbeing as important, not just a checklist to cover during a team meeting, and are ready to follow through on it.

    Recognize when professional help is needed

    SIGNS OF BURNOUT: Overwhelmed; Frequent personal disclosure; Trouble sleeping and focusing; Frequent time off; Strained relationships; Substance abuse; Poor work performance

    Speaker’s Notes:

    As a leader, it is important to be on the lookout for warning signs of burnout and know when to step in and direct individuals to professional help.

    Poor work performance – They struggle to maintain work performance, even after you’ve worked with them to create coping strategies.

    Overwhelmed – They repeatedly tell you that they feel overwhelmed, very stressed, or physically unwell.

    Frequent personal disclosure – They want to discuss their personal struggles at length on a regular basis.

    Trouble sleeping and focusing – They tell you that they are not sleeping properly and are unable to focus on work.

    Frequent time off – They feel the need to take time off more frequently.

    Strained relationships – They have difficulty communicating effectively with coworkers; relationships are strained.

    Substance abuse – They show signs of substance abuse (e.g. drunk/high while working, social media posts about drinking during the day).

    Keeping an eye out for these signs and being able to step in before they become unmanageable can mean the difference between keeping and losing an employee experiencing burnout.

    Remember: Managers also need support

    • Added burden
    • Lead by example
    • Self-care

    Speaker’s Notes:

    If you’ve got managers under you, be mindful of their unique stressors. Don’t forget to check in with them, too.

    If you are a manager, remember to take care of yourself and check in with your own manager about your own wellbeing.

    2.1 Balance wellbeing and performance in a virtual team context

    30 Minutes

    1. Brainstorm and list current practices and challenges connected to wellbeing on your teams.
    2. Choose one or two wellbeing challenges that are most relevant for your team.
    3. Discuss as a group and identify one solution for each challenge that you can put into action with your own virtual team. Document this under “Action plan to move forward” on the workbook slide “2.1 Balancing wellbeing and performance in a virtual team context.”

    Download the Workbook: Equip Managers to Effectively Manage Virtual Teams

    Input

    • Current practices and challenges connected to wellbeing

    Output

    • Action plan for each challenge listed

    Materials

    • Workbook: Equip Managers to Effectively Manage Virtual Teams

    Participants

    • All managers with direct reports working virtually

    Effectively Manage Virtual Teams

    Section 2.2

    Managing performance in a virtual team context

    Virtual employees are craving more meaningful interactions with their managers

    A survey indicated that, overall, remote employees showed less satisfaction with manager interactions compared to other non-remote employees.

    1. 16% less likely to strongly agree their manager involves them in setting goals at work.
    2. 28% less likely to strongly agree they continually work with their manager to clarify work priorities.
    3. 29% less likely to strongly agree they have reviewed their greatest successes with their manager in the last six months.
    4. 30% less likely to strongly agree they have talked with their manager about progress toward goals in the last six months.

    Speaker’s Notes:

    In many cases, we have put people into virtual roles because they are self-directed and self-motivated workers who can thrive with the kind of autonomy and flexibility that comes with virtual work. As managers, we should expect many of these workers to be proactively interested in how they are performing and in developing their careers.

    It would be a mistake to take a hands-off approach when managing virtual workers. A recent survey indicated that, overall, remote employees showed less satisfaction with manager interactions compared to other non-remote employees. It was also one of the aspects of their work experience they were least satisfied with overall (Gallup, State of the American Workplace, 2017). Simply put, virtual employees are craving more meaningful conversations with their managers.

    While conversations about performance and development are important for all employees (virtual or non-virtual), managers of remote teams can have a significant positive impact on their virtual employees’ experience and engagement at work by making efforts to improve their involvement and support in these areas.

    During this module we will work together to identify ways that each of us can improve how we manage the performance of our virtual employees. At the end of the module everyone will create an action plan that they can put in place with their own teams. In the next module, we go through a similar set of activities to create an action plan for our interactions with employees about their development.

    Building blocks of performance management

    • Goal Setting

    • Setting Expectations

    • Measuring Progress

    • Feedback & Coaching

    Speaker’s Notes:

    [Include a visualization of your existing performance management process in the slide. Walk the participants through the process to remind them of what is expected. While the managers participating in the training should know this, there may be different understandings of it, or it might just be the case that it’s been a while since people looked at the official process. The intention here is merely to ensure everyone is on the same page for the purposes of the activities that follow.]

    Now that we’ve reviewed performance management at a high level, let’s dive into what is currently happening with the performance management of virtual teams.

    I know that you have some fairly extensive material at your organization around how to manage performance. This is fantastic. And we’re going to focus mainly on how things change in a virtual context.

    When measuring progress, how do you as a manager make sure that you are comfortable not seeing your team physically at their desks? This is the biggest challenge for remote managers.

    2.2 Share current performance management practices for virtual teams

    30 Minutes

    1. Brainstorm and list current high-level performance management practices connected to each building block. Record in your workbook.
    2. Discuss current challenges connected to implementing the building blocks with virtual employees.

    Download the Workbook: Equip Managers to Effectively Manage Virtual Teams

    Input

    • Current performance management practices
    • Challenges surrounding performance management

    Output

    • Current state of virtual performance management defined

    Materials

    • Workbook: Equip Managers to Effectively Manage Virtual Teams

    Participants

    • All managers with direct reports working virtually

    Communicate the “why”: Cascade organizational goals

    This image depicts the Cascade of Why- organizational goals. Organizational Mission; Organizational Values; Organizational Goals; Department Goals; Team Goals; Individual Goals

    Speaker’s Notes:

    When assisting your employees with their goals, think about the organization’s overall mission and goals to help you determine team and individual goals.

    • Organizational goals: Employee goals should align with organizational goals. Goals may cascade down through the organization.
    • Department or team goals: Create a clear strategy based on high-level goals for the year so employees can link short-term goals to the larger picture.
    • Individual goals: Employees should draw on their individual development plan to help set performance goals.

    Sometimes it’s difficult to get employees thinking about goals and they need assistance from managers. It’s also important to be clear on team goals to help guide employees in setting individual ones.

    The basic idea is to show people how their individual day-to-day work contributes to the overall success of the organization. It gives them a sense of purpose and a rationale, which translates to motivation. And also helps them problem solve with more autonomy.

    You’re giving people a sense of the importance of their own contribution.

    How to set clear expectations for job performance

    Ensure employees have a clear understanding of what’s expected for their role:

    1. Review their metrics so they understand how they’re being evaluated.
    2. Outline daily, weekly, monthly, and quarterly goals.
    3. If needed, help them plan when and how each part of their job should be done and what to prioritize.
    4. Ask them to come to you early if they experience a roadblock so that you can help rather than having them flounder on their own.
    5. Document instances where employees aren’t meeting role or performance expectations.

    Speaker’s Notes:

    Tailor performance goals to address any root causes of poor performance.

    For example:

    • If personal factors are getting in the way, work with the employee (and HR if necessary) to create a strategy to address any impediments to performing in the role.

    Tips for managing performance remotely

    • Reflect on one key question: What needs to happen for my direct reports to continue their work while working remotely?
    • Manage for results – not employee visibility at the office.
    • Use metrics to measure performance. If you don’t have any, define tasks and deliverables as clearly as possible and conduct regular check-ins.
    • Work with the employee to set goals and metrics to measure progress.

    Focus on results: Be flexible about how and when work gets done, as long as team members are hitting their targets.

    • For example, if they have childcare duties from 3 to 5pm during school closures and want to work later in the evening to make up the time, that’s fine – as long as the work gets done.
    • Set clear expectations about which work must be done during normal work hours (e.g. attend team meetings, client calls) and which can be done at other hours.
    • Team members must arrange with you any nonstandard working hours before they start using an altered schedule. It is your responsibility to keep track of hours and any alternate arrangements.
    • Don’t make team members feel constantly monitored (i.e. “Where were you from 10 to 11am?”); trust them until you have reason not to.

    Encourage your team members to unplug: If they’re sending you emails late at night and they haven’t made an alternate work hours agreement with you, encourage them to take time away from work.

    • It’s harder to unplug when working at home, and everyone needs a break to stay productive.

    Avoid micromanagement with holistic performance measures

    Quality

    How well tasks are accomplished

    Behavior

    Related to specific employee actions, skills, or attitudes

    Quantity

    How much work gets done

    Holistic measures demonstrate all the components required for optimal performance. This is the biggest driver in having comfort as a manager of a remote team and avoiding micromanagement. Typically these are set at the organizational level. You may need to adjust for individual roles, etc.

    Speaker's Notes:

    Metrics come in different types. One way to ensure your metrics capture the full picture is to use a mix of different kinds of metrics.

    Some metrics are quantitative: they describe quantifiable or numerical aspects of the goal. This includes timeliness. On the other hand, qualitative metrics have to do with the final outcome or product. And behavioral metrics have to do with employees' actions, skills, or attitudes. Using different kinds of metrics together helps you set holistic measures, which capture all the components of optimal performance toward your goal and prevent gaming the system.

    Let's take an example:

    A courier might have an objective to do a good job delivering packages. An example of a quantitative measure might be that the courier is required to deliver X number of packages per day on time. The accompanying metrics would be the number of packages delivered per day and the ratio of packages delivered on time vs. late.

    Can you see a problem if we use only these quantitative measures to evaluate the courier's performance?

    Wait to see if anyone volunteers an answer. Discuss suggestions.

    That's right, if the courier's only goal is to deliver more packages, they might start to rush, may ruin the packages, and may offer poor customer service. We can help to guard against this by implementing qualitative and behavioral measures as well. For example, a qualitative measure might be that the courier is required to deliver the packages in mint condition. And the metric would be the number of customer complaints about damaged packages or ratings on a satisfaction survey related to package condition.

    For the behavioral aspect, the courier might be required to provide customer-centric service with a positive attitude. The metrics could be ratings on customer satisfaction surveys related to the courier's demeanor or observations by the manager.

    Managing poor performance virtually: Look for key signs

    It’s crucial to acknowledge that an employee might have an “off week” or need time to balance work and life – things that can be addressed with performance management (PM) techniques. Managers should move into the process for performance improvement when:

    1. Performance fluctuates frequently or significantly.
    2. Performance has dropped for an extended period of time.
    3. Expectations are consistently not being met.

    Key signs to look for:

    • PM data/performance-related assessments
    • Continual absences
    • Decreased quality or quantity of output
    • Frequent excuses (e.g. repeated internet outages)
    • Lack of effort or follow-through
    • Missed deadlines
    • Poor communication or lack of responsiveness
    • Failure to improve

    Speaker’s notes:

    • Let’s talk more about identifying low performance.
    • Everybody has off days or weeks. And what if they are new to the role or new to working remotely? Their performance may be low because they need time to adjust. These sort of situations should be managed, but they don’t require moving into the process for performance improvement.
    • When managing employees who are remote or working in a hybrid situation, it is important to be alert to these signs and check in with your employees on a regular basis. Aim to identify and work with employees on addressing performance issues as they arise rather than waiting until it’s too late. Depending on your availability, the needs of the employee, and the complexity of their role, check-ins could occur daily, weekly, and/or monthly. As I mentioned, for remote employees, it’s often better to check-in more frequently but for a shorter period of time.
    • You want to be present in their work life and available to help them manage through roadblocks and stay on track, but try to avoid over-monitoring employees. Micromanaging can impact the manager-employee relationship and lead to the employee feeling that there is a lack of trust. Remember, the employee needs to be responsible for their own performance and improvement.
    • Check-ins should not just be about the work either. Take some time to check in personally. This is particularly important when managing remotely. It enables you to build a personal relationship with the employee and also keeps you aware if there are other personal issues at play that are impacting their work.
    • So, how do you know what does require performance improvement? There are three key things that you should look for that are clear signals that performance improvement is necessary:
      1. Their performance is fluctuating frequently or significantly.
      2. Their performance has dropped for an extended period of time.
      3. Expectations are consistently not being met.
    • What do you think are some key signs to look for that indicate a performance issue is occurring?

    Managing poor performance virtually: Conducting remote performance conversations

    Video calling

    Always use video calls instead of phone calls when possible so that you don’t lose physical cues and body language.

    Meeting invitations

    Adding HR/your leader to a meeting invite about performance may cause undue stress. Think through who needs to participate and whether they need to be included in the invite itself.

    Communication

    Ensure there are no misunderstandings by setting context for each discussion and having the employee reiterate the takeaways back to you.

    Focus on behavior

    Don’t assume the intent behind the behavior(s) being discussed. Instead, just focus on the behavior itself.

    Policies

    Be sure to adhere to any relevant HR policies and support systems. Working with HR throughout the process will ensure none are overlooked.

    Speaker’s notes:

    There are a few best practices you should follow when having performance conversations:

    • First, if you are in a different work environment than your employee, always use video calls instead of phone calls whenever possible so that you don’t miss out on physical cues and body language. If videoconferencing isn’t the norm, encourage them to turn on their video. Be empathic that it can feel awkward but explain the benefits, and you will both have an easier time communicating and understanding each other.
    • As I’ve mentioned, be considerate of the environment they are in. If they are in the office and you are working remotely, be sure to book a private meeting room for them to go to for the conversation. If they are working from home, be sure to check that they are prepared and able to focus on the conversation.
    • Next, carefully consider who you are adding to the meeting invite and whether it’s necessary for them to be there. Adding HR or your leader to a meeting invite may cause undue stress for the employee.
    • Consider the timing of the invite. Don’t send it out weeks in advance. When a performance problem exists, you’ll want to address it as soon as possible. A day or two of notice would be an ideal approach because it gives them a heads up but will not cause them extended stress or worrying.
    • Be considerate about the timing of the meeting and what else they may have scheduled. For example, a Friday afternoon before they are heading off on vacation or right before they are leading an important client call would not be appropriate timing.
    • As we just mentioned clear communication is critical. Ensure there are no misunderstandings by setting context for each discussion and having the employee reiterate takeaways back to you.
    • Focus on the behavior and don’t assume their intent. It can be tempting to say, “I know you didn’t mean to miss the deadline,” but you don’t know what they intended. Often people are not aware of the impact their behavior can have on others.
    • Lastly, be sure to adhere to any relevant HR policies and support systems. Working with HR throughout the process will ensure nothing is overlooked.

    2.3 Identify challenges of current practices and propose solutions

    30 Minutes

    1. Select one or two challenges from the previous activity.
    2. Identify one solution for each challenge that you can put into action with your own virtual team. Document in the workbook.

    Download the Workbook: Equip Managers to Effectively Manage Virtual Teams

    Input

    • Current performance management practices
    • Challenges surrounding performance management

    Output

    • Action plan to move forward

    Materials

    • Workbook: Equip Managers to Effectively Manage Virtual Teams

    Participants

    • All managers with direct reports working virtually

    Effectively Manage Virtual Teams

    Optional Section

    Employee development in a virtual team setting

    There are three main development approaches for both colocated and virtual employees

    Formal Training; Relational Learning; Experimental Learning

    Speaker’s Notes:

    As we have seen, our virtual employees crave more meaningful interactions with their managers. In addition to performance conversations, managers should also be having regular discussions with their employees about their employee development plans. One key component of these discussions is career planning. Whether you are thinking shorter term – how to become better at their current role – or longer term – how to advance beyond their current role – discussions about employee development are a great way to engage employees. Employees are ultimately responsible for creating and executing their own development plans, but managers are responsible for making sure that employees have thought through these plans and helping employees identify opportunities for executing those plans.

    To help us think about our own employee development practices, identify challenges they pose when working with virtual employees, and create solutions to these challenges, it is useful to think about employee development opportunities according to three types:

    1. The first kind of development opportunity is formal training. Formal training is organized and has a clearly defined curriculum and desired outcome. It usually takes the form of a group training session (like this one) or training videos or materials that employees can watch individually and on their own time. These opportunities usually end with a test or assignment that can be used to evaluate the degree to which the participant achieved the desired learning outcomes.
    2. The second kind of development opportunity is relational learning. Perhaps the most common form of this type of learning is coaching or mentoring. By establishing a long-term work relationship, checking in with employees about their daily work and development goals, and sharing their own experiences and knowledge, mentors help employees reflect and draw out learning from everyday, on-the-job development activities. Other examples include a peer support group or communities of practice. In these group settings peers share best practices and work together to overcome challenges.
    3. The third kind of development opportunity is experiential learning. This kind of opportunity provides employees the chance to work on real work problems, and the output of the development work can directly benefit the organization. Most people learn best by doing. On-the-job experiences that are challenging or new can force people to use and develop new skills and knowledge based on what worked effectively and what failed. Examples of experiential learning are on-the-job learning for new hires, stretch assignments, or special projects that take the employee beyond their daily routine and allow them to try new activities and develop competencies that they would not have the chance to develop as part of their regular job.

    According to McLean & Company, organizations should use the “70-20-10” rule as a rough guideline when working with employees to create their development plans: 10% of the plan should be dedicated to formal training opportunities, 20% to relational learning, and 70% to experiential learning. Managers should work with employees to identify their performance and career goals, ensure that their development plans are aligned with these goals, and include an appropriate mixture of all three kinds of development opportunities.

    To help identify challenges and solutions, think about how virtual work arrangements will impact the employee’s ability to leverage each type of opportunity at our organization.

    Here are some examples that can help us start thinking about the kinds of challenges virtual employees on our team face:

    Career Planning

    • One challenge can be identifying a career path that is consistent with working virtually. If switching from a virtual arrangement to an onsite arrangement is not a viable option for an employee, some career paths may not feasibly be open to them (at least as the company is currently organized). For example, if an employee would eventually like to be promoted to a senior leadership role in their business function but all senior leaders are required to work onsite at corporate headquarters, the employee will need to consider whether such a move is possible for them. In some cases employees may be willing to do this, but in others they may not. The important thing is to have these conversations with virtual employees and avoid the assumption that all career paths can be done virtually, since that might not be the case

    Formal Training

    • This is probably the least problematic form of employee development for virtual employees. In many cases this kind of training is scheduled well in advance, so virtual employees may be able to join non-virtual employees in person for some group training. When this is not possible (due to distance, budget, or time zone), many forms of group training can be recorded and watched by virtual employees later. Training videos and training materials can also easily be shared with virtual employees using existing collaboration software.

    Relational Learning

    • One major challenge here is developing a mentoring relationship virtually. As we discussed in the module on performance management, developing relationships virtually can be challenging because people cannot rely upon the kind of informal and spontaneous interactions that occur when people are located in the same office. Mentors and mentees will have to put in more effort and planning to get to know each other and they will have to schedule frequent check-ins so that employees can reflect upon their progress and experience (with the help of their mentors) more often.
    • Time zones and technology may pose potential barriers for certain candidates to be mentors. In some cases, employees that are best qualified to be mentors may not be as comfortable with collaborative software as other mentors or their mentees. If there are large time zone differences, some people who would otherwise be interested in acting as a mentor may be dissuaded. Managers need to take this into consideration if they are connecting employees with mentors or if they are thinking of taking on the mentor role themselves.

    Experiential Learning

    • Virtual employees risk being overlooked for special projects due to the “out of sight, out of mind” bias: When special projects come up, the temptation is to look around the room and see who is the best fit. The problem is, however, that in some cases the highest performers or best fit may not physically be in the room. In these cases it is important for managers to take on an advocate role for their employees and remind other managers that they have good virtual employees on their team that should be included or contacted. It is also important for managers to keep their team informed about these opportunities as often as possible.
    • Sometimes certain projects or certain kinds of work just cannot be done virtually in a company for a variety of reasons. The experiential learning opportunities will not be open to virtual employees. If such opportunities are open to the majority of other workers in this role (potentially putting virtual employees’ career development at a disadvantage relative to their peers), managers should work with their virtual employees to identify alternative experiences. Managers may also want to consider advocating for more or for higher quality experiential learning opportunities at the organization.

    Now that we have considered some general examples of challenges and solutions, let’s look at our own employee development practices and think about the practical steps we can take as managers to improve employee development for our virtual employees.

    Employee development basics

    • Career planning & performance improvement
    • Formal training
    • Relational learning
    • Experiential learning

    Speaker’s Notes:

    [Customize this slide according to your organization’s own policies and processes for employee development. Provide useful images that outline this on the slide, and in these notes describe the processes/policies that are in place. Note: In some cases policies or processes may not be designed with virtual employees or virtual teams in mind. That is okay for the purposes of this training module. In the following activities participants will discuss how they apply these policies and processes with their virtual teams. If your organization is interested in adapting its policies/processes to better support virtual workers, it may be useful to record those conversations to supplement existing policies later.]

    Now that we have considered some general examples of challenges and solutions, let’s look at our own employee development practices and think about the practical steps we can take as managers to improve employee development for our virtual employees.

    2.4 Share current practices for developing employees on a virtual team

    30 Minutes

    1. Brainstorm and list current high-level employee development practices. Record in your workbook.
    2. Discuss current challenges connected to developing virtual employees. Record in your workbook.
    3. Identify one solution for each challenge that you can put into action with your own virtual team.
    4. Discuss as a group.

    Download the Workbook: Equip Managers to Effectively Manage Virtual Teams

    Input

    • Current employee development practices
    • Challenges surrounding employee development

    Output

    • Action plan to move forward

    Materials

    • Workbook: Equip Managers to Effectively Manage Virtual Teams

    Participants

    • All managers with direct reports working virtually

    Refine Action Plans

    2.5 Refine your action plan and commit to implementing it

    30 Minutes

    1. Review your action plans for consistency and overlap. Highlight any parts you may struggle to complete.
    2. Meeting with your group, summarize your plans to each other. Provide feedback and discuss each other’s action plans.
    3. Discuss how you can hold each other accountable.

    Download the Workbook: Equip Managers to Effectively Manage Virtual Teams

    Input

    • Action items from previous activities.

    Output

    • Action plan to move forward

    Materials

    • Workbook: Equip Managers to Effectively Manage Virtual Teams

    Participants

    • All managers with direct reports working virtually

    Summary of Accomplishment

    • We do not need to go out and learn a new set of manager responsibilities to better manage our virtual teams; rather, we have to “dial up” certain responsibilities we already have or adjust certain approaches that we already take.
    • It is important to set clear expectations. While managers are ultimately responsible for making sure expectations are set and are clearly communicated, they are not the only ones with responsibilities. Employees and managers need to work together to overcome the challenges that virtual work involves.
    • Virtual employees crave meaningful interactions with their managers and team. Managers must take charge in fostering an atmosphere of openness around wellbeing and establish effective performance management strategies. By being proactive with our virtual teams’ wellness and mindful of our performance management habits, we can take significant steps toward keeping these employees engaged and productive.
    • Effective management in virtual contexts requires being more deliberate than is typical in non-virtual contexts. By working as a group to identify challenges and propose solutions, we have helped each other create action plans that we can use going forward to continually improve our management practices.

    If you would like additional support, have our analysts guide you through an info-tech workshop or guided implementation.

    Contact your account representative for more information

    workshops@infotech.com

    1-888-670-8889

    Speaker’s Notes:

    First, let’s take a moment to summarize the key things we have learned today:

    1. We do not need to go out and learn a new set of manager competencies to better manage our virtual teams; rather, we have to “dial up” certain competencies we already have or adjust certain approaches that we already take. In many cases we just need to be more aware of the challenges that virtual communication poses and be more planful in our approaches.
    2. It is important to set clear expectations. While managers are ultimately responsible for making sure expectations are set and clearly communicated, they are not the only ones with responsibilities. Employees and managers need to work together to overcome the challenges that virtual work involves. Making sure that teams have meaningful conversations about expectations, come to a shared understanding of them, and record them will create a firm foundation for all other interactions on the virtual team.
    3. Virtual employees crave meaningful interactions with their managers related to performance and employee development. By creating action plans for improving these kinds of interactions with our teams, we can take significant steps toward keeping these employees engaged and productive.
    4. Effective performance management and employee development in virtual contexts require more planfulness than is required in non-virtual contexts. By working as a group to identify challenges and propose solutions, we have helped each other create action plans that we can use going forward to continually improve our management practices.

    Is there anything that anyone has learned that is not on this list and that they would like to share with the group?

    Finally, were there any challenges identified today that were not addressed?

    [Note to facilitator: Take note of any challenges not addressed and commit to getting back to the participants with some suggested solutions.]

    Additional resources

    Manager Training: Lead Through Change

    Train managers to navigate the interpersonal challenges associated with change management and develop their communication and leadership skills. Upload this LMS module into your learning management system to enable online training.

    Manager Training: Build a Better Manager: Manage Your People

    Management skills training is needed, but organizations are struggling to provide training that makes a long-term difference in the skills managers use in their day to day.

    Many training programs are ineffective because they offer the wrong content, deliver it in a way that is not memorable, and are not aligned with the IT department’s business objectives.

    Blueprint: Manage Poor Performance While Working From Home

    Assess and improve remote work performance with our ready-to-use tools.

    Works Cited

    April, Richard. “10 KPIs Every Sales Manager Should Measure in 2019.” HubSpot, 24 June 2019. Web.

    Banerjea, Peter. “5 Powerful Strategies for Managing a Remote Sales Team.” Badger - Maps for field sales, n.d. Web.

    Bibby, Adrianne. “5 Employers’ Awesome Quotes about Work Flexibility.” FlexJobs, 9 January 2017. Web.

    Brogie, Frank. “The 14 KPIs every field sales rep should strive to improve.” Repsly, 2018. Web.

    Dunn, Julie. “5 smart tips for leading field sales teams.” LevelEleven, March 2015. Web.

    Edinger, Scott. “How great sales leaders coach.” Forbes, 2013. Web.

    “Employee Outlook: Employee Views on Working Life.” CIPD, April 2016. Web.

    Hall, Becki. “The 5 biggest challenges facing remote workers (and how to solve them).” interact, 7 July 2017. Web.

    Hofstede, Geert. “National Cultural Dimensions.” Hofstede Insights, 2012. Web.

    “Inventory of U.S. Greenhouse Gas Emissions and Sinks: 1990-2014 (EPA 430-R-16-002).” Environmental Protection Agency (EPA), 15 April 2016.

    “Latest Telecommuting Statistics.” Global Workplace Analytics, June 2021. Web.

    Knight, Rebecca. “How to manage remote direct reports.” Harvard Business Review, 2015. Web.

    “Rewards and Recognition: 5 ways to show remote worker appreciation.” FurstPerson, 2019. Web.

    Palay, Jonathan. "How to build your sales management cadence." CommercialTribe, 22 March 2018. Web.

    “Sales Activity Management Matrix.” Asian Sales Guru, 2019. Web.

    Smith, Simone. “9 Things to Consider When Recognizing Remote Employees.” hppy, 2018. Web.

    “State of Remote Work 2017.” OWL Labs, 2021. Web.

    “State of the American Workplace.” Gallup, 2017. Web.

    “Telework Savings Potential.” Global Workplace Analytics, June 2021. Web.

    “The Future of Jobs Employment Trends.” World Economic Forum, 2016. Web.

    “The other COVID-19 crisis: Mental health.” Qualtrics, 14 April 2020. Web.

    Thompson, Dan. “The straightforward truth about effective sales leadership.” Sales Hacker, 2017. Web.

    Tsipursky, Gleb. “Remote Work Can Be Better for Innovation Than In-Person Meetings.” Scientific American, 14 Oct. 2021. Web.

    Walsh, Kim. “New sales manager? Follow this guide to crush your first quarter.” HubSpot, May 2019. Web.

    “What Leaders Need to Know about Remote Workers: Surprising Differences in Workplace Happiness and Relationships.” TINYpulse, 2016.

    Zenger, Jack, and Joe Folkman. “Feedback: The Leadership Conundrum.” Talent Quarterly: The Feedback Issue, 2015.

    Contributors

    Anonymous CAMH Employee

    Right-Size the Service Desk for Small Enterprise

    • Buy Link or Shortcode: {j2store}487|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Service Desk
    • Parent Category Link: /service-desk

    The service desk is a major function within IT. Small enterprises with constrained resources need to look at designing a service desk that enables consistency in supporting the business and finds the right balance of documentation.

    Determining the right level of documentation to provide backup and getting the right level of data for good reporting may seem like a waste of time when the team is small, but this is key to knowing when to invest in more people, upgraded technology, and whether your efforts to improve service are successful.

    Our Advice

    Critical Insight

    It’s easy to lose sight of the client experience when working as a small team supporting a variety of end users. Changing from a help desk to a service desk requires a focus on what it means to be a customer centric service desk and a change to the way the technicians think about providing support.

    • Make the best use of the team. Clearly define roles and responsibilities and monitor those wearing multiple hats to make sure they don’t burn out.
    • Build cross training and documentation into your culture to preserve service levels while giving team members time off to recharge.
    • Don’t discount the benefit of good tools. As volume increases, so does the likelihood of issues and requests getting missed. Look for tools that will help to keep a customer focus.

    Impact and Result

    • Improved workload distribution for technicians and enable prioritization based on work type, urgency, and impact.
    • Improved communications methods and messaging will help the technicians to set expectations appropriately and reduce friction between each other and their supported end users.
    • Best practices and use of industry standard tools will reduce administrative overhead while improving workload management.

    Right-Size the Service Desk for Small Enterprise Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Right-Size the Service Desk for Small Enterprise Storyboard – A step-by-step guide to help you identify and prioritize initiatives to become more customer centric.

    This blueprint provides a framework to quickly identify a plan for service desk improvements. It also provides references to build out additional skills and functionality as a continual improvement initiative.

    • Right-Size the Service Desk for Small Enterprise Storyboard

    2. Maturity Assessment – An assessment to determine baseline maturity.

    The maturity assessment will provide a baseline and identify areas of focus based on level of current and target maturity.

    • IT Service Desk Maturity Assessment for Small Enterprise

    3. Standard Operating Procedure – A template to build out a clear, concise SOP right-sized for a small enterprise.

    The SOP provides an excellent guide to quickly inform new team members or contractors of your support approach.

    • Incident Management and Service Desk SOP for Small Enterprise

    4. Categorization Scheme – A template to build out an effective categorization scheme.

    The categorization scheme template provides examples of asset-based categories, resolution codes and status.

    • Service Desk Asset-Based Categories Template

    5. Improvement Plan – A template to present the improvement plan to stakeholders.

    This template provides a starting point for building your communications on planned improvements.

    • Service Desk Improvement Initiative
    [infographic]

    Further reading

    Right-Size the Service Desk for Small Enterprise

    Turn your help desk into a customer-centric service desk.

    Analyst Perspective

    Small enterprises have many of the same issues as large ones, but with far fewer resources. Focus on the most important aspects to improve customer service.

    The service desk is a major function within IT. Small enterprises with constrained resources need to look at designing a service desk that enables consistency in supporting the business and finds the right balance of documentation.

    Evaluate documentation to ensure there is always redundancy built in to cover absences. Determining coverage will be an important factor, especially if vendors will be brought into the organization to assist during shortages. They will not have the same level of knowledge as teammates and may have different requirements for documentation.

    It is important to be customer centric, thinking about how services are delivered and communicated with a focus on providing self-serve at the appropriate level for your users and determining what information the business needs for expectation-setting and service level agreements, as well as communications on incidents and changes.

    And finally, don’t discount the value of good reporting. There are many reasons to document issues besides just knowing the volume of workload and may become more important as the organization evolves or grows. Stakeholder reporting, regulatory reporting, trend spotting, and staff increases are all good reasons to ensure minimum documentation standards are defined and in use.

    Photo of Sandi Conrad, Principal Research Director, Info-Tech Research Group. Sandi Conrad
    Principal Research Director
    Info-Tech Research Group

    Table of Contents

    Title Page Title Page
    Blueprint benefits 6 Incident management 25
    Start / Stop / Continue exercise 10 Prioritization scheme 27
    Complete a maturity assessment 11 Define SLAs 29
    Select an ITSM tool 13 Communications 30
    Define roles & responsibilities 15 Reporting 32
    Queue management 17 What can you do to improve? 33
    Ticket handling best practices 18 Staffing 34
    Customer satisfaction surveys 19 Knowledge base & self-serve 35
    Categorization 20 Customer service 36
    Separate ticket types 22 Ticket analysis 37
    Service requests 23 Problem management 38
    Roadmap 39

    Insight summary

    Help desk to service desk

    It’s easy to lose sight of the client experience when working as a small team supporting a variety of end users. Changing from a help desk to a service desk requires a focus on what it means to be a customer-centric service desk and a change to the way the technicians think about providing support.

    Make the best use of the team

    • Clearly define primary roles and responsibilities, and identify when and where escalations should occur.
    • Divide the work in a way that makes the most sense based on intake patterns and categories of incidents or service requests.
    • Recognize who is wearing multiple hats, and monitor to make sure they don’t burn out or struggle to keep up.
    • Determine the most appropriate areas to outsource based on work type and skills required.

    Build cross-training into your culture

    • Primary role holders need time off and need to know the day-to-day work won’t be waiting for them when they come back.
    • The knowledge base is your first line of defense to make sure incidents don’t have to wait for resolution and to avoid having technicians remote in on their day off.
    • When volumes spike for incidents and service requests, everyone needs to be prepared to pitch in. Train the team to recognize and step up to the call to action.

    Don’t discount the benefit of good tools

    • When volume increases, so does the likelihood of missing issues and requests.
    • Designate a single solution to manage the workload, so there is one place to go for work orders, incident reporting, asset data, and more.
    • Set up self-serve for users so they have access to how-to articles and can check the status of tickets themselves.
    • Create a service catalog to make it easy for them to request the most frequent items easily.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Standard Operating Procedures

    Sample of the Standard Operating Procedures deliverable.

    Maturity Assessment

    Sample of the Maturity Assessment deliverable.

    Categorization scheme

    Sample of the Categorization scheme deliverable.

    Improvement Initiative

    Sample of the Improvement Initiative deliverable.
    Create a standard operating procedure to ensure the support team has a consistent understanding of how they need to engage with the business.

    Blueprint benefits

    IT benefits

    • Improve workload distribution for technicians and enable prioritization based on work type, urgency, and impact.
    • Improved communications methods and messaging will help the technicians set expectations appropriately and reduce friction between each other and their supported end users.
    • Best practices and use of industry-standard tools will reduce administrative overhead while improving workload management.

    Business benefits

    • IT taking a customer-centric approach will improve access to support and reduce interruptions to the way they do business.
    • Expectation setting and improved communications will allow the business to better plan their work around new requests and will have a better understanding of service level agreements.

    Guided Implementation

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is six to ten calls over the course of three to four months.

    The current state discussion will determine the path.

    What does a typical GI on this topic look like?

    Current State & Vision

    Best Practices

    Service Requests & Incidents

    Communications

    Next Steps & Roadmap

    Call #1: Discuss current state & create a vision

    Call #2: Document roles & responsibilities

    Call #3:Review and define best practices for ticket handling Call #4: Review categorization

    Call #5: Discuss service requests & self-serve

    Call #6: Assess incident management processes
    Call #7: Assess and document reporting and metrics

    Call #8: Discuss communications methods

    Call #9: Review next steps

    Call #10: Build roadmap for updates

    For a workshop on this topic, see the blueprint Standardize the Service Desk

    Executive Brief Case Study

    Southwest CARE Center
    Logo for Southwest Care.
    INDUSTRY
    Healthcare

    Service Desk Project

    After relying on a managed service provider (MSP) for a number of years, the business hired Kevin to repatriate IT. As part of that mandate, his first strategic initiative was to build a service desk. SCC engaged Info-Tech Research Group to select and build a structure; assign roles and responsibilities; implement incident management, request fulfilment, and knowledge management processes; and integrate a recently purchased ITSM tool.

    Over the course of a four-day onsite engagement, SCC’s IT team worked with two Info-Tech analysts to create and document workflows, establish ticket handling guidelines, and review their technological requirements.

    Results

    The team developed a service desk standard operating procedure and an implementation roadmap with clear service level agreements.

    Southwest CARE Center (SCC) is a leading specialty healthcare provider in New Mexico. They offer a variety of high-quality services with a focus on compassionate, patient-centered healthcare.

    “Info-Tech helped me to successfully rebrand from an MSP help desk to an IT service desk. Sandi and Michel provided me with a customized service desk framework and SOP that quickly built trust within the organization. By not having to tweak and recalibrate my service desk processes through trial and error, I was able to save a year’s worth of work, resulting in cost savings of $30,000 to $40,000.” (Kevin Vigil, Director of Information Technology, Southwest CARE Center)

    The service desk is the cornerstone for customer satisfaction

    Bar charts comparing 'Dissatisfied' vs 'Satisfied End Users' in both 'Service Desk Effectiveness' and 'Timeliness'.
    N=63, small enterprise organizations from the End-User Satisfaction Diagnostic, at December 2021
    Dissatisfied was classified as those organizations with an average score less than 7.
    Satisfied was classified as those organizations with an average score greater or equal to 8.
    • End users who were satisfied with service desk effectiveness rated all other IT processes 36% higher than dissatisfied end users.
    • End users who were satisfied with service desk timeliness rated all other IT processes 34% higher than dissatisfied end-users.

    Improve the service desk with a Start, Stop, Continue assessment

    Use this exercise as an opportunity to discuss what’s working and what isn’t with your current help desk. Use this to define your goals for the improvement project, with a plan to return to the results and rerun the exercise on a regular basis.

    STOP

    • What service desk processes are counterproductive?
    • What service blockers exist that consistently undermine good results?
    • Are end-user relationships with individual team members negatively impacting satisfaction?
    • Make notes on initial ideas for improvement.

    START

    • What service process improvements could be implemented immediately?
    • What technical qualifications do individual staff members need to improve?
    • What opportunities exist to improve service desk communications with end users?
    • How can escalation and triage be more efficient?

    CONTINUE

    • What aspects of your current service desk are positive?
    • What processes are efficient and can be emulated elsewhere?
    • Where can you identify high levels of end-user satisfaction?

    Complete a maturity assessment to create a baseline and areas of focus

    The Service Desk Maturity Assessment tool helps organizations assess their service desk process maturity and focus the project on the activities that matter most.

    The tool will help guide improvement efforts and measure your progress.

    • The second tab of the tool walks through a qualitative assessment of your service desk practices. Questions will prompt you to evaluate how you are executing key activities. Select the answer in the drop-down menus that most closely aligns with your current state.
    • The third tab displays your rate of process completeness and maturity. You will receive a score for each phase, an overall score, and advice based on your performance.
    • Document the results of the efficiency assessment in the Service Desk Improvement Initiative.
    • The tool is intended for periodic use. Review your answers each year and devise initiatives to improve the process performance where you need it most.
    Sample of the Service Desk Maturity Assessment.

    Define your vision for the support structure

    Use this vision for communicating with the business and your IT team

    Consider service improvements and how those changes can be perceived by the organization. For example, offering multiple platforms, such as adding Macs to end-user devices, could translate to “Providing the right IT solutions for the way our employees want to work.”

    To support new platforms, you might need to look at the following steps to get there:
    • Evaluate skills needed – can you upskill generalists quickly, or will specialists be required? Determine training needs for support staff on new platforms.
    • Estimate uptake of the new platform and adjusting budgets – will these mostly be role-based decisions?
    • Determine what applications will work on the new platform and which will have a parity offering, which will require a solution like Parallels or VirtualBox, and which might need substitute applications.
    • What utilities will be needed to secure your solutions such as for encryption, antivirus, and firewalls?
    • What changes in the way you deploy and patch machines?
    • What level of support do you need to provide – just platform, or applications as well? What self-serve training can be made available?
    If you need to change the way you deploy equipment, you may want to review the blueprint Simplify Remote Deployment With Zero-Touch Provisioning

    Info-Tech Insight

    Identify some high-level opportunities and plan out how these changes will impact the way you provide support today. Document steps you’ll need to follow to make it happen. This may include new offerings and product sourcing, training, and research.

    Facilitate service desk operations with an ITSM tool

    You don’t need to spend a fortune. Many solutions are free or low-cost for a small number of users, and you don’t necessarily have to give up functionality to save money.

    Encourage users to submit requests through email or self-serve to keep organized. Ensure that reporting will provide you with the basics without effort, but ensure report creation is easy enough if you need to add more.

    Consider tools that do more than just store tickets. ITSM tools for small enterprises can also assist with:
    • Equipment and software license management
    • Self-serve for password reset and improving the experience for end users to submit tickets
    • Software deployment
    • Onboarding and offboarding workflows
    • Integration with monitoring tools
    Info-Tech Insight Buying rather than building allows you the greatest flexibility and can provide enterprise-level functionality at small-enterprise pricing. Use Info-Tech’s IT Service Management Selection Guide to create a business case and list of requirements for your ITSM purchase.
    Logo for Spiceworks.
    Logo for ZenDesk. Logo for SysAid.
    Logo for ManageEngine.
    Logo for Vector Networks.
    Logo for Freshworks.
    Logo for Squadcast.
    Logo for Jira Software.
    Logos contain links

    ITSM implementations are the perfect time to fix processes

    Consider engaging a partner for the installation and setup as they will have the expertise to troubleshoot and get you to value quickly.

    Even with a partner, don’t rely on them to set up categories, prioritizations, and workflows. If you have unique requirements, you will need to bring your design work to the table to avoid getting a “standard install” that will need to be modified later.

    When we look at what makes a strong and happy product launch, it boils down to a few key elements:
    • Improving customer service, or at least avoiding a decline
    • Improving access to information for technical team and end users
    • Successfully taking advantage of workflows, templates, and other features designed to improve the technician and user experience
    • Using existing processes with the new tools, without having to completely reengineer how things are done
    For a complete installation guide, visit the blueprint Build an ITSM Implementation Plan
    To prepare for a quick time to value in setting up the new ITSM tool, prioritize in this order:
    1. Categorization and status codes
    2. Prioritization
    3. Divide tickets into incidents and service requests
    4. Create workflows for onboarding and offboarding (automate where you can)
    5. Track escalations to vendors
    6. Reporting
    7. Self-serve
    8. Equipment inventory (leading to hardware asset management)

    Define roles looking to balance between customer service and getting things done

    The team will need to provide backfill for each other with high volume, vacations, and leave, but also need to proactively manage interruptions appropriately as they work on projects.
    Icon of a bullseye. First contact – customer service, general knowledge
    Answers phones, chats, responds to email, troubleshooting, creates knowledge articles for end users.
    Icon of a pie chart. Analyst – experienced troubleshooter, general knowledge
    Answers phone when FC isn’t available, responds to email, troubleshooting, creates knowledge articles for first contact, escalates to other technicians or vendors.
    Icon of a lightbulb. Analyst – experienced troubleshooter, specialist
    Answers phones only when necessary, troubleshooting, creates knowledge articles for anyone in IT, consults with peers, escalates to vendors.
    Icon of gear on a folder. Engineer – deep expertise, specialist
    Answers phones only when necessary, troubleshooting, creates knowledge articles for anyone in IT, consults with peers, escalates to vendors.
    Icon of a handshake. Vendor, Managed Service Providers
    Escalation point per contract terms, must meet SLAs, communicate regularly with analysts and management as appropriate. Who escalates and who manages them?
    Row of colorful people.

    Note roles in the Incident Management and Service Desk – Standard Operating Procedure Template

    Keep customers happy and technicians calm by properly managing your queue

    If ticket volume is too high or too dispersed to effectively have teams self-select tickets, assign a queue manager to review tickets throughout the day to ensure they’re assigned and on the technician’s schedule. This is particularly important for technicians who don’t regularly work out of the ticketing system. Follow up on approaching or missed SLAs.

    • Separate incidents (break fix) and service requests: Prioritize incidents over service requests to focus on getting users doing business as soon as possible. Schedule service requests for slower times or assign to technicians who are not working the front lines.
    • First in/first out…mostly: We typically look to prioritize incidents over service requests and only prioritize incidents if there are multiple people or VIPs affected. Where everything is equal, deal with the oldest first. Pause occasionally to deal with quick wins such as password resets.
    • Update ticket status and notes: Knowing what tickets are in progress and which ones are waiting on information or parts is important for anyone looking to pick up the next ticket. Make sure everyone is aware of the benefits of keeping this information up to date, so technicians know what to work on next without duplicating each other’s work.
    • Implement solutions quickly by using knowledge articles: Continue to build out the knowledge base to be able to resolve end-user issues quickly, check to see if additional information is needed before escalating tickets to other technicians.
    • Encourage end users to create tickets through the portal: Issues called in are automatically moved to the front of the queue, regardless of urgency. Make it easy for users to report issues using the portal and save the phone for urgent issues to allow appropriate prioritization of tickets.
    • Create a process to add additional resources on a regular basis to keep control of the backlog: A few extra hours once a week may be enough if the team is focused without interruptions.
    • Determine what backlog is acceptable to your users: Set that as a maximum time to resolve. Ideally, set up automated escalations for tickets that are approaching target SLAs, and build flexibility into schedules to have an “all hands on deck” option if the volume gets too high.

    Info-Tech Insight

    Make sure your queue manager has an accurate escalation list and has the authority to assign tickets and engage with the technical team to manage SLAs; otherwise, SLAs will never be consistently managed.

    Best practices for ticket handling

    Accurate data leads to good decisions. If working toward adding staff members, reducing recurring incidents, gaining access to better tools, or demonstrating value to the business, tickets will enable reporting and dashboards to manage your day-to-day business and provide reports to stakeholders.
    • Provide an easy way for end users to electronically submit tickets and encourage them to do so. This doesn’t mean you shouldn’t still accept phone calls, but that should be encouraged for time sensitive issues.
    • Create and update tickets, but not at the expense of good customer service. Agents can start the ticket but shouldn’t spend five minutes creating the ticket when they should be troubleshooting the problem.
    • Update the ticket when the issue is resolved or needs to be escalated. If agents are escalating, they should make sure all relevant information is passed along to the next technician.
    • Update user of ETA if issue cannot be resolved quickly.
    • Update categories to reflect the actual issue and resolution.
    • Reference or link to the knowledge base article as the documented steps taken to resolve the incident.
    • Validate incident is resolved with client. Automate this process with ticket closure after a certain time.
    • Close or resolve the ticket on time.
    Ticket templates (or quick tickets) for common incidents can lead to fast creation, data input, and categorizations. Templates can reduce the time it takes to create tickets from two minutes to 30 seconds.
    Sample ticket template.

    Create a right-sized self-service portal

    Review tickets and talk to the team to find out the most frequent requests and the most frequent incidents that could be solved by the end user if there were clear instructions. Check with your user community to see what they would like to see in the portal.

    A portal is only as attractive as it is useful. Enabling ticket creation and review is the bare minimum and may not entice users to the portal if email is just as easy to use for ticket creation.

    Consider opening the portal to groups other than IT. HR, finance, and others may have information they want to share or forms to fill in or download where an employee portal rather than an IT portal could be helpful. Work with other departments to see if they would find value. Make sure your solution is easy to use when adding content. Low-code options are useful for this.

    Portals could be built in the ITSM solution or SharePoint/Teams and should include:

    • Easy ways to create and see status on all tickets
    • Manuals, how-to articles, links to training
    • Answers to common questions, could be a wiki or Q&A for users to help each other as well as IT
    • Could have a chatbot to help people find documents or to create a ticket

    Info-Tech Insight

    Consider using video capture software to create short how-to videos for common questions. Vendors such as TechSmith Snagit , Vimeo Screen Recorder, Screencast-O-Matic Video Recording, and Movavi Screen Recording may be quick and easy to learn.

    49%

    49% of employees have trouble finding information at work

    35%

    Employees can cut time spent looking for information by 35% with quality intranet

    (Source: Liferay)

    Use customer satisfaction surveys to monitor service levels

    Transactional surveys are tied to specific interactions and provide a means of communication to help users communicate satisfaction or dissatisfaction with single interactions.
    • Keep it simple: One question to rate the service with opportunity to add a comment is enough to understand the sentiment and potential issues, and it will be more likely that the user will fill it out.
    • Follow up: Feedback will only be provided if customers think it’s being read and actioned. Set an alert to receive notification of any negative feedback and follow up within one or two business days to show you’re listening.

    A simple customer feedback form with smiley face scale.

    Relationship surveys can be run annually to obtain feedback on the overall customer experience.

    Inform yourself of how well you are doing or where you need improvement in the broad services provided.

    Provide a high-level perspective on the relationship between the business and IT.

    Help with strategic improvement decisions.

    Should be sent over a duration of time and to the entire customer base after they’ve had time to experience all the services provided by the service desk. This can be done on an annual basis.

    For example: Info-Tech’s End User Satisfaction Diagnostic. Included in your membership.

    Keep categorizations simple

    Asset categorization provides reports that are straightforward and useful for IT and that are typically used where the business isn’t demanding complex reports.

    Too many options can cause confusion; too few options provide little value. Try to avoid using “miscellaneous” – it’s not useful information. Test your tickets against your new scheme to make sure it works for you. Effective classification schemes are concise, easy to use correctly, and easy to maintain.

    Build out the categories with these questions:
    • What kind of asset am I working on? (type)
    • What general asset group am I working on? (category)
    • What particular asset am I working on? (sub-category)

    Create resolution codes to further modify the data for deeper reporting. This is typically a separate field, as you could use the same code for many categories. Keep it simple, but make sure it’s descriptive enough to understand the type of work happening in IT.

    Create and define simple status fields to quickly review tickets and know what needs to be actioned. Don’t stop the clock for any status changes unless you’re waiting on users. The elapsed time is important to measure from a customer satisfaction perspective.

    Info-Tech Insight

    Think about how you will use the data to determine which components need to be included in reports. If components won’t be used for reporting, routing, or warranty, reporting down to the component level adds little value.

    Example table of categorizations.


    Need to make quick progress? Use Info-Tech Research Group’s Service Desk Asset-Based Categories template.

    1.1 Build or review your categories

    1-3 hours

    Input: Existing tickets

    Output: Categorization scheme

    Materials: Whiteboard/Flip charts, Markers, Sample categorization scheme

    Participants: CIO, Service desk manager, Technicians

    Discuss:

    • How can you use categories and resolution information to enhance reporting?
    • What level of detail do you need to be able to understand the data and take action? What level of detail is too much?
    • Are current status fields allowing you to accurately assess pending work at a glance?

    Draft:

    1. Start with existing categories and review, identifying duplicates and areas of inconsistency.
    2. Write out proposed resolution codes and status fields and critically assess their value.
    3. Test categories and resolution codes against a few recent tickets.
    4. Record the ticket categorization scheme in the Incident Management and Service Desk – Standard Operating Procedure.

    Download the Incident Management and Service Desk – Standard Operating Procedure Template

    Separate tickets into service requests and incidents

    Tickets should be separated into different ticket types to be able to see briefly what needs to be prioritized. This may seem like a non-issue if you have a small team, but if you ever need to report how quickly you’re solving break-fix issues or whether you’re doing root cause analysis, this will save on future efforts. Separating ticket types may make it easier to route tickets automatically or to a new provider in the future.

    INCIDENTS

    SERVICE REQUESTS

    Icon of a bullseye.

    PRIORITIZATION

    Incidents will be prioritized based on urgency and impact to the organization. Service requests will be scheduled and only increase in prioritization if there is an issue with the request process (e.g. new hire start).
    Icon of a handshake.

    SLAs

    Did incidents get resolved according to prioritization rules? REPONSE & RESOLUTION Did service requests get completed on time? SCHEDULING & FULFILMENT
    Icon of a lightbulb.

    TRIAGE & ROOT CAUSE ANALYSIS

    Incidents will typically need triage at the service desk unless something is set up to go directly to a specialist. Service requests don’t need triage and can be routed automatically for approvals and fulfillment.

    “For me, the first key question is, is this keeping you from doing business? Is this a service request? Is it actually something that's broken? Well, okay. Now let's have the conversation about what's broken and keeping you from doing business.” (Anonymous CIO)

    Determine how service requests will be fulfilled

    Process steps for service requests: 'Request, Approve, Schedule, Fulfill, Notify requester, Close ticket'.

    • Identify standard requests, meaning any product approved for use and deployment in the organization.
    • Determine whether this should be published and how. Consider a service catalog with the ability to create tickets right from the request page. If there is an opportunity to automate fulfillment, build that into your workflow and project plans.
    • Create workflows for complicated requests such as onboarding, and build them into a template in the service desk tool. This will allow you to reduce the administrative work to deploy tasks.
    • Who will fulfill requests? There may be a need for more than one technician to be able to fulfill if volume dictates, but it’s important to determine what will be done by each level to quickly assign those tickets for scheduling. Define what will be done by each group of technicians.
    • Determine reasonable SLAs for most service requests. Identify which ones will not meet “normal” SLAs. As you build out a service catalog or automate fulfillment, SLAs can be refined.

    Info-Tech Insight

    Service requests are not as urgent as incidents and should be scheduled.

    Set the SLA based on time to fulfill, plus a buffer to schedule around more urgent service requests.

    1.2 Identify service requests and routing needs

    2-3 hours

    Input: Ticket data, Existing workflow diagrams

    Output: Workflow diagrams

    Materials: Whiteboard/Flip charts, Markers, Visio

    Participants: CIO, Service desk manager, Technicians

    Identify:

    1. Create your list of typical service requests and identify the best person to fulfill, based on complexity, documentation, specialty, access rights.
    2. Review service requests which include multiple people or departments, such as onboarding and offboarding
    3. Draw existing processes.
    4. Discuss challenges and critique existing process.
    5. Document proposed changes and steps that will need to be taken to improve the process.

    Download the Incident Management and Service Desk – Standard Operating Procedure Template

    Incident management

    Critical incidents and normal incidents

    Even with a small team, it’s important to define a priority for response and resolution time for SLA and uptime reporting and extracting insights for continual improvement efforts.

    • Mission-critical systems or problems that affect many people should always come first (i.e. Severity Level 1).
    • The bulk of reported problems, however, are often individual problems with desktop PCs (i.e. Severity Level 3 or 4).
    • Some questions to consider when deciding on problem severity include:
      • How is productivity affected?
      • How many users are affected?
      • How many systems are affected?
      • How critical are the affected systems to the organization?
    • Decide how many severity levels the organization needs the service desk to have. Four levels of severity is ideal for most organizations.
    Go to incident management for SE

    Super-specialization of knowledge is also a common factor in smaller teams and is caused by complex architectures. While helpful, if that knowledge isn’t documented, it can walk out the door with the resource and the rest of the team is left scrambling.

    Lessons learned may be gathered for critical incidents but often are not propagated, which impacts the ability to solve recurring incidents.

    Over time, repeated incidents can have a negative impact on the customer’s perception that the service desk is a credible and essential service to the business.

    Cover image for 'Incident Management for Small Enterprise'.
    Click picture for a link to the blueprint

    1.3 Activity: Identify critical systems

    1 hour

    Input: Ticket data, Business continuity plan

    Output: Service desk SOP

    Materials: Whiteboard/Flip charts, Markers

    Participants: CIO, Service desk manager, Technicians

    Discuss and document:

    1. Create a list of the most critical systems, and identify and document the escalation path.
    2. Review inventory of support documents for critical systems and identify any that require runbooks to ensure quick resolution in the event of an outage or major performance issue. Refer to the blueprint Incident Management for Small Enterprise to prioritize and document runbooks as needed.
    3. Review vendor agreements to determine if SLAs are appropriate to support needs. If there is a need for adjustments, determine options for modifying or renegotiating SLAs.

    Download the Incident Runbook Prioritization Tool

    Prioritization scheme

    Keep the priority scheme simple and meaningful, using this framework to communicate and report to stakeholders and set SLAs for response and resolution.
    1. Focus primarily on incidents. Service requests should always be medium urgency, unless there is a valid reason to move one to high level.
    2. Separate major outages from all other tickets as these are a major factor in business impact.
    3. Decide how many levels of severity are appropriate for your organization.
    4. Build a prioritization matrix, breaking down priority levels by impact and urgency.
    5. Build out the definitions of “impact” and “urgency” to complete the prioritization matrix.
    6. Run through examples of each priority level to make sure everyone is on the same page.
    A matrix of prioritization with rows as levels of 'IMPACT' and columns as levels of 'URGENCY'. Ratings range from 'Critical' at 'Extensive/Critical' to 'Low' at 'Low Impact/Low'.

    Document escalation rules and contacts

    Depending on the size of the team, escalations may be mostly to internal technical colleagues or could be primarily to vendors.

    • Ensure the list of escalation rules and contacts is accurate and available, adding expected SLAs for quick reference
    • If tickets are being escalated but shouldn’t be, ensure knowledge articles and training materials are up to date
    • Follow up on all external escalations, ensuring SLAs are respected
    • Publish an escalation path for clients if service is not meeting their needs (for internal and external providers) and automate escalations for tickets breaching SLAs
    Escalation rules strung together.
    User doesn’t know who will fix the issue but expects to see it done in a reasonable time. If issue cannot be resolved right away, set expectations for resolution time.
    • Document information so next technician doesn’t need to ask the same questions.
    • Escalate to the right technician the first time.
    • Check notes to catch up on the issue.
    • Run tests if necessary.
    • Contact user to troubleshoot and fix.
    • Meet SLAs or update client on new ETA.
    • Provide complete information to vendor.
    • Monitor resolution.
    • Follow up with vendor if delays.
    • Update client as needed.
    • Vendor will provide support according to agreement.
    • Encourage vendor to provide regular updates to IT.
    • Review vendor performance regularly.
    • IT will validate issue is resolved and close ticket.
    Validate user is happy with the experience

    Define, measure, and report on service level agreements

    Improving communications is the most effective way to improve customer service
    1. Set goals for time to respond and time to resolve for different incident levels, communicate to the technical team, and test ability to meet these goals.
    2. Set goals for time to fulfil for most service requests, document exceptions (e.g. onboarding).
    3. Create reports to measure against goals and determine what information will be most effective for reporting to the business.
    4. Management: Communicate expectations to the business leaders and end users.
    5. Management: Set regular cadence to meet with stakeholders to discuss expectations and review relevant metrics.
    6. Management: Determine how metrics will be tracked and reviewed to manage technical partners.
    Keep messaging simple
    • Be prepared with detailed reporting if needed, but focus on a few key metrics to inform stakeholders of progress against goals.
    • Use trending to tell a story, especially when presenting success stories.
    • Use appropriate media for each type of message. For example: SLAs can be listed on automated ticket responses or in a banner on the portal.

    Determine what communications are most important and who will do them

    Icon of a bperson ascending a staircase.

    PROACTIVE, PLANNED CHANGES

    From: Service Desk

    Messaging provided by engineer or director, sent to all employees; proactive planning with business unit leaders.

    Icon of a bullseye.

    OUTAGES & UPDATES

    From: Service Desk

    Use templates to send out concise messaging and updates hourly, with input from technical team working on restoring services to all; director to liaise with business stakeholders.

    Icon of a lightbulb.

    UPDATES TO SERVICES, SELF-SERVE

    From: Director

    Send announcements no more than monthly about new services and processes.

    Icon of a handshake.

    REGULAR STAKEHOLDER COMMUNICATIONS

    From: Director

    Monthly reporting to business and IT stakeholders on strategic and project goals, manage escalations.

    1.4 Create communications plan

    2 hours

    Input: Sample past communications

    Output: Communications templates

    Materials: Whiteboard/flip charts, Markers

    Participants: CIO, Service desk manager, Technicians

    Determine where templates are needed to ensure quick and consistent communications. Review sample templates and modify to suit your needs:

    1. Proactive, planned changes
    2. Outages and updates
    3. Updates to services, self-serve
    4. Regular stakeholder communications

    Download the communications templates

    Create reports that are useful and actionable

    Reporting serves two purposes:

    1. Accountability to stakeholders
    2. Identification of items that need action

    To determine what reports are needed, ask yourself:

    • What are your goals?
    • What story are you trying to tell?
    • What do you need to manage day to day?
    • What do you need to report to get funding?
    • What do you need to report to your stakeholders for service updates?

    Determine which metrics will be most useful to suit your strategic and operational goals

    STRATEGIC GOAL (stakeholders): Improve customer service evidenced by:

    TIME

    • Aged backlog
    • Service requests solved within SLA (could also look for quick ones, e.g. tickets solved in one day, % solved within one hour)
    • Volume of incidents and time to solve each type
    • Critical incidents solved in 4 hours
    • Incidents solved same day

    QUALITY

    • Percentage of tickets solved at first contact
    • SLAs missed
    • Percentage of services available to request through catalog
    • Percentage of tickets created through portal (speaks to quality of experience)
    • Customer satisfaction survey results – transactional and annual

    RESOURCES

    • Knowledge articles used by technicians
    • Knowledge articles used by end users
    • Tickets resolved at each technician level (volume)
    • Non-standard requests evaluated and fulfilled by volume & time served
    • Volume of recurring incidents
    OPERATIONAL GOALS: Report to director & technicians

    What else can you do to improve service?

    Review the next few pages to see if you need additional blueprints to help you:
    • Evaluate staffing and training needs to ensure the right number of resources are available and they have the skills they need for your environment.
    • Create self-service for end users to get quick answers and create tickets.
    • Create a knowledge base to ensure backup for technical expertise.
    • Develop customer service skills through training.
    • Perform ticket analysis to better understand your technical environment.

    Be agile in your approach to service

    It’s easy for small teams to get overwhelmed when covering for vacations, illness, or leave. Determine where priorities may be adjusted during busy or short-staffed times.

    • Have a plan to cross-train technicians and create comprehensive knowledge articles for coverage during vacations and unexpected absences.
    • Know where it makes sense to bring in vendors, such as for managed print services, or to cover for extended absences.
    • Look for opportunities to automate functions or reduce administrative overhead through workflows.
    • Identify any risks and determine how to mitigate, such as managing or changing administrative passwords.
    • Create self-serve to enable ticket creation and self-solve for those users who wish to use it.

    Staff the service desk to meet demand

    • With increasing complexity of support and demand on service desks, staff are often left feeling overwhelmed and struggling to keep up with ticket volume, resulting in long resolution times and frustrated end users.
    • However, it’s not as simple as hiring more staff to keep up with ticket volume. IT managers must have the data to support their case for increasing resources or even maintaining their current resources in an environment where many executives are looking to reduce headcount.
    • Without changing resources to match demand, IT managers will need to determine how to maximize the use of their resources to deliver better service.

    Cover image for 'Staff the Service Desk to Meet Demand'.
    Click picture for a link to the blueprint

    Create and manage a knowledge base

    With a small team, it may seem redundant to create a knowledge base, but without key system and process workflows and runbooks, an organization is still at risk of bottlenecks and knowledge failure.

    • Use a knowledge base to document pre-escalation troubleshooting steps, known errors and workarounds, and runbook solutions.
    • Where incidents may have many root causes, document which are the most frequent solutions and where variations are typically used.
    • Start with an inventory of personal documents, compare and consolidate into the knowledge base, and ensure they are accurate and up to date.
    • Assign someone to review articles on a regular basis and flag for editing and archiving as the technical environment changes.
    • Supplement with vendor-provided or purchased content. Two options for purchased content include RightAnswers or Netformx.

    Info-Tech Insight

    Appeal to a broad audience. Use non-technical language whenever possible to help less technical readers. Identify error messages and use screenshots where it makes sense. Take advantage of social features like voting buttons to increase use.

    Optimize the service desk with a shift-left strategy

    • “Shift left” is a strategy which moves appropriate technical work to users through knowledge articles, automation and service catalogs, freeing up time for technicians to work on more complex issues.
    • Many organizations have built a great knowledge base but fail to see the value of it over time as it becomes overburdened with overlapping and out-of-date information. Knowledge capture, updating, and review must be embedded into your processes if you want to keep the knowledge base useful.
    • Similarly, the self-service portal is often deployed out of the box with little input from end users and fails to deliver its intended benefits. The portal needs to be designed from the end user’s point of view with the goal of self-resolution if it will serve its purpose of deflecting tickets.

    Cover image for 'Optimize the Service Desk With a Shift-Left Strategy'.
    Click picture for a link to the blueprint

    Customer service isn’t just about friendliness

    Your team will all need to deal with end users at some point, and that may occur in times of high stress. Ensure the team has the skills they need to actively listen, stay positive, and de-escalate.

    Info-Tech’s customer service program is a modular approach to improve skills one area at a time. Delivering good customer service means being effective in these areas:
    • Customer focus – Focus on the customer and use a positive, caring, and helpful attitude.
    • Listening and verbal communication skills – Demonstrate empathy and patience, actively listen, and speak in user-friendly ways to help get your point across.
    • Written communication skills – Use appropriate tone, language, and terms in writing (whether via chat, email, or other).
    • Manage difficult situations – Remain calm and in control when dealing with difficult customers and situations.
    • Go the extra mile – Go beyond simply resolving the request to make each interaction positive and memorable.

    Deliver a customer service training program to your IT department

    • There’s a common misconception that customer service skills can’t be taught, so no effort is made to improve those skills.
    • Even when there is a desire to improve customer service, it’s hard for IT teams to make time for training and improvement when they’re too busy trying to keep up with tickets.
    • A talented service desk agent with both great technical and customer service skills doesn’t have to be a rare unicorn, and an agent without innate customer service skills isn’t a lost cause. Relevant and impactful customer service habits, techniques, and skills can be taught through practical, role-based training.
    • IT leaders can make time for this training through targeted, short modules along with continual on-the-job coaching and development.

    Cover image for 'Deliver Customer Service Training Program to Your IT Department'.
    Click picture for a link to the blueprint

    Improve your ticket analysis

    Once you’ve got great data coming into the ticketing system, it’s important to rethink your metrics and determine if there are more insights to be found.

    Analyzing ticket data involves:
    • Collecting ticket data and keeping it clean. Based on the metrics you’re analyzing, define ticket expectations and keep the data up to date.
    • Showing the value of the service desk. SLAs are meaningless if they are not met consistently. The prerequisite to implementing proper SLAs is fully understanding the proper workload of the service desk.
    • Understanding – and improving – the user experience. You cannot improve the user experience without meaningful metrics that allow you to understand the user experience. Different user groups will have different needs and different expectations of the level of service. Your metrics should reflect those needs and expectations.

    Analyze your service desk ticket data

    Properly analyzing ticket data is challenging for the following reasons:
    • Poor ticket hygiene and unclear ticket handling
    • Service desk personnel are not sure where to start with analysis
    • Too many metrics are tracked to parse actionable data from the noise
    Ticket data won’t give you a silver bullet, but it can help point you in the right direction.

    Cover image for 'Analyze Your Service Desk Ticket Data'.
    Click picture for a link to the blueprint

    Start doing problem management

    Proactively focusing on root cause analysis will reduce the most disruptive incidents to the organization.

    • A focus on elimination of critical incidents and the more disruptive recurring incidents will reduce future workloads for the team and improve customer satisfaction.
    • This can be challenging when the team is already struggling with workload; however, setting a regular cadence to review tickets, looking for trends, and identifying at least one focus area a month can be a positive outcome for everyone.
    • Focus on the most impactful ticket or service first. The initial goal should be to reduce or eliminate critical and high-impact incidents. Once the high-stress situations are reduced, proactively scheduling the smaller but still time-consuming repeatable incidents can be done.
    • Where you have vendors involved, work with them to determine when root cause analysis must happen and where they’ll need to coordinate with your team or other supporting vendors.

    Problem management

    Problem management can be challenging because it requires skills and knowledge to go deep into a problem and troubleshoot the root cause of an issue, but it also requires uninterrupted time.
    • Problem management, however, can be taught, and the issue isn’t always hard to spot if you have time to look.
    • Using tried and true methods for walking through an issue step by step will enable the team to improve their investigative and troubleshooting skills.
    • Reduction of one or two major incidents and recurring incidents per month will pay off quickly in reducing reactive ticket volume and improve customer satisfaction.

    Cover image for 'Problem Management'.
    Click picture for a link to the blueprint

    Create your roadmap with high-level requirements

    Determine what tasks and projects need to be completed to meet your improvement goals. Create a high-level project plan and balance with existing resources.

    Roadmap of high-level requirements with 'Goals' as row headers and their timelines mapped out across fiscal quarters.

    Bibliography

    Taylor, Sharon and Ivor Macfarlane. ITIL Small Scale Implementation. Office of Government Commerce, 2005.

    “Share, Collaborate, and Communicate on One Consistent Platform.” Liferay, n.d. Accessed 19 July 2022.

    Rodela, Jimmy. “A Beginner’s Guide to Customer Self-Service.” The Ascent, 18 May 2022. Web.

    Manage Service Catalogs

    • Buy Link or Shortcode: {j2store}44|cart{/j2store}
    • Related Products: {j2store}44|crosssells{/j2store}
    • member rating overall impact: 9.0/10
    • member rating average dollars saved: $3,956
    • member rating average days saved: 24
    • Parent Category Name: Service Planning and Architecture
    • Parent Category Link: /service-planning-and-architecture

    The challenge

    • Your business users may not be aware of the full scope of your services.
    • Typically service information is written in technical jargon. For business users, this means that the information will be tough to understand.
    • Without a service catalog, you have no agreement o what is available, so business will assume that everything is.

    Our advice

    Insight

    • Define your services from a user's or customer perspective.
      • When your service catalog contains too much information that does not apply to most users, they will not use it.
    • Separate the line-of-business services from enterprise services. It simplifies your documentation process and makes the service catalog more comfortable to use.

    Impact and results 

    • Our approach helps you organize your service catalog in a business-friendly way while keeping it manageable for IT.
    • And manageable also means that your service catalog remains a living document. You can update your service records easily.
    • Your service catalog forms a visible bridge between IT and the business. Improve IT's perception by communicating the benefits of the service catalog.

    The roadmap

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    Get started

    Our concise executive brief shows you why building a service catalog is a good idea for your company. We'll show you our methodology and the ways we can help you in handling this.

    Minimize the risks from attrition through an effective knowledge transfer process.

    Launch the initiative

    Our launch phase will walk you through the charter template, build help a balanced team, create your change message and communication plan to obtain buy-in from all your organization's stakeholders.

    • Design & Build a User-Facing Service Catalog – Phase 1: Launch the Project (ppt)
    • Service Catalog Project Charter (doc)

    Identify and define the enterprise services

    Group enterprise services which you offer to everyone in the company, logically together.

    • Design & Build a User-Facing Service Catalog – Phase 2: Identify and Define Enterprise Services (ppt)
    • Sample Enterprise Services (ppt)

    Identify and define your line-of-business (LOB) services

    These services apply only to one business line. Other business users should not see them in the catalog.

    • Design & Build a User-Facing Service Catalog – Phase 3: Identify and Define Line of Business Services (ppt)
    • Sample LOB Services – Industry Specific (ppt)
    • Sample LOB Services – Functional Group (ppt)

    Complete your services definition chart

    Complete this chart to allow the business to pick what services to include in the service catalog. It also allows you to extend the catalog with technical services by including IT-facing services. Of course, separated-out only for IT.

    • Design & Build a User-Facing Service Catalog – Phase 4: Complete Service Definitions (ppt)
    • Services Definition Chart (xls)

    Map Technical Skills for a Changing Infrastructure & Operations Organization

    • Buy Link or Shortcode: {j2store}333|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: 5 Average Days Saved
    • member rating average days saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • Parent Category Name: Strategy and Organizational Design
    • Parent Category Link: /strategy-and-organizational-design
    • Infrastructure & Operations is changing rapidly. It’s a constant challenge to find the right skills to support the next new technology while at the same time maintaining the skills in house that allow you to support your existing platforms.
    • A lack of clarity around required skills makes finding the right skills difficult, and it’s not clear whether you should train, hire, contract, or outsource to address gaps.
    • You need to keep up with changes and new strategy while continuing to support your existing environment.

    Our Advice

    Critical Insight

    • Take a strategic approach to acquiring skills – looking only as far as the needs of the next project will lead to a constant skills shortage with no plan for it to be addressed.
    • Begin by identifying your future state. Identify needed skills in the organization to support planned projects and initiatives, and to mitigate skills-related risks.

    Impact and Result

    • Leverage your infrastructure roadmap and cloud strategy to identify needed skills in your future state environment.
    • Decide how you’ll acquire needed skills based on the characteristics of need for each skill.
    • Communicate the change and create a plan of action for the skills transformation.

    Map Technical Skills for a Changing Infrastructure & Operations Organization Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should map technical skills for a changing Infrastructure & Operations organization, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Identify skills needs for the future state environment

    Identify what skills are needed based on where the organization is going.

    • Map Technical Skills for a Changing Infrastructure & Operations Organization – Phase 1: Identify Skills Needs for Your Future State Environment
    • Future State Playbook
    • IT/Cloud Solutions Architect
    • IT/Cloud Engineer
    • IT/Cloud Administrator
    • IT/Cloud Demand Billing & Accounting Analyst

    2. Acquire needed skills

    Ground skills acquisition decisions in the characteristics of need.

    • Map Technical Skills for a Changing Infrastructure & Operations Organization – Phase 2: Acquire Needed Skills
    • Technical Skills Map

    3. Maximize the value of the skills map

    Get stakeholder buy-in; leverage the skills map in other processes.

    • Map Technical Skills for a Changing Infrastructure & Operations Organization – Phase 3: Maximize the Value of Your Skills Map
    • Technical Skills Map Communication Deck Template
    [infographic]

    Workshop: Map Technical Skills for a Changing Infrastructure & Operations Organization

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Review Initiatives and Skills-Related Risks

    The Purpose

    Identify process and skills changes required by the future state of your environment.

    Key Benefits Achieved

    Set foundation for alignment between strategy-defined technology initiatives and needed skills.

    Activities

    1.1 Review the list of initiatives and projects with the group.

    1.2 Identify how key support, operational, and deployment processes will change through planned initiatives.

    1.3 Identify skills-related risks and pain points.

    Outputs

    Future State Playbook

    2 Identify Needed Skills and Roles

    The Purpose

    Identify process and skills changes required by the future state of your environment.

    Key Benefits Achieved

    Set foundation for alignment between strategy-defined technology initiatives and needed skills.

    Activities

    2.1 Identify skills required to support the new environment.

    2.2 Map required skills to roles.

    Outputs

    IT/Cloud Architect Role Description

    IT/Cloud Engineer Role Description

    IT/Cloud Administrator Role Description

    3 Create a Plan to Acquire Needed Skills

    The Purpose

    Create a skills acquisition strategy based on the characteristics of need.

    Key Benefits Achieved

    Optimal skills acquisition strategy defined.

    Activities

    3.1 Modify impact scoring scale for key skills decision factors.

    3.2 Apply impact scoring scales to needed skills

    3.3 Decide whether to train, hire, contract, or outsource to acquire needed skills.

    Outputs

    Technical Skills Map

    4 Develop a Communication Plan

    The Purpose

    Create an effective communication plan for different stakeholders across the organization.

    Identify opportunities to leverage the skills map elsewhere.

    Key Benefits Achieved

    Create a concise, clear, consistent, and relevant change message for stakeholders across the organization.

    Activities

    4.1 Review skills decisions and decide how you will acquire skills in each role.

    4.2 Update roles descriptions.

    4.3 Create a change message.

    4.4 Identify opportunities to leverage the skills map in other processes.

    Outputs

    Technical Skills Map Communication Deck

    Govern Shared Services

    • Buy Link or Shortcode: {j2store}459|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Operations Management
    • Parent Category Link: /i-and-o-process-management
    • IT managers have come under increasing pressure to cut costs, and implementing shared services has become a popular demand from the business.
    • Business unit resistance to a shared services implementation can derail the project.
    • Shared services rearranges responsibilities within existing IT departments, potentially leaving no one accountable for project success and causing cost overruns and service performance failures.

    Our Advice

    Critical Insight

    • Over one-third of shared services implementations increase IT costs, due to implementation failures. Ineffective governance plays a major role in the breakdown of shared services, particularly when it does not overcome stakeholder resistance or define clear areas of responsibility.
    • Effective governance of a shared services implementation requires the IT leader to find the optimal combination of independence and centralization for the shared service provider.
    • Three primary models exist for governing shared services: entrepreneurial, mandated, and market-based. Each one occupies a different location in the trade-off of independence and centralization. The optimal model for a specific situation depends on the size of the organization, the number of participants, the existing trend towards centralization, and other factors.

    Impact and Result

    • Find the optimal governance model for your organization by weighing the different likely benefits and costs of each path.
    • Assign appropriate individual responsibilities to participants, so you can effectively scope your service offering and fund your implementation.
    • Support the governance effort effectively using published Info-Tech tools and templates.

    Govern Shared Services Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Understand each of the governance models and what each entails

    Build a plan for governing an implementation.

    • Storyboard: Govern Shared Services
    • None

    2. Choose the optimal approach to shared services governance

    Maximize the net benefit conferred by governance.

    • Shared Services Governance Strategy Roadmap Tool
    [infographic]

    Legacy Active Directory Environment

    • Buy Link or Shortcode: {j2store}471|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Cloud Strategy
    • Parent Category Link: /cloud-strategy

    You are looking to lose your dependency on Active Directory (AD), and you need to tackle infrastructure technical debt, but there are challenges:

    • Legacy apps that are in maintenance mode cannot shed their AD dependency or have hardware upgrades made.
    • You are unaware of what processes depend on AD and how integrated they are.
    • Departments invest in apps that are integrated with AD without informing you until they ask for Domain details after purchasing.

    Our Advice

    Critical Insight

    • Remove your dependency on AD one application at a time. If you are a cloud-first organization, rethink your AD strategy to ask “why” when you add a new device to your Active Directory.
    • With the advent of hybrid work, AD is now a security risk. You need to shore up your security posture. Think of zero trust architecture.
    • Take inventory of your objects that depend on Kerberos and NTML and plan on removing that barrier through applications that don’t depend on AD.

    Impact and Result

    Don’t allow Active Directory services to dictate your enterprise innovation and modernization strategies. Determine if you can safely remove objects and move them to a cloud service where your Azure AD Domain Services can handle your authentication and manage users and groups.

    Legacy Active Directory Environment Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Legacy Active Directory Environment Deck – Legacy AD was never built for modern infrastructure. Understand the history and future of Active Directory and what alternatives are in the market.

    Build all new systems with cloud integration in mind. Many applications built in the past had built-in AD components for access, using Kerberos and NTLM. This dependency has prevented organizations from migrating away from AD. When assessing new technology and applications, consider SaaS or cloud-native apps rather than a Microsoft-dependent application with AD ingrained in the code.

    • Legacy Active Directory Environment Storyboard
    [infographic]

    Further reading

    Legacy Active Directory Environment

    Kill the technical debt of your legacy Active Directory environment.

    Analyst Perspective

    Understand what Active Directory is and why Azure Active Directory does not replace it.

    It’s about Kerberos and New Technology LAN Manager (NTLM).

    The image contains a picture of John Donovan.

    Many organizations that want to innovate and migrate from on-premises applications to software as a service (SaaS) and cloud services are held hostage by their legacy Active Directory (AD). Microsoft did a good job taking over from Novell back in the late 90s, but its hooks into businesses are so deep that many have become dependent on AD services to manage devices and users, when in fact AD falls far short of needed capabilities, restricting innovation and progress.

    Despite Microsoft’s Azure becoming prominent in the world of cloud services, Azure AD is not a replacement for on-premises AD. While Azure AD is a secure authentication store that can contain users and groups, that is where the similarities end. In fact, Microsoft itself has an architecture to mitigate the shortcomings of Azure AD by recommending organizations migrate to a hybrid model, especially for businesses that have an in-house footprint of servers and applications.

    If you are a greenfield business and intend to take advantage of software, infrastructure, and platform as a service (SaaS, IaaS, and PaaS), as well as Microsoft 365 in Azure, then Azure AD is for you and you don’t have to worry about the need for AD.

    John Donovan
    Principal Director, I&O Practice
    Info-Tech Research Group

    Insight Summary

    Legacy AD was never built for modern infrastructure

    When Microsoft built AD as a free component for the Windows Server environment to replace Windows NT before the demise of Novell Directory Services in 2001, it never meant Active Directory to work outside the corporate network with Microsoft apps and devices. While it began as a central managing system for users and PCs on Microsoft operating systems, with one user per PC, the IT ecosystem has changed dramatically over the last 20 years, with cloud adoption, SaaS, IaaS, PaaS, and everything as a service. To make matters worse, work-from-anywhere has become a serious security challenge.

    Build all new systems with cloud integration in mind

    Many applications built in the past had built-in AD components for access, using Kerberos and NTLM. This dependency has prevented organizations from migrating away from AD. When assessing new technology and applications, consider SaaS or cloud-native apps rather than a Microsoft-dependent application with AD ingrained in the code. Ensure you are engaged when the business is assessing new apps. Stop the practice of the business purchasing apps without IT’s involvement; for example, if your marketing department is asking you for your Domain credentials for a vendor when you were not informed of this purchase.

    Hybrid AD is a solution but not a long-term goal

    Economically, Microsoft has no interest in replacing AD anytime soon. Microsoft wants that revenue and has built components like Azure AD Connect to mitigate the AD dependency issue, which is basically holding your organization hostage. In fact, Microsoft has advised that a hybrid solution will remain because, as we will investigate, Azure AD is not legacy AD.

    Executive Summary

    Your Challenge

    Common Obstacles

    Info-Tech’s Approach

    You are looking to lose your dependency on Active Directory, and you need to tackle infrastructure technical debt, but there are challenges.

    • Legacy apps that are in maintenance mode cannot shed their AD dependency or have hardware upgrades made.
    • You are unaware of what processes depend on AD and how integrated they are.
    • Departments invest in apps that are integrated with AD without informing you until they ask for Domain details after purchasing.
    • Legacy applications can prevent you from upgrading servers or may need to be isolated due to security concerns related to inadequate patching and upgrades.
    • You do not see any return on investment in AD maintenance.
    • Mergers and acquisitions can prevent you from migrating away from AD if one company is dependent on AD and the other is fully in the cloud. This increases technical debt.
    • Remove your dependency on AD one application at a time. If you are a cloud-first organization, rethink your AD strategy to ask “why” when you add a new device to your Active Directory.
    • With the advent of hybrid work, AD is now a security risk. You need to shore up your security posture. Think of zero trust architecture.
    • Take inventory of your objects that depend on Kerberos and NTML and plan on removing that barrier through applications that don’t depend on AD.

    Info-Tech Insight

    Don’t allow Active Directory services to dictate your enterprise innovation and modernization strategies. Determine if you can safely remove objects and move them to a cloud service where your Azure AD Domain Services can handle your authentication and manage users and groups.

    The history of Active Directory

    The evolution of your infrastructure environment

    From NT to the cloud

    AD 2001 Exchange Server 2003 SharePoint 2007 Server 2008 R2 BYOD Security Risk All in Cloud 2015
    • Active Directory replaces NT and takes over from Novell as the enterprise access and control plane.
    • With slow WAN links, no cellphones, no tablets, and very few laptops, security was not a concern in AD.
    • In 2004, email becomes business critical.
    • This puts pressure on links, increases replication and domains, and creates a need for multiple identities.
    • Collaboration becomes pervasive.
    • Cross domain authentication becomes prevalent across the enterprise.
    • SharePoint sites need to be connected to multiple Domain AD accounts. More multiple identities are required.
    • Exchange resource forest rolls out, causing the new forest functional level to be a more complex environment.
    • Fine-grained password policies have impacted multiple forests, forcing them to adhere to the new password policies.
    • There are powerful Domain controllers, strong LAN and WAN connections, and an increase in smartphones and laptops.
    • Audits and compliance become a focus, and mergers and acquisitions add complexity. Security teams are working across the board.
    • Cloud technology doesn’t work well with complicated, messy AD environment. Cloud solutions need simple, flat AD architecture.
    • Technology changes after 15+ years. AD becomes the backbone of enterprise infrastructure. Managers demand to move to cloud, building complexity again.

    Organizations depend on AD

    AD is the backbone of many organizations’ IT infrastructure

    73% of organizations say their infrastructure is built on AD.

    82% say their applications depend on AD data.

    89% say AD enables authenticated access to file servers.

    90% say AD is the main source for authentication.

    Source: Dimensions research: Active Directory Modernization :

    Info-Tech Insight

    Organizations fail to move away from AD for many reasons, including:

    • Lack of time, resources, budget, and tools.
    • Difficulty understanding what has changed.
    • Migrating from AD being a low priority.

    Active Directory components

    Physical and logical structure

    Authentication, authorization, and auditing

    The image contains a screenshot of the active directory components.

    Active Directory has its hooks in!

    AD creates infrastructure technical debt and is difficult to migrate away from.

    The image contains a screenshot of an active directory diagram.

    Info-Tech Insight

    Due to the pervasive nature of Active Directory in the IT ecosystem, IT organizations are reluctant to migrate away from AD to modernize and innovate.

    Migration to Microsoft 365 in Azure has forced IT departments’ hand, and now that they have dipped their toe in the proverbial cloud “lake,” they see a way out of the mounting technical debt.

    AD security

    Security is the biggest concern with Active Directory.

    Neglecting Active Directory security

    98% of data breaches came from external sources.

    Source: Verizon, Data Breach Report 2022

    85% of data breach took weeks or even longer to discover.

    Source: Verizon Data Breach Report, 2012

    The biggest challenge for recovery after an Active Directory security breach is identifying the source of the breach, determining the extent of the breach, and creating a safe and secure environment.

    Info-Tech Insight

    Neglecting legacy Active Directory security will lead to cyberattacks. Malicious users can steal credentials and hijack data or corrupt your systems.

    What are the security risks to legacy AD architecture?

    • It's been 22 years since AD was released by Microsoft, and it has been a foundational technology for most businesses over the years. However, while there have been many innovations over those two decades, like Amazon, Facebook, iPhones, Androids, and more, Active Directory has remained mostly unchanged. There hasn’t been a security update since 2016.
    • This lack of security innovation has led to several cyberattacks over the years, causing businesses to bolt on additional security measures and added complexity. AD is not going away any time soon, but the security dilemma can be addressed with added security features.

    AD event logs

    84% of organizations that had a breach had evidence of that breach in their event logs.

    Source: Verizon Data Breach Report, 2012

    What is the business risk

    How does AD impact innovation in your business?

    It’s widely estimated that Active Directory remains at the backbone of 90% of Global Fortune 1000 companies’ business infrastructure (Lepide, 2021), and with that comes risk. The risks include:

    • Constraints of AD and growth of your digital footprint
    • Difficulty integrating modern technologies
    • Difficulty maintaining consistent security policies
    • Inflexible central domains preventing innovation and modernization
    • Inability to move to a self-service password portal
    • Vulnerability to being hacked
    • BYOD not being AD friendly

    AD is dependent on Windows Server

    1. Even though AD is compliant with LDAP, software vendors often choose optional features of LDAP that are not supported by AD. It is possible to implement Kerberos in a Unix system and establish trust with AD, but this is a difficult process and mistakes are frequent.
    2. Restricting your software selection to Windows-based systems reduces innovation and may hamper your ability to purchase best-in-class applications.

    Azure AD is not a replacement for AD

    AD was designed for an on-premises enterprise

    The image contains a screenshot of a Azure AD diagram.

    • Despite Microsoft’s Azure becoming prominent in the world of cloud services, Azure AD is not a replacement for on-premises AD.
    • In fact, Microsoft itself has an architecture to mitigate the shortcomings of Azure AD by recommending organizations migrate to a hybrid model, especially those businesses that have an in-house footprint of servers and applications.
    • If you are a greenfield business and intend to take advantage of SaaS, IaaS, and PaaS, as well as Microsoft 365 in Azure, then Azure AD is for you and you don’t have to worry about the need for AD.

    "Azure Active Directory is not designed to be the cloud version of Active Directory. It is not a domain controller or a directory in the cloud that will provide the exact same capabilities with AD. It actually provides many more capabilities in a different way.

    That’s why there is no actual ‘migration’ path from Active Directory to Azure Active Directory. You can synchronize your on-premises directories (Active Directory or other) to Azure Active Directory but not migrate your computer accounts, group policies, OU etc."

    – Gregory Hall,
    Brand Representative for Microsoft
    (Source: Spiceworks)

    The hybrid model for AD and Azure AD

    How the model works

    The image contains a screenshot of a hybrid model for AD and Azure AD.

    Note: AD Federated Services (ADFS) is not a replacement for AD. It’s a bolt-on that requires maintenance, support, and it is not a liberating service.

    Many companies are:

    • Moving to SaaS solutions for customer relationship management, HR, collaboration, voice communication, file storage, and more.
    • Managing non-Windows devices.
    • Moving to a hybrid model of work.
    • Enabling BYOD.

    Given these trends, Active Directory is becoming obsolete in terms of identity management and permissions.

    The difference between AD Domain Services and Azure AD DS

    One of the core principles of Azure AD is that the user is the security boundary, not the network.

    Kerberos is the default authentication and authorization protocol for AD. Kerberos is involved in nearly everything from the time you log on to accessing Sysvol, which is used to deliver policy and logon scripts to domain members from the Domain Controller.

    Info-Tech Insight

    If you are struggling to get away from AD, Kerberos and NTML are to blame. Working around them is difficult. Azure AD uses SAML2.0 OpenID Connect and OAuth2.0.

    Feature Azure AD DS Self-managed AD DS
    Managed service
    Secure deployments Administrator secures the deployment
    DNS server ✓ (managed service)
    Domain or Enterprise administrator privileges
    Domain join
    Domain authentication using NTLM and Kerberos
    Kerberos-constrained delegation Resource-based Resource-based and account-based
    Custom OU structure
    Group Policy
    Schema extensions
    AD domain/forest trusts ✓ (one-way outbound forest trusts only)
    Secure LDAP (LDAPS)
    LDAP read
    LDAP write ✓ (within the managed domain)
    Geo-distributed deployments

    Source: “Compare self-managed Active Directory Domain Services...” Azure documentation, 2022

    Impact of work-from-anywhere

    How AD poses issues that impact the user experience

    IT organizations are under pressure to enable work-from-home/work-from-anywhere.

    • IT teams regard legacy infrastructure, namely Active Directory, as inadequate to securely manage remote workloads.
    • While organizations previously used VPNs to access resources through Active Directory, they now have complex webs of applications that do not reside on premises, such as AWS, G-Suite, and SaaS customer relationship management and HR management systems, among others. These resources live outside the Windows ecosystem, complicating user provisioning, management, and security.
    • The work environment has changed since the start of COVID-19, with businesses scrambling to enable work-from-home. This had a huge impact on on-premises identity management tools such as AD, exposing their limitations and challenges. IT admins are all too aware that AD does not meet the needs of work-from-home.
    • As more IT organizations move infrastructure to the cloud, they have the opportunity to move their directory services to the cloud as well.
      • JumpCloud, OneLogin, Okta, Azure AD, G2, and others can be a solution for this new way of working and free up administrators from the overloaded AD environment.
      • Identity and access management (IAM) can be moved to the cloud where the modern infrastructure lives.
      • Alternatives for printers using AD include Google Cloud Print, PrinterOn, and PrinterLogic.

    How AD can impact your migration to Microsoft 365

    The beginning of your hybrid environment

    • Businesses that have a large on-premises footprint have very few choices for setting up a hybrid environment that includes their on-premises AD and Azure AD synchronization.
    • Microsoft 365 uses Azure AD in the background to manage identities.
    • Azure AD Connect will need to be installed, along with IdFix to identify errors such as duplicates and formatting problems in your AD.
    • Password hash should be implemented to synchronize passwords from on-premises AD so users can sign in to Azure without the need for additional single sign-on infrastructure.
    • Azure AD Connect synchronizes accounts every 30 minutes and passwords within two minutes.

    Alternatives to AD

    When considering retiring Active Directory from your environment, look at alternatives that can assist with those legacy application servers, handle Kerberos and NTML, and support LDAP.

    • JumpCloud: Cloud-based directory services. JumpCloud provides LDAP-as-a-Service and RADIUS-as-a-Service. It authenticates, authorizes, and manages employees, their devices, and IT applications. However, domain name changes are not supported.
    • Apache Directory Studio Pro: Written in Java, it supports LDAP v3–certified directory services. It is certified by Eclipse-based database utilities. It also supports Kerberos, which is critical for legacy Microsoft AD apps authentication.
    • Univention Corporate Server (UCS): Open-source Linux-based solution that has a friendly user interface and gets continuous security and feature updates. It supports Kerberos V5 and LDAP, works with AD, and is easy to sync. It also supports DNS server, DHCP, multifactor authentication and single sign-on, and APIs and REST APIs. However, it has a limited English knowledgebase as it is a German tool.

    What to look for

    If you are embedded in Windows systems but looking for an alternative to AD, you need a similar solution but one that is capable of working in the cloud and on premises.

    Aside from protocols and supporting utilities, also consider additional features that can help you retire your Active Directory while maintaining highly secure access control and a strong security posture.

    These are just a few examples of the many alternatives available.

    Market drivers to modernize your infrastructure

    The business is now driving your Active Directory migration

    What IT must deal with in the modern world of work:

    • Leaner footprint for evolving tech trends
    • Disaster recovery readiness
    • Dynamic compliance requirements
    • Increased security needs
    • The need to future-proof
    • Mergers and acquisitions
    • Security extending the network beyond Windows

    Organizations are making decisions that impact Active Directory, from enabling work-from-anywhere to dealing with malicious threats such as ransomware. Mergers and acquisitions also bring complexity with multiple AD domains.
    The business is putting pressure on IT to become creative with security strategies, alternative authentication and authorization, and migration to SaaS and cloud services.

    Activity

    Build a checklist to migrate off Active Directory.

    Discovery

    Assessment

    Proof of Concept

    Migration

    Cloud Operations

    ☐ Catalog your applications.

    ☐ Define your users, groups and usage.

    ☐ Identify network interdependencies and complexity.

    ☐ Know your security and compliance regulations.

    ☐ Document your disaster recovery plan and recovery point and time objectives (RPO/RTO).

    ☐ Build a methodology for migrating apps to IaaS.

    ☐ Develop a migration team using internal resources and/or outsourcing.

    ☐ Use Microsoft resources for specific skill sets.

    ☐ Map on-premises third-party solutions to determine how easily they will migrate.

    ☐ Create a plan to retire and archive legacy data.

    ☐ Test your workload: Start small and prove value with a phased approach.

    ☐ Estimate cloud costs.

    ☐ Determine the amount and size of your compute and storage requirements.

    ☐ Understand security requirements and the need for network and security controls.

    ☐ Assess network performance.

    ☐ Qualify and test the tools and solutions needed for the migration.

    ☐ Create a blueprint of your desired cloud environment.

    ☐ Establish a rollback plan.

    ☐ Identify tools for automating migration and syncing data.

    ☐ Understand the implications of the production-day data move.

    ☐ Keep up with the pace of innovation.

    ☐ Leverage 24/7 support via skilled Azure resources.

    ☐ Stay on top of system maintenance and upgrades.

    ☐ Consider service-level agreement requirements, governance, security, compliance, performance, and uptime.

    Related Info-Tech Research

    Manage the Active Directory in the Service Desk

    • Build and maintain your Active Directory with good data.
    • Actively maintaining the Active Directory is a difficult task that only gets more difficult with issues like stale accounts and privilege creep.

    SoftwareReviews: Microsoft Azure Active Directory

    • The Azure Active Directory (Azure AD) enterprise identity service provides SSO and multifactor authentication to help protect your users from 99.9% of cybersecurity attacks

    Define Your Cloud Vision

    • Don’t think about the cloud as an inevitable next step for all workloads. The cloud is merely another tool in the toolbox, ready to be used when appropriate and put away when it’s not needed. Cloud-first isn’t always the way to go.

    Bibliography

    “2012 Data Breach Investigations Report.” Verizon, 2012. Web.
    “2022 Data Breach Investigations Report.” Verizon, 2012. Web.
    “22 Best Alternatives to Microsoft Active Directory.” The Geek Page, 16 Feb 2022. Accessed 12 Sept. 2022.
    Altieri, Matt. “Infrastructure Technical Debt.” Device 42, 20 May 2019. Accessed Sept 2022.
    “Are You Ready to Make the Move from ADFS to Azure AD?’” Steeves and Associates, 29 April 2021. Accessed 28 Sept. 2022.
    Blanton, Sean. “Can I Replace Active Directory with Azure AD? No, Here’s Why.” JumpCloud, 9 Mar 2021. Accessed Sept. 2022.
    Chai, Wesley, and Alexander S. Gillis. “What is Active Directory and how does it work?” TechTarget, June 2021. Accessed 10 Sept. 2022.
    Cogan, Sam. “Azure Active Directory is not Active Directory!” SamCogan.com, Oct 2020. Accessed Sept. 2022.
    “Compare Active Directory to Azure Active Directory.” Azure documentation, Microsoft Learn, 18 Aug. 2022. Accessed 12 Sept. 2022.
    "Compare self-managed Active Directory Domain Services, Azure Active Directory, and managed Azure Active Directory Domain Services." Azure documentation, Microsoft Learn, 23 Aug. 2022. Accessed Sept. 2022.
    “Dimensional Research, Active Directory Modernization: A Survey of IT Professionals.” Quest, 2017. Accessed Sept 2022.
    Grillenmeier, Guido. “Now’s the Time to Rethink Active Directory Security.“ Semperis, 4 Aug 2021. Accessed Oct. 2013.
    “How does your Active Directory align to today’s business?” Quest Software, 2017, accessed Sept 2022
    Lewis, Jack “On-Premises Active Directory: Can I remove it and go full cloud?” Softcat, Dec.2020. Accessed 15 Sept 2022.
    Loshin, Peter. “What is Kerberos?” TechTarget, Sept 2021. Accessed Sept 2022.
    Mann, Terry. “Why Cybersecurity Must Include Active Directory.” Lepide, 20 Sept. 2021. Accessed Sept. 2022.
    Roberts, Travis. “Azure AD without on-prem Windows Active Directory?” 4sysops, 25 Oct. 2021. Accessed Sept. 2022.
    “Understanding Active Directory® & its architecture.” ActiveReach, Jan 2022. Accessed Sept. 2022.
    “What is Active Directory Migration?” Quest Software Inc, 2022. Accessed Sept 2022.

    Cybersecurity Priorities in Times of Pandemic

    • Buy Link or Shortcode: {j2store}381|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Security Processes & Operations
    • Parent Category Link: /security-processes-and-operations
    • Novel coronavirus 2019 (COVID-19) has thrown organizations around the globe into chaos as they attempt to continue operations while keeping employees safe.
    • IT needs to support business continuity – juggling available capacity and ensuring that services are available to end users – without clarity of duration, amid conditions that change daily, on a scale never seen before.
    • Security has never been more important than now. But…where to start? What are the top priorities? How do we support remote work while remaining secure?

    Our Advice

    Critical Insight

    • There is intense pressure to enable employees to work remotely, as soon as possible. IT is scrambling to enable access, source equipment to stage, and deploy products to employees, many of whom are unfamiliar with working from home.
    • There is either too much security to allow people to be productive or too little security to ensure that the organization remains protected and secure.
    • These events are unprecedented, and no plan currently exists to sufficiently maintain a viable security posture during this interim new normal.

    Impact and Result

    • Don’t start from scratch. Leverage your current security framework, processes, and mechanisms but tailor them to accommodate the new way of remote working.
    • Address priority security items related to remote work capability and its implications in a logical sequence. Some security components may not be as time sensitive as others.
    • Remain diligent! Circumstances may have changed, but the importance of security has not. In fact, IT security is likely more important now than ever before.

    Cybersecurity Priorities in Times of Pandemic Research & Tools

    Start here – read our Cybersecurity Priorities research.

    Our recommendations and the accompanying checklist tool will help you quickly get a handle on supporting a remote workforce while maintaining security in your organization.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Cybersecurity Priorities in Times of Pandemic Storyboard
    • Cybersecurity Priorities Checklist Tool
    [infographic]

    Develop the Right Message to Engage Buyers

    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Marketing Solutions
    • Parent Category Link: /marketing-solutions

    Sixty percent of marketers find it hard to produce high-quality content consistently. SaaS marketers have an even more difficult job due to the technical nature of content production. Without an easy content development strategy, marketers have an insurmountable task of continually creating interesting content for an audience they don’t understand.

    Globally, B2B SaaS marketers without the ability to consistently produce and activate quality content will experience:

    • High website bounce rates and low time on site
    • Low page views
    • A low percentage of return visitors
    • Low conversions
    • Low open and click-through rates on email campaigns

    Our Advice

    Critical Insight

    Marketing content that identifies the benefit of the product along with a deep understanding of the buyer pain points, desired value, and benefit proof points is a key driver in delivering value to a prospect, thereby increasing marketing metrics such as open rates, time on site, page views, and click-through rates.

    Impact and Result

    Marketers that activate the SoftwareReviews message mapping architecture will be able to crack the code on the formula for improving open and click-through rates.

    By applying the SoftwareReviews message mapping architecture, clients will be able to:

    • Quickly diagnose the current state of their content marketing effectiveness compared to industry metrics.
    • Compare their current messaging approach versus the key elements of the Message Map Architecture.
    • Create more compelling and relevant content that aligns with a buyer’s needs and journey.
    • Shrink marketing and sales cycles.
    • Increase the pace of content production.

    Develop the Right Message to Engage Buyers Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Develop the Right Message to Engage Buyers Executive Brief – A mapping architecture to enable marketers to crack the code on the formula for improving open and click-through rates.

    Through this blueprint marketers will learn how to shift content away from low-performing content that only focuses on the product and company to high-performing customer-focused content that answers the “What’s in it for me?” question for a buyer, increasing engagement and conversions.

    Infographic

    Further reading

    Develop the Right Message to Engage Buyers

    Drive higher open rates, time-on-site, and click-through rates with buyer-relevant messaging.

    Analyst Perspective

    Develop the right message to engage buyers.

    Marketers only have seven seconds to capture a visitor's attention but often don't realize that the space between competitors and their company is that narrow. They often miss the mark on content and create reams of product and company-focused messaging that result in high bounce rates, low page views, low return visits, low conversions, and low click-through rates.

    We wouldn't want to sit in a conversation with someone who only speaks about themselves, so why would it be any different when we buy something? Today's marketers must quickly hook their visitors with content that answers the critical question of "What's in it for me?"

    Our research finds that leading content marketers craft messaging that lets their audience ”know they know them,” points out what’s in it for them, and includes proof points of promised value. This simple, yet often missed approach, we call Message Mapping, which helps marketers grab a visitor’s initial attention and when applied throughout the customer journey will turn prospects into customers, lifelong buyers, advocates, and referrals.

    Photo of Terra Higginson, Marketing Research Director, SoftwareReviews.

    Terra Higginson
    Marketing Research Director
    SoftwareReviews

    Executive Summary

    Your Challenge

    Globally, B2B SaaS marketers without the ability to consistently produce and activate quality content will experience:

    • High website bounce rates and low time on site
    • Low page views
    • A low percentage of return visitors
    • Low conversions
    • Low open and click-through rates on email campaigns
    Sixty percent of marketers find it hard to produce high-quality content consistently. SaaS marketers have an even more difficult job due to the technical nature of content production. Without an easy content development strategy, marketers have an insurmountable task of continually creating interesting content for an audience they don’t understand.
    Common Obstacles

    Marketers struggle to create content that quickly engages the buyer because they lack:

    • Resources to create a high volume of quality content.
    • True buyer understanding.
    • Experience in how to align technical messaging with the buyer persona.
    • Easy-to-deploy content strategy tools.
    Even though most marketers will say that it’s important to produce interesting content, only 58% of B2B markers take the time to ask their customers what’s important to them. Without a true and deep understanding of buyers, marketers continue to invest their time and resources in an uninteresting product and company-focused diatribe.
    SoftwareReviews’ Approach

    By applying the SoftwareReviews’ message mapping architecture, clients will be able to:

    • Quickly diagnose the current state of their content marketing effectiveness compared to industry metrics.
    • Compare their current messaging approach against the key elements of the Message Map Architecture.
    • Create more compelling and relevant content that aligns with a buyer’s needs and journey.
    • Shrink marketing and sales cycles.
    • Increase the pace of content production.
    Marketers that activate the SoftwareReviews message mapping architecture will be able to crack the code on the formula for improving open and click-through rates.

    SoftwareReviews Insight

    Marketing content that identifies the benefit of the product, along with a deep understanding of the buyer pain points, desired value, and benefit proof-points, is a key driver in delivering value to a prospect, thereby increasing marketing metrics such as open rates, time on site, page views, and click-through rates.

    Your Challenge

    65% of marketers find it challenging to produce engaging content.

    Globally, B2B SaaS marketers without the ability to consistently produce and activate quality content will experience:

    • High website bounce rates and low time on site
    • Low page views
    • A low percentage of return visitors
    • Low conversions
    • Low open and click-through rates on email campaigns

    A staggering 60% of marketers find it hard to produce high-quality content consistently and 62% don’t know how to measure the ROI of their campaigns according to OptinMonster.

    SaaS marketers have an even more difficult job due to the technical nature of content production. Without an easy content development strategy, marketers have an insurmountable task of continually creating interesting content for an audience they don’t understand.


    Over 64% of marketers want to learn how to build a better content
    (Source: OptinMonster, 2021)

    Benchmark your content marketing

    Do your content marketing metrics meet the industry-standard benchmarks for the software industry?
    Visualization of industry benchmarks for 'Bounce Rate', 'Organic CTR', 'Pages/Session', 'Average Session Duration', '% of New Sessions', 'Email Open Rate', 'Email CTR', and 'Sales Cycle Length (Days)' with sources linked below.
    GrowRevenue, MarketingSherpa, Google Analytics, FirstPageSage, Google Analytics, HubSpot
    • Leaders will measure content marketing performance against these industry benchmarks.
    • If your content performance falls below these benchmarks, your content architecture may be missing the mark with prospective buyers.

    Common flaws in content messaging

    Why do marketers have a hard time consistently producing messaging that engages the buyer?

    Mistake #1

    Myopic Focus on Company and Product

    Content suffers a low ROI due to a myopic focus on the company and the product. This self-focused content fails to engage prospects and move them through the funnel.

    Mistake #2

    WIIFM Question Unanswered

    Content never answers the fundamental “What’s in it for me?” question due to a lack of true buyer understanding. This leads to an inability to communicate the value proposition to the prospect.

    Mistake #3

    Inability to Select the Right Content Format

    Marketers often guess what kind of content their buyers prefer without any real understanding or research behind what buyers would actually want to consume.

    Leaders Will Avoid the “Big Three” Pitfalls
    • While outdated content, poor content organization on your website, and poor SEO are additional strategic factors (outside the scope of this research), poor messaging structure will doom your content marketing strategy.
    • Leaders will be vigilant to diagnose current messaging structure and avoid:
      1. Making messaging all about you and your company.
      2. Failing to describe what’s in it for your prospects.
      3. Often guessing at what approach to use when structuring your messaging.

    Implications of poor content

    Without quality content, the sales and marketing cycles elongate and content marketing metrics suffer.
    • Lost sales: Research shows that B2B buyers are 57-70% done with their buying research before they ever contact sales.(Worldwide Business Research, 2022)
    • The buyer journey is increasingly digital: Research shows that 67% of the buyer's journey is now done digitally.(Worldwide Business Research, 2022)
    • Wasted time: In a Moz study of 750,000 pieces of content, 50% had zero backlinks, indicating that no one felt these assets were interesting enough to reference or share. (Moz, 2015)
    • Wasted money: SaaS companies spend $342,000 to $1,080,000 per year (or more) on content marketing. (Zenpost, 2022) The wrong content will deliver a poor ROI.

    50% — Half of the content produced has no backlinks. (Source: Moz, 2015)

    Content matters more than ever since 67% of the buyer's journey is now done digitally. (Source: Worldwide Business Research, 2022)

    Benefits of good content

    A content mapping approach lets content marketers:
    • Create highly personalized content. Content mapping helps marketers to create highly targeted content at every stage of the buyer’s journey, helping to nurture leads and prospects toward a purchase decision.
    • Describe “What’s in it for me?” to buyers. Remember that you aren’t your customer. Good content quickly answers the question “What’s in it for me?” (WIIFM) developed from the findings of the buyer persona. WIIFM-focused content engages a prospect within seven seconds.
    • Increase marketing ROI. Content marketing generates leads three times greater than traditional marketing (Patel, 2016).
    • Influence prospects. Investing in a new SaaS product isn’t something buyers do every day. In a new situation, people will often look to others to understand what they should do. Good content uses the principles of authority and social proof to build the core message of WIIFM. Authority can be conferred with awards and accolades, whereas social proof is given through testimonials, case studies, and data.
    • Build competitive advantage. Increase competitive advantage by providing content that aligns with the ideal client profile. Fifty-two percent of buyers said they were more likely to buy from a vendor after reading its content (1827 Marketing, 2022).
    Avoid value claiming. Leaders will use client testimonials as proof points because buyers believe peers more than they believe you.

    “… Since 95 percent of the people are imitators and only 5 percent initiators, people are persuaded more by the actions of others than by any proof we can offer. (Robert Cialdini, Influence: The Psychology of Persuasion)

    Full slide: 'Message Map Architecture'.

    Full slide: 'Message Map Template' with field descriptions and notes.

    Full slide: 'Message Map Template' with field descriptions, no notes.

    Full slide: 'Message Map Template' with blank fields.

    Full slide: 'Message Map Template' with 'Website Example segment.com' filled in fields.

    Full slide: 'Website Example segment.com' the website as it appears online with labels on the locations of elements of the message map.

    Full slide: 'Website Example segment.com' the website as it appears online with labels on the locations of elements of the message map.

    Full slide: 'Website Example segment.com' the website as it appears online with labels on the locations of elements of the message map.

    Full slide: 'Website Example segment.com' the website as it appears online with labels on the locations of elements of the message map.

    Email & Social Post Example

    Use the message mapping architecture to create other types of content.

    Examples of emails and social media posts as they appear online with labels on the locations of elements of the message map.

    Insight Summary

    Create Content That Matters

    Marketing content that identifies the benefit of the product along with a deep understanding of the buyer pain points, desired value, and benefit proof-points is a key driver in delivering value to a prospect, thereby increasing marketing metrics such as open rates, time on site, page views, and click-through rates.

    What’s in It for Me?

    Most content has a focus on the product and the company. Content that lacks a true and deep understanding of the buyer suffers low engagement and low conversions. Our research shows that all content must answer ”What’s in it for me?” for a prospect.

    Social Proof & Authority

    Buyers that are faced with a new and unusual buying experience (such as purchasing SaaS) look at what others say about the product (social proof) and what experts say about the product (authority) to make buying decisions.

    Scarcity & Loss Framing

    Research shows that scarcity is a strong principle of influence that can be used in marketing messages. Loss framing is a variation of scarcity and can be used by outlining what a buyer will lose instead of what will be gained.

    Unify the Experience

    Use your message map to structure all customer-facing content across Sales, Product, and Marketing and create a unified and consistent experience across all touchpoints.

    Close the Gap

    SaaS marketers often find the gap between product and company-focused content and buyer-focused content to be so insurmountable that they never manage to overcome it without a framework like message mapping.

    Related SoftwareReviews Research

    Sample of 'Create a Buyer Persona and Journey' blueprint.

    Create a Buyer Persona and Journey

    Make it easier to market, sell, and achieve product-market fit with deeper buyer understanding.
    • Reduce time and treasure wasted chasing the wrong prospects.
    • Improve product-market fit.
    • Increase open and click-through rates in your lead gen engine.
    • Perform more effective sales discovery and increase eventual win rates.
    Sample of 'Diagnose Brand Health to Improve Business Growth' blueprint.

    Diagnose Brand Health to Improve Business Growth

    Have a significant and well-targeted impact on business success and growth by knowing how your brand performs, identifying areas of improvement, and making data-driven decisions to fix it.
    • Importance of brand is recognized, endorsed, and prioritized.
    • Support and resources allocated.
    • All relevant data and information collected in one place.
    • Ability to make data-driven recommendations and decisions on how to improve.
    Sample of 'Build a More Effective Go-to-Market Strategy' blueprint.

    Build a More Effective Go-to-Market Strategy

    Creating a compelling Go-to-Market strategy, and keeping it current, is a critical software company function – as important as financial strategy, sales operations, and even corporate business development – given its huge impact on the many drivers of sustainable growth.
    • Align stakeholders on a common vision and execution plan.
    • Build a foundation of buyer and competitive understanding.
    • Deliver a team-aligned launch plan that enables commercial success.

    Bibliography

    Arakelyan, Artash. “How SaaS Companies Increase Their ROI With Content Marketing.” Clutch.co, 27 July 2018. Accessed July 2022.

    Bailyn, Evan. “Average Session Duration: Industry Benchmarks.” FirstPageSage, 16 March 2022. Accessed July 2022.

    Burstein, Daniel. “Marketing Research Chart: Average clickthrough rates by industry.” MarketingSherpa, 1 April 2014. Accessed July 2022.

    Cahoon, Sam. “Email Open Rates By Industry (& Other Top Email Benchmarks).” HubSpot, 10 June 2021. Accessed July 2022.

    Cialdini, Robert. Influence: Science and Practice. 5th ed. Pearson, 29 July 2008. Print.

    Cialdini, Robert. Influence: The Psychology of Persuasion. Revised ed. Harper Business, 26 Dec. 2006. Print.

    Content Marketing—Statistics, Evidence and Trends.” 1827 Marketing, 7 Jan. 2022. Accessed July 2022.

    Devaney, Erik. “Content Mapping 101: The Template You Need to Personalize Your Marketing.” HubSpot, 21 April 2022. Accessed July 2022.

    Hiscox Business Insurance. “Growing Your Business--and Protecting It Every Step of the Way.” Inc.com. 25 April 2022. Accessed July 2022.

    Hurley Hall, Sharon. “85 Content Marketing Statistics To Make You A Marketing Genius.” OptinMonster, 14 Jan. 2021. Accessed July 2022.

    Patel, Neil. “38 Content Marketing Stats That Every Marketer Needs to Know.” NeilPatel.com, 21 Jan. 2016. Web.

    Prater, Meg. “SaaS Sales: 7 Tips on Selling Software from a Top SaaS Company.” HubSpot, 9 June 2021. Web.

    Polykoff, Dave. “20 SaaS Content Marketing Statistics That Lead to MRR Growth in 2022.” Zenpost blog, 22 July 2022. Web.

    Rayson, Steve. “Content, Shares, and Links: Insights from Analyzing 1 Million Articles.” Moz, 8 Sept. 2015. Accessed July 2022.

    “SaaS Content Marketing: How to Measure Your SaaS Content’s Performance.” Ken Moo, 9 June 2022. Accessed July 2022.

    Taylor Gregory, Emily. “Content marketing challenges and how to overcome them.” Longitude, 14 June 2022. Accessed July 2022.

    Visitors Benchmarking Channels. Google Analytics, 2022. Accessed July 2022.

    WBR Insights. “Here's How the Relationship Between B2B Buying, Content, and Sales Reps Has Changed.” Worldwide Business Research, 2022. Accessed July 2022.

    “What’s a good bounce rate? (Here’s the average bounce rate for websites).” GrowRevenue.io, 24 Feb. 2020. Accessed July 2022.

    The State of Black Professionals in Tech

    • Buy Link or Shortcode: {j2store}550|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Engage
    • Parent Category Link: /engage
    • The experience of Black professionals in IT differs from their colleagues.
    • Job satisfaction is also lower for Black IT professionals.
    • For organizations to gain from the benefits of diversity, equity, and inclusion, they need to ensure they understand the landscape for many Black professionals.

    Our Advice

    Critical Insight

    • As an IT leader, you can make a positive difference in the working lives of your team; this is not just the domain of HR.
    • Employee goals can vary depending on the barriers that they encounter. IT leaders must ensure they have an understanding of unique employee needs to better support them, increasing their ability to recruit and retain.
    • Improve the experience of Black IT professionals by ensuring your organization has diversity in leadership and supports mentorship and sponsorship.

    Impact and Result

    • Use the data from Info-Tech’s analysis to inform your DEI strategy.
    • Learn about actions that IT leaders can take to improve the satisfaction and career advancement of their Black employees.

    The State of Black Professionals in Tech Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. The State of Black Professionals in Tech Report – A report providing you with advice on barriers and solutions for leaders of Black employees.

    IT leaders often realize that there are barriers impacting their employees but don’t know how to address them. This report provides insights on the barriers and actions that can help improve the lives of Black professionals in technology.

    • The State of Black Professionals in Tech Report

    Infographic

    Further reading

    The State of Black Professionals in Tech

    Keep inclusion at the forefront to gain the benefits from diversity.

    Analysts' Perspective

    The experience of Black professionals in technology is unique.

    Diversity in tech is not a new topic, and it's not a secret that technology organizations struggle to attract and retain Black employees. Ever since the early '90s, large tech organizations have been dealing with public critique of their lack of diversity. This topic is close to our hearts, but unfortunately while improvements have been made, progress is quite slow.

    In recent years, current events have once again brought diversity to the forefront for many organizations. In addition, the pandemic along with talent trends such as "the great resignation" and "quiet quitting" and preparations for a recession have not only impacted diversity at large but also Black professionals in technology. Our previous research has focused on the wider topic of Recruiting and Retaining People of Color in Tech, but we've found that the experiences of persons of color are not all the same.

    This study focuses on the unique experience of Black professionals in technology. Over 600 people were surveyed using an online tool; interviews provided additional insights. We're excited to share our findings with you.

    This is a picture of Allison Straker This is an image of Ugbad Farah

    Allison Straker
    Research Director
    Info-Tech Research Group

    Ugbad Farah
    Research Director
    Info-Tech Research Group

    Demographics

    In October 2021, we launched a survey to understand what the Black experience is like for people in technology. We wanted and received a variety of responses which would help us to understand how Black technology professionals experienced their working world. We received responses from 633 professionals, providing us with the data for this report.

    For more information on our survey demographics please see the appendix at this end of this report.

    A pie chart showing 26% black and 74% All Other

    26% of our respondents either identified as Black or felt the world sees them as Black.

    Professionals from various countries responded to the survey:

    • Most respondents were born in the US (52%), Canada (14%), India (14%), or Nigeria (4%).
    • Most respondents live in the US (56%), Canada (25%), Nigeria (2%), or the United Kingdom (2%).

    Companies with more diversity achieve more revenue from innovation

    Organizations do better and are more innovative when they have more diversity, a key ingredient in an organization's secret sauce.
    Organizations also benefit from engaged employees, yet we've seen that organizations struggle with both. Just having a certain number of diverse individuals is not enough. When it comes to reaping the benefits of diversity, organizations can flourish when employees feel safe bringing their whole selves to work.

    45% Innovation Revenue by Companies With Above-Average Diversity Scores
    26%

    Innovation Revenue by Companies With Below-Average Diversity Scores

    (Chart source: McKinsey, 2020)


    Companies with higher employee engagement experience 19.2% higher earnings.

    However, those with lower employee engagement experience 32.7% lower earnings.
    (DecisionWise, 2020)

    If your workforce doesn't reflect the community it serves, your business may be missing out on the chance to find great employees and break into new and growing markets, both locally and globally.
    Diversity makes good business sense.
    (Business Development Canada, 2023)

    A study about Black professionals

    Why is this about Black professionals and not other diverse groups?

    While there are a variety of diversity dimensions, it's important to understand what makes up a "multicultural workforce." There is more to diversity than gender, race, and ethnicity. Organizations need to understand that there is diversity within these groups and Black professionals have their own unique experience when it comes to entering and navigating tech that needs to be addressed.

    This image contains two bar graphs from the Brookfield Institute for Innovation and Entrepreneurship. They show the answers to two questions, sorted by the following categories: Black; Non-White; Asian; White. The questions are as follows: I feel comfortable to voice my opinion, even when it differs from the group opinion; I am part of the decision-making process at work.

    (Brookfield Institute for Innovation and Entrepreneurship, 2019)

    The solutions that apply to Black professionals are not only beneficial for Black employees but for all. While all demographics are unique, the solutions in this report can support many.

    Unsatisfied and underrepresented

    Less Black professionals responded as "satisfied" in their IT careers. The question is: How do we mend the Gap?

    Percentage of IT Professionals Who Reported Being Very Satisfied in Their Current Role

    • All Other Professionals: 34%
    • Black Professionals: 23%

    Black workers are underrepresented in most professional roles, especially computer and math Occupations

    A bar graph showing representation of black workers in the total workforce compared to computer and mathematical science occupations.

    The gap in satisfaction

    What's Important?

    Our research suggests that the differences in satisfaction among ethnic groups are related to differences in value systems. We asked respondents to rank what's important, and we explored why.

    Non-Black professionals rated autonomy and their manager working relationships as most important.

    For Black professionals, while those were important, #1 was promotion and growth opportunities, ranked #7 by all other professionals. This is a significant discrepancy.

    Recognition of my work/accomplishments also was viewed significantly differently, with Black professionals ranking it low on the list at #7 and all other professionals considering it very important at #3.

    All Other Professionals

    Black Professionals

    Two columns, containing metrics of satisfaction rated by Black Professionals, and All Other Professionals.

    Maslow's Hierarchy of Needs applies to job satisfaction

    In Maslow's hierarchy, it is necessary for people to achieve items lower on the hierarchy before they can successfully pursue the higher tiers.

    An image of Maslow's Hierarchy of Needs modified to apply to Job Satisfaction

    Too many Black professionals in tech are busy trying to achieve some of the lower parts of the hierarchy; it is stopping them from achieving elements higher up that can lead to job satisfaction.

    This can stop them from gaining esteem, importance, and ultimately, self-actualization. The barriers that impact safety and social belonging happen on a day-to-day basis, and so the day-to-day lives of Black professionals in tech can look very different from their counterparts.

    There are barriers that hinder and solutions that support employees

    An image showing barriers to success An image showing Actions for Success.
    There are various barriers that increase the likelihood for Black professionals to focus on the lower end of the needs hierarchy:

    These are among some of the solutions that, when layered, can support Black professionals in tech in moving up the needs hierarchy.

    Focusing on these actions can support Black professionals in achieving much needed job satisfaction.

    What does this mean?

    The minority experience is not a monolith

    The barriers that Black professionals encounter aren't limited to the same barriers as their colleagues, and too often this means that they aren't in a position to grow their careers in a way that leads to job satisfaction.

    There is a 11% gap between the satisfaction of Black professionals and their peers.

    Early Steps:
    Take time to understand the Black experience.

    As leaders, it's important to be aware that employee goals vary depending on the barriers they're battling with.

    Intermediate:
    If Black employees don't have strong relationships, networks, and mentorships it becomes increasingly difficult to navigate the path to upward mobility.

    As a leader, you can look for opportunities to bridge the gap on these types of conversations.

    Advanced:
    Black professionals in tech are not advancing like their counterparts.

    Creating clear career paths will not only benefit Black employees but also support your entire organization.

    Key metrics:

    • Engagement
    • Committed Executive Leadership
    • Development Opportunities
    • Organizational Programs

    Black respondents are significantly more likely to report barriers to their career advancement

    Common barriers

    Black professionals, like their colleagues, encounter barriers as they try to advance their careers. The barriers both groups encounter include microaggressions, racism, ageism, accessibility issues, sexual orientation, bias due to religion, lack of a career-supported network, gender bias, family status bias, and discrimination due to language/accents.

    What tops the list

    Microaggressions and racism are at the top of these barriers, but Black professionals also deal with other barriers that their colleagues may experience, such as gender-based bias, accessibility issues, religion, and more.

    One of these barriers alone can be difficult to deal with but when they are compounded it can be very difficult to navigate through the working environment in tech.

    A graph charting the impact of the common barriers

    What are microaggressions?

    Microaggression

    A statement, action, or incident regarded as an instance of indirect, subtle, or unintentional discrimination against members of a marginalized group such as a racial or ethnic minority.

    (Oxford Languages, 2023)

    Why are they significant?

    These things may seem innocent enough but the messaging that is received and the lasting impression is often far from it.

    Our research shows that racism and discrimination contribute to poor mental health among Black professionals.

    Examples

    • You're so articulate!
    • How do you always have different hair, can I touch it?
    • Where are you really from?
    • I don't see color.
    • I believe the most qualified person should get the job; everyone can succeed in this society if they work hard enough.

    "The experience of having to question whether something happened to you because of your race or constantly being on edge because your environment is hostile can often leave people feeling invisible, silenced, angry, and resentful."
    Dr. Joy Bradford,
    clinical Psychologist, qtd. In Pfizer

    It takes some time to get in the door

    For too many Black respondents, It took Longer than their peers to Find Technology Jobs.

    Both groups had some success finding jobs in "no time" – however, there was a difference. Thirty-four percent of "all others" found their jobs quickly, while the numbers were less for Black professionals, at 26%. There was also a difference at the opposite end of the spectrum. For 29% of Black professionals, it took seven months or longer to find their IT job, while that number is only 19% for their peers.

    .a graph showing time taken for respondents sorted by black; and all other.

    This points to the need for improvements in recruitment and career advancement.

    29% of Black respondents said that it took them 7 months or longer to find their technology job.

    Compared to 19% of all other professionals that selected the same response.

    And once they're in, it's difficult to advance

    Black Professionals are not Advancing as Quickly as their Colleagues. Especially when you look at their Experience.

    Our research shows that compared to all other ethnicities; Black participants were 55% more likely to report that they had no career advancement/promotion in their career. There is a bigger percentage of Black professionals who have never received a promotion; there's also a large number of Black professionals who have been working a significant amount time in the same role without a promotion.

    .Career Advancement

    A graph showing career advancement for the categories: Black and All Other.

    Black participants were 55% more likely to report that they had had no career advancement/promotion in their career.

    No advancement

    A graph showing the number of respondents who reported no career advancement over time, for the categories: Black; and All Other.

    There's a high cost to lack of engagement

    When employees feel disillusioned with things like career advancement and microaggressions, they often become disengaged. When you continuously have to steel yourself against microaggressions, racism, and other barriers, it prevents you from bringing your whole self to the office. The barriers can lead to what's been coined as "emotional tax." An emotional tax is the experience of feeling different from colleagues because of your inherent diversity and the associated negative effects on health, wellbeing, and the ability to thrive at work.

    Earnings of companies with higher employee engagement

    19.2%

    Earnings of companies with lower employee engagement

    -32.7%

    (DecisionWise, 2020)

    "I've conditioned myself for the corporate world, I don't bring my authentic self to work."
    Anonymous Interview Subject

    Lack of engagement also costs the organization in terms of turnover, something many organizations today are struggling with how to address. Organizations want to increase the ability of the workforce to remain in the organization. For Black employees, this gets harder when they're not engaged and they're the only one. When the emotional tax gets to be too much, this can lead to turnover. Turnover not only costs companies billions in profits, it also negatively impacts leadership diversity. It's difficult to imagine career growth when you don't see anyone that looks like you at the top. It is a challenge to see your future when there aren't others that you can relate to at top levels in the organization, leading to one of our interview subjects to muse, "How long can I last?"

    "Being Black in tech can be hard on your mental health. Your mind is constantly wondering, 'how long can I last?' "
    Anonymous Interview Subject

    Fewer Black professionals feel like they can be their authentic selves at work

    Authentic vs. Successes

    For many Black professionals, "code-switching," or altering the way one speaks and acts depending on context, becomes the norm to make others more comfortable. Many feel that being authentic and succeeding in the workplace are mutually exclusive.

    Programs and Resources

    We asked respondents "What's in place to build an inclusive culture at your company?" Most respondents (51% and 45%) reported that there were employee resource groups at their organizations.

    Do you feel you can be your authentic self at work?

    A bar graph showing 86% for All Other Professions, and 75% for Black Professionals

    A bar graph showing responses to the question What’s in place to build an inclusive culture at your company.

    What can be done?

    An image showing actions for success.

    There are various actions that organizations can take to help address barriers.

    It's important to ensure these are not put in as band-aid solutions but that they are carefully thought out and layered.

    Our findings demonstrate that remote work, career development, and DEI programs along with mentorship and diverse leadership are strong enablers of professional satisfaction. An unfortunate consequence, if professionals are not nurtured, is that we risk losing much needed talent to self-employment or to other organizations.

    There are several solutions

    Respondents were asked to distribute points across potential solutions that could lead to job satisfaction. The ratings showed that there were common solutions that could be leveraged across all groups.

    Respondents were asked what solutions were valuable for their career development.

    All groups were mostly aligned on the order of the solutions that would lead to career satisfaction; however, Black professionals rated the importance of employee resource groups as higher than their colleagues did.

    An image showing how respondents rate a number of categories, sorted into Ratings by Black Professionals, and Ratings by Other Professionals

    Mentorship and sponsorship are seen as key for all employees, as is of course training.

    However, employee resource groups (ERGs) were rated significantly higher for Black professionals and discussions around diversity were higher for their colleagues. This may be because other groups feel a need to learn more about diversity, whereas Black professionals live this experience on a day-to day basis, so it's not as critical for them.

    Double the number of satisfied Black professionals through mentorship and sponsorship

    a bar graph showing the number of very satisfied people with and without mentors/sponsors.

    Mentorship and sponsorship help to close the job satisfaction gap for Black IT professionals. The percentage of satisfied Black employees almost doubles when they have a mentor or sponsorship, moving the satisfaction rate to closer to all other colleagues.

    As leaders, you likely benefit from a few different advisors, and your staff should be able to benefit in the same way.

    They can have their own personal board of advisors, both inside and outside of your organization, helping them to navigate the working world in IT.

    To support your staff, provide guidance and coaching to internal mentors so that they can best support employees, and ensure that your organizational culture supports relationship building and trust.

    While all are critical, coaching, mentoring, and sponsorship are not the same

    Coaching

    Performance-driven guidance geared to support the employee with on-the-job performance. This could be a short-term relationship.

    Mentorship

    A relationship where the mentor provides guidance, information, and expertise to support the long-term career development of the mentee.

    Sponsorship

    The act of advocating on the behalf of another for a position, promotion, development opportunity, etc. over a longer period.

    For more information on setting up a mentorship program, see Optimize the Mentoring Program to Build a High Performing Learning Organization.

    On why mentorship and sponsorship are important:

    "With some degree of mentorship or sponsorship, it means that your ability to thrive or to have a positive experience in organizations increases substantially.

    Mentorship and sponsorship are very often the lynchpin of someone being successful and sticking with an organization.

    Sponsorship is an endorsement to other high-level stakeholders who very often are the gatekeepers of opportunity. Sponsors help to shepherd you through the gate."

    An Image of Carlos Thomas

    Carlos Thomas
    Executive Councilor, Info-Tech Research Group

    What is an employee resource group?

    IT Professionals rated ERGs as the third top driver of success at work

    Employee resource groups enable employees to connect in their workplace based on shared characteristics or life experiences.

    ERGs generally focus on providing support, enhancing career development, and contributing to personal development in the work environment. Some ERGs provide advice to the organization on how they can support their diverse employees.

    As leaders, you should support and encourage the formation of ERGs in your organization.

    What each ERG does will vary according to the needs of employees in your organization. Your role is to enable the ERGs as they are created and maintained.

    On setting up and leveraging employee resource groups:

    "Employee resource groups, when leveraged in an authentically intentional way, can be the some of the most impactful stakeholders in the development and implementation of the organizational diversity, equity, and inclusion strategy.

    ERGs are essential to the development of policies, programs, and initiatives that address the needs of equity-seeking groups and are key to driving organizational culture and employee wellbeing, in addition to hiring and recruitment.

    ERGs must be set up for success by having adequate resources to do the work, which includes adequate budgets, executive sponsorship, training, support, and capacity to do the work. According to a Great Place To Work survey (2021), 50% of ERGs identified the need for adequate resources as a challenge for carrying out the work.:"

    An image of Cinnamon Clark

    CINNAMON CLARK
    PRACTICE LEAD, DIVERSITY, EQUITY AND INCLUSION services, MCLEAN & CO

    There is a gap when it comes to diversity in leadership

    Representation at leadership levels is especially stagnant.

    Black Americans comprise 13.6% of the US population
    (2022 data from the US Census Bureau)

    And yet only 5.9% of the country's CEOs are Black, with only 6 (1%) at the top of Fortune 500 companies.
    (2021 data from the Bureau of Labor Statistics and Fortune.com)

    I've never worked for a company that has Black executives. It's difficult to envision long-term growth with an organization when you don't see yourself represented in leadership.
    – Anonymous Interview Subject

    Having diversity in your leadership team doubles satisfaction

    An image of a bar graph showing satisfaction for those who do, and do not see diversity in their company's leadership.

    Our research shows that Black professionals are more satisfied in their role when they see leaders that look like them.

    Satisfaction of other professionals is not as impacted by diversity in leadership as for Black professionals. Satisfaction doubles in organizations that have a diverse leadership team.

    To reap the benefits from diversity, we need to ensure diversity is not just in entry or mid-level positions and provide employees an opportunity to see diversity in their company's leadership.

    On the need for diversity in leadership:

    "As a Black professional leader, it's not lost on me that I have a responsibility. I have to demonstrate authenticity, professionalism, and exemplary behavior that others can mimic. And I must also showcase that there are possibilities for those coming up in their career. I feel very grateful that I can bestow onto others my knowledge, my experience, my journey, and the tips that I've used to help bring me to be where I am.
    (Having Black leaders in an organization) demonstrates that there is talent across the board, that there are all types of women and people with proficiencies. What it brings to the table is a difference in thoughts and experience.
    A person like myself, sitting at the table, can bring a unique perspective on employee behavior and employee impact. CCL is an organization focused on equity, diversity, and inclusion; for sure having me at the table and others that look like me at the table demonstrates to the public an organization that's practicing what it preaches."

    An image of C. Fara Francis

    C. Fara Francis
    CIO, Center for creative leadership

    Work from home

    While all groups have embraced the work-from-home movement, many Black professionals find it reduces the impact of racial incidents in the workplace.

    Percentage of employees who experienced positive changes in motivation after working remotely.

    Black: 43%; All Other: 43%

    I have to guard and protect myself from experiencing and witnessing racism every day. I am currently working remotely, and I can say for certain my mood and demeanor have improved. Not having to decide if I should address a racist comment or action has made my day easier.
    Source: Slate, 2022

    Remote work significantly led to feelings of better chances for career advancement

    Survey respondents were asked about the positive and negative changes they saw in their interactions and experiences with remote work. Black employees and their colleagues replied similarly, with mostly positive experiences.

    While both groups enjoyed better chances for career advancement, the difference was significantly higher for Black professionals.

    An image of a series of bar graphs showing the effects of remote work on a number of factors.

    Reasons for Self-Employment:

    More Black professionals have chosen self-employment than their colleagues.

    All Other: 26%; Black: 30%.

    A bar graph showing rankings for reasons for self employment, sorted by Black and All Other.

    The biggest reasons for both groups in choosing self-employment were for better pay, career growth, and work/life balance.

    While the desire for better pay was the highest reason for both groups, for engaged employees salary is a lower priority than other concerns (Adecco Group's Global Workforce of the Future report). Consider salary in conjunction with career growth, work/life balance, and the variety in the work that your employees have.

    A bar graph showing rankings for reasons for self employment, sorted by Black and All Other.

    If we don't consider our Black employees, not only do we risk them leaving the organization, but they may decide to just work for themselves.

    Most professionals believe their organizations are committed to diversity, equity, and inclusion

    38% of all respondents believe their organizations are very committed to DEI
    49% believe they are somewhat committed
    9% feel they are not committed
    4% are unsure

    Make sure supports are in place to help your employees grow in their careers:

    Leadership
    IT Leadership Career Planning Research Center

    Diversity and Inclusion Tactics
    IT Diversity & Inclusion Tactics

    Employee Development Planning
    Implement an IT Employee Development Plan

    Belief in your organization's diversity, equity, and inclusion efforts isn't consistent across groups: Make sure actions are seen as genuine

    While organization's efforts are acknowledged, Black professionals aren't as optimistic about the commitment as their peers. Make sure that your programs are reaching the various groups you want to impact, to increase the likelihood of satisfaction in their roles.

    SATISFACTION INCREASES IN BOTH BLACK AND NON-BLACK PROFESSIONALS

    When they believe in their company's commitment to diversity, equity. and inclusion.

    Of those who believe in their organization's commitment, 61% of Black professionals and 67% of non-Black professionals are very satisfied in their roles.

    BELIEVE THEIR ORGANIZATION IS NOT COMMITTED TO DEI

    BELIEVE THEIR ORGANIZATION IS VERY COMMITTED TO DEI

    NON-BLACK PROFESSIONALS

    8%

    41%

    BLACK PROFESSIONALS

    13%

    30%

    Recommendations

    It's important to understand the current landscape:

    • The barriers that Black employees often face.
    • The potential solutions that can help close the gap in employee satisfaction.

    We recognize that resolving this is not easy. Although senior executives are recognizing that a diverse set of experiences, perspectives, and backgrounds is crucial to fostering innovation and competing on the global stage, organizations often don't take the extra step to actively look for racialized talent, and many people still believe that race doesn't play an important part in an individual's ability to access opportunities.

    Look at a variety of solutions that you can implement within your organization; layering solutions is the key to driving business diversity. Always keep in mind that diversity is not a monolith, that the experiences of each demographic varies.

    Info-Tech resources

    Appendix

    About the research

    Diversity in tech survey

    As part of the research process for the State of Black Tech Report, Info-Tech Research Group conducted an open online survey among its membership and wider community of professionals. The survey was fielded from October 2021 to April 2022, collecting 633 responses.

    An image of Page 1 of the Appendix.

    Current Position

    An image of Page 2 of the Appendix.

    Education and Experience

    Education was fairly consistent across both groups, with a few exceptions: more Black professionals had secondary school (9% vs. 4%) and more Black professionals had Doctorate degrees (4% vs. 2%).

    We had more non-Black respondents with 20+ years of experience (31% vs. 19%) and more Black respondents with less than 1 year of experience (8% vs. 5%) – the rest of the years of experience were consistent across the two groups.

    An image of Page 3 of the Appendix.

    It is important to recognize that people are often seen by "the world" as belonging to a different race or set of races than what they personally identify as. Both aspects impact a professional's experience in the workplace.

    An image of Page 4 of the Appendix.

    Bibliography

    Barton, LeRon. “I’m Black. Remote Work Has Been Great for My Mental Health.” Slate, 15 July 2022.

    “Black or African American alone, percent.” U.S. Census Bureau QuickFacts: United States. Accessed 14 February 2023.

    Boyle, Matthew. “More Workers Ready to Quit Over ‘Window Dressing’ Racism Efforts.” Bloomberg.com, 9 June 2022.

    Boyle, Matthew. “Remote Work Has Vastly Improved the Black Worker Experience.” Bloomberg.com, 5 October 2021.

    Cooper, Frank, and Ranjay Gulati. “What Do Black Executives Really Want?” Harvard Business Review, 18 November 2021.

    “Emotional Tax.” Catalyst. Accessed 1 April 2022.

    “Employed Persons by Detailed Occupation, Sex, Race, and Hispanic or Latino Ethnicity” U.S. Bureau of Labor Statistics. Accessed February 14, 2023.

    “Equality in Tech Report - Welcome.” Dice, 9 March 2022. Accessed 23 March 2022.

    Erb, Marcus. "Leaders Are Missing the Promise and Problems of Employee Resource Groups." Great Place To Work, 30 June 2021.

    Gawlak, Emily, et al. “Key Findings - Being Black In Corporate America.” Coqual, Center for Talent Innovation (CTI), 2019.

    “Global Workforce of the Future Research.” Adecco, 2022. Accessed 4 February 2023.

    Gruman, Galen. “The State of Ethnic Minorities in U.S. Tech: 2020.” Computerworld, 21 September 2020. Accessed 31 May 2022.

    Hancock, Bryan, et al. “Black Workers in the US Private Sector.” McKinsey, 21 February 2021. Accessed 1 April 2022.

    “Hierarchy Of Needs Applied To Employee Engagement.” Proactive Insights, 12 February 2020.

    Hobbs, Cecyl. “Shaping the Future of Leadership for Black Tech Talent.” Russell Reynolds Associates, 27 January 2022. Accessed 3 August 2022.

    Hubbard, Lucas. “Race, Not Job, Predicts Economic Outcomes for Black Households.” Duke Today, 16 September 2021. Accessed 30 May 2022.

    Knight, Marcus. “How the Tech Industry Can Be More Inclusive to the Black Community.” Crunchbase, 23 February 2022.

    “Maslow’s Hierarchy of Needs in Employee Engagement (Pre and Post Covid 19).” Vantage Circle HR Blog, 30 May 2022.

    McDonald, Autumn. “The Racism of the ‘Hard-to-Find’ Qualified Black Candidate Trope (SSIR).” Stanford Social Innovation Review, 1 June 2021. Accessed 13 December 2021.

    McGlauflin, Paige. “The Fortune 500 Features 6 Black CEOs—and the First Black Founder Ever.” Fortune, 23 May 2022. Accessed 14 February 2023.

    “Microaggression." Oxford English Dictionary, Oxford Languages, 2023.

    Reed, Jordan. "Understanding Racial Microaggression and Its Effect on Mental Health." Pfizer, 26 August 2020.

    Shemla, Meir “Why Workplace Diversity Is So Important, And Why It’s So Hard To Achieve.” Forbes, 22 August 2018. Accessed 4 February 2023.

    “The State of Black Women in Corporate America.” Lean In and McKinsey & Company, 2020. Accessed 14 January 2022.

    Van Bommel, Tara. “The Power of Empathy in Times of Crisis and Beyond (Report).” Catalyst, 2021. Accessed 1 April 2022.

    Vu, Viet, Creig Lamb, and Asher Zafar. “Who Are Canada’s Tech Workers?” Brookfield Institute for Innovation and Entrepreneurship, January 2019. Accessed on Canadian Electronic Library, 2021. Web.

    Warner, Justin. “The ROI of Employee Engagement: Show Me the Money!” DecisionWise, 1 January 2020. Web.

    White, Sarah K. “5 Revealing Statistics about Career Challenges Black IT Pros Face.” CIO (blog), 9 February 2023. Accessed 5 July 2022.

    Williams, Joan C. “Stop Asking Women of Color to Do Unpaid Diversity Work.” Bloomberg.com, 14 April 2022.

    Williams, Joan C., Rachel Korn, and Asma Ghani. “A New Report Outlines Some of the Barriers Facing Asian Women in Tech.” Fast Company, 13 April 2022.

    Wilson, Valerie, Ethan Miller, and Melat Kassa. “Racial representation in professional occupations.” Economic Policy Institute, 8 June 2021.

    “Workplace Diversity: Why It’s Good for Business.” Business Development Canada (BDC.ca), 6 Feb. 2023. Accessed 4 February 2023.

    Drive Real Business Value with an HRIS Strategy

    • Buy Link or Shortcode: {j2store}586|cart{/j2store}
    • member rating overall impact: 9.1/10 Overall Impact
    • member rating average dollars saved: $43,457 Average $ Saved
    • member rating average days saved: 36 Average Days Saved
    • Parent Category Name: Human Resource Systems
    • Parent Category Link: /human-resource-systems
    • In most organizations, the HR application portfolio has evolved tactically on an as-needed basis, resulting in un-integrated systems and significant effort spent on manual workarounds.
    • The relationship between HR and IT is not optimal for technology decision making. System-related decisions are made by HR and IT is typically involved only post-purchase to fix issues as they arise and offer workarounds.
    • IT systems for HR are not viewed as a strategic differentiator or business enabler, thereby leading to a limited budget and resources for HR IT systems and subsequently hindering the adoption of a strategic, holistic perspective.
    • Some organizations overinvest, while others underinvest in lightweight, point-to-point solutions. Finding the sweet spot between a full suite and lightweight functionality is no easy task.

    Our Advice

    Critical Insight

    • Align HRIS goals with the business. Organizations must position HR as a partner prior to embarking on an HRIS initiative, aligning technology goals with organizational objectives before looking at software.
    • Communication is key. Often, HR and IT speak different languages. Maintain a high degree of communication by engaging stakeholder groups early.
    • Plan where you want to go. Designing a roadmap based on clear requirements, alignment with the business, and an understanding of priorities will contribute to success.

    Impact and Result

    • Evaluate the current state of HRIS, understand the pain points, and visualize your ideal processes prior to choosing a solution.
    • Explore the different solution alternatives: maintain current system, integrate and consolidate, augment, or replace system entirely.
    • Create a plan to engage IT and HR throughout the project. Equip HR with the decision-making tools to meet business objectives and drive business strategy. Establish a common language for IT and HR to effectively communicate.
    • Develop a practical and actionable roadmap that the entire organization can buy into.

    Drive Real Business Value with an HRIS Strategy Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should develop an HRIS strategy, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Conduct an environmental scan

    Create a clear project vision that outlines the goals and objectives for the HRIS strategy. Subsequently, construct an HRIS business model that is informed by enablers, barriers, and the organizational, IT, and HR needs.

    • Drive Real Business Value with an HRIS Strategy – Phase 1: Conduct an Environmental Scan
    • Establish an HRIS Strategy Project Charter Template
    • HRIS Readiness Assessment Checklist

    2. Design the future state

    Gather high-level requirements to determine the ideal future state. Explore solution alternatives and choose the path that is best aligned with the organization's needs.

    • Drive Real Business Value with an HRIS Strategy – Phase 2: Design the Future State
    • HRIS Strategy Stakeholder Interview Guide
    • Process Owner Assignment Guide

    3. Finalize the roadmap

    Identify roadmap initiatives. Prioritize initiatives based on importance and effort.

    • Drive Real Business Value with an HRIS Strategy – Phase 3: Finalize the Roadmap
    • Initiative Roadmap Tool
    • HRIS Stakeholder Presentation Template
    [infographic]

    Workshop: Drive Real Business Value with an HRIS Strategy

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Conduct an Environmental Scan

    The Purpose

    Understand the importance of creating an HRIS strategy before proceeding with software selection and implementation.

    Learn why a large percentage of HRIS projects fail and how to avoid common mistakes.

    Set expectations for the HRIS strategy and understand Info-Tech’s HRIS methodology.

    Complete a project charter to gain buy-in, build a project team, and track project success.   

    Key Benefits Achieved

    A go/no-go decision on the project appropriateness.

    Project stakeholders identified.

    Project team created with defined roles and responsibilities.

    Finalized project charter to gain buy-in.  

    Activities

    1.1 Set a direction for the project by clarifying the focus.

    1.2 Identify the right stakeholders for your project team.

    1.3 Identify HRIS needs, barriers, and enablers.

    1.4 Map the current state of your HRIS.

    1.5 Align your business goals with your HR goals and objectives.

    Outputs

    Project vision

    Defined project roles and responsibilities

    Completed HRIS business model

    Completed current state map and thorough understanding of the HR technology landscape

    Strategy alignment between HR and the business

    2 Design the Future State

    The Purpose

    Gain a thorough understanding of the HRIS-related pains felt throughout the organization.

    Use stakeholder-identified pains to directly inform the HRIS strategy and long-term solution.

    Visualize your ideal processes and realize the art of the possible.  

    Key Benefits Achieved

    Requirements to strengthen the business case and inform the strategy.

    The art of the possible.

    Activities

    2.1 Requirements gathering.

    2.2 Sketch ideal future state processes.

    2.3 Establish process owners.

    2.4 Determine guiding principles.

    2.5 Identify metrics.

    Outputs

    Pain points classified by data, people, process, and technology

    Ideal future process vision

    Assigned process owners, guiding principles, and metrics for each HR process in scope

    3 Create Roadmap and Finalize Deliverable

    The Purpose

    Brainstorm and prioritize short- and long-term HRIS tasks.

    Key Benefits Achieved

    Understand next steps for the HRIS project.

    Activities

    3.1 Create a high-level implementation plan that shows dependencies.

    3.2 Identify risks and mitigation efforts.

    3.3 Finalize stakeholder presentation.

    Outputs

    Completed implementation plan

    Completed risk management plan

    HRIS stakeholder presentation

    Tech Trend Update: If Biosecurity Then Autonomous Edge

    • Buy Link or Shortcode: {j2store}99|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation

    COVID-19 has created new risks to physical encounters among workers and customers. New biosecurity processes and ways to effectively enforce them – in the least intrusive way possible – are required to resume these activities.

    Our Advice

    Critical Insight

    New biosecurity standards will be imposed on many industries, and the autonomous edge will be part of the solution to manage that new reality.

    Impact and Result

    There are some key considerations for businesses considering new biosecurity measures:

    1. If prevention, then ID-based access control
    2. If intervention, then alerts based on data
    3. If investigation, then contact tracing

    Tech Trend Update: If Biosecurity Then Autonomous Edge Research & Tools

    Tech Trend Update: If Biosecurity Then Autonomous Edge

    Understand how new biosecurity requirements could affect your business and why AI at the edge could be part of the solution.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Tech Trend Update: If Biosecurity Then Autonomous Edge Storyboard
    [infographic]

    Identify and Manage Security Risk Impacts on Your Organization

    • Buy Link or Shortcode: {j2store}221|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management
    • More than any other time, our world is changing. As a result, organizations – and their vendors – need to be able to adapt their plans to accommodate risk on an unprecedented level.
    • A new global change will impact your organization at any given time. Ensure that you monitor threats appropriately and that your plans are flexible enough to manage the inevitable consequences.

    Our Advice

    Critical Insight

    • Identifying and managing a vendor’s potential security risk impacts on your organization requires multiple people in the organization across several functions. Those people all need coaching on the potential changes in the market and how these changes could introduce new risks.
    • Organizational leadership is often taken unaware during crises, and their plans lack the flexibility needed to adjust to significant market upheavals and surprise incidents.

    Impact and Result

    • Vendor management practices educate organizations on the potential risks from vendors in your market and suggest creative and alternative ways to avoid and manage them.
    • Prioritize and classify your vendors with quantifiable, standardized rankings.
    • Prioritize focus on your high-risk vendors.
    • Standardize your processes for identifying and monitoring vendor risks to manage potential impacts with our Security Risk Impact Tool.

    Identify and Manage Security Risk Impacts on Your Organization Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Identify and Manage Security Risk Impacts on Your Organization Deck – Use the research to better understand the negative impacts of vendor actions on your security.

    Use this research to identify and quantify the potential security impacts caused by vendors. Use Info-Tech’s approach to look at the security impacts from various perspectives to better prepare for issues that may arise.

    • Identify and Manage Security Risk Impacts on Your Organization Storyboard

    2. Security Risk Impact Tool – Use this tool to help identify and quantify the security impacts of negative vendor actions.

    By playing the “what if” game and asking probing questions to draw out – or eliminate – possible negative outcomes, everyone involved adds their insight into parts of the organization to gather a comprehensive picture of potential impacts.

    • Security Risk Impact Tool
    [infographic]

    Further reading

    Identify and Manage Security Risk Impacts on Your Organization

    Know where the attacks are coming from so you know where to protect.

    Analyst perspective

    It is time to start looking at risk realistically and move away from “trust but verify” toward zero trust.

    Frank Sewell, Research Director, Vendor Management

    Frank Sewell,
    Research Director, Vendor Management
    Info-Tech Research Group

    We are inundated with a barrage of news about security incidents on what seems like a daily basis. In such an environment, it is easy to forget that there are ways to help prevent such things from happening and that they have actual costs if we relax our diligence.

    Most people are aware of defense strategies that help keep their organization safe from direct attack and inside threats. Likewise, they expect their trusted partners to perform the same diligence. Unfortunately, as more organizations use cloud service vendors, the risks with n-party vendors are increasing.

    Over the last few years, we have learned the harsh lesson that downstream attacks affect more businesses than we ever expected as suppliers, manufacturers of base goods and materials, and rising transportation costs affect the global economy.

    “Trust but verify” – while a good concept – should give way to the more effective zero-trust model in favor of knowing it’s not a matter of if an incident happens but when.

    Executive Summary

    Your Challenge

    More than any other time, our world is changing. As a result, organizations – and their vendors – need to be able to adapt their plans to accommodate risk on an unprecedented level.

    A new global change will impact your organization at any given time. Ensure that you monitor threats appropriately and that your plans are flexible enough to manage the inevitable consequences.

    Common Obstacles

    Identifying and managing a vendor’s potential security risk impacts on your organization requires multiple people in the organization across several functions. Those people all need coaching on the potential changes in the market and how these changes could introduce new risks.

    Organizational leadership is often taken unaware during crises, and their plans lack the flexibility needed to adjust to significant market upheavals and surprise incidents.

    Info-Tech’s Approach

    Vendor management practices educate organizations on the potential risks from vendors in your market and suggest creative and alternative ways to avoid and manage them.

    Prioritize and classify your vendors with quantifiable, standardized rankings.

    Prioritize focus on your high-risk vendors.

    Standardize your processes for identifying and monitoring vendor risks to manage potential impacts with our Security Risk Impact Tool.

    Info-Tech Insight
    Organizations must evolve their security risk assessments to be more adaptive to respond to global changes in the market. Ongoing monitoring of third-party vendor risks and holding those vendors accountable throughout the vendor lifecycle are critical to preventing disastrous impacts.

    Info-Tech’s multi-blueprint series on vendor risk assessment

    There are many individual components of vendor risk beyond cybersecurity.

    Multi-blueprint series on vendor risk assessment

    This series will focus on the individual components of vendor risk and how vendor management practices can facilitate organizations’ understanding of those risks.

    Out of Scope:
    This series will not tackle risk governance, determining overall risk tolerance and appetite, or quantifying inherent risk.

    Security risk impacts

    Potential losses to the organization due to security incidents

    • In this blueprint we’ll explore security risks, particularly from third-party vendors, and their impacts.
    • Identify potentially disruptive events to assess the overall impact on organizations and implement adaptive measures to correct security plans.

    The world is constantly changing

    The IT market is constantly reacting to global influences. By anticipating changes, leaders can set expectations and work with their vendors to accommodate them.

    When the unexpected happens, being able to adapt quickly to new priorities ensures continued long-term business success.

    Below are some things no one expected to happen in the last few years:

    62% 83% 84%
    Ransomware attacks spiked 62% globally (and 158% in North America alone). 83% of companies increased organizational focus on third-party risk management in 2020. In a 2020 survey, 84% of organizations reported having experienced a third-party incident in the last three years.
    One Trust, 2022 Help Net Security, 2021 Deloitte, 2020

    Identify and manage security risk impacts on your organization

    Identify and manage security risk impacts on your organization

    Due diligence will enable successful outcomes.

    What is third-party risk?

    Third-Party Vendor: Anyone who provides goods or services to a company or individual in exchange for payment transacted with electronic instructions (Law Insider).

    Third-Party Risk: The potential threat presented to organizations’ employee and customer data, financial information, and operations from the organization’s supply chain and other outside parties that provide products and/or services and have access to privileged systems (Awake Security).

    It is essential to know not only who your vendors are but also who their vendors are (n-party vendors). Organizations often overlook that their vendors rely on others to support their business, and those layers can add risk to your organization.

    Identify and manage security risks

    Global Pandemic

    Very few people could have predicted that a global pandemic would interrupt business on the scale experienced today. Organizations should look at their lessons learned and incorporate adaptable preparations into their security planning and ongoing monitoring moving forward.

    Vendor Breaches

    The IT market is an ever-shifting environment; more organizations are relying on cloud service vendors, staff augmentation, and other outside resources. Organizations should hold these vendors (and their downstream vendors) to the same levels of security and standards of conduct that they hold their internal resources.

    Resource Shortages

    A lack of resources is often overlooked, but it’s easily recognized as a reason for a security incident. All too often, companies are unwilling to dedicate resources to their vendors’ security risk assessment and ongoing monitoring needs. Only once an incident occurs do companies decide it is time to reprioritize.

    Select and Implement a Reporting and Analytics Solution

    • Buy Link or Shortcode: {j2store}363|cart{/j2store}
    • member rating overall impact: 9.0/10 Overall Impact
    • member rating average dollars saved: $10,110 Average $ Saved
    • member rating average days saved: 3 Average Days Saved
    • Parent Category Name: Business Intelligence Strategy
    • Parent Category Link: /business-intelligence-strategy
    • Statistics show that the top priority of 85% of CIOs is insight and intelligence. Yet an appetite for intelligence does not mean that business intelligence initiatives will be an automatic success. In fact, many industry studies found that only 30% to 50% of organizations considered their BI initiative to be a complete success. It is, therefore, imperative that organizations take the time to select and implement a BI suite that aligns with business goals and fosters end-user adoption.
    • The multitude of BI offerings creates a busy and sometimes overwhelming vendor landscape. When selecting a solution, you have to make sense of the many offerings and bridge the gap between what is out there and what your organization needs.
    • BI is more than software. A BI solution has to effectively address business needs and demonstrate value through content and delivery once the platform is implemented.
    • Another dimension of the success of BI is the quality and validity of the reports and insights. The overall success of the BI solution is only as good as the quality of data fueling them.

    Our Advice

    Critical Insight

    • Business intelligence starts with data management. Without data management, including governance and data quality capabilities, your BI users will not be able to get the insights they need due to inaccurate and unavailable data.
    • When selecting a BI tool, it is crucial to ensure that the tool is fit for the purpose of the organization. Ensure alignment between the business drivers and the tool capabilities.
    • Self-serve BI requires a measured approach. Self-serve BI is meant to empower users to make more informed and faster decisions. But uncontrolled self-serve BI will lead to report chaos and prevent users from getting the most out of the tool. You must govern self-serve before it gets out of hand.

    Impact and Result

    • Evaluate your organization and land yourself into one of our three BI use cases. Find a BI suite that best suits the use case and, therefore, your organization.
    • Understand the ever-changing BI market. Get to know the established vendors as well as the emerging players.
    • Define BI requirements comprehensively through the lens of business, data, architecture, and user groups. Evaluate requirements to ensure they align with the strategic goals of the business.

    Select and Implement a Reporting and Analytics Solution Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should select and implement a business intelligence and analytics solution, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Launch a BI selection project

    Promote and get approval for the BI selection and implementation project.

    • Select and Implement a Business Intelligence and Analytics Solution – Phase 1: Launch a BI Selection Project
    • BI Score Calculator
    • BI Project Charter

    2. Select a BI solution

    Select the most suitable BI platform.

    • Select and Implement a Business Intelligence and Analytics Solution – Phase 2: Select a BI Solution
    • BI Use-Case Fit Assessment Tool
    • BI Planning and Scoring Tool
    • BI Vendor Demo Script
    • BI Vendor Shortlist & Detailed Feature Analysis Tool
    • BI Request for Proposal Template

    3. Implement the BI solution

    Build a sustainable BI program.

    • Select and Implement a Business Intelligence and Analytics Solution – Phase 3: Implement the BI Solution
    • BI Test Plan Template
    • BI Implementation Planning Tool
    • BI Implementation Work Breakdown Structure Template
    [infographic]

    Workshop: Select and Implement a Reporting and Analytics Solution

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Launch a BI Selection Project

    The Purpose

    Identify the scope and objectives of the workshop.

    Discuss the benefits and opportunities related to a BI investment.

    Gain a high-level understanding of BI and the BI market definitions and details.

    Outline a project plan and identify the resourcing requirements for the project.

    Key Benefits Achieved

    Determine workshop scope.

    Identify the business drivers and benefits behind a BI investment.

    Outline the project plan for the organization’s BI selection project.

    Determine project resourcing.

    Identify and perform the steps to launch the organization’s selection project.

    Activities

    1.1 Identify business drivers for investing in process automation technology.

    1.2 Identify the organization’s fit for a BI investment.

    1.3 Create a project plan.

    1.4 Identify project resourcing.

    1.5 Outline the project’s timeline.

    1.6 Determine key metrics.

    1.7 Determine project oversight.

    1.8 Complete a project charter.

    Outputs

    Completion of a project charter

    Launched BI selection project

    2 Analyze BI Requirements and Shortlist Vendors

    The Purpose

    Identify functional requirements for the organization’s BI suite.

    Determine technical requirements for the organization’s BI suite.

    Identify the organization’s alignment to the Vendor Landscape’s use-case scenarios.

    Shortlist BI vendors.

    Key Benefits Achieved

    Documented functional requirements.

    Documented technical requirements.

    Identified use-case scenarios for the future BI solution.

    Activities

    2.1 Interview business stakeholders.

    2.2 Interview IT staff.

    2.3 Consolidate interview findings.

    2.4 Build the solution’s requirements package.

    2.5 Identify use-case scenario alignment.

    2.6 Review Info-Tech’s BI Vendor Landscape results.

    2.7 Create custom shortlist.

    Outputs

    Documented requirements for the future solution.

    Identification of the organization’s BI functional use-case scenarios.

    Shortlist of BI vendors.

    3 Plan the Implementation Process

    The Purpose

    Identify the steps for the organization’s implementation process.

    Select the right BI environment.

    Run a pilot project.

    Measure the value of your implementation.

    Key Benefits Achieved

    Install a BI solution and prepare the BI solution in a way that allows intuitive and interactive uses.

    Keep track of and quantify BI success.

    Activities

    3.1 Select the right environment for the BI platform.

    3.2 Configure the BI implementation.

    3.3 Conduct a pilot to get started with BI and to demonstrate BI possibilities.

    3.4 Promote BI development in production.

    Outputs

    A successful BI implementation.

    BI is architected with the right availability.

    BI ROI is captured and quantified.

    Select the Optimal Disaster Recovery Deployment Model

    • Buy Link or Shortcode: {j2store}413|cart{/j2store}
    • member rating overall impact: 8.8/10 Overall Impact
    • member rating average dollars saved: $10,247 Average $ Saved
    • member rating average days saved: 11 Average Days Saved
    • Parent Category Name: DR and Business Continuity
    • Parent Category Link: /business-continuity
    • DR deployment has many possibilities. It becomes overwhelming and difficult to sift through all of the options and understand what makes sense for your organization.
    • The combination of high switching costs and the pressure to move applications to cloud leaves managers overwhelmed and complacent with their current DR model.

    Our Advice

    Critical Insight

    1. Cut to the chase and evaluate the feasibility of cloud first. Gauge your organization’s current capabilities for DR in the cloud before becoming infatuated with the idea.
    2. A mixed model gives you the best of both worlds. Diversify your strategy by identifying fit for purpose and balancing the work required to maintain various models.
    3. Begin with the end in mind. Commit to mastering the selected model and leverage your vendor relationship for effective DR.

    Impact and Result

    • By efficiently eliminating models that are not suited for your organization and narrowing the scope of DR deployment possibilities, you spend more time focusing on what works rather than what doesn’t.
    • Taking a funneled approach ensures that you are not wasting time evaluating application-level considerations when organizational constraints prevent you from moving forward.
    • Comparing the total cost of ownership among candidate models helps demonstrate to the business the reason behind choosing one method over another.

    Select the Optimal Disaster Recovery Deployment Model Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should build the optimal DR deployment model, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Target the relevant DR options for your organization

    Complete Phase 1 to outline your DR site requirements, review any industry or organizational constraints on your DR strategy, and zero in on relevant DR models.

    • Select the Optimal Disaster Recovery Deployment Model – Phase 1: Target Relevant DR Options for Your Organization
    • DR Decision Tree (Visio)
    • DR Decision Tree (PDF)
    • Application Assessment Tool for Cloud DR

    2. Conduct a comprehensive analysis and vet the DR vendors

    Complete Phase 2 to explore possibilities of deployment models, conduct a TCO comparison analysis, and select the best-fit model.

    • Select the Optimal Disaster Recovery Deployment Model – Phase 2: Conduct a Comprehensive Analysis and Vet the DR Vendors
    • DR Solution TCO Comparison Tool

    3. Make the case and plan your transition

    Complete Phase 3 to assess outsourcing best practices, address implementation considerations, and build an executive presentation for business stakeholders.

    • Select the Optimal Disaster Recovery Deployment Model – Phase 3: Make the Case and Plan Your Transition
    • DR Solution Executive Presentation Template
    [infographic]

    Workshop: Select the Optimal Disaster Recovery Deployment Model

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Target Relevant DR Options for Your Organization

    The Purpose

    Identify potential DR models

    Key Benefits Achieved

    Take a funneled approach and avoid getting lost among all of the DR models available

    Activities

    1.1 Define DR site requirements

    1.2 Document industry and organizational constraints

    1.3 Identify potential DR models

    Outputs

    Determine the type of site, replication, and risk mitigation initiatives required

    Rule out unfit models

    DR Decision Tree

    Application Assessment Tool for Cloud DR

    2 Conduct a Comprehensive Analysis of Appropriate Models

    The Purpose

    Explore relevant DR models

    Key Benefits Achieved

    Develop supporting evidence for the various options

    Activities

    2.1 Explore pros and cons of potential solutions

    2.2 Understand the use case for DRaaS

    2.3 Review DR model diagrams

    Outputs

    Qualitative analysis on candidate models

    Evaluate the need for DRaaS

    DR diagrams for candidate models

    3 Build the DR Solution TCO Comparison Tool

    The Purpose

    Determine best cost models

    Key Benefits Achieved

    Save money by selecting the most cost effective option to meet your DR requirements

    Activities

    3.1 Gather hardware requirements for production site

    3.2 Define capacity requirements for DR

    3.3 Compare cost across various models

    Outputs

    Populate the production summary tab in TCO tool

    Understand how much hardware will need to be on standby and how much will be procured at the time of disaster

    Find the most cost effective method

    4 Make the Case and Plan Your Transition

    The Purpose

    Build support from business stakeholders by having a clear and defendable proposal for DR

    Key Benefits Achieved

    Effective and ready DR deployment model

    Activities

    4.1 Address implementation considerations for network, capacity, and day-to-day operations

    4.2 Build presentation for business stakeholders

    Outputs

    Define implementation projects necessary for deployment and appoint staff to execute them

    PowerPoint presentation to summarize findings from the course of the project

    Demystify Blockchain: How Can It Bring Value to Your Organization?

    • Buy Link or Shortcode: {j2store}96|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation
    • Most leaders have an ambiguous understanding of blockchain and its benefits, let alone how it impacts their organization.
    • At the same time, with bitcoin drawing most of the media attention, organizations are finding it difficult to translate cryptocurrency usage to business case.

    Our Advice

    Critical Insight

    • Cut through the hype associated with blockchain by focusing on what is relevant to your organization. You have been hearing about blockchain for some time now and want to better understand it. While it is complex, you can beat the learning curve by analyzing its key benefits and purpose. Features such as transparency, efficiency, and security differentiate blockchain from existing technologies and help explain why it has transformative potential.
    • Ensure your use case is actually useful by first determining whether blockchain aligns with your organization. CIOs must take a practical approach to blockchain in order to avoid wasting resources (both time and money) and hurting IT’s image in the eyes of the business. While is easy to get excited and invest in a new technology to help maintain your image as a thought leader, you must ensure that your use case is fully developed prior to doing so.

    Impact and Result

    • Follow Info-Tech’s methodology for simplifying an otherwise complex concept. By focusing on its benefits and how they directly relate to a use case, blockchain technology is made easy to understand for business and IT professionals.
    • Our program will help you understand if blockchain is the optimal solution for your organization by mapping its key benefits (i.e. transparency, integrity, efficiency, and security) to your needs and capabilities.
    • Leverage a repeatable framework for brainstorming blockchain use case ideas and communicate your findings to business stakeholders who may otherwise be confused about the transformative potential of blockchain.

    Demystify Blockchain: How Can It Bring Value to Your Organization? Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why your organization should care about determining whether blockchain aligns with your organization, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. What exactly is blockchain?

    Understand blockchain’s unique feature, benefits, and business use cases.

    • Demystify Blockchain – Phase 1: What Is Blockchain?
    • Blockchain Glossary

    2. What can blockchain do for your organization?

    Envision blockchain’s transformative potential for your organization by brainstorming and validating a use case.

    • Demystify Blockchain – Phase 2: What Can Blockchain Do for Your Organization?
    • Blockchain Alignment Tool
    • Blockchain Alignment Presentation
    [infographic]

    Recruit and Retain People of Color in IT

    • Buy Link or Shortcode: {j2store}546|cart{/j2store}
    • member rating overall impact: 9.7/10 Overall Impact
    • member rating average dollars saved: $19,184 Average $ Saved
    • member rating average days saved: 21 Average Days Saved
    • Parent Category Name: Engage
    • Parent Category Link: /engage
    • Organizations have been trying to promote equality for many years. Diversity and inclusion strategies and a myriad of programs have been implemented in companies across the world. Despite the attempts, many organizations still struggle to ensure that their workforce is representative of the populations they support or want to support.
    • IT brings another twist. Many IT companies and departments are based on the culture of white males, and underrepresented ethnic communities find it more of a challenge to fit in.
    • This sometimes means that talented minorities are less incentivized to join or stay in technology.

    Our Advice

    Critical Insight

    • Diversity and inclusion cannot be a one-time campaign or a one-off initiative.
    • For real change to happen, every leader needs to internalize the value of creating and retaining diverse teams.

    Impact and Result

    • To stay competitive, IT leaders need to be more involved and commit to a plan to recruit and retain people of color in their departments and organizations. A diverse team is an answer to innovation that can differentiate your company.
    • Treat recruiting and retaining a diverse team as a business challenge that requires full engagement. Info-Tech offers a targeted solution that will help IT leaders build a plan to attract, recruit, engage, and retain people of color.

    Recruit and Retain People of Color in IT Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should recruit and retain people of color in your IT department or organization, review Info-Tech’s methodology, and understand the ways we can support you in this endeavor.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Recruit people of color in IT

    Diverse teams are necessary to foster creativity and guide business strategies. Overcome limitations by recruiting people of color and creating a diverse workforce.

    • Recruit and Retain People of Color in IT – Phase 1: Recruit People of Color in IT
    • Support Plan
    • IT Behavioral Interview Question Library

    2. Retain people of color in IT

    Underrepresented employees benefit from an expansive culture. Create an inclusive environment and retain people of color and promote value within your organization.

    • Recruit and Retain People of Color in IT – Phase 2: Retain People of Color in IT

    Infographic

    Workshop: Recruit and Retain People of Color in IT

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Setting the Stage

    The Purpose

    Introduce challenges and concerns around recruiting and retaining people of color.

    Key Benefits Achieved

    Gain a sense of direction.

    Activities

    1.1 Introduction to diversity conversations.

    1.2 Assess areas to focus on and determine what is right, wrong, missing, and confusing.

    1.3 Obtain feedback from your team about the benefits of working at your organization.

    1.4 Establish your employee value proposition (EVP).

    1.5 Discuss and establish your recruitment goals.

    Outputs

    Current State Analysis

    Right, Wrong, Missing, Confusing Quadrant

    Draft EVP

    Recruitment Goals

    2 Refine Your Recruitment Process

    The Purpose

    Identify areas in your current recruitment process that are preventing you from hiring people of color.

    Establish a plan to make improvements.

    Key Benefits Achieved

    Optimized recruitment process

    Activities

    2.1 Brainstorm and research community partners.

    2.2 Review current job descriptions and equity statement.

    2.3 Update job description template and equity statement.

    2.4 Set team structure for interview and assessment.

    2.5 Identify decision-making structure.

    Outputs

    List of community partners

    Updated job description template

    Updated equity statement

    Interview and assessment structure

    Behavioral Question Library

    3 Culture and Management

    The Purpose

    Create a plan for an inclusive culture where your managers are supported.

    Key Benefits Achieved

    Awareness of how to better support employees of color.

    Activities

    3.1 Discuss engagement and belonging.

    3.2 Augment your onboarding materials.

    3.3 Create an inclusive culture plan.

    3.4 Determine how to support your management team.

    Outputs

    List of onboarding content

    Inclusive culture plan

    Management support plan

    4 Close the Loop

    The Purpose

    Establish mechanisms to gain feedback from your employees and act on them.

    Key Benefits Achieved

    Finalize the plan to create your diverse and inclusive workforce.

    Activities

    4.1 Ask and listen: determine what to ask your employees.

    4.2 Create your roadmap.

    4.3 Wrap-up and next steps.

    Outputs

    List of survey questions

    Roadmap

    Completed support plan

    Position IT to Support and Be a Leader in Open Data Initiatives

    • Buy Link or Shortcode: {j2store}326|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • member rating average days saved: Read what our members are saying
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation
    • Open data programs are often seen as unimportant or not worth taking up space in the budget in local government.
    • Open data programs are typically owned by a single open data evangelist who works on it as a side-of-desk project.
    • Having a single resource spend a portion of their time on open data doesn’t allow the open data program to mature to the point that local governments are realizing benefits from it.
    • It is difficult to gain buy-in for open data as it is hard to track the benefits of an open data program.

    Our Advice

    Critical Insight

    • Local government can help push the world towards being more open, unlocking economic benefits for the wider economy.
    • Cities don’t know the solutions to all of their problems often they don’t know all of the problems they have. Release data as a platform to crowdsource solutions and engage your community.
    • Build your open data policies in collaboration with the community. It’s their data, let them shape the way it’s used!

    Impact and Result

    • Level-set expectations for your open data program. Every local government is different in terms of the benefits they can achieve with open data; ensure the business understands what is realistic to achieve.
    • Create a team of open data champions from departments outside of IT. Identify potential champions for the team and use this group to help gain greater business buy-in and gather feedback on the program’s direction.
    • Follow the open data maturity model in order to assess your current state, identify a target state, and assess capability gaps that need to be improved upon.
    • Use industry best practices to develop an open data policy and processes to help improve maturity of the open data program and reach your desired target state.
    • Identify metrics that you can use to track, and communicate the success of, the open data program.

    Position IT to Support and Be a Leader in Open Data Initiatives Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should develop your open data program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Set the foundation for the success of your open data program

    Identify your open data program's current state maturity, and gain buy-in from the business for the program.

    • Position IT to Support and Be a Leader in Open Data Initiatives – Phase 1: Set the Foundation for the Success of Your Open Data Program
    • Open Data Maturity Assessment
    • Open Data Program – IT Stakeholder Powermap Template
    • Open Data in Our City Stakeholder Presentation Template

    2. Grow the maturity of your open data program

    Identify a target state maturity and reach it through building a policy and processes and the use of metrics.

    • Position IT to Support and Be a Leader in Open Data Initiatives – Phase 2: Grow the Maturity of Your Open Data Program
    • Open Data Policy Template
    • Open Data Process Template
    • Open Data Process Descriptions Template
    • Open Data Process Visio Templates (Visio)
    • Open Data Process Visio Templates (PDF)
    • Open Data Metrics Template
    [infographic]

    Workshop: Position IT to Support and Be a Leader in Open Data Initiatives

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Define Business Drivers for Open Data Program

    The Purpose

    Ensure that the open data program is being driven out from the business in order to gain business support.

    Key Benefits Achieved

    Identify drivers for the open data program that are coming directly from the business.

    Activities

    1.1 Understand constraints for the open data program.

    1.2 Conduct interviews with the business to gain input on business drivers and level-set expectations.

    1.3 Develop list of business drivers for open data.

    Outputs

    Defined list of business drivers for the open data program

    2 Assess Current State and Define Target State of the Open Data Program

    The Purpose

    Understand the gaps between where your program currently is and where you want it to be.

    Key Benefits Achieved

    Identify top processes for improvement in order to bring the open data program to the desired target state maturity.

    Activities

    2.1 Perform current state maturity assessment.

    2.2 Define desired target state with business input.

    2.3 Highlight gaps between current and target state.

    Outputs

    Defined current state maturity

    Identified target state maturity

    List of top processes to improve in order to reach target state maturity

    3 Develop an Open Data Policy

    The Purpose

    Develop a draft open data policy that will give you a starting point when building your policy with the community.

    Key Benefits Achieved

    A draft open data policy will be developed that is based on best-practice standards.

    Activities

    3.1 Define the purpose of the open data policy.

    3.2 Establish principles for the open data program.

    3.3 Develop a rough governance outline.

    3.4 Create a draft open data policy document based on industry best-practice examples.

    Outputs

    Initial draft of open data policy

    4 Develop Open Processes and Identify Metrics

    The Purpose

    Build open data processes and identify metrics for the program in order to track benefits realization.

    Key Benefits Achieved

    Formalize processes to set in place to improve the maturity of the open data program.

    Identify metrics that can track the success of the open data program.

    Activities

    4.1 Develop the roles that will make up the open data program.

    4.2 Create processes for new dataset requests, updates of existing datasets, and the retiring of datasets.

    4.3 Identify metrics that will be used for measuring the success of the open data program.

    Outputs

    Initial draft of open data processes

    Established metrics for the open data program

    Into the Metaverse

    • Buy Link or Shortcode: {j2store}95|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation
    • Define the metaverse.
    • Understand where Meta and Microsoft are going and what their metaverse looks like today.
    • Learn about other solution providers implementing the enterprise metaverse.
    • Identify risks in deploying metaverse solutions and how to mitigate them.

    Our Advice

    Critical Insight

    • A metaverse experience must combine the three Ps: user presence is represented, the world is persistent, and data is portable.

    Impact and Result

    • Understand how Meta and Microsoft define the Metaverse and the coming challenges that enterprises will need to solve to harness this new digital capability.

    Into the Metaverse Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Into the Metaverse – A deck that examines how IT can prepare for the new digital world

    Push past the hype and understand what the metaverse really means for IT.

    • Into the Metaverse Storyboard

    Infographic

    Further reading

    Into the Metaverse

    How IT can prepare for the new digital world.

    Analyst Perspective

    The metaverse is still a vision of the future.

    Photo of Brian Jackson, Research Director, CIO, Info-Tech Research Group.

    On October 28, 2021, Mark Zuckerberg got up on stage and announced Facebook's rebranding to Meta and its intent to build out a new business line around the metaverse concept. Just a few days later, Microsoft's CEO Satya Nadella put forward his own idea of the metaverse at Microsoft Ignite. Seeing two of Silicon Valley's most influential companies pitch a vision of avatar-driven virtual reality collaboration sparked our collective curiosity. At the heart of it lies the question, "What is the metaverse, anyway?“

    If you strip back the narrative of the companies selling you the solutions, the metaverse can be viewed as technological convergence. Years of development on mixed reality, AI, immersive digital environments, and real-time communication are culminating in a totally new user experience. The metaverse makes the digital as real as the physical. At least, that's the vision.

    It will be years yet before the metaverse visions pitched to us from Silicon Valley stages are realized. In the meantime, understanding the individual technologies contributing to that vision can help CIOs realize business value today. Join me as we delve into the metaverse.

    Brian Jackson
    Research Director, CIO
    Info-Tech Research Group

    From pop culture to Silicon Valley

    Sci-fi visionaries are directly involved in creating the metaverse concept

    The term “metaverse” was coined by author Neal Stephenson in the 1992 novel “Snow Crash.” In the novel, main character Hiro Protagonist interacts with others in a digitally defined space. Twenty-five years after its release, the cult classic is influential among Silicon Valley's elite. Stephenson has played some key roles in Silicon Valley firms. He became the first employee at Blue Origin, the space venture founded by Jeff Bezos, in 2006, and later became chief futurist at augmented reality firm Magic Leap in 2014. Stephenson also popularized the Hindu concept "avatar" in his writing, paving the way for people to embody digitally rendered models to participate in the metaverse (Vanity Fair, 2017).

    Even earlier concepts of the metaverse were examined in the 1980s, with William Gibson’s “Neuromancer” exploring the same idea as cyberspace. Gibson's novel was influenced by his time in Seattle, where friend and Microsoft executive Eileen Gunn took him to hacker bars where he'd eavesdrop on "the poetics of the technological subculture" (Medium, 2022). Other visions of a virtual reality mecca were brought to life in the movies, including the 1982 Disney release “Tron,” the 1999 flick “The Matrix,” and 2018’s “Ready Player One.”

    There's a common set of traits among these sci-fi narratives that help us understand what Silicon Valley tech firms are now set to commercialize: users interact with one another in a digitally rendered virtual world, with a sense of presence provided through the use of a head-mounted display.

    Cover of the book Snow Crash by Neal Stephenson.

    Image courtesy nealstephenson.com

    Meta’s view of the metaverse

    CEO Mark Zuckerberg rebranded Facebook to make his intent clear

    Mark Zuckerberg is all in on the metaverse, announcing October 28, 2021, that Facebook would be rebranded to Meta. The new brand took effect on December 1, and Facebook began trading under the new stock ticker MVRS on certain exchanges. On February 15, 2022, Zuckerberg announced at a company meeting that his employees will be known as Metamates. The company's new values are to live in the future, build awesome things, and focus on long-term impact. Its motto is simply "Meta, Metamates, me" (“Out With the Facebookers. In With the Metamates,” The New York Times, 2022).

    Meta's Reality Labs division will be responsible for developing its metaverse product, using Meta Quest, its virtual reality head-mounted displays. Meta's early metaverse environment, Horizon Worlds, rolled out to Quest users in the US and Canada in early December 2021. This drove a growth in its monthly user base by ten times, to 300,000 people. The product includes Horizon Venues, tailored to attending live events in VR, but not Horizon Workrooms, a VR conferencing experience that remains invite-only. Horizon Worlds provides users tools to construct their own 3D digital environments and had been used to create 10,000 separate worlds by mid-February 2022 (“Meta’s Social VR Platform Horizon Hits 300,000 Users,“ The Verge, 2022).

    In the future, Meta plans to amplify the building tools in its metaverse platform with generative AI. For example, users can give speech commands to create scenes and objects in VR. Project CAIRaoke brings a voice assistant to an augmented reality headset that can help users complete tasks like cooking a stew. Zuckerberg also announced Meta is working on a universal speech translator across all languages (Reuters, 2022).

    Investment in the metaverse:
    $10 billion in 2021

    Key People:
    CEO Mark Zuckerberg
    CTO Andrew Bosworth
    Chief Product Officer Chris Cox

    (Source: “Meta Spent $10 Billion on the Metaverse in 2021, Dragging Down Profit,” The New York Times, 2022)

    Microsoft’s view of the metaverse

    CEO Satya Nadella showcased a mixed reality metaverse at Microsoft Ignite

    In March 2021 Microsoft announced Mesh, an application that allows organizations to build out a metaverse environment. Mesh is being integrated into other Microsoft hardware and software, including its head-mounted display, the HoloLens, a mixed reality device. The Mesh for HoloLens experience allows users to collaborate around digital content projected into the real world. In November, Microsoft announced a Mesh integration with Microsoft Teams. This integration brings users into an immersive experience in a fully virtual world. This VR environment makes use of AltspaceVR, a VR application Microsoft first released in May 2015 (Microsoft Innovation Stories, 2021).

    Last Fall, Microsoft also announced it is rebranding its Dynamics 365 Connected Store solution to Dynamics 365 Connected Spaces, signaling its expansion from retail to all spaces. The solution uses cognitive vision to create a digital twin of an organization’s physical space and generate analytics about people’s behavior (Microsoft Dynamics 365 Blog, 2021).

    In the future, Microsoft wants to make "holoportation" a part of its metaverse experience. Under development at Microsoft Research, the technology captures people and things in photorealistic 3D to be projected into mixed reality environments (Microsoft Research, 2022). It also has plans to offer developers AI-powered tools for avatars, session management, spatial rendering, and synchronization across multiple users. Open standards will allow Mesh to be accessed across a range of devices, from AR and VR headsets, smartphones, tablets, and PCs.

    Microsoft has been developing multi-user experiences in immersive 3D environments though its video game division for more than two decades. Its capabilities here will help advance its efforts to create metaverse environments for the enterprise.

    Investment in the metaverse:
    In January 2022, Microsoft agreed to acquire Activision Blizzard for $68.7 billion. In addition to acquiring several major gaming studios for its own gaming platforms, Microsoft said the acquisition will play a key role in the development of its metaverse.

    Key People:
    CEO Satya Nadella
    CEO of Microsoft Gaming Phil Spencer
    Microsoft Technical Research Fellow Alex Kipman

    Current state of metaverse applications from Meta and Microsoft

    Meta

    • Horizon Worlds (formerly Facebook Horizon). Requires an Oculus Rift S or Quest 2 headset to engage in an immersive 3D world complete with no-code building tools for users to construct their own environments. Users can either interact in the space designed by Meta or travel to other user-designed worlds through the plaza.
    • Horizon Workrooms (beta, invite only). An offshoot of Horizon Worlds but more tailored for business collaboration. Users can bring in their physical desks and keyboards and connect to PC screens from within the virtual setting. Integrates with Facebook’s Workplace solution.

    Microsoft

    • Dynamics 365 Connected Spaces (preview). Cognitive vision combined with surveillance cameras provide analytics on people's movement through a facility.
    • Mesh for Microsoft Teams (not released). Collaborate with your colleagues in a virtual reality space using personalized avatars. Use new 2D and 3D meeting experiences.
    • Mesh App for HoloLens (preview). Interact with colleagues virtually in a persistent digital environment that is overlaid on top of the real world.
    • AltspaceVR. A VR space accessible via headset or desktop computer that's been available since 2015. Interact through use of an avatar to participate in daily events

    Current providers of an “enterprise metaverse”

    Other providers designing mixed reality or digital twin tools may not have used the “metaverse” label but provide the same capabilities via platforms

    Logo for NVIDIA Omniverse. Logo for TeamViewer.
    NVIDIA Omniverse
    “The metaverse for engineers,” Omniverse is a developer toolset to allow organizations to build out their own unique metaverse visions.
    • Omniverse Nucleus is the platform database that allows clients to publish digital assets or subscribe to receive changes to them in real-time.
    • Omniverse Connectors are used to connect to Nucleus and publish or subscribe to individual assets and entire worlds.
    • NVIDIA’s core physics engine provides a scalable and physically accurate world simulation.
    TeamViewer’s Remote as a Service Platform
    Initially focusing on providing workers remote connectivity to work desktops, devices, and robotics, TeamViewer offers a range of software as a service products. Recent acquisitions to this platform see it connecting enterprise workflows to frontline workers using mixed reality headsets and adding more 3D visualization development tools to create digital twins. Clients include Coca-Cola and BMW.

    “The metaverse matters in the future. TeamViewer is already making the metaverse tangible in terms of the value that it brings.” (Dr. Hendrik Witt, Chief Product Officer, TeamViewer)

    The metaverse is a technological convergence

    The metaverse is a platform combining multiple technologies to enable social and economic activity in a digital world that is connected to the physical world.

    A Venn diagram with four circles intersecting and one circle unconnected on the side, 'Blockchain, Emerging'. The four circles, clock-wise from top, are 'Artificial Intelligence', 'Real-Time Communication', 'Immersive Digital Space', and 'Mixed Reality'. The two-circle crossover sections, clock-wise from top-right are AI + RTC: 'Smart Agent-Facilitated Communication', RTC + IDS: 'Avatar-Based Social Interaction', IDS + MR: 'Digital Immersive UX', and MR + AI: 'Perception AI'. There are only two three-circle crossover sections labelled, AI + RTC + MR: 'Generative Sensory Environments' and RTC + IDS + MR: 'Presence'. The main cross-section is 'METAVERSE'.

    Info-Tech Insight

    A metaverse experience must combine the three P’s: user presence is represented, the world is persistent, and data is portable.

    Mixed reality provides the user experience (UX) for the metaverse

    Both virtual and augmented reality will be part of the picture

    Mixed reality encompasses both virtual reality and augmented reality. Both involve allowing users to immerse themselves in digital content using a head-mounted device or with a smartphone for a less immersive effect. Virtual reality is a completely digital world that is constructed as separate from the physical world. VR headsets take up a user's entire field of vision and must also have a mechanism to allow the user to interact in their virtual environment. Augmented reality is a digital overlay mapped on top of the real world. These headsets are transparent, allowing the user to clearly see their real environment, and projects digital content on top of it. These headsets must have a way to map the surrounding environment in 3D in order to project digital content in the right place and at the right scale.

    Meta’s Plans

    Meta acquired virtual reality developer Oculus VR Inc. and its set of head-mounted displays in 2014. It continues to develop new hardware under the Oculus brand, most recently releasing the Oculus Quest 2. Oculus Quest hardware is required to access Meta's early metaverse platform, Horizon Worlds.

    Microsoft’s Plans

    Microsoft's HoloLens hardware is a mixed reality headset. Its visor that can project digital content into the main portion of the user's field of vision and speakers capable of spatial audio. The HoloLens has been deployed at enterprises around the world, particularly in scenarios where workers typically have their hands busy. For example, it can be used to view digital schematics of a machine while a worker is performing maintenance or to allow a remote expert to "see through the eyes" of a worker.

    Microsoft's Mesh metaverse platform, which allows for remote collaboration around digital content, was demonstrated on a HoloLens at Microsoft Ignite in November 2021. Mesh is also being integrated into AltspaceVR, an application that allows companies to hold meetings in VR with “enterprise-grade security features including secure sign-ins, session management and privacy compliance" (Microsoft Innovation Stories, 2021).

    Immersive digital environments provide context in the metaverse

    The interactive environment will be a mix of digital and physical worlds

    If you've played a video game in the past decade, you've experienced an immersive 3D environment, perhaps even in a multiplayer environment with many other users at the same time. The video game industry grew quickly during the pandemic, with users spending more time and money on video games. Massive multiplayer online games like Fortnite provide more than a gaming environment. Users socialize with their friends and attend concerts featuring famous performers. They also spend money on different appearances or gestures to express themselves in the environment. When they are not playing the game, they are often watching other players stream their experience in the game. In many ways, the consumer metaverse already exists on platforms like Fortnite. At the same time, gaming developers are improving the engines for these experiences and getting closer to approximating the real world both visually and in terms of physics.

    In the enterprise space, immersive 3D environments are also becoming more popular. Manufacturing firms are building digital twins to represent entire factories, modeling their real physical environments in digital space. For example, BMW’s “factory of the future” uses NVIDIA Omniverse to create a digital twin of its assembly system, simulated down to the detail of digital workers. BMW uses this simulation to plan reconfiguration of its factory to accommodate new car models and to train robots with synthetic data (“NVIDIA Omniverse,” NVIDIA, 2021).

    Meta’s Plans

    Horizon Workrooms is Meta's business-focused application of Horizon Worlds. It facilitates a VR workspace where colleagues can interact with others’ avatars, access their computer, use videoconferencing, and sketch out ideas on a whiteboard. With the Oculus Quest 2 headset, passthrough mode allows users to add their physical desk to the virtual environment (Oculus, 2022).

    Microsoft’s Plans

    AltspaceVR is Microsoft's early metaverse environment and it can be accessed with Oculus, HTC Vive, Windows Mixed Reality, or in desktop mode. Separately, Microsoft Studios has been developing digital 3D environments for its Xbox video game platform for yeas. In January 2022, Microsoft acquired games studio Activision Blizzard for $68.7 billion, saying the games studio would play a key role in the development of the metaverse.

    Real-time communications allow for synchronous collaboration

    Project your voice to a room full of avatars for a presentation or whisper in someone’s ear

    If the metaverse is going to be a good place to collaborate, then communication must feel as natural as it does in the real world. At the same time, it will need to have a few more controls at the users’ disposal so they can focus in on the conversation they choose. Audio will be a major part of the communication experience, augmented by expressive avatars and text.

    Mixed reality headsets come with integrated microphones and speakers to enable voice communications. Spatial audio will also be an important component of voice exchange in the metaverse. When you are in a videoconference conversation with 50 participants, every one of those people will sound as though they are sitting right next to you. In the metaverse, each person will sound louder or quieter based on how distant their avatar is from you. This will allow large groups of people to get together in one digital space and have multiple conversations happening simultaneously. In some situations, there will also be a need for groups to form a “party” as they navigate the metaverse, meaning they would stay linked through a live audio connection even if their avatars were not in the same digital space. Augmented reality headsets also allow remote users to “see through the eyes” of the person wearing the headset through a front-facing camera. This is useful for hands-on tasks where expert guidance is required.

    People will also need to communicate with people not in the metaverse. More conventional videoconference windows or chat boxes will be imported into these environments as 2D panels, allowing users to integrate them into the context of their digital space.

    Meta’s Plans

    Facebook Messenger is a text chat and video chat application that is already integrated into Facebook’s platform. Facebook also owns WhatsApp, a messaging platform that offers group chat and encrypted messaging.

    Microsoft’s Plans

    Microsoft Teams is Microsoft’s application that combines presence-based text chat and videoconferencing between individuals and groups. Dynamics 365 Remote Assist is its augmented reality application designed for HoloLens wearers or mobile device users to share their real-time view with experts.

    Generative AI will fill the metaverse with content at the command of the user

    No-code and low-code creation tools will be taken to the next level in the metaverse

    Metaverse platforms provide users with no-code and low-code options to build out their own environments. So far this looks like playing a game of Minecraft. Users in the digital environment use native tools to place geometric shapes and add textures. Other metaverse platforms allow users to design models or textures with tools outside the platform, often even programming behaviors for the objects, and then import them into the metaverse. These tools can be used effectively, but it can be a tedious way to create a customized digital space.

    Generative AI will address that by taking direction from users and quickly generating content to provide the desired metaverse setting. Generative AI can create content that’s meaningful based on natural inputs like language or visual information. For example, a user might give voice commands to a smart assistant and have a metaverse environment created or take photos of a real-world object from different angles to have its likeness digitally imported.

    Synthetic data will also play a role in the metaverse. Instead of relying only on people to create a lot of relevant data to train AI, metaverse platform providers will also use simulated data to provide context. NVIDIA’s Omniverse Replicator engine provides this capability and can be used to train self-driving cars and manipulator robots for a factory environment (NVIDIA Newsroom, 2021).

    Meta’s Plans

    Meta is planning to use generative AI to allow users to construct their VR environments. It will allow users to describe a world to a voice assistant and have it created for them. Users could also speak to each other in different languages with the aid of a universal translator. Separately, Project CAIRaoke combines cognitive vision with a voice assistant to help a user cook dinner. It keeps track of where the ingredients are in the kitchen and guides the user through the steps (Reuters, 2022).

    Microsoft’s Plans

    Microsoft Mesh includes AI resources to help create natural interactions through speech and vision learning models. HoloLens 2 already uses AI models to track users’ hands and eye movements as well as map content onto the physical world. This will be reinforced in the cloud through Microsoft Azure’s AI capabilities (Microsoft Innovation Stories, 2021).

    Blockchain will provide a way to manage digital identity and assets across metaverse platforms

    Users will want a way to own their metaverse identity and valued digital possessions

    Blockchain technology provides a decentralized digital ledger that immutably records transactions. A specific blockchain can either be permissioned, with one central party determining who gets access, or permissionless, in which anyone with the means can transact on the blockchain. The permissionless variety emerged in 2008 as the foundation of Bitcoin. It's been a disruptive force in the financial industry, with Bitcoin inspiring a long list of offshoot cryptocurrencies, and now even central banks are examining moving to a digital currency standard.

    In the past couple of years, blockchain has spurred a new economy around digital assets. Smart contracts can be used to create a token on a blockchain and bind it to a specific digital asset. These assets are called non-fungible tokens (NFTs). Owners of NFTs can prove their chain of ownership and sell their tokens to others on a variety of marketplaces.

    Blockchain could be useful in the metaverse to track digital identity, manage digital assets, and enable data portability. Users could register their own avatars as NFTs to prove they are the real person behind their digital representation. They may also want a way to verify they own a virtual plot of land or demonstrate the scarcity of the digital clothing they are wearing in the metaverse. If users want to leave a certain metaverse platform, they could export their avatar and digital assets to a digital wallet and transfer them to another platform that supports the same standards.

    In the past, centralized platforms that create economies in a virtual world were able to create digital currencies and sell specific assets to users without the need for blockchain. Second Life is a good example, with Linden Labs providing a virtual token called Linden Dollars that users can exchange to buy goods and services from each other within the virtual world. Second Life processes 345 million transactions a year for virtual goods and reports a GDP of $650 million, which would put it ahead of some countries (VentureBeat, 2022). However, the value is trapped within Second Life and can't be exported elsewhere.

    Meta’s Plans

    Meta ended its Diem project in early 2022, winding down its plan to offer a digital currency pegged to US dollars. Assets were sold to Silvergate Bank for $182 million. On February 24, blockchain developer Atmos announced it wanted to bring the project back to life. Composed of many of the original developers that created Diem while it was still a Facebook project, the firm plans to raise funds based on the pitch that the new iteration will be "Libra without Facebook“ (CoinDesk, 2022).

    Microsoft’s Plans

    Microsoft expanded its team of blockchain developers after its lead executive in this area stated the firm is closely watching cryptocurrencies and NFTs. Blockchain Director York Rhodes tweeted on November 8, 2021, that he was expanding his team and was interested to connect with candidates "obsessed with Turing complete, scarce programmable objects that you can own & transfer & link to the real world through a social contract.”

    The enterprise metaverse holds implications for IT across several functional areas

    Improve maturity in these four areas first

    • Infrastructure & Operations
      • Lay the foundation
    • Security & Risk
      • Mitigate the risks
    • Apps
      • Deploy the precursors
    • Data & BI
      • Prepare to integrate
    Info-Tech and COBIT5's IT Management & Governance Framework with processes arranged like a periodic table. Highlighted process groups are 'Infrastructure & Operations', 'Security & Risk', 'Apps', and 'Data & BI'.

    Infrastructure & Operations

    Make space for the metaverse

    Risks

    • Network congestion: Connecting more devices that will be delivering highly graphical content will put new pressures on networks. Access points will have more connections to maintain and transit pathways more bandwidth to accommodate.
    • Device fragmentation: Currently many different vendors are selling augmented reality headsets used in the enterprise, including Google, Epson, Vuzix, and RealWear. More may enter soon, creating various types of endpoints that have different capabilities and different points of failure.
    • New workflows: Enterprises will only be able to benefit from deploying mixed reality devices if they're able to make them very useful to workers. Serving up relevant information in the context of a hands-free interface will become a new competency for enterprises to master.

    Mitigations

    • Dedicated network: Some companies are avoiding the congestion issue by creating a separate network for IoT devices on different infrastructure. For example, they might complement the Wi-Fi network with a wireless network on 5G or LoRaWAN standards.
    • Partner with systems integrators: Solutions vendors bringing metaverse solutions to the enterprise are already working with systems integrator partners to overcome integration barriers. These vendors are solving the problems of delivering enterprise content to a variety of new mixed reality touchpoints and determining just the right information to expose to users, at the right time.

    Security & Risk

    Mitigate metaverse risks before they take root

    Risks

    • Broader attack surface: Adding new mixed reality devices to the enterprise network will create more potential points of ingress for a cyberattack. Previous enterprise experiences with IoT in the enterprise have seen them exploited as weak points and used to create botnets or further infiltrate company networks.
    • More data in transit: Enterprise data will be flowing between these new devices and sometimes outside the company firewall to remote connections. Data from industrial IoT could also be integrated into these solutions and exposed.
    • New fraud opportunities: When Web 1.0 was first rolling out, not every company was able to secure the rights to the URL address matching its brand. Those not quick enough on the draw saw "domain squatters" use their brand equity to negotiate for a big pay day or, worse yet, to commit fraud. With blockchain opening up similar new digital real estate in Web3, the same risk arises.

    Mitigations

    • Mobile device management (MDM): New mixed reality headsets can be secured using existing MDM solutions on the market.
    • Encryption: Encrypting data end to end as it flows between IoT devices ensures that even if it does leak, it's not likely to be useful to a hacker.
    • Stake your claim: Claiming your brand's name in new Web3 domains may seems tedious, but it is likely to be cheap and might save you a headache down the line.

    Apps

    Deploy to your existing touchpoints

    Risks

    • Learning curves: Using new metaverse applications to complete tasks and collaborate with colleagues won’t be a natural progression for everyone. New headsets, gesture-based controls, and learning how to navigate the metaverse will present hurdles for users to overcome before they can be productive.
    • Is there a dress code in the metaverse? Avatars in the metaverse won’t necessarily look like the people behind the controls. What new norms will be needed to ensure avatars are appropriate for a work setting?
    • Fragmentation: Metaverse experiences are already creating islands. Users of Horizon Worlds can’t connect with colleagues using AltspaceVR. Similar to the challenges around different videoconferencing software, users could find they are divided by applications.

    Mitigations

    • Introduce concepts over time: Ask users to experiment with meeting in a VR context in a small group before expanding to a companywide conference event. Or have them use a headset for a simple video chat before they use it to complete a task in the field.
    • Administrative controls: Ensure that employees have some boundaries when designing their avatars, enforced either through controls placed on the software or through policies from HR.
    • Explore but don’t commit: It’s early days for these metaverse applications. Explore opportunities that become available through free trials and new releases to existing software suites but maintain flexibility to pivot should the need arise.

    Data & BI

    Deploy to your existing touchpoints

    Risks

    • Interoperability: There is no established standard for digital objects or behaviors in the metaverse. Meta and Microsoft say they are committed to open standards that will ensure portability of data across platforms, but how that will be executed isn’t clear yet.
    • Privacy: Sending data to another platform carries risks that it will be exfiltrated and stored elsewhere, presenting some challenges for companies that need to be compliant with legislation such as GDPR.
    • High-fidelity models: 3D models with photorealistic textures will come with high CPU requirements to render properly. Some head-mounted displays will run into limitations.

    Mitigations

    • Adopt standard interfaces: Using open APIs will be the most common path to integrating enterprise systems to metaverse applications.
    • Maintain compliance: The current approach enterprises take to creating data lakes and presenting them to platforms will extend to the metaverse. Building good controls and anonymizing data that resides in these locations will enable firms to interact in new platforms and remain compliant.
    • Right-sized rendering: Providing enough data to a device to make it useful without overburdening the CPU will be an important consideration. For example, TeamViewer uses polygon reduction to display 3D models on lower-powered head-mounted displays.

    More Info-Tech research to explore

    CIO Priorities 2022
    Priorities to compete in the digital economy.

    Microsoft Teams Cookbook
    Recipes for best practices and use cases for Microsoft Teams.

    Run Better Meetings
    Hybrid, virtual, or in person – set meeting best practices that support your desired meeting norms.

    Double Your Organization’s Effectiveness With a Digital Twin
    Digital twin: A living, breathing reflection.

    Contributing experts

    Photo of Dr. Hendrik Witt, Chief Product Officer, TeamViewer

    Dr. Hendrik Witt
    Chief Product Officer,
    TeamViewer

    Photo of Kevin Tucker, Principal Research Director, Industry Practice, INFO-TECH RESEARCH GROUP

    Kevin Tucker
    Principal Research Director, Industry Practice,
    INFO-TECH RESEARCH GROUP

    Bibliography

    Cannavò, Alberto, and F. Lamberti. “How Blockchain, Virtual Reality and Augmented Reality Are Converging, and Why.” IEEE Consumer Electronics Magazine, vol. 10, no. 5, Sept. 2020, pp. 6-13. IEEE Xplore. Web.

    Culliford, Elizabeth. “Meta’s Zuckerberg Unveils AI Projects Aimed at Building Metaverse Future.” Reuters, 24 Feb. 2022. Web.

    Davies, Nahla. “Cybersecurity and the Metaverse: Pioneering Safely into a New Digital World.” GlobalSign Blog, 10 Dec. 2021. GlobalSign by GMO. Web.

    Doctorow, Cory. “Neuromancer Today.” Medium, 10 Feb. 2022. Web.

    Heath, Alex. “Meta’s Social VR Platform Horizon Hits 300,000 Users.” The Verge, 17 Feb. 2022. Web.

    “Holoportation™.” Microsoft Research, 22 Feb. 2022. Microsoft. Accessed 3 March 2022.

    Isaac, Mike. “Meta Spent $10 Billion on the Metaverse in 2021, Dragging down Profit.” The New York Times, 2 Feb. 2022. Web.

    Isaac, Mike, and Sheera Frenkel. “Out With the Facebookers. In With the Metamates.” The New York Times, 15 Feb. 2022. Web.

    Langston, Jennifer. “‘You Can Actually Feel like You’re in the Same Place’: Microsoft Mesh Powers Shared Experiences in Mixed Reality.” Microsoft Innovation Stories, 2 Mar. 2021. Microsoft. Web.

    “Maple Leaf Sports & Entertainment and AWS Team Up to Transform Experiences for Canadian Sports Fans.” Amazon Press Center, 23 Feb. 2022. Amazon.com. Accessed 24 Feb. 2022. Web.

    Marquez, Reynaldo. “How Microsoft Will Move To The Web 3.0, Blockchain Division To Expand.” Bitcoinist.com, 8 Nov. 2021. Web.

    Metinko, Chris. “Securing The Metaverse—What’s Needed For The Next Chapter Of The Internet.” Crunchbase News, 6 Dec. 2021. Web.

    Metz, Rachel Metz. “Why You Can’t Have Legs in Virtual Reality (Yet).” CNN, 15 Feb. 2022. Accessed 16 Feb. 2022.

    “Microsoft to Acquire Activision Blizzard to Bring the Joy and Community of Gaming to Everyone, across Every Device.” Microsoft News Center, 18 Jan. 2022. Microsoft. Web.

    Nath, Ojasvi. “Big Tech Is Betting Big on Metaverse: Should Enterprises Follow Suit?” Toolbox, 15 Feb. 2022. Accessed 24 Feb. 2022.

    “NVIDIA Announces Omniverse Replicator Synthetic-Data-Generation Engine for Training AIs.” NVIDIA Newsroom, 9 Nov. 2021. NVIDIA. Accessed 9 Mar. 2022.

    “NVIDIA Omniverse - Designing, Optimizing and Operating the Factory of the Future. 2021. YouTube, uploaded by NVIDIA, 13 April 2021. Web.

    Peters, Jay. “Disney Has Appointed a Leader for Its Metaverse Strategy.” The Verge, 15 Feb. 2022. Web.

    Robinson, Joanna. The Sci-Fi Guru Who Predicted Google Earth Explains Silicon Valley’s Latest Obsession.” Vanity Fair, 23 June 2017. Accessed 13 Feb. 2022.

    Scoble, Robert. “New Startup Mixes Reality with Computer Vision and Sets the Stage for an Entire Industry.” Scobleizer, 17 Feb. 2022. Web.

    Seward, Zack. “Ex-Meta Coders Raising $200M to Bring Diem Blockchain to Life: Sources.” CoinDesk, 24 Feb. 2022. Web.

    Shrestha, Rakesh, et al. “A New Type of Blockchain for Secure Message Exchange in VANET.” Digital Communications and Networks, vol. 6, no. 2, May 2020, pp. 177-186. ScienceDirect. Web.

    Sood, Vishal. “Gain a New Perspective with Dynamics 365 Connected Spaces.” Microsoft Dynamics 365 Blog, 2 Nov. 2021. Microsoft. Web.

    Takahashi, Dean. “Philip Rosedale’s High Fidelity Cuts Deal with Second Life Maker Linden Lab.” VentureBeat, 13 Jan. 2022 Web.

    “TeamViewer Capital Markets Day 2021.” TeamViewer, 10 Nov. 2021. Accessed 22 Feb. 2022.

    VR for Work. Oculus.com. Accessed 1 Mar. 2022.

    Wunderman Thompson Intelligence. “New Trend Report: Into the Metaverse.” Wunderman Thompson, 14 Sept. 2021. Accessed 16 Feb. 2022.

    Improve Application Development Throughput

    • Buy Link or Shortcode: {j2store}151|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: $59,399 Average $ Saved
    • member rating average days saved: 39 Average Days Saved
    • Parent Category Name: Development
    • Parent Category Link: /development
    • The business is demanding more features at an increasing pace. It is expecting your development teams to keep up with its changing needs while maintaining high quality.
    • However, your development process is broken. Tasks are taking significant time to complete, and development handoffs are not smooth.

    Our Advice

    Critical Insight

    • Lean development is independent of your software development lifecycle (SDLC) methodology. Lean development practices can be used in both Agile and Waterfall teams.
    • Lean isn’t about getting rid of sound development processes. Becoming lean means fine-tuning the integration of core practices like coding and testing.
    • Lean thinking motivates automation. By focusing on optimizing the development process, automation becomes a logical and necessary step toward greater maturity and improved throughput.

    Impact and Result

    • Gain a deep understanding of lean principles and associated behaviors. Become familiar with the core lean principles and the critical attitudes and mindsets required by lean. Understand how incorporating DevOps and Agile principles can help your organization.
    • Conduct a development process and tool review. Use a value-stream analysis of your current development process and tools to reveal bottlenecks and time-consuming or wasteful tasks. Analyze these insights to identify root causes and the impact to product delivery.
    • Incorporate the right tools and practices to become more lean. Optimize the key areas where you are experiencing the most pain and consuming the most resources. Look at how today’s best development and testing practices (e.g. version control, branching) and tools (e.g. automation, continuous integration) can improve the throughput of your delivery pipeline.

    Improve Application Development Throughput Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should make development teams leaner, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Conduct a current state analysis

    Acquire a holistic perspective of the development team, process, and tools to identify the bottlenecks and inefficiency points that are significantly delaying releases.

    • Improve Application Development Throughput – Phase 1: Conduct a Current State Analysis
    • Lean Implementation Roadmap Template
    • Lean Development Readiness Assessment

    2. Define the lean future state

    Identify the development guiding principles and artifact management practices and build automation and continuous integration processes and tools that best fit the context and address the organization’s needs.

    • Improve Application Development Throughput – Phase 2: Define the Lean Future State

    3. Create an implementation roadmap

    Prioritize lean implementation initiatives in a gradual, phased approach and map the critical stakeholders in the lean transformation.

    • Improve Application Development Throughput – Phase 3: Create an Implementation Roadmap
    [infographic]

    Workshop: Improve Application Development Throughput

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Conduct a Current State Analysis

    The Purpose

    Assess the current state of your development environment.

    Select a pilot project to demonstrate the value of your optimization.

    Key Benefits Achieved

    Realization of the root causes behind the bottlenecks and inefficiencies in your current development process.

    Valuation of your current development tools.

    Selection of a pilot project that will be used to gather the metrics in order obtain buy-in for wider optimization initiatives.

    Activities

    1.1 Assess your readiness to transition to lean development.

    1.2 Conduct a SWOT analysis and value-stream assessment of your current development process.

    1.3 Evaluate your development tools.

    1.4 Select a pilot project.

    Outputs

    Lean development readiness assessment

    Current state analysis of development process

    Value assessment of existing development tools

    Pilot project selection

    2 Define Your Lean Future State

    The Purpose

    Establish your development guiding principles.

    Enhance the versioning and management of your development artifacts.

    Automatically build and continuously integrate your code.

    Key Benefits Achieved

    Grounded and well-understood set of guiding principles that are mapped to development tasks and initiatives.

    Version control strategy of development artifacts, including source code, adapted to support lean development.

    A tailored approach to establish the right environment to support automated build, testing, and continuous integration tools.

    Activities

    2.1 Assess your alignment to the lean principles.

    2.2 Define your lean development guiding principles.

    2.3 Define your source code branching approach.

    2.4 Define your build automation approach.

    2.5 Define your continuous integration approach.

    Outputs

    Level of alignment to lean principles

    Development guiding principles

    Source code branching approach

    Build automation approach.

    Continuous integration approach

    3 Create Your Implementation Roadmap

    The Purpose

    Prioritize your optimization initiatives to build an implementation roadmap.

    Identify the stakeholders of your lean transformation.

    Key Benefits Achieved

    Phased implementation roadmap that accommodates your current priorities, constraints, and enablers.

    Stakeholder engagement strategy to effectively demonstrate the value of the optimized development environment.

    Activities

    3.1 Identify metrics to gauge the success of your lean transformation.

    3.2 List and prioritize your implementation steps.

    3.3 Identify the stakeholders of your lean transformation.

    Outputs

    List of product, process, and tool metrics

    Prioritized list of tasks to optimize your development environment

    Identification of key stakeholders

    2024 Tech Trends

    • Buy Link or Shortcode: {j2store}289|cart{/j2store}
    • member rating overall impact: 10
    • Parent Category Name: Innovation
    • Parent Category Link: /improve-your-core-processes/strategy-and-governance/innovation

    AI has revolutionized the landscape, placing the spotlight firmly on the generative enterprise.

    The far-reaching impact of generative AI across various sectors presents fresh prospects for organizations to capitalize on and novel challenges to address as they chart their path for the future. AI is more than just a fancy auto-complete. At this point it may look like that, but do not underestimate the evolutive power.

    In this year's Tech Trends report, we explore three key developments to capitalize on these opportunities and three strategies to minimize potential risks.

    Generative AI will take the lead.

    As AI transforms industries and business processes, IT and business leaders must adopt a deliberate and strategic approach across six key domains to ensure their success.

    Seize Opportunities:

    • Business models driven by AI
    • Automation of back-office functions
    • Advancements in spatial computing

    Mitigate Risks:

    • Ethical and responsible AI practices
    • Incorporating security from the outset
    • Ensuring digital sovereignty

    Deliver Digital Products at Scale

    • Buy Link or Shortcode: {j2store}156|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: $86,499 Average $ Saved
    • member rating average days saved: 53 Average Days Saved
    • Parent Category Name: Development
    • Parent Category Link: /development
    • Products are the lifeblood of an organization. They provide the capabilities the business needs to deliver value to both internal and external customers and stakeholders.
    • Product organizations are expected to continually deliver evolving value to the overall organization as they grow.
    • You need to clearly convey the direction and strategy of a broad product portfolio to gain alignment, support, and funding from your organization.

    Our Advice

    Critical Insight

    • Product delivery requires significant shifts in the way you complete development work and deliver value to your users. Make the changes that improve end-user value and enterprise alignment.
    • Your organizational goals and strategy are achieved through capabilities that deliver value. Your product hierarchy is the mechanism to translate enterprise goals, priorities, and constraints down to the product level where changes can be made.
    • Recognize that each product owner represents one of three primary perspectives: business, technical, and operational. Although all share the same capabilities, how they approach their responsibilities is influenced by their perspective.
    • The quality of your product backlog – and your ability to realize business value from your delivery pipeline – is directly related to the input, content, and prioritization of items in your product roadmap.
    • Your product family roadmap and product roadmap tell different stories. The product family roadmap represents the overall connection of products to the enterprise strategy, while the product roadmap focuses on the fulfillment of the product’s vision.
    • Although products can be delivered with any software development lifecycle, methodology, delivery team structure, or organizational design, high-performing product teams optimize their structure to fit the needs of product and product family delivery.

    Impact and Result

    • Understand the importance of product families for scaling product delivery.
    • Define products in your context and organize products into operational families.
    • Use product family roadmaps to align product roadmaps to enterprise goals and priorities.
    • Evaluate the different approaches to improve your product family delivery pipelines and milestones.

    Deliver Digital Products at Scale Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should define enterprise product families to scale your product delivery capability, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Become a product-centric organization

    Define products in your organization’s context and explore product families as a way to organize products at scale.

    • Deliver Digital Products at Scale – Phase 1: Become a Product-Centric Organization
    • Deliver Digital Products at Scale Workbook
    • Digital Product Family Strategy Playbook

    2. Organize products into product families

    Identify an approach to group the inventory of products into one or more product families.

    • Deliver Digital Products at Scale – Phase 2: Organize Products Into Product Families

    3. Ensure alignment between products and families

    Confirm alignment between your products and product families via the product family roadmap and a shared definition of delivered value.

    • Deliver Digital Products at Scale – Phase 3: Ensure Alignment Between Products and Families

    4. Bridge the gap between product families and delivery

    Agree on a delivery approach that best aligns with your product families.

    • Deliver Digital Products at Scale – Phase 4: Bridge the Gap Between Product Families and Delivery
    • Deliver Digital Products at Scale Readiness Assessment

    5. Build your transformation roadmap and communication plan

    Define your communication plan and transformation roadmap for transitioning to delivering products at the scale of your organization.

    • Deliver Digital Products at Scale – Phase 5: Transformation Roadmap and Communication

    Infographic

    Workshop: Deliver Digital Products at Scale

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Become a Product-Centric Organization

    The Purpose

    Define products in your organization’s context and explore product families as a way to organize products at scale.

    Key Benefits Achieved

    An understanding of the case for product practices

    A concise definition of products and product families

    Activities

    1.1 Understand your organizational factors driving product-centric delivery.

    1.2 Establish your organization’s product inventory.

    1.3 Determine your approach to scale product families.

    Outputs

    Organizational drivers and goals for a product-centric delivery

    Definition of product

    Product scaling principles

    Scaling approach and direction

    Pilot list of products to scale

    2 Organize Products Into Product Families

    The Purpose

    Identify a suitable approach to group the inventory of products into one or more product families.

    Key Benefits Achieved

    A scaling approach for products that fits your organization

    Activities

    2.1 Define your product families.

    Outputs

    Product family mapping

    Enabling applications

    Dependent applications

    Product family canvas

    3 Ensure Alignment Between Products and Families

    The Purpose

    Confirm alignment between your products and product families via the product family roadmap and a shared definition of delivered value.

    Key Benefits Achieved

    Recognition of the product family roadmap and a shared definition of value as key concepts to maintain alignment between your products and product families

    Activities

    3.1 Leverage product family roadmaps.

    3.2 Use stakeholder management to improve roadmap communication.

    3.3 Configure your product family roadmaps.

    3.4 Confirm product family to product alignment.

    Outputs

    Current approach for communication of product family strategy

    List of product family stakeholders and a prioritization plan for communication

    Defined key pieces of a product family roadmap

    An approach to confirming alignment between products and product families through a shared definition of business value

    4 Bridge the Gap Between Product Families and Delivery

    The Purpose

    Agree on the delivery approach that best aligns with your product families.

    Key Benefits Achieved

    An understanding of the team configuration and operating model required to deliver value through your product families

    Activities

    4.1 Assess your organization’s delivery readiness.

    4.2 Understand your delivery options.

    4.3 Determine your operating model.

    4.4 Identify how to fund product delivery.

    4.5 Learn how to introduce your digital product family strategy.

    4.6 Communicate changes on updates to your strategy.

    4.7 Determine your next steps.

    Outputs

    Assessment results on your organization’s delivery maturity

    A preferred approach to structuring product delivery

    Your preferred operating model for delivering product families

    Understanding of your preferred approach for product family funding

    Product family transformation roadmap

    Your plan for communicating your roadmap

    List of actionable next steps to start on your journey

    5 Advisory: Next Steps and Wrap-Up (offsite)

    The Purpose

    Implement your communication plan and transformation roadmap for transitioning to delivering products at the scale of your organization.

    Key Benefits Achieved

    New product family organization and supporting product delivery approach

    Activities

    5.1 Execute communication plan and product family changes.

    5.2 Review the pilot family implementation and update the transformation roadmap.

    5.3 Begin advisory calls for related blueprints.

    Outputs

    Organizational communication of product families and product family roadmaps

    Product family implementation and updated transformation roadmap

    Support for product owners, backlog and roadmap management, and other topics

    Further reading

    Deliver Digital Products at Scale

    Deliver value at the scale of your organization through defining enterprise product families.

    Analyst Perspective

    Product families align enterprise goals to product changes and value realization.

    A picture of Info-Tech analyst Banu Raghuraman. A picture of Info-Tech analyst Ari Glaizel. A picture of Info-Tech analyst Hans Eckman

    Our world is changing faster than ever, and the need for business agility continues to grow. Organizations are shifting from long-term project delivery to smaller, iterative product delivery models to be able to embrace change and respond to challenges and opportunities faster.

    Unfortunately, many organizations focus on product delivery at the tactical level. Product teams may be individually successful, but how well are their changes aligned to division and enterprise goals and priorities?

    Grouping products into operationally aligned families is key to delivering the right value to the right stakeholders at the right time.

    Product families translate enterprise goals, constraints, and priorities down to the individual product level so product owners can make better decisions and more effectively manage their roadmaps and backlogs. By scaling products into families and using product family roadmaps to align product roadmaps, product owners can deliver the capabilities that allow organizations to reach their goals.

    In this blueprint, we’ll provide the tools and guidance to help you define what “product” means to your organization, use scaling patterns to build product families, align product and product family roadmaps, and identify impacts to your delivery and organizational design models.

    Banu Raghuraman, Ari Glaizel, and Hans Eckman

    Applications Practice

    Info-Tech Research Group

    Deliver Digital Products at Scale

    Deliver value at the scale of your organization through defining enterprise product families.

    EXECUTIVE BRIEF

    Executive Summary

    Your Challenge

    • Products are the lifeblood of an organization. They deliver the capabilities needed to deliver value to customers, internal users, and stakeholders.
    • The shift to becoming a product organization is intended to continually increase the value you provide to the broader organization as you grow and evolve.
    • You need to clearly convey the direction and strategy of your product portfolio to gain alignment, support, and funding from your organization.

    Common Obstacles

    • IT organizations are traditionally organized to deliver initiatives in specific periods of time. This conflicts with product delivery, which continuously delivers value over the lifetime of a product.
    • Delivering multiple products together creates additional challenges because each product has its own pedigree, history, and goals.
    • Product owners struggle to prioritize changes to deliver product value. This creates a gap and conflict between product and enterprise goals.

    Info-Tech’s Approach

    Info-Tech’s approach will guide you through:

    • Understanding the importance of product families in scaling product delivery.
    • Defining products in your context and organizing products into operational families.
    • Using product family roadmaps to align product roadmaps to enterprise goals and priorities.
    • Evaluating the different approaches to improve your product family delivery pipelines and milestones.

    Info-Tech Insight

    Changes can only be made at the individual product or service level. To achieve enterprise goals and priorities, organizations needed to organize and scale products into operational families. This structure allows product managers to translate goals and constraints to the product level and allows product owners to deliver changes that support enabling capabilities. In this blueprint, we’ll help you define your products, scale them using the best patterns, and align your roadmaps and delivery models to improve throughput and value delivery.

    Info-Tech’s approach

    Operationally align product delivery to enterprise goals

    A flowchart is shown on how to operationally align product delivery to enterprise goals.

    The Info-Tech difference:

    1. Start by piloting product families to determine which approaches work best for your organization.
    2. Create a common definition of what a product is and identify products in your inventory.
    3. Use scaling patterns to build operationally aligned product families.
    4. Develop a roadmap strategy to align families and products to enterprise goals and priorities.
    5. Use products and families to evaluate delivery and organizational design improvements.

    Deliver Digital Products at Scale via Enterprise Product Families

    An infographic on the Enterprise Product Families is shown.

    Product does not mean the same thing to everyone

    Do not expect a universal definition of products.

    Every organization and industry has a different definition of what a product is. Organizations structure their people, processes, and technologies according to their definition of the products they manage. Conflicting product definitions between teams increase confusion and misalignment of product roadmaps.

    “A product [is] something (physical or not) that is created through a process and that provides benefits to a market.”

    - Mike Cohn, Founding Member of Agile Alliance and Scrum Alliance

    “A product is something ... that is created and then made available to customers, usually with a distinct name or order number.”

    - TechTarget

    “A product is the physical object ... , software or service from which customer gets direct utility plus a number of other factors, services, and perceptions that make the product useful, desirable [and] convenient.”

    - Mark Curphey

    Organizations need a common understanding of what a product is and how it pertains to the business. This understanding needs to be accepted across the organization.

    “There is not a lot of guidance in the industry on how to define [products]. This is dangerous because what will happen is that product backlogs will be formed in too many areas. All that does is create dependencies and coordination across teams … and backlogs.”

    – Chad Beier, "How Do You Define a Product?” Scrum.org

    What is a product?

    “A tangible solution, tool, or service (physical or digital) that enables the long-term and evolving delivery of value to customers and stakeholders based on business and user requirements.”

    Info-Tech Insight

    A proper definition of product recognizes three key facts:

    1. Products are long-term endeavors that don’t end after the project finishes.
    2. Products are not just “apps” but can be software or services that drive the delivery of value.
    3. There is more than one stakeholder group that derives value from the product or service.

    Products and services share the same foundation and best practices

    For the purpose of this blueprint, product/service and product owner/service owner are used interchangeably. Product is used for consistency but would apply to services as well.

    Product = Service

    “Product” and “service” are terms that each organization needs to define to fit its culture and customers (internal and external). The most important aspect is consistent use and understanding of:

    • External products
    • Internal products
    • External services
    • Internal services
    • Products as a service (PaaS)
    • Productizing services (SaaS)

    Recognize the different product owner perspectives

    Business:

    • Customer facing, revenue generating

    Technical:

    • IT systems and tools

    Operations:

    • Keep the lights on processes

    Info-Tech Best Practice

    Product owners must translate needs and constraints from their perspective into the language of their audience. Kathy Borneman, Digital Product Owner at SunTrust Bank, noted the challenges of finding a common language between lines of business and IT (e.g. what is a unit?).

    Info-Tech Insight

    Recognize that product owners represent one of three primary perspectives. Although all share the same capabilities, how they approach their responsibilities is influenced by their perspective.

    “A Product Owner in its most beneficial form acts like an Entrepreneur, like a 'mini-CEO'. The Product Owner is someone who really 'owns' the product.”

    – Robbin Schuurman, “Tips for Starting Product Owners”

    Identify the differences between a project-centric and a product-centric organization

    Project

    Product

    Fund projects

    Funding

    Fund products or teams

    Line of business sponsor

    Prioritization

    Product owner

    Makes specific changes to a product

    Product management

    Improve product maturity and support

    Assign people to work

    Work allocation

    Assign work to product teams

    Project manager manages

    Capacity management

    Team manages capacity

    Info-Tech Insight

    Product delivery requires significant shifts in the way you complete development work and deliver value to your users. Make the changes that support improving end-user value and enterprise alignment.

    Projects can be a mechanism for delivering product changes and improvements

    A flowchart is shown to demonstrate the difference between project lifecycle, hybrid lifecycle and product lifecycle.

    Projects within products

    Regardless of whether you recognize yourself as a product-based or project-based shop, the same basic principles should apply. The purpose of projects is to deliver the scope of a product release. The shift to product delivery leverages a product roadmap and backlog as the mechanism for defining and managing the scope of the release. Eventually, teams progress to continuous integration/continuous delivery (CI/CD) where they can release on demand or as scheduled, requiring org change management.

    Define product value by aligning backlog delivery with roadmap goals

    In each product plan, the backlogs show what you will deliver. Roadmaps identify when and in what order you will deliver value, capabilities, and goals.

    An image is shown to demonstrate the relationship between the product backlog and the product roadmap.

    Product roadmaps guide delivery and communicate your strategy

    In Deliver on Your Digital Product Vision, we demonstrate how the product roadmap is core to value realization. The product roadmap is your communicated path, and as a product owner, you use it to align teams and changes to your defined goals while aligning your product to enterprise goals and strategy.

    An example of a product roadmap is shown to demonstrate how it is the core to value realization.

    Adapted from: Pichler, "What Is Product Management?""

    Info-Tech Insight

    The quality of your product backlog – and your ability to realize business value from your delivery pipeline – is directly related to the input, content, and prioritization of items in your product roadmap.

    Use Agile DevOps principles to expedite product-centric delivery and management

    Delivering products does not necessarily require an Agile DevOps mindset. However, Agile methods facilitate the journey because product thinking is baked into them.

    A flowchart is shown to demonstrate the product deliery maturity and the Agile DevOps used.
    Based on: Ambysoft, 2018

    Organizations start with Waterfall to improve the predictable delivery of product features.

    Iterative development shifts the focus from delivery of features to delivery of user value.

    Agile further shifts delivery to consider ROI. Often, the highest-value backlog items aren’t the ones with the highest ROI.

    Lean and DevOps improve your delivery pipeline by providing full integration between product owners, development teams, and operations.

    CI/CD reduces time in process by allowing release on demand and simplifying release and support activities.

    Although teams will adopt parts of all these stages during their journey, it isn’t until you’ve adopted a fully integrated delivery chain that you’ve become product centric.

    Scale products into related families to improve value delivery and alignment

    Defining product families builds a network of related products into coordinated value delivery streams.

    A flowchart is shown to demonstrate the relations between product family and the delivery streams.

    “As with basic product management, scaling an organization is all about articulating the vision and communicating it effectively. Using a well-defined framework helps you align the growth of your organization with that of the company. In fact, how the product organization is structured is very helpful in driving the vision of what you as a product company are going to do.”

    – Rich Mironov, Mironov Consulting

    Product families translate enterprise goals into value-enabling capabilities

    A flowchart is shown to demonstrate the relationship between enterprise strategy and enabling capabilities.

    Info-Tech Insight

    Your organizational goals and strategy are achieved through capabilities that deliver value. Your product hierarchy is the mechanism to translate enterprise goals, priorities, and constraints down to the product level where changes can be made.

    Arrange product families by operational groups, not solely by your org chart

    A flowchart is shown to demonstrate how to arrange product families by operational groups.

    1. To align product changes with enterprise goals and priorities, you need to organize your products into operational groups based on the capabilities or business functions the product and family support.

    2. Product managers translate these goals, priorities, and constraints into their product families, so they are actionable at the next level, whether that level is another product family or products implementing enhancements to meet these goals.

    3. The product family manager ensures that the product changes enhance the capabilities that allow you to realize your product family, division, and enterprise goals.

    4. Enabling capabilities realize value and help reach your goals, which then drives your next set of enterprise goals and strategy.

    Approach alignment from both directions, validating by the opposite way

    Defining your product families is not a one-way street. Often, we start from either the top or the bottom depending on our scaling principles. We use multiple patterns to find the best arrangement and grouping of our products and families.

    It may be helpful to work partway, then approach your scaling from the opposite direction, meeting in the middle. This way you are taking advantage of the strengths in both approaches.

    Once you have your proposed structure, validate the grouping by applying the principles from the opposite direction to ensure each product and family is in the best starting group.

    As the needs of your organization change, you may need to realign your product families into your new business architecture and operational structure.

    A top-down alignment example is shown.

    When to use: You have a business architecture defined or clear market/functional grouping of value streams.

    A bottom-up alignment example is shown.

    When to use: You are starting from an Application Portfolio Management application inventory to build or validate application families.

    Leverage patterns for scaling products

    Organizing your products and families is easier when leveraging these grouping patterns. Each is explained in greater detail on the following slides

    Value Stream Alignment

    Enterprise Applications

    Shared Services

    Technical

    Organizational Alignment

    • Business architecture
      • Value stream
      • Capability
      • Function
    • Market/customer segment
    • Line of business (LoB)
    • Example: Customer group > value stream > products
    • Enabling capabilities
    • Enterprise platforms
    • Supporting apps
    • Example: HR > Workday/Peoplesoft > ModulesSupporting: Job board, healthcare administrator
    • Organization of related services into service family
    • Direct hierarchy does not necessarily exist within the family
    • Examples: End-user support and ticketing, workflow and collaboration tools
    • Domain grouping of IT infrastructure, platforms, apps, skills, or languages
    • Often used in combination with Shared Services grouping or LoB-specific apps
    • Examples: Java, .NET, low-code, database, network
    • Used at higher levels of the organization where products are aligned under divisions
    • Separation of product managers from organizational structure no longer needed because the management team owns product management role

    Leverage the product family roadmap for alignment

    It’s more than a set of colorful boxes. It’s the map to align everyone to where you are going.

    Your product family roadmap

      ✓ Lays out a strategy for your product family.

      ✓ Is a statement of intent for your family of products.

      ✓ Communicates direction for the entire product family and product teams.

      ✓ Directly connects to the organization’s goals.

    However, it is not:

      x Representative of a hard commitment.

      x A simple combination of your current product roadmaps.

    Before connecting your family roadmap to products, think about what each roadmap typically presents

    An example of a product family roadmap is shown and how it can be connected to the products.

    Info-Tech Insight

    Your product family roadmap and product roadmap tell different stories. The product family roadmap represents the overall connection of products to the enterprise strategy, while the product roadmap focuses on the fulfillment of the product’s vision.

    Product family roadmaps are more strategic by nature

    While individual product roadmaps can be different levels of tactical or strategic depending on a variety of market factors, your options are more limited when defining roadmaps for product families.

    Product

    TACTICAL

    A roadmap that is technical, committed, and detailed.

    Product Family

    STRATEGIC

    A roadmap that is strategic, goal based, high level, and flexible.

    Info-Tech Insight

    Roadmaps for your product family are, by design, less detailed. This does not mean they aren’t actionable! Your product family roadmap should be able to communicate clear intentions around the future delivery of value in both the near and long term.

    Consider volatility when structuring product family roadmaps

    A roadmap is shown without any changes.

    There is no such thing as a roadmap that never changes.

    Your product family roadmap represents a broad statement of intent and high-level tactics to get closer to the organization’s goals.

    A roadmap is shown with changes.

    All good product family roadmaps embrace change!

    Your strategic intentions are subject to volatility, especially those planned further in the future. The more costs you incur in planning, the more you leave yourself exposed to inefficiency and waste if those plans change.

    Info-Tech Insight

    A good product family roadmap is intended to manage and communicate the inevitable changes as a result of market volatility and changes in strategy.

    Product delivery realizes value for your product family

    While planning and analysis are done at the family level, work and delivery are done at the individual product level.

    PRODUCT STRATEGY

    What are the artifacts?

    What are you saying?

    Defined at the family level?

    Defined at the product level?

    Vision

    I want to...

    Strategic focus

    Delivery focus

    Goals

    To get there we need to...

    Roadmap

    To achieve our goals, we’ll deliver...

    Backlog

    The work will be done in this order...

    Release Plan

    We will deliver in the following ways...

    Typical elements of a product family roadmap

    While there are others, these represent what will commonly appear across most family-based roadmaps.

    An example is shown to highlight the typical elements of a product family roadmap.

    GROUP/CATEGORY: Groups are collections of artifacts. In a product family context, these are usually product family goals, value streams, or products.

    ARTIFACT: An artifact is one of many kinds of tangible by-products produced during the delivery of products. For a product family, the artifacts represented are capabilities or value streams.

    MILESTONE: Points in the timeline when established sets of artifacts are complete. This is a critical tool in the alignment of products in a given family.

    TIME HORIZON: Separated periods within the projected timeline covered by the roadmap.

    Connecting your product family roadmaps to product roadmaps

    Your product and product family roadmaps should be connected at an artifact level that is common between both. Typically, this is done with capabilities, but it can be done at a more granular level if an understanding of capabilities isn’t available.

    An example is shown on how the product family roadmpas can be connected to the product roadmaps.

    Multiple roadmap views can communicate differently, yet tell the same truth

    Audience

    Business/ IT Leaders

    Users/Customers

    Delivery Teams

    Roadmap View

    Portfolio

    Product Family

    Technology

    Objectives

    To provide a snapshot of the portfolio and priority products

    To visualize and validate product strategy

    To coordinate broad technology and architecture decisions

    Artifacts

    Line items or sections of the roadmap are made up of individual products, and an artifact represents a disposition at its highest level.

    Artifacts are generally grouped by product teams and consist of strategic goals and the features that realize those goals.

    Artifacts are grouped by the teams who deliver that work and consist of technical capabilities that support the broader delivery of value for the product family.

    Your communication objectives are linked to your audience; ensure you know your audience and speak their language

    I want to...

    I need to talk to...

    Because they are focused on...

    ALIGN PRODUCT TEAMS

    Get my delivery teams on the same page.

    Architects

    Products Owners

    PRODUCTS

    A product that delivers value against a common set of goals and objectives.

    SHOWCASE CHANGES

    Inform users and customers of product strategy.

    Bus. Process Owners

    End Users

    FUNCTIONALITY

    A group of functionality that business customers see as a single unit.

    ARTICULATE RESOURCE REQUIREMENTS

    Inform the business of product development requirements.

    IT Management

    Business Stakeholders

    FUNDING

    An initiative that those with the money see as a single budget.

    Assess the impacts of product-centric delivery on your teams and org design

    Product delivery can exist within any org structure or delivery model. However, when making the shift toward product management, consider optimizing your org design and product team structure to match your capacity and throughput needs.

    A flowchart is shown to see how the impacts of product-centric delivery can impact team and org designs.

    Determine which delivery team structure best fits your product pipeline

    Four delivery team structures are shown. The four are: functional roles, shared service and resource pools, product or system, and skills and competencies.

    Weigh the pros and cons of IT operating models to find the best fit

    There are many different operating models. LoB/Product Aligned and Hybrid Functional align themselves most closely with how products and product families are typically delivered.

    1. LoB/Product Aligned – Decentralized Model: Line of Business, Geographically, Product, or Functionally Aligned
    2. A decentralized IT operating model that embeds specific functions within LoBs/product teams and provides cross-organizational support for their initiatives.

    3. Hybrid Functional: Functional/Product Aligned
    4. A best-of-both-worlds model that balances the benefits of centralized and decentralized approaches to achieve both customer responsiveness and economies of scale.

    5. Hybrid Service Model: Product-Aligned Operating Model
    6. A model that supports what is commonly referred to as a matrix organization, organizing by highly related service categories and introducing the role of the service owner.

    7. Centralized: Plan-Build-Run
    8. A highly typical IT operating model that focuses on centralized strategic control and oversight in delivering cost-optimized and effective solutions.

    9. Centralized: Demand-Develop-Service
    10. A centralized IT operating model that lends well to more mature operating environments. Aimed at leveraging economies of scale in an end-to-end services delivery model.

    Consider how investment spending will differ in a product environment

    Reward for delivering outcomes, not features

    Autonomy

    Flexibility

    Accountability

    Fund what delivers value

    Allocate iteratively

    Measure and adjust

    Fund long-lived delivery of value through products (not projects).

    Give autonomy to the team to decide exactly what to build.

    Allocate to a pool based on higher-level business case.

    Provide funds in smaller amounts to different product teams and initiatives based on need.

    Product teams define metrics that contribute to given outcomes.

    Track progress and allocate more (or less) funds as appropriate.

    Adapted from Bain, 2019

    Info-Tech Insight

    Changes to funding require changes to product and Agile practices to ensure product ownership and accountability.

    Why is having a common value measure important?

    CIO-CEO Alignment Diagnostic

    A stacked bar graph is shown to demonstrate CIO-CEO Alignment Diagnostic. A bar titled: Business Value Metrics is highlighted. 51% had some improvement necessary and 32% had significant improvement necessary.

    Over 700 Info-Tech members have implemented the Balanced Value Measurement Framework.

    “The cynic knows the price of everything and the value of nothing.”

    – Oscar Wilde

    “Price is what you pay. Value is what you get.”

    – Warren Buffett

    Understanding where you derive value is critical to building solid roadmaps.

    Measure delivery and success

    Metrics and measurements are powerful tools to drive behavior change and decision making in your organization. However, metrics are highly prone to creating unexpected outcomes, so use them with great care. Use metrics judiciously to uncover insights but avoid gaming or ambivalent behavior, productivity loss, and unintended consequences.

    Build good practices in your selection and use of metrics:

    • Choose the metrics that are as close to measuring the desired outcome as possible.
    • Select the fewest metrics possible and ensure they are of the highest value to your team, the safest from gaming behaviors and unintended consequences, and the easiest to gather and report.
    • Never use metrics for reward or punishment; use them to develop your team.
    • Automate as much metrics gathering and reporting as possible.
    • Focus on trends rather than precise metrics values.
    • Review and change your metrics periodically.

    Executive Brief Case Study

    INDUSTRY: Public Sector & Financial Services

    SOURCE: Info-Tech Interviews

    A tale of two product transformations

    Two of the organizations we interviewed shared the challenges they experienced defining product families and the impact these challenges had on their digital transformations.

    A major financial services organization (2,000+ people in IT) had employed a top-down line of business–focused approach and found itself caught in a vicious circle of moving applications between families to resolve cross-LoB dependencies.

    A similarly sized public sector organization suffered from a similar challenge as grouping from the bottom up based on technology areas led to teams fragmented across multiple business units employing different applications built on similar technology foundations.

    Results

    Both organizations struggled for over a year to structure their product families. This materially delayed key aspects of their product-centric transformation, resulting in additional effort and expenditure delivering solutions piecemeal as opposed to as a part of a holistic product family. It took embracing a hybrid top-down and bottom-up approach and beginning with pilot product families to make progress on their transformation.

    A picture of Cole Cioran is shown.

    Cole Cioran

    Practice Lead,

    Applications Practice

    Info-Tech Research Group

    There is no such thing as a perfect product-family structure. There will always be trade-offs when you need to manage shifting demand from stakeholder groups spanning customers, business units, process owners, and technology owners.

    Focusing on a single approach to structure your product families inevitably leads to decisions that are readily challenged or are brittle in the face of changing demand.

    The key to accelerating a product-centric transformation is to build a hybrid model that embraces top-down and bottom-up perspectives to structure and evolve product families over time. Add a robust pilot to evaluate the structure and you have the key to unlocking the potential of product delivery in your organization.

    Info-Tech’s methodology for Deliver Digital Products at Scale

    1. Become a Product-Centric Organization

    2. Organize Products Into Product Families

    3. Ensure Alignment Between Products and Families

    4. Bridge the Gap Between Product Families and Delivery

    5. Build Your Transformation Roadmap and Communication Plan

    Phase Steps

    1.1 Understand the organizational factors driving product-centric delivery

    1.2 Establish your organization’s product inventory

    2.1 Determine your approach to scale product families

    2.2 Define your product families

    3.1 Leverage product family roadmaps

    3.2 Use stakeholder management to improve roadmap communication

    3.3 Configure your product family roadmaps

    3.4 Confirm goal and value alignment of products and their product families

    4.1 Assess your organization’s delivery readiness

    4.2 Understand your delivery options

    4.3 Determine your operating model

    4.4 Identify how to fund product family delivery

    5.1 Introduce your digital product family strategy

    5.2 Communicate changes on updates to your strategy

    5.3 Determine your next steps

    Phase Outcomes
    • Organizational drivers and goals for a product-centric delivery
    • Definition of product
    • Pilot list of products to scale
    • Product scaling principles
    • Scaling approach and direction
    • Product family mapping
    • Enabling applications
    • Dependent applications
    • Product family canvas
    • Approach for communication of product family strategy
    • Stakeholder management plan
    • Defined key pieces of a product family roadmap
    • An approach to confirming alignment between products and product families
    • Assessment of delivery maturity
    • Approach to structuring product delivery
    • Operating model for product delivery
    • Approach for product family funding
    • Product family transformation roadmap
    • Your plan for communicating your roadmap
    • List of actionable next steps to start on your journey

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Deliver Digital Products at Scale Workbook

    Use this supporting workbook to document interim results from a number of exercises that will contribute to your overall strategy.

    A screenshot of the Scale Workbook is shown.

    Deliver Digital Products at Scale Readiness Assessment

    Your strategy needs to encompass your approaches to delivery. Understand where you need to focus using this simple assessment.

    A screenshot of the Scale Readiness Assessment is shown.

    Key deliverable:

    Digital Product Family Strategy Playbook

    Record the results from the exercises to help you define, detail, and deliver digital products at scale.

    A screenshot of the Digital Product Family Strategy Playbook is shown.

    Blueprint benefits

    IT Benefits

    • Improved product delivery ROI.
    • Improved IT satisfaction and business support.
    • Greater alignment between product delivery and product family goals.
    • Improved alignment between product delivery and organizational models.
    • Better support for Agile/DevOps adoption.

    Business Benefits

    • Increased value realization across product families.
    • Faster delivery of enterprise capabilities.
    • Improved IT satisfaction and business support.
    • Greater alignment between product delivery and product family goals.
    • Uniform understanding of product and product family roadmaps and key milestones.

    Measure the value of this blueprint

    Align product family metrics to product delivery and value realization.

    Member Outcome Suggested Metric Estimated Impact

    Increase business application satisfaction

    Satisfaction with business applications (CIO Business Vision diagnostic)

    20% increase within one year after implementation

    Increase effectiveness of application portfolio management

    Effectiveness of application portfolio management (Management & Governance diagnostic)

    20% increase within one year after implementation

    Increase importance and effectiveness of application portfolio

    Importance and effectiveness to business ( Application Portfolio Assessment diagnostic)

    20% increase within one year after implementation

    Increase satisfaction of support of business operations

    Support to business (CIO Business Vision diagnostic.

    20% increase within one year after implementation

    Successfully deliver committed work (productivity)

    Number of successful deliveries; burndown

    20% increase within one year after implementation

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keeps us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks are used throughout all four options.

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1: Become a Product-Centric Organization

    Phase 2: Organize Products Into Product Families

    Phase 3: Ensure Alignment Between Products and Families

    Phase 4: Bridge the Gap Between Product Families and Delivery

    Call #1: Scope requirements, objectives, and your specific challenges.

    Call #2: Define products and product families in your context.

    Call #3: Understand the list of products in your context.

    Call #4: Define your scaling principles and goals.

    Call #5: Select a pilot and define your product families.

    Call #6: Understand the product family roadmap as a method to align products to families.

    Call #7: Define components of your product family roadmap and confirm alignment.

    Call #8: Assess your delivery readiness.

    Call #9: Discuss delivery, operating, and funding models relevant to delivering product families.

    Call #10: Wrap up.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization. A typical GI is between 8 to 12 calls over the course of 4 to 6 months.

    Workshop Overview

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    Day 1

    Become a Product-Centric Organization

    Day 2

    Organize Products Into Product Families

    Day 3

    Ensure Alignment Between Products and Families

    Day 4

    Bridge the Gap Between Product Families and Delivery

    Advisory

    Next Steps and Wrap-Up (offsite)

    Activities

    1.1 Understand your organizational factors driving product-centric delivery.

    1.2 Establish your organization’s product inventory.

    2.1 Determine your approach to scale product families.

    2.2 Define your product families.

    3.1 Leverage product family roadmaps.

    3.2 Use stakeholder management to improve roadmap communication.

    3.3 Configure your product family roadmaps.

    3.4 Confirm product family to product alignment.

    4.1 Assess your organization’s delivery readiness.

    4.2 Understand your delivery options.

    4.3 Determine your operating model.

    4.4 Identify how to fund product family delivery.

    5.1 Learn how to introduce your digital product family strategy.

    5.2 Communicate changes on updates to your strategy.

    5.3 Determine your next steps.

    1. Execute communication plan and product family changes.
    2. Review the pilot family implementation and update the transformation roadmap.
    3. Begin advisory calls for related blueprints.

    Key Deliverables

    1. Organizational drivers and goals for a product-centric delivery
    2. Definition of product
    3. Product scaling principles
    4. Scaling approach and direction
    5. Pilot list of products to scale
    1. Product family mapping
    2. Enabling applications
    3. Dependent applications
    4. Product family canvas
    1. Current approach for communication of product family strategy
    2. List of product family stakeholders and a prioritization plan for communication
    3. Defined key pieces of a product family roadmap
    4. An approach to confirming alignment between products and product families through a shared definition of business value
    1. Assessment results on your organization’s delivery maturity
    2. A preferred approach to structuring product delivery
    3. Your preferred operating model for delivering product families
    4. Understanding your preferred approach for product family funding
    5. Product family transformation roadmap
    6. Your plan for communicating your roadmap
    7. List of actionable next steps to start on your journey
    1. Organizational communication of product families and product family roadmaps
    2. Product family implementation and updated transformation roadmap
    3. Support for product owners, backlog and roadmap management, and other topics

    Phase 1

    Become a Product-Centric Organization

    Phase 1Phase 2Phase 3Phase 4Phase 5

    1.1 Understand the organizational factors driving product-centric delivery

    1.2 Establish your organization’s product inventory

    2.1 Determine your approach to scale product families

    2.2 Define your product families

    3.1 Leverage product family roadmaps

    3.2 Use stakeholder management to improve roadmap communication

    3.3 Configure your product family roadmaps

    3.4 Confirm product family to product alignment

    4.1 Assess your organization’s delivery readiness

    4.2 Understand your delivery options

    4.3 Determine your operating model

    4.4 Identify how to fund product family delivery

    5.1 Learn how to introduce your digital product family strategy

    5.2 Communicate changes on updates to your strategy

    5.3 Determine your next steps

    This phase will walk you through the following activities:

    1.1.1 Understand your drivers for product-centric delivery

    1.1.2 Identify the differences between project and product delivery

    1.1.3 Define the goals for your product-centric organization

    1.2.1 Define “product” in your context

    1.2.2 Identify and establish a pilot list of products

    This phase involves the following participants:

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers’
    • Business analysts

    Step 1.1

    Understand the organizational factors driving product-centric delivery

    Activities

    1.1.1 Understand your drivers for product-centric delivery

    1.1.2 Identify the differences between project and product delivery

    1.1.3 Define the goals for your product-centric organization

    This phase involves the following participants:

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers’
    • Business analysts

    Outcomes of this step

    • Organizational drivers to move to product-centric delivery
    • List of differences between project and product delivery
    • Goals for product-centric delivery

    1.1.1 Understand your drivers for product-centric delivery

    30-60 minutes

    1. Identify your pain points in the current delivery model.
    2. What is the root cause of these pain points?
    3. How will a product-centric delivery model fix the root cause?
    4. Record the results in the Deliver Digital Products at Scale Workbook.
    Pain Points Root Causes Drivers
    • Lack of ownership
    • Siloed departments
    • Accountability

    Output

    • Organizational drivers to move to product-centric delivery.

    Participants

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers
    • Business analysts

    Record the results in the Deliver Digital Products at Scale Workbook.

    1.1.2 Identify the differences between project and product delivery

    30-60 minutes

    1. Consider project delivery and product delivery.
    2. Discuss what some differences are between the two.
    3. Note: This exercise is not about identifying the advantages and disadvantages of each style of delivery. This is to identify the variation between the two.

    4. Record the results in the Deliver Digital Products at Scale Workbook.
    Project Delivery Product Delivery
    Point in time What is changed
    Method of funding changes Needs an owner

    Output

    • List of differences between project and product delivery

    Participants

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers
    • Business analysts

    Record the results in the Deliver Digital Products at Scale Workbook.

    Identify the differences between a project-centric and a product-centric organization

    Project Product
    Fund projects Funding Fund products or teams
    Line of business sponsor Prioritization Product owner
    Makes specific changes to a product Product management Improves product maturity and support
    Assignment of people to work Work allocation Assignment of work to product teams
    Project manager manages Capacity management Team manages capacity

    Info-Tech Insight

    Product delivery requires significant shifts in the way you complete development work and deliver value to your users. Make the changes that support improving end-user value and enterprise alignment.

    Projects can be a mechanism for funding product changes and improvements

    A flowchart is shown to demonstrate the difference between project lifecycle, hybrid lifecycle, and product lifecycle.

    Projects within products

    Regardless of whether you recognize yourself as a product-based or project-based shop, the same basic principles should apply.

    The purpose of projects is to deliver the scope of a product release. The shift to product delivery leverages a product roadmap and backlog as the mechanism for defining and managing the scope of the release.

    Eventually, teams progress to continuous integration/continuous delivery (CI/CD) where they can release on demand or as scheduled, requiring org change management.

    Use Agile DevOps principles to expedite product-centric delivery and management

    Delivering products does not necessarily require an Agile DevOps mindset. However, Agile methods facilitate the journey because product thinking is baked into them.

    A flowchart is shown to demonstrate the product delivery maturity and the Agile DevOps used.

    Based on: Ambysoft, 2018

    Organizations start with Waterfall to improve the predictable delivery of product features.

    Iterative development shifts the focus from delivery of features to delivery of user value.

    Agile further shifts delivery to consider ROI. Often, the highest-value backlog items aren’t the ones with the highest ROI.

    Lean and DevOps improve your delivery pipeline by providing full integration between product owners, development teams, and operations.

    CI/CD reduces time in process by allowing release on demand and simplifying release and support activities.

    Although teams will adopt parts of all these stages during their journey, it isn’t until you’ve adopted a fully integrated delivery chain that you’ve become product centric.

    1.1.3 Define the goals for your product-centric organization

    30 minutes

    1. Review your list of drivers from exercise 1.1.1 and the differences between project and product delivery from exercise 1.1.2.
    2. Define your goals for achieving a product-centric organization.
    3. Note: Your drivers may have already covered the goals. If so, review if you would like to change the drivers based on your renewed understanding of the differences between project and product delivery.

    Pain PointsRoot CausesDriversGoals
    • Lack of ownership
    • Siloed departments
    • Accountability
    • End-to-end ownership

    Output

    • Goals for product-centric delivery

    Participants

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers’
    • Business analysts

    Record the results in the Deliver Digital Products at Scale Workbook.

    Step 1.2

    Establish your organization’s product inventory

    Activities

    1.2.1 Define “product” in your context

    1.2.2 Identify and establish a pilot list of products

    This step involves the following participants:

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers’
    • Business analysts

    Outcomes of this step

    • Your organizational definition of products and services
    • A pilot list of active products

    Product does not mean the same thing to everyone

    Do not expect a universal definition of products.

    Every organization and industry has a different definition of what a product is. Organizations structure their people, processes, and technologies according to their definition of the products they manage. Conflicting product definitions between teams increase confusion and misalignment of product roadmaps.

    “A product [is] something (physical or not) that is created through a process and that provides benefits to a market.”

    - Mike Cohn, Founding Member of Agile Alliance and Scrum Alliance

    “A product is something ... that is created and then made available to customers, usually with a distinct name or order number.”

    - TechTarget

    “A product is the physical object ... , software or service from which customer gets direct utility plus a number of other factors, services, and perceptions that make the product useful, desirable [and] convenient.”

    - Mark Curphey

    Organizations need a common understanding of what a product is and how it pertains to the business. This understanding needs to be accepted across the organization.

    “There is not a lot of guidance in the industry on how to define [products]. This is dangerous because what will happen is that product backlogs will be formed in too many areas. All that does is create dependencies and coordination across teams … and backlogs.”

    – Chad Beier, "How Do You Define a Product?” Scrum.org

    Products and services share the same foundation and best practices

    For the purpose of this blueprint, product/service and product owner/service owner are used interchangeably. Product is used for consistency but would apply to services as well.

    Product = Service

    “Product” and “service” are terms that each organization needs to define to fit its culture and customers (internal and external). The most important aspect is consistent use and understanding of:

    • External products
    • Internal products
    • External services
    • Internal services
    • Products as a service (PaaS)
    • Productizing services (SaaS)

    Recognize the different product owner perspectives

    Business:

    • Customer facing, revenue generating

    Technical:

    • IT systems and tools

    Operations

    • Keep the lights on processes

    Info-Tech Best Practice

    Product owners must translate needs and constraints from their perspective into the language of their audience. Kathy Borneman, Digital Product Owner at SunTrust Bank, noted the challenges of finding a common language between lines of business and IT (e.g. what is a unit?).

    Info-Tech Insight

    Recognize that product owners represent one of three primary perspectives. Although all share the same capabilities, how they approach their responsibilities is influenced by their perspective.

    “A Product Owner in its most beneficial form acts like an Entrepreneur, like a 'mini-CEO'. The Product Owner is someone who really 'owns' the product.”

    – Robbin Schuurman, “Tips for Starting Product Owners”

    Your product definition should include everything required to support it, not just what users see.

    A picture of an iceburg is shown, showing the ice both above and below the water to demonstrate that the product definition should include everything, not just what users see. On top of the picture are various words to go with the product definition. They inlude: funding, external relationships, adoption, product strategy, stakeholder managment. The product defitions that may not be seen include: Product governance, business functionality, user support, managing and governing data, maintenance and enhancement, R-and-D, requirements analysis and design, code, and knowledge management.

    Establish where product management would be beneficial in the organization

    What does not need product ownership?

    • Individual features
    • Transactions
    • Unstructured data
    • One-time solutions
    • Non-repeatable processes
    • Solutions that have no users or consumers
    • People or teams

    Characteristics of a discrete product

    • Has end users or consumers
    • Delivers quantifiable value
    • Evolves or changes over time
    • Has predictable delivery
    • Has definable boundaries
    • Has a cost to produce and operate

    Product capabilities deliver value!

    These are the various facets of a product. As a product owner, you are responsible for managing these facets through your capabilities and activities.

    A flowchart is shown that demonstrates the various facets of a product.

    It is easy to lose sight of what matters when we look at a product from a single point of view. Despite what The Agile Manifesto says, working software is not valuable without the knowledge and support that people need in order to adopt, use, and maintain it. If you build it, they will not come. Product leaders must consider the needs of all stakeholders when designing and building products.

    Define product value by aligning backlog delivery with roadmap goals

    In each product plan, the backlogs show what you will deliver. Roadmaps identify when and in what order you will deliver value, capabilities, and goals.

    An image is shown to demonstrate the relationship between the product backlog and the product roadmap.

    Product roadmaps guide delivery and communicate your strategy

    In Deliver on Your Digital Product Vision, we demonstrate how the product roadmap is core to value realization. The product roadmap is your communicated path, and as a product owner, you use it to align teams and changes to your defined goals while aligning your product to enterprise goals and strategy.

    An example of a product roadmap is shown to demonstrate how it is the core to value realization.

    Info-Tech Insight

    The quality of your product backlog – and your ability to realize business value from your delivery pipeline – is directly related to the input, content, and prioritization of items in your product roadmap.

    What is a product?

    Not all organizations will define products in the same way. Take this as a general example:

    “A tangible solution, tool, or service (physical or digital) that enables the long-term and evolving delivery of value to customers and stakeholders based on business and user requirements.”

    Info-Tech Insight

    A proper definition of product recognizes three key facts:

    1. Products are long-term endeavors that don’t end after the project finishes.
    2. Products are not just “apps” but can be software or services that drive the delivery of value.
    3. There is more than one stakeholder group that derives value from the product or service.

    1.2.1 Define “product” in your context

    30-60 minutes

    1. Discuss what “product” means in your organization.
    2. Create a common, enterprise-wide definition for “product.”
    3. Record the results in the Deliver Digital Products at Scale Workbook.

    For example:

    • An application, platform, or application family.
    • Discrete items that deliver value to a user/customer.

    Output

    • Your enterprise/organizational definition of products and services

    Participants

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers’
    • Business analysts

    Record the results in the Deliver Digital Products at Scale Workbook.

    1.2.2 Identify and establish a pilot list of products

    1-2 hours

    1. Review any current documented application inventory. If you have these details in an existing document, share it with the team. Select the group of applications for your family scaling pilot.
    2. List your initial application inventory on the Product List tab of the Deliver Digital Products at Scale Workbook.
  • For each of the products listed, add the vision and goals of the product. Refer to Deliver on Your Digital Product Vision to learn more about identifying vision and goals or to complete the product vision canvas.
  • You’ll add business capabilities and vision in Phase 2, but you can add these now if they are available in your existing inventory.
  • Output

    • A pilot list of active products

    Participants

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers’
    • Business analysts

    Record the results in the Deliver Digital Products at Scale Workbook.

    Phase 2

    Organize Products Into Product Families

    Phase 1Phase 2Phase 3Phase 4Phase 5

    1.1 Understand the organizational factors driving product-centric delivery

    1.2 Establish your organization’s product inventory

    2.1 Determine your approach to scale product families

    2.2 Define your product families

    3.1 Leverage product family roadmaps

    3.2 Use stakeholder management to improve roadmap communication

    3.3 Configure your product family roadmaps

    3.4 Confirm product family to product alignment

    4.1 Assess your organization’s delivery readiness

    4.2 Understand your delivery options

    4.3 Determine your operating model

    4.4 Identify how to fund product family delivery

    5.1 Learn how to introduce your digital product family strategy

    5.2 Communicate changes on updates to your strategy

    5.3 Determine your next steps

    This phase will walk you through the following activities:

    2.1.1 Define your scaling principles and goals

    2.1.2 Define your pilot product family areas and direction

    2.2.1 Arrange your applications and services into product families

    2.2.2 Define enabling and supporting applications

    2.2.3 Build your product family canvas

    This phase involves the following participants:

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers’
    • Business analysts

    Step 2.1

    Determine your approach to scale product families

    Activities

    2.1.1 Define your scaling principles and goals

    2.1.2 Define your pilot product family areas and direction

    This step involves the following participants:

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers’
    • Business analysts

    Outcomes of this step

    • List of product scaling principles
    • Scope of product scaling pilot and target areas
    • Scaling approach and direction

    Use consistent terminology for product and service families

    In this blueprint, we refer to any grouping of products or services as a “family.” Your organization may prefer other terms, such as product/service line, portfolio, group, etc. The underlying principles for grouping and managing product families are the same, so define the terminology that fits best with your culture. The same is true for “products” and “services,” which may also be referred to in different terms.

    An example flowchart is displayed to demonstrate the terminology for product and service families.

    A product family is a logical and operational grouping of related products or services. The grouping provides a scaled hierarchy to translate goals, priorities, strategy, and constraints down the grouping while aligning value realization upwards.

    Group product families by related purpose to improve business value

    Families should be scaled by how the products operationally relate to each other, with clear boundaries and common purpose.

    A product family contains...

    • Vision
    • Goals
    • Cumulative roadmap of the products within the family

    A product family can be grouped by...

    • Function
    • Value stream and capability
    • Customer segments or end-user group
    • Strategic purpose
    • Underlying architecture
    • Common technology or support structures
    • And many more
    A flowchart is shown to demonstrate the product family and product relations.

    Scale products into related families to improve value delivery and alignment

    Defining product families builds a network of related products into coordinated value delivery streams.

    A flowchart is shown to demonstrate the relations between product family and the delivery streams.

    “As with basic product management, scaling an organization is all about articulating the vision and communicating it effectively. Using a well-defined framework helps you align the growth of your organization with that of the company. In fact, how the product organization is structured is very helpful in driving the vision of what you as a product company are going to do.”

    – Rich Mironov, Mironov Consulting

    Product families translate enterprise goals into value-enabling capabilities

    A flowchart is shown to demonstrate the relationship between enterprise strategy and enabling capabilities.

    Info-Tech Insight

    Your organizational goals and strategy are achieved through capabilities that deliver value. Your product hierarchy is the mechanism to translate enterprise goals, priorities, and constraints down to the product level where changes can be made.

    Arrange product families by operational groups, not solely by your org chart

    A flowchart is shown to demonstrate how to arrange product families by operational groups.

    1. To align product changes with enterprise goals and priorities, you need to organize your products into operational groups based on the capabilities or business functions the product and family support.

    2. Product managers translate these goals, priorities, and constraints into their product families, so they are actionable at the next level, whether that level is another product family or products implementing enhancements to meet these goals.

    3. The product family manager ensures that the product changes enhance the capabilities that allow you to realize your product family, division, and enterprise goals.

    4. Enabling capabilities realize value and help reach your goals, which then drives your next set of enterprise goals and strategy.

    Product families need owners with a more strategic focus

    Product Owner

    (More tactical product delivery focus)

    • Backlog management and prioritization
    • Product vision and product roadmap
    • Epic/story definition, refinement in conjunction with business stakeholders
    • Sprint planning with Scrum Master and delivery team
    • Working with Scrum Master to minimize disruption to team velocity
    • Ensuring alignment between business and Scrum teams during sprints
    • Profit and loss (P&L) product analysis and monitoring

    Product Manager

    (More strategic product family focus)

    • Product strategy, positioning, and messaging
    • Product family vision and product roadmap
    • Competitive analysis and positioning
    • New product innovation/definition
    • Release timing and focus (release themes)
    • Ongoing optimization of product-related marketing and sales activities
    • P&L product analysis and monitoring

    Info-Tech Insight

    “Product owner” and “product manager” are terms that should be adapted to fit your culture and product hierarchy. These are not management relationships but rather a way to structure related products and services that touch the same end users. Use the terms that work best in your culture.

    Download Build a Better Product Owner for role support.

    2.1.1 Define your scaling principles and goals

    30-60 minutes

    1. Discuss the guiding principles for your product scaling model. Your guiding principles should consider key business priorities, organizational culture, and division/team objectives, such as improving:
    • Business agility and ability to respond to changes and needs.
    • Alignment of product roadmaps to enterprise goals and priorities.
    • Collaboration between stakeholders and product delivery teams.
    • Resource utilization and productivity.
    • The quality and value of products.
    • Coordination between related products and services.

    Output

    • List of product scaling principles

    Participants

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers’
    • Business analysts

    Record the results in the Deliver Digital Products at Scale Workbook.

    Start scaling with a pilot

    You will likely use a combination of patterns that work best for each product area. Pilot your product scaling with a domain, team, or functional area before organizing your entire portfolio.

    Learn more about each pattern.

    Discuss the pros and cons of each.

    Select a pilot product area.

    Select a pattern.

    Approach alignment from both directions, validating by the opposite way

    Defining your product families is not a one-way street. Often, we start from either the top or the bottom depending on our scaling principles. We use multiple patterns to find the best arrangement and grouping of our products and families.

    It may be helpful to work partway, then approach your scaling from the opposite direction, meeting in the middle. This way you are taking advantage of the strengths in both approaches.

    Once you have your proposed structure, validate the grouping by applying the principles from the opposite direction to ensure each product and family is in the best starting group.

    As the needs of your organization change, you may need to realign your product families into your new business architecture and operational structure.

    A top-down alignment example is shown.

    When to use: You have a business architecture defined or clear market/functional grouping of value streams.

    A bottom-up alignment example is shown.

    When to use: You are starting from an Application Portfolio Management application inventory to build or validate application families.

    Top-down examples: Start with your enterprise structure or market grouping

    A top-down example flowchart is shown.

    Examples:

    Market Alignment
    • Consumer Banking
      • DDA: Checking, Savings, Money Market
      • Revolving Credit: Credit Cards, Line of Credit
      • Term Credit: Mortgage, Auto, Boat, Installment
    Enterprise Applications
    • Human Resources
      • Benefits: Health, Dental, Life, Retirement
      • Human Capital: Hiring, Performance, Training
      • Hiring: Posting, Interviews, Onboarding
    Shared Service
    • End-User Support
      • Desktop: New Systems, Software, Errors
      • Security: Access Requests, Password Reset, Attestations
    Business Architecture
    • Value Stream
      • Capability
        • Applications
        • Services

    Bottom-up examples: Start with your inventory

    Based on your current inventory, start organizing products and services into related groups using one of the five scaling models discussed in the next step.

    A bottom-up example flowchart is shown.

    Examples:

    Technical Grouping
    • Custom Apps: Java, .NET, Python
    • Cloud: Azure, AWS, Virtual Environments
    • Low Code: ServiceNow, Appian
    Functional/Capability Grouping
    • CRM: Salesforce, Microsoft CRM
    • Security Platforms: IAM, SSO, Scanning
    • Workflow: Remedy, ServiceNow
    Shared Services Grouping
    • Workflow: Appian, Pega, ServiceNow
    • Collaboration: SharePoint, Teams
    • Data: Dictionary, Lake, BI/Reporting

    2.1.2 Define your pilot product family areas and direction

    30-60 minutes

    1. Using your inventory of products for your pilot, consider the top-down and bottom-up approaches.
    2. Identify areas where you will begin arranging your product into families.
    3. Prioritize these pilot areas into waves:
      1. First pilot areas
      2. Second pilot areas
      3. Third pilot areas
    4. Discuss and decide whether a top-down or bottom-up approach is the best place to start for each pilot group.
    5. Prioritize your pilot families in the order in which you want to organize them. This is a guide to help you get started, and you may change the order during the scaling pattern exercise.

    Output

    • Scope of product scaling pilot and target areas

    Participants

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers’
    • Business analysts

    Record the results in the Deliver Digital Products at Scale Workbook.

    Step 2.2

    Define your product families

    Activities

    2.2.1 Arrange your applications and services into product families

    2.2.2 Define enabling and supporting applications

    2.2.3 Build your product family canvas

    This step involves the following participants:

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers’
    • Business analysts

    Outcomes of this step

    • Product family mapping
    • Product families
    • Enabling applications
    • Dependent applications
    • Product family canvas

    Use three perspectives to guide scaling pattern selection

    • One size does not fit all. There is no single or static product model that fits all product teams.
    • Structure relationships based on your organizational needs and capabilities.
    • Be flexible. Product ownership is designed to enable value delivery.
    • Avoid structures that promote proxy product ownership.
    • Make decisions based on products and services, not people. Then assign people to the roles.
    Alignment perspectives:

    Value Stream

    Align products based on the defined sources of value for a collection of products or services.

    For example: Wholesale channel for products that may also be sold directly to consumers, such as wireless network service.

    Users/Consumers

    Align products based on a common group of users or product consumers.

    For example: Consumer vs. small business vs. enterprise customers in banking, insurance, and healthcare.

    Common Domain

    Align products based on a common domain knowledge or skill set needed to deliver and support the products.

    For example: Applications in a shared service framework supporting other products.

    Leverage patterns for scaling products

    Organizing your products and families is easier when leveraging these grouping patterns. Each is explained in greater detail on the following slides

    Value Stream AlignmentEnterprise ApplicationsShared ServicesTechnicalOrganizational Alignment
    • Business architecture
      • Value stream
      • Capability
      • Function
    • Market/customer segment
    • Line of business (LoB)
    • Example: Customer group > value stream > products
    • Enabling capabilities
    • Enterprise platforms
    • Supporting apps
    • Example: HR > Workday/Peoplesoft > ModulesSupporting: Job board, healthcare administrator
    • Organization of related services into service family
    • Direct hierarchy does not necessarily exist within the family
    • Examples: End-user support and ticketing, workflow and collaboration tools
    • Domain grouping of IT infrastructure, platforms, apps, skills, or languages
    • Often used in combination with Shared Services grouping or LoB-specific apps
    • Examples: Java, .NET, low-code, database, network
    • Used at higher levels of the organization where products are aligned under divisions
    • Separation of product managers from organizational structure no longer needed because the management team owns product management role

    Select the best family pattern to improve alignment

    A flowchart is shown on how to select the best family pattern to improve alignment.

    Use scenarios to help select patterns

    Top-Down

    Bottom-Up

    We have a business architecture defined.

    (See Document Your Business Architecture and industry reference architectures for help.)

    Start with your business architecture

    Start with market segments

    We want to be more customer first or customer centric.

    Start with market segments

    Our organization has rigid lines of business and organizational boundaries.

    Start with LoB structure

    Most products are specific to a business unit or division. Start with LoB structure

    Products are aligned to people, not how we are operationally organized.

    Start with market or LoB structure

    We are focusing on enterprise or enabling applications.

    1. Start with enterprise app and service team

    2. Align supporting apps

    We already have applications and services grouped into teams but want to evaluate if they are grouped in the best families.

    Validate using multiple patterns

    Validate using multiple patterns

    Our applications and services are shared across the enterprise or support multiple products, value streams, or shared capabilities.

    Our applications or services are domain, knowledge, or technology specific.

    Start by grouping inventory

    We are starting from an application inventory. (See the APM Research Center for help.)

    Start by grouping inventory

    Pattern: Value Stream – Capability

    Grouping products into capabilities defined in your business architecture is recommended because it aligns people/processes (services) and products (tools) into their value stream and delivery grouping. This requires an accurate capability map to implement.

    Example:

    • Healthcare is delivered through a series of distinct value streams (top chevrons) and shared services supporting all streams.
    • Diagnosing Health Needs is executed through the Admissions, Testing, Imaging, and Triage capabilities.
    • Products and services are needed to deliver each capability.
    • Shared capabilities can also be grouped into families to better align capability delivery and maturity to ensure that the enterprise goals and needs are being met in each value stream the capabilities support.
    An example is shown to demonstrate how to group products into capabilities.

    Sample business architecture/ capability map for healthcare

    A sample business architecture/capability map for healthcare is shown.

    Your business architecture maps your value streams (value delivered to your customer or user personas) to the capabilities that deliver that value. A capability is the people, processes, and/or tools needed to deliver each value function.

    Defining capabilities are specific to a value stream. Shared capabilities support multiple value streams. Enabling capabilities are core “keep the lights on” capabilities and enterprise functions needed to run your organization.

    See Info-Tech’s industry coverage and reference architectures.

    Download Document Your Business Architecture

    Pattern: Value Stream – Market

    Market/Customer Segment Alignment focuses products into the channels, verticals, or market segments in the same way customers and users view the organization.

    An example is shown to demonstrate how products can be placed into channels, verticals, or market segments.

    Example:

    • Customers want one stop to solve all their issues, needs, and transactions.
    • Banking includes consumer, small business, and enterprise.
    • Consumer banking can be grouped by type of financial service: deposit accounts (checking, savings, money market), revolving credit (credit cards, lines of credit), term lending (mortgage, auto, installment).
    • Each group of services has a unique set of applications and services that support the consumer product, with some core systems supporting the entire relationship.

    Pattern: Value Stream – Line of Business (LoB)

    Line of Business Alignment uses the operational structure as the basis for organizing products and services into families that support each area.

    An example of the operational structure as the basis is shown.

    Example:

    • LoB alignment favors continuity of services, tools, and skills based on internal operations over unified customer services.
    • A hospital requires care and services from many different operational teams.
    • Emergency services may be internally organized by the type of care and emergency to allow specialized equipment and resources to diagnose and treat the patients, relying on support teams for imaging and diagnostics to support care.
    • This model may be efficient and logical from an internal viewpoint but can cause gaps in customer services without careful coordination between product teams.

    Pattern: Enterprise Applications

    A division or group delivers enabling capabilities, and the team’s operational alignment maps directly to the modules/components of an enterprise application and other applications that support the specific business function.

    An example flowchart is shown with enterprise applications.

    Example:

    • Human resources is one corporate function. Within HR, however, there are subfunctions that operate independently.
    • Each operational team is supported by one or more applications or modules within a primary HR system.
    • Even though the teams work independently, the information they manage is shared with or ties into processes used by other teams. Coordination of efforts helps provide a higher level of service and consistency.

    For additional information about HRMS, please download Get the Most Out of Your HRMS.

    Pattern: Shared Services

    Grouping by service type, knowledge area, or technology allows for specialization while families align service delivery to shared business capabilities.

    An example is shown with the shared services.

    Example:

    • Recommended for governance, risk, and compliance; infrastructure; security; end-user support; and shared platforms (workflow, collaboration, imaging/record retention). Direct hierarchies do not necessarily exist within the shared service family.
    • Service groupings are common for service owners (also known as support managers, operations managers, etc.).
    • End-user ticketing comes through a common request system, is routed to the team responsible for triage, and then is routed to a team for resolution.
    • Collaboration tools and workflow tools are enablers of other applications, and product families might support multiple apps or platforms delivering that shared capability.

    Pattern: Technical

    Technical grouping is used in Shared Services or as a family grouping method within a Value Stream Alignment (Capability, Market, LoB) product family.

    An example of technical grouping is shown.

    Example:

    • Within Shared Services, Technical product grouping focuses on domains requiring specific experience and knowledge not common to typical product teams. This can also support insourcing so other product teams do not have to build their own capacity.
    • Within a Market or LoB team, these same technical groups support specific tools and services within that product family only while also specializing in the business domain.
    • Alignment into tool, platform, or skill areas improves delivery capabilities and resource scalability.

    Pattern: Organizational Alignment

    Eventually in your product hierarchy, the management structure functions as the product management team.

    • When planning your product families, be careful determining when to merge product families into the management team structure.
    • Since the goal of scaling products into families is to align product delivery roadmaps to enterprise goals and enable value realization, the primary focus of scaling must be operational.
    • Alignment to the organizational chart should only occur when the product families report into an HR manager who has ownership for the delivery and value realization for all product and services within that family.
    Am example of organizational alignment is shown.

    Download Build a Better Product Owner for role support.

    2.2.1 Arrange your applications and services into product families

    1-4 hours

    1. (Optional but recommended) Define your value streams and capabilities on the App Capability List tab in the Deliver Digital Products at Scale Workbook.
    2. On the Product Families tab, build your product family hierarchy using the following structure:
    • Value Stream > Capability > Family 3 > Family 2 > Family 1 > Product/Service.
    • If you are not using a Value Stream > Capability grouping, you can leave these blank for now.
    A screenshot of the App Capability List in the Deliver Disital Products at Scale Workbook is shown.
  • If you previously completed an application inventory using one of our application portfolio management (APM) resources, you can paste values here. Do not paste cells, as Excel may create a cell reference or replace the current conditional formatting.
  • Output

    • Product family mapping

    Participants

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers
    • Business analysts

    Record the results in the Deliver Digital Products at Scale Workbook.

    2.2.2 Define enabling and supporting applications

    1-4 hours

    1. Review your grouping from the reverse direction or with different patterns to validate the grouping. Consider each grouping.
    • Does it operationally align the products and families to best cascade enterprise goals and priorities while validating enabling capabilities?
    • In the next phase, when defining your roadmap strategy, you may wish to revisit this phase and adjust as needed.
  • Select and enter enabling or dependent applications to the right of each product.
  • A screenshot from the Deliver Digitial Products at Scale Workbook is shown.

    Output

    • Product families
    • Enabling applications
    • Dependent applications

    Participants

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers
    • Business analysts

    Record the results in the Deliver Digital Products at Scale Workbook.

    Use a product canvas to define key elements of your product family

    A product canvas is an excellent tool for quickly providing important information about a product family.

    Product owners/managers

    Provide target state to align child product and product family roadmaps.

    Stakeholders

    Communicate high-level concepts and key metrics with leadership teams and stakeholders.

    Strategy teams

    Use the canvas as a tool for brainstorming, scoping, and ideation.

    Operations teams

    Share background overview to align operational team with end-user value.

    Impacted users

    Refine communication strategy and support based on user impacts and value realization.

    Download Deliver on Your Digital Product Vision.

    Product Family Canvas: Define your core information

    A screenshot of the product family canvas is shown.

    Problem Statement: The problem or need the product family is addressing

    Business Goals: List of business objectives or goals for the product

    Personas/Customers/Users: List of groups who consume the product/service

    Vision: Vision, unique value proposition, elevator pitch, or positioning statement

    Child Product Families or Products: List of product families or products within this family

    Stakeholders: List of key resources, stakeholders, and teams needed to support the product or service

    Download Deliver on Your Digital Product Vision.

    2.2.3 Build your product family canvas

    30-60 minutes

    1. Complete the following fields to build your product family canvas in your Digital Product Family Strategy Playbook:
      1. Product family name
      2. Product family owner
      3. Parent product family name
      4. Problem that the family is intending to solve (For additional help articulating your problem statement, refer to Deliver on Your Digital Product Vision.)
      5. Product family vision/goals (For additional help writing your vision, refer to Deliver on Your Digital Product Vision..)
      6. Child product or product family name(s)
      7. Primary customers/users (For additional help with your product personas, download and complete Deliver on Your Digital Product Vision..)
      8. Stakeholders (If you aren’t sure who your stakeholders are, fill this in after completing the stakeholder management exercises in phase 3.)

    Output

    • Product family canvas

    Participants

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers
    • Business analysts

    Record the results in the Digital Product Family Strategy Playbook.

    A screenshot of the Product Family Canvas is shown.

    Phase 3

    Ensure Alignment Between Products and Families

    Phase 1Phase 2Phase 3Phase 4Phase 5

    1.1 Understand the organizational factors driving product-centric delivery

    1.2 Establish your organization’s product inventory

    2.1 Determine your approach to scale product families

    2.2 Define your product families

    3.1 Leverage product family roadmaps

    3.2 Use stakeholder management to improve roadmap communication

    3.3 Configure your product family roadmaps

    3.4 Confirm product family to product alignment

    4.1 Assess your organization’s delivery readiness

    4.2 Understand your delivery options

    4.3 Determine your operating model

    4.4 Identify how to fund product family delivery

    5.1 Learn how to introduce your digital product family strategy

    5.2 Communicate changes on updates to your strategy

    5.3 Determine your next steps

    This phase will walk you through the following activities:

    • 3.1.1 Evaluate your current approach to product family communication
    • 3.2.1 Visualize interrelationships among stakeholders to identify key influencers
    • 3.2.2 Group stakeholders into categories
    • 3.2.3 Prioritize your stakeholders
    • 3.3.1 Define the communication objectives and audience of your product family roadmaps
    • 3.3.2 Identify the level of detail that you want your product family roadmap artifacts to represent
    • 3.4.1 Validate business value alignment between products and their product families

    This phase involves the following participants:

    • Product owners
    • Product managers
    • Portfolio managers
    • Business analysts

    Step 3.1

    Leverage product family roadmaps

    Activities

    3.1.1 Evaluate your current approach to product family communication

    This step involves the following participants:

    • Product owners
    • Product managers
    • Portfolio managers
    • Business analysts

    Outcomes of this step

    • Understanding of what a product family roadmap is
    • Comparison of Info-Tech’s position on product families to how you currently communicate about product families

    Aligning products’ goals with families

    Without alignment between product family goals and their underlying products, you aren’t seeing the full picture.

    An example of a product roadmap is shown to demonstrate how it is the core to value realization.

    Adapted from: Pichler," What Is Product Management?"

    • Aligning product strategy to enterprise goals needs to happen through the product family.
    • A product roadmap has traditionally been used to express the overall intent and visualization of the product strategy.
    • Connecting the strategy of your products with your enterprise goals can be done through the product family roadmap.

    Leveraging product family roadmaps

    It’s more than a set of colorful boxes.

      ✓ Lays out a strategy for your product family.

      ✓ Is a statement of intent for your family of products.

      ✓ Communicates direction for the entire product family and product teams.

      ✓ Directly connects to the organization’s goals.

    However, it is not:

      x Representative of a hard commitment.

      x A simple combination of your current product roadmaps.

      x A technical implementation plan.

    Product family roadmaps

    A roadmap is shown without any changes.

    There is no such thing as a roadmap that never changes.

    Your product family roadmap represents a broad statement of intent and high-level tactics to get closer to the organization’s goals.

    A roadmap is shown with changes.

    All good product family roadmaps embrace change!

    Your strategic intentions are subject to volatility, especially those planned further in the future. The more costs you incur in planning, the more you leave yourself exposed to inefficiency and waste if those plans change.

    Info-Tech Insight

    A good product family roadmap is intended to manage and communicate the inevitable changes as a result of market volatility and changes in strategy.

    Product family roadmaps are more strategic by nature

    While individual product roadmaps can be different levels of tactical or strategic depending on a variety of market factors, your options are more limited when defining roadmaps for product families.

    An image is displayed to show the relationships between product and product family, and how the roadmaps could be tactical or strategic.

    Info-Tech Insight

    Roadmaps for your product family are, by design, less detailed. This does not mean they aren’t actionable! Your product family roadmap should be able to communicate clear intentions around the future delivery of value in both the near and long term.

    Reminder: Your enterprise vision provides alignment for your product family roadmaps

    Not knowing the difference between enterprise vision and goals will prevent you from both dreaming big and achieving your dream.

    Your enterprise vision represents your “north star” – where you want to go. It represents what you want to do.

    • Your enterprise goals represent what you need to achieve in order to reach your enterprise vision.
    • A key element of operationalizing your vision.
    • Your strategy, initiatives, and features will align with one or more goals.

    Download Deliver on Your Digital Product Vision for support.

    Multiple roadmap views can communicate differently, yet tell the same truth

    Audience

    Business/ IT Leaders

    Users/Customers

    Delivery Teams

    Roadmap View

    Portfolio

    Product Family

    Technology

    Objectives

    To provide a snapshot of the portfolio and priority products

    To visualize and validate product strategy

    To coordinate broad technology and architecture decisions

    Artifacts

    Line items or sections of the roadmap are made up of individual products, and an artifact represents a disposition at its highest level.

    Artifacts are generally grouped by product teams and consist of strategic goals and the features that realize those goals.

    Artifacts are grouped by the teams who deliver that work and consist of technical capabilities that support the broader delivery of value for the product family.

    Typical elements of a product family roadmap

    While there are others, these represent what will commonly appear across most family-based roadmaps.

    An example is shown to highlight the typical elements of a product family roadmap.

    GROUP/CATEGORY: Groups are collections of artifacts. In a product family context, these are usually product family goals, value streams, or products.

    ARTIFACT: An artifact is one of many kinds of tangible by-products produced during the delivery of products. For a product family, the artifacts represented are capabilities or value streams.

    MILESTONE: Points in the timeline when established sets of artifacts are complete. This is a critical tool in the alignment of products in a given family.

    TIME HORIZON: Separated periods within the projected timeline covered by the roadmap.

    3.1.1 Evaluate your current approach to product family communication

    1-2 hours

    1. Write down how you currently communicate your intentions for your products and family of products.
    2. Compare and contrast this to how this blueprint defines product families and product family roadmaps.
    3. Consider the similarities and the key gaps between your current approach and Info-Tech’s definition of product family roadmaps.

    Output

    • Your documented approach to product family communication

    Participants

    • Product owners
    • Stakeholders

    Record the results in the Deliver Digital Products at Scale Workbook.

    Step 3.2

    Use stakeholder management to improve roadmap communication

    Activities

    3.2.1 Visualize interrelationships among stakeholders to identify key influencers

    3.2.2 Group stakeholders into categories

    3.2.3 Prioritize your stakeholders

    Info-Tech Note

    If you have done the stakeholder exercises in Deliver on Your Digital Product Vision or Build a Better Product Owner u don’t need to repeat the exercises from scratch.

    You can bring the results forward and update them based on your prior work.

    This step involves the following participants:

    • Product owners
    • Product managers
    • Portfolio managers
    • Business analysts

    Outcomes of this step

    • Relationships among stakeholders and influencers
    • Categorization of stakeholders and influencers
    • Stakeholder and influencer prioritization

    Reminder: Not everyone is a user!

    USERS

    Individuals who directly obtain value from usage of the product.

    STAKEHOLDERS

    Represent individuals who provide the context, alignment, and constraints that influence or control what you will be able to accomplish.

    FUNDERS

    Individuals both external and internal that fund the product initiative. Sometimes they are lumped in as stakeholders. However, motivations can be different.

    For more information, see Deliver on Your Digital Product Vision.

    A stakeholder strategy is a key part of product family attainment

    A roadmap is only “good” when it effectively communicates to stakeholders. Understanding your stakeholders is the first step in delivering great product family roadmaps.

    A picture is shown that has 4 characters with puzzle pieces, each repersenting a key to product family attainment. The four keys are: Stakeholder management, product lifecycle, project delivery, and operational support.

    Create a stakeholder network map for product roadmaps and prioritization

    Follow the trail of breadcrumbs from your direct stakeholders to their influencers to uncover hidden stakeholders.

    An example stakeholder network map is displayed.

    Legend

    Black arrows: indicate the direction of professional influence

    Dashed green arrows: indicate bidirectional, informal influence relationships

    Info-Tech Insight

    Your stakeholder map defines the influence landscape your product family operates in. It is every bit as important as the teams who enhance, support, and operate your product directly.

    Use connectors to determine who may be influencing your direct stakeholders. They may not have any formal authority within the organization, but they may have informal yet substantial relationships with your stakeholders.

    3.2.1 Visualize interrelationships among stakeholders to identify key influencers

    60 minutes

    1. List direct stakeholders for your product.
    2. Determine the stakeholders of your stakeholders and consider adding each of them to the stakeholder list.
    3. Assess who has either formal or informal influence over your stakeholders; add these influencers to your stakeholder list.
    4. Construct a diagram linking stakeholders and their influencers together.
    • Use black arrows to indicate the direction of professional influence.
    • Use dashed green arrows to indicate bidirectional, informal influence relationships.

    Output

    • Relationships among stakeholders and influencers

    Participants

    • Product owners
    • Stakeholders

    Record the results in the Deliver Digital Products at Scale Workbook.

    Categorize your stakeholders with a prioritization map

    A stakeholder prioritization map helps product leaders categorize their stakeholders by their level of influence and ownership in the product and/or teams.

    An example stakeholder prioritization map is shown.

    There are four areas in the map, and the stakeholders within each area should be treated differently.

    Players – players have a high interest in the initiative and the influence to effect change over the initiative. Their support is critical, and a lack of support can cause significant impediment to the objectives.

    Mediators – mediators have a low interest but significant influence over the initiative. They can help to provide balance and objective opinions to issues that arise.

    Noisemakers – noisemakers have low influence but high interest. They tend to be very vocal and engaged, either positively or negatively, but have little ability to enact their wishes.

    Spectators – generally, spectators are apathetic and have little influence over or interest in the initiative.

    3.2.2 Group stakeholders into categories

    30-60 minutes

    1. Identify your stakeholders’ interest in and influence on your product as high, medium, or low by rating the attributes below.
    2. Map your results to the model below to determine each stakeholder’s category.
    Level of Influence
    • Power: Ability of a stakeholder to effect change.
    • Urgency: Degree of immediacy demanded.
    • Legitimacy: Perceived validity of stakeholder’s claim.
    • Volume: How loud their “voice” is or could become.
    • Contribution: What they have that is of value to you.
    Level of Interest

    How much are the stakeholder’s individual performance and goals directly tied to the success or failure of the product?

    The example stakeholder prioritization map is shown with the stakeholders grouped into the categories.

    Output

    • Categorization of stakeholders and influencers

    Participants

    • Product owners
    • Stakeholders

    Record the results in the Deliver Digital Products at Scale Workbook.

    Prioritize your stakeholders

    There may be too many stakeholders to be able to manage them all. Focus your attention on the stakeholders that matter most.

    Level of Support

    Stakeholder Category

    Supporter

    Evangelist

    Neutral Blocker

    Player

    Critical

    High

    High

    Critical

    Mediator

    Medium

    Low

    Low

    Medium

    Noisemaker

    High

    Medium

    Medium

    High

    Spectator

    Low

    Irrelevant

    Irrelevant

    Low

    Consider the three dimensions for stakeholder prioritization: influence, interest, and support. Support can be determined by answering the following question: How likely is it that this stakeholder would recommend your product?

    These parameters are used to prioritize which stakeholders are most important and should receive your focused attention.

    3.2.3 Prioritize your stakeholders

    30 minutes

    1. Identify the level of support of each stakeholder by answering the following question: How likely is it that this stakeholder would endorse your product?
    2. Prioritize your stakeholders using the prioritization scheme on the previous slide.

    Stakeholder

    Category

    Level of Support

    Prioritization

    CMO

    Spectator

    Neutral

    Irrelevant

    CIO

    Player

    Supporter

    Critical

    Output

    • Stakeholder and influencer prioritization

    Participants

    • Product owners
    • Stakeholders

    Record the results in the Deliver Digital Products at Scale Workbook.

    Define strategies for engaging stakeholders by type

    An example is shown to demonstrate how to define strategies to engage staeholders by type.

    Type

    Quadrant

    Actions

    Players

    High influence, high interest – actively engage

    Keep them updated on the progress of the project. Continuously involve Players in the process and maintain their engagement and interest by demonstrating their value to its success.

    Mediators

    High influence, low interest – keep satisfied

    They can be the game changers in groups of stakeholders. Turn them into supporters by gaining their confidence and trust and including them in important decision-making steps. In turn, they can help you influence other stakeholders.

    Noisemakers

    Low influence, high interest – keep informed

    Try to increase their influence (or decrease it if they are detractors) by providing them with key information, supporting them in meetings, and using Mediators to help them.

    Spectators

    Low influence, low interest – monitor

    They are followers. Keep them in the loop by providing clarity on objectives and status updates.

    Info-Tech Insight

    Each group of stakeholders draws attention and resources away from critical tasks. By properly identifying your stakeholder groups, the product owner can develop corresponding actions to manage stakeholders in each group. This can dramatically reduce wasted effort trying to satisfy Spectators and Noisemakers, while ensuring the needs of Mediators and Players are met.

    Step 3.3

    Configure your product family roadmaps

    Activities

    3.3.1 Define the communication objectives and audience of your product family roadmaps

    3.3.2 Identify the level of detail that you want your product family roadmap artifacts to represent

    Info-Tech Note

    If you are unfamiliar with product roadmaps, Deliver on Your Digital Product Vision contains more detailed exercises we recommend you review before focusing on product family roadmaps.

    This step involves the following participants:

    • Product owners
    • Product managers
    • Portfolio managers
    • Business analysts

    Outcomes of this step

    • An understanding of the key communication objectives and target stakeholder audience for your product family roadmaps
    • A position on the level of detail you want your product family roadmap to operate at

    Your communication objectives are linked to your audience; ensure you know your audience and speak their language

    I want to... I need to talk to... Because they are focused on...
    ALIGN PRODUCT TEAMS Get my delivery teams on the same page. Architects Products Owners PRODUCTS A product that delivers value against a common set of goals and objectives.
    SHOWCASE CHANGES Inform users and customers of product strategy. Bus. Process Owners End Users FUNCTIONALITY A group of functionality that business customers see as a single unit.
    ARTICULATE RESOURCE REQUIREMENTS Inform the business of product development requirements. IT Management Business Stakeholders FUNDING An initiative that those with the money see as a single budget.

    3.3.1 Define the communication objectives and audience of your product family roadmaps

    30-60 minutes

    1. Explicitly state the communication objectives and audience of your roadmap.
    • Think of finishing this sentence: This roadmap is designed for … in order to …
  • You may want to consider including more than a single audience or objective.
  • Example:
  • Roadmap

    Audience

    Statement

    Internal Strategic Roadmap

    Internal Stakeholders

    This roadmap is designed to detail the strategy for delivery. It tends to use language that represents internal initiatives and names.

    Customer Strategic Roadmap

    External Customers

    This roadmap is designed to showcase and validate future strategic plans and internal teams to coordinate the development of features and enablers.

    Output

    • Roadmap list with communication objectives and audience

    Participants

    • Product owners and product managers
    • Application leaders
    • Stakeholders

    Record the results in the Deliver Digital Products at Scale Workbook.

    The length of time horizons on your roadmap depend on the needs of the underlying products or families

    Info-Tech InsightAn example timeline is shown.

    Given the relationship between product and product family roadmaps, the product family roadmap needs to serve the time horizons of its respective products.

    This translates into product family roadmaps with timelines that, at a minimum, cover the full scope of the respective product roadmaps.

    Based on your communication objectives, consider different ways to visualize your product family roadmap

    Swimline/Stream-Based roadmap example.

    Swimlane/Stream-Based – Understanding when groups of items intend to be delivered.

    An example is shown that has an overall plan with rough intentions around delivery.

    Now, Next, Later – Communicate an overall plan with rough intentions around delivery without specific date ranges.

    An example of a sunrise roadmap is shown.

    Sunrise Roadmap – Articulate the journey toward a given target state across multiple streams.

    Before connecting your family roadmap to products, think about what each roadmap typically presents

    An example of a product family roadmap is shown and how it can be connected to the products.

    Info-Tech Insight

    Your product family roadmap and product roadmap tell different stories. The product family roadmap represents the overall connection of products to the enterprise strategy, while the product roadmap focuses on the fulfillment of the product’s vision.

    Example: Connecting your product family roadmaps to product roadmaps

    Your roadmaps should be connected at an artifact level that is common between both. Typically, this is done with capabilities, but you can do it at a more granular level if an understanding of capabilities isn’t available.

    Example is shown connecting product family roadmaps to product roadmaps.

    3.3.2 Identify the level of detail that you want your product family roadmap artifacts to represent

    30-60 minutes

    1. Consider the different available artifacts for a product family (goals, value stream, capabilities).
    2. List the roadmaps that you wish to represent.
    3. Based on how you currently articulate details on your product families, consider:
    • What do you want to use as the level of granularity for the artifact? Consider selecting something that has a direct connection to the product roadmap itself (for example, capabilities).
    • For some roadmaps you will want to categorize your artifacts – what would work best in those cases?

    Examples

    Level of Hierarchy

    Artifact Type

    Roadmap 1

    Goals

    Capability

    Roadmap 2

    Roadmap 3

    Output

    • Details on your roadmap granularity

    Participants

    • Product owners
    • Product managers
    • Portfolio managers

    Record the results in the Deliver Digital Products at Scale Workbook.

    Step 3.4

    Confirm goal and value alignment of products and their product families

    Activities

    3.4.1 Validate business value alignment between products and their product families

    This step involves the following participants:

    • Product owners
    • Product managers
    • Portfolio managers
    • Business analysts

    Outcomes of this step

    • Validation of the alignment between your product families and products

    Confirming product to family value alignment

    It isn’t always obvious whether you have the right value delivery alignment between products and product families.

    An example is shown to demonstrate product-to-family-alignment.

    Product-to-family alignment can be validated in two different ways:

    1. Initial value alignment
    2. Confirm the perceived business value at a family level is aligned with what is being delivered at a product level.

    3. Value measurement during the lifetime of the product
    4. Validate family roadmap attainment through progression toward the specified product goals.

    For more detail on calculating business value, see Build a Value Measurement Framework.

    To evaluate a product family’s contribution, you need a common definition of value

    Why is having a common value measure important?

    CIO-CEO Alignment Diagnostic

    A stacked bar graph is shown to demonstrate CIO-CEO Alignment Diagnostic. A bar titled Business Value Metrics is highlighted. 51% had some improvement necessary and 32% had significant improvement necessary.

    Over 700 Info-Tech members have implemented the Balanced Value Measurement Framework.

    “The cynic knows the price of everything and the value of nothing.”

    – Oscar Wilde

    “Price is what you pay. Value is what you get.”

    – Warren Buffett

    Understanding where you derive value is critical to building solid roadmaps.

    All value in your product family is not created equal

    Business value is the value of the business outcome the application produces and how effective the product is at producing that outcome. Dissecting value by the benefit type and the value source allows you to see the many ways in which a product or service brings value to your organization. Capture the value of your products in short, concise statements, like an elevator pitch.

    A business value matrix is shown.

    Increase Revenue

    Product or service functions that are specifically related to the impact on your organization’s ability to generate revenue.

    Reduce Costs

    Reduction of overhead. The ways in which your product limits the operational costs of business functions.

    Enhance Services

    Functions that enable business capabilities that improve the organization’s ability to perform its internal operations.

    Reach Customers

    Application functions that enable and improve the interaction with customers or produce market information and insights.

    Financial Benefits vs. Improved Capabilities

    • Financial Benefit refers to the degree to which the value source can be measured through monetary metrics and is often quite tangible.
    • Human Benefit refers to how a product or service can deliver value through a user’s experience.

    Inward vs. Outward Orientation

    • Inward refers to value sources that have an internal impact and improve your organization’s effectiveness and efficiency in performing its operations.
    • Outward refers to value sources that come from your interaction with external factors, such as the market or your customers.

    3.4.1 Validate business value alignment between products and their product families

    30-60 minutes

    1. Draw the 2x2 Business Value Matrix on a flip chart or open the Business Value Matrix tab in the Deliver Digital Products at Scale Workbook to use in this exercise.
    2. Brainstorm and record the different types of business value that your product and product family produce on the sticky notes (one item per sticky note).
    3. As a team, evaluate how the product value delivered contributes to the product family value delivered. Note any gaps or differences between the two.

    Download and complete Build a Value Measurement Framework for full support in focusing product delivery on business value–driven outcomes.

    A business value matrix is shown.

    Output

    • Confirmation of value alignment between product families and their respective products

    Participants

    • Product owners
    • Product managers

    Record the results in the Deliver Digital Products at Scale Workbook.

    Example: Validate business value alignment between products and their product families

    An example of a business value matrix is shown.

    Measure product value with metrics tied to your business value sources and objectives

    Assign metrics to your business value sources

    Business Value Category

    Source Examples

    Metric Examples

    Profit Generation

    Revenue

    Customer Lifetime Value (LTV)

    Data Monetization

    Average Revenue per User (ARPU)

    Cost Reduction

    Reduce Labor Costs

    Contract Labor Cost

    Reduce Overhead

    Effective Cost per Install (eCPI)

    Service Enablement

    Limit Failure Risk

    Mean Time to Mitigate Fixes

    Collaboration

    Completion Time Relative to Deadline

    Customer and Market Reach

    Customer Satisfaction

    Net Promoter Score

    Customer Trends

    Number of Customer Profiles

    The importance of measuring business value through metrics

    The better an organization is at using business value metrics to evaluate IT’s performance, the more satisfied the organization is with IT’s performance as a business partner. In fact, those that say they’re effective at business value metrics have satisfaction scores that are 30% higher than those that believe significant improvements are necessary (Info-Tech’s IT diagnostics).

    Assigning metrics to your prioritized values source will allow you to more accurately measure a product’s value to the organization and identify optimization opportunities. See Info-Tech’s Related Research: Value, Delivery Metrics, Estimation blueprint for more information.

    Your product delivery pipeline connects your roadmap with business value realization

    The effectiveness of your product roadmap needs to be evaluated based on delivery capacity and throughput.

    A product roadmap is shown with additional details to demonstrate delivery capacity and throughput.

    When thinking about product delivery metrics, be careful what you ask for…

    As the saying goes “Be careful what you ask for, because you will probably get it.”

    Metrics are powerful because they drive behavior.

    • Metrics are also dangerous because they often lead to unintended negative outcomes.
    • Choose your metrics carefully to avoid getting what you asked for instead of what you intended.

    It’s a cautionary tale that also offers a low-risk path through the complexities of metrics use.

    For more information on the use (and abuse) of metrics, see Select and Use SDLC Metrics Effectively.

    Measure delivery and success

    Metrics and measurements are powerful tools to drive behavior change and decision making in your organization. However, metrics are highly prone to creating unexpected outcomes, so use them with great care. Use metrics judiciously to uncover insights but avoid gaming or ambivalent behavior, productivity loss, and unintended consequences.

    Build good practices in your selection and use of metrics:

    • Choose the metrics that are as close to measuring the desired outcome as possible.
    • Select the fewest metrics possible and ensure they are of the highest value to your team, the safest from gaming behaviors and unintended consequences, and the easiest to gather and report.
    • Never use metrics for reward or punishment; use them to develop your team.
    • Automate as much metrics gathering and reporting as possible.
    • Focus on trends rather than precise metrics values.
    • Review and change your metrics periodically.

    Phase 4

    Bridge the Gap Between Product Families and Delivery

    Phase 1Phase 2Phase 3Phase 4Phase 5

    1.1 Understand the organizational factors driving product-centric delivery

    1.2 Establish your organization’s product inventory

    2.1 Determine your approach to scale product families

    2.2 Define your product families

    3.1 Leverage product family roadmaps

    3.2 Use stakeholder management to improve roadmap communication

    3.3 Configure your product family roadmaps

    3.4 Confirm product family to product alignment

    4.1 Assess your organization’s delivery readiness

    4.2 Understand your delivery options

    4.3 Determine your operating model

    4.4 Identify how to fund product family delivery

    5.1 Learn how to introduce your digital product family strategy

    5.2 Communicate changes on updates to your strategy

    5.3 Determine your next steps

    This phase will walk you through the following activities:

    4.1.1 Assess your organization’s readiness to deliver digital product families

    4.2.1 Consider pros and cons for each delivery model relative to how you wish to deliver

    4.3.1 Understand the relationships between product management, delivery teams, and stakeholders

    4.4.1 Discuss traditional vs. product-centric funding methods

    This phase involves the following participants:

    • Product owners
    • Product managers
    • Portfolio managers
    • Delivery managers

    Assess the impacts of product-centric delivery on your teams and org design

    Product delivery can exist within any org structure or delivery model. However, when making the shift toward product management, consider optimizing your org design and product team structure to match your capacity and throughput needs.

    A flowchart is shown to see how the impacts of product-centric delivery can impact team and org designs.

    Info-Tech Note

    Realigning your delivery pipeline and org design takes significant effort and time. Although we won’t solve these questions here, it’s important to identify factors in your current or future models that improve value delivery.

    Step 4.1

    Assess your organization’s delivery readiness

    Activities

    4.1.1 Assess your organization’s readiness to deliver digital product families

    This step involves the following participants:

    • Product owners
    • Product managers
    • Portfolio managers
    • Delivery managers

    Outcomes of this step

    • An understanding of the group’s maturity level when it comes to product delivery

    Maturing product practices enables delivery of product families, not just products or projects

    A flowchart is shown to demonstrate the differences between project lifecycle, hybrid lifecycle, and product lifecycle.

    Just like product owners, product family owners are needed to develop long-term product value, strategy, and delivery. Projects can still be used as the source of funding and change management; however, the product family owner must manage product releases and operational support. The focus of this section will be on aligning product families to one or more releases.

    4.1.1 Assess your organization’s readiness to deliver digital product families

    30-60 minutes

    1. For each question in the Deliver Digital Products at Scale Readiness Assessment, ask yourself which of the five associated maturity statements most closely describes your organization.
    2. As a group, agree on your organization’s current readiness score for each of the six categories.

    A screenshot of the Deliver Digital Products at Scale Readiness Assessment is shown.

    Output

    • Product delivery readiness score

    Participants

    • Product managers
    • Product owners

    Download the Deliver Digital Products at Scale Readiness Assessment.

    Value realization is constrained by your product delivery pipeline

    Value is realized through changes made at the product level. Your pipeline dictates the rate, quality, and prioritization of your backlog delivery. This pipeline connects your roadmap goals to the value the goals are intended to provide.

    An example of a product roadmap is shown with the additional details of the product delivery pipeline being highlighted.

    Product delivery realizes value for your product family

    While planning and analysis are done at the family level, work and delivery are done at the individual product level.

    PRODUCT STRATEGY

    What are the artifacts?

    What are you saying?

    Defined at the family level?

    Defined at the product level?

    Vision

    I want to...

    Strategic focus

    Delivery focus

    Goals

    To get there we need to...

    Roadmap

    To achieve our goals, we’ll deliver...

    Backlog

    The work will be done in this order...

    Release Plan

    We will deliver in the following ways...

    Step 4.2

    Understand your delivery options

    Activities

    4.2.1 Consider pros and cons for each delivery model relative to how you wish to deliver

    This step involves the following participants:

    • Product owners
    • Product managers
    • Portfolio managers
    • Delivery managers

    Outcomes of this step

    • An understanding of the different team configuration options when it comes to delivery and their relevance to how you currently work

    Define the scope of your product delivery strategy

    The goal of your product delivery strategy is to establish streamlined, enforceable, and standardized product management and delivery capabilities that follow industry best practices. You will need to be strategic in how and where you implement your changes because this will set the stage for future adoption. Strategically select the most appropriate products, roles, and areas of your organization to implement your new or enhanced capabilities and establish a foundation for scaling.

    Successful product delivery requires people who are knowledgeable about the products they manage and have a broad perspective of the entire delivery process, from intake to delivery, and of the product portfolio. The right people also have influence with other teams and stakeholders who are directly or indirectly impacted by product decisions. Involve team members who have expertise in the development, maintenance, and management of your selected products and stakeholders who can facilitate and promote change.

    Learn about different patterns to structure and resource your product delivery teams

    The primary goal of any product delivery team is to improve the delivery of value for customers and the business based on your product definition and each product’s demand. Each organization will have different priorities and constraints, so your team structure may take on a combination of patterns or may take on one pattern and then transform into another.

    Delivery Team Structure Patterns

    How Are Resources and Work Allocated?

    Functional Roles

    Teams are divided by functional responsibilities (e.g. developers, testers, business analysts, operations, help desk) and arranged according to their placement in the software development lifecycle (SDLC).

    Completed work is handed off from team to team sequentially as outlined in the organization’s SDLC.

    Shared Service and Resource Pools

    Teams are created by pulling the necessary resources from pools (e.g. developers, testers, business analysts, operations, help desk).

    Resources are pulled whenever the work requires specific skills or pushed to areas where product demand is high.

    Product or System

    Teams are dedicated to the development, support, and management of specific products or systems.

    Work is directly sent to the teams who are directly managing the product or directly supporting the requester.

    Skills and Competencies

    Teams are grouped based on skills and competencies related to technology (e.g. Java, mobile, web) or familiarity with business capabilities (e.g. HR, finance).

    Work is directly sent to the teams who have the IT and business skills and competencies to complete the work.

    See the flow of work through each delivery team structure pattern

    Four delivery team structures are shown. The four are: functional roles, shared service and resource pools, product or system, and skills and competencies.

    Staffing models for product teams

    Functional Roles Shared Service and Resource Pools Product or System Skills and Competencies
    A screenshot of the functional roles from the flow of work example is shown. A screenshot of the shared service and resource pools from the flow of work example is shown. A screenshot of the product or system from the flow of work example is shown. A screenshot of skills and competencies from the flow of work example is shown.
    Pros
      ✓ Specialized resources are easier to staff

      ✓ Product knowledge is maintained

      ✓ Flexible demand/capacity management

      ✓ Supports full utilization of resources

      ✓ Teams are invested in the full life of the product

      ✓ Standing teams enable continuous improvement

      ✓ Teams are invested in the technology

      ✓ Standing teams enable continuous improvement

    Cons
      x Demand on specialists can create bottlenecks

      x Creates barriers to collaboration

      x Unavailability of resources can lead to delays

      x Product knowledge can be lost as resources move

      x Changes in demand can lead to downtime

      x Cross-functional skills make staffing a challenge

      x Technology bias can lead to the wrong solution

      x Resource contention when team supports multiple solutions

    Considerations
      ! Product owners must break requests down into very small components to support Agile delivery as mini-Waterfalls
      ! Product owners must identify specialist requirements in the roadmap to ensure resources are available
      ! Product owners must ensure that there is a sufficient backlog of valuable work ready to keep the team utilized
      ! Product owners must remain independent of technology to ensure the right solution is built
    Use Case
    • When you lack people with cross-functional skills
    • When you have specialists such as those skilled in security and operations who will not have full-time work on the product
    • When you have people with cross-functional skills who can self-organize around the request
    • When you have a significant investment in a specific technology stack

    4.2.1 Consider pros and cons for each delivery model relative to how you wish to deliver

    1. Document your current staffing model for your product delivery teams.
    2. Evaluate the pros and cons of each model, as specified on the previous slide, relative to how you currently work.
    3. What would be the ideal target state for your team? If one model does not completely fit, is there a hybrid option worth considering? For example: Product-Based combined with Shared Service/Resource Pools for specific roles.

    Functional Roles

    Teams are divided by functional responsibilities (e.g. developers, testers, business analysts, operations, help desk) and arranged according to their placement in the software development lifecycle (SDLC).

    Shared Service and Resource Pools

    Teams are created by pulling the necessary resources from pools (e.g. developers, testers, business analysts, operations, help desk).

    Product or System

    Teams are dedicated to the development, support, and management of specific products or systems.

    Skills and Competencies

    Teams are grouped based on skills and competencies related to technology (e.g. Java, mobile, web) or familiarity with business capabilities (e.g. HR, finance).

    Output

    • An understanding of pros and cons for each delivery model and the ideal target state for your team

    Participants

    • Product managers
    • Product owners

    Record the results in the Digital Product Family Strategy Playbook.

    Step 4.3

    Determine your operating model

    Activities

    4.3.1 Understand the relationships between product management, delivery teams, and stakeholders

    This step involves the following participants:

    • Product owners
    • Product managers
    • Portfolio managers
    • Delivery managers

    Outcomes of this step

    • An understanding of the potential operating models and what will work best for your organization

    Reminder: Patterns for scaling products

    The alignment of your product families should be considered in your operating model.

    Value Stream Alignment

    Enterprise Applications

    Shared Services

    Technical

    Organizational Alignment

    • Business architecture
      • Value stream
      • Capability
      • Function
    • Market/customer segment
    • Line of business (LoB)
    • Example: Customer group > value stream > products
    • Enabling capabilities
    • Enterprise platforms
    • Supporting apps
    • Example: HR > Workday/Peoplesoft > ModulesSupporting: Job board, healthcare administrator
    • Organization of related services into service family
    • Direct hierarchy does not necessarily exist within the family
    • Examples: End-user support and ticketing, workflow and collaboration tools
    • Domain grouping of IT infrastructure, platforms, apps, skills, or languages
    • Often used in combination with Shared Services grouping or LoB-specific apps
    • Examples: Java, .NET, low-code, database, network
    • Used at higher levels of the organization where products are aligned under divisions
    • Separation of product managers from organizational structure no longer needed because the management team owns product management role

    Ensure consistency in the application of your design principles with a coherent operating model

    What is an operating model?

    An operating model is an abstract visualization, used like an architect’s blueprint, that depicts how structures and resources are aligned and integrated to deliver on the organization’s strategy. It ensures consistency of all elements in the organizational structure through a clear and coherent blueprint before embarking on detailed organizational design

    The visual should highlight which capabilities are critical to attaining strategic goals and clearly show the flow of work so that key stakeholders can understand where inputs flow in and outputs flow out of the IT organization.

    An example of an operating model is shown.

    For more information, see Redesign Your IT Organizational Structure.

    Weigh the pros and cons of IT operating models to find the best fit

    1. LoB/Product Aligned – Decentralized Model: Line of Business, Geographically, Product, or Functionally Aligned
    2. A decentralized IT operating model that embeds specific functions within LoBs/product teams and provides cross-organizational support for their initiatives.

    3. Hybrid Functional: Functional/Product Aligned
    4. A best-of-both-worlds model that balances the benefits of centralized and decentralized approaches to achieve both customer responsiveness and economies of scale.

    5. Hybrid Service Model: Product-Aligned Operating Model
    6. A model that supports what is commonly referred to as a matrix organization, organizing by highly related service categories and introducing the role of the service owner.

    7. Centralized: Plan-Build-Run
    8. A highly typical IT operating model that focuses on centralized strategic control and oversight in delivering cost-optimized and effective solutions.

    9. Centralized: Demand-Develop-Service
    10. A centralized IT operating model that lends well to more mature operating environments. Aimed at leveraging economies of scale in an end-to-end services delivery model.

    There are many different operating models. LoB/Product Aligned and Hybrid Functional align themselves most closely with how products and product families are typically delivered.

    Decentralized Model: Line of Business, Geographically, Product, or Functionally Aligned

    An example of a decentralized model is shown.

    BENEFITS

    DRAWBACKS

    • Organization around functions (FXN) allows for diversity in approach in how areas are run to best serve specific business units needs.
    • Each functional line exists largely independently, with full capacity and control to deliver service at the committed service level agreements.
    • Highly responsive to shifting needs and demands with direct connection to customers and all stages of the solution development lifecycle.
    • Accelerates decision making by delegating authority lower into the FXN.
    • Promotes a flatter organization with less hierarchy and more direct communication with the CIO.
    • Less synergy and integration across what different lines of business are doing can result in redundancies and unnecessary complexity.
    • Higher overall cost to the IT group due to role and technology duplication across different FXN.
    • Inexperience becomes an issue; requires more competent people to be distributed across the FXN.
    • Loss of sight of the big picture – difficult to enforce standards around people/process/technology with solution ownership within the FXN.

    For more information, see Redesign your IT Organizational Structure.

    Hybrid Model: Functional/Product Aligned

    An example of a hybrid model: functional/product aligned is shown.

    BENEFITS

    DRAWBACKS

    • Best of both worlds of centralization and decentralization; attempts to channel benefits from both centralized and decentralized models.
    • Embeds key IT functions that require business knowledge within functional areas, allowing for critical feedback.
    • Balances a holistic IT strategy and architecture with responsiveness to needs of the organization.
    • Achieves economies of scale where necessary through the delivery of shared services that can be requested by the function.
    • May result in excessive cost through role and system redundancies across different functions
    • Business units can have variable levels of IT competence; may result in different levels of effectiveness.
    • No guaranteed synergy and integration across functions; requires strong communication, collaboration, and steering.
    • Cannot meet every business unit’s needs – can cause tension from varying effectiveness of the IT functions placed within the functional areas.

    For more information, see Redesign your IT Organizational Structure.

    Hybrid Model: Product-Aligned Operating Model

    An example of a hybrid model: product-aligned operating model.

    BENEFITS

    DRAWBACKS

    • Focus is on the full lifecycle of a product – takes a strategic view of how technology enables the organization.
    • Promotes centralized backlog around a specific value creator, rather than traditional project focus, which is more transactional.
    • Dedicated teams around the product family ensure that you have all of the resources required to deliver on your product roadmap.
    • Reduces barriers between IT and business stakeholders, focuses on technology as a key strategic enabler.
    • Delivery is largely done through a DevOps methodology.
    • Significant business involvement is required for success within this model, with business stakeholders taking an active role in product governance and potentially product management as well.
    • Strong architecture standards and practices are required to make this successful because you need to ensure that product families are building in a consistent manner and limiting application sprawl.
    • Introduced the need for practice standards to drive consistency in quality of delivered services.
    • May result in increased cost through role redundancies across different squads.

    For more information, see Redesign your IT Organizational Structure.

    Centralized: Plan-Build-Run

    An example of a centralized: Plan-Build-Run is shown.

    BENEFITS

    DRAWBACKS

    • Effective at implementing long-term plans efficiently, separates maintenance and projects to allow each to have the appropriate focus.
    • More oversight over financials; better suited for fixed budgets.
    • Works across centralized technology domains to better align with the business's strategic objectives – allows for a top-down approach to decision making.
    • Allows for economies of scale and expertise pooling to improve IT’s efficiency.
    • Well suited for a project-driven environment that employs Waterfall or a hybrid project management methodology that is less iterative.
    • Not optimized for unpredictable/shifting project demands, as decision making is centralized in the plan function.
    • Less agility to deliver new features or solutions to the customer in comparison to decentralized models.
    • Build (developers) and run (operations staff) are far removed from the business, resulting in lower understanding of business needs (as well as “passing the buck” – from development to operations).
    • Requires strong hand-off processes to be defined and strong knowledge transfer from build to run functions in order to be successful.

    For more information, see Redesign your IT Organizational Structure.

    Centralized: Demand-Develop-Service

    An example of a centralized: Demand-Develop-Service model is shown.

    BENEFITS

    DRAWBACKS

    • Aligns well with an end-to-end services model; constant attention to customer demand and service supply.
    • Centralizes service operations under one functional area to serve shared needs across lines of business.
    • Allows for economies of scale and expertise pooling to improve IT’s efficiency.
    • Elevates sourcing and vendor management as its own strategic function; lends well to managed service and digital initiatives.
    • Development and operations housed together; lends well to DevOps-related initiatives.
    • Can be less responsive to business needs than decentralized models due to the need for portfolio steering to prioritize initiatives and solutions.
    • Requires a higher level of operational maturity to succeed; stable supply functions (service mgmt., operations mgmt., service desk, security, data) are critical to maintaining business satisfaction.
    • Requires highly effective governance around project portfolio, services, and integration capabilities.
    • Effective feedback loop highly dependent on accurate performance measures.

    For more information, see Redesign your IT Organizational Structure.

    Assess how your product scaling pattern impacts your resource delivery model

    Value Stream Alignment

    Enterprise Applications

    Shared Services

    Technical

    Plan-Build-Run:
    Centralized

    Pro: Supports established and stable families.

    Con: Command-and-control nature inhibits Agile DevOps and business agility.

    Pro: Supports established and stable families.

    Con: Command-and-control nature inhibits Agile DevOps and business agility.

    Pro: Can be used to align high-level families.

    Con: Lacks flexibility at the product level to address shifting priorities in product demand.

    Pro: Supports a factory model.

    Con: Lacks flexibility at the product level to address shifting priorities in product demand.

    Centralized Model 2:
    Demand-Develop-
    Service

    Pro: Supports established and stable families.

    Con: Command-and-control nature inhibits Agile DevOps and business agility.

    Pro: Supports established and stable families.

    Con: Command-and-control nature inhibits Agile DevOps and business agility.

    Pro: Recommended for aligning high-level service families based on user needs.

    Con: Reduces product empowerment, prioritizing demand. Slow.

    Pro: Supports factory models.

    Con: Reduces product empowerment, prioritizing demand. Slow.

    Decentralized Model:
    Line of Business, Product, Geographically, or

    Functionally Aligned

    Pro: Aligns product families to value streams, capabilities, and organizational structure.

    Con: Reduces shared solutions and may create duplicate apps and services.

    Pro: Enterprise apps treated as distinct LoB groups.

    Con: Reduces shared solutions and may create duplicate apps and services.

    Pro: Complements value stream alignment by consolidating shared apps and services.

    Con: Requires additional effort to differentiate local vs. shared solutions.

    Pro: Fits within other groupings where technical expertise is needed.

    Con: Creates redundancy between localized and shared technical teams.

    Hybrid Model:
    Functional/Product

    Aligned

    Pro: Supports multiple patterns of product grouping.

    Con: Requires additional effort to differentiate local vs. shared solutions.

    Pro: Supports multiple patterns of product grouping.

    Con: Requires additional effort to differentiate local vs. shared solutions.

    Pro: Supports multiple patterns of product grouping.

    Con: Requires additional effort to differentiate local vs. shared solutions.

    Pro: Supports multiple patterns of product grouping.

    Con: Creates redundancy between localized and shared technical teams.

    Hybrid Model:

    Product-Aligned Operating Model

    Pro: Supports multiple patterns of product grouping.

    Con: Requires additional effort to differentiate local vs. shared solutions.

    Pro: Supports multiple patterns of product grouping.

    Con: Requires additional effort to differentiate local vs. shared solutions.

    Pro: Supports multiple patterns of product grouping.

    Con: Requires additional effort to differentiate local vs. shared solutions.

    Pro: Supports multiple patterns of product grouping.

    Con: Creates redundancy between localized and shared technical teams.

    4.3.1 Understand the relationships between product management, delivery teams, and stakeholders

    30-60 minutes

    1. Discuss the intake sources of product work.
    2. Trace the flow of requests down to the functional roles of your delivery team (e.g., developer, QA, operations).
    3. Indicate where key deliverables are produced, particularly those that are built in collaboration.
    4. Discuss the five operating models relative to your current operating model choice. How aligned are you?
    5. Review Info-Tech’s recommendation on the best-aligned operating models for product family delivery. Do you agree or disagree?
    6. Evaluate recommendations against how you operate/work.

    Output

    • Understanding of the relationships between key groups
    • A preferred operating model

    Participants

    • Product owners
    • Product managers
    • Delivery managers

    Record the results in the Digital Product Family Strategy Playbook.

    4.3.1 Understand the relationships between product management, delivery teams, and stakeholders

    An example of activity 4.3.1 to understand the relationships between product management, delivery teams, and stakeholders is shown.

    Output

    • Understanding of the relationships between key groups
    • A preferred operating model

    Participants

    • Product owners
    • Product managers
    • Delivery managers

    Step 4.4

    Identify how to fund product family delivery

    Activities

    4.4.1 Discuss traditional vs. product-centric funding methods

    This step involves the following participants:

    • Product owners
    • Product managers
    • Portfolio managers
    • Delivery managers

    Outcomes of this step

    • An understanding of the differences between product-based and traditional funding methods

    Why is funding so problematic?

    We often still think about funding products like construction projects.

    Three models are shown on the various options to fund projects.

    These models require increasing accuracy throughout the project lifecycle to manage actuals vs. estimates.

    "Most IT funding depends on one-time expenditures or capital-funding mechanisms that are based on building-construction funding models predicated on a life expectancy of 20 years or more. Such models don’t provide the stability or flexibility needed for modern IT investments." – EDUCAUSE

    Reminder: Projects don’t go away. The center of the conversation changes.

    A flowchart is shown to demonstrate the difference between project lifecycle, hybrid lifecycle, and product lifecycle.

    Projects within products

    Regardless of whether you recognize yourself as a product-based or project-based shop, the same basic principles should apply.

    The purpose of projects is to deliver the scope of a product release. The shift to product delivery leverages a product roadmap and backlog as the mechanism for defining and managing the scope of the release.

    Eventually, teams progress to continuous integration/continuous delivery (CI/CD) where they can release on demand or as scheduled, requiring org change management.

    Planning and budgeting for products and families

    Reward for delivering outcomes, not features

    AutonomyFlexibilityAccountability
    Fund what delivers valueAllocate iterativelyMeasure and adjust

    Fund long-lived delivery of value through products (not projects).

    Give autonomy to the team to decide exactly what to build.

    Allocate to a pool based on higher-level business case.

    Provide funds in smaller amounts to different product teams and initiatives based on need.

    Product teams define metrics that contribute to given outcomes.

    Track progress and allocate more (or less) funds as appropriate.

    Info-Tech Insight

    Changes to funding require changes to product and Agile practices to ensure product ownership and accountability.

    The Lean Enterprise Funding Model is an example of a different approach

    An example of the lean enterprise funding model is shown.
    From: Implement Agile Practices That Work

    A flexible funding pool akin to venture capital models is maintained to support innovative ideas and fund proofs of concept for product and process improvements.

    Proofs of concept (POCs) are run by standing innovation teams or a reserve of resources not committed to existing products, projects, or services.

    Every product line has funding for all changes and ongoing operations and support.

    Teams are funded continuously so that they can learn and improve their practices as much as possible.

    Budgeting approaches must evolve as you mature your product operating environment

    TRADITIONAL PROJECTS WITH WATERFALL DELIVERY

    TRADITIONAL PROJECTS WITH AGILE DELIVERY

    PRODUCTS WITH AGILE PROJECT DELIVERY

    PRODUCTS WITH AGILE DELIVERY

    WHEN IS THE BUDGET TRACKED?

    Budget tracked by major phases

    Budget tracked by sprint and project

    Budget tracked by sprint and project

    Budget tracked by sprint and release

    HOW ARE CHANGES HANDLED?

    All change is by exception

    Scope change is routine, budget change is by exception

    Scope change is routine, budget change is by exception

    Budget change is expected on roadmap cadence

    WHEN ARE BENEFITS REALIZED?

    Benefits realization after project completion

    Benefits realization is ongoing throughout the life of the project

    Benefits realization is ongoing throughout the life of the product

    Benefits realization is ongoing throughout life of the product

    WHO “DRIVES”?

    Project Manager

    • Project team delivery role
    • Refines project scope, advocates for changes in the budget
    • Advocates for additional funding in the forecast

    Product Owner

    • Project team delivery role
    • Refines project scope, advocates for changes in the budget
    • Advocates for additional funding in the forecast

    Product Manager

    • Product portfolio team role
    • Forecasting new initiatives during delivery to continue to drive value throughout the life of the product

    Product Manager

  • Product family team role
  • Forecasting new initiatives during delivery to continue to drive value throughout the life of the product
  • Info-Tech Insight

    As you evolve your approach to product delivery, you will be decoupling the expected benefits, forecast, and budget. Managing them independently will improve your ability to adapt to change and drive the right outcomes!

    Your strategy must include the cost to build and operate

    Most investment happens after go-live, not in the initial build!

    An example strategy is displayed that incorporates the concepts of cost to build and operate.

    Adapted from: LookFar

    Info-Tech Insight

    While the exact balance point between development or implementation costs varies from application to application, over 80% of the cost is accrued after go-live.

    Traditional accounting leaves software development CapEx on the table

    Software development costs have traditionally been capitalized, while research and operations are operational expenditures.

    The challenge has always been the myth that operations are only bug fixes, upgrades, and other operational expenditures. Research shows that most post-release work on developed solutions is the development of new features and changes to support material changes in the business. While projects could bundle some of these changes into capital expenditure, much of the business-as-usual work that goes on leaves capital expenses on the table because the work is lumped together as maintenance-related OpEx.

    From “How to Stop Leaving Software CapEx on the Table With Agile and DevOps”

    4.4.1 Discuss traditional vs. product-centric funding methods

    30-60 minutes

    1. Discuss how products and product families are currently funded.
    2. Review how the Agile/product funding models differ from how you currently operate.
    3. What changes do you need to consider in order to support a product delivery model?
    4. For each change, identify the key stakeholders and list at least one action to take.
    5. Record the results in the Digital Product Family Strategy Playbook.

    Output

    • Understanding of funding principles and challenges

    Participants

    • Product owners
    • Product managers
    • Delivery managers

    Record the results in the Digital Product Family Strategy Playbook.

    Phase 5

    Build Your Transformation Roadmap and Communication Plan

    Phase 1Phase 2Phase 3Phase 4Phase 5

    1.1 Understand the organizational factors driving product-centric delivery

    1.2 Establish your organization’s product inventory

    2.1 Determine your approach to scale product families

    2.2 Define your product families

    3.1 Leverage product family roadmaps

    3.2 Use stakeholder management to improve roadmap communication

    3.3 Configure your product family roadmaps

    3.4 Confirm product family to product alignment

    4.1 Assess your organization’s delivery readiness

    4.2 Understand your delivery options

    4.3 Determine your operating model

    4.4 Identify how to fund product family delivery

    5.1 Learn how to introduce your digital product family strategy

    5.2 Communicate changes on updates to your strategy

    5.3 Determine your next steps

    This phase will walk you through the following activities:

    5.1.1 Introduce your digital product family strategy

    5.2.1 Define your communication cadence for your strategy updates

    5.2.2 Define your messaging for each stakeholder

    5.3.1 How do we get started?

    This phase involves the following participants:

    • Product owners
    • Product managers
    • Application leaders
    • Stakeholders

    Step 5.1

    Introduce your digital product family strategy

    Activities

    5.1.1 Introduce your digital product family strategy

    This step involves the following participants:

    • Product owners and product managers
    • Application leaders
    • Stakeholders

    Outcomes of this step

    • A completed executive summary presenting your digital product strategy

    Product decisions are traditionally made in silos with little to no cross-functional communication and strategic oversight

    Software delivery teams and stakeholders traditionally make plans, strategies, and releases within their silos and tailor their decisions based on their own priorities. Interactions are typically limited to hand-offs (such as feature requests) and routing of issues and defects back up the delivery pipeline. These silos likely came about through well-intentioned training, mandates, and processes, but they do not sufficiently support today’s need to rapidly release and change platforms.

    Siloed departments often have poor visibility into the activities of other silos, and they may not be aware of the ramifications their decisions have on teams and stakeholders outside of their silo.

    • Silos may make choices that are optimal largely for themselves without thinking of the holistic impact on a platform’s structure, strategy, use cases, and delivery.
    • The business may approve platform improvements without the consideration of the delivery team’s current capacity or the system’s complexity, resulting in unrealistic commitments.
    • Quality standards may be misinterpreted and inconsistently enforced across the entire delivery pipeline.

    In some cases, the only way to achieve greater visibility and communication for all roles across a platform’s lifecycle is implementing an overarching role or team.

    “The majority of our candid conversations with practitioners and project management offices indicate that the platform ownership role is poorly defined and poorly executed.”

    – Barry Cousins

    Practice Lead, Applications – Project & Portfolio Management

    Info-Tech Research Group

    Use stakeholder management and roadmap views to improve communication

    Proactive, clear communication with stakeholders, SMEs, and your product delivery team can significantly improve alignment and agreement with your roadmap, strategy, and vision.

    When building your communication strategy, revisit the work you completed in phase 3 developing your:

    • Roadmap types
    • Stakeholder strategy

    Type

    Quadrant

    Actions

    Players

    High influence, high interest – actively engage

    Keep them updated on the progress of the project. Continuously involve Players in the process and maintain their engagement and interest by demonstrating their value to its success.

    Mediators

    High influence, low interest – keep satisfied

    They can be the game changers in groups of stakeholders. Turn them into supporters by gaining their confidence and trust and including them in important decision-making steps. In turn, they can help you influence other stakeholders.

    Noisemakers

    Low influence, high interest – keep informed

    Try to increase their influence (or decrease it if they are detractors) by providing them with key information, supporting them in meetings, and using Mediators to help them.

    Spectators

    Low influence, low interest – monitor

    They are followers. Keep them in the loop by providing clarity on objectives and status updates.

    5.1.1 Introduce your digital product family strategy

    30-60 minutes

    This exercise is intended to help you lay out the framing of your strategy and the justification for the effort. A lot of these items can be pulled directly from the product canvas you created in phase 2. This is intended to be a single slide to frame your upcoming discussions.

    1. Update your vision, goals, and values on your product canvas. Determine which stakeholders may be impacted and what their concerns are. If you have many stakeholders, limit to Players and Influencers.
    2. Identify what you need from the stakeholders as a result of this communication.
    3. Keeping in mind the information gathered in steps 1 and 2, describe your product family strategy by answering three questions:
    1. Why do we need product families?
    2. What is in our way?
    3. Our first step will be... ?

    Output

    • An executive summary that introduces your product strategy

    Participants

    • Product owners and product managers
    • Application leaders
    • Stakeholders

    Record the results in the Digital Product Family Strategy Playbook.

    Example: Scaling delivery through product families

    Why do we need product families?

    • The growth of our product offerings and our company’s movement into new areas of growth mean we need to do a better job scaling our offerings to meet the needs of the organization.

    What is in our way?

    • Our existing applications and services are so dramatically different we are unsure how to bring them together.

    Our first step will be...

    • Taking a full inventory of our applications and services.

    Step 5.2

    Communicate changes on updates to your strategy

    Activities

    5.2.1 Define your communication cadence for your strategy updates

    5.2.2 Define your messaging for each stakeholder

    This step involves the following participants:

    • Product owners and product managers
    • Application leaders
    • Stakeholders

    Outcomes of this step

    • A communication plan for when strategy updates need to be given

    5.2.1 Define your communication cadence for your strategy updates

    30 minutes

    Remember the role of different artifacts when it comes to your strategy. The canvas contributes to the What, and the roadmap addresses the How. Any updates to the strategy are articulated and communicated through your roadmap.

    1. Review your currently defined roadmaps, their communication objectives, update frequency, and updates.
    2. Consider the impacted stakeholders and the strategies required to communicate with them.
    3. Fill in your communication cadence and communication method.

    EXAMPLE:

    Roadmap Name

    Audience/Stakeholders

    Communication Cadence

    External Customer Roadmap

    Customers and External Users

    Quarterly (Website)

    Product Delivery Roadmap

    Development Teams, Infrastructure, Architects

    Monthly (By Email)

    Technology Roadmap

    Development Teams, Infrastructure, Architects

    Biweekly (Website)

    Output

    • Clear communication cadence for your roadmaps

    Participants

    • Product owners and product managers
    • Application leaders
    • Stakeholders

    Record the results in the Digital Product Family Strategy Playbook.

    The “what” behind the communication

    Leaders of successful change spend considerable time developing a powerful change message, i.e. a compelling narrative that articulates the desired end state and makes the change concrete and meaningful to staff.

    The change message should:

    • Explain why the change is needed.
    • Summarize what will stay the same.
    • Highlight what will be left behind.
    • Emphasize what is being changed.
    • Explain how change will be implemented.
    • Address how change will affect various roles in the organization.
    • Discuss the staff’s role in making the change successful.

    Five elements of communicating change

    1. What is the change?
    2. Why are we doing it?
    3. How are we going to go about it?
    4. How long will it take us to do it?
    5. What is the role for each department and individual?

    Source: Cornelius & Associates

    How we engage with the message is just as important as the message itself

    Why are we here?

    Speak to what matters to them

    Sell the improvement

    Show real value

    Discuss potential fears

    Ask for their support

    Be gracious

    5.2.2 (Optional) Define your messaging for each stakeholder

    30 minutes

    It’s one thing to communicate the strategy, it’s another thing to send the right message to your stakeholders. Some of this will depend on the kind of news given, but the majority of this is dependent on the stakeholder and the cadence of communication.

    1. From exercise 5.2.1, take the information on the specific roadmaps, target audience, and communication cadence.
    2. Based on your understanding of the audience’s needs, what would the specific update try to get across?
    3. Pick a specific typical example of a change in strategy that you have gone through. (e.g. Product will be delayed by a quarter; key feature is being substituted for another.)

    EXAMPLE:

    Roadmap Name

    Audience/ Stakeholder

    Communication Cadence

    Messaging

    External Customer Roadmap

    Customers and External Users

    Quarterly (Website)

    Output

    • Messaging plan for each roadmap type

    Participants

    • Product owners and product managers
    • Application leaders
    • Stakeholders

    Record the results in the Digital Product Family Strategy Playbook.

    Step 5.3

    Determine your next steps

    Activities

    5.3.1 How do we get started?

    This step involves the following participants:

    • Product owners and product managers
    • Application leaders
    • Stakeholders

    Outcomes of this step

    • Understanding the steps to get started in your transformation

    Make a plan in order to make a plan!

    Consider some of the techniques you can use to validate your strategy.

    Learning Milestones

    Sprint Zero (AKA Project-before-the-project)

    The completion of a set of artifacts dedicated to validating business opportunities and hypotheses.

    Possible areas of focus:

    Align teams on product strategy prior to build

    Market research and analysis

    Dedicated feedback sessions

    Provide information on feature requirements

    The completion of a set of key planning activities, typically the first sprint.

    Possible areas of focus:

    Focus on technical verification to enable product development alignment

    Sign off on architectural questions or concerns

    An image showing the flowchart of continuous delivery of value is shown.

    Go to your backlog and prioritize the elements that need to be answered sooner rather than later.

    Possible areas of focus:

    Regulatory requirements or questions to answer around accessibility, security, privacy.

    Stress testing any new processes against situations that may occur.

    The “Now, Next, Later” roadmap

    Use this when deadlines and delivery dates are not strict. This is best suited for brainstorming a product plan when dependency mapping is not required.

    Now: What are you going to do now?

    Next: What are you going to do very soon?

    Later: What are you going to do in the future?

    An example of a now, next, later roadmap is shown.

    Source: “Tips for Agile product roadmaps & product roadmap examples,” Scrum.org, 2017

    5.3.1 How do we get started?

    30-60 minutes

    1. Identify what the critical steps are for the organization to embrace product-centric delivery.
    2. Group each critical step by how soon you need to address it:
    • Now: Let’s do this ASAP.
    • Next: Sometime very soon, let’s do these things.
    • Later: Much further off in the distance, let’s consider these things.
  • Record the group results in the Deliver Digital Products at Scale Workbook.
  • Record changes for your product and product family in the Digital Product Family Strategy Playbook.
  • An example of a now, next, later roadmap is shown.

    Source: “Tips for Agile product roadmaps & product roadmap examples,” Scrum.org, 2017

    Output

    • Product family transformation critical steps and basic roadmap

    Participants

    • Product owners and product managers
    • Application leaders
    • Stakeholders

    Record the results in the Digital Product Family Strategy Playbook.

    Record the results in the Deliver Digital Products at Scale Workbook.

    Summary of Accomplishment

    Problem Solved

    The journey to become a product-centric organization is not short or easy. Like with any improvement or innovation, teams need to continue to evolve and mature with changes in their operations, teams, tools, and user needs.You’ve taken a big step completing your product family alignment. This provides a backbone for aligning all aspects of your organization to your enterprise goals and strategy while empowering product teams to find solutions closer to the problem. Continue to refine your model and operations to improve value realization and your product delivery pipelines to embrace business agility. Organizations that are most responsive to change will continue to outperform command-and-control leadership.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information.

    workshops@infotech.com

    1-888-670-8889

    Research Contributors and Experts

    Photo of Emily Archer.

    Emily Archer

    Lead Business Analyst,

    Enterprise Consulting, authentic digital agency

    Emily Archer is a consultant currently working with Fortune 500 clients to ensure the delivery of successful projects, products, and processes. She helps increase the business value returned for organizations’ investments in designing and implementing enterprise content hubs and content operations, custom web applications, digital marketing, and e-commerce platforms.

    Photo of David Berg

    Founder & CTO

    Strainprint Technologies Inc.

    David Berg is a product commercialization expert that has spent the last 20 years of his career delivering product management and business development services across a broad range of industries. Early in his career, David worked with product management and engineering teams to build core network infrastructure products that secure and power the internet we benefit from today. David’s experience also includes working with clean technologies in the area of clean power generation, agritech, and Internet of Things infrastructure. Over the last five years, David has been focused on his latest venture, Strainprint Technologies, a data and analytics company focused on the medical cannabis industry. Strainprint has built the largest longitudinal medical cannabis dataset in the world with the goal to develop an understanding of treatment behavior, interactions, and chemical drivers to guide future product development.

    Kathy Borneman

    Digital Product Owner, SunTrust Bank

    Kathy Borneman is a senior product owner who helps people enjoy their jobs again by engaging others in end-to-end decision making to deliver software and operational solutions that enhance the client experience and allow people to think and act strategically.

    Photro of Charlie Campbell

    Charlie Campbell

    Product Owner, Merchant e-Solutions

    Charlie Campbell is an experienced problem solver with the ability to quickly dissect situations and recommend immediate actions to achieve resolution, liaise between technical and functional personnel to bridge the technology and communication gap, and work with diverse teams and resources to reach a common goal.

    Photo of Yarrow Diamond

    Yarrow Diamond

    Sr. Director, Business Architecture

    Financial Services

    Yarrow Diamond is an experienced professional with expertise in enterprise strategy development, project portfolio management, and business process reengineering across financial services, healthcare and insurance, hospitality, and real estate environments. She has a master’s in Enterprise Architecture from Penn State University, LSSMBB, PMP, CSM, ITILv3.

    Photo of Cari J. Faanes-Blakey

    Cari J. Faanes-Blakey, CBAP, PMI-PBA

    Enterprise Business Systems Analyst,

    Vertex, Inc.

    Cari J. Faanes-Blakey has a history in software development and implementation as a Business Analyst and Project Manager for financial and taxation software vendors. Active in the International Institute of Business Analysis (IIBA), Cari participated on the writing team for the BA Body of Knowledge 3.0 and the certification exam.

    Photo of Kieran Gobey

    Kieran Gobey

    Senior Consultant Professional Services

    Blueprint Software Systems

    Kieran Gobey is an IT professional with 24 years of experience, focused on business, technology, and systems analysis. He has split his career between external and internal customer-facing roles, and this has resulted in a true understanding of what is required to be a Professional Services Consultant. His problem-solving skills and ability to mentor others have resulted in successful software implementations. Kieran’s specialties include deep system troubleshooting and analysis skills, facilitating communications to bring together participants effectively, mentoring, leadership, and organizational skills.

    Photo of Rupert Kainzbauer

    Rupert Kainzbauer

    VP Product, Digital Wallets

    Paysafe Group

    Rupert Kainzbauer is an experienced senior leader with a passion for defining and delivering products that deliver real customer and commercial benefit. Together with a team of highly experienced and motivated product managers, he has successfully led highly complex, multi-stakeholder payments initiatives, from proposition development and solution design through to market delivery. Their domain experience is in building online payment products in high-risk and emerging markets, remittance, prepaid cards, and mobile applications.

    Photo of Saeed Khan

    Saeed Khan

    Founder,

    Transformation Labs

    Saeed Khan has been working in high tech for 30 years in both Canada and the US and has held a number of leadership roles in Product Management over that time. He speaks regularly at conferences and has been writing publicly about technology product management since 2005. Through Transformation Labs, Saeed helps companies accelerate product success by working with product teams to improve their skills, practices, and processes. He is a cofounder of ProductCamp Toronto and currently runs a Meetup group and global Slack community called Product Leaders; the only global community of senior level product executives.

    Photo of Hoi Kun Lo

    Hoi Kun Lo

    Product Owner

    Nielsen

    Hoi Kun Lo is an experienced change agent who can be found actively participating within the IIBA and WITI groups in Tampa, FL and a champion for Agile, architecture, diversity, and inclusion programs at Nielsen. She is currently a Product Owner in the Digital Strategy team within Nielsen Global Watch Technology.

    Photo of Abhishek Mathur

    Abhishek Mathur

    Sr Director, Product Management

    Kasisto, Inc.

    Abhishek Mathur is a product management leader, an artificial intelligence practitioner, and an educator. He has led product management and engineering teams at Clarifai, IBM, and Kasisto to build a variety of artificial intelligence applications within the space of computer vision, natural language processing, and recommendation systems. Abhishek enjoys having deep conversations about the future of technology and helping aspiring product managers enter and accelerate their careers.

    Photo of Jeff Meister

    Jeff Meister

    Technology Advisor and Product Leader

    Jeff Meister is a technology advisor and product leader. He has more than 20 years of experience building and operating software products and the teams that build them. He has built products across a wide range of industries and has built and led large engineering, design, and product organizations. Jeff most recently served as Senior Director of Product Management at Avanade, where he built and led the product management practice. This involved hiring and leading product managers, defining product management processes, solution shaping and engagement execution, and evangelizing the discipline through pitches, presentations, and speaking engagements. Jeff holds a Bachelor’s of Applied Science (Electrical Engineering) and a Bachelor’s of Arts from the University of Waterloo, an MBA from INSEAD (Strategy), and certifications in product management, project management, and design thinking.

    Photo of Vincent Mirabelli

    Vincent Mirabelli

    Principal,

    Global Project Synergy Group

    With over 10 years of experience in both the private and public sectors, Vincent Mirabelli possesses an impressive track record of improving, informing, and transforming business strategy and operations through process improvement, design and re-engineering, and the application of quality to business analysis, project management, and process improvement standards.

    Photo of Oz Nazili

    Oz Nazili

    VP, Product & Growth

    TWG

    Oz Nazili is a product leader with a decade of experience in both building products and product teams. Having spent time at funded startups and large enterprises, he thinks often about the most effective way to deliver value to users. His core areas of interest include Lean MVP development and data-driven product growth.

    Photo of Mark Pearson

    Mark Pearson

    Principal IT Architect, First Data Corporation

    Mark Pearson is an executive business leader grounded in the process, data, technology, and operations of software-driven business. He knows the enterprise software landscape and is skilled in product, technology, and operations design and delivery within information technology organizations, outsourcing firms, and software product companies.

    Photo of Brenda Peshak

    Brenda Peshak

    Product Owner,

    Widget Industries, LLC

    Brenda Peshak is skilled in business process, analytical skills, Microsoft Office Suite, communication, and customer relationship management (CRM). She is a strong product management professional with a Master’s focused in Business Leadership (MBL) from William Penn University.

    Photo of Mike Starkey

    Mike Starkey

    Director of Engineering

    W.W. Grainger

    Mike Starkey is a Director of Engineering at W.W. Grainger, currently focusing on operating model development, digital architecture, and building enterprise software. Prior to joining W.W. Grainger, Mike held a variety of technology consulting roles throughout the system delivery lifecycle spanning multiple industries such as healthcare, retail, manufacturing, and utilities with Fortune 500 companies.

    Photo of Anant Tailor

    Anant Tailor

    Cofounder & Head of Product

    Dream Payments Corp.

    Anant Tailor is a cofounder at Dream Payments where he currently serves as the COO and Head of Product, having responsibility for Product Strategy & Development, Client Delivery, Compliance, and Operations. He has 20+ years of experience building and operating organizations that deliver software products and solutions for consumers and businesses of varying sizes. Prior to founding Dream Payments, Anant was the COO and Director of Client Services at DonRiver Inc, a technology strategy and software consultancy that he helped to build and scale into a global company with 100+ employees operating in seven countries. Anant is a Professional Engineer with a Bachelor’s degree in Electrical Engineering from McMaster University and a certificate in Product Strategy & Management from the Kellogg School of Management at Northwestern University.

    Photo of Angela Weller

    Angela Weller

    Scrum Master, Businessolver

    Angela Weller is an experienced Agile business analyst who collaborates with key stakeholders to attain their goals and contributes to the achievement of the company’s strategic objectives to ensure a competitive advantage. She excels when mediating or facilitating teams.

    Related Info-Tech Research

    Product Delivery

    Deliver on Your Digital Product Vision

    • Build a product vision your organization can take from strategy through execution.

    Build a Better Product Owner

    • Strengthen the product owner role in your organization by focusing on core capabilities and proper alignment.

    Build Your Agile Acceleration Roadmap

    • Quickly assess the state of your Agile readiness and plan your path forward to higher value realization.

    Implement Agile Practices That Work

    • Improve collaboration and transparency with the business to minimize project failure.

    Implement DevOps Practices That Work

    • Streamline business value delivery through the strategic adoption of DevOps practices.

    Extend Agile Practices Beyond IT

    • Further the benefits of Agile by extending a scaled Agile framework to the business.

    Build Your BizDevOps Playbook

    • Embrace a team sport culture built around continuous business-IT collaboration to deliver great products.

    Embed Security Into the DevOps Pipeline

    • Shift security left to get into DevSecOps.

    Spread Best Practices With an Agile Center of Excellence

    • Facilitate ongoing alignment between Agile teams and the business with a set of targeted service offerings.

    Enable Organization-Wide Collaboration by Scaling Agile

    • Execute a disciplined approach to rolling out Agile methods in the organization.

    Application Portfolio Management

    APM Research Center

    • See an overview of the APM journey and how we can support the pieces in this journey.

    Application Portfolio Management for Small Enterprises

    • There is no one-size-fits-all rationalization. Tailor your framework to meet your goals.

    Streamline Application Maintenance

    • Effective maintenance ensures the long-term value of your applications.

    Build an Application Rationalization Framework

    • Manage your application portfolio to minimize risk and maximize value.

    Modernize Your Applications

    • Justify modernizing your application portfolio from both business and technical perspectives.

    Review Your Application Strategy

    • Ensure your applications enable your business strategy.

    Discover Your Applications

    • Most application strategies fail. Arm yourself with the necessary information and team structure for a successful application portfolio strategy.

    Streamline Application Management

    • Move beyond maintenance to ensuring exceptional value from your apps.

    Optimize Applications Release Management

    • Facilitate ongoing alignment between Agile teams and the business with a set of targeted service offerings.

    Embrace Business-Managed Applications

    • Empower the business to implement their own applications with a trusted business-IT relationship.

    Value, Delivery Metrics, Estimation

    Build a Value Measurement Framework

    • Focus product delivery on business value–driven outcomes.

    Select and Use SDLC Metrics Effectively

    • Be careful what you ask for, because you will probably get it.

    Application Portfolio Assessment: End User Feedback

    • Develop data-driven insights to help you decide which applications to retire, upgrade, re-train on, or maintain to meet the demands of the business.

    Create a Holistic IT Dashboard

    • Mature your IT department by measuring what matters.

    Refine Your Estimation Practices With Top-Down Allocations

    • Don’t let bad estimates ruin good work.

    Estimate Software Delivery With Confidence

    • Commit to achievable software releases by grounding realistic expectations.

    Reduce Time to Consensus With an Accelerated Business Case

    • Expand on the financial model to give your initiative momentum.

    Optimize Project Intake, Approval, and Prioritization

    • Deliver more projects by giving yourself the voice to say “no” or “not yet” to new projects.

    Enhance PPM Dashboards and Reports

    • Facilitate ongoing alignment between Agile teams and the business with a set of targeted service offerings.

    Org Design and Performance

    Redesign Your IT Organizational Structure

    • Focus product delivery on business value–driven outcomes.

    Build a Strategic Workforce Plan

    • Have the right people, in the right place, at the right time.

    Implement a New Organizational Structure

    • Reorganizations are inherently disruptive. Implement your new structure with minimal pain for staff while maintaining IT performance throughout the change.

    Improve Employee Engagement to Drive IT Performance

    • Don’t just measure engagement, act on it.

    Set Meaningful Employee Performance Measures

    • Set holistic measures to inspire employee performance.

    Master Organizational Change Management Practices

    • PMOs, if you don't know who is responsible for org change, it's you.

    Bibliography (Product Management)

    “12th Annual State of Agile Report.” VersionOne, 9 April 2018. Web.

    A, Karen. “20 Mental Models for Product Managers.” Product Management Insider, Medium, 2 Aug. 2018. Web.

    Adams, Paul. “Product Teams: How to Build & Structure Product Teams for Growth.” Inside Intercom, 30 Oct. 2019. Web.

    Agile Alliance. “Product Owner.” Agile Alliance. n.d. Web.

    Ambysoft. “2018 IT Project Success Rates Survey Results.” Ambysoft. 2018. Web.

    Banfield, Richard, et al. “On-Demand Webinar: Strategies for Scaling Your (Growing) Enterprise Product Team.” Pluralsight, 31 Jan. 2018. Web.

    Berez, Steve, et al. “How to Plan and budget for Agile at Scale.” Bain & Company, 08 Oct 2019. Web

    Blueprint. “10 Ways Requirements Can Sabotage Your Projects Right From the Start.” Blueprint. 2012. Web.

    Breddels, Dajo, and Paul Kuijten. “Product Owner Value Game.” Agile2015 Conference, Agile Alliance 2015. Web.

    Cagan, Martin. “Behind Every Great Product.” Silicon Valley Product Group. 2005. Web.

    Cohn, Mike. “What Is a Product?” Mountain Goat Software. 6 Sept. 2016. Web.

    Connellan, Thomas K. Inside the Magic Kingdom, Bard Press, 1997.

    Curphey, Mark. “Product Definition.” SlideShare, 25 Feb. 2007. Web.

    “Delegation Poker Product Image.” Management 3.0, n.d. Web.

    Distel, Dominic, et al. “Finding the sweet spot in product-portfolio management.’ McKinsey, 4 Dec. 2020. Web

    Eringa, Ron. “Evolution of the Product Owner.” RonEringa.com, 12 June 2016. Web.

    Fernandes, Thaisa. “Spotify Squad Framework - Part I.” PM101, Medium, 6 Mar. 2017. Web.

    Galen, Robert. “Measuring Product Ownership – What Does ‘Good’ Look Like?” RGalen Consulting, 5 Aug. 2015. Web.

    Halisky, Merland, and Luke Lackrone. “The Product Owner’s Universe.” Agile2016 Conference, Agile Alliance, 2016. Web.

    Kamer, Jurriaan. “How to Build Your Own ‘Spotify Model’.” The Ready, Medium, 9 Feb. 2018. Web.

    Kendis Team. “Exploring Key Elements of Spotify’s Agile Scaling Model.” Scaled Agile Framework, Medium, 23 Jul. 2018. Web.

    Lindstrom, Lowell. “7 Skills You Need to Be a Great Product Owner.” Scrum Alliance, n.d. Web.

    Lukassen, Chris. “The Five Belts Of The Product Owner.” Xebia.com, 20 Sept. 2016. Web.

    McCloskey, Heather. “Scaling Product Management: Secrets to Defeating Common Challenges.” ProductPlan, 12 July 2019. Web.

    McCloskey, Heather. “When and How to Scale Your Product Team.” UserVoice, 21 Feb. 2017. Web.

    Mironov, Rich. “Scaling Up Product Manager/Owner Teams.” Rich Mironov's Product Bytes, Mironov Consulting, 12 Apr. 2014 . Web.

    Overeem, Barry. “A Product Owner Self-Assessment.” Barry Overeem, 6 Mar. 2017. Web.

    Overeem, Barry. “Retrospective: Using the Team Radar.” Barry Overeem, 27 Feb. 2017. Web.

    Pichler, Roman. “How to Scale the Scrum Product Owner.” Roman Pichler, 28 June 2016 . Web.

    Pichler, Roman. “Product Management Framework.” Pichler Consulting Limited, 2014. Web.

    Pichler, Roman. “Sprint Planning Tips for Product Owners.” LinkedIn, 4 Sept. 2018. Web.

    Pichler, Roman. “What Is Product Management?” Pichler Consulting Limited, 26 Nov. 2014. Web.

    Radigan, Dan. “Putting the ‘Flow' Back in Workflow With WIP Limits.” Atlassian, n.d. Web.

    Rouse, Margaret. “Definition: product.” TechTarget, Sept. 2005. Web.

    Schuurman, Robbin. “10 Tips for Product Owners on (Business) Value.” Scrum.org, 30 Nov. 2017. Web.

    Schuurman, Robbin. “10 Tips for Product Owners on Agile Product Management.” Scrum.org, 28 Nov. 2017. Web.

    Schuurman, Robbin. “10 Tips for Product Owners on Product Backlog Management.” Scrum.org, 5 Dec. 2017. Web.

    Schuurman, Robbin. “10 Tips for Product Owners on the Product Vision.” Scrum.org, 29 Nov. 2017. Web.

    Schuurman, Robbin. “Tips for Starting Product Owners.” Scrum.org, 27 Nov. 2017. Web.

    Sharma, Rohit. “Scaling Product Teams the Structured Way.” Monetary Musings, 28 Nov. 2016. Web.

    Shirazi, Reza. “Betsy Stockdale of Seilevel: Product Managers Are Not Afraid To Be Wrong.” Austin Voice of Product, 2 Oct. 2018. Web.

    Steiner, Anne. “Start to Scale Your Product Management: Multiple Teams Working on Single Product.” Cprime, 6 Aug. 2019. Web.

    “The Qualities of Leadership: Leading Change.” Cornelius & Associates, 2016. Web.

    “The Standish Group 2015 Chaos Report.” The Standish Group. 2015. Web.

    Theus, Andre. “When Should You Scale the Product Management Team?” ProductPlan, 7 May 2019. Web.

    Tolonen, Arto. “Scaling Product Management in a Single Product Company.” Smartly.io, 26 Apr. 2018. Web.

    Ulrich, Catherine. “The 6 Types of Product Managers. Which One Do You Need?” Medium, 19 Dec. 2017. Web.

    Verwijs, Christiaan. “Retrospective: Do The Team Radar.” The Liberators, Medium, 10 Feb. 2017. Web.

    Vlaanderen, Kevin. “Towards Agile Product and Portfolio Management”. Academia.edu. 2010. Web.

    Bibliography (Roadmap)

    Bastow, Janna. “Creating Agile Product roadmaps Everyone Understands.” ProdPad, 22 Mar. 2017. Accessed Sept. 2018.

    Bastow, Janna. “The Product Tree Game: Our Favorite Way To Prioritize Features.” ProdPad, 21 Feb. 2016. Accessed Sept. 2018.

    Chernak, Yuri. “Requirements Reuse: The State of the Practice.” 2012 IEEE International Conference, 12 June 2012, Herzliya, Israel. Web.

    Fowler, Martin. “Application Boundary.” MartinFowler.com, 11 Sept. 2003. Accessed 20 Nov. 2017.

    Harrin, Elizabeth. “Learn What a Project Milestone Is.” The Balance Careers, 10 May 2018. Accessed Sept. 2018.

    “How to create a product roadmap.” Roadmunk, n.d. Accessed Sept. 2018.

    Johnson, Steve. “How to Master the 3 Horizons of Product Strategy.” Aha!, 24 Sept. 2015. Accessed Sept. 2018.

    Johnson, Steve. “The Product Roadmap vs. the Technology Roadmap.” Aha!, 23 June 2016. Accessed Sept. 2018

    Juncal, Shaun. “How Should You Set Your Product Roadmap Timeframes?” ProductPlan, Web. Sept. 2018.

    Leffingwell, Dean. “SAFe 4.0.” Scaled Agile, 2017. Web.

    Maurya, Ash. “What is a Minimum Viable Product (MVP).” Leanstack, 12 June 2017. Accessed Sept. 2018.

    Pichler, Roman. “10 Tips for Creating an Agile Product Roadmap.” Roman Pichler, 20 July 2016. Accessed Sept. 2018.

    Pichler, Roman. Strategize: Product Strategy and Product Roadmap Practices for the Digital Age. Pichler Consulting, 2016.

    “Product Roadmap Contents: What Should You Include?” ProductPlan, n.d. Accessed 20 Nov. 2017.

    Saez, Andrea. “Why Your Roadmap Is Not a Release Plan.” ProdPad, 23 October 2015. Accessed Sept. 2018.

    Schuurman, Robbin. “Tips for Agile product roadmaps & product roadmap examples.” Scrum.org, 7 Dec. 2017. Accessed Sept. 2018.

    Bibliography (Vision and Canvas)

    Adams, Paul. “The Future Product Canvas.” Inside Intercom, 10 Jan. 2014. Web.

    “Aligning IT Funding Models to the Pace of Technology Change.” EDUCAUSE, 14 Dec. 2015. Web.

    Altman, Igor. “Metrics: Gone Bad.” OpenView, 10 Nov. 2009. Web.

    Barry, Richard. “The Product Vision Canvas – a Strategic Tool in Developing a Successful Business.” Polymorph, 2019. Web.

    “Business Canvas – Business Models & Value Propositions.” Strategyzer, 2019. Web.

    “Business Model Canvas.” Wikipedia: The Free Encyclopedia, 4 Aug. 2019. Web.

    Charak, Dinker. “Idea to Product: The Working Model.” ThoughtWorks, 13 July 2017. Web.

    Charak, Dinker. “Product Management Canvas - Product in a Snapshot.” Dinker Charak, 29 May 2017. Web.

    Chudley, James. “Practical Steps in Determining Your Product Vision (Product Tank Bristol, Oct. 2018).” LinkedIn SlideShare. Uploaded by cxpartners, 2 Nov. 2018. Web.

    Cowan, Alex. “The 20 Minute Business Plan: Business Model Canvas Made Easy.” COWAN+, 2019. Web.

    Craig, Desiree. “So You've Decided To Become A Product Manager.” Start it up, Medium, 2 June 2019. Web.

    Create an Aha! Business Model Canvas Strategic Model.” Aha! Support, 2019. Web.

    Eick, Stephen. “Does Code Decay? Assessing the Evidence from Change Management Data.” IEEE Transactions on Software Engineering, vol. 27, no. 1, Jan. 2001, pp. 1-12. Web.

    Eriksson, Martin. “The next Product Canvas.” Mind the Product, 22 Nov. 2013. Web.

    “Experience Canvas: a Lean Approach: Atlassian Team Playbook.” Atlassian, 2019. Web.

    Freeman, James. “How to Make a Product Canvas – Visualize Your Product Plan.” Edraw, 23 Dec. 2019. Web.

    Fuchs, Danny. “Measure What Matters: 5 Best Practices from Performance Management Leaders.” OpenGov, 8 Aug. 2018. Web.

    Gorisse, Willem. “A Practical Guide to the Product Canvas.” Mendix, 28 Mar. 2017. Web.

    Gothelf, Jeff. “The Lean UX Canvas.” Jeff Gothelf, 15 Dec. 2016. Web.

    Gottesdiener, Ellen. “Using the Product Canvas to Define Your Product: Getting Started.” EBG Consulting, 15 Jan. 2019. Web.

    Gottesdiener, Ellen. “Using the Product Canvas to Define Your Product's Core Requirements.” EBG Consulting, 4 Feb. 2019. Web.

    Gray, Mark Krishan. “Should I Use the Business Model Canvas or the Lean Canvas?” Emergn, 2019. Web.

    Hanby, Jeff. "Software Maintenance: Understanding and Estimating Costs." LookFar, 21 Oct. 2016. Web.

    “How do you define a product?” Scrum.org, 4 Apr 2017, Web

    Juncal, Shaun. “How to Build a Product Roadmap Based on a Business Model Canvas.” ProductPlan, 19 June 2019. Web.

    “Lean Canvas Intro - Uber Example.” YouTube, uploaded by Railsware Product Academy, 12 Oct. 2018. Web.

    “Lesson 6: Product Canvas.” ProdPad Help Center, 2019. Web.

    Lucero, Mario. “The Product Canvas.” Agilelucero.com, 22 June 2015. Web.

    Maurya, Ash. “Create a New Lean Canvas.” Canvanizer, 2019. Web.

    Maurya, Ash. “Don't Write a Business Plan. Create a Lean Canvas Instead.” LEANSTACK, 2019. Web.

    Maurya, Ash. “Why Lean Canvas vs Business Model Canvas?” Medium, 27 Feb. 2012. Web.

    Mirabelli, Vincent. “The Project Value Canvas.” Vincent Mirabelli, 2019. Web.

    Mishra, LN. “Business Analysis Canvas – The Ultimate Enterprise Architecture.” BA Times, 19 June 2019. Web.

    Muller. Jerry Z. “Why performance metrics isn’t always the best way to judge performance.” Fast Company, 3 April 2019. Web.

    Perri, Melissa. “What Is Good Product Strategy?” Melissa Perri, 14 July 2016. Web.

    Pichler, Roman. “A Product Canvas for Agile Product Management, Lean UX, Lean Startup.” Roman Pichler, 16 July 2012. Web.

    Pichler, Roman. “Introducing the Product Canvas.” JAXenter, 15 Jan. 2013. Web.

    Pichler, Roman. “Roman's Product Canvas: Introduction.” YouTube, uploaded by Roman Pichler, 3 Mar. 2017. Web.

    Pichler, Roman. “The Agile Vision Board: Vision and Product Strategy.” Roman Pichler, 10 May 2011. Web.

    Pichler, Roman. “The Product Canvas – Template.” Roman Pichler, 11 Oct. 2016. Web.

    Pichler, Roman. “The Product Canvas Tutorial V1.0.” LinkedIn SlideShare. Uploaded by Roman Pichler, 14 Feb. 2013. Web.

    Pichler, Roman. “The Product Vision Board: Introduction.” YouTube uploaded by Roman Pichler, 3 Mar. 2017. Web.

    “Product Canvas PowerPoint Template.” SlideModel, 2019. Web.

    Product Canvas.” SketchBubble, 2019, Web.

    “Product Canvas.” YouTube, uploaded by Wojciech Szramowski, 18 May 2016. Web.

    “Product Roadmap Software to Help You Plan, Visualize, and Share Your Product Roadmap.” Productboard, 2019. Web.

    Roggero, Giulio. “Product Canvas Step-by-Step.” LinkedIn SlideShare, uploaded by Giulio Roggero, 18 May 2013. Web.

    Royce, Dr. Winston W. “Managing the Development of Large Software Systems.” Scf.usc.edu, 1970. Web.

    Ryan, Dustin. “The Product Canvas.” Qdivision, Medium, 20 June 2017. Web.

    Snow, Darryl. “Product Vision Board.” Medium, 6 May 2017. Web.

    Stanislav, Shymansky. “Lean Canvas – a Tool Your Startup Needs Instead of a Business Plan.” Railsware, 12 Oct. 2018. Web.

    Stanislav, Shymansky. “Lean Canvas Examples of Multi-Billion Startups.” Railsware, 20 Feb. 2019. Web.

    “The Product Vision Canvas.” YouTube, Uploaded by Tom Miskin, 20 May 2019. Web.

    Tranter, Leon. “Agile Metrics: the Ultimate Guide.” Extreme Uncertainty, n.d. Web.

    “Using Business Model Canvas to Launch a Technology Startup or Improve Established Operating Model.” AltexSoft, 27 July 2018. Web.

    Veyrat, Pierre. “Lean Business Model Canvas: Examples + 3 Pillars + MVP + Agile.” HEFLO BPM, 10 Mar. 2017. Web.

    “What Are Software Metrics and How Can You Track Them?” Stackify, 16 Sept. 2017. Web

    “What Is a Product Vision?” Aha!, 2019. Web.

    Get the Best Discount Possible With a Data-Driven Negotiation Approach

    • Buy Link or Shortcode: {j2store}610|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Selection & Implementation
    • Parent Category Link: /selection-and-implementation
    • Vendors have well-honed negotiation strategies that don’t prioritize the customer’s best interest, and they will take advantage of your weaknesses to extract as much money as they can from the deal.
    • IT teams are often working with time pressure and limited resources or experience in negotiation. Even those with an experienced procurement team aren’t evenly matched with the vendor when it comes to the ins and outs of the product.
    • As a result, many have a poor negotiation experience and fail to get the discount they wanted, ultimately leading to dissatisfaction with the vendor.

    Our Advice

    Critical Insight

    • Requirements should always come first, but IT leaders are under pressure to get discounts and cost ends up playing a big role in decision making.
    • Cost is one of the top factors influencing satisfaction with software and the decision to leave a vendor.
    • The majority of software customers are receiving a discount. If you’re in the minority who are not, there are strategies you can and should be using to improve your negotiating skills. Discounts of up to 40% off list price are available to those who enter negotiations prepared.

    Impact and Result

    • SoftwareReviews data shows that there are multiple benefits to taking a concerted approach to negotiating a discount on your software.
    • The most common ways of getting a discount (e.g. volume purchasing) aren’t necessarily the best methods. Choose a strategy that is appropriate for your organization and vendor relationship and that focuses on maximizing the value of your investment for the long term. Optimizing usage or licenses as a discount strategy leads to the highest software satisfaction.
    • Using a vendor negotiation service or advisory group was one of the most successful strategies for receiving a discount. If your team doesn’t have the right negotiation expertise, Info-Tech can help.

    Get the Best Discount Possible With a Data-Driven Negotiation Approach Research & Tools

    Prepare to negotiate

    Leverage insights from SoftwareReviews data to best position yourself to receive a discount through your software negotiations.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Get the Best Discount Possible with a Data-Driven Negotiation Approach Storyboard
    [infographic]

    Drive Ongoing Adoption With an M365 Center of Excellence

    • Buy Link or Shortcode: {j2store}66|cart{/j2store}
    • member rating overall impact: 9.0/10 Overall Impact
    • member rating average dollars saved: 20 Average Days Saved
    • member rating average days saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • Parent Category Name: End-User Computing Applications
    • Parent Category Link: /end-user-computing-applications

    There are roadblocks common to all CoEs: lack of in-house expertise, lack of resources (time, budget, etc.), and employee perception that this is just another burdensome administrative layer. These are exacerbated when building an M365 CoE.

    • Constant vendor-initiated change in M365 means expertise always needs updating.
    • The self-service architecture of M365 is at odds with centralized limits and controls.
    • M365 has a multitude of services that can be adopted across a huge swath of the organization compared to the specific capabilities and limited audience of traditional CoEs.

    Our Advice

    Critical Insight

    The M365 CoE should be somewhat decentralized to avoid an “us versus them” mentality. Having clear KPIs at the center of the program makes it easier to demonstrate improvements and competencies. COMMUNICATE these early successes! They are vital in gaining widespread credibility and momentum.

    Impact and Result

    Having a clear vision of what you want business outcomes you want your Microsoft 365 CoE to accomplish is key. This vision helps select the core competencies and deliverables of the CoE.

    • Ongoing measurement and reporting of business value generated from M365 adoption.
    • Servant leadership allows the CoE to work closely and deeply with end users, which builds them up to share knowledge with others
    • Focus and clear lines of accountability ensure that everyone involved feels part of the compromise when decisions are to be made.

    Drive Ongoing Adoption With an M365 Center of Excellence Research & Tools

    Build out your M365 CoE competencies, membership, and roles; create success metrics and build your M365 adoption, then communicate

    In this deck we explain why your M365 CoE needs to be distributed and how it should be organized. Using a roadmap will assist you in building competency and maturity through training, certifications, and building governance.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Drive Ongoing Adoption With an M365 Center of Excellence Storyboard
    [infographic]

    Further reading

    Drive Ongoing Adoption With an M365 Center of Excellence

    Accelerate business processes change and get more value from your subscription by building and sharing thanks to an effective Centre of Excellence.

    CLIENT ADVISORY DECK

    Drive Ongoing Adoption With an M365 Centre of Excellence

    Accelerate business processes change and get more value from your subscription by building and sharing thanks to an effective Centre of Excellence

    Research Team:
    John Donovan
    John Annand
    Principal Research Directors I&O Practice

    41 builds released in 2021!
    IT can no longer be expected to provide training to all users on all features

    • Traditional classroom training (online and self-paced) is time consuming and overly generic
    • Users tend to hold onto old familiar tools even as new ones roll out
    • Citizen Programming comes with a lot of promise but also the spectre of reliving the era of Access ‘97 databases
    • Seemingly small decisions around configuration have outsized impacts
    • Every enterprises’ journey through adoption is unique

    ▲20% $ spent in 2021

    148% more meetings
    66% more users collaborating on documents
    40.6B more emails

    2021 vs. 2022 Source: Microsoft The Work Trend Index

    • Who needs to be in a CoE? What daily tasks do they undertake?
    • How do you turn artifacts like best practice documents into actual behavioral change?
    • How does CoE differ from governance? And why is it going to be any more successful?
    • How does the CoE evolve over time as enterprises become more mature?

    CoE Competencies, Membership and Roles
    Communication, Standards Templates
    Adoption, and Business Success Metrics

    this image depicts the key CoE Competencies: Goals; Controls; Tools; Training; and Support

    Using these deliverables, Info-Tech will help you drive consistency in your enterprise collaboration, increase end-user satisfaction in the tools they are provided, optimize your license spending, fill the gaps between implementation of a technology and realization of business value, and empower end-users to innovate in ways that senior leadership had not imagined.

    Executive Summary

    Insight

    User adoption is the primary focus of the efforts in the CoE

    User adoption and setting up guardrails in governance are the focuses of the CoE in its early stages. Purging obsolete data from legacy share servers, and exchange, and rationalize legacy applications that are comparable to Microsoft offerings. The primary goal is M365 excellence, but that needs to be primed with a Roadmap, and laying down clear milestones to show progress, along with setting up quick wins to get buy in from the organization.

    Breakdown your CoE into distinct areas for improvement

    Due to the size and complexity of Microsoft 365, breaking it into clearly defined divisions makes sense. The parts that need to be fragmented into are, Collaboration, Power Apps, Office tools, Learning, Professional Training and Certifications, Governance and Support. Subject Matter experts needs to keep pace with the ever-changing M365 environment with enhancements continuously being rolled out. (There were 41 build releases in 2021 alone! )

    Set up your M365 CoE in a decentralized design

    Define how your CoE will be set up. It will either be centralized, distributed, or a combination of both. They all have their strengths and weaknesses; however a distributed CoE can ensure there is buy-in from the various departments across the CoE, as they participate in the decision making and therefore the direction the CoE goes. Additionally, it ensures that each segment of the CoE is accountable for the success of the M365 adoption, its usage, and delivering value to the organization.

    Summary

    Your Challenge

    You have purchased Microsoft 365 for your business, and you have determined that you are not realizing the full value and potential of the product, neither adoption nor usage – for example, you have legacy applications that the user base is reluctant to move away from, whether it be Skype, Jabber, or other collaboration tools available to them. You have released Teams to the organization but may have not shown how useful it is and you have not communicated to the business that it is your new collaboration tool, along with SharePoint Online and OneDrive. How do you fix this problem?

    Common Obstacles

    There are roadblocks common to all CoEs: lack of in-house expertise, lack of resources (time, budget, etc.) and employee perception of just another burdensome administrative layer. These are exacerbated when building an M365 CoE.

    • Constant vendor-initiated change in M365 means expertise always needs updating
    • The self-service architecture of M365 is at odds with centralized limits and controls
    • M365 is a multitude of services, adopted across a huge swath of the organization compared to the specific capabilities and limited audience of traditional CoEs

    Info-Tech’s Approach

    Having a clear vision of what business outcomes you want your Microsoft 365 CoE to accomplish is key. This vision helps select the core competencies and deliverables of the CoE.

    1. Ongoing measurement and reporting of business value generated from M365 adoption
    2. Servant leadership allows the CoE to work closely and deeply with end-users, which builds them up to share knowledge with others
    3. Focus and clear lines of accountability ensure that everyone involved feels part of the compromise when decisions are to be made

    Info-Tech Insight

    The M365 CoE should be somewhat decentralized to avoid an “us versus them” mentality. Having clear KPIs at the center of the program makes it easier to demonstrate improvements and competencies. COMMUNICATE these early successes! They are vital in gaining widespread credibility and momentum.

    Charter Mandate Authority to Operate

    Mission : To accelerate the value that M365 brings to the organization by using the M365 CoE to increase adoption, build competency through training and best practices, and deliver on end user innovation throughout the business.

    Vision Statement: To transform the organization’s efficiencies and performance through an optimized world-class M365 CoE by meeting all KPIs set out in the Charter.

    Info-Tech Insights

    A mission and vision for your M365 CoE are a necessary step to kick the program off. Not aving clear goals and a roadmap to get there will hinder your progress. It may even stall the whole objective if you cannot agree or measure what you are trying to accomplish

    • The scope of the M365 CoE is to build the adoption rate that can meet milestone goals to advance user competency, as well as the maturation of the SMEs in each segment of the CoE leadership and contributors.
    • Maturity will be measured through 100% adoption, specifically around collaboration tools and Office apps across the organization that use M365. Strategic value will be measured by core competencies within the CoE.
    • SMEs are developed and educated with certifications and other training throughout the course of the CoE development to bring “bench strength” to the vision of optimizing a world-class M365 CoE.
    • SMEs will all be certified Microsoft professionals. They will set the standard to be met within the CoE. The SMEs can either be internal candidates or external hires, depending on the current IT department competency.
    • Additional resources required will be tech savvy department leads that understand and can help in the training of staff, who also are willing to spend a certain amount of their work time in coaching colleagues.
    • They will be assisted by the training through the SMEs providing relevant material and various M365 courses both in class and self-paced online learning using M365 VIVA tools.

    Charter Metrics

    Areas in Scope:

    • Ensure Mission is aligned to the business objectives.
    • Form core team for M365 CoE, including steering committee.
    • Create document for signoff from business sponsors.
    • Build training plans for users, engineers, and admins.
    • Document best practices and build standard templates for organizational uniformity.
    • Build governance charter and priorities, setting up guardrails early to ensure compliance and security.
    • Transition away and retire all legacy on-Prem apps to M365 Cloud apps.
    • Build a RACI model for roles and responsibility.

    Info-Tech Insights

    If meaningful metrics are set up correctly, the CoE can produce results early in the one- or two-year process, demonstrating business value and increasing production amongst staff and demonstrating SME development.

    this image contains example metrics, spread across three phases.

    CoE

    What are the reason to build an M365 CoE, and what is it expected to deliver?

    What It IS NOT

    It does not design or build applications, migrate applications, or create migration plans. It does not deploy applications nor does it operate and monitor applications. While a steering committee is a key part of the M365 CoE, its real function is to set the standards to be achieved though metrics that can measure a successful, efficient, and best-in-class M365 operation. It does not set business goals but does align M365 goals to the business drivers. SMEs in the CoE give guidance on M365 best practices and assist in its adoption and users’ competency.

    What It IS

    M365 CoE means investing in and developing usage growth and adoption while maintaining governance and control. A CoE is designed to drive innovation and improvement, and as a business-wide functional unit, it can break down geographical and organizational silos that utilize their own tools and collaboration platforms. It builds a training and artifacts database of relevant and up-to-date materials.

    Why Build It

    Benefits that can be realized are:

    • Building efficiencies, delivering quality training and knowledge transfer, and reducing risk from an organized and effective governance.
    • Consistency in document and information management.
    • Reusable templates and blueprints that standardize the business processes.
    • Standardized and communicated business policies around security and best practices.
    • Overcoming the challenges that comes with the titan of a platform that is M365.

    Expected Goals and Benefits With Risk

    Demonstrated impact for sustainability
    Ensuring value is delivered
    Ability to escalate to executive branch

    The What?

    What does the M365 CoE solve?

    • M365 Adoption
    • M365 tools templates
    • SME in tools deployment and delivery
    • Training and education – create artifacts and organize training sessions and certifications
    • Empower users into super users
    • Build analytics around usage, adoption, and ROI from license optimization

    And the How?

    How does the M365 CoE do it?

    • By defining clear adoption goals and best practices
    • By building a dedicated team with the confidence to improve the user experience
    • By creating a collection of reusable artifacts.
    • By establishing a stable, tested environment ensures users are not hindered in execution of the tools
    • By continuously improving M365 processes

    What are the Risks?

    • All goals must be achievable
    • Timeline phases are based on core SME competency of the IT department and the training quality of end users
    • Current state of SMEs in house or hired to execute the mandate of the M365 CoE
    • Business success – if business is struggling to make profits and grow, its usually the CoE that will get chopped – mainly due to layoffs
    • Inability to find SMEs or train SMEs
    • Turnover in CoE due to job function changes or attrition
    • Overload of day-to-day responsibilities preventing SMEs from executing work for the CoE – Need to align SMEs and CoE steering chair to establish and enable shared responsibilities.

    Who needs to be in a CoE for M365

    Design the CoE – What model to be used?

    What are their daily tasks? Is the CoE centralized, decentralized, or a combination?

    a flow chart is depicted, starting with the executive steering committee, describing governance 365, and VP applications.

    Info-Tech Insights

    Due to the size and complexity of Microsoft 365, a decentralized model works best. Each segment of the group could in themselves be a CoE, as in governance, training, or collaboration CoE. Maintaining SME in each group will drive the success of the M365 CoE.

    Key Competencies for CoE

    • Build a team of experts in M365 with sub teams in Products.
    • Manage the business processes around M365.
    • Train and optimize technical teams.
    • Share best practices and create a knowledge base.
    • Build processes that are repeatable and self-provisioned.
    This image depicts the core Coe Competencies, Strategy; Technology; Governance; and Skills/Capabilities.

    CoE for M365

    What is the Structure? Is it centralized, decentralized, or combination? What are the pros and cons?

    Thought Model

    This image depicts a thought model describing CoE for M365.

    How does the CoE differ from governance?

    Why is it going to be any more successful?

    “These problems already exist and haven't been successfully addressed by governance – how is the CoE going to be any different?”

    • Leadership
    • Empower end users
    • Automation of processes
    • Retention policies
    • Governance priorities
    • Risk management
    • Standard procedures
    • Set metrics
    • Self service
    • Training
    • SMEs
    • Automation
    • Innovation

    CoE

    While M365 governance is an integral part of the M365 CoE, the CoE is a more strategic program aimed at providing guidance, experienced leadership, and training.

    The CoE is designed to drive innovation and improvements throughout the organization’s M365 deployment. It will build best practices, create artifacts, and mentor members to become SMEs.

    Governance

    CoE is a form of collaborative governance. Those responsible for making the rules are the same ones who are working through how the rules are implemented in practice.

    The word most associated with CoE is "nurture." The word most associated with governance is "prevent."

    The CoE is experimental and innovative and constantly revising its guidance compared to governance, which is opaque and static.

    RACI chart for CoE define activities and ownership

    The Work

    Build artifacts

    Templates

    Scripts

    Reference architecture

    Policies definition

    Blueprints

    Version control

    Measure usage and ROI

    Quality assurance

    Baseline creation and integrity

    ActivitiesSupport Steering CTraining TeamM365 Tools Admin M365 Security AdminDoc Mgt
    Monitor M365 ChangeAIRR
    CommunicationsIR
    TrainingAR
    Support – Microsoft + HelpdeskRI
    Monitor UsageR
    Security and ComplianceAR
    Decom On-PremAR
    Eliminate Shadow ITR
    Identity and AccessAR
    Automate Policies in TennantAR
    Audit MonitorAR
    Data and Information ProtectionARR
    Build TemplatesAAR
    Manage ArtifactsARA

    Steering Committee

    This image contains a screenshot of the organization of the CoE Steering Committee

    Roles and Responsibilities

    • Set the goals and metrics for the CoE charter
    • Ensure the CoE is aligned to the business objectives
    • Clear any roadblocks that may hinder progress for the team leads
    • Provide guidance on best practices
    • Set expectations for training and certifications
    • Build SME strength through mentoring
    • Promote and facilitate research into M365 developments and releases
    • Ensure knowledge transfer is documented
    • Create roadmap to ensure phase KPIs are met and drive toward excellence

    Info-Tech Insight

    Executive sponsorship is an element of the CoE that cannot be overlooked. If this occurs, the funding and longevity of the CoE will be limited. Additionally, ensure you determine if the CoE will have an end of life and what that looks like.

    M365 Governance CoE Team

    Governance and Management

    After you’ve developed and implemented your data classification framework, ongoing governance and maintenance will be critical to your success. In addition to tracking how sensitivity labels are used in practice, you’ll need to update your control requirements based on changes in regulations, cybersecurity leading practices, and the nature of the content you manage. Governance and maintenance efforts can include:

    • Establishing a governance body dedicated to data classification or adding a data classification responsibility to the charter of an existing information security body.
    • Defining roles and responsibilities for those overseeing Data Classification
    • Establishing KPIs to monitor and measure progress
    • Tracking cybersecurity leading practices and regulatory changes
    • Developing Standard Operating Procedures that support and enforce a data classification framework

    Governance CoE

    Tools Used in the Governance CoE Identity – MFA, SSO, Identity Manager, Conditional Access, AD , Microsoft Defender, Compliance Assessments Templates

    Security and Compliance - Azure Purview, Microsoft Defender Threat Analytics, Rules-Based Classification (AIP Client & Scanner), Endpoint DLP, Insider Risk Management

    Information Management – Audit Log Retention, Information Protection and Governance, Trainable Classifiers

    Licenses – Entitlement Management, Risk-Based Conditional Access.

     This image depicts the M365 Governance CoE Team organization.

    M365 Tools CoE Team

    • Collaboration tools are at the center of the product portfolio for M365.
    • Need to get users empowered to manage and operate Teams, OneDrive, and SharePoint Online and promote uniform communications and collaborate with document building, sharing, and storing.

    This image depicts a screenshot of the Tools CoE Team organization

    Collaboration SME – Teams admin, Exchange admin, SharePoint, One Drive admin, Viva Learning (Premium), and Viva Insights (Premium)

    Application SME – Covers all updates and new features related to Office programs

    Power BI SME – Covers Power Automate for Office 365, Power Apps for Office 365, and Power BI Pro

    Voice and Video – Tools-Calling Plan, Audio Conference (Full), Teams Phone, Mobility

    PMO – Manages all M365 products online and in production. Also coordinates enhancements, writes up documentation for updates, and releases them to the training CoE for publication.

    Microsoft 365 tools used to support business

    M365 Training CoE Team

    Training and certifications for both end users and technical staff managing the M365 platform. Ensure that you set goals and objectives with your training schedule.

    this image depicts the framework for the training CoE team.

    Training for SMEs can be broken into two categories:

    First line training is internal training for users, in the collaboration space. Teams, One Drive, SharePoint Online, Exchange, and specialty training on Office tools – Word, PowerPoint, Excel, and Microsoft Forms.

    Second line training is professional development for the SMEs including certifications in M365 admin, Global admin, Teams admin, and SharePoint administrator.

    Additional training and certification can be obtained in governance, information management, and in the admin center for licencing optimization and compliance.

    Tools used

    • Viva topics – Integrated knowledge and expert discovery
    • Viva Insight
    • Viva Learning
    • Viva Connections
    • Dynamics 365
    • Voice of the customer surveys

    Support M365 CoE Team

    This image depicts the framework for m365 CoE team support.

    Support CoE:

    In charge of creating a knowledge base for M365. Manages incidents with access, usage, and administering apps to desktop. Manages change issues related to updates in patching.

    Help Desk Admin:

    Resets passwords when self service fails, force sign out, manages service requests.

    Works with learning CoE to populate knowledge base with articles and templates.

    Manages end user issues with changes and enhancements for M365.

    Supporting Metrics

    • Number of calls for M365 support
    • Recurring M365 incidents
    • Number of unresolved Platform issues
    • First call resolution
    • Knowledge sharing of M365
    • Customer satisfaction
    • Turnaround time of tickets created

    Roadmap

    How does the CoE evolve over time as enterprises become more mature?

    • Depending on the complexity and regulatory requirements of the business, baseline governance and rules around external partners sharing internal documents will need to be set up.
    • Identifying your SMEs in the organization is a perquisite at the beginning stages of setting up the M365 working group.
    • Build a roadmap to get to maturity and competency that brings strategic business value.
    • Meet milestone goals through a two-year, three-phase process. Begin with setting up governance guardrails.
    • Set up foundational baselines against which metrics will be measured.
    • Set up the M365 CoE, at first with target easy wins through group training and policy communications throughout the organization.
    this image depicts the CoE Roadmap, from Foundational Baseline, to Standardize Process, to Optimization

    How do you turn artifacts like best practice documents into actual behavior change?

    this image depicts the process of turning M365 ARtifacts into actual behavioural change within a company

    Info-Tech Insights

    Building Blocks
    The building blocks for a change in end user behavior are based on four criteria which must be clearly communicated. Knowledge transfer from SMEs to the training team is key. That in turn leads to effective knowledge transfer, allowing end users to develop skills quickly that can be shared with their teams. Sharing practices leads to best practices and maintaining these in a repository that can be quickly accessed will build on the efficiencies and effectiveness of the employees.

    How Do You Empower End Users to Innovate?

    Info-Tech Insights

    Understand the Vision

    Empowering End users starts with understanding the business vision that is embedded into the M365 CoE charter.

    Ensure that the business innovation goals are aligned to the organizational strategies.

    The innovative strategies need to be clearly communicated to the employees and the tools to achieve this needs to be mapped out and trained. Clearly lay out the goals, outcomes, and expectations.

    End users need to understand how the M365 CoE will assist them in their day-to-day operations, whether in the collaboration space with their colleagues, or with power BI that assists them in their decision making though analytics.

    The Right Resources

    Arm your team with the resources they need to be successful. Building use cases as part of the training program will give the employees insight into how the M365 tools can be used in their daily work environment. It will also address the pervasive use of nonstandard tools as is seen throughout organizations that are operated in a vacuum.

    Empowering your user base though the knowledge transfer borne through the building of artifacts that deal with real life examples that join the dots for employees.

    By painting a picture of how the innovative use of the M365 platform can be achieved, users will feel empowered and use those use cases to build out their own innovative ideas.

    Hybrid Work

    Digital fabric

    Collaboration – Communication – Creation

    Cloud Services – Innovative Apps – Security

    Productivity anywhere any place

    Shared working documents in secure cloud

    Mesh for Microsoft Teams/Viva

    Power apps and dataverse for Teams

    Self Service M365

    My Apps

    My Sign-Ins

    My Groups

    My Staff

    My Access

    My Account

    Password reset

    Sample Best Practices
    Tools and Standards Templates

    Then communicate them

    Collaboration Best Practices

    Sharing documents

    Real time co-authoring

    Comment

    Meet

    Mobile

    Version History

    Security Best Practices

    This is a screenshot of the Security Best Practices

    Default Security Settings

    Microsoft Security Score

    Enable Alert Policies

    Assign RBAC for Admins

    Enable Continuous Access Evaluation

    Admin Roles Best Practices in M365

    This is a screenshot of the admin roles best ractices in M365.

    Business Success Metrics for M365 CoE

    What does success look like?

    • Are you aligning the M365 metrics to business goals?
    • Are your decisions data driven?
    • Are you able to determine opportunities to improve with your metrics – continuous process improvement?
    • Are you seeing productivity gains, and are they being measured?
    This image contains a screenshot of the Business Success Metrics for M365-CoE: SMC Training; Content published and tagged; Usage Metrics; Cost Metrics; Adoption Metrics; New Product Introduction

    Activity Output

    Start building your M365 CoE and considering the steps for the Phase 1 checklist

    BUILD A FOUNDATIONAL BASELINE

    Step 1

    1. Select Resources to create a CoE working group
    2. Define your goals and objectives
    3. Identify SMEs within the business and do a gap analysis
    4. Build the M365 charter, mission, and vision
    5. Build consensus and sponsorship from C suite
    6. Create an organizational M365 framework that provides best coverage for all touch points to the platform, from support to training to controls.
    7. Determine the type of CoE you want to create that fits your business (centralized, distributed, or a combination).

    Step 2

    1. Build training plans for SMEs and M365 teams
    2. Populate company intranet with artifacts, knowledge articles, and user training portal with all things M365
    3. Build out best practice workbooks, tools, and templates that encompass all departments
    4. Create roles and responsibilities matrix
    5. Identify “super users” in departments to assist with promoting learning and knowledge sharing.
    6. Develop Metrics scorecards on success criteria ensuring they align to business goals

    Step 3

    1. Rational M365 licensing
    2. Create communication plan promoting CoE and M365 advantages
    3. Align your governance posture and building guardrails
    4. Identify legacy apps that can be retired and replaced
    5. Train support team and analysts with metrics supporting M365 CoE goals
    6. Create baseline metrics with clear alignment to business KPIs

    Related Blueprints

    Modernize Your Microsoft Licensing for the Cloud Era

    • Take control of your Microsoft licensing and optimize spend

    Govern Office 365

    • Office 365 is as difficult to wrangle as it is valuable. Leverage best practices to produce governance outcomes aligned with your goals

    Migrate to Office 365 Now

    • One small step to cloud, one big leap to Office 365. The key is to look before you leap

    Build a Data Classification MVP for M365

    • Kickstart your governance with data classification users will actually use!

    Bibliography

    “Five Guiding Principles of a successful Center of Excellence” Perficient, n.d. Web.

    “Self Service in Microsoft 365.” Janbakker.tech, n.d. Web.

    “My Apps portal overview.” Microsoft, June 2, 2022. Web.

    “Collaboration Best Practices Microsoft365.” Microsoft, n.d. Web.

    “Security Best Practices Microsoft 365” Microsoft, July 1, 2022. Web.

    Industry-Specific Digital Transformation

    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    Infographic

    In Case Of Emergency...

    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    1. Get people to safety efficiently by following the floor warden's information and get out if needed
      If there are no floor wardens, YOU take the initiative and alert people. Vacate the premises if you suspect danger.
      Err on the side of caution. Nobody ever got fired over keeping people safe.
    2. Get people to safety (yes! double check this)
    3. Check what is happening
    4. Stop the bleeding
    5. Check what you broke while stopping the bleeding
    6. Check if you need to go into DR mode
    7. Go into DR mode if that is the fastest way to restore the service
    8. Only now start to look deeper

    Notice what is missing in this list?

    • WHY did this happen?
    • WHO did what

    During the first reactions to an event, stick to the facts of what is happening and the symptoms. If the symptoms are bad, attend to people first, no matter the financial losses occurring.
    Remember that financial losses are typically insured. Human life is not. Only loss of income and ability to pay is insured! Not the person's life.

    The WHY, HOW, WHO and other root cause questions are asked in the aftermath of the incident and after you have stabilized the situation.
    In ITIL terms, those are Problem Management and Root Cause Analysis stage questions.

     

     

     

    Management, incident, reaction, emergency

    Build an Information Security Strategy

    • Buy Link or Shortcode: {j2store}242|cart{/j2store}
    • member rating overall impact: 9.5/10 Overall Impact
    • member rating average dollars saved: $45,303 Average $ Saved
    • member rating average days saved: 34 Average Days Saved
    • Parent Category Name: Security Strategy & Budgeting
    • Parent Category Link: /security-strategy-and-budgeting
    • Many security leaders struggle to decide how to best to prioritize their scarce information security resources
    • The need to move from a reactive approach to security towards a strategic planning approach is clear. The path to getting there is less so.

    Our Advice

    Critical Insight

    The most successful information security strategies are:

    • Holistic – They consider the full spectrum of information security, including people, processes, and technology.
    • Risk aware – They understand that security decisions should be made based on the security risks facing their organization, not just on “best practice.”
    • Business aligned – They demonstrate an understanding of the goals and strategies of the organization and how the security program can support the business.

    Impact and Result

    • Info-Tech has developed a highly effective approach to building an information security strategy, an approach that has been successfully tested and refined for more than seven years with hundreds of different organizations:
    • This approach includes tools for:
      • Ensuring alignment with business objectives.
      • Assessing organizational risk and stakeholder expectations.
      • Enabling a comprehensive current state assessment.
      • Prioritizing initiatives and building out a security roadmap.

    Build an Information Security Strategy Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Information Security (IS) Strategy Research – A step-by-step document that helps you build a holistic, risk-based, and business-aligned IS strategy.

    Your security strategy should not be based on trying to blindly follow best practices but on a holistic risk-based assessment that is risk aware and aligns with your business context. Use this storyboard to augment your security strategy by ensuring alignment with business objectives, assessing your organization's risk and stakeholder expectations, understanding your current security state, and prioritizing initiatives and a security roadmap.

    • Build an Information Security Strategy – Phases 1-4

    2. Information Security Requirements Gathering Tool – A tool to make informed security risk decisions to support business needs.

    Use this tool to formally identify business goals and customer and compliance obligations and make explicit links to how security initiatives propose to support these business interests. Then define the scope and boundaries for the security strategy and the risk tolerance definitions that will guide future security risk decisions.

    • Information Security Requirements Gathering Tool

    3. Information Security Pressure Analysis Tool – An evaluation tool to invest in the right security functions using a pressure analysis approach.

    Security pressure posture analysis helps your organization assess your real security context and enables you to invest in the right security functions while balancing the cost and value in alignment with business strategies. Security pressure sets the baseline that will help you avoid over-investing or under-investing in your security functions.

    • Information Security Pressure Analysis Tool

    4. Information Security Program Gap Analysis Tool – A structured tool to systematically understand your current security state.

    Effective security planning should not be one size fits all – it must consider business alignment, security benefit, and resource cost. To enable an effective security program, all areas of security need to be evaluated closely to determine where the organization sits currently and where it needs to go in the future.

    • Information Security Program Gap Analysis Tool

    5. Information Security Strategy Communication Deck – A best-of-breed presentation document to build a clear, concise, and compelling strategy document.

    Use this communication deck template to present the results of the security strategy to stakeholders, demonstrate the progression from the current state to the future state, and establish the roadmap of the security initiatives that will be implemented. This information security communication deck will help ensure that you’re communicating effectively for your cause.

    • Information Security Strategy Communication Deck

    6. Information Security Charter – An essential document for defining the scope and purpose of a security project or program.

    A charter is an essential document for defining the scope and purpose of security. Without a charter to control and set clear objectives for this committee, the responsibility of security governance initiatives will likely be undefined within the enterprise, preventing the security governance program from operating efficiently. This template can act as the foundation for a security charter to provide guidance to the governance of information security.

    • Information Security Charter
    [infographic]

    Workshop: Build an Information Security Strategy

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Assess Security Requirements

    The Purpose

    Understand business and IT strategy and plans.

    Key Benefits Achieved

    Defined security obligations, scope, and boundaries.

    Activities

    1.1 Define business and compliance.

    1.2 Establish security program scope.

    1.3 Analyze the organization’s risk and stakeholder pressures.

    1.4 Identify the organizational risk tolerance level.

    Outputs

    Security obligations statement

    Security scope and boundaries statement

    Defined risk tolerance level

    Risk assessment and pressure analysis

    2 Perform a Gap Analysis

    The Purpose

    Define the information security target state.

    Key Benefits Achieved

    Set goals and Initiatives for the security strategy in line with the business objectives.

    Activities

    2.1 Assess current security capabilities.

    2.2 Identify security gaps.

    2.3 Build initiatives to bridge the gaps.

    Outputs

    Information security target state

    Security current state assessment

    Initiatives to address gaps

    3 Complete the Gap Analysis

    The Purpose

    Continue assessing current security capabilities.

    Key Benefits Achieved

    Identification of security gaps and initiatives to bridge them according to the business goals.

    Activities

    3.1 Identify security gaps.

    3.2 Build initiatives to bridge the maturity gaps.

    3.3 Identify initiative list and task list.

    3.4 Define criteria to be used to prioritize initiatives.

    Outputs

    Completed security current state assessment

    Task list to address gaps

    Initiative list to address gaps

    Prioritize criteria

    4 Develop the Roadmap

    The Purpose

    Create a plan for your security strategy going forward.

    Key Benefits Achieved

    Set path forward to achieving the target state for the business through goal cascade and gap initiatives.

    Activities

    4.1 Conduct cost/benefit analysis on initiatives.

    4.2 Prioritize gap initiatives based on cost and alignment with business.

    4.3 Build an effort list.

    4.4 Determine state times and accountability.

    4.5 Finalize security roadmap and action plan.

    4.6 Create communication plan.

    Outputs

    Information security roadmap

    Draft communication deck

    5 Communicate and Implement

    The Purpose

    Finalize deliverables.

    Key Benefits Achieved

    Consolidate documentation into a finalized deliverable that can be used to present to executives and decision makers to achieve buy-in for the project.

    Activities

    5.1 Support communication efforts.

    5.2 Identify resources in support of priority initiatives.

    Outputs

    Security strategy roadmap documentation

    Detailed cost and effort estimates

    Mapping of Info-Tech resources against individual initiatives

    Further reading

    Build an Information Security Strategy

    Create value by aligning your strategy to business goals and business risks.

    Analyst Perspective

    Set your security strategy up for success.

    “Today’s rapid pace of change in business innovation and digital transformation is a call to action to information security leaders.

    Too often, chief information security officers find their programs stuck in reactive mode, a result of years of mounting security technical debt. Shifting from a reactive to proactive stance has never been more important. Unfortunately, doing so remains a daunting task for many.

    While easy to develop, security plans premised on the need to blindly follow ‘best practices’ are unlikely to win over many stakeholders. To be truly successful, an information security strategy needs to be holistic, risk-aware, and business-aligned.”

    Kevin Peuhkurinen

    Research Director – Security, Risk & Compliance

    Info-Tech Research Group

    Executive summary

    Your Challenge

    • Many security leaders struggle to decide how best to prioritize their scarce information security resources.
    • The need to move from a reactive approach to security toward a strategic planning approach is clear. The path to getting there is less clear.

    Common Obstacle

    • Developing a security strategy can be challenging. Complications include:
      • Performing an accurate assessment of your current security program can be extremely difficult when you don’t know what to assess or how.
      • Determining the appropriate target state for security can be even more challenging. A strategy built around following best practices is unlikely to garner significant support from business stakeholders.

    Info-Tech’s Approach

    • Info-Tech has developed a highly effective approach to building an information security strategy, an approach that has been successfully tested and refined for 7+ years with hundreds of organizations.
    • This unique approach includes tools for:
      • Ensuring alignment with business objectives.
      • Assessing organizational risk and stakeholder expectations.
      • Enabling a comprehensive current state assessment.
      • Prioritizing initiatives and building out a security roadmap.

    Info-Tech Insight

    The most successful information security strategies are:

    • Holistic. They consider the full spectrum of information security, including people, processes, and technologies.
    • Risk-Aware. They understand that security decisions should be made based on the security risks facing their organization, not just on best practice.
    • Business-Aligned. They demonstrate an understanding of the goals and strategies of the organization, and how the security program can support the business.

    It’s not a matter of if you have a security incident, but when

    Organizations need to prepare and expect the inevitable security breach.

    Fifty-eight percent of companies surveyed that experienced a breach were small businesses.

    Eighty-nine percent of breaches have a financial or espionage motive.

    Three graphs are depicted. The first is labeled ‘Total Cost for Three Data Breach Root Causes,’ the second ‘Distribution of Benchmark by Root Cause of the Data Breach,’ and the third ‘Per Capita for Three Root Causes of a Data Breach.’ The three root causes are malicious or criminal attack (US$166 million per capita), system glitch ($132 million per capita), and human error ($133 million per capita).

    Source: Ponemon Institute, “2019 Global Cost of Data Breach Study”

    An information security strategy can help you prepare for incidents

    Organizations need to expect the inevitable security breach.

    90%

    of businesses have experienced an external threat in the last year.

    50%

    of IT professionals consider security to be their number one priority.

    53%

    of organizations claimed to have experienced an insider attack in the previous 12 months. 1

    46%

    of businesses believe the frequency of attacks is increasing. 2

    Effective IT leaders approach their security strategy from an understanding that attacks on their organization will occur. Building a strategy around this assumption allows your security team to understand the gaps in your current approach and become proactive instead of being reactive.

    Sources: 1 Kaspersky Lab, “Global IT Security Risks Survey”; 2 CA Technologies, “Insider Threat 2018 Report”

    Persistent Issues

    Evolving Ransomware

    • Continual changes in types and platforms make ransomware a persistent threat. The frequency of ransomware attacks was reported to have increased by 67% in the past five years. 1

    Phishing Attacks

      • Despite filtering and awareness, email remains the most common threat vector for phishing attacks (94%) and an average of 3% of participants in phishing campaigns still click on them. 2

    Insider Privilege and Misuse

    • Typically, 34% of breaches are perpetrated by insiders, with 15% involving privilege misuse. Takeaway: Care less about titles and more about access levels. 3

    Denial of Service

    • The median amount of time that an organization is under attack from DDoS attack is three days.

    Emerging Trends

    Advanced Identity and Access Governance

    • Using emerging technologies in automation, orchestration, and machine learning, the management and governance of identities and access has become more advanced.

    Sources: 1 Accenture, “2019 The Cost of Cyber Crime Study”; 2,3 Verizon, “2019 Data Breach Investigations Report”

    New threat trends in information security aren’t new.

    Previously understood attacks are simply an evolution of prior implementations, not a revolution.

    Traditionally, most organizations are not doing a good-enough job with security fundamentals, which is why attackers have been able to use the same old tricks.

    However, information security has finally caught the attention of organizational leaders, presenting the opportunity to implement a comprehensive security program.

    Cyberattacks have a significant financial impact

    Global average cost of a data breach: $3.92 Million

    Source: Ponemon Institute, “2019 Cost of a Data Breach Study: Global Overview”

    A bar graph, titled ‘Average cost of data breach by industry,’ is depicted. Of 17 industries depicted, public is the lowest average cost (US$1.29 million) and health is the highest average cost ($6.45 million).

    Primary incident type (with a confirmed data breach)

    1. Leading incident type is Denial of Service attacks (DoS), taking up to 70% of all incidents.
    2. When it comes to data breaches, we see that the use of stolen credentials leads to the most cases of confirmed breaches, accounting for 29%.

    Personal records tend to be the most compromised data types, while databases tend to be the most frequently involved asset in breaches.

    Source: Verizon, “2019 Data Breach Investigations Report”

    Security threats are not going away

    We continue to see and hear of security breaches occurring regularly.

    A bar graph depicts the percentage of businesses who experienced a data breach in the last year–US total and global total. Numbers have increased from 2016 to 2019. In 2016, 19 percent of US businesses experienced a breach. In 2019, this number was 59 percent.

    An attacker must be successful only once. The defender – you – must be successful every time.

    Info-Tech’s approach

    Maturing from reactive to strategic information security

    Two circular graphs depict the move from ‘reactive security’ to ‘strategic security’ organizations can accomplish using Info-Tech’s approach.

    Tools icon that is used in the first three stages of the strategic security graph above. Indicates Info-Tech tools included in this blueprint.

    The Info-Tech difference:

    1. A proven, structured approach to mature your information security program from reactive to strategic.
    2. A comprehensive set of tools to take the pain out of each phase in the strategy building exercise.
    3. Visually appealing templates to communicate and socialize your security strategy and roadmap to your stakeholders.

    Info-Tech’s Security Strategy Model

    Info-Tech’s Security Strategy Model is depicted in this rectangular image with arrows. The first level depicts business context (enterprise goals, compliance obligations, scope and boundaries) and pressures (security risks, risk tolerance, stakeholder expectations). The second level depicts security target state (maturity model, security framework, security alignment goals, target maturity, time frame) and current state (current state assessment, gap analysis). The third level depicts the information security roadmap (initiative list, task list, prioritization methodology, and Gantt chart).

    The Info-Tech difference:

    An information security strategy model that is:

    1. Business-Aligned. Determines business context and cascades enterprise goals into security alignment goals.
    2. Risk-Aware. Understands the security risks of the business and how they intersect with the overall organizational risk tolerance.
    3. Holistic. Leverages a best-of-breed information security framework to provide comprehensive awareness of organizational security capabilities.

    Info-Tech’s best-of-breed security framework

    This image shows how Info-Tech’s framework is based on ISO 27000 series, CIS Top 20, COBIT 2019, NIST 800-53, and NIST CSF.

    Info-Tech’s approach

    Creating an information security strategy

    Value to the business

    Outcome

    Best-of-breed security strategy

    Have documentation that paints a picture of the road to compliance. Integrate your framework with your risk tolerance and external pressures.

    Be ready for future changes by aligning your security strategy to security framework best practices.

    Address the nature of your current information security

    Eliminate gaps in process and know what is in scope for your security strategy. Learn what pressures your business and industry are under.

    Gain insight into your current state, allowing you to focus on high-value projects first, transitioning towards a target state.

    Highlight overlooked functions of your current security strategy

    Build a comprehensive security program that brings to light all aspects of your security program.

    Instead of pursing ad hoc projects, know what needs work and how to prioritize your pressing security issues.

    Create a tangible roadmap to your target state

    Create a plan for your future state of information security. Refer to and update your target state as your business needs change.

    Document your current progress and path forward in the future. Know your goals and requirements, codified in a living document.

    Use our prepopulated deliverables to fast track your progress

    Let Info-Tech do the work for you. With completed deliverables, have tangible documents to convey your business needs.

    A comprehensive set of deliverables with concrete, defensible data to justify any business changes.

    A living security strategy

    Pivot and change prioritization to meet the needs of your security deficits.

    Future-proof your security strategy for any contingency.

    The Info-Tech difference:

    Evolve the security program to be more proactive by leveraging Info-Tech’s approach to building a security strategy.

    • Dive deep into security obligations and security pressures to define the business context.
    • Conduct a thorough current state and future state analysis that is aligned with a best-of-breed framework.
    • Prioritize gap-closing initiatives to create a living security strategy roadmap.

    Use Info-Tech’s blueprint to save one to three months

    This image depicts how using Info-Tech’s four-phase blueprint can save an estimated seven to 14 weeks of an organization’s time and effort.

    Iterative benefit

    Over time, experience incremental value from your initial security strategy. Through continual updates your strategy will evolve but with less associated effort, time, and costs.

    These estimates are based on experiences with Info-Tech clients throughout the creation of this blueprint.

    Key deliverable:

    Information Security Strategy Communication Deck (PPT)

    Present your findings in a prepopulated document that can summarizes all key findings of the blueprint.

    Screenshots from Info-Tech’s Information Security Strategy Communication Deck Template.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Information Security Requirements Gathering Tool

    Define the business, customer, and compliance alignment for your security program.

    Information Security Pressure Analysis Tool

    Determine your organization’s security pressures and ability to tolerate risk.

    Information Security Program Gap Analysis Tool

    Use our best-of-breed security framework to perform a gap analysis between your current and target states.

    Information Security Charter

    Ensure the development and management of your security policies meet the broader program vision.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostic and consistent frameworks are used throughout all four options.

    Guided Implementation

    What does a typical Guided Implementation on this topic look like?

    Guided Implementation #1 - Assess security requirements
    • Call #1 - Introduce project and complete pressure analysis.
    Guided Implementation #2 - Build a gap initiative strategy
    • Call #1 - Introduce the maturity assessment.
    • Call #2 - Perform gap analysis and translate into initiatives.
    • Call #3 - Consolidate related gap initiatives and define, cost, effort, alignment, and security benefits.
    Guided Implementation #3 - Prioritize initiatives and build roadmap
    • Call #1 - Review cost/benefit analysis and build an effort map.
    • Call #2 - Build implementation waves and introduce Gantt chart.
    Guided Implementation #4 - Execute and maintain
    • Call #1 - Review Gantt chart and ensure budget/buy-in support.
    • Call #2 - Three-month check-in: Execute and maintain.

    A Guided Implementation is series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical Guided Implementation is between 2-12 calls over the course of 4 to 6 months.

    Workshop Overview

    Contact your account representative for more information, or contact workshops@infotech.com or 1-888-670-8889.

    Day 1

    Day 2

    Day 3

    Day 4

    Day 5

    Activities

    Assess Security Requirements

    Perform a Gap Analysis

    Complete the Gap Analysis

    Develop Roadmap

    Communicate and Implement

    1.1 Understand business and IT strategy and plans

    1.2 Define business and compliance requirements

    1.3 Establish the security program scope

    1.4 Analyze the organization’s risks and stakeholder pressures

    1.5 Identify the organizational risk tolerance level

    2.1 Define the information security target state

    2.2 Assess current security capabilities

    2.3 Identify security gaps

    2.4 Build initiatives to bridge the gaps

    3.1 Continue assessing current security capabilities

    3.2 Identify security gaps

    3.3 Build initiatives to bridge the maturity gaps

    3.4 Identify initiative list and task list

    3.5 Define criteria to be used to prioritize initiatives

    4.1 Conduct cost/benefit analysis on initiatives

    4.2 Prioritize gap initiatives based on cost, time, and alignment with the business

    4.3 Build effort map

    4.4 Determine start times and accountability

    4.5 Finalize security roadmap and action plan

    4.6 Create communication plan

    5.1 Finalize deliverables

    5.2 Support communication efforts

    5.3 Identify resources in support of priority initiatives

    Deliverables

    1.Security obligations statement

    2.Security scope and boundaries statement

    3.Defined risk tolerance level

    4.Risk assessment and pressure analysis

    1.Information security target state

    2.Security current state assessment

    3.Initiatives to address gaps

    1.Completed security current state assessment

    2.Task list to address gaps address gaps

    4.Prioritization criteria

    1.Information security roadmap

    2.Draft communication deck

    1.Security strategy roadmap documentation

    2.Detailed cost and effort estimates

    3.Mapping of Info-Tech resources against individual initiatives

    Executive Brief Case Study

    Credit Service Company

    Industry: Financial Services

    Source: Info-Tech Research group

    Founded over 100 years ago, Credit Service Company (CSC)* operates in the United States with over 40 branches located across four states. The organization services over 50,000 clients.

    Situation

    Increased regulations, changes in technology, and a growing number of public security incidents had caught the attention of the organization’s leadership. Despite awareness, an IT and security strategy had not been previously created. Management was determined to create a direction for the security team that aligned with their core mission of providing exceptional service and expertise.

    Solution

    During the workshop, the IT team and Info-Tech analysts worked together to understand the organization’s ideal state in various areas of information security. Having a concise understanding of requirements was a stepping stone to beginning to develop CSC’s prioritized strategy.

    Results

    Over the course of the week, the team created a document that concisely prioritized upcoming projects and associated costs and benefits. On the final day of the workshop, the team effectively presented the value of the newly developed security strategy to senior management and received buy-in for the upcoming project.

    *Some details have been changed for client privacy.

    Phase 1

    Assess Security Requirements

      Phase 1

    • 1.1 Define goals & scope
    • 1.2 Assess risks
    • 1.3 Determine pressures
    • 1.4 Determine risk tolerance
    • 1.5 Establish target state

      Phase 2

    • 2.1 Review Info-Tech’s security framework
    • 2.2 Assess your current state
    • 2.3 Identify gap closure actions

      Phase 3

    • 3.1 Define tasks & initiatives
    • 3.2 Perform cost/benefit analysis
    • 3.3 Prioritize initiatives
    • 3.4 Build roadmap

      Phase 4

    • 4.1 Build communication deck
    • 4.2 Develop a security charter
    • 4.3 Execute on your roadmap

    This phase will walk you through the following activities:

    1.1 Define goals and scope of the security strategy.

    1.2 Assess your organization’s current inherent security risks.

    1.3 Determine your organization’s stakeholder pressures for security.

    1.4 Determine your organization’s risk tolerance.

    1.5 Establish your security target state.

    1.1.1 Record your business goals

    Once you have identified your primary and secondary business goals, as well as the corresponding security alignment goals, record them in the Information Security Requirements Gathering Tool. The tool provides an activity status that will let you know if any parts of the tool have not been completed.

    1. Record your identified primary and secondary business goals in the Goals Cascade tab of the Information Security Requirements Gathering Tool.

    Use the drop-down lists to select an appropriate goal or choose “Other.” If you do choose “Other,” you will need to manually enter an appropriate business goal.

    2. For each of your business goals, select one to two security alignment goals. The tool will provide you with recommendations, but you can override these by selecting a different goal from the drop-down lists.

    A screenshot of the ‘Business Goals Cascade,’ which is part of the ‘Information Security Requirements Gathering Tool.’

    A common challenge for security leaders is how to express their initiatives in terms that are meaningful to business executives. This exercise helps to make an explicit link between what the business cares about and what security is trying to accomplish.

    1.1.2 Review your goals cascade

    Estimated Time: 15 minutes

    1. When you have completed the goals cascade, you can review a graphic diagram that illustrates your goals. The graphic is found on the Results tab of the Information Security Requirements Gathering Tool.
      • Security must support the primary business objectives. A strong security program will enable the business to compete in new and creative ways, rather than simply acting as an obstacle.
      • Failure to meet business obligations can result in operational problems, impacting the organization’s ability to function and the organization’s bottom line.
    2. Once you have reviewed the diagram, copy it into the Information Security Strategy Communication Deck.

    A screenshot of the ‘Goal Cascade Diagrams,’ which is part of the ‘Information Security Requirements Gathering Tool.’

    Identify your compliance obligations

    Most conventional regulatory obligations are legally mandated legislation or compliance obligations, such as:

    Sarbanes-Oxley Act (SOX)

    Applies to public companies that have registered equity or debt securities within the SEC to guarantee data integrity against financial fraud.

    Payment Card Industry Data Security Standard (PCI DSS)

    Applies to any organization that processes, transmits, or stores credit card information to ensure cardholder data is protected.

    Health Insurance Portability and Accountability Act (HIPAA)

    Applies to the healthcare sector and protects the privacy of individually identifiable healthcare information.

    Health Information Technology for Economic and Clinical Health (HITECH)

    Applies to the healthcare sector and widens the scope of privacy and security protections available under HIPAA.

    Personal Information Protection and Electronic Documents Act (PIPEDA)

    Applies to private sector organizations that collect personal information in Canada to ensure the protection of personal information in the course of commercial business.

    Compliance obligations also extend to voluntary security frameworks:

    NIST

    National Institute of Standards and Technology; a non-regulatory agency that develops and publicizes measurement

    CIS – 20 CSC

    Center for Internet Security – 20 Critical Security Controls; foundational set of effective cybersecurity practices.

    ISO 27001

    An information security management system framework outlining policies and procedures.

    COBIT 5

    An information technology and management and governance framework.

    HITRUST

    A common security framework for organizations that use or hold regulated personal health information.

    1.1.3 Record your compliance obligations

    Estimated Time: 30 minutes

    1. Identify your compliance obligations. Most organizations have compliance obligations that must be adhered to. These can include both mandatory and voluntary obligations. Mandatory obligations include:
      • Laws
      • Government regulations
      • Industry standards
      • Contractual agreements
      Voluntary obligations include standards that the organization has chosen to follow for best practices and any obligations that are required to maintain certifications. Organizations will have many different compliance obligations. For the purposes of your security strategy, include only those that have information security or privacy requirements.
    2. Record your compliance obligations, along with any notes, in your copy of the Information Security Requirements Gathering Tool.

    A screenshot of ‘Security Compliance Obligations,’ part of the ‘Information Security Requirements Gathering Tool.’

    Establish your scope and boundaries

    It is important to know at the outset of the strategy: what are we trying to secure?

    This includes physical areas we are responsible for, types of data we care about, and departments or IT systems we are responsible for.

    This also includes what is not in scope. For some outsourced services or locations, you may not be responsible for their security. In some business departments, you may not have control of security processes. Ensure that it is made explicit at the outset what will be included and what will be excluded from security considerations.

    Physical Scope and Boundaries

    • How many offices and locations does your organization have?
    • Which locations/offices will be covered by your information security management system (ISMS)?
    • How sensitive is the data residing at each location?
    • You may have many physical locations, and it is not necessary to list every one. Rather, list exceptional cases that are specifically in or out of scope.

    IT Systems Scope and Boundaries

    • There may be hundreds of applications that are run and maintained in your organization. Some of these may be legacy applications. Does your ISMS need to secure all your programs or a select few?
    • Is the system owned or outsourced?
    • Where are we accountable for security?
    • How sensitive is the data that each system handles?

    Organizational Scope and Boundaries

    • Will your ISMS cover all departments within your organization? For example, do certain departments (e.g. Operations) not need any security coverage?
    • Do you have the ability to make security decisions for each department?
    • Who are the key stakeholders/data owners for each department?

    Organizational scope considerations

    Many different groups will fall within the purview of the security strategy. Consider these two main points when deciding which departments will be in scope:

    1. If a group/user has access to data or systems that can impact the organization, then securing that group/user should be included within scope of the security strategy.
    2. If your organization provides some work direction to a group/user, they should be included within scope of the security strategy.
    1. Identify your departments and business groups
      • Start by identifying departments that provide some essential input or service to the organization or departments that interact with sensitive data.
    2. Break out different subsidiaries or divisions
      • Subsidiaries may or may not be responsible for securing themselves and protecting their data, but either way they are often heavily reliant on corporate for guidance and share IT resourcing support.
    3. Identify user groups
      • Many user groups exist, all requiring different levels of security. For example, from on-premises to remote access, from full-time employees to part-time or contractors.

    Physical scope considerations

    List physical locations by type

    Offices

    The primary location(s) where business operations are carried out. Usually leased or owned by the business.

    Regional Offices

    These are secondary offices that can be normal business offices or home offices. These locations will have a VPN connection and some sort of tenant.

    Co-Locations

    These are redundant data center sites set up for additional space, equipment, and bandwidth.

    Remote Access

    This includes all remaining instances of employees or contractors using a VPN to connect.

    Clients and Vendors

    Various vendors and clients have dedicated VPN connections that will have some control over infrastructure (whether owed/laaS/other).

    List physical locations by nature of the location

    Core areas within physical scope

    These are many physical locations that are directly managed. These are high-risk locations with many personal and services, resulting in many possible vulnerabilities and attack vectors.

    Locations on the edge of control

    These are on the edge of the physical scope, and thus, in scope of the security strategy. These include remote locations, remote access connections, etc.

    Third-party connections

    Networks of third-party users are within physical scope and need defined security requirements and definitions of how this varies per user.

    BYOD

    Mostly privately owned mobile devices with either on-network or remote access.

    It would be overkill and unhelpful to list every single location or device that is in scope. Rather, list by broad categories as suggested above or simply list exceptional cases that are in/out of scope.

    IT systems scope considerations

    Consider identifying your IT systems by your level of control or ownership.

    Fully owned systems

    These are systems that are wholly owned or managed by your organization.

    IT is almost always the admin of these systems. Generally they are hosted on premises. All securitization through methods such as patching or antivirus is done and managed by your IT department.

    Cloud/remote hosted (SaaS)

    These are systems with a lot of uncertainties because the vendor or service provided is either not known or what they are doing for security is not fully known.

    These systems need to be secured regardless, but supplier and vendor relationship management becomes a major component of how to manage these systems. Often, each system has varying levels of risk based on vendor practices.

    Hybrid owned (IaaS/PaaS)

    You likely have a good understanding of control for these systems, but they may not be fully managed by you (i.e. ownership of the infrastructure). These systems are often hosted by third parties that do some level of admin work.

    A main concern is the unclear definition of responsibility in maintaining these systems. These are managed to some degree by third parties; it is challenging for your security program to perform the full gamut of security or administrative functions.

    Unknown/unowned systems

    There are often systems that are unowned and even unknown and that very few people are using. These apps can be very small and my not fall under your IT management system framework. These systems create huge levels of risk due to limited visibility.

    For example, unapproved (shadow IT) file sharing or cloud storage applications would be unknown and unowned.

    1.1.4 Record your scope and boundaries

    Estimated Time: 30-60 minutes

    1. Divide into groups and give each group member a handful of sticky notes. Ask them to write down as many items as possible for the organization that could fall under one of the scope buckets.
    2. Collect each group’s responses and discuss the sticky notes and the rationale for including them. Discuss your security-related locations, data, people, and technologies, and define their scope and boundaries.
      • Careful attention should be paid to any elements of the strategy that are not in scope.
    3. Discuss and aggregate all responses as to what will be in scope of the security strategy and what will not be. Record these in the Information Security Requirements Gathering Tool.

    A screenshot of ‘Scope and Boundaries,’ part of the ‘Information Security Requirements Gathering Tool.’

    1.2 Conduct a risk assessment

    Estimated Time: 1-3 hours

    1. As a group, review the questions on the Risk Assessment tab of the Information Security Pressure Analysis Tool.
    2. Gather the required information from subject matter experts on the following risk elements:
      • Threats
      • Assets
      • Vulnerabilities (people, systems, supply chain)
      • Historical security incidents

    Input

    • List of organizational assets
    • Historical data on information security incidents

    Output

    • Completed risk assessment

    Materials

    • Information Security Pressure Analysis Tool

    Participants

    • Security Team
    • IT Leadership
    • Risk Management

    Download the Information Security Pressure Analysis Tool

    1.2.1 Complete the risk assessment questionnaire

    Estimated Time: 60-90 minutes

    1. Review each question in the questionnaire and provide the most appropriate response using the drop-down list.
      • If you are unsure of the answer, consult with subject matter experts to obtain the required data.
      • Otherwise, provide your best estimation
    2. When providing responses for the historical incident questions, only count incidents that had a sizeable impact on the business.

    A screenshot of the ‘Organizational Security Risk Assessment,’ part of the ‘Information Security Pressure Analysis Tool.’

    Info-Tech Insight

    Understanding your organization’s security risks is critical to identifying the most appropriate level of investment into your security program. Organizations with more security risks will need more a mature security program to mitigate those risks.

    1.2.2 Review the results of the risk assessment

    Estimated Time: 30 minutes

    1. Once you have completed the risk assessment, you can review the output on the Results tab.
    2. If required, the weightings of each of the risk elements can be customized on the Weightings tab.
    3. Once you have reviewed the results, copy your risk assessment diagram into the Information Security Strategy Communication Deck.

    A screenshot showing sample results of the ‘Organizational Risk Assessment,’ part of the ‘Information Security Pressure Analysis Tool.’

    It is important to remember that the assessment measures inherent risk, meaning the risk that exists prior to the implementation of security controls. Your security controls will be assessed later as part of the gap analysis.

    1.3 Conduct pressure analysis

    Estimated Time: 1-2 hours

    1. As a group, review the questions on the Pressure Analysis tab of the Information Security Pressure Analysis Tool.
    2. Gather the required information from subject matter experts on the following pressure elements:
      • Compliance and oversight
      • Customer expectations
      • Business expectations
      • IT expectations

    Input

    • Information on various pressure elements within the organization

    Output

    • Completed pressure analysis

    Materials

    • Information Security Pressure Analysis Tool

    Participants

    • Security Team
    • IT Leadership
    • Business Leaders
    • Compliance

    Download the Information Security Pressure Analysis Tool

    Risk tolerance considerations

    At this point, we want to frame risk tolerance in terms of business impact. Meaning, what kinds of impacts to the business would we be able to tolerate and how often? This will empower future risk decisions by allowing the impact of a potential event to be assessed, then compared against the formalized tolerance. We will consider impact from three perspectives:

    F

    Functional Impact

    The disruption or degradation of business/organizational processes.

    I

    Informational Impact

    The breach of confidentiality, privacy, or integrity of data/information.

    R

    Recoverability Impact

    The disruption or degradation of the ability to return to conditions prior to a security incident.

    Consider these questions:

    Questions to ask

    Description

    Is there a hard-dollar impact from downtime?

    This refers to when revenue or profits are directly impacted by a business disruption. For example, when an online ordering system is compromised and shut down, it affects sales, and therefore, revenue.

    Is regulatory compliance a factor?

    Depending on the circumstances of the vulnerabilities, it can be a violation of compliance obligations that would cause significant fines.

    Are any critical services dependent on this asset?

    Functional dependencies are sometimes not obvious, and assets that appear marginal can have huge impacts on critical services.

    Is there a health or safety risk?

    Some operations are critical to health and safety. For example, medical organizations have operations that are necessary to ensure uninterrupted critical health services. An exploited vulnerability that impacts these operations can have life and death consequences.

    ANALYST PERSPECTIVE

    It is crucial to keep in mind that you care about a risk scenario impact to the main business processes.

    For example, imagine a complete functional loss of the corporate printers. For most businesses, even the most catastrophic loss of printer function will have a small impact on their ability to carry out the main business functions.

    On the flip side, even a small interruption to email or servers could have a large functional impact on business processes.

    Risk tolerance descriptions

    High

    • Organizations with high risk tolerances are often found in industries with limited security risk, such as Construction, Agriculture and Fishing, or Mining.
    • A high risk tolerance may be appropriate for organizations that do not rely on highly sensitive data, have limited compliance obligations, and where their customers do not demand strong security controls. Organizations that are highly focused on innovation and rapid growth may also tend towards a higher risk tolerance.
    • However, many organizations adopt a high risk tolerance by default simply because they have not adequately assessed their risks.

    Moderate

    • Organizations with medium risk tolerances are often found in industries with moderate levels of security risk, such as Local Government, Education, or Retail and Wholesale
    • A medium risk tolerance may be appropriate for organizations that store and process some sensitive data, have a modest number of compliance obligations, and where customer expectations for security tend to be implicit rather than explicit.

    Low

    • Organizations with low risk tolerances are often found in industries with elevated security risk, such as Financial Services, Federal Governments, or Defense Contractors.
    • A low risk tolerance may be appropriate for organizations that store very sensitive data, process high-value financial transactions, are highly regulated, and where customers demand strong security controls.
    • Some organizations claim to have a low risk tolerance, but in practice will often allow business units or IT to accept more security risk than would otherwise be permissible. A strong information security program will be required to manage risks to an acceptable level.

    1.4.1 Complete the risk tolerance questionnaire

    Estimated Time: 30-60 minutes

    1. In a group discussion, review the low-, medium-, and high-impact scenarios and examples for each impact category. Ensure that everyone has a consistent understanding of the scenarios.
    2. For each impact type, use the frequency drop-down list to identify the maximum frequency that the organization could tolerate for the event scenarios, considering:
      • The current frequency with which the scenarios are occurring in your organization may be a good indication of your tolerance. However, keep in mind that you may be able to tolerate these incidents happening more frequently than they do.
      • Hoping is not the same as tolerating. While everyone hopes that high-impact incidents never occur, carefully consider whether you could tolerate them occurring more frequently.

    A screenshot showing the ‘Organizational Security Risk Tolerance Assessment,’ part of the ‘Information Security Pressure Analysis Tool.’

    1.4.2 Review the results of the risk tolerance analysis

    Estimated Time: 30 minutes

    1. Once you have completed the risk tolerance exercise, you can review the output on the Results tab.
    2. If required, the weightings of each of the impact types can be customized on the Weightings tab.
    3. Once you have reviewed the results, copy your risk tolerance diagram into the Information Security Strategy Communication Deck.

    A screenshot showing the results of the 'Information Security Risk Tolerance Assessment,' part of the ‘Information Security Pressure Analysis Tool.’

    A low risk tolerance will require a stronger information security program to ensure that operational security risk in the organization is minimized. If this tool reports that your risk tolerance is low, it is recommended that you review the results with your senior stakeholders to ensure agreement and support for the security program.

    1.5 Establish your target state

    Estimated Time: 30-60 minutes

    1. As a group, review the overall results of the requirements gathering exercise:
      • Business goals cascade
      • Compliance obligations
      • Scope
    2. Review the overall results of the risk assessment, pressure analysis, and risk tolerance exercises.
    3. Conduct a group discussion to arrive at a consensus of what the ideal target state for the information security program should look like.
      • Developing mission and vision statements for security may be useful for focusing the group.
      • This discussion should also consider the desired time frame for achieving the target state.

    Download the Information Security Pressure Analysis Tool

    Input

    • Information security requirements (goals cascade, compliance obligations, scope)
    • Risk assessment
    • Pressure analysis
    • Risk tolerance

    Output

    • Completed information security target state

    Materials

    Participants

    • Security Team
    • IT Leadership
    • Risk Management
    • Business Leaders
    • Compliance

    Understanding security target states

    Maturity models are very effective for determining information security target states. This table provides general descriptions for each maturity level. As a group, consider which description most accurately reflects the ideal target state for information security in your organization.

    1. AD HOC

      Initial/Ad hoc security programs are reactive. Lacking strategic vision, these programs are less effective and less responsive to the needs of the business.
    2. DEVELOPING

      Developing security programs can be effective at what they do but are not holistic. Governance is largely absent. These programs tend to rely on the talents of individuals rather than a cohesive plan.
    3. DEFINED

      A defined security program is holistic, documented, and proactive. At least some governance is in place, however, metrics are often rudimentary and operational in nature. These programs still often rely on best practices rather than strong risk management.
    4. MANAGED

      Managed security programs have robust governance and metrics processes. Management and board-level metrics for the overall program are produced. These are reviewed by business leaders and drive security decisions. More mature risk management practices take the place of best practices.
    5. OPTIMIZED

      An optimized security program is based on strong risk management practices, including the production of key risk indicators (KRIs). Individual security services are optimized using key performance indicators (KPIs) that continually measure service effectiveness and efficiency.

    1.5.1 Review the results of the target state recommendation

    Estimated Time: 30-60 minutes

    1. Based upon your risk assessment, pressure analysis, and risk tolerance, the Information Security Pressure Analysis Tool will provide a recommended information security target state.
    2. With your group, review the recommendation against your expectations.
    3. If required, the weightings of each of the factors can be customized on the Weightings tab.
    4. Once you have reviewed the results, copy your target state diagram into the Information Security Strategy Communication Deck.

    A screenshot showing the results of the ‘Information Security Target State,’ part of the ‘Information Security Pressure Analysis Tool.’

    Info-Tech Insight

    Higher target states require more investment to attain. It is critical to ensure that all key stakeholders agree on the security target state. If you set a target state that aims too high, you may struggle to gain support and funding for the strategy. Taking this opportunity to ensure alignment from the start will pay off dividends in future.

    1.5.2 Review and adjust risk and pressure weightings

    Estimated Time: 30 minutes

    1. If the results of your risk assessment, pressure analysis, risk tolerance, or target state do not match your expectations, you may need to review and adjust the weightings for the elements within one or more of these areas.
    2. On the Weightings tab, review each of the strategic categories and adjust the weights as required.
      • Each domain is weighted to contribute to your overall pressure score based on the perceived importance of the domain to the organization.
      • The sum of all weights for each category must add up to 100%.

    A screenshot showing the results of the weightings given to each factor in a category, part of the ‘Information Security Pressure Analysis Tool.’

    Case Study

    Credit Service Company

    Industry: Financial Services

    Source: Info-Tech Research group

    Below are some of the primary requirements that influenced CSC’s initial strategy development.

    External Pressure

    Pressure Level: High

    • Highly regulated industries, such as Finance, experience high external pressure.
    • Security pressure was anticipated to increase over the following three years due to an increase in customer requirement.

    Obligations

    Regulatory: Numerous regulations and compliance requirements as a financial institution (PCI, FFIEC guidance).

    Customer: Implicitly assumes personal, financial, and health information will be kept secure.

    Risk Tolerance

    Tolerance Level: Low

    1. Management: Are risk averse and have high visibility into information security.
    2. Multiple locations controlled by a central IT department decreased the organization’s risk tolerance.

    Summary of Security Requirements

    Define and implement dynamic information security program that understands and addresses the business’ inherent pressure, requirements (business, regulatory, and customer), and risk tolerance.

    Phase 2

    Build a Gap Initiative Strategy

      Phase 1

    • 1.1 Define goals & scope
    • 1.2 Assess risks
    • 1.3 Determine pressures
    • 1.4 Determine risk tolerance
    • 1.5 Establish target state

      Phase 2

    • 2.1 Review Info-Tech’s security framework
    • 2.2 Assess your current state
    • 2.3 Identify gap closure actions

      Phase 3

    • 3.1 Define tasks & initiatives
    • 3.2 Perform cost/benefit analysis
    • 3.3 Prioritize initiatives
    • 3.4 Build roadmap

      Phase 4

    • 4.1 Build communication deck
    • 4.2 Develop a security charter
    • 4.3 Execute on your roadmap

      This phase will walk you through the following activities:

    • 2.1 Review Info-Tech’s framework.
    • 2.2 Assess your current state of security against your target state.
    • 2.3 Identify actions required to close gaps.

    2.1 Review the Info-Tech framework

    Estimated Time: 30-60 minutes

    1. As a group, have the security team review the security framework within the Information Security Gap Analysis Tool.
    2. Customize the tool as required using the instructions on the following slides.

    Input

    • Information security requirements
    • Security target state

    Output

    • Customized security framework

    Materials

    • Information Security Gap Analysis Tool

    Participants

    • Security Team

    Download the Information Security Gap Analysis Tool

    Understand the Info-Tech framework

    Info-Tech’s security framework uses a best-of-breed approach to leverage and align with most major security standards, including:

    • ISO 27001/27002
    • COBIT
    • Center for Internet Security (CIS) Critical Controls
    • NIST Cybersecurity Framework
    • NIST SP 800-53
    • NIST SP 800-171

    A diagram depicting Info-Tech’s best-of-breed security framework.

    A best-of-breed approach ensures holistic coverage of your information security program while refraining from locking you in to a specific compliance standard.

    2.1.1 Configure the Information Security Gap Analysis Tool

    Estimated Time: 30 minutes

    Review the Setup tab of the Information Security Gap Analysis Tool. This tab contains several configurable settings that should be customized to your organization. For now, the three settings you will need to modify are:

    • The security target state. Enter the target state from your Information Security Pressure Analysis Tool. If you do not enter a target state, the tool will default to a target of 3 (Defined).
    • Your Security Alignment Goals (from your Information Security Requirements Gathering Tool).
    • The starting year for your security roadmap.

    A screenshot showing the ‘Setup’ tab of the ‘Information Security Gap Analysis Tool.’

    2.2 Assess current state of security

    Estimated Time: 8-16 hours

    1. Using the Information Security Gap Analysis Tool, review each of the controls in the Gap Analysis tab.
    2. Follow the instructions on the next slides to complete your current state and target state assessment.
    3. For most organizations, multiple internal subject matter experts will need to be consulted to complete the assessment.

    Input

    • Security target state
    • Information on current state of security controls, including sources such as audit findings, vulnerability and penetration test results, and risk registers

    Output

    • Gap analysis

    Materials

    • Information Security Gap Analysis Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management

    Download the Information Security Gap Analysis Tool

    Example maturity levels

    To help determine appropriate current and target maturity levels, refer to the example below for the control “Email communication is filtered for spam and potential malicious communications.”

    AD HOC 01

    There is no centrally managed spam filter. Spam may be filtered by endpoint email clients.

    DEVELOPING 02

    There is a secure email gateway. However, the processes for managing it are not documented. Administrator roles are not well defined. Minimal fine-tuning is performed, and only basic features are in use.

    DEFINED 03

    There is a policy and documented process for email security. Roles are assigned and administrators have adequate technical training. Most of the features of the solution are being used. Rudimentary reports are generated, and some fine-tuning is performed.

    MANAGED 04

    Metrics are produced to measure the effectiveness of the email security service. Advanced technical features of the solution have been implemented and are regularly fine-tuned based on the metrics.

    OPTIMIZED 05

    There is a dedicated email security administrator with advanced technical training. Custom filters are developed to further enhance security, based on relevant cyber threat intelligence. Email security metrics feed key risk indicators that are reported to senior management.

    2.2.1 Conduct current state assessment

    Estimated Time: 8-16 hours

    1. Carefully review each of the controls in the Gap Analysis tab. For each control, indicate the current maturity level using the drop-down list.
      • You should only use “N/A” if you are confident that the control is not required in your organization.
      • For example, if your organization does not perform any software development then you can select “N/A” for any controls related to secure coding practices.
    2. Provide comments to describe your current state. This step is optional but recommended as it may be important to record this information for future reference.
    3. Select the target maturity for the control. The tool will default to the target state for your security program, but this can be overridden using the drop-down list.

    2.2.1 Conduct current state assessment

    Estimated Time: 8-16 hours

    1. Carefully review each of the controls in the Gap Analysis tab. For each control, indicate the current maturity level using the drop-down list.
      • You should only use “N/A” if you are confident that the control is not required in your organization. For example, if your organization does not perform any software development then you can select “N/A” for any controls related to secure coding practices.
    2. Provide comments to describe your current state. This step is optional but recommended as it may be important to record this information for future reference.
    3. Select the target maturity for the control. The tool will default to the target state for your security program, but this can be overridden using the drop-down list.

    A screenshot showing the 'Gap Analysis' tab of the 'Information Security Gap Analysis Tool.'

    Review the Gap Analysis Dashboard

    Use the Gap Assessment Dashboard to map your progress. As you fill out the Gap Analysis Tool, check with the Dashboard to see the difference between your current and target state.

    Use the color-coded legend to see how large the gap between your current and target state is. The legend can be customized further if desired.

    Security domains that appear white have not yet been assessed or are rated as “N/A.”

    2.2.3 Identify actions required to close gaps

    Estimated Time: 4-8 hours

    1. Using the Information Security Gap Analysis Tool, review each of the controls in the Gap Analysis tab.
    2. Follow the instructions on the next slides to identify gap closure actions for each control that requires improvement.
    3. For most organizations, multiple internal subject matter experts will need to be consulted to complete the assessment.

    Input

    • Security control gap information

    Output

    • Gap closure action list

    Materials

    • Information Security Gap Analysis Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management

    Download the Information Security Gap Analysis Tool

    2.3.1 Identify gap closure actions

    Estimated Time: 4-8 hours

    1. For each of the controls where there is a gap between the current and target state, a gap closure action should be identified:
      • Review the example actions and copy one or more of them if appropriate. Otherwise, enter your own gap closure action.
    2. Identify whether the action should be managed as a task or as an initiative. Most actions should be categorized as an initiative. However, it may be more appropriate to categorize them as a task when:
      1. They have no costs associated with them
      2. They require a low amount of initial effort to implement and no ongoing effort to maintain
      3. They can be accomplished independently of other tasks

    A screenshot showing gap closure actions, part of the 'Gap Analysis' tab of the 'Information Security Gap Analysis Tool.'

    Considerations for gap closure actions

    • In small groups, have participants ask, “what would we have to do to achieve the target state?” Document these in the Gap Closure Actions column.
    • The example gap closure actions may be appropriate for your organization, but do not simply copy them without considering whether they are right for you.
    • Not all gaps will require their own action. You can enter one action that may address multiple gaps.
    • If you find that many of your actions are along the lines of “investigate and make recommendations,” you should consider using the estimated gap closure percentage column to track the fact that these gaps will not be fully closed by the actions.

    A screenshot showing considerations for gap closure actions, part of the 'Gap Analysis' tab of the 'Information Security Gap Analysis Tool.'

    2.3.2 Define gap closure action effectiveness

    Estimated Time: 1-2 hours

    For each of the gap closure actions, optionally enter an estimated gap closure percentage to indicate how effective the action will be in fully closing the gap.

    • For instance, an action to “investigate solutions and make recommendations” will not fully close the gap.
    • This is an optional step but will be helpful to understand how much progress towards your security target state you will make based on your roadmap.
    • If you do not fill in this column, the tool will assume that your actions will fully close all gaps.

    A screenshot showing considerations for estimated gap closure percentage, part of the 'Gap Analysis' tab of the 'Information Security Gap Analysis Tool.'

    Completing this step will populate the “Security Roadmap Progression” diagram in the Results tab, which will provide a graphic illustration of how close to your target state you will get based upon the roadmap.

    Phase 3

    Prioritize Initiatives and Build Roadmap

    Phase 1

    • 1.1 Define goals & scope
    • 1.2 Assess risks
    • 1.3 Determine pressures
    • 1.4 Determine risk tolerance
    • 1.5 Establish target state

    Phase 2

    • 2.1 Review Info-Tech’s security framework
    • 2.2 Assess your current state
    • 2.3 Identify gap closure actions

    Phase 3

    • 3.1 Define tasks & initiatives
    • 3.2 Perform cost/benefit analysis
    • 3.3 Prioritize initiatives
    • 3.4 Build roadmap

    Phase 4

    • 4.1 Build communication deck
    • 4.2 Develop a security charter
    • 4.3 Execute on your roadmap

    This phase will walk you through the following activities:

    • 3.1 Define tasks and initiatives.
    • 3.2 Define cost, effort, alignment, and security benefit of each initiative.
    • 3.3 Prioritize initiatives.
    • 3.4 Build the prioritized security roadmap

    3.1 Define tasks and initiatives

    Estimated Time: 2-4 hours

    1. As a group, review the gap actions identified in the Gap Analysis tab.
    2. Using the instructions on the following slides, finalize your task list.
    3. Using the instructions on the following slides, review and consolidate your initiative list.

    Input

    • Gap analysis

    Output

    • List of tasks and initiatives

    Materials

    • Information Security Gap Analysis Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management
    • Project Management Office

    Download the Information Security Gap Analysis Tool

    3.1.1 Finalize your task list

    Estimated Time: 1-2 hours

    1. Obtain a list of all your task actions by filtering on the Action Type column in the Gap Analysis tab.
    2. Paste the list into the table on the Task List tab.
      • Use Paste Values to retain the table formatting
    3. Enter a task owner and due date for each task. Without accountability, it is too easy to fall into complacency and neglect these tasks.

    A screenshot showing the 'Task List' tab of the 'Information Security Gap Analysis Tool.'

    Info-Tech Insight

    Tasks are not meant to be managed to the same degree that initiatives will be. However, they are still important. It is recommended that you develop a process for tracking these tasks to completion.

    3.1.2 Consolidate your gap closure actions into initiatives

    Estimated Time: 2-3 hours

    1. Once you have finalized your task list, you will need to consolidate your list of initiative actions. Obtain a list of all your initiative actions by filtering on the Action Type column in the Gap Analysis tab.
    2. Create initiatives on the Initiative List tab. While creating initiatives, consider the following:
      • As much as possible, it is recommended that you consolidate multiple actions into a single initiative. Reducing the total number of initiatives will allow for more efficient management of the overall roadmap.
      • Start by identifying areas of commonality between gap closure actions, for instance:
        • Group all actions within a security domain into a single initiative.
        • Group together similar actions, such as all actions that require updating policies.
        • Consider combining actions that have inter-dependencies.
      • While it is recommended that you consolidate actions as much as possible, some actions should become initiatives on their own. This will be appropriate when:
        • The action is time sensitive and consolidating it with other actions will cause scheduling issues.
        • Actions that could otherwise be consolidated have different business sponsors or owners and need to be kept separate for funding or accountability reasons.
    3. Link the initiative actions on the Gap Analysis tab using the drop-down list in the Initiative Name column.

    Initiative consolidation example

    In the example below, we see three gap closure actions within the Security Culture and Awareness domain being consolidated into a single initiative “Develop security awareness program.”

    We can also see one gap closure action within the same domain being grouped with two actions from the Security Policies domain into another initiative “Update security policies.”

    Info-Tech Insight

    As you go through this exercise, you may find that some actions that you previously categorized as tasks could be consolidated into an initiative.

    A screenshot showing how six sample gap closure actions can be distilled into two gap closure initiatives. Part of the 'Information Security Gap Analysis Tool.'

    3.1.3 Finalize your initiative list

    Estimated Time: 30 minutes

    1. Review your final list of initiatives and make any required updates.
    2. Optionally, add a description or paste in a list of the individual gap closure actions that are associated with the initiative. This will make it easier to perform the cost and benefit analysis.
    3. Use the drop-down list to indicate which of the security alignment goals most appropriately reflects the objectives of the initiative. If you are unsure, use the legend next to the table to find the primary security domain associated with the initiative and then select the recommended security alignment goal.
      • This step is important to understand how the initiative supports the business goals identified earlier.

     A screenshot showing the primary security alignment goal, part of the 'Initiative List' tab of the 'Information Security Gap Analysis Tool.'

    3.2 Conduct cost/ benefit analysis

    Estimated Time: 1-2 hours

    1. As a group, define the criteria to be used to conduct the cost/benefit analysis, following the instructions on the next slide.
    2. Assign costing and benefits information for each initiative.
    3. Define dependencies or business impacts if they will help with prioritization.

    Input

    • Gap analysis
    • Initiative list

    Output

    • Completed cost/benefit analysis for initiative list

    Materials

    • Information Security Gap Analysis Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management
    • Project Management Office

    Download the Information Security Gap Analysis Tool

    3.2.1 Define costing criteria

    Estimated Time: 30 minutes

    1. On the Setup tab of the Information Security Gap Analysis Tool, enter high, medium, and low ranges for initial and ongoing costs and efforts.
      1. Initial costs are one-time, upfront capital investments (e.g. hardware and software costs, project-based consulting fees, training).
      2. Ongoing cost is any annually recurring operating expenses that are new budgetary costs (e.g. licensing, maintenance, subscription fees).
      3. Initial staffing in hours is total time in person hours required to complete a project. It is not total elapsed time but dedicated time. Consider time required to gather requirements and to design, test, and implement the solution.
      4. Ongoing staffing in FTEs is the ongoing average effort required to support that initiative after implementation.
    2. In addition to ranges, provide an average for each. These will be used to calculate estimated total costs for the roadmap.

    A screenshot showing the initiative costs for estimation, part of the 'Setup' tab of the 'Information Security Gap Analysis Tool.' The range of costs is labeled with an arrow with number 1 on it, and the average cost per initiative is labeled with an arrow with number 2 on it.

    Make sure that your ranges allow for differentiation between initiatives to enable prioritization. For instance, if you set your ranges too low, all your initiatives will be assessed as high cost, providing no help when you must prioritize them.

    3.2.2 Define benefits criteria

    Estimated Time: 30 minutes

    1. On the Setup tab of the Information Security Gap Analysis Tool, enter high, medium, and low values for the Alignment with Business Benefit.
      • This variable is meant to capture how well each initiative aligns with organizational goals and objectives.
      • By default, this benefit is linked directly to business goals through the primary and secondary security alignment goals. This allows the tool to automatically calculate the benefit based on the security alignment goals associated with each initiative.
      • If you change these values, you may need to override the calculated values in the prioritization tab.
    2. Enter a high, medium, and low value for the Security Benefit.
      • This variable is meant to capture the relative security benefit or risk reduction being provided by the gap initiative.
      • By default, this benefit is linked to security risk reduction.

    A screenshot showing the initiative benefits for estimation, part of the 'Setup' tab of the 'Information Security Gap Analysis Tool.'

    Some organizations prefer to use the “Security Benefit” criteria to demonstrate how well each initiative supports specific compliance goals.

    3.2.3 Complete the cost/benefit analysis

    Estimated Time: 1-2 hours

    1. On the Prioritization tab, use the drop-down lists to enter the estimated costs and efforts for each initiative, using the criteria defined earlier.
      • If you have actual costs available, you can optionally enter them under the Detailed Cost Estimates columns.
    2. Enter the estimated benefits, also using the criteria defined earlier.
      • The Alignment with Business benefit will be automatically populated, but you can override this value using the drop-down list if desired.

    A screenshot showing the estimated cost, estimated effort, and estimated benefits section, part of the 'Prioritization' tab of the 'Information Security Gap Analysis Tool.' Estimated cost and estimated effort are labeled with an arrow with number 1 on it, and estimated benefits is labeled with an arrow with a number 2 on it.

    3.2.4 Optionally enter detailed cost estimates

    Estimated Time: 30 minutes

    1. For each initiative, the tool will automatically populate the Detailed Cost Estimates and Detailed Staffing Estimates columns using the averages that you provided in steps 3.2.1 and 3.2.2. However, if you have more detailed data about the costs and effort requirements for an initiative, you can override the calculated data by manually entering it into these columns. For example:
      • You are planning to subscribe to a security awareness vendor, and you have a quote from them specifying that the initial cost will be $75,000.
      • You have defined your “Medium” cost range as being “$10-100K”, so you select medium as your initial cost for this initiative in step 3.2.3. As you defined the average for medium costs as being $50,000, this is what the tool will put into the detailed cost estimate.
      • You can override this average by entering $75,000 as the initial cost in the detailed cost estimate column.

    A screenshot showing the detailed cost estimates and detailed staffing estimates columns, part of the 'Prioritization' tab of the 'Information Security Gap Analysis Tool.' These columns are labeled with an arrow with a number 1 on it.

    Case Study

    Credit Service Company

    Industry: Financial Services

    Source: Info-Tech Research Group

    A chart titled 'Framework Components,' displaying how the Credit Service Company profiled in the case study performed a current state assessment, created gap initiatives, and prioritized gap initiatives.

    3.3 Prioritize initiatives

    Estimated Time: 2-3 hours

    1. As a group, review the results of the cost/benefit analysis. Optionally, complete the Other Considerations columns in the Prioritization tab:
      • Dependencies can refer to other initiatives on the list or any other dependency that relates to activities or projects within the organization.
      • Business impacts can be helpful to document as they may require additional planning and communication that could impact initiative timelines.
    2. Follow step 3.3.1 to create an effort map with the results of the cost/benefit analysis.
    3. Follow step 3.3.2 to assign initiatives into execution waves.

    Input

    • Gap analysis
    • Initiative list
    • Cost/benefit analysis

    Output

    • Prioritized list of initiatives

    Materials

    • Information Security Gap Analysis Tool
    • Whiteboard

    Participants

    • Security Team
    • IT Leadership
    • Project Management Office

    Download the Information Security Gap Analysis Tool

    3.3.1 Create effort map

    Estimated Time: 30 minutes

    1. On a whiteboard, draw the quadrant diagram shown.
    2. Create sticky notes for each initiative on your initiative list.
    3. For each initiative, use the “Cost/Effort Rating” and the “Benefit Rating” calculated on the Prioritization tab to place the corresponding sticky note onto the diagram.

    An effort map is a tool used for the visualization of a cost/benefit analysis. It is a quadrant output that visually shows how your gap initiatives were prioritized. In this example, the initiative “Update Security Policies” was assessed as low cost/effort (3) and high benefit (10).

    An image showing how 'update security policies,' as ranked on a cost/effort and benefit quadrant, translates to a cost/effort and benefit rating on the 'Prioritization' tab of the 'Information Security Gap Analysis Tool.'

    3.3.2 Assign initiatives to execution waves

    Estimated Time: 60 minutes

    1. Using sticky flip chart sheets, create four sheets and label them according to the four execution waves:
      • MUST DO – These are initiatives that need to get moving right away. They may be quick wins, items with critical importance, or foundational projects upon which many other initiatives depend.
      • SHOULD DO – These are important initiatives that need to get done but cannot launch immediately due to budget constraints, dependencies, or business impacts that require preparation.
      • COULD DO – Initiatives that have merit but are not a priority.
      • WON’T DO – Initiatives where the costs outweigh the benefits.
    2. Using the further instructions on the following slides, move the initiative sticky notes from your effort map into the waves.

    Considerations for prioritization

    • Starting from the top right of the effort map, begin pulling stickies off and putting them in the appropriate roadmap category.
    • Keep dependencies in mind. If an important initiative depends on a low-priority one being completed first, then pull dependent initiatives up the list.
    • It may be helpful to think of each wave as representing a specific time frame (e.g. wave 1 = first year of your roadmap, wave 2 = year two, wave 3 = year three).

    Info-Tech Insight

    Use an iterative approach. Most organizations tend to put too many initiatives into wave 1. Be realistic about what you can accomplish and take several passes at the exercise to achieve a balance.

    An image showing how to map the sticky notes from a sample exercise, as placed on a cost/effort and benefit quadrant, into waves.

    3.3.3 Finalize prioritization

    Estimated Time: 30 minutes

    1. Once you have completed placing your initiative sticky notes into the waves, update the Prioritization tab with the Roadmap Wave column.
    2. Optionally, use the Roadmap Sub-Wave column to prioritize initiatives within a single wave.
      • This will allow you more granular control over the final prioritization, especially where dependencies require extra granularity.

    Any initiatives that are currently in progress should be assigned to Wave 0.

    An image showing the roadmap wave and roadmap sub-wave sections, part of the 'Prioritization' tab of the 'Information Security Gap Analysis Tool.' Roadmap wave is labeled with an arrow with a number 1 on it, and roadmap sub-wave is labeled with an arrow with a number 2 on it.

    3.4 Build roadmap

    Estimated Time: 1-3 hours

    1. As a group, follow step 3.4.1 to create your roadmap by scheduling initiatives into the Gantt chart within the Information Security Gap Analysis Tool.
    2. Review the roadmap for resourcing conflicts and adjust as required.
    3. Review the final cost and effort estimates for the roadmap.

    Input

    • Gap analysis
    • Cost/benefit analysis
    • Prioritized initiative list
    • (Optional) List of other non-security IT and business projects

    Output

    • Security strategic roadmap

    Materials

    • Information Security Gap Analysis Tool

    Participants

    • Security Team
    • IT Leadership
    • Project Management Office

    Download the Information Security Gap Analysis Tool

    3.4.1 Schedule initiatives using the Gantt chart

    Estimated Time: 1-2 Hours

    1. On the Gantt Chart tab for each initiative, enter an owner (the individual who will be primarily responsible for execution).
    2. Additionally, enter a start month and year for the initiative and the expected duration in months.
      • You can filter the Wave column to only see specific waves at any one time to assist with the scheduling.
      • You do not need to schedule Wave 4 initiatives as the expectation is that these initiatives will not be done.

    Info-Tech Insight

    Use the Owner column to help identify resourcing constraints. If a single individual is responsible for many different initiatives that are planned to start at the same time, consider staggering those initiatives.

    An image showing the owner and planned start sections, part of the 'Security Roadmap Gantt Chart' tab of the 'Information Security Gap Analysis Tool.' The owner column is labeled with an arrow with a 1 on it, and the planned start column is labeled with an arrow with a 2 on it.

    3.4.2 Review your roadmap

    Estimated Time: 30-60 minutes

    1. When you have completed the Gantt chart, as a group review the overall roadmap to ensure that it is reasonable for your organization. Consider the following:
      • Do you have other IT or business projects planned during this time frame that may impact your resourcing or scheduling?
      • Does your organization have regular change freezes throughout the year that will impact the schedule?
      • Do you have over-subscribed resources? You can filter the list on the Owner column to identify potential over-subscription of resources.
      • Have you considered any long vacations, sabbaticals, parental leaves, or other planned longer-term absences?
      • Are your initiatives adequately aligned to your budget cycle? For instance, if you have an initiative that is expected to make recommendations for capital expenditure, it must be completed prior to budget planning.

    A screenshot image showing parts of the 'Security Roadmap Gantt Chart' tab with sample data in it. Taken from the 'Information Security Gap Analysis Tool.'

    3.4.3 Review your expected roadmap progression

    Estimated Time: 30 minutes

    1. If you complete the optional exercise of filling in the Estimated Gap Closure Percentage column on the Gap Analysis tab, the tool will generate a diagram showing how close to your target state you can expect to get based on the tasks and initiatives in your roadmap. You can review this diagram on the Results tab.
      • Remember that this Expected Maturity at End of Roadmap score assumes that you will complete all tasks and initiatives (including all Wave 4 initiatives).
    2. Copy the diagram into the Information Security Strategy Communication Deck.

    Info-Tech Insight

    Often, internal stakeholders will ask the question “If we do everything on this roadmap, will we be at our target state?” This diagram will help answer that question.

    A screenshot image showing the 'Expected Security Roadmap Progression' with sample data in it. Part of the 'Results' tab of the 'Information Security Gap Analysis Tool.'

    3.4.4 Review your cost/effort estimates table

    Estimated Time: 30 minutes

    1. Once you have completed your roadmap, review the total cost/effort estimates. This can be found in a table on the Results tab. This table will provide initial and ongoing costs and staffing requirements for each wave. This also includes the total three-year investment. In your review consider:
      • Is this investment realistic? Will completion of your roadmap require adding more staff or funding than you otherwise expected?
      • If the investment seems unrealistic, you may need to revisit some of your assumptions, potentially reducing target levels or increasing the amount of time to complete the strategy.
      • This table provides you with the information to have important conversations with management and stakeholders
    2. When you have completed your review, copy the table into the Information Security Strategy Communication Deck.

    A screenshot image showing the 'Information Security Roadmap Cost/Effort Estimates,' part of the 'Results' tab of the 'Information Security Gap Analysis Tool.'

    Phase 4

    Execute and Maintain

    Phase 1

    • 1.1 Define goals & scope
    • 1.2 Assess risks
    • 1.3 Determine pressures
    • 1.4 Determine risk tolerance
    • 1.5 Establish target state

    Phase 2

    • 2.1 Review Info-Tech’s security framework
    • 2.2 Assess your current state
    • 2.3 Identify gap closure actions

    Phase 3

    • 3.1 Define tasks & initiatives
    • 3.2 Perform cost/benefit analysis
    • 3.3 Prioritize initiatives
    • 3.4 Build roadmap

    Phase 4

    • 4.1 Build communication deck
    • 4.2 Develop a security charter
    • 4.3 Execute on your roadmap

    This phase will walk you through the following activities:

    • 4.1 Build your security strategy communication deck.
    • 4.2 Develop a security charter.
    • 4.3 Execute on your roadmap.

    4.1 Build your communication deck

    Estimated Time: 1-3 hours

    1. As a group, review the Information Security Strategy Communication Deck.
    2. Follow the instructions within the template and on the next few slides to customize the template with the results of your strategic roadmap planning.

    Input

    • Completed Security Requirements Gathering Tool
    • Completed Security Pressure Analysis Tool
    • Completed Security Gap Analysis Tool

    Output

    • Information Security Strategy Communication Deck

    Materials

    • Information Security Strategy Communication Deck

    Participants

    • Security Team
    • IT Leadership

    Download the Information Security Gap Analysis Tool

    4.1.1 Customize the Communication Deck

    Estimated Time: 1-2 hours

    1. When reviewing the Information Security Strategy Communication Deck, you will find slides that contain instructions within green text boxes. Follow the instructions within the boxes, then delete the boxes.
      • Most slides only require that you copy and paste screenshots or tables from your tools into the slides.
      • However, some slides require that you customize or add text explanations that need to reflect your unique organization.
      • It is recommended that you pay attention to the Next Steps slide at the end of the deck. This will likely have a large impact on your audience.
    2. Once you have customized the existing slides, you may wish to add additional slides. For instance, you may wish to add more context to the risk assessment or pressure analysis diagrams or provide details on high-priority initiatives.

    An image showing the 'Business Goals Cascade,' part of the 'Information Security Strategy Communication Deck.' A green box on top of the screenshot instructs you to 'Paste your goals cascade from the Information Security Requirements Gathering Tool here.'

    Consider developing multiple versions of the deck for different audiences. Senior management may only want an executive summary, whereas the CIO may be more interested in the methodology used to develop the strategy.

    Communication considerations

    Developing an information security strategy is only half the job. For the strategy to be successful, you will need to garner support from key internal stakeholders. These may include the CIO, senior executives, and business leaders. Without their support, your strategy may never get the traction it needs. When building your communication deck and planning to present to these stakeholders, consider the following:

    • Gaining support from stakeholders requires understanding their needs. Before presenting to a new audience, carefully consider their priorities and tailor your presentation to address them.
    • Use the communication deck to clarify the business context and how your initiatives that will support business goals.
    • When presenting to senior stakeholders, anticipate what questions they might ask and be sure to prepare answers in advance. Always be prepared to speak to any data point within the deck.
    • If you are going to present your strategy to a group and you anticipate that one or more members of that group may be antagonistic, seek out an opportunity to speak to them before the meeting and address their concerns one on one.

    If you have already fully engaged your key stakeholders through the requirements gathering exercises, presenting the strategy will be significantly easier. The stakeholders will have already bought in to the business goals, allowing you to show how the security strategy supports those goals.

    Info-Tech Insight

    Reinforce the concept that a security strategy is an effort to enable the organization to achieve its core mission and goals and to protect the business only to the degree that the business demands. It is important that stakeholders understand this point.

    4.2 Develop a security charter

    Estimated Time: 1-3 hours

    1. As a group, review the Information Security Charter.
    2. Customize the template as required to reflect your information security program. It may include elements such as:
      • A mission and vision statement for information security in your organization
      • The objectives and scope of the security program
      • A description of the security principles upon which your program is built
      • High-level roles and responsibilities for information security within the organization

    Input

    • Completed Security Requirements Gathering Tool
    • Completed Security Pressure Analysis Tool
    • Completed Security Gap Analysis Tool

    Output

    • Information security charter

    Materials

    • Information Security Charter

    Participants

    • Security Team

    Download the Information Security Gap Analysis Tool

    4.2.1 Customize the Information Security Charter

    Estimated Time: 1-3 hours

    1. Involve the stakeholders that were present during Phase 1 activities to allow you to build a charter that is truly reflective of your organization.
    2. The purpose of the security charter is too:
      • Establish a mandate for information security within the organization.
      • Communicate executive commitment to risk and information security management.
      • Outline high-level responsibilities for information security within the organization.
      • Establish awareness of information security within the organization.

    A screenshot of the introduction of the 'Information Security Charter' template.

    A security charter is a formalized and defined way to document the scope and purpose of your security program. It will define security governance and allow it to operate efficiently through your mission and vision.

    4.3 Execute on your roadmap

    1. Executing on your information security roadmap will require coordinated effort by multiple teams within your organization. To ensure success, consider the following recommendations:
      1. If you have a project management office, leverage them to help apply formal project management methodologies to your initiatives.
      2. Develop a process to track the tasks on your strategy task list. Because these will not be managed as formal initiatives, it will be easy to lose track of them.
      3. Develop a schedule for regular reporting of progress on the roadmap to senior management. This will help hold yourself and others accountable for moving the project forward.
    2. Plan to review and update the strategy and roadmap on a regular basis. You may need to add, change, or remove initiatives as priorities shift.

    Input

    • Completed Security Gap Analysis Tool

    Output

    • Execution of your strategy and roadmap

    Materials

    • Information Security Gap Analysis Tool
    • Project management tools as required

    Participants

    • Security Team
    • Project Management Office
    • IT and Corporate Teams, as required

    Info-Tech Insight

    Info-Tech has many resources that can help you quickly and effectively implement most of your initiatives. Talk to your account manager to learn more about how we can help your strategy succeed.

    Summary of Accomplishment

    Knowledge Gained

    • Knowledge of organizational pressures and the drivers behind them
    • Insight into stakeholder goals and obligations
    • A defined security risk tolerance information and baseline
    • Comprehensive knowledge of security current state and summary initiatives required to achieve security objectives

    Deliverables Completed

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information.

    workshops@infotech.com
    1-888-670-8889

    Additional Support

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

    Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    Information Security Program Gap Analysis Tool

    Use our best-of-breed security framework to perform a gap analysis between your current and target states.

    Information Security Requirements Gathering Tool

    Define the business, customer, and compliance alignment for your security program.

    Related Info-Tech Research

    Develop a Security Operations Strategy

    A unified security operations process actively transforms security events and threat information into actionable intelligence, driving security prevention, detection, analysis, and response processes, addressing the increasing sophistication of cyberthreats, and guiding continuous improvement.

    This blueprint will walk through the steps of developing a flexible and systematic security operations program relevant to your organization.

    Implement a Security Governance and Management Program

    Your security governance and management program needs to be aligned with business goals to be effective.

    This approach also helps to provide a starting point to develop a realistic governance and management program.

    This project will guide you through the process of implementing and monitoring a security governance and management program that prioritizes security while keeping costs to a minimum.

    Align Your Security Controls to Industry Frameworks for Compliance

    Don’t reinvent the wheel by reassessing your security program using a new framework.

    Instead, use the tools in this blueprint to align your current assessment outcomes to required standards.

    Bibliography

    “2015 Cost of Data Breach Study: United States.” Sponsored by IBM. Ponemon Institute, May 2015. Web.

    “2016 Cost of Cyber Crime Study & the Risk of Business Innovation.” Ponemon Institute, Oct. 2016. Web. 25 Oct. 2016.

    “2016 Cost of Data Breach Study: Global Analysis.” Ponemon Institute, June 2016. Web. 26 Oct. 2016.

    “2016 Data Breach Investigations Report.” Verizon, 2016. Web. 25 Oct. 2016.

    “2016 NowSecure Mobile Security Report.” NowSecure, 2016. Web. 5 Nov. 2016.

    “2017 Cost of Cyber Crime Study.” Ponemon Institute, Oct. 2017. Web.

    “2018 Cost of Data Breach Study: Global Overview.” Ponemon Institute, July 2018. Web.

    “2018 Data Breach Investigations Report.” Verizon, 2018. Web. Oct. 2019.

    “2018 Global State of Information Security Survey.” CSO, 2017. Web.

    “2018 Thales Data Threat Report.” Thales eSecurity, 2018. Web.

    “2019 Data Breach Investigations Report.” Verizon, 2020. Web. Feb. 2020.

    “2019 Global Cost of a Data Breach Study.” Ponemon Institute, Feb. 2020. Web.

    “2019 The Cost of Cyber Crime Study.” Accenture, 2019. Web Jan 2020.

    “2020 Thales Data Threat Report Global Edition.” Thales eSecurity, 2020. Web. Mar. 2020.

    Ben Salem, Malek. “The Cyber Security Leap: From Laggard to Leader.” Accenture, 2015. Web. 20 Oct. 2016.

    “Cisco 2017 Annual Cybersecurity Report.” Cisco, Jan. 2017. Web. 3 Jan. 2017.

    “Cyber Attack – How Much Will You Lose?” Hewlett Packard Enterprise, Oct. 2016. Web. 3 Jan. 2017.

    “Cyber Crime – A Risk You Can Manage.” Hewlett Packard Enterprise, 2016. Web. 3 Jan. 2017.

    “Global IT Security Risks Survey.” Kaspersky Lab, 2015. Web. 20 October 2016.

    “How Much Is the Data on Your Mobile Device Worth?” Ponemon Institute, Jan. 2016. Web. 25 Oct. 2016.

    “Insider Threat 2018 Report.” CA Technologies, 2018. Web.

    “Kaspersky Lab Announces the First 2016 Consumer Cybersecurity Index.” Press Release. Kaspersky Lab, 8 Sept. 2016. Web. 3 Jan. 2017.

    “Kaspersky Lab Survey Reveals: Cyberattacks Now Cost Large Businesses an Average of $861,000.” Press Release. Kaspersky Lab, 13 Sept. 2016. Web. 20 Oct. 2016.

    “Kaspersky Security Bulletin 2016.” Kaspersky Lab, 2016. Web. 25 Oct. 2016.

    “Managing Cyber Risks in an Interconnected World: Key Findings From the Global State of Information Security Survey 2015.” PwC, 30 Sept. 2014. Web.

    “Measuring Financial Impact of IT Security on Business.” Kaspersky Lab, 2016. Web. 25 Oct. 2016.

    “Ponemon Institute Releases New Study on How Organizations Can Leapfrog to a Stronger Cyber Security Posture.” Ponemon Institute, 10 Apr. 2015. Web. 20 Oct. 2016.

    “Predictions for 2017: ‘Indicators of Compromise’ Are Dead.” Kaspersky Lab, 2016. Web. 4 Jan. 2017.

    “Take a Security Leap Forward.” Accenture, 2015. Web. 20 Oct. 2016.

    “Trends 2016: (In)security Everywhere.” ESET Research Laboratories, 2016. Web. 25 Oct. 2016.

    Research Contributors

    • Peter Clay, Zeneth Tech Partners, Principal
    • Ken Towne, Zeneth Tech Partners, Security Architect
    • Luciano Siqueria, Road Track, IT Security Manager
    • David Rahbany, The Hain Celestial Group, Director IT Infrastructure
    • Rick Vadgama, Cimpress, Head of Information Privacy and Security
    • Doug Salah, Wabtec Corp, Manager of Information Security and IT Audit
    • Peter Odegard, Children’s Hospitals and Clinics, Information Security Officer
    • Trevor Butler, City of Lethbridge, Information Technology General Manager
    • Shane Callahan, Tractor Supply, Director of Information Security
    • Jeff Zalusky, Chrysalis, President/CEO
    • Candy Alexander, Independent Consultant, Cybersecurity and Information Security Executive
    • Dan Humbert, YMCA of Central Florida, Director of Information Technology
    • Ron Kirkland, Crawford & Co, Manager ICT Security & Customer Service
    • Jason Bevis – FireEye, Senior Director Orchestration Product Management - Office of the CTO
    • Joan Middleton, Village of Mount Prospect, IT Director
    • Jim Burns, Great America Financial Services, Vice President Information Technology
    • Ryan Breed, Hudson’s Bay, Information Security Analyst
    • James Fielder, Farm Credit Services – Central Illinois, Vice President of Information Systems